Mythic Monday – Medusa and Immutability
- At March 23, 2009
- By Josh More
- In Mythology
- 6
Most people these days know at least part of the tale of Medusa. You know that she had snakes for hair and that anyone who looked at her turned to stone. Well, unless you’re big into gender theory, you can ignore the rest (at least for the purposes of this post), because today we’re going to talk about stone.
Throughout myth, stone is often viewed as unchangeable. Even in this modern day, we have phrases like “etched in stone” and stories of the Weeping Angels. Despite the obvious fact that it’s not true, we tend to think of stone as permanent. After all, making it otherwise requires special tools and/or special skill. In everyday experience, something that is made of stone is going to stay that way forever.
If only there were a way to apply the same concept to business security.
Granted, in many cases, you wouldn’t want this. Security should be reactive and responsive. As stable as stone may be, very few people would call it highly responsive. (Amusingly, as I write this, reports of the eruptions of Redoubt and Tonga are just coming in.) However, it would be nice if you could effectively lock certain changes into stone, rendering them immutable.
Well, you can. Most systems have access rights that can be tuned. If you configure them correctly, only the right people will be able to write to a given file. In effect, it’s like the computer has a special Medusa inside it that can turn files into stone for most people. This is a basic aspect of system hardening. If an attacker cannot write to a file, they can’t make changes, and you’re better off.
Ah, but what if you’re one of those Greek heroes for whom the computer’s Medusa doesn’t work? Shouldn’t you have the ability to ask Medusa to lock your files so that even you can’t change them?
Well, once again, you can do this. Most Linux systems have what are called file attributes (set with chattr and listed with lsattr on the ext family of filesystems) that, strangely enough, are used more often by attackers protecting their rootkits than by the administrators they were meant for. In addition to the basic read/write/execute (in this case, “execute” means “run”, not “stalk with mirrored shield, cut off head and cause the birthing of Pegasus”), you get special magic powers such as:
- Make immutable (chattr +i): the file cannot be written to, renamed, deleted or hard-linked until the attribute is cleared
- Make undeletable (chattr +u): documented in chattr(1), but not actually honored by ext2/3/4 in mainline kernels, so don’t rely on it
- Make append-only (chattr +a): new data can be added, as with a log file, but existing contents cannot be changed or truncated
Thus, you can create a configuration that is readable and works just fine, but cannot be changed, even by root, until someone with administrator rights explicitly clears the attribute again (chattr -i). Now, it’s not a panacea by any means. An attacker who already has root and knows the trick can clear the flag as easily as you set it, and cron jobs or package upgrades that expect to rewrite the file will fail until you remember to unlock it. Still, it stops non-root attackers and mass-edit mistakes cold, and one more layer of protection keeps out one more class of attacks. . . and that’s a win.
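As an added example (this script is not from the original post), here is a small POSIX shell script that locks a configuration file with the immutable attribute and then proves the lock holds by attempting a write. It assumes an ext2/3/4 filesystem, the e2fsprogs tools chattr(1) and lsattr(1), and root for the lock_config function (clearing or setting the flag needs CAP_LINUX_IMMUTABLE). The lsattr output lines near the bottom are constructed samples, not captured from a real host, so the parsing functions can be exercised without root; the file name lock.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Locks a config file with the
# ext2/3/4 immutable attribute and verifies the lock actually holds.
# Assumes e2fsprogs' chattr(1)/lsattr(1) and a filesystem that supports the
# attribute; lock_config must run as root (CAP_LINUX_IMMUTABLE).

# attr_field LSATTR_LINE -> the flag field, i.e. the first token of a line
# such as "----i---------e------- /etc/resolv.conf".
attr_field() {
    printf '%s\n' "${1%% *}"
}

# has_attr FLAG_FIELD LETTER -> exit 0 if LETTER (i, a, ...) is present.
has_attr() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# file_has_attr FILE LETTER -> 0 if set, 1 if not, 2 if lsattr itself fails
# (tmpfs, overlayfs and NFS typically do not support these attributes).
file_has_attr() {
    line=$(lsattr -d "$1" 2>/dev/null) || return 2
    has_attr "$(attr_field "$line")" "$2"
}

# lock_config FILE: set +i, confirm via lsattr, then prove it with a write
# attempt. A write that succeeds means the flag is not really in effect.
lock_config() {
    chattr +i "$1" || return 1
    if ! file_has_attr "$1" i; then
        echo "cannot confirm +i on $1 (unsupported filesystem or flag not set)" >&2
        return 1
    fi
    # Even root gets EPERM here until someone runs chattr -i first.
    if sh -c "echo probe >> \"$1\"" 2>/dev/null; then
        echo "write succeeded; $1 is not immutable" >&2
        return 1
    fi
    echo "$1 locked; run 'chattr -i $1' before editing or upgrading it"
}

# Constructed lsattr output (not captured from a real host) showing the
# parser working offline for immutable, append-only and plain files.
SAMPLE_IMMUTABLE='----i---------e------- /etc/resolv.conf'
SAMPLE_APPEND='-----a--------e------- /var/log/auth.log'
SAMPLE_PLAIN='--------------e------- /etc/motd'

# Usage (as root): sh lock.sh --lock /etc/resolv.conf
if [ "${1:-}" = "--lock" ] && [ -n "${2:-}" ]; then
    lock_config "$2"
fi
```

The write probe is the part worth keeping: lsattr only tells you the flag is recorded, while the failed append tells you the kernel is enforcing it on that filesystem. The same pattern with +a instead of +i is the classic way to protect log files, since the daemon can still append but nothing can rewrite or truncate history.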
For more information:
Announcement – Linux Security Presentation
- At March 20, 2009
- By Josh More
- In Business Security
- 0
The presentation that I gave at Infragard can be found here. In it, I discuss:
- How to choose between the multitude of Linux distributions
- How to properly secure a system once the choice has been made
The semipermanent home is here, and has a link to the .zip archive containing my raw vector and POV-Ray files from which this presentation is made.
Small Business Defense – AntiPhishing
- At March 19, 2009
- By Josh More
- In Business Security
- 1
The core problem with phishing is that it is a very human attack. It relies on people to, well, be people. The emails are crafted to be interesting or scary, and right when the reader is at the peak of wanting to know more, they are presented with a link. Once the link is clicked on, it’s game over… so the point of the game is to keep the link from being clicked.
It’s harder than it sounds.
One technique that would work well would be to completely block all HTML email. Thus, no pictures, no links. All email looks the same and all the HTML email coming in will look like utter gibberish. Now, as much fun as we all had in 1995, I think that we can all agree that that approach would not work well these days. So, what does?
Antispam
Many phishing attempts will trigger a good spam filter. The important thing to note, though, is that a phishing message sitting in a spam folder is just as effective as one that appears in the INBOX if the user opens it and clicks. If you use this as a primary defense, it’s important to make sure that the anti-spam quarantine system traps the messages in such a way that the links inside them are not live. Google’s Gmail and their add-on message security products work well for this.
Anticlick
If the emails get through (and let’s face it, no antispam solution is perfect), the next step is to prevent the click from occurring, or from doing harm when it does. There are technologies that whitelist allowed links and render all others unclickable. You can also run local HIPS software that can prevent a click from downloading and running software. If the HIPS software is good enough, it might even protect against overflows in the email client itself. Again, however, these solutions aren’t perfect.
Employee Education
The absolute best way to keep employees from clicking on the link is to continuously tell them not to click on links. It’s not perfect, but making employees responsible for their actions is the best way to get results. Much as someone would not leave the front door open and unlocked, they should be aware of the ramifications to the business should they engage in unsafe practices on the Internet.
Of course, we all know that people will make mistakes, which is why it would be wise to use both antispam and anticlick technologies as well. The combination of all three works far better than any one alone.
Small Business Attack – Phishing
- At March 18, 2009
- By Josh More
- In Business Security
- 0
Odds are that your business has a relationship with key vendors. Commonly, these include at least one bank and payroll processor. Of course, were one of these accounts breached, things could get really bad. Really really bad. In fact, things could get bad enough that people might not be thinking clearly when they click on links.
That’s all an attacker needs. One brief moment of panic or excitement, one click of a link, and they’re in.
Attacks can come in many forms. All an attacker needs to know is a little bit of information about your company and be able to bypass a spam filter. Then, suddenly, your employees will start seeing emails with subject lines like:
- “Problem processing your paycheck”
- “Health insurance lapsed”
- “[Payroll Company]: Bonus check available”
- “[Your Company] being sued by [Big Company]”
Once the employee opens the email, it may be all over, but odds are that your systems are somewhat secure. This means that they’ll actually also have to click on a link. Generally, this is done by naming the link one of the following:
- “click here”
- “more info”
At this point, the user generally clicks their mouse, the attack runs, and the attacker has access to all the files on the workstation.
But you should be OK. After all, it’s not like your employees have access to proprietary or customer data… right?
Security lessons from Nature – The Dinochicken
- At March 17, 2009
- By Josh More
- In Natural History
- 0
OK, so we don’t have a dinochicken yet; it’s being worked on. I just couldn’t pass up the chance to blog about it.
Building on last year’s moderate success linking Tyrannosaurus rex to a chicken (which, admittedly, is being challenged), scientists are attempting to reverse-engineer dinosaurs from chickens genetically. Specifically, they’re trying to produce chickens with teeth (which can happen), a longer tail and longer forearms.
So, what does this have to do with business, other than its being really neat?
Simply put, even if it’s possible to do this, it will be extremely difficult and expensive. They have to identify specific genes, figure out how to turn them on and off, find a series of stages to make the embryos viable (you can’t just hatch a dinosaur from a chicken egg, there’ll need to be steps), and eventually grow them to the point where they can self-reproduce. It’s a whole lot of work. If you wanted a dinosaur, it would have made a lot more sense to not let them go extinct in the first place.
Of course, there’s not much any of us could have done to prevent the extinction of the dinosaurs, but there are certain present-day species that could probably use a bit of help. If they become extinct, they’re gone. Sure, we could try to resurrect them with technology, but we’d lose all of the learned behavior that passes from generation to generation. It would be a lot cheaper and easier to save them now… and we’d do a better job.
The same applies to your internal I.T. projects. As the economy continues to stall out, and companies readjust their spending, stop and consider more than just the immediate costs. If you have a project that is truly wonderful, but is costing a fair amount of money, don’t just kill it. Maybe shift your focus from development towards documentation. Maybe adjust your sales strategy. Maybe sell it to another company. Just don’t let the project die. Recreating it could be far more time consuming and costly than you may like.
After all, you can go extinct after economic recovery just as easily as during.
Mythic Monday – Cúchulainn and the Morrigan
- At March 16, 2009
- By Josh More
- In Mythology
- 0
In Celtic myth, Cúchulainn was a classic hero. The Morrigan, however, was a goddess of battle and fertility (interesting how those two often go together). Near the end of his life, the Morrigan appeared to Cúchulainn in the guise of a young woman and offered him her help in battle. Cúchulainn, of course, refused her help and did so in such a way as to cause offense.
Admire the classic heroes as much as you like, but you have to admit that they had a fair amount of arrogance to them.
The Morrigan, upset at Cúchulainn’s attitude, cursed him and left. Later, so the story goes, Cúchulainn entered into battle with another warrior and the Morrigan did her level best to bring about his defeat. Being a classic hero, of course, he prevailed and later met her again in the guise of an old woman. Again, he didn’t recognize her.
At a later point, the Morrigan appears as the Washer at the Ford (aka bean nighe, a type of bean sídhe (not this one)) and then, after he ignores this warning, as three old crones (it’s a goddess plurality thing, just go with it). The three crones trick him into eating dog flesh, which he was sworn to never do. Cúchulainn is then weakened and loses his next battle.
So, ignoring the obvious lesson here (which is, of course, don’t anger a goddess), what business-applicable lesson might we learn from this story?
I think that the important thing here is that Cúchulainn has numerous chances to treat the Morrigan with respect, and never does. He is too caught up in his own legend to recognize the power of another. The classic read on this myth is that he doesn’t recognize feminine power, but I think the business point works just as well gender-neutrally. As such, he makes an enemy for life and she eventually brings about his downfall.
In business, we often see the same people over and over again. Some of my old coworkers are now working for competitors, some are potential clients, some have started their own businesses. Odds are that the same applies to you. If you work in this industry for any length of time, you may well see the same people rise and fall. You may find yourself sitting across the negotiating table from your worst enemy or your best friend. You never know what the future may hold.
Thus, it would be wise to pay attention to all people. Treat them with respect and help them when they ask. After all, the nice but inexperienced coworker may not be a goddess in disguise, but they may well become your boss in the future.
Announcement
- At March 13, 2009
- By Josh More
- In Business Security
- 0
I am giving some presentations over the next few months:
- Group: Infragard
- Topic: Linux and Security
- Time: Wednesday, March 18th at 8:00 AM
- Place: FBL – 5400 University Avenue – West Des Moines, Iowa 50266
Infragard is a joint effort of businesses and the FBI. At this monthly meeting, I will be giving a talk on Linux and Security. The talk is aimed at security professionals who may not be very familiar with Linux. This is an open meeting, so anyone may attend, but they have to RSVP. If you wish to RSVP, please leave me a comment and I will get your information to the person running it.
- Group: ISSA
- Topic: Virtualization and Security
- Time: Monday, March 23rd at 11:30 AM
- Place: Buccaneer Computer Systems – 1401 50th St – West Des Moines, IA 50266
ISSA is a group of security professionals. At this monthly meeting, I will be giving a talk on Virtualization and Security. The talk is aimed at security professionals who may not be very familiar with virtualization. Anyone may attend an ISSA meeting as a guest, but to attend several, you must join. Leave a comment if you wish to be my guest.
- Group: Des Moines Web Geeks
- Topic: Web Applications and Security
- Time: Monday, April 6th at 7:00 PM
- Place: Impromptu Studio – 300 Southwest Fifth Street – Suite 220 – Des Moines, Iowa 50309
The Des Moines Web Geeks are a group of web developers. At this monthly meeting, I will be giving a talk on web applications and security. The talk is aimed at experienced web developers and technologists. We will talk about basic attacks and then play with some tools and hopefully run attacks on some web sites. We’ll try to have some sample sites running, but for a really good time, get permission from your companies to attack your own sites.
After each presentation, I will post the materials on my website. However, the more the merrier, so please come and join the discussion.
Small Business Defense – Encryption
- At March 12, 2009
- By Josh More
- In Business Security
- 0
I think we can probably all agree that the right way to deal with yesterday’s attack is to build a system where only the right and trusted individuals have access to sensitive data. I think we can probably also agree that this will never happen in your average small business. Rearchitecting your data storage system, doing data classification and identifying user roles is just too much work, and any project that requires that much churn and does not impact the bottom line will never get approved.
So, let’s accept the reality that you’re not going to follow my advice and you are fully committed to an insecure paradigm. How can you minimize your losses?
The key here is to look for a system that allows your data to be readable by the right people, and unreadable by the wrong people. Naturally, this means encryption. There are a lot of encryption solutions out there. Lots of people will tell you that theirs is better than the others. Some will throw bit length at you, some will talk algorithms, some will focus on speed.
None of this should matter to you.
You want a solution to a problem, not a fight over mathematical intricacies, so here’s the deal.
- The system has to be publicly verified. If the word “proprietary” appears anywhere in the marketing material, the design has probably never been publicly reviewed and should be assumed too weak to use.
- The system should be inexpensive. If you have to count where you’re using it and pay accordingly, you won’t use it everywhere you need to.
- The system should handle key management. If an attacker can get the key to unlock the data, you’ve lost. If the valid users lose the key to unlock the data, you’ve lost.
That’s it. Three simple rules. Nothing else matters, because right now you don’t have encryption technology in place so any encryption technology that you deploy will be a win. Don’t spin your wheels picking solutions. Get a list together, throw out everything that doesn’t fit these three rules and randomly pick one of the very few solutions remaining.
Then, after you’ve used it for a year or three, you should know enough about encryption to pick a solution that truly matches your business needs. Best of all, you won’t be out much money and you won’t have lost much data during the learning process.
As a quick note to get you started, TrueCrypt is free and can encrypt entire hard drives, and GnuPG is free and can do a lot (it can be hard to use though). On the commercial side, PGP has a 30 day free trial, after which it cripples itself. It’s still usable, but not quite as usable as it used to be.
Small Business Attack – Type of Data: Proprietary Information
- At March 11, 2009
- By Josh More
- In Business Security
- 0
All businesses have it. There’s information that is important to the business. Maybe it’s a contract. Maybe it’s a client list. Maybe it’s a product roadmap. Whatever it is, odds are that you’d lose tons of money if a competitor got it. However, it’s also vital to your operations. There are employees that need access to the information to do their jobs. So, there is likely one of two scenarios at work:
1) There’s a shared drive somewhere that has the proprietary information on it, and is open to all people in the company.
2) Each employee has their own copy of the information, so there are multiple versions on multiple workstations.
So, if someone can access your network as a user or even just take an employee’s workstation, they get your data and you lose tons of money. How likely is that?
- Have you ever had a virus/malware infection in your business?
- Have you ever lost a laptop? A smartphone?
- Have you ever had an employee that worked for a week or two and then left suddenly?
- Have you ever had a breach of a web server?
- Have you ever received an email with a funny attachment? Did you launch it?
Odds are, that if an attacker wanted that data, they could get it easily. But with so many attack vectors, how do you protect the data and still allow people to access it?