Review – Security Power Tools

Security Power Tools is one of those monstrous tomes that people buy and almost no one ever actually reads. It sits on the shelf and mocks you with the knowledge that it contains while simultaneously scaring you with the commitment it would take to actually read it. It’s 822 pages of dense techno babble.

It took me about three weeks to get through it.

In general, it contains the same information that is in SANS 504, but not quite as complete. It is, however, much cheaper than the course.

In the course, you get six days with a top-notch penetration tester and walk through all of the commonly-used tools in a standardized environment. You get lots of practice and a interactive sessions with security practitioners of various levels. In my opinion, it is the best way to learn.

However, it’s not something that everyone can do, either for reasons of budget or time. Failing that, Security Power Tools is a good alternative. It digs into scanning, reconnaissance, penetration techniques and tools, backdoors, rootkits, firewalls, encryption, service tuning, monitoring, forensics, fuzzing and reverse engineering. It’s a fairly complete book.

It is important, though, to read the book correctly. If you want to learn, really learn, how these things work, you have to approach it as self study, not just a reference guide. Before you pick it up, look at your life and decide how much time each week you can devote to the process. Reserve that time in your schedule. As you read the book, consider each section independently and think about how you might use the tool in a real world scenario. Then, build such an environment (use virtualization if it helps). Read the section again and run the tool within the environment.

That way, you actually learn how things work instead of just having a surface-level understanding.

Small Business Defense – Anti-Malware (yes, again)

Microsoft recently released their Security Essentials product. This is a free anti-malware product, and analysts seem to think that it does a pretty good job at what it does.

However, I want to point out one thing that you probably already know: You get what you pay for.

Security Essentials is intended to be a lightweight anti-malware solution that competes against other free AV solutions. It does a decent job at protecting against the average threat and is certainly better than using nothing at all. However, it is a mistake to compare it to a professional anti-malware system. As SANS says, “Think of this as the AV as it used to be in 2000 or so.”

In short, if you are a home user and don’t care enough about your system to spent $50 a year to protect it, go ahead and use Security Essentials. However, if you are in a business environment, you need something that includes firewall, behavioral detection, network access control, data loss prevention and central management (and more). Security Essentials won’t cut it.

Lastly, if you do decide that you want to try it out, be sure you download the right thing. There are search engine optimization attempts going on to make malicious software (fake antivirus) appear on the search results instead of the link you really want. The right link is http://www.microsoft.com/security_essentials/.

Small Business Attack – Malware (yes, again)

I’ve posted about the current run of banking malware before. For a quick review, this is malware that sits on your computer and waits for you to access your online banking site. Once you’re logged in, it watches what you do and then surreptitiously transfers money out of your account to the attacker. I’m posting about it again because of the new wrinkle:

It will now alter what your browser shows to you, so that you don’t see the unauthorized transfers.

Essentially, the malware knows what you expect to see and shows you that, while it is simultaneously lurking under the radar of banks and avoiding their anti-fraud systems. For those that want more details, read this, this, this and this.

For everyone else, try the following:

1) Check your banking statements very carefully. Most home users have at least 30 days to challenge a transfer, but business users only get 2.

2) Work with your bank to implement a call-back mechanism so that you can approve transfers.

3) See if you can use a dedicated system for only doing banking. Leave it unplugged and turned off unless you’re using it or patching it.

4) Keep all of your other systems patched and run a decent anti-malware system.

Security Lessons from Nature – Long Worm

There is a story that we hear as kids about worms. We’re told that you can cut worms into as many pieces as you like and they’ll each grow into a new worm. As cool as that sounds, it’s a lie… mostly.

Regular earthworms don’t regenerate, so you can set aside your plans to buy worms on the Internet, cut them up, and sell them at a profit. However, after generations of scientists spent their lives gleefully chopping up worms and recording the results, we know of a few families of worms that do manage to more of less regenerate.

The key seems to be the segments. When you make a cut, the number of segments connected to one another determine the worm’s ability to regenerate. Certain worms can, in fact, grow from both ends and go on to live fairly normal lives… at least, as far as worms go.

This can be applied to business systems as well, though we call the segments different things at different levels. At a programming level, we work with modules and services. A good design would use lose coupling and connect the segments in such a way that some of them could fail and the system would still function. At a system/network level, you can build highly available systems out of nodes and connect them with either a cluster or virtualization system. Again, the goal would be that if any nodes fail, the system itself would survive.

What’s interesting is that the same model works at the business as well. One of the techniques discussed at last month’s BIZ presentation for business acquisition, was to build your business such that you can spin portions off. Business incubators often work the same way.

The thing we often forget about security is that it’s not just about keeping the wrong people out and allowing the right people in. It’s about survival. The reason we care so much about access and is that one of the easiest ways to ensure survivability is to prevent bad people from getting in. However, if the ultimate goal is to survive, you also have to consider ways to thrive in changing environments. Security should be intrinsically tied into the business in the same way that the segments tie into the worm.

The segments do more than just allow the worm to survive should it be dissevered in the name of scientific discovery. They give the worm flexibility and help contain organs. In fact, the longest worms in the world are segmented.

Makes you think, doesn’t it?

Mythic Monday – The Camel Seen For The First Time

Another Aesop fable is The Camel Seen For the First Time. You can read it here, here or here… but since it’s short, I’ll paraphrase it here. (While the actual text is public domain, the translations are, for the most part, not.)

When humans first say the camel, they found it frightening. It was huge, scary and humpy, so everyone fled. However, as time went by, people discovered that the camel was gentle. As they grew more familiar with it, they began to hold it in contempt and eventually allowed their children to lead it.

The intent of the fable is to basically show that familiarity breeds contempt. It is both a message that one should not fear things unnecessarily, and that one should not become so familiar with something that fear goes away entirely.

I think that this applies to technology as well. We often hear about new technology and how it can be paradigm-changing. However, when we first attempt to deploy such technology we are often baffled and confused. New technology can be incredibly complex and difficult to understand. It can take days of trial and error to figure it out, much less determine how to best fit the technology into your existing infrastructure.

Of course, once you’ve managed to get the technology working, it seems old hat and it is often baffling when new employees don’t pick it up right away. As time goes by, though, they learn the technology and eventually take over.

The lesson here, of course, is to learn from other camel trainers. If you just believe those that have gone before you, you can avoid the whole fear response and jump ahead to figuring out how to train the camel. Then you can get the technology quickly deployed and get on to learning about future species.

Review – Apache Security

I’ve had the book Apache Security for a while now, so I thought I’d give it a quick review.

Like most O’Reilly books, it’s well thought out and fairly complete. Unsurprisingly, it focuses on the standard LAMP stack, giving advice on building and deploying Apache and hooking in PHP and SSL. Ruby seem to be missing, and Perl is just discussed within a chroot environment. It discusses performance tuning a bit, in the guise of protection against DOS, and then moves onto issues in a shared hosting environment.

Much of what is in this book is more general than just Apache, so it’s best to consider this as a general security book for people running both Linux and Apache, and ideally using PHP and MySQL. It would be less useful to people running Apache on Windows and for people using less common languages. However, it is very good for the basics:

Installing Apache
Hardening Apache
Setting up chroot
Hardening PHP
Configuring logging and access
Understanding web attacks

Where it seems to lack a bit is:

It presumes that the reader will install Apache from source, whereas most these days will install from a package. More advice on hardening Apache in the SuSE, Red Hat and Ubuntu/Debian environments would be useful.
There is no mention of AppArmor or SELinux (which, to be fair, were pretty new when this book came out). A second edition will have to have these, as they are a key way to protect Apache against itself.
A few pages on how to use Suhosin to protect PHP applications would be good.
A section on protecting Ruby and one on Perl would be good. While it is certainly true that no book can cover everything, these three languages are the most common in the LAMP world and should probably be addressed, at least in passing.
While we’re at it, a section on hardening MySQL wouldn’t be out place, as the book is more of a LAMP book than an Apache book anyway.

I recommend this book for the beginner to moderate admin, be they a web admin or in the security space. However, experienced people may not find much new in here. I would, however, love to see a second edition released.

Small Business Attack – Metasploit Defenses

The easiest way to protect against tools like Metasploit is to make sure that there are no exploitable services running. Of course, this isn’t always as easy as it sounds. Services are constantly being explored and new exploits are often found. If you’re lucky, the vendor will release a patch. If you’re even luckier, the patch won’t break anything essential.

However, odds are that you’re not that lucky.

Some systems stop being updated after a period of time (Windows NT and 2000) and some cannot be updated without causing a problem for a linked system (manufacturing systems are often prevented from being updated). It’s also quite likely that a so-called “zero day” exploit will be used against you. Zero day exploits are ones that are used the day that they are announced. Of course, they tend to be announced after the exploit had been found and used… so the “zero” could well be a “negative thirty” (or 60 or 120).

So, if you can’t make sure that your running services aren’t inherently exploitable, you’re pretty much left to two choices. You can either turn the services off (a service that isn’t running can’t be exploited) or you can try to wrap the service in a system that makes it less exploitable.

I recommend that you do both. If you don’t need a service, disable it. If you do need it, consider wrapping technologies like AppArmor, Suhosin, OSSEC, Core Force and Mod Security or using a more generic proxy solution.

Small Business Attack – Metasploit

Though there is a saying in the Security profession, it’s not about the tools some tools are pretty cool. In general business, common tools are things like Microsoft Word and Excel (or their open source equivalents in OpenOffice). On the defense side, we use antimalware suites like Sophos. Generally speaking, attack tools aren’t as polished and are very narrowly focused. However, that’s starting to change.

To attack tool I want to discuss today is Metasploit. This tool has one primary purpose — to break through your defenses. It’s built using a framework methodology. You can think of it as having “plugins” like Firefox. In Firefox, plugins can extend the functionality of the browser by Blocking Ads or Blocking Scripts. In Metasploit, the plugins are a bit more dangerous and add functionality like exploiting a service and escalating users.

Basically, the tool works as follows:

1. Pick your target
2. Break in

That’s pretty much it. If there is a flaw in the system, an attacker can probably get in. And since this tool is so easy to use, an attacker doesn’t have to be particularly skilled to take over a system. They just point, click, and get your data.

Security Lessons from Nature – Smart Crabs

Crabs have claws. Some of them have ridiculously oversized claws, some are stronger than the jaws of a wolf and some can give you wicked papercuts.

However, there are a few crabs that just don’t think that’s good enough. Instead, they pick up anemones and carry them around. Since anemones have tentacles, the crabs look a bit like high school cheerleaders carrying pompoms, but they don’t mind. After all, it’s a great defense. An attacker girds itself to fight against pinching and instead it gets a face full of stinging pain… quite the surprise.

Businesswise, it would be pretty ineffective if you have your employee carrying around anemones. Not only would it make typing difficult, but they would also have to kept underwater, which might present issues with keyboards. Instead, the lessons are, I think, misdirection and non-localized advantage.

Your business has a brand, so an attacker would naturally expect that a defense would match what your company is best at. For example, if you make surveillance cameras, one might expect that your network is well watched, but perhaps not well protected in other ways. So, if an attacker can manage to encrypt traffic or otherwise hide what they are doing, they can likely expect a fairly easy time of it. However, if you manage to partner with a company that produces a more active defense, such as HIPS, an attacker may find themselves blocked, traced and served with a face full of stinging tentacles (or a lawsuit… the modern equivalent).

Mythic Monday – Nommo

Recently, I was reading about African mythology, I ran across the story of the sky god Amma and it’s creation of the half-human half-fish hermaphroditic creature Nommo, which split into four pairs of twins and, after normal mythical events, become the ancestors to the contemporary Dogon people. Due to mistranslations of early ethnographic studies, these creatures were identified as coming from Sirius, which if true, would indicate that the ancient Dogon people either had powerful telescopes (unlikely) or were visited by aliens (which some people seem to view as more likely).

Now, as I read this, I thought “hermaphroditic human/fish hybrid that some point to as proof as alien contact… I’ve got to blog about this!” Sadly, though, I just couldn’t come up with a good business or security angle (there’s something to the “one twin goes evil, so the other has to be sacrificed” story… but there are other such stories in myth that are far more accessible).

Then I started researching Binu shrines. The story goes that one of the Nommo twins was evil, and to make up for this, another twin had to sacrificed, dismembered and scattered all over the earth. Wherever a piece of Nommo landed, a Binu shrine was built. I was curious, and wondered what a Binu shrine looked like. Looking on Flickr, I ran across this photo by sunshinerythym. I looked at the terms of use and saw that it was marked “All rights reserved”, so I didn’t embed it. I sighed and moved on.

Shortly thereafter, I saw this page on the Sacred Sites of the Dogon, Mali. Well, that photo sure looks familiar, doesn’t it? It’s lightened up a bit, but it looks awfully close. And that link below it? Order Fine Print?

Very interesting.

Now, it is quite possible that sunshinerythym was contacted by the people that run SacredSites.com and gave permission for the photo to be used in this manner. I know that I’ve gotten requests to use my photos in such a way.

However, I also want to point out that there are some untrustworthy people out there who make money by selling other people’s work. If you post a photo in full resolution, anyone can download it and do whatever they want with it. If you license it appropriately, you can take legal action against them… but you have to catch them first. Of course, if you screw up your licensing, you probably don’t have a leg to stand on (unlike Nommo, who being half-human had legs (look, I tied it back in!)).

The security lesson here is that if you are generating content, be careful with it. Though I have chosen to make my full resolution photos available, I do so with the understanding that others may steal them. To help mitigate this, I have licensed them for non-commercial use only. For me, photos are fun, but not my main business. I am fine taking the risk if it means that zoos and similar educational organizations can use my photos to help other people learn. The point is that I know I am taking the risk to begin with.

The other security lesson is that if you are a business, keep track of rights of the things you use. If such use is not previously authorized, it could be construed as intellectual property theft and could be quite costly.

The mythological lesson less clear. :)

(Before writing this post, I sent an email to sunshinerythym, as we Flickr users have to help protect each other. It is quite possible that by the time you read this, the links may be broken.)