NCC Group admits its training data was leaked online after folders full of CREST pentest certification exam notes posted to GitHub
'Inhouse crt rigs to solve... book before ur exam' as firm claims 'some' of the content wasn't theirs
Exclusive: British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub – after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories.
The documents, posted to the cloudy code shack by an account set up last month, were held in a folder marked "cheatsheets". They appeared to be a collection of exceptionally frank and well-informed training materials. The offending repositories have now been removed from GitHub, though we understand some forked copies may still exist.
The docs offered step-by-step guides and walkthroughs of information about the CREST exams. One file, called notes.txt, included the line, “clone of the app exam so u can pass 1st time,” adding “speak to your line manager or AD first to book before your exam.” It also referred to “mock rigs” and “inhouse crt rigs to solve” on a “CRT training course”.
Some of the files in a repo labelled "cheatsheets and write ups for the CREST CRT and CTT exams".
CREST offers a certification called CRT: CREST Registered Tester. As explained on the CREST website, the exam is a practical exercise where candidates are “expected to find known vulnerabilities across common network, application and database technologies”.
The revelation of the internal company docs has provoked a debate in Britain's tight-knit infosec community about the nature of the relationship between NCC and CREST.
An NCC Group spokeswoman told The Register that the files were “a combination of old NCC Group internal training materials and content that has either been incorrectly attributed to NCC Group or which is unconnected to NCC Group.” She also confirmed that NCC CISO Dominic Beecher had posted on GitHub asking the person who shared them to get in touch.
NCC Group confirmed to El Reg that this was a genuine message posted by CISO Dominic Beecher to the GitHub leaks page
Sources who contacted The Register and spoke on condition of anonymity described the data's existence as an “open secret” in the British infosec world. Another who examined the files told us: “Some of the material is current exam content, while some of it is over a decade old (but current at the time of the material being created as per its date).”
CREST's CRT certification exam also includes a “multiple choice section aimed at assessing the candidate’s technical knowledge.” Copies of what appeared to be multiple choice test questions had also been uploaded to GitHub, complete with highlighted answers.
A screenshot of what appears to be a multiple choice exam with correct answers highlighted in yellow
At least some of the files in the repo also appeared to connect to a domain called canarytokens-dot-net when opened, multiple sources told The Register. VirusTotal entries shown to us suggested that one file was loading something that registered with two detection engines as a generic remote access trojan; however, the canarytoken website appears to offer a freely available honeypot-style file-tracking token designed to phone home once a file containing it is opened.
“CREST have strict NDAs in place which forbid the disclosure of ANY exam/lab content for these exams and quite rightly so,” said a Reg reader who asked to be identified only as S. “I know that if I was a customer of NCC Group, I would be annoyed that I had paid for a qualified CREST tester, and may have received a tester who only passed the exams due to receiving these [documents].”
Others on Twitter expressed similar concerns:
It's been forked, but that isn't really the issue at hand here. It's the abuse of the NDA and breach of both the CREST company CoC along with the member CoC for those who trained or authored the materials. NCC and CREST are like a jam sandwich and this is one sticky situation. — Scriptmonkey_ (@scriptmonkey_) August 11, 2020
A CREST spokeswoman told The Register the training materials were not relevant to current exams, while acknowledging their origin from NCC, which is a founding member of CREST. In a statement the organisation said:
CREST is aware of the content that has been posted by an individual on GitHub. We have conducted our initial investigation and this does not affect the integrity of current CREST examinations. The content appears to mainly be internal training material produced by a member company. There is also a small amount of old exam material that has been posted by the individual however this is out-of-date and is no longer used in CREST examinations.
CREST's spokeswoman added: “We can confirm that neither the ‘crestnda’ nor the ‘crestapproved’ replies on GitHub were posted by CREST and that these accounts are not affiliated with us in any way. We are continuing to investigate this incident.”
NCC’s spokeswoman added to El Reg: “We take our membership of CREST, the integrity of the CREST Code of Conduct, and our related obligations very seriously and comply with our obligations as a CREST member. We are currently reviewing the materials that have been posted, and are working closely with CREST.”
A couple of years ago a grad trainee who evidently did not have access to any cheat sheets took NCC to an employment tribunal, having emailed 300 staff asking for help on locking Kali Linux before stepping away from her laptop.
NCC’s share price on the London Stock Exchange was 181.30p at the time of writing. ®