Horsing around at SchmooCon

Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.

1) Operations

For many years, the community has been saying that security is facing an operations challenge, not simply one of just technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day when people don’t do the right thing; this is the fundamental reason most people get successfully attacked.

In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable.  Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.

Sadly, we live in a world full of dead and starving horses.

2) Separation of Targets

Fortunately, not every business is as behind as most we see. There are many businesses doing security right. They are investing money to protect assets, training employees and seamlessly running operations. These companies are succeeding, and as a result, the gap between “good” and “average” is widening dramatically.

To get back to the horse metaphor, we no longer have a single race. Instead, we have two. In the first, people are riding their horses much as you’d expect. In the second, businesses have invested in security but not operations, dragging their dead and dying horses around the track. These races work very differently and therefore are attacked differently.

If your operations are failing (as in #1 above), your horse may not be worth much. However, if an attacker can get a nice pile of dead horses, they can sell them for glue. In other words, these are the low-level attacks we see every day zeroing in on credit cards, ACH transfers and customer data. Attackers focus on bulk theft and you are just a convenient target.

However, if you have good security AND good internal operations, you’re in a different race. A horse thief focusing on live horses is going to have more options than one who raids the graveyard. The attacker who selects a company with good operations will see greater value from a successful attack. If your company is investing in day-to-day operations, odds are you have some juicy intellectual property to protect. This is where these attackers focus.

In either case, if you’re behind more than half the horses in the race (i.e., below average), you’re going to lose. Remember, the attacker just has to win once… you have to deflect the attacks constantly. The attackers are targeting the easiest in each category first, so as horses vanish from the race, you have to keep improving to stay above average.

3) Defensive Intel Sharing

Finally, there is the true value of an event like Shmoo. The value isn’t in the sessions (though they are great), but in the discussions in hallways and over meals. This is where security people get together and share ideas as to what techniques work to defend against these attacks. We brainstorm and share intelligence. This helps us protect our own little corners of the world better.

To beat the horse metaphor to death, it is as though an international team of horse rustlers (hackers) specialize in stealing horses (your business). Some are great at stealing wagons and have no idea what horse they’ll be getting. Others team up and have one person good at riding horses, one at distracting jockeys and maybe a large animal vet to determine how best to use the newly-stolen horse. They share ideas with other teams as to what has worked and what hasn’t, thus they constantly improve.

At Shmoo, we share ideas that keep our horses from being stolen. It could be as easy as putting better locks on the stables, or as ridiculous as using velcro saddles to keep the jockeys firmly seated. In many cases, it is about small improvements … ways to feed the horses more cost-effectively, or the ability to keep an extra set of eyes on people approaching your stable.

In other words, going to Shmoo isn’t likely to help you, but it will certainly help me help you. Now, let’s talk about your horse.

 

(Originally posted on RJS Informer)

Password Security and Schools

For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this awards them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the legal side, we receive the ability to gather passwords used in the real world and analyze commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain information gets leaked.

Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in, but it certainly looks correct and the leak has already been plugged, thus illustrating the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords for 246 sixth graders.

You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, there were only 34 unique passwords. 34!

Here they are:

  • glasses = 13 (5.28%)
  • finish = 12 (4.88%)
  • button = 12 (4.88%)
  • dinner = 12 (4.88%)
  • oranges = 12 (4.88%)
  • apples = 12 (4.88%)
  • letter = 12 (4.88%)
  • stormy = 12 (4.88%)
  • gentle = 11 (4.47%)
  • cupcake = 11 (4.47%)
  • winter = 11 (4.47%)
  • butter = 11 (4.47%)
  • carpet = 11 (4.47%)
  • joyful = 11 (4.47%)
  • summer = 10 (4.07%)
  • middle = 10 (4.07%)
  • friday = 10 (4.07%)
  • person = 10 (4.07%)
  • football = 10 (4.07%)
  • people = 10 (4.07%)
  • soccer = 10 (4.07%)
  • butter32 = 1 (0.41%)
  • butter27 = 1 (0.41%)
  • dinner20 = 1 (0.41%)
  • letter38 = 1 (0.41%)
  • summer17 = 1 (0.41%)
  • summer83 = 1 (0.41%)
  • winter34 = 1 (0.41%)
  • apples74 = 1 (0.41%)
  • letter28 = 1 (0.41%)
  • Password = 1 (0.41%)
  • summer22 = 1 (0.41%)
  • letter48 = 1 (0.41%)
  • winter64 = 1 (0.41%)

Note the right hand column. Those are the passwords that are truly unique. This means that of 246 passwords, only 13 of them are not like the others. Of those 13, only one wasn’t based on the shared list. And even that one was the always original “Password.”

In all the analyses I’ve done, this is by far the worst.  There are a handful of possible scenarios here. Ignoring the possibility this is completely fabricated (the usernames of the children make that seem somewhat unlikely), this is either a set of passwords that were generated for children or by children. Given how evenly matched the passwords are in distribution, it seems more likely there was a list of 21 “default” passwords that were generated and then the students were asked to change them. Given the passwords on the right hand column, it seems as though the instructions were “add two numbers to the end of your password to make it secure.”  The password of “Password” matches a username of “Username,” so it’s probably a header or a default value and can be ignored.

So, what’s wrong here?

First, selecting passwords in this way means if someone knew their password and wanted to try to get into other accounts, they’d be able to get into at least 9 other accounts and possibly as many as 14 … and that’s with doing no work at all. If you look at word pairs you get summer/winter, apples/oranges and soccer/football. This raises the number of breached accounts with inside knowledge to 25. Now, if you decided to attack this system with a default word list, it would take about a day to get hits on most of these. If you had a list of usernames, you could easily gain access to every account on this list in a day.  In some systems, it would take as little as a minute to crack each account.

So no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the right hand column contains passwords that people changed, only 12 students changed their passwords as instructed. If we assume they were given instructions, this means we can expect 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are even more likely to follow directions than adults, so in an average organization, we can assume less than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.

Now take a minute and think what this would have looked like if the following changes were made to the system:

  • Users are assigned completely random passwords
  • The system required passwords to be at least 12 characters long.
  • The system required passwords to have a mix of upper case, lower case, numbers and punctuation

What would happen?  First, the student would probably write his or her password down somewhere. Now that code is as safe as a locker and/or the student’s resistance to bullying.  Maybe there’s a better way.

What if the system were set up to allow users to register themselves and had a password complexity rule. Suppose it had to hit a specific score of something like 100, where the scoring worked this way:

  • base starts at 0
  • Upper case character base+10
  • Lower case character = base+10
  • Number = base+10
  • Punctuation = base+10
  • Space character = base+10
  • Score = base * length of base

If someone wanted to use a basic word like “winter,” the system wouldn’t accept the password. “Zoologists” on the other hand, would be accepted. If you wanted something shorter, you could go with “like2″ to obtain your required score of 100 (a base of 20 * 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold score and weighting various characters differently, people are driven to select their own passwords.

Using the rules above, suppose you wanted a specific score of 1000. “Jooxiepa8da X1Zaode!” would work, but so would “Ask not what you can do for your country.”  Which is easier to remember?

This is how you generate passwords to meet an arbitrary security threshold that are easy to remember and hard to crack. Since people don’t follow directions (5% change rate) and write down hard things to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password security from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.

In fact, maybe we should do this in business too.

 

 

(This article original posted at the RJS Insider)

Security Certification 3/3 – Doing and Teaching

This post is part 3 of a series.  Please see posts 1 and 2.

So you’ve learned something. Congratulations. Knowing is half the battle. Sadly, the other half involves actual fighting. This post is on how to fight… or, in this case, demonstrate that you know stuff. (Which is a lot like fighting if you leave all that tedious stuff about hitting people.)

I like to follow the old cliche “Learn One, Do One, Teach One”. So you’ve learned something. The next step is how do you do something with it? Since we’re talking about security, the best option would probably be to stop a bad guy. Sadly, that’s not always feasible. Fortunately, you have some options.

Doing

One thing I strongly suggest is joining an open source project. I used to suggest starting one, but it seems that whenever I said that, someone would run off and make a new network scanner. We have enough of those.

Join a project that uses modules. Metasploit is good. So are SET and NMap. If you’re webby, take a crack at extending w3af. This will force you to understand a system, improve a system and work with others to get your change accepted. In short, it demonstrates everything that a prospective employer wants.

Suppose you’re not a programmer. That’s OK. You can use the tools above to run assessments. Assess your home network to learn how everything works then start calling local non-profit groups. Offer them scan in return for the ability to post a summary of the results online (after they approve the anonymization of the data). Now, there is a bit of risk here, so you might want to investigate error and omissions insurance before hand. At the very least, consider one of the “approval” forms so that you’re protected. Learning the ins and outs of these sorts of assessments demonstrates that you not only have the technical skills, but that you can also use them in a meaningful way.

(Note: Never give anything away for free. This is a scan in exchange for publicly-viewable experience. If you offer to work for free, all you’ll do is get a lot of clients… who also want you to work for free.)

Now, those two paths are all well and good if you’re technical. However, we have some people in this field that aren’t technical at all. There’s nothing wrong with that… but be aware that to be truly successful you have to understand both technology and people. Try to branch out.

If you’re not going to branch out, you can still help an open source project. Documentation on many projects is… well to call it “lacking” would be like calling the Titanic “a boat that encountered a spot of bother”. There’s a lot of need there and a lot of wikis that are fully editable, so get cracking. You might also be able to help with project management, with resolving disputes on mailing lists, or by prioritizing bugs based on user impact. You know, basically doing all the tasks that stereotypical geeks aren’t very good at.

The next step is to promote the fact that you’ve done something. The best way to do this is teaching, and the Internet makes this easy.

Teaching

Teaching is all about sharing knowledge. While the traditional teaching option of holding a class is still viable, it doesn’t give you the same range of exposure as techniques like blogging and vidding. You certainly get a more personal connection by teaching a class and the people consuming your content might absorb it better, but if you’re wanting to build a brand and try to jump into a better job, you have to cast wide. Here are some options:

Basic blogging is much like you’re reading now. Just grab yourself a domain, link it to WordPress and go. The difficulty with blogging is the tendency to lose time to “research”. If you’re new to blogging, give yourself two days (20 hours) of research time on how to blog. A good place to start are the Converstation Archives. Once you’ve done that, build a list of topics and give yourself one hour for each topic. Give yourself 20 minutes to write the content, 20 minutes to edit the content (after waiting a day or so), and 20 minutes to publish the content on WordPress (this includes adding links and images). You can spend more time than that on posts that matter strongly to you (as I did on this series), but be careful not to spend too much time. If you keep trying to make it “perfetc”, it’ll never get published.

Micro-blogging is a lot like blogging, but you say more with less. In the US, Twitter is the most popular micro-blogging platform, but Facebook and Google+ are challenging it. Personally, I find this a very difficult medium. What works for me is to write a blog and then excerpt key phrases from it for micro-blogging purposes. If you’re gifted in this medium, feel free to start here. However, if you use it for professional purposes, please try to avoid the shorthand that’s common in the medium. U wont get jobz talking lik this.

Vidding and podcasting are other techniques that I’m not personally comfortable with, but which work for a whole lot of people. This is as simple as sitting in front of a web camera and talking to an audience that you hope will emerge over time. My attempts at podcasting were all aborted because the editing took too much time. Perfectionism and linear editing do not mix well. I hope to give this a shot again later this year, but we’ll see. It’s very hard for me.

One friend suggests that these techniques are made easier if you have a script.  Granted, you have to practice to make sure it doesn’t sound scripted, but this is very good advice.  I’ll have to try it the next time I give this technique a whirl.

Graphically-intensive content such as infographics and comics is another way to get the message out. I’ve done tons of infographics (few are public) and a fairly large graphic novel that has been “in progress” for the last five years. The trick here is not biting off more than you can chew. If you are skilled graphically, take a shot at illustrating what you’ve done and sharing it with others. This can be a very powerful technique.

There are tons of other methods. If you think I’ve missed something important, please let me know in the comments.

Conclusion

This has been a lot of text… but hopefully this has answered your certification questions at a very high level and explained how to extend your learning. If you do this, you should gain something more directly useful to you than tacking a few letters to your name. Of course, it’s a bit more complex than this in “real life”.

In addition to what I described here, each certification comes with it’s own community which may or may not mesh with your needs. Personally, I mesh well with the SANS community and not very well with the ISC(2) community… but this is extremely personal. There’s no way to know where you’ll mesh without giving it a try, so pick the certification based on what you need to learn and figure out the social aspects once your certification grants you access to a community.

Similarly, the “doing” and “teaching” phases only work if you dedicate enough time to them. Your journey doesn’t end when you get the certification, so if you can’t devote the time from your life to complete the process, you should seriously reconsider whether to even get a certification in the first place.

However, if you can afford the time to learn, do and teach, you should see your professional life advance extremely quickly.

Security Certification 2/3 – Learning

If you’re reading this post, it is assumed that you’ve already read my post on what certifications are for. If not, go there and check it out. This post details my method for comparing certifications.

First, go to each certification’s website and review each certification’s pre-requisites. If you don’t have any of them, it’s probably not wise to do the next step with that one. While I recommend challenging yourself and pursuing a certification for which you do not have all of the pre-requisites, if you have absolutely none of them, you’ve identified what you need to learn and that the certification you are considering will not teach you that.

Second, consider your career trajectory… then throw it away. Some certifications have specific paths that are laid out for you.  If you go into the CISSP world, you’re “supposed” to be a manager.  If you use Offensive Security, you’re “supposed” to be a penetration tester.  While it’s true that these certifications have somewhat high value in these areas, increasingly, security practitioners are expected to know a bit of everything and be good at what they’re good at. It’s about the learning process. Unless you have no interest in learning (in which, go away, this post is not for you), you’ll be better off picking a certification based on what you’ll learn from the process. If you pick a career path laid out for you by someone else, you’re not only trusting your life to guesswork… but to someone else’s guesswork.  For example, my grandfather gave me my first computer because it was the wave of the future… but also gave me a slide rule… “because you’ll need to be able to take something into the field with you”.  If you’re going to screw up your career path, at least do yourself the favor of doing it to yourself so you can analyze why you wound up where you did and can correct from there.

Third, review what the different certifications cover. For each topic covered, give yourself a rating based on how well you know the topic.

  • 0 = No idea what the topic means
  • 1 = Have a bit of clue about the topic, maybe played with it in a lab
  • 2 = Have done this professionally or played with it a lot in a lab environment. Still have room to learn.
  • 3 = Have done this enough to consider yourself something of an expert
  • 4 = Understand this topic inside and out. Comfortable teaching it to others.

Now, take an average of all your ratings and divide it by four. This will give you a percent of what you already know from what the certification will teach you. Subtract this from 100% to get the amount you will learn from the certification.

Fourth, you have to factor in your time. Most of us have a loaded rate for work that includes salary and benefits. If you know this number, use it. If not, take your hourly rate (convert if you’re salaried) and multiply it by 1.5. If you’re unemployed, figure out what you’d charge doing freelance work. You can quibble over this all you like. Really, you’re just measuring the cost of the time it takes to gain a certification, as that time could be used to boost your skills by working overtime at your day job or doing freelance work in the evenings.

Finally, estimate the time you’ll spend on the certification, multiply it by your rate, add the certification costs and you’ll have a dollar estimate. Take your learning percentage and divide it by the dollar estimate and you’ll get you a number that you can use to compare how valuable that particular certification will be for you.

In other words, Value = (Learning Percentage) / ((Time Spent * Hourly Rate) + (Cost of Certification)). When comparing certifications, the highest value wins.

Here are two examples. Since a lot of the information about tests is hidden behind registration links, I won’t do a complete analysis… just enough to give you an idea of what I’m talking about. In this, we’ll assume that my time value is $50/hr. Basically, I am choosing this number because it makes the math easier and should be in line with a mid-level career person that loves learning enough to drop the “personal cost” a bit. If you’re entry level, it’ll be lower. If you’re well seasoned and have other hobbies, it’ll be higher.

Note: I am also assuming a “zero” time cost to taking in-person classes. There is actually a time cost here, but for most people, it’ll be incurred by your organization, not you. If this isn’t the case, add the time cost back in.

Example: CISSP-ISSAP

This certification would extend my existing CISSP to focus on architecture. Reviewing the Candidate Information Bulletin, there’s a lot of information covered. Here are the first two domains. My score for each point is in brackets at the end. (The typo for “Methodology” is theirs… sorry.)

1) ACCESS CONTROL SYSTEMS AND METHODOLGY
A. Apply Access Control Concepts Methodologies, and Techniques
A.1 Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege) [4]
A.2 Access control administration [4]
A.3 Identification, authentication, authorization, and accounting methods [3]
A.4 Identify and access management architecture [3]
B. Determine access control protocols and technologies (e.g., RADIUS, Kerberos, EAP) [3]

2) COMMUNICATIONS & NETWORK SECURITY
A. Determine Communications Architecture
A.1 Unified communication (e.g., convergence, collaboration, messaging) [2]
A.2 Transportation mechanisms (e.g., voice, facsimile) [4]
B. DetermineNetworkArchitecture
B.1 Network types [3]
B.2 Protocols [3]
B.3 Securing common services (e.g., wireless, email, VoIP) [4]
C. Protect Communications and Networks
C.1 Firewalls [4]
C.2 Gateways, routers, and switches architecture (e.g., access control, segmentation, out-of-band management) [4]
C.3 Detection and response [4]
C.4 Content filtering [4]
C.5 Device control [4]
D. Identify Security Design Considerations and Associated Risks
D.1 Interoperability [2]
D.2 Audit requirements (e.g., regulatory, legislative) [3]
D.3 Security configuration (e.g., baseline) [4]
D.4 Remote access [4]
D.5 Monitoring (e.g., sensor placement) [4]
D.6 Network configuration (e.g., physical, logical, high availability) [4]
D.7 Operating environment (e.g., virtualization, cloud computing) [4]

So, for the first two domains of the CISSP-ISSAP, we get (4+4+3+3+3+2+4+3+3+4+4+4+4+4+4+2+3+4+4+4+4+4) / (22 * 4) = .886 for a “known” ratio. This means that the percentage that I have to learn is 11%.

Now let’s look at costs. The official textbook runs $80. The review class runs $2,195. The test costs $449. And the certification costs $82.50. (Not required, but included because the GIAC cert comes with passing the test and we want to be as fair as possible.)

So, we have two options.

* Take the full in person class (assuming the course book is included with the class) $2,195 + $449 + $82.50 = $2,726.50. Add to this, study time of 20 hours at $50/hr and you get $3,726.50
* Wing it with the textbook $80 + $449 + $82.50 = $611.50. Add to this study time of 40 hours, and you get 2,611.50

So, if I were to take the in person class, I’d get a learning value of 11/3,726.50, or 0.295%. If I were to wing it, my learning value would be 0.42%… but the burden of the work would be on me.

Example: SANS/GIAC GXPN

Let’s compare this to the SANS/GIAC Advanced Penetration Testing Essentials / GXPN option. Looking at Day 1, we have the following list of learning objectives:

Low profile enumeration of large Windows environments without heavy scanning [1]
Strategic target selection [2]
Remote Desktop Protocol (RDP) [1] and man-in-the-middle attacks [1]
Windows network authentication attacks (e.g., MS-Kerberos, NTLMv2, NTLMv1, LM) [2]
Windows network authentication downgrade [0]
Discovering [3] and leveraging MS-SQL for domain compromise without knowing the sa password [1]
Metasploit tricks to attack fully patched systems [1]
Utilize LSA Secrets and service accounts to dominate Windows targets [1]
Dealing with unguessable/uncrackable passwords [2]
Leveraging password histories [1]
Gaining graphical access [2]
Expanding influence to non-Windows systems [3]
Exploiting single sign-on systems [1]
Escaping restricted desktops [1]

So, for the first day of this class, we get (1+2+1+1+2+0+1+1+1+2+1+2+3+1+1) / (15*4) == .333 for a “known” ratio, or a learning percentage of 67%.

Looking at costs, it’s a tad more complex, with more options, but fewer parts. The vLive version of the course costs $4,370. The Self Study option costs $3,916. The Conference version costs $4,595. For all options, the test costs $549.

So we have three learning ratios to calculate:

* Self Study: 67 / ($3,916 + $549 + 60*$50) = 0.89%
* vLive: 67 / ($4,370 + $549 + 40*$50) = 0.97%
* Conference: 67 / ($4,595 + $549 + 20*$50) = 1.09%

Example: CISSP-ISSAP vs SANS/GIAC GXPN

So, as you see, even though it’s the most expensive option, you maximize learning when compared to time and dollar costs with the GXPN Conference option.

Certification Option Cost Learning Value
CISSP-ISSAP Class $3,726.50 0.295%
CISSP-ISSAP Self Study $2,611.50 0.42%
GXPN Self Study $7,465 0.89%
GXPN vLive $6,919 0.97%
GXPN Conference $6,144 1.09%

Now, there are a LOT of variables at play here. If you mis-estimate the time you’ll spend or the amount of money your time is worth, you’ll get drastically different values. So think about these numbers carefully before before you decide for certain which certification to pursue.

Once you’ve followed this process, you’ll have an idea as to which certification to pursue. If you are in this solely for the learning, stop now. The next post is not about certification but focuses on extending your learning in a way that is visible and gets you both known in the community (building the Who You Know) and in gaining and demonstrating experience.

Security Certification 1/3 – Certifications in General

It seems that, about once a week, someone asks me about security certification. A lot of people seem to believe that a security certification can get you over the “need experience to get experience” hurdle. The point of this post is not to tell you which certification to get (though it does do this), but to explain why this common line of thinking is wrong.

At the entry level of the job market, the “you don’t have enough experience to get experience” problem is particularly troublesome. This is especially true in the current economy where fewer jobs means that many more experienced workers are competing for the entry level ones. These are the people that typically come to me and ask “CISSP, Security+ or GSEC?”.

However, if you show someone an experience-less resume that lists a security certification, all that is communicated is that that particular certification can be attained without experience. This weakens the certification and does nothing to make you look better.

In fact, most hiring managers I’ve spoken too will take the stack of resumes and filter it as follows:

  1. Throw out everyone lacking a college degree.
  2. If the stack is still too tall, throw out everyone that doesn’t have a four year degree.
  3. Then they look at experience and get rid of everyone that lacks the requirements.
  4. If the stack is still too big, throw out everyone that has experience but isn’t certified.
  5. Take any resumes that come with a personal recommendation and add them back in to the pool.

It may not be fair, but when any job opening solicits hundreds of resumes, it is a fast way to get through them. It also means that if you have no experience, possessing a certification gains you absolutely nothing. In fact, the best thing you can do to be considered is to know someone in the organization. After that, the most helpful is a degree, then experience, then certification… but only as a tie breaker.

(Note, in some job areas, like the US Federal Government, certain certifications are required for specific job levels. Assume I’m not talking about these job areas. After all, if you’re going for one of those, you already know which certification you need.)

It seems, from this, that I’m saying that certifications are useless. Nothing could be further from the truth. Certifications are great… just not for getting a job. Let’s look at what employers find to be the most useful: who you know, college degrees and experience.

Who you know

If you are recommended by someone that the hiring manager knows, the manager has already vetted you far more thoroughly than is possible in a series of interviews. They know that you are likely a good person to work with, as you can clearly be friends with the sort of people that work at the organization. They know some of your strengths and weaknesses. In short, they know that you can probably do the job and that you are likely to grow with the business.

A lot of people are disdainful of the “good old boys” network, but if you’re not in it, there is always the question of “why”. Without an answer to that question, people create their own answers… and they are seldom complimentary of you as a candidate.

College degree

The industry also has a lot of disdain for college degrees. Do you need a college degree to work in security? Of course not. There are tons of people in the industry without them. (Of course, they got in because of who they knew.) Like many people state, a college degree is just a piece of paper that says that you spent four years putting up with crap… which is a really good measurement of what many organizations want.

If you can get through a university program for two or four years, toe the line and do what you’re told, a hiring manager will know that you’ll be unlikely to make waves. You might not know all you need to do the job, but you’ll likely be able to deal with stupid corporate rules for long enough to learn what you need.

In short, a standard degree is not a measure that you’ll be an awesome employee. It’s a measure that you won’t be horrible and cost the organization more money than you bring in.

(Note: liberal arts degrees are something different entirely… but from a hiring perspective, they are only useful if the hiring manager is aware of the school and what the degree means. Without that knowledge, they look the same as a regular degree, so it comes back to “who you know”)

Experience

Experience is, of course, the gold standard of getting hired. If you’ve done the job before, the manager knows that you can do it again. However, there’s a trap. If you have experience you’re somewhat stuck in that area of expertiese, and if that area goes away, you could be in trouble. A lot of COBOL programmers discovered this in recent years. If you’re in this situation, you’re really back to who you know.

Of course, it’s better to avoid getting into this situation by constantly taking on new projects and expanding your skill set. However, this series of posts is about certification, so I won’t delve into that topic.

Learning

So if that’s the situation, what do you do about it? The key, I think, is learning.

When you get right down to it, what a hiring manager wants to know is:

  • What do you know?
  • What are you capable of learning?
  • Can you convert that knowledge into something useful to the organization?
  • Can you do so without causing problems in other areas of the organization?

That’s it. Based on how well you do at those four points, your career will skyrocket or stagnate.

So, the keys are learning, translation and communication. Let’s look at certifications with that in mind.

Most people looking at security certifications look in four areas: ISC(2)’s CISSP line, SANS/GIAC’s G* line, CompTIA’s Security+ line and Offensive Security’s OS* line. The key criterion for you to consider is which line is going to maximize your learning for your dollar. Generally, SANS/GIAC is considered the most expensive, but in my experience also has the greatest opportunity for learning. Second to that, in my opinion, is the Offensive Security line. They’re more focused and hands-on than a lot of SANS/GIAC offerings, but also start a bit higher in the experience level.

So what you need is a way to compare not certifications, but what you learn from the certification process. If you can maximize the amount you learn per dollar you spend, you can both select the best certification for you and the best experience you can get from pursuing that certification.

Check in tomorrow for the method I use to compare certifications.

(See parts 2 and 3)

Angry Birds and Security

There are many exciting projects going on at my new company, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from Angry Birds!

In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.

Clearly, there is room for improvement in terms of both offense and defense.

The Pigs

Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:

1) Preparation

The root of their’ constant downfall is they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.

2) Planning

Another problem facing the pigs is the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.

3) Sacrificial Hierarchy

It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.

Common flaw of pig-based construction
A more secure design

The Birds

The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.

1) Reduce Scope

First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.

2) Improved Retaliation

Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capabable bird should be able to respond to attack.

3) Agility

Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.

In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.

Improved Attack Method Adapted To Environment

Conclusion

Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.

Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.

 

(This post originally published at the RJS Informer)

It’s a matter of trust

Warning: this blog entry covers sensitive current events and some of the links may use strong language.

When a big news story hits, do you ever notice a pattern or significant fact, that despite 24/7 coverage, everyone appears to be missing? The world has had three events in recent weeks get considerable attention throughout television, newspapers, radio and social media; and each of these events are catastrophes that occurred because of poor policy choice and unplanned reactions. Let’s briefly explore them.


PayPal v. Regretsy

Paypal is known to “freeze” the assets of somewhat questionable groups. However, many are saying they crossed the line by pulling the plug on a fundraising effort to get Christmas gifts for 200 children in need. Yep, you read that right. Paypal followed their policy and basically profited three times off of preventing children from receiving gifts. Is it surprising that this blew up in their face?

April Winchell, of the popular website Regretsy.com, wrote up her story and published it online with a follow-up. Not only did she get a massive movement behind her, but due to the fame of regretsy.com and the nature of what Paypal’s employee said, the story went viral and is being spread throughout Facebook, Twitter and other social networks. The story has been reported so widely,  there are now over 20,000 hits on Google with titles like:

– PayPal ruins Christmas for over 200 kids

– Paypal has no problem ruining Christmas for Children

– Paypal – The Christmas Grinch

There are posts claiming “Paypal is evil” and people should “stop doing business with them immediately.” On top of that, there is a public list of Paypal and Ebay employee phone numbers and email addresses being spread along with this story.


Carrier IQ
As we have covered previously, Carrier IQ is the company that writes activity-monitoring software for cell phone providers. Some call it the rootkit of all evil but others say it’s not so bad. The news started within a rather small technical community, but rapidly expanded throughout the internet and has resulted in a class action law suit and a senate inquiry. Carrier IQ’s customers are also being sued.


Pepper Spraying Cop

Most everyone today knows the story about the cop that sprayed pepper spray in the faces of protesters at the University of California-Davis. While such events happen often, the fact it was captured with cameras and posted all over the internet made it famous. The incident has started a national discussion about militaristic police forces, a personal investigation into Lt. John Pike and endless parodies.


What does this mean?

In each case, someone did something no rational person would do if presented with the given scenario. The various parties all defended themselves by citing law and policy, yet each instance caused a catastrophic public relations nightmare they may never be able to fix.

If you asked John Pike, weeks before the instance, if he would ever walk past a line of passive college students and cover them with pepper spray, I’m sure he would have said no. If you asked the CEOs of ATT or Sprint a month ago if they ever thought about tracking every single action their customers took on the internet, they would have dismissed the idea as ridiculous. If you asked the leadership of Paypal if they planned to steal money from impoverished children for Christmas, they’d have called you insane.

Yet, each of these events happened. Why? It comes down to policy. Policy’s role is to guide behavior. It sets expectations and makes individuals accountable. Sadly, the latter is often phrased in a negative manner so employees do the bare minimum to protect the organization and, in the process, open up the potential for these types of unfortunate events.


A better way?

Think about what would have happened if the Paypal representative had taken the call and responded with “That sounds like a good cause to me. I’m not authorized to allow it, but let me get my boss on the phone.” Maybe their officers wouldn’t have gotten inundated with spam and phone calls. Maybe their name wouldn’t be equated with thievery and evil. Maybe working with the offended party would be a better approach than a half-hearted apology.

Similarly, what if Carrier IQ had entered into discussions with TrevE about his findings and then worked with ATT and Sprint to resolve the issue instead of immediately going to the legal system (and getting trounced)? Maybe the whole issue could have been avoided.

Lastly, what if, Norm Stamper’s reforms of the police system gained traction? Maybe Occupy UC-Davis would have looked a lot more like Occupy Iowa City.


It’s a matter of trust

When I write policy for a client, the goal is to protect the business from mistakes made by employees. The goal is never to restrict employees to the point their only answer is always what the rule book states regardless of gray area. If you need something done exactly the same way every time, use a computer. They’re actually pretty good at repeatable tasks. People, in contrast, are really good facing unique situations and resolving them in creative ways. As soon as a policy prevents an employee from making improvements, there is no longer use for the employee. Just automate that job and be done with it. If that’s not your goal, your policy is broken. You can fix it by looking for scenarios which can be read literally and, as a result, cause catastrophes like the ones mentioned above.

There are many ways to fix these problems, once they’re found. Some businesses give their employees discretionary budgets. What if Paypal had said “Sorry for the mix up, and since it’s a good cause, here’s $100 to buy a kid a present.” Some businesses have an official PR escalation team. What if TrevE’s report hadn’t been met with hostility, but instead they said “Huh, good point. If we give you $1,000 can you give us some consulting on doing this better?” Some organizations create an expectation of personal responsibility, where it is illegal to obey an illegal order. Might that not have helped things at UC-Davis?

If you’re going to have people working for you, you have to let them be people. Let the policy be the guideline and trust them to follow the guidelines. If you do not trust your policy to guide, and not prescribe, action, you need a new policy. If you do not trust your people to be guided by a good policy, you need new people.

 

This blog entry was originally posted over at the RJS informer.

Leaked Password Analysis – 2011-06 Edition

As most of you likely know, several months ago saw a shift in how a certain type of attack was being done on the Internet. Instead of breaking into a website and simply stealing information, people began breaking into sites to steal information and then release it publicly on the Internet. It is not my intent to discuss the choice of targets or the motivations of these groups. Others have written plenty on this topic and really, if you’re not working for a target or one of the attackers, anything you can say about their motivations is likely to be guesswork at best.

Instead, I want to talk about the passwords. I’ve been following these leaks and collecting password information. My goal is not to break into people’s accounts or to discuss whether or not the leaked data supports the claims of either side. I only have one goal in doing this. I want to find out what I can about people and passwords so I can help everyone choose better ones. So here is my initial analysis. If time permits, I hope to come back to this and do the analysis with more rigor and dive more deeply. However, since my initial rough analysis is done, I wanted to share my preliminary findings. I think they’re interesting, so I hope that you will as well.

 

Data Set

I’ve combed leaked data for all the cleartext passwords I could fine. Realistically, this means that the passwords I’ve analyzed here fall into two categories. The first category is passwords that were stored unencrypted or very weakly. The second is passwords that were weak to begin with and were easily cracked by those who released the data sets or analyzed them later. So, the important takeaway here is that this is not and analysis of typical passwords used on the Internet. This is an analysis of bad passwords used on the Internet combined with passwords that were stored poorly. Still, since I want to learn what not to do, this seems like a worthy use of my time.

The data set exceeded half a million passwords… but likely involved some duplicate records. I hope to tighten up the analysis in my next go-around.

 

Common Passwords

Everyone starts these analysis with a list of the most common passwords. I do not wish to disappoint, so here is what I found.

So what can we learn from this? First of all, note the number of passwords that are just numbers. 123456, 12345678, 12345, 111111, 1234, 1234567, and 123456789 were seven of the top 20 bad passwords. This is ridiculous. Who on earth thinks this is a good idea? A lot of people, apparently.

Second, notice the surprisingly large number of people who thought that trustno1, baseball and superman were good choices. Perhaps choosing passwords based on popular culture is unwise.

 

Password Lengths

I then looked at the average password length. There’s not much of a surprise here, but here’s the graph if you’re interested:

What I found most interesting was how relatively few passwords were seven characters long. I expected six and eight to be large, but not for seven to be so short. Also, note how quickly it drops off after 8. Nine characters and up are ridiculously small.

 

Keyspaces

This is where things get interesting. We have been talking for years about how people should use a mix of lower case, upper case, numbers and symbols in their passwords. I don’t want to bore you with math, but the reason is that the more characters you have to pick from, the longer it’s going to take to guess the password. If, for example, your password is one character long, if you use a lowercase letter and the attacker tries those first, it will only take 26 tries to get it. If you use a character from any of these sets, it will take 26 (lower case) + 26 (upper case) + 10 (numbers) + 32 (symbols) = 94 tries. If your password is longer, then it will be increasingly harder.

Let’s use a few pictures to make this easier to talk about.

 

This is what we’d like to think people are doing. We know that not everyone is following our advice, but at a guess, we’d expect there to be a reasonable mix of people doing it the right way and some overlaps within the other spaces.

 

Our ideal, of course, would be to widen the overlapping space. This way, more people are using more complex passwords and would be safer.

 

… and this is where we actually are today. The spaces aren’t the same size, which isn’t terribly surprising I guess. However, I didn’t expect not only for the special characters space to be so small, but I also didn’t expect the overlap to be so tiny. In fact, of the 519,229 I analyzed, only 315 had a mix of lower case letters, upper case letters, numbers and special characters. No wonder they got hacked. This means that 0.06% of all the passwords were considered minimally secure.

Really… is it so hard to add an exclamation point or question mark in there somewhere?  Here, I’ll even give you some you can use.  I mean, really!?!?!?!?!?!?

 

Other Metrics of Interest

When I compared the list of passwords to itself and weeded out the duplicates, I found that 65.71% of the passwords overlapped. I must say, folks are just not as creative as I had hoped.

For those that follow math, the average entropy score of the password set was 29.63. I hope to make a neat graph comparing entropy to things like length and commonality, but will apparently have to get more proficient with better graphing tools first. My existing tools found graphing 500,000+ data points somewhat challenging.  :)

When I ran the list of passwords against the standard Linux word list, I got 85,196 hits out of 178,049 unique passwords. That’s a 47.85% rate of people that aren’t even trying. Again, we’re talking about the easily-cracked passwords, so this number is inflated… but it’s still much too high.

Surprisingly, I did not see many passwords that were just dates. Those stories of people using their kids’ birthdays as passwords seem to have been exaggerated… or perhaps people today don’t care about their kids very much.  :)

So What Do We Do?

Given that this was a set of easily broken passwords, the key things to do to prevent your password from being broken is to make them not fit these patterns. This means:

  1. Use a mix of lower case letters, upper case letters, numbers and special characters. Use at least one of each.
  2. Make your passwords longer than eight characters. To lay outside of this data set, 10 would be fine. Personally, I’m going up to 16. After all, if you can remember an eight character password, you should be able to remember two of them stuck together.
  3. Avoid basing your password on popular culture, sequences of numbers (or keys on the keyboard) or sports. Those passwords are much more common than you’d think.

That’s it. If you do these three steps, you’ll be well outside of this data set and therefore, much less likely to get your password stolen. Of course, the one thing I couldn’t measure was how much these passwords are shared between accounts of the same person. The 65.71% overlap rate suggests that there is a lot of this going on, but I can’t prove it. Still, it’d be a good idea not to do that.

Do these suggestions sound familiar? They should. If you’re still not following them, maybe you should. We don’t suggest them to be annoying or to help protect against some amorphous threat in the future. We suggest it because if you don’t follow these rules, you will be hacked.

We’ve just seen it happen.

Over half a million times in the last six months.

Cuttlefish

I know, I know. The security and squid blog is located elsewhere. Sorry, but I just have to write about this article.

A short time ago, Chuan-Chin Chiao, Kenneth Wickiser, Justine J. Allen, Brock Genter and Roger T. Hanlon published the article Hyperspectral imaging of cuttlefish camouflage indicates good color match in the eyes of fish predators. (How can you resist an article with such a fascinating title?) For those that don’t thrill to reading academic articles about the eyes of coleoid cephalopods (you weirdos), there is a more accessible press release here.

Why am I fascinated about this? Well, cuttlefish have the ability to change their patterning to blending into the background. We’re familiar with how chameleons do this, but cuttlefish are a lot better at it. Not only are they better at it, but they’re also colorblind! (Like me.) That’s right, these critters are capable of changing their own coloration when they can’t even see it.  How do they do it?  Well, sorry to keep you in suspense, but we still don’t know.  There is some suspicion that it involves opsin transcripts, and evidence that body position may have something to do with it, but those theories are insufficient for complete explanation.  What’s interesting is the approach of the paper.

Science, as you know, is all about measurement.  There’s little room for guesswork and lots of opportunity to be wrong.  So if you’re going to measure camouflage, you’d better have a darn good way of doing it.  What these guys did was to take hyperspectral images with a HyperScan VNIR system.  Effectively, it measured the different amounts of 540 different colors to determine how well the cuttlefish blended in to their background.  They looked at their targets as if they were a super predator, with capabilities far beyond that of the predators we know… and the cuttlefish’s technique was still effective.

So what does this mean for us?  Well, for me it means that I lost out, as I am colorblind, but aren’t able to perceive the polarization of light like cuttlefish can (lucky critters).  However, for the rest of us as a group, it means this:

These creatures developed this ability over millions of years through a complex process of trying different ways to hide and, when they failed, being eaten.  From a business perspective, there is some value in failing fast… but little advantage in being eaten.  If you want to develop strong protections, you need to find a predator that lets you know when your defense is working and when it’s not, without eating you.  Ideally, this would be a super-predator that is better than most of the predators out there.

We call these people penetration testers.  Armed not with a HyperScan VNIR, but with tools like network mappers, vulnerability scanners and exploit frameworks, these people can assess your business and let you know if they could break through your defenses and how.  You can then protect yourself better by making appropriate changes.  Sadly, the industry is still young, and it’s hard to identify the super predators from the others. There is a project to help with this, but for now, here’s a quick evaluation process.  When you call a company (like mine) and ask for an evaluation, ask this handful of questions:

  1. How much will a penetration test cost?
  2. How much will a vulnerability assessment cost?
    • Rule of thumb: Due to the time involved, penetration tests cost at least ten times when vulnerability assessments do.  If they don’t, find another company.
  3. What is the difference between a penetration test and a vulnerability assessment?
    • Rule of thumb: If they only say “A penetration test tries to break in, a vulnerability assessment does not”, find another company.
  4. What is your assessment methodology?
    • Here, you should be looking for a standard and repeatable process.  You don’t need to dig into the weeds, but you do want to weed out companies that come across as “We just try stuff at random”.
  5. What problems have your tests caused in the past?
    • Here’s a secret of the industry.  Anyone worth their salt has broken something.  If you don’t sometimes break stuff, you’re not trying hard enough.  Companies that try to gloss over this and say “Oh, our tests are safe” are not super-predators.

Get the right help or get eaten.

It’s that simple.

Firefox and Facebook

I am involved in a great many groups that are (ostensibly) focused on technology or security to some extent.  One somewhat disturbing trend that I’ve noticed in recent months is people complaining about their significant others and how they constantly put their shared system at risk through Facebook.  Now, I could make this post about how being with someone means accepting their flaws along with their virtues or even go so far down the path of “all you ever do is complain, why on Earth did you marry them in the first place?”, but this isn’t that sort of blog.  Instead of doing that, I’ll point out that we have all the tools we need to secure someone else’s connection and you’re having issues isn’t because your spouse is stupid, it’s because you’re lazy.

Here’s how to be less lazy… involving Firefox profiles and Facebook.

This is not another “how to secure Facebook” post.  To do that, please see this post from Sophos.  This is also not about basic Internet security.  No, this is about how to use some built-in functionality in Firefox to create walls between dangerous sites.  By itself, it will help a lot against account takeovers and complex leveraged attacks… but if you don’t follow basic security practices like using complex passwords and not sharing them between systems, the benefit will be limited.  Keep this in mind as we go through this process.

Profiles

Firefox uses profiles to separate different settings.  They are amazingly powerful, and yet, shockingly, people hardly use them at all.  What we’re going to do here is create a specific profile for Facebook use and then adjust the default profile to block Facebook.  The important thing to remember here is that this technique can be used to protect ANY website, not just Facebook.

Let’s start by installing Firefox if it is not already installed.  To do that, just go over to Mozilla.com and download and install Firefox. Once it’s installed, we have to launch the profile manager. The way you do this is going to vary based on operating system. Under Windows 7 and Vista, go to the search box at the bottom left of the start menu and type firefox.exe -ProfileManager -no-remote. If you are running Windows XP, go to the start menu, click Run… and in the dialog, type firefox.exe -ProfileManager -no-remote. If you are running an older version of Windows, just give up now. Those operating systems are dead and cannot be secured. Either upgrade to Windows 7 or look at running an alternate operating system like Ubuntu Linux.

If you are running Linux, you can just open a shell and run firefox -ProfileManager -no-remote

Now we need to create a new profile for Facebook use.  To do this, go to Create Profile -> Next -> Enter Facebook for the profile name and click on Finish.

Now you can just select the Facebook profile and click on Start Firefox.  This will launch a basic web browser for you.  Now we need to configure the appropriate add-ons.

Add-ons

Firefox supports “add-ons” (also called “extensions”) which supply additional functionality to the browser.  Each profile maintains its own set of add-ons, so if you like any of the one’s we’re adding here and want to use them in your regular browsing, you’ll have to add them into the default profile as well.

To select your add-ons, you should open the Firefox menu and select the Add-ons link over to the right.  For the rest of this section, we will be adding each add-on by searching for the name in the search box at the top right and then clicking the Install button by the Add-on name.  The links provided are so you can read about the add-on before adding it if desired.  However, please add them through the Firefox interface so that they will be automatically updated for you.

  • RequestPolicy – This prevents the so-called “like-jacking” attack by explicitly allowing the browser to connect to specific sites.
  • Web of Trust – This connects your browser to a free service that compares sites you try to visit to known list of bad sites.
  • NoScript – This prevents your browser from running scripts except for the ones that you explicitly allow.
  • AdBlock Plus – Prevents ads from displaying, however, this may break some games.  If you play games, please see note 1 at the bottom of this post.
  • Certificate Patrol – Improves the HTTPS security within Firefox.
  • Force-TLS – Allows Firefox to refuse to connect to a site if it is not secure.

Once these are installed, you will have to restart Firefox to activate them.  Either click on of the Restart Firefox links or close the browser and re-launch it using the -ProfileManager -no-remote trick above.

Automatic Tuning

Once you’ve restarted Firefox, it will launch into the automated tuning process and you’ll have to specify some configuration options.

The first thing that will come up is the RequestPolicy configuration window.  By default, it allows for some automated tuning… but this makes it less secure than we really want here.  Uncheck the “International” checkbox and click on “OK”.  We’ll tune the rest of this add-on shortly.

The next dialog is Web of Trust (WOT).  The WOT add-on just needs you to accept the EULA before you proceed.  Read the EULA and then click on “Accept” if you accept the terms of the EULA.

Now you should have four to five tabs open.  The order will likely depend on the order in which you added the add-ons.  We will be tuning the NoScript and ForceTLS later in this process, so just close those tabs.

Web of Trust
This is where things start to get complicated.  The RequestPolicy addon, by default, will conflict with WOT.  You can tell because there is a red flag icon in the bottom right corner.  You need to click on the flag and go up to the “Temporarily allow all requests” option.

NOTE:  This is something you should do only during the tuning process.  Allowing all requests basically turns off the protection that Request Policy allows, and since this is the key protection for Facebook, it should usually be on.

Once this is selected, the page should reload and give you a configuration page for Web of trust. Basic is good enough for us, so just click on Next.

The next option is to register.  You do now have to do this, but if you wish to do so, fill out the form and click Finish.  Otherwise click on the little red X at the top of the “window” in the browser.  Then close the tab.

Adblock Plus

If you chose to install Adblock Plus, this tab will appear.  If you chose not to do this, just skip to the next sub-section. On this pane, you select the subscriptions you want.  Most users will be fine with just EasyList which should be selected by default, so click on Add subscription and that tab will close.

Options

Now we need to tell Firefox that this profile is to launch Facebook.  To do this, click on the Firefox menu and then go to Options and select the top Options option.  (And please accept my apologies for that sentence.)  You should be in the General tab (far left) of the options dialog.  In the area where it says Home Page, please enter in https://www.facebook.com.

Now click on the Content tab.  Where it says Enable JavaScript look over at the right and click on the Advanced button.  In the tiny little window that comes up, uncheck each checkbox and click on OK.  This will help prevent Javascript-based attacks, which are very common on Facebook.  We will protect against the rest of them shortly when we configure NoScript.

Now click on the Privacy tab and select Never remember history in the drop down.  The less data you store, the less there is for an attacker to steal.

Now click on the Security tab.  For the most part, the defaults are good, except that it defaults to storing passwords.  Remember that every password you store is a password that could be stolen by an attacker.   Uncheck the Remember passwords for sites checkbox.  If you have used this profile in the past, you may also wish to click on Saved Passwords and select Remove All.

Now for the complicated step.  By default, most browsers choose user convenience over security.  We discovered this problem back when Comodo was hacked a few months ago, and this is what you need to do to fix it.  Select the Advanced tab.  Then select the Encryption sub-tab at the far right of the list of tabs below the primary tabs across the top.  Click on Validation and click the bottom-most checkbox.  Then click OK to close the sub-dialog and then OK to close the options dialog.  The drawback to this is that if Facebook’s OCSP server goes down, you will not be able to connect.  The upside is that if Facebook is attacked, you won’t be able to connect to a compromised site.

Now it’s time to restart Firefox again.  This will clear the temporary setting change we made and get us to where we can start tuning the system.  Run Firefox with the -ProfileManager -no-remote trick again and select the Facebook profile.  You should automatically-connect to Facebook and be prompted to log in.  Just log in as usual and we can start the manual tuning process.

Manual Tuning

Request Policy

This is going to be the most annoying aspect of accessing Facebook this way, but it is very much worth the extra time it takes.  When you start Facebook, you will see a bunch of missing images and some grey flags in their place.  This is because RequestPolicy doesn’t yet know which sites are safe, so it blocks everything.

To fix this, click on the little red flag icon in the bottom right of your browser (this is in the status bar of the browser window, not in the Facebook section).  This will allow you to let RequestPolicy know which sites can talk to other sites. First we need to go to the Preferences option at the top of the RequestPolicy menu.  Click on the Advanced tab over at the right and then select Allow permanent whitelisting when using Private Browsing.  Now click on the red flag again and allow the two sites akamaihd.net and fbcdn.net to be accessed by Facebook by selecting the option in bold at the top of each sub-menu.

NoScript

Now we need to allow Javascript so more of Facebook will work.  To do this, click on the Options button on the yellow bar along the bottom of the screen.
This works much like RequestPolicy.  Just click on the Allow Facebook.com option in bold and the page should refresh.

At this point, Facebooks should be looking pretty normal.

ForceTLS

Now we need to force secure connections in the event that Facebook changes that option (again).  To do this, right-click on the Facebook page and select View Page Info, click on the Permission tab, scroll down to where it says Secure Connection and click on both checkboxes.

Games

At this point, things should be more or less working securely for basic Facebook services (reading and posting to walls, getting messages, etc).  If you play games, you may have to go through the RequestPolicy and NoScript steps above to allow different sites, but be aware that for every site you add, you increase your risk significantly.

Default Profile

Now we have to tweak the default profile.  Restart Firefox again (sorry), and run Firefox with the -ProfileManager -no-remote trick again.  This time, select the default profile and go into the Add-ons section as before.  This time, we will be adding only one add-on.

LeechBlock

  • LeechBlock – Prevents access to specific sites.

After it’s installed and you’ve restarted Firefox, it should come back to the Add-ons Manager.  If it does not, you can get there by going to the Firefox menu, then to Add-ons then the Extensions.  Now click on Options next to LeechBlock.  The Block Set 1 tab should be selected.  Under What to Block enter *.facebook.com.  Then click on Next to go to the When to Block tab.  Just click on the All Day and Every Day buttons as you never want to access Facebook from the default profile.  Now, click on OK to activate this change.

Note, if you are doing this to protect someone other than yourself, you may wish to turn on some other options in this add-on to prevent them from unblocking Facebook.  You may also wish to replace the standard page with one that says that Facebook is only available via the dedicated Facebook profile.  These steps are out of scope for this little How To guide.

Optional Others

If you plan to do anything risky in the default profile, consider using the other add-ons that we used on the Facebook profile.  After you’ve used them a bit for Facebook, it should be pretty easy to adapt them to other uses.  You may also wish to load LeechBlock into the Facebook profile to prevent people from using that profile to go to other common sites (online banking, webmail, etc) from that profile.

You can also create a dedicated Firefox profile for each of these common uses, if you wish.

Desktop Configuration

Now for the final step.  You don’t want people to have to manually type in -ProfileManager -no-remote every time they need to access this profile.  Instead, we’ll modify the Firefox icon on the desktop to do this automatically.  To do this, right click on the Firefox icon on your desktop and add  -ProfileManager -no-remote to the end of the Target section (outside the quotes).  Then click OK to save your change.  Now when you double-click on the icon, you will be prompted for which profile you wish to run.

If you wish, you can read a bit more about Firefox profiles and make an icon that launches the Facebook profile, but this How To is long enough already, so I won’t be getting into it.

There you go, that’s it!  While there’s no “Safe” on the Internet, if you take these steps, you’ll be a whole lot safer than the vast majority of Facebook users.

Notes:

  1. It would be best if you don’t play games at all on Facebook.  There have been numerous problems with game developers being less than trustworthy… and you probably have better things to do with your time anyway.  ;)   If you must play games, consider using two Facebook accounts and creating a second “Facebook Games” profile to access them in.  This way, if you have your friends in one account and your games in another, a bad game won’t put all of your friends at risk.
  2. You should still use a strong password on your account and not share it anywhere else.  If you have a weak password, an attacker can figure it out without your involvement at all, and none of these protections will help.  If you share passwords, an attacker can use your password to steal a lot more from you.  You can generate strong passwords over at Strong Password Generator.
  3. You may wish to add different Firefox themes to each profile so there is a visual reminder where you are and what you can do.  You can find lots of Firefox themes at the Firefox Themes Site.
  4. If you are technically-skilled, both RequestPolicy and NoScript allow you to export your configuration so you can import it elsewhere.  If you have to set up multiple computers, this can be a time saver (or you can just copy the profile directories).  In case it’s useful, here are my exported policy files:
Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.