InformationWeek.com

Welcome Guest. | Log In| Register | Membership Benefits

March 27, 2000

Hacker School Teaches Security
Training sessions help students learn vulnerabilities in Windows NT and Linux systems

By Matthew G. Nelson

Related links from our sister publications:

Network Computing Is Security the Next Big Thing? (3/20/00)

InternetWeek Firewall Appliances -- Keep The Barbarians away (2/21/00)

TechWeb White House Presses Industry For Security (2/15/00)

TechEncyclopedia

Need a definition of a technology term? Look it up here:

Send Us Your Feedback

ore than 20 students recently sat in a muggy room on the 12th floor of a New York office building to learn how to hack into Microsoft Windows NT and Linux systems. But it wasn't an underground session run by computer criminals; instead, these students hoped to learn how to protect their computer systems and E-commerce Web sites from attack.

The Ultimate Hacking class was taught by startup Foundstone Inc., formerly Rampart Security Systems, which offers security consulting services as well as classes on the tools of the hacker's trade. Foundstone, in Mission Viejo, Calif., has received $3 million in funding from Olympic Venture Partners.

"We have laptops for everybody with both Linux and NT, and we bring our own server boxes that have been misconfigured or have known vulnerabilities on them and then allow the students to break into them," says Stuart McClure, Foundstone's president and chief technology officer. "We want to train people to understand what hackers do and how they do it, because that's the only way they can protect themselves. Know thy enemy."

During the four days of training, students are provided with hacking tools that are available over the Internet for free, in most cases. They include an information-gathering tool called "Sam Spade" and a port-scanning tool called "SuperScan" that sends queries to Internet servers to check their levels of security.

McClure says students are taught "methods by which several tools are utilized together to break into a network. We orient most of the training around techniques. We teach things like buffer overflows as a technique, or password guessing."

Most of the students are business users. "Ninety-five percent of the time it's system administrators; the other 5% are general consumers" who want to learn more about security, he says.

John Carlson, manager of virtual private networking services at GTE Internetworking Inc., sent several of his employees to the class. Carlson's organization has grown from about 30 employees to nearly 100 in 15 months, and he says this type of class helps to educate his staff.

"When you come away from their training, you think a lot differently about network solutions," Carlson says. "They actually get you to think about the security of your network and its integrity. They show you what can happen if you aren't taking the right measures. And it's scary."

Another "student" was Larry Leibrock, associate dean and CTO at the graduate school of business at the University of Texas at Austin. He used his spring break to attend the class because his students were demanding more information on security. He also wanted to protect the school's networks better.

"At the business school, there has been a demand for E-business courses, and security in general," Leibrock says. "I thought it was time for me to invest in some training. I learned a lot more about the vulnerabilities in Linux and gained some hands-on experience with tools that I didn't know about. It also confirmed that you can never know it all about security, it's changing too fast."

One of the youngest students was 18-year-old Vic Thelian from Queens, N.Y., who left his house every morning at 5:30 to attend the class. He was so interested in the subject that he used the last of a bank loan to pay for the class--a loan he intended to use to become a Microsoft certified engineer.

"I sort of blew off the last half of the Microsoft training to come and take this. It was definitely worth it," Thelian says. "I was actually looking to get into network security, but I couldn't find any classes that had hands-on training--it was all theory. This isn't something that can be taught with just theory, it's something you just have to do."

Foundstone screens students and requires them to sign an affidavit that says they will use their training appropriately. The four-day sessions, which are scheduled to take place in Boston, the San Francisco Bay area, Seattle, and Virginia, are priced at $3,500 per student.

Back to This Week's Issue
Send Us Your Feedback
Top of the Page