NCC Group admits its training data was leaked online after folders full of CREST pentest certification exam notes posted to GitHub

British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub – after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. The documents, posted to the cloudy code shack by an account set up last month, were …

  1. Anonymous Coward

    "One file, called notes.txt and no longer available on Github"

    Uh... false? Seems to still be there to me...

    1. memnoch

      NCC Group's understanding of Git is apparently as good as their understanding of NDAs

    2. diodesign (Written by Reg staff) Silver badge

      "Uh... false?"

      Well, true in that the offending GitHub repo has been taken down. But I understand it's been forked. Don't forget to email corrections@theregister.com if you think something's wrong.

      C.

  2. WolfFan Silver badge

    ET Phone Home

    They put in a phone-home thingie on _files from an infosec course_? Really? Lesson 1, laddie: air gap. Or use Someone Else’s Computer (™). Or set the firewall, etc, on the home server (anyone taking infosec courses would have a home server or two, right? DHCP, DNS, RRAS, ADDS, Pi-hole, etc...). Or some combination of the three. Anyone who got caught by this should fail twice. Once for cheating, once for not taking elementary precautions.

  3. Anonymous Coward

    Outdated? I don't think so.

    One of those cheat sheet documents is an exact abbreviated walkthrough of an exam box I saw before the Covid-19 lockdowns. Some of this is definitely recent. I am appalled by their attitude and attempts to talk this down. Especially, when others have worked very hard for the qualification.

  4. Pete 2 Silver badge

    On trusting trust

    An online exam for pen testers. What could possibly go wrong?

    1. renke

      Re: On trusting trust

      Bonus points for pwning the host?

      Depending on the scope of the course and exam this may be a valid solution (but harder to grade, counting multiple choice answers is probably a more fair assessment).

    2. Anonymous Coward

      Re: On trusting trust

      Yeah, it's not an online exam. You have to go to sunny Slough and plug in to an isolated network. Normally moderated by an invigilator that works at a certain three letter UK consultancy.

  5. Anonymous Coward

    In the context of being a certified pentester I fail to see what knowing the blocksize of DES brings to the table. Unless I'm missing something.

    1. Anonymous Coward

      I assume you haven't still used that data as a pick up phrase yet. If it doesn't work when combined with "I am a certified pentester", you need to try a different kind of pub.

      1. Ken Moorhouse Silver badge

        Re: a pick up phrase

        The response to

        "Oh I do like your 64206 Mask"

        will rapidly filter out those that are merely sex mad.

        Knowing the blocksize can be important, ask a sweet 32 year-old, in the pub, once they have passed the above test.

    2. Anonymous Coward

      Because you would have to report it if found on a client's SSL config. It's a general knowledge exam, so loads of the content is mundane and fairly boring stuff.

    3. AndyD 8-)₹

      @DES blocksize

      In the parallel universe I share with WikiPedia the answer on the crib sheet is wrong, but what do I know - I'm so old I even worked for the NCC before it was 'privatised'.

  6. HildyJ Silver badge

    Betting pool

    Are they going to blame it on:

    Leaky buckets

    DNS

    Certificates

    COVID-19

  7. Anonymous Coward

    NCC Group director Mark Turner re-elected to CREST Executive board

    The title says it all really - unfortunately CREST and NCC will never be honest about this. It's a known fact that NCC have CREST documentation about how to pass the CRT/CCT exams. I don't doubt that there are a number of genuinely good testers at NCC who achieved their qualifications through hard work and experience - but on the flip side, I can imagine the arrogate n*bs there sitting a new starter down and saying

    'Don't worry about passing CRT/CCT - I'm just going to leave this pile of documents here for a moment while I go for lunch, when we come back we can discuss you booking your exam in - nudge nudge wink wink'

  8. Anonymous Coward

    check-ing in

    This becomes even more interesting when CCT and CRT act as gatekeepers for CHECK team positions and big government or public sector contracts. Bidding for these is limited based on having the staff available to deliver them.

    I can't speak for NCC as I have luckily never worked there, but it used to be that Crest exams were very hard to pass within the time given if you did not know what was on there, despite not being that hard technically. Most candidates from a company without a training programme wouldn't even know what to prepare for. I am out of the game and in management now but I think they have given more time. The syllabus never reflected the actual content but was just about close enough not to be an outright scam.

    Convenient if you can get your staff through an exam that allows you to control the market and rent seek while others or the self employed have to fail the exams several times to work out what is on there at 2k a shot to get over the barrier. We could get a new STEM grad with little infosec knowledge through the exams and onto a CHECK team within a few months.

    Also convenient if you can pick which staff to give access to the secret materials and run your pay and promotion structure based on passing them, then tell those who fail that they simply aren't good enough. It made the teams much easier to manage, saved some difficult conversations and helped justify keeping pay lower for those who weren't a flight risk.

    I assume Crest will be treating NCC as per their CoC or alternatively apologising to the guy who was stripped of his qualifications and banned for being overheard discussing exam topics on the train back from slough - unless NCC are above that and it doesn't count...

    1. Anonymous Coward

      Re: check-ing in

      Yes yes and yes. Correct on all accounts. If your face fits, especially in Manchester, you get access to all of the goodies and work your way up the ranks. Is there a reason NCC push CREST so hard? Sure, Mark is on the board at CREST and it makes things great from a business perspective knowing you can push loads of people through the CRT/CCT route using cheat sheets and cloned labs as a PR dream saying 'look how many of our testers are CRT/CCT - that's why we charge so much'.

      If I was a customer of NCC - I would be wanting to know that the tester who did my work, potentially on government jobs did a thorough job and wasn't just someone who got their CRT through the 'rush' method. I'd also make ALL staff at NCC who are currently CRT/CCT re-sit their exams and see just how many of them passed. No doubt there would be some who would pass it no problems at all, but would weedle out those who had 'special' help. I wonder how many of the 'cheaters' would drop Mark or one of his fanbois in it if pressure was applied...

    2. anonymouses

      Re: check-ing in

      "Also convenient if you can pick which staff to give access to the secret materials and run your pay and promotion structure based on passing them" - I couldn't agree more with this statement in particular. Well, I agree with most of your comment, but this one stands out. Do people think this is the only material that is circulating within the team? Of course not!

  9. Anonymous Coward

    Not the first time...definitely not the last

    Accept it, NCC is not the only company doing this "internal training with cheat sheets" and definitely not going to be the last one. What was wrong with CHECK certification before CREST came along and tried to make money out of this exam? What is wrong with TIGER scheme?

    The monopoly of CREST needs to end.

    The Sales tactics of "We have largest CREST certified consultants so our day rate is high" needs to end too. As a customer if I'm getting rigged consultants, then I don't want to work with such company.

    NCSC should step in and hand over the entire certification process to an independent body (just the way they did with Cyber Essentials) who is not inclined to get pally with one company out there to be the biggest pentest providers.

    1. Anonymous Coward

      Re: Not the first time...definitely not the last

      Given the out and out lies from Crest in their response. One of the exam boxes was still valid pre-covid so by "Old" they meant they just removed it.

      Are NCSC going to respond at all? Should they strip the exam results from those who have taken Crest Exams from NCC during the time period?

      As to different exam structures, having taken the Tigerscheme SST, Cyber Scheme CSTL and Crest CCT in my time so far, I can confidently say there is barely any difference in difficulty technically, only differences in what they test. The main difference however is that SST is 6 hours and CCT is 3 hours for the main scenario. I believe the viva in the SST and CSTL is a key part of testing as you have to explain how and why you made the choices you did; this will catch out a lot of those who have just been trained on cloned rigs.

      1. anonymouses

        Re: Not the first time...definitely not the last

        The way CREST works is bound to make people have cheatsheets and secret notes.

        This is like enforcing 30 character passwords on employees with all the complexities for a 30 day time period. What is the result? People are going to write their passwords on sticky notes and put them on their desk. Did you achieve the goal of making passwords secure? Not at all.

        CREST exams are more like CTFs with a timer assigned to each flag. Is this the right way to test how competent you are? If your approach is correct but you failed to achieve the flag, you fail the exam straightaway. And, god forbid, if you are in NCC, that means you fail your promotion and hike as well because management is prepared with - we paid 2K for your CREST so no hike for you this year!

        Other exams don't do that. CHECK scheme (and I believe TIGER as well) watch your screen and grade you based on your approach and knowledge of attempting a challenge. My clients while on a project don't want me to take their network as a CTF, they want to get thorough testing. CREST needs to change their approach.

  10. streaky

    Wat

    What's that certification supposed to be with such remarkably easy questions in a test?

  11. This post has been deleted by its author

  12. Anonymous Coward

    Where is NCSC?

    Why is CREST solely responsible to take the entire UK (and global) market to assess the consultants? No wonder they are abusing this privilege and their monopoly.

    Rotate the certification bodies operating this assessment each year. There are other players in the market too. Give one year to TIGER, then to OSCP, IRM, back to CREST. This would be the true test of people actually passing out without having to maintain cheat sheets and secret notes. Let's see how many actually pass out from companies like NCC who are producing more CRT/CCTs.

    What is NCSC doing about all this corruption that is happening already?

  13. Anonymous Coward

    Corruption through and through

    What is even worse about this is that Mark Turner in his day job of director of NCC is ultimately responsible for the team schedule. When jobs are allocated by the scheduling team, Mark has overall say and oversight of the schedule and approves jobs. And yet, he is also the chairman of CREST talking about ethics and professionalism...

    I had posted this earlier but withdrew it in order to add the following:

    When consultants are taking non-billable time for training and courses this is reviewed and noted in the schedule differently to a client project. As Mark Turner approves the schedule, he is fully aware of the training courses his company run, and he's fully aware of who is on these courses so he can't claim ignorance as he knows full well who is doing what and when. He would also approve the non-billable development time needed to build and deploy training machines...

    He has wilfully ignored the CREST CoC and NDAs and should resign from CREST immediately.

    1. anonymouses

      Re: Corruption through and through

      If this is true, then it's really bad to be affiliated with CREST and manage a team who are breaking the NDA and CoC willy nilly.

      I wonder what investigation CREST is doing as they clearly denied wrongdoing according to their announcement and said that the "material was outdated". So is it fair for everyone who has appeared for CREST to release their cheat sheets and secret notes on the Internet? How is CREST going to stop that from happening? And what is stopping people from releasing their "outdated" notes?

      1. Anonymous Coward

        Re: Corruption through and through

        As an ex-NCC employee I can confirm it is true that Mark is the person ultimately in charge of the Manchester team schedule. Everyone at NCC knows about cheat sheets and is always sharing exam material. Management know too. All the assessors who work at NCC know.

        Considering these certificates are tied to promotions and payrises, no wonder everyone is at it.

        1. anonymouses

          Re: Corruption through and through

          CREST's action after all this will be worth watching.

          Will they allow any other company to continue after all this leak that has come out? Why favour one and treat others differently?

  14. Anonymous Coward

    NCCheaters finally exposed - best in the f'ing world, eh?

    I am personally very happy to see that someone finally decided to expose this corrupt relationship between CREST and NCC Group. This is indeed an open secret known in the UK infosec industry for a long time, and many other companies and individuals suspected of the disproportionate amount of CREST certified consultants from NCC Group that passed the exam in their first attempt - now you all know why.

    While I cannot confirm the materials leaked are real, I can say their internal CREST workshop is indeed a leaked version of the exam. This is not a new thing: I was certified nearly a decade ago while working there and seems like this practice exists up to this day. To make matters worse, management is complicit and senior staff are aware of this and many of them are holding this workshop.

    When the workshop finished we were not allowed to take the mock exam or any other material: it was all shredded right in front of us. A few days later I sat the exam and lo and behold... those were the exact same questions of the mock test of a few days earlier.

    The response from CREST to this leak was ludicrous, but not unexpected. The not-for-profit is nothing but an old boy's club, money grabbing scheme envisioned by Ian Glover to make sure government and private sector won't hire the companies that prefer to stay out of this bullshit and don't subjugate to their extortionate membership fees.

    Consultants from NCC Group and the company have been given an unfair advantage over all other consulting firms competing for CREST work for over a decade now. If CREST was a serious organization, all certificates issued to NCC would be voided by now - but we all know this will never happen.

    Both NCC Group and CREST should be held accountable for their corrupt relationship. This episode should serve as a warning to the whole industry and infosec market about how worthless many certifications and schemes are and about their real purpose: to benefit the big players and screw over small boutique firms trying to make a name for themselves in this market.

  15. Anonymous Coward

    As an ex-NCC pentester this isn't a surprise. The internal lab environment closely mirrored the CREST lab including having the same AD domain names and host names. I wasn't told this before the exam, however, during the exam it became clear.

    I brought this up at my annual review and was told to look at it from a commercial perspective. They need to churn out qualified testers to do more CHECK work. It makes sense for them to make it easy to pass the exams.

  16. Anonymous Coward

    Glassdoor review from 11th Feb 2019 (http://www.glassdoor.co.uk/Reviews/Employee-Review-NCC-Group-RVW31805003.htm)

    "Good training program, especially the internal CREST workshops and virtual labs that train you to pass CRT and CCT first time. I took CCT App and passed 1st time because of the training labs."

    Overall it's a negative review but NCC even responded to it with - "It's fantastic to hear you consider your bonus scheme and technical training programs to be some of the pros of your role."

    The arrogance they wouldn't get caught beggars belief.

  17. Bobb1ns

    Long time coming

    It's a well-known industry fact that if you have a CREST assessor in your company then you're much more likely to pass CREST. I worked at NCC when the CREST exam replica rigs were set up and the exam has not changed much over the years. Before that, when GCHQ were doing the exams, there was a replica of that exam set up by Mark Turner.

    For the Git dump to have the entire multi-choice question and answers, this has come directly from an assessor within NCC who had access to copy it and distribute it internally. Can't believe Ed and Dave Cash were so stupid to put their names on the documents.

    Then for CREST to say the changes made to the rig between 2018 and JULY 2020 make the info invalid is absolutely absurd, as anyone who has sat the exam in the last few weeks will attest to.

    That said, nothing will happen. The "independent" review they say they will do will be selected by CREST so won't result in anything.
