Presentation
- 1. Hacking Tay’les of the 1st Degree
Doctor_Hacker @ twitter
BSides London, 25th April 2012
(My opinions, not my employer’s).
- 2. Who he?
Colin McLean (Dad)
◦ Lecturer at Abertay University, Dundee for
21¾ years / 7907 days / 28,465,200 secs
Mech Eng, Mechatronics, Computing
Developed the BSc in Ethical Hacking at
Abertay University, Dundee in 2006.
The first undergraduate degree in the
world with the word “Hacking” in the
title.
- 3. The story…
◦ The idea
◦ The early days
◦ BSc EH 2.0
◦ End Games.
◦ Quickly!
- 5. 2005 – KTP Project
Two year government funded project with
NCR R&D, Dundee.
Risk analysis of an NCR ATM.
◦ “Identify all possible risks to an NCR
ATM, their possible dangers and their
mitigations”.
◦ Involved security staff at NCR and me identifying all
the possible ways of hacking into an ATM.
- 6. Colin had a thought…
We weren’t thinking like
defenders.
We were thinking like
attackers.
We MUST think like the
opposition in order to
know how to stop them.
The more devious we are the better we can
defend.
- 7. Security in Education
Other degrees in “Computer Security” were
looking mainly at the mitigations.
They did not appear to examine the hacks.
Graduates who think like hackers?
Hence the world’s first undergraduate degree
in “Ethical Hacking”.
- 8. Programme design
Input to the content of the degree from NCR.
Input and support from various other
companies.
Programme validation panel included Head of
School @ Northumbria University.
- 9. In truth…
The course was not as first imagined.
“Internal” validation was difficult.
◦ Had to fight off “not enough ethics” and “more law
modules”.
It took some years before the course
matured.
- 10. Hacking interests the media
We publicly released the degree in June 2006:
BBC Reporting Scotland & STV News
Polish TV, Brazilian TV.
Live on Canadian Radio.
Interviewed live on French TV
Newspapers had a field day…
“Doctor Hacker!” The Sun Newspaper.
“Lord Voldemort” (PC1 News)
“Les Pirates Ecosse” (“The Scotland Pirates”)
There was also resistance.
- 11. Academics’ comments
“A title like that would be a catastrophe for
the University.”
“Crass programme names that bring our
discipline into disrepute.”
“I doubt it would look good to prospective
employers.”
http://www.ics.heacademy.ac.uk/resources/faqs/answers.php?id=56
- 12. The “establishment” had a
go
“If penetration testing is what is being taught,
then that is how it should be labeled
rather than seeking to use marketing spin to
gain credibility within an industry that is
seeking to improve its professional image.
Ethical hacking should not be considered to be
an accepted professional industry term.”
http://www.bcs.org/content/ConMediaFile/7266
- 13. A stolen slide: “Security, Social + Physical
Engineering, Educating Staff etc.”
- 14. And by the way…
The BCS validated the Ethical Hacking degree
at Abertay University in 2010.
This is the earliest that it could have been
validated.
- 16. Entry procedures
Tried to mirror medical degrees.
◦ Interview.
◦ Ethical scenarios.
◦ Disclosure check.
◦ Sign on the dotted line.
Also, legal issues are paramount in early
stages.
- 18. Cohort #0
They could certainly think outside the box.
◦ Not the usual cohort.
- 19. 2 students over 50.
1 student aged 16.
2 female students.
2 English students.
Only 4 completed the
honours degree.
3 completed degrees in
other subjects.
- 20. Within 18 months, 6
babies.
Did I mention that this
isn’t a penetration testing
degree?
- 21. Taking a side step…
An (alleged) troll had lived in the
“Full Disclosure” mailing list (2002-ish).
He was one of the earliest known (alleged)
trolls.
- 24. Hurrah!
The people waved him goodbye with hearty cheer.
- 25. Timeline…..
(alleged) Troll went missing 1st September 2006
◦ Abertay’s Ethical Hacking degree started around then.
(alleged) Troll went back to FD January 5th 2007.
◦ One of Abertay’s students did not return in January.
He was welcomed back.
- 26. Some serious questions.
1. What about hacking group members?
◦ Difficult to identify.
◦ Whistle-blowing would be a possibility.
◦ Abertay reserves the right to remove any student.
◦ We NEED to educate about hacking techniques.
3. Many people have proved not to be
suitable for an EH degree.
◦ How does the industry effectively make use of the
talents of these people?
- 27. BSc EH 2.0
What it’s become…
PS: The students are still volatile!
- 29. The syllabus (briefly!)
Themed:-
◦ Programming.
◦ Networking.
◦ Ethical Hacking.
Four year honours degree in Scotland.
◦ Years 1 and 2 still geared towards the “basics”.
◦ Years 3 and 4: much more research and self-directed
learning.
- 30. “You should teach us X”
Culture of project work as assessments:-
◦ Year 1 Ethical Hacking – Mini project
◦ Year 2 Ethical Hacking – Project
◦ Year 2 Smart Programming – Project
◦ Year 3 Ethical hacking - Web security project
◦ Year 3 Ethical Hacking – Mini-project
◦ Year 3 Ethical Hacking – Exploit development
◦ Year 3 Group Project - Student chosen
◦ Year 4 Network Management – Network Security project
◦ Year 4 Honours project
- 31. Student Centred Learning
Students are encouraged to create their own
CVs and mould their own careers.
In many cases, students can learn what THEY
think is important.
Documentation skills (& feedback on this) are
more prominent.
- 32. E-Hacking modules.
Modules:-
◦ General security
◦ Penetration testing
◦ Web application testing
◦ Exploit development
◦ Reverse engineering
◦ Password security
◦ Malware analysis
◦ Etc.
Staff training & company involvement (essential):-
◦ Internal & external pen testing - Firstbase Techies (2 staff)
◦ Exploitlab 5.0, exploit development - Saumil Shah & SK Chong, 2011
◦ CEH (3 members of staff)
◦ NCR work
◦ “Other” companies
- 34. Students talking @cons
BruCon Security Conference 2011
◦ “Smart Phones – The Weak Link in the Security Chain,
Hacking a network through an Android device” by Nick
Walker and Werner Nel
BruCon Security Conference 2011
◦ “Script Kiddie Hacking Techniques” by Ellen Moar
BSides London Security Conference 2011
◦ “DNS Tunnelling: It's all in the name!”, Arron "finux"
Finnon
BSides Berlin Security Conference 2011
◦ A Salesman's Guide to Social Engineering by Gavin Ewan
- 35. A question
So are there jobs?
◦ We are a vocational University.
◦ Companies are coming to us (e.g. NGS).
◦ Qinetiq interested after 3 summer
placements.
◦ PwC stole(!) two of our students this year!
◦ Current graduates are out there.
◦ Current honours-year students are easily getting jobs.
- 36. Finally..
Is the sensationalistic title necessary?
◦ Security mindset, culture is VERY
important.
◦ All aspects of security are important.
◦ Ethical Hacking is what we are doing.
The future?
◦ Graduates are now out there.
◦ Summary – course has been a success.