Author Archives: Chris Sanders

Help Me Introduce Rural 100,000 Students to Technology

I didn’t know when I was growing up in rural western Kentucky that just by virtue of living where I did that I was disadvantaged. I grew up poor, but so did all my friends and as rough as I had it, I knew people who had it worse. The fact is that people growing up in rural areas are significantly more likely to be unemployed, live in poverty, become disabled due to poor health, and die early. I didn’t know that all these things were working against me.

At a young age, I was introduced to computers. This initial spark of interest led me to write software, learn how to connect computers into networks, and use technology to enrich my life and the lives of those around me. A few teachers recognized my interest and helped me turn that spark into a sustained interest that eventually led to a college degree and a career in computer technology. The fate that I seem predestined for was not to be, and it was because of that initial spark and the opportunity to pursue it. Sadly, this spark is too often missed or never cultivated.

I started the RTF to introduce other young people to technology so that it could change their lives in the same way it changed mine. So far, we’ve been able to do that with great success. In 2017 alone, we’ve been able to introduce just over 28,000 rural students to technology careers by equipping their schools with things like Chromebooks, Raspberry Pi’s, Robotics Kits, 3D Printers, and more. While our progress this year has been tremendous, we’ve got more work to do.

We want to reach 30,000 students in 2017 and 100,000 total students within the next two years. These are massive goals and represent tremendous impact. Our goal is to introduce students to the potential of technology careers so that we can help end the generational poverty that has defined their lives. Through this, we hope to bring greater economic impact to rural areas and help decrease the massively unequal distribution of wealth between rural areas and their urban counterparts.

We need your help to reach this goal. The month of December is our most important month for fundraising as it helps us meet our year-end goals and begin the new year with momentum. If we’re going to reach 100,000 students we need your contribution. With this, you have our guarantee that 100% of your donation will go straight to the classroom. We are an entirely volunteer-led organization, which means we pay no salaries. Your donation will have direct, tangible impact.

There are several ways to help:

  • One-Time Donation: A one-time gift can be made via check or PayPal. A PayPal account is not required to make an online gift. You can do so here:
  • Recurring Donation: A recurring gift helps us better plan our charitable work. As a part of contributing to our Patreon, you’ll get exclusive updates about work we’re doing in classrooms all over the country. You can do so here:
  • Amazon Smile: As you’re doing your holiday shopping, consider doing so through Amazon Smile. When you select the RTF as your charity of choice, Amazon will contribute a portion of your purchase price directly to us.

The Rural Technology Fund is a 501(c)(3) organization, which means your donations are tax deductible.

I didn’t know what I had working against me when I was growing up in a rural area. Now I know, and we’re working to change the future for kids like me. I hope you’ll join us. We can’t do it without your help.

Cuckoo’s Egg – Week 3 Notes

Next Week’s Registration:

This week, we reviewed chapters 9-14.

Cliff observes the attacker logging in again via the Sventek account. Sventek uses Kermit to copy a file over. The file is an application that solicits users to enter their password before redirecting them back to a legitimate application. The purpose of the tool is clearly to steal user passwords, but the attacker fails at deploying it successfully and it never executes. 

Realities of Password Theft

We used this opportunity to talk about password theft and the dramatic impact it can have. I posed the question to the group: which of these is worse?

  • An attacker having root privileges on a single system without a clear text user password?
  • An attacker having user privileges on a single system with a clear text user password?

Of course, the answer is “it depends.” The nightmare scenario for prevention and detection is an attacker with clear text credentials for a user with great power.

I highlighted four realities of password theft:

  1. If I can authenticate to a machine as you, the machine gives me the privileges assigned to you.
  2. An attacker doesn’t have to attack vulnerabilities in software if they have legitimate credentials.
  3. An attacker who can access a network with legitimate credentials will almost always do so.
  4. Many long-term attacks involve the use of legitimate credentials.

It’s also important to keep in mind that a user account is not equivalent to a user, it only represents them. An attacker can authenticate as a user, but can never be that user. It is that distinction that we must leverage to detect and prevent attackers who would seek to impersonate.

Clear Text Password Theft

Clear text passwords primarily exist in three places: in the user’s head, in transit on the network, and in a limited number of places on the operating system. There are techniques attackers can use to steal passwords from all three locations. I performed a demo of each one of these attacks.

Harvesting from the Human: We used the Social Engineering Toolkit to replicate legitimate sites. These are delivered to the victim via some form of social engineering (like a phishing e-mail). The victim inputs their password, which is covertly sent to the attacker.

Harvesting from the Network: Some protocols perform submission of credentials over clear text. Anyone with a packet sniffer in the right location can intercept these credentials. I demonstrated extracting web application credentials that were transmitted over HTTP.

Harvesting from the OS: While passwords most often exist as hashes on the local system, there are methods that can be used to extract their clear text representation. One of the most common techniques on Windows systems is the use of Mimikatz to take advantage of the LSASS process. I demonstrated the execution of Mimikatz on a Windows 7 system.


More Reading:

Dig Deeper Exercises:

  • Level 1: Download the Social Engineering Toolkit and use the credential collection feature that will clone an existing website. Consider how you might compose a phishing e-mail that tricks a victim into inputting their credentials (don’t actually send it).
  • Level 2: Perform a packet capture while browsing to applications you authenticate to on a regular basis. Assess whether your credentials are submitted in the clear, or over an encrypted channel.
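The Level 2 exercise asks whether your credentials cross the wire in the clear. The following script, an added example rather than code from the original post, takes raw HTTP request text as a sniffer would capture it and reports Basic-auth headers and form fields whose names look like credentials, masking the values so the report is not a second copy of the secret. The request samples are constructed.

```python
"""Flag HTTP requests that submit credentials in clear text."""
import base64
import re
from urllib.parse import parse_qs

# Field names commonly used for secrets in login forms (assumption: extend for your apps).
CRED_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret|token)$", re.I)

def mask(value):
    # Keep only the length; never echo the credential itself into a report.
    return "*" * len(value)

def inspect_request(raw):
    """Return method, path, host and a list of (kind, name, masked_value) findings."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is just base64(user:password); anyone on the path can decode it.
        decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        findings.append(("basic-auth", user, mask(password)))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body).items():
            if CRED_FIELD.match(name):
                findings.append(("form-field", name, mask(values[0])))
    return {"method": method, "path": path, "host": headers.get("host", "?"), "findings": findings}

def scan(requests):
    """Keep only the requests that leaked something."""
    return [r for r in (inspect_request(x) for x in requests) if r["findings"]]

# Constructed sample capture: a form login, a Basic-auth API call, and a harmless GET.
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=alice&password=hunter2",
    "GET /api/status HTTP/1.1\r\nHost: api.example\r\nAuthorization: Basic "
    + base64.b64encode(b"bob:s3cret").decode() + "\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["method"], hit["host"] + hit["path"], hit["findings"])
```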


Sandy, a colleague of Cliff’s, finds a computer lab in the library set up to auto-dial Tymnet when students log in. It seems logical that an internal attacker (like a student) might be using these terminals to attack the network. Cliff and Sandy work with local law enforcement to post someone in the lab. Cliff monitors for the next time the attacker logs in and calls the lab. Unfortunately, nobody is logged into any of the terminals. The theory that the attacker was coming from the lab is debunked.

Insider vs. Outsider Threat

We briefly discussed the source of threats. The insider threat has the potential to be much more damaging and harder to detect. However, the hype surrounding insider threat is dramatically overblown. Insider threat accounts for an incredibly small percentage of actual breaches.


Cliff begins going through his attacker logs in more depth. He eventually discovers more compromised accounts. A portion of the attacker’s tradecraft is revealed. The attacker will search for old, unused accounts and edit the password file to reactivate them. The attacker would also clear their password so it could be reset, making the accounts perfectly suitable for use again. This was all made possible by the same emacs bug. 

Password Hash Theft

In most places, passwords are stored as hashes rather than in clear text. A hash is the output of a one-way cryptographic function applied to the password: it can be recomputed from the password to check a login, but the password cannot be recovered from it. This is used by the operating system for authentication and storage because it’s more secure than keeping the plaintext password in multiple places. While a password hash is less valuable than a clear text password, it can still be leveraged by attackers to gain access.

I discussed two techniques relating to password hashes.

Password Cracking: An attacker who desires the clear text password associated with a user can attempt to crack the password. I used John the Ripper to demonstrate this process.

Pass the Hash: Sometimes, all you need is the hash. I discussed the Pass the Hash toolkit and how an attacker could use this to gain access as the user whose password hash they’ve stolen.


More Reading:

Dig Deeper Exercises:

  • Level 1: Create a user account on a Windows system. Extract the hash and use John to attempt to crack the password.
  • Level 2: Increase the complexity of the password minimally, and perform the same task again. Keep increasing the complexity and take note of how much longer it takes to crack the password.
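To put numbers behind the Level 2 exercise, here is an added example (not code from the original post) with two halves: a salted, deliberately slow password hash built on the standard library’s PBKDF2 with a constant-time verify, and a keyspace estimate showing how each added character class or character multiplies the guesses a cracker needs. The iteration count and guess rate are assumptions to tune for your own hardware.

```python
"""Salted slow hashing plus a keyspace estimate for password cracking time."""
import hashlib
import hmac
import os
import string

ITERATIONS = 100_000  # assumption: raise until one guess costs ~100 ms on your hardware

def hash_password(password, salt=None):
    """Return 'salthex$digesthex'; a fresh random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def charset_size(password):
    """Size of the alphabet a brute-forcer must cover, based on the classes present."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def keyspace(password):
    """Worst-case guesses for an exhaustive search over that alphabet and length."""
    return charset_size(password) ** len(password)

def crack_seconds(password, fast_guesses_per_second, iterations=1):
    """Time to exhaust the keyspace; a KDF with N iterations divides the guess rate by N."""
    return keyspace(password) / (fast_guesses_per_second / iterations)

if __name__ == "__main__":
    record = hash_password("hunter2")
    print("verify ok:", verify_password("hunter2", record))
    for pw in ("hunter2", "Hunter2", "Hunter2!", "Hunter2!Hunter2!"):
        print(f"{pw!r}: keyspace 10^{len(str(keyspace(pw)))-1}, "
              f"{crack_seconds(pw, 1e9, ITERATIONS):.3g}s at 1e9 fast guesses/s")
```

The last line of the loop shows the two levers the exercise is really measuring: length and character classes grow the keyspace, while a slow hash shrinks the attacker’s guess rate.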


Cliff observes the attacker using the LBL connection to connect to White Sands Missile Range (WSMR). The attacker fails to get in. Cliff notifies the FBI of what he’s seen, but they don’t care enough to investigate it. He also notifies the AF OSI. They start looking into it but don’t provide any immediate significant response. 

The next time the attacker dials in, Cliff initiates another trace. The local phone company traces it to a telco in Virginia who is able to trace it to the next hop. Unfortunately, they can’t share the results with Cliff. The telco works with the police, not individuals. Furthermore, that would require a warrant in Virginia and Cliff’s warrant is only good for California. For now, Cliff’s stuck. 


Critical Question(s)

Should this crime have warranted closer inspection by the FBI?

  • Why or why not?
  • How do you determine the threshold for a crime worthy of investigation? Think about this from a macro (FBI) and micro (your company) scale. What is worth the expenditure of resources to pursue?


Next Session

December 7th 7:30PM ET

Read Chapters 15-23

Register/Attend Here:


Source Code S2: Episode 4 – Sergio Caltagirone

Sometimes you only need one name. Prince, Madonna, Oprah….and Sergio. This week I’m thrilled to be joined by my good friend Sergio Caltagirone. We talked about the importance of ICS security, control system themed road trips, and the intersection of information security and philosophy. Sergio takes us through his journey from the Department of Defense to Microsoft and Dragos. We also get the story of how the Diamond model came into existence. Perhaps most importantly, we talk about his work to fight human trafficking and how he is applying data science to this problem at the Global Emancipation Network.

Sergio chose to support the Rural Technology Fund with his appearance (I promise I didn’t coerce him). These funds will go to rural public school classrooms to introduce more kids to computer science.

You can find Sergio on Twitter @cnoanalysis.

Listen Now:

You can also subscribe to it using your favorite podcasting platform:


If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Sergio know by tweeting at him @cnoanalysis. As always, I love hearing your feedback as well and you can reach me @chrissanders88.

Special thanks to our title sponsor, Ninja Jobs!



Cuckoo’s Egg – Week 2 Notes

Next Week’s Registration:

This week, we reviewed chapters 4-8.

After setting up his monitoring system, Cliff observes another suspicious login using the Sventek account. Now, Cliff is better equipped to figure out what is going on and monitor every command issued by the potential attacker. He reads the logs showing the activities taken by the attacker over a three hour span. First of all, he notices that the attacker is logged in from Tymnet. This means the attacker could be coming from anywhere, as Tymnet was a global network. Cliff digs into the meat of the log and is alarmed to find that Sventek is operating as a superuser. That shouldn’t be possible!

The Principle of Least Privilege

In security, we operate under the principle of least privilege. This means that users on a system should only be allowed to do the bare minimum required to complete their task, and only for as long as they are required to complete it. This means users should not have administrative privileges to change the system, and applications should be installed under limited user accounts. This speaks to the concept of the attack surface. Any access an attacker has on a system provides points of interaction. Generally speaking, the more points of interaction the attacker has, the more opportunities they have to force applications or systems to respond in ways that might allow compromise. This characterizes the attack surface. The fewer interaction points we give users, the smaller the attack surface is when an attacker compromises a user’s account.

In class, we completed an exercise where we mapped the privileges of various roles in a bank setting and analyzed the attack surface of roles controlled by an attacker. I also discussed mechanisms meant to ease the burden of PLP, such as Windows User Account Control (UAC) and Linux sudo. We are all sysadmins on our own mobile devices, and I discussed how these vendors have taken the approach of requiring us to consent to the specific access each application requests based on its feature needs. Facebook was given as an example, along with screenshots showing all the things it needs to access in order to provide its full array of features.

More Reading:

Dig Deeper Exercises:

  • Level 1:  Look at the permissions granted to a social media app on your phone. Try to map each permission to a specific function.
  • Level 2: On a Windows system, use a limited user account and attempt to perform an administrative action. Find an event log that indicates you took this action.
  • Level 3: On a Linux system, create a limited user account. Give it sudo privileges to perform administrative actions. Test this out, and find an event log indicating you took this action.


Cliff continues to dig around and discovers how the attacker became a superuser. It turns out that the attacker found a bug in the gnu-emacs application related to how it assigns ownership of files mailed between users on the system. The application simply changes the ownership of a file without respect to privilege assignments. Since the application was installed as an admin user, this allowed the attacker to trick it into copying a file such that it became owned by a privileged account. The attacker used this bug to replace the system’s atrun file, which executes every 5 minutes to conduct system administration tasks. When the attacker’s version of this file ran, it added the Sventek user to an administrative users group.

As a superuser, the attacker begins pillaging the network. They read sensitive files and e-mails, and look for passwords. The attacker also appears to be very paranoid and constantly looking over their shoulders. They enumerate who the system operators are and constantly look to see who is logged into the system and what processes are running.

Cliff presents these findings to his boss, who tells him to keep watching the attacker but not to take action yet. The monitoring system is refined to alert only when known compromised accounts login.

Process Monitoring

We used this opportunity to talk about process monitoring. The concept of a process is easy to understand, but we should give attention to the tools we can use to monitor running processes and their limitations. Active process monitoring is something done by defenders to look for suspicious or malicious processes. It is also something done by attackers to look for processes that might detect them or prevent them from accomplishing a goal.

In class, I demonstrated the ps command on Linux and discussed different ways to use it to look for running processes. I also demonstrated Process Explorer on a Windows system, as well as TASKLIST for command-line and remote process monitoring.

More Reading:

Dig Deeper Exercises:

  • Level 1: Choose three processes you use on a daily basis. Use the tools here to locate them and trace their parent processes as far as you can. Research what each parent process does.
  • Level 2: Compare your system to a clean system with no software installed (you may need to set up a virtual machine in a lab to do this). Identify what processes are unique to your system and those that are standard with the operating system.
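Both Dig Deeper exercises above come down to reading a process listing carefully. This added example (not code from the original post) parses the text that `ps -eo pid,ppid,comm` produces, walks any process up its parent chain to init for Level 1, and diffs the running command names against a clean-system baseline for Level 2. The listing and the baseline below are constructed.

```python
"""Parent-process tracing and baseline comparison from ps output."""

# Constructed sample of `ps -eo pid,ppid,comm` on a Linux host.
PS_OUTPUT = """\
  PID  PPID COMMAND
    1     0 systemd
  800     1 sshd
  910   800 sshd
  915   910 bash
  940   915 nc
 1200     1 cron
 1260  1200 sh
 1261  1260 atrun
"""

# Constructed baseline: command names seen on a freshly installed system.
CLEAN_BASELINE = {"systemd", "sshd", "bash", "cron", "sh"}

def parse_ps(text):
    """Map pid -> (ppid, command); the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def ancestry(procs, pid):
    """Chain from the given process up to the root, e.g. ['nc[940]', 'bash[915]', ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen-guard stops on cyclic or bad data
        seen.add(pid)
        ppid, comm = procs[pid]
        chain.append(f"{comm}[{pid}]")
        pid = ppid
    return chain

def pids_named(procs, name):
    """All pids running a given command name."""
    return sorted(pid for pid, (_, comm) in procs.items() if comm == name)

def not_in_baseline(procs, baseline):
    """Command names present here but absent from the clean system (Level 2)."""
    return sorted({comm for _, comm in procs.values()} - baseline)

if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    for pid in pids_named(procs, "nc"):
        print(" <- ".join(ancestry(procs, pid)))
    print("not in baseline:", not_in_baseline(procs, CLEAN_BASELINE))
```

A command such as `nc` whose ancestry runs back through an interactive shell under `sshd` deserves a different look than the same name spawned by a scheduler, which is exactly the question the parent chain answers.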


In discussion with one of Cliff’s colleagues, the attacker’s use of the ps command is brought up. The attacker uses a flag (-g) that is supported on AT&T Unix, but not on the Berkeley Unix that is run at LBL. Someone wagers that the hacker is not from the west coast, or he would be well versed in their flavor of Unix.

The attacker dials back in but doesn’t stay on LBL systems for long. Instead, they use LBL as a hop point to connect to a DoD server as the user Hunter. Cliff queries the NIC and finds that this IP belongs to Anniston Army Depot in Alabama. He calls the system operator and explains what he observed. The operator is aware of the attacker having been there, but thought he had been eradicated. It turns out that the attacker was using the same emacs bug but is coming in through LBL and not the front door anymore. Cliff ponders the thought that the attacker might be southern, as it would explain the familiarity with AT&T Unix which was run on the Anniston systems.


Next Session

November 30th 7:30PM ET

Read Chapters 9-14

Register/Attend Here:


Source Code S2: Episode 3 – Haroon Meer

Haroon Meer joins us this week to talk about his journey from running South African flea market booths to founding one of the most innovative companies in information security. We discuss the differences between South African and US education, common pitfalls made by security product vendors, and the use of honeypots for detection.

Haroon chose to support United for Puerto Rico with his appearance. These funds will go to support hurricane relief from the recent weather events that occurred there.

You can find Haroon on Twitter @haroonmeer.

Listen Now:

You can also subscribe to it using your favorite podcasting platform:


If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Haroon know by tweeting at him @haroonmeer. As always, I love hearing your feedback as well and you can reach me @chrissanders88.

Special thanks to our title sponsor, Ninja Jobs!