Beeler 1

Austin Beeler
Professor Anthony Borrero
English 1101
23 November 2012

An Ethnographic Essay Regarding the 49th Security Division

A stolen credit card. Access to personal information. The possibility of entire identities being stolen. The only place that a would-be criminal could have simultaneous access to these vital pieces of information is over the massive network known colloquially as the Internet. As businesses and people continuously turn to using the Internet as part of their daily lives, cyber criminals have no end to their pick of targets. Whether it be for personal gain, defamation, or simply for fun, cybercrime is on the rise and the only combatant against it is Internet security and those who make a career of it.

This essay intends to examine how members of the 49th Security Division learn about and utilize network forensic tools to further their own knowledge of Internet security. It will explore the early history of security issues, the issues being faced today, and how the concepts, tools, and skills required to face these issues are being learned by the next generation of security professionals, with the discussion of these topics geared toward those with little to no knowledge of the field. With this information, I hope to explore the way that the 49th Security Division teaches these skills and presents this information to its members, as well as offer suggestions as to how it can improve the way it provides this education.

To be able to efficiently learn about and become capable in the field of Internet security, an understanding of its origins is necessary. Internet security has been around for several decades. The necessity for it arose on November 2, 1988, the day that a portion of the computers
connected to the Internet began behaving queerly. Upon investigation, it was discovered that a program, capable of reproducing itself after termination, was actively running on all the afflicted machines. The source of this program turned out to be a graduate student, with the intention of the program being to count the number of computers connected to the Internet, and nothing more. It was designed to spread from computer to computer autonomously, but due to certain errors in its code, it had the unfortunate side effect of slowing down every computer affected. It is considered the first Internet worm, due to its capability of spreading quickly and unnoticed, consuming the processing resources of the host computer (Zittrain 7).

Naturally, there was a quick response to prevent a similar occurrence. The immediate result was the creation of the Computer Emergency Response Team Coordination Center, based out of Carnegie Mellon University and funded by the Defense Department. Blame was placed on the graduate student, and the entire incident was chalked up as the result of a poorly conceived and childish act. University committees, formed to create a plan to prevent further network misuse, concluded that the best prevention methods were for users to apply updates regularly and not misuse software that could be potentially dangerous (Zittrain 7). While such strategies may have been effective in those days, three decades later they no longer hold true.

These days, the Internet is everywhere. Even on phones. According to one study conducted by the telecommunications company O2, people use their smartphones to access the Internet more than twice the amount of time they use it to make a phone call. With more and more services being provided in the virtual landscape, such as banking, shopping, and file storage, users increase their reliance on these services and are putting their information on networked servers. The only thing preventing access to these sensitive bits of data are the
precautions that system operators put into place. However, these precautions, assuming they were even originally used, are sometimes not enough. An example of this is the claim posted by the group Anonymous on the night of November 5, 2012, that they had cracked into the servers of Paypal.com. While inside the network, they extracted 28,000 passwords and posted them for all to see. Fortunately, these passwords meant nothing without the accompanying usernames, but the possibility of malicious use is still evident. In fact, on the same night, an individual cracked into several of NBC's websites, replacing content with the "Remember, Remember" poem dedicated to Guy Fawkes (Sieczkowski). The results of these two attacks are very different, but both involved the decryption of the targeted networks' encryption keys.

Networks protect the information being sent through them by encrypting it with a secure key that, generally, only administrators know. The process of encryption involves a block of plaintext being passed along with its key, the identifier for how it is encrypted. Once these two are given, an algorithm, which changes based on the preferences of the network owner, is performed using the key to change the block of text into an incomprehensible mess, known as ciphertext. To decrypt this, it is passed into the same algorithm with the same key, but the process is reversed, resulting in the original block of text (Rhee 58-60). A cracker with access to a network's key can decrypt any data being passed through it. The process of getting this key, however, varies.

All methods for encrypted key acquisition fall under two categories, plaintext based and ciphertext based. Plaintext based attacks involve access to both the original plaintext and the complementing ciphertext or the ability to choose a plaintext and get its resulting ciphertext. These techniques involve analyzing similarities between the two pieces of information. Ciphertext based attacks rely entirely on having just the ciphertext, and these attacks require
analysis of either the frequency of characters in the ciphertext or of found matching plaintext. Under these categories are countless individual techniques based on the needs of the cracker and the network being cracked (Conrad).

With each of these methods, a virtual trail is left behind the perpetrator based on their method of entry into the network. Whenever two computers communicate over the Internet, the data being communicated must be formatted in a certain way so that both sides can understand it. This formatting is known as a protocol, and there are many types of protocols for different types of communication (Rhee 12). Networks can record the information being passed through them, including the protocols used, and store it in files known as packet captures. To discover the culprit of a network breach, this information can be analyzed for certain types of protocols being used and data transferred, isolating the IP address, the unique identifier of an Internet user, that was assigned to them. With this information, tracing the cyber criminal's location becomes a possibility by tracing the path their connection took to reach the network (Ho 16).

However, the analysis of packet capture files requires intimate knowledge of network protocols and the ability to differentiate between normal network traffic and malicious network traffic. Only trained professionals are up for such a complex task, but fortunately the next generation of such professionals is getting a head start in the University of North Carolina at Charlotte's student organization known as the 49th Security Division.

The 49th Security Division was founded in 2009 with a goal of bringing together security enthusiasts under one roof. It maintains an open door policy, welcoming any student wishing to join, despite age, major, or even level of expertise. Outreaching to local professionals, organizations, and companies, the group has a focus on development of not just security-related skills but also on personal and professional capabilities. With regular participation in national
and global competitions, they not only teach necessary skills, they put them to use (49th). As the group holds weekly meetings, utilizing hands-on training as well as educational presentations, there is always an opportunity for members to hone their craft.

Each week, at 5pm on Wednesdays, the Security Division meets in a 250-person capacity lecture hall. An average turnout for a meeting is around twenty to thirty people. Generally, there is at least one presentation on a particular subject, often with the presenter using a projector screen connected to a computer to either give hands-on training or a presentation on a particular topic. Occasionally a lesson will be held focusing on a particular piece of hardware, and demonstrations and explanations will be given with specific skills and information related to the hardware in mind. These weekly meetings are held with the intention of giving initial instruction to members, though a certain amount of basic knowledge in the field is required to fully grasp the concepts being explained. Fortunately, most members possess the interest and basic skills to move forward with their education on Internet security by attending these meetings.

In response to why they joined the 49er SD, two different members shared the same response: to share their interest with like-minded people. Members of the 49th join either because they possess a passion for security or have an interest in the subject and want to learn more. As far as I can tell, there are no members that lack this initial interest. One interviewee, speaking on behalf of other members of the group, stated that for most it was their planned career choice, with several taking the first step by means of internships. He explained how through the group, he is preparing to help protect the sensitive information that this age places in the chaotic realm of the Internet. He also stated that the group taught a wide variety of skills, giving it a broad appeal, but also providing in-depth focus and more advanced concepts to accompany basic lessons.
I attended two separate meetings of the Security Division, and both covered two separate topics, though both were important concepts behind network security. For these meetings, the majority of those in attendance brought along their laptops. In the first meeting, the presenter gave a hands-on lesson of a tool known as Wireshark, which allows a user to analyze packet capture files and presents the data in a more organized format than the raw information alone. The second meeting consisted of a PowerPoint presentation describing man-in-the-middle attacks, a very particular type of intrusion involving a single individual intercepting communications between two people unnoticed. Both meetings utilized the projector at the disposal of the group due to their meeting location, and offered information even to someone as uninitiated as myself, and I observed several things about how the group functions and teaches through these meetings, and some possible ways to improve on these points.

The very first thing I noticed upon my arrival in the lecture hall was that the members who attended seemed to splinter off into their own individual groups. In both meetings, there were two larger groups, consisting of five to eight members, who sat in the same seats each time. The other members were scattered around the lecture hall either alone or in groups of two. Most of those who sat alone remained silent behind their laptops for the entirety of the session. Many were several rows behind most of the others as well. A possible solution to this would be for it to be mandatory that a row be filled before another can be sat in, to get members near each other at the least. Another possibility would be to center presentations and lessons on the members, rather than the presenter. Have the lesson focus on what the audience is learning to emphasize participation and help retainment of the information being taught. Fortunately, there are some very social and outgoing members of the group, so it isn't entirely silent.
The second observation that I made was how the atmosphere of the group was very light, and quite fun. The president even opened the first meeting I attended with a joke. However, the conversations that created this atmosphere seemed to be only between the two larger groups of members, and not so much between others. I felt as if there was an inside joke that I was not a part of through the duration of both meetings. By bringing quieter members into this atmosphere and having them participate as a part of it rather than as bystanders, the group as a whole can benefit from their contributions. While questions seemed encouraged, my position as someone who was not part of this inner group made me feel that asking one would result in me being singled out. Moving the members together could fix this issue, though encouraging participation would be much more effective. To that end, hands-on lessons could be turned into contests among the attending members, with groups being randomly assigned to split up the predispositioned ones and mixing in the outlying members. The presenter could simply give the basic directions necessary and then send the groups off. Small prizes could be awarded to every group that accomplishes particular goals. Though these lessons would require a large amount of preparation.

A common occurrence between both meetings I observed was that the lesson was impeded by lack of preparation. Though it barely affected the first meeting, as the issue was resolved quickly, the second meeting had an entire portion skipped. However, this was more of a technical difficulty than a lack of preparation, though proper planning could have alleviated the issue that occurred. My suggestion would be for the group to plan out its meetings a couple weeks or an entire month in advance. This would allow not only for ample time to be allowed for each meeting to be prepared, but for members to be informed of the content of each meeting and know what to expect. This is assuming they show up to learn, of course.
During the first meeting, I noticed that while the lesson was being walked through, several members were talking amongst themselves and not following along. While this might be acceptable in a classroom where attendance is mandatory, to come to an optional meeting and not pay attention is a little strange. Distractions are abundant, unfortunately, as with any time a laptop with access to the Internet is present. Another observation I made was that when questions about what was being done were asked, they would often go unanswered. My solution to this dilemma would once again be to focus the lessons around the members, that their participation keeps their attention on what's at hand, rather than what's in their hands. Though a larger problem arises when distraction occurs because the lesson being taught is one already well understood.

One of my final observations was that the lessons being taught were already ones that some members in attendance had learned. This was especially apparent during the second meeting I sat in on, where an entire presentation was ended early because everyone present understood the content of it, excluding myself. During the first meeting, the presenter would occasionally ask specific members if they could add more about a topic, as it was not something he himself knew. This disproportionate distribution of expertise might also be the reason certain members choose to skip out on meetings, though this is an inference. A possible solution to this could be to split meetings up, so that members of equivalent skill can learn together. This would help alleviate not only members being excluded due to lack of knowledge, but also ensure that each lesson is being taught only to those who lack the information already. These groups don't have to be set either, with members transitioning between each based on the lesson being taught. An additional benefit is that the more skilled members can work together to create a lesson plan for future meetings, if they so choose, and these planned lessons, in tandem with the advanced
planning solution mentioned earlier, could allow members to decide what group they will be participating in for a given meeting with notices weeks in advance.

While the observations I have stated here seem negative, they are only minor hindrances to the educational powerhouse that is the Security Division. The group is well organized and leadership roles are well-defined. Those in officer positions work diligently to make sure that their tasks are completed, and I can personally attest to the dedication of the president towards the group and its members. Should the problems I have specified be fixed, however, the group might see itself thrive even more, and open up its doors to more members that might be less inclined to join otherwise. Even in spite of those solutions, I foresee that the 49th will continue to be a clearinghouse for all things security related, and will continue training and informing its members, as well as presenting them with valuable opportunities to showcase their efforts.

The world is connected by the Internet. According to a study by IMS Research, there are over 10 billion devices capable of connecting to the Internet, with an estimated 28 billion by the year 2020. As the human race slowly increases its reliance on technology, so too must it increase the importance of security. Technology changes and grows rapidly, and the only way for it to remain secure is for security professionals, trained for the specific purpose of preventing infiltration, to change and grow with it. The 49th Security Division recognizes the future of security, and embraces its role as a breeding ground for the next generation of security specialists. I hope that through this essay, I have provided an insight that only an outsider could that will help the group perform its task to a greater extent than before.
