Security Lessons from Nature – Natalids and Stargate Universe
- At December 08, 2009
- By Josh More
- In Natural History
- 0
So, I’m reading a book on the mammals of Costa Rica. (Why? Because it’s more interesting than watching Stargate Universe, that’s why. (Which says a lot about the quality of storytelling these days.)) In the chapter on bats, I ran across a mention of a natalid organ.
“That’s funny…”, I thought. “I’ve never heard of that!”
So off to the Google I go, to google about and, as it turns out, waste a good hour reading about bat taxonomy. (Which is still better than watching Stargate Universe!) Here’s what I learned:
There are these bats, see, that have an organ. It’s more than one species, it’s in a lot of them… but no one knows what it does!
- Discover Life reports that the cells may be sensory or secretory.
- Novel Guide tells us that it’s bell shaped and can cover the entire muzzle (though Answers.com suggests that that’s not always the case).
- Brain Museum implies that the presence of the organ may be linked to the lack of a nose leaf. (What’s a nose leaf, you ask? Go research it yourself, I’m busy with natalids.)
- Bob’s Bat Cave, despite having perhaps one of the coolest names on the Internet, indicates that the organ is below the skin on the forehead, though other sites place it at the back of the muzzle. (This seems like a conflict to me, but perhaps I don’t know my way around a bat’s head very well.)
- Lastly, Animal Diversity gives us the useful information that only Natalids have natalid organs. Of course, the group of bats known as natalids are defined as those bats that have natalid organs, so that information is less useful than it may initially appear.
I might have learned more, had I given JSTOR $19 for the full article, but let’s face it, I’m just a Stargate fan who is oddly distracted by bats, and it would be unwise to give my bad research habits free rein.
So what is all of this doing on an I.T. security blog? I haven’t the faintest clue… and that’s the important thing. The number one biggest threat out there isn’t the mysterious Chinese hacker or the organized criminals writing malware. The most dangerous threat is that of poorly-documented legacy systems. These systems exist on every business network I’ve seen. They lurk in the dark corners, staring at admins and, well, do something… I think… maybe. These systems are dangerous because:
- We have to keep them running.
- We don’t know what they do.
Most people, therefore, set them on the network and proceed to ignore them until they break. Maybe all they do is serve a few static web pages. Maybe, though, they process proprietary data. However, since we don’t know, we can’t pick an appropriate method of securing them.
We can’t turn them off, because it might harm the business, just like we can’t go up to random bats and remove the natalid organ. If we don’t know what it does, we often can’t take the risk of killing the business (or bat) by removing it to find out. (Just like we can’t take the risk of not trying the new Stargate series, as it might be as awesome as SG1 (though, admittedly, history has not borne this out)).
We can look deeper into the systems and possibly get an insight (“hmm, it’s kinda slimy, but it also looks like it might be a detector”). We can ask those that use it what they use it for (which might be more effective on your coworkers than it is on bats). Or, we can just name it and leave it alone (“well, it’s gotta be there for a reason, right?”)…
Which works until someone like me comes along and thinks “what the heck is a natalid organ?”, and starts digging into the problem. Because at that point, you have to justify one of two likely scenarios:
- Why you kept a legacy system running and consuming resources when it serves no valid purpose to the business.
- Why you failed to adequately secure and plan migration paths for a business-critical system.
Really, it’s probably better to find out what it does and document the thing. Luckily, we have technologies now that allow us to record inputs and outputs and clone systems, so the process should be a lot less messy than dissecting the muzzle of a bat or figuring what on Earth the producers of Stargate Universe are thinking.
Security Lessons from Nature – Minimizing Shadows
- At November 10, 2009
- By Josh More
- In Natural History
- 0
Imagine for a minute that you’re a bug. You wander around looking for food and avoiding predators. Now, most critters that prey on bugs aren’t exactly the brightest. They just sort of fly around and look for anything that looks buggy and then try to eat it. There are generally only two clues to bugginess: movement and contrast.
Basically, if something moves like a bug, it’s probably a bug. Of course, this is only good against the bugs that haven’t learned to just keep still. If you want to keep your little bug self safe and secure, all you have to do is not move when a predator comes at you… which is a lot harder than it sounds… and not 100% successful now that predators have learned the contrast trick.
Most days, there tends to be light around, and even though bugs have gotten pretty good at matching their surroundings, if the light comes from the wrong angle, it doesn’t matter how well you match your environment: you’ll cast a nice long shadow. If a bird is looking for an area of sharp contrast, it can find you even if you manage to stay frozen.
Bad news for bugs.
Unless, of course, you manage to reduce your shadow. If you are careful to shift your position or only land in pre-existing shadows, you can really shrink it. Similarly, if you only come out during midday and stay hidden during morning and evening, you’ll avoid the long shadows. Basically, you want to reduce the amount of your body that catches the light, which reduces the amount of shadow, which reduces the likelihood of attack.
We do the same thing in the security world. A system can be attacked in many (many (many)) ways. Looking just at a fairly standard Web system, it can be attacked at: ssh, apache, mysql/postgresql, openssl, php/perl/ruby, ftp, or any modules contained within… and this assumes that the system has been hardened and isn’t running any of the common applications such as X, Gnome/KDE, OpenOffice.org, Firefox, portmap, the r* commands, etc. The simple fact is that we load our systems with all sorts of fancy widgets, adding new functionality here and there, making them run faster (or at least, more interestingly) and, if an attacker looks, casting a very interesting shadow.
Simply put, everything you can install can be exploited. It may be reviewed. It may be well designed. It may be hardened. However, this is not a perfect world, and there are no guarantees. You can’t make sure that everything is running exactly as it should be, but what you can know with absolute certainty is that something that’s not there cannot be exploited. People have a really hard time robbing a house that’s not been built, and they’d have similar difficulties attacking a service that’s not running.
In I.T. Security, we call this reducing our attack surface. The term can apply to an entire business, a network, a server or just an application. The idea is pretty much exactly what a bug does. We want to make our shadow as small as possible, by reducing the number of protrusions and things that make the shadow interesting. In practice, this means reducing your business (you’re not a bug anymore, by the way) to just what you need. If you don’t need modems, don’t leave them plugged in. If you don’t need to be running telnet, don’t run it. If you don’t need to employ untrusted people at incredibly low wages, don’t do it.
The point here isn’t to say that you can be completely safe by minimizing what’s running… there is no completely safe. Any bug can get eaten, despite how good it gets at what it does. The point is that by minimizing the attack surface, you can get it to a manageable size. If bugs were the size of baseballs, cast huge shadows and were slow to maneuver, they’d be eaten awfully quickly. By staying small and relatively flat, they’ve been able to focus on better defenses (such as scent bombing, protective colouration, and just plain old tasting bad). The same applies to your business. If you limit what you’re doing and running to something manageable, it can then be managed.
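A concrete check for both of the last two posts’ points (the undocumented legacy box and the small shadow) is to take the sockets a host is actually listening on and diff them against what the documentation says should be there. The script below is an added illustration, not code from the original posts: it parses the output of `ss -Hltnp` (the sample lines and the allowlist are constructed for the example) and reports every listener the documentation does not account for. It goes one step past the text by also checking exposure, so a documented service that was supposed to listen on loopback only but is bound to every interface gets flagged too.

```python
"""Listening-socket inventory against a documented allowlist.

Added example, not from the original posts. Parses `ss -Hltnp` output
(the sample below is constructed) and reports listeners the documentation
does not account for, plus documented services exposed more widely than
intended.
"""
import re

# Constructed sample of `ss -Hltnp` output (no header because of -H):
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=950,fd=21))
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=1010,fd=5))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=700,fd=5))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=640,fd=4))
"""

# Assumed documentation for this host: port -> (process, allowed exposure).
# "loopback" means the service must bind only to 127.0.0.1 / ::1.
ALLOWLIST = {
    22: ("sshd", "any"),
    80: ("nginx", "any"),
    3306: ("mysqld", "loopback"),
    5432: ("postgres", "loopback"),
}

_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
_LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return one dict (addr, port, process, pid) per LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # handles "[::]:111" too
        m = _PROC_RE.search(line)               # first owning process
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners.append({"addr": addr, "port": int(port), "process": proc, "pid": pid})
    return listeners


def audit(listeners, allowlist):
    """Compare listeners with the allowlist; return (finding, listener) pairs."""
    findings = []
    for l in listeners:
        expected = allowlist.get(l["port"])
        if expected is None:
            findings.append(("undocumented listener", l))
            continue
        proc, exposure = expected
        if l["process"] != proc:
            findings.append(("unexpected process on documented port", l))
        elif exposure == "loopback" and l["addr"] not in _LOOPBACK:
            findings.append(("documented loopback service exposed on all interfaces", l))
    return findings


def main():
    for finding, l in audit(parse_ss(SAMPLE_SS), ALLOWLIST):
        print(f"{finding}: {l['process']} (pid {l['pid']}) on {l['addr']}:{l['port']}")


if __name__ == "__main__":
    main()
```

Run against the sample, it reports postgres exposed on all interfaces, and telnet (inetd) and rpcbind as undocumented; the first is the “document it” problem from the natalid post, the other two are shadow to trim. On a real host, feed it `ss -Hltnp` output and keep the allowlist in version control next to the system’s documentation.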
It also helps not to move suddenly when someone flips over a leaf… but I’ve not yet figured out exactly how that applies to business.
Security Lessons From Nature – Pangolin
- At October 27, 2009
- By Josh More
- In Natural History
- 0
Normally in this section I pick one aspect of the natural world and focus on the security ramifications of that animal or adaptation. However, this doesn’t really do justice to the complexities that surround security posture. So today, we’re going to look at the pangolin.
Now, you can either hit the link and read all about it, or we can play the build-an-animal game. (The game is more fun.)
- Start with an anteater.
- Give it huge sharp claws.
- Now grant it the ability to spray a stinky acid like a skunk.
- Take the scales off a fish and glue them to the anteater.
- Thicken the scales so it’s armored like an armadillo.
- Sharpen each scale so it’s razor sharp.
- Oh yeah, they’re also good at tunneling and swimming.
- Now just for fun, let’s expand their brains and make them little Houdinis.
Now let’s think for a minute about the threats that could have provoked such defenses. Before we had an anteater, we must have started with ants. That’s all well and good. After all, who doesn’t love a yummy meal of ants? Well, other than the ants, I guess. In the US, ants tend to build nests underground and just pile up the dirt outside. However, in anteater territory, ant and termite mounds are heavily armored, so our pangolins need big sharp claws to get to their food. Now, not only are ants yummy, but in areas where hyenas roam, so are pangolins.
Of course, the easiest way to make the annoying creatures go away is to spray them with a noxious fluid… though one has to wonder exactly how that particular defense mechanism came about.
Then there are the roaming large felines. Where those abound, it helps to grow large, thick, scales to protect yourself. Now, generally speaking, if you grew up in a world where your biggest threats are jaguarundi and sabertooth tigers (with respective Bite Force Quotients (BFQ) of 75 and 78), regular armor is probably fine. However, if your predators are clouded leopards and tigers (BFQs of 137 and 127 respectively), regular armor is apparently insufficient, and you need razor sharp scales instead.
So here you are, safe against the abundant predators of Southeast Asia… except for those pesky humans. People of the area like to eat them and use parts of them for medicine. Since humans tend to use tools that render claws, razor scales and explosive scent ineffective, it’s important to be able to run away. Thus, it helps to learn how to dig intricate tunnels and to swim out of range of these tools. Of course, some humans still manage to capture some pangolins, so it’s quite helpful to be able to escape with ease.
Thus, through simple defenses against ordinary threats, we get an animal that seems almost mythological in its complexity. The same applies to business. We tend to build very complex systems with numerous layers of defenses, but each of them is targeted at attacks that manage to get through the outer layer of defenses.
We hardened systems, but attackers got through. We created firewalls, but attackers got through. We added application awareness to the firewalls, but attackers worked within the applications. We added kernel-level hooks to restrict what the application can do, and attackers still managed to get personal data. More recently, we’ve added Network Access Control, Data Loss Prevention, Buffer Overflow Protection and others. Of course, it’s just a matter of time until the attackers start working against those too.
Like the pangolin, we have to pay attention to new threats and adapt to new threats. If we don’t, well, the pangolin has an answer for that too.
Thanks to dotpolka for the use of the photo.
Mythic Monday – Aesop: The Dog, The Rooster and the Fox
- At October 26, 2009
- By Josh More
- In Mythology, Natural History
- 1
This isn’t one of Aesop’s more commonly known fables. Like most of them, it’s quite simple. Essentially, a dog and a rooster are friends (we ignore the improbability of that bit) and taking a bit of a holiday. As they come to the end of the day, they decide to go to sleep. As is their nature, the rooster perches atop a hollow tree and the dog curls up to sleep inside the tree.
When morning comes, the rooster crows, and attracts the attention of a fox. The fox invites the rooster home for breakfast. The rooster, being wise (demonstrating again, that this is a fable and not reality), tells the fox that he is regrettably unable to accept such a generous offer, but instead invites the fox to join him inside the tree. The fox (seemingly unable to smell the dog within) enters the tree and is promptly devoured.
Clearly, the lesson that Aesop wished us to learn was to beware the rooster. However, it is also quite possible that Aesop was covering for the known illegal leanings of roosters and dogs. This dastardly duo was singlehandedly responsible for the massive reduction of the fox population in ancient Greece. This is much like how modern phishers work.
Security attacks have gotten sufficiently complex that different people are better at different aspects. Some attackers are best at writing malware and others are best at sending the emails that distribute the malware. So, just like the dog and rooster, they have gotten good at working together. By each relying upon their best skills, they can take over (attract and eat) various targeted computers (foxes).
Of course, this only works on foxes that aren’t paying attention. If the fox in the story had simply stopped to realize that:
- Roosters tend not to live in hollow trees.
- Dogs have a noticeable odor. . . especially for foxes.
The same applies to phishing emails.
- Organizations such as the FBI and IRS are generally not in the habit of emailing people.
- Phishing spam also has a noticeable odor (spear phishing is a bit different).
At its core, email is not 100% deliverable. If anything is extremely important (as something from the FBI or IRS would be), it would come in a manner that is more reliable. Registered letters and phone calls tend to be popular. Similarly, if someone has your email address, wouldn’t it make sense that they already have your name, phone number and other personal information? If an email asks you to “verify” your information, it’s good to be suspicious.
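Here is the “noticeable odor” test written down as a crude triage script. It is an added illustration, not code from the original post: it parses a raw message with Python’s standard `email` package and flags the two smells above (a display name claiming an agency that doesn’t email people, from a domain that isn’t theirs, and a “verify your information” lure), plus links whose host doesn’t match the sender or merely starts with a real agency’s domain. The agency list, lure phrases and the sample message are all constructed for the example.

```python
"""Crude phishing triage over a raw RFC 5322 message.

Added example; not the original post's code. The impersonated-organisation
list, the lure phrases and the sample message are constructed for
illustration, and the checks are heuristics, not proof.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed: organisations that do not initiate contact by email, mapped to
# the domain mail from them would legitimately come from.
IMPERSONATED = {"irs": "irs.gov", "fbi": "fbi.gov"}
# Assumed lure phrases: a real sender already holds this information.
LURES = ("verify your", "confirm your", "update your account", "suspended")

_URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)

# Constructed sample message.
SAMPLE = b"""\
From: "IRS Refund Department" <refunds@irs-secure-portal.example>
To: victim@example.org
Subject: Action required: verify your refund details
Content-Type: text/plain; charset=us-ascii

Dear Taxpayer,
Our records show a pending refund. Please verify your information at
http://irs.gov.refund-update.example/login within 24 hours.
"""


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw: bytes):
    """Return a list of reasons the message smells; empty means no smell."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = sender_domain(addr)
    body = msg.get_body(preferencelist=("plain",))   # None if no text part
    text = (body.get_content() if body else "") + " " + str(msg.get("Subject", ""))
    text_l = text.lower()
    reasons = []

    # 1. Display name claims an organisation whose real domain differs.
    for brand, real in IMPERSONATED.items():
        if brand in name.lower() and domain != real and not domain.endswith("." + real):
            reasons.append(f"display name claims {brand.upper()} but sender domain is {domain}")

    # 2. Lure: asks you to "verify" data the real sender would already hold.
    for lure in LURES:
        if lure in text_l:
            reasons.append(f"lure phrase: {lure!r}")
            break

    # 3. Link hosts that match neither the sender nor a known domain, and
    #    hosts that merely *start* with a known domain (irs.gov.evil.example).
    for host in _URL_RE.findall(text):
        host_l = host.lower()
        if host_l != domain and not host_l.endswith("." + domain):
            reasons.append(f"link host {host_l} does not match sender domain {domain}")
        for real in IMPERSONATED.values():
            if real in host_l and host_l != real and not host_l.endswith("." + real):
                reasons.append(f"link host {host_l} mimics {real}")
    return reasons


def main():
    for reason in triage(SAMPLE):
        print("smells:", reason)


if __name__ == "__main__":
    main()
```

Spear phishing, as the post notes, is different: a targeted message may pass every one of these checks, which is why they are a sniff test and not a filter.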
Above all, unlike the fox in the story (and just like foxes in real life) it pays to be wary.
Security Lessons from Nature – Units of Measurement
- At October 20, 2009
- By Josh More
- In Natural History
- 0
One thing that was hammered into me as I pursued my Physics degree was the importance of specifying units in my answers. Unlike my fellow students who chose to study Math, those of us in Physics actually had work that meant something. ;) At the time, I thought that my teachers were just being annoying, as it was pretty obvious what the units were.
Well, as it turns out, the reason that units matter in Physics is because it helps to build physical intuition. Since all answers match (at least, theoretically) reality, you can do a quick check against the answer at the end and make sure it makes sense (well, usually).
However, the reason that this works at all is because we defined all the units a long time ago. The International System of Units (which, for some stupid reason involving non-English languages, we abbreviate as “SI”), defines a unit for everything we have to measure and does so in such a way that it is standardized throughout the world.
- The meter measures length, and is defined as the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second
- The second measures time and is the duration of 9 192 631 770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium 133 atom.
- The kelvin measures temperature and is the fraction 1/273.16 of the thermodynamic temperature of the triple point of water.
- The candela measures luminous intensity, in a given direction, of a source that emits monochromatic radiation of frequency 540 × 10^12 hertz and that has a radiant intensity in that direction of 1/683 watt per steradian.
Now, sure, for historical reasons, we have had to fix the values of the units to some pretty arbitrary numbers. However, whenever someone says that something is a second long, everyone knows exactly what they mean (unless it’s a justasecond, which is quite a bit longer). That is the advantage of scientific consensus.
Which, of course, makes certain aspects of business difficult. Test of Time Design recently pointed out the problems with comparing yourself to your competition. Really though, the problem compounds when your competition starts comparing themselves to you too. That way, you build a vicious cycle of measurement and are soon making decisions based on metrics that are drifting further and further from reality.
I think that we tend to fall into the trap of measuring the easy things instead of the things that really matter. For example, there are many retail establishments that measure their progress against last year’s performance. What does that really measure? After all, you’re measuring in dollars, and the value of a dollar changes over time. If you base your business decisions on a constantly-changing unit, you have no idea if the changes you are making matter.
We see this problem in the security field as well. Many of us bemoan the lack of decent security metrics. Really, what we want to measure is how much we’re protecting the organization. However, it’s clear that the right way to measure that would be to wait until your company gets breached, figure out what it cost, travel back in time, put up defenses. Then you simply measure the cost of the breach and the cost of the defense, a little subtraction, and you know exactly what your solution is worth.
Alas, time travel can be tricky. So, we have to resort to other methods. There are communities doing some very interesting work in this subject. There are formal methods that are used in enterprises. However, those models tend to take time to work through… often time that the small business doesn’t have in the first place. Luckily, there’s another option.
Just fall back to physical intuition. Even if you can’t make a precise measurement of the weight of a brick, you can know that it’s going to hurt like hell when one hundred of them land on you. Similarly, you don’t need to know exactly what it will save you to deploy a security technology. You just need to look at the cost of the technology and ask yourself “if something bad happened, what would that cost me and how likely is it to happen?” Will this model work for a large enterprise where security solutions cost hundreds of thousands of dollars and can take up to a year to implement? Of course not. However, for small and medium sized business, most common security solutions are inexpensive enough that a rough intuitive calculation will probably do just fine.
Mythic Natural History – Encapsulation
- At October 16, 2009
- By Josh More
- In Mythology, Natural History
- 1
Yesterday (as I write this), I was privileged to attend the Iowa State University Cyber Defense Competition. The basic idea is that you have students build a handful of servers that must withstand attack from the “red team” while simultaneously providing services.
Though I generally specialize in Linux defense, I did manage some successful attacks against both operating systems. There was one team that watched the network and blocked some of the IP addresses that were attacking them. There was another that was hiding behind a firewall appliance. However, what was most interesting was the level of awareness that different teams had about what I was doing. Generally, once I connected via an encrypted session, the admins let me do whatever I wanted to do. I could try exploit after exploit with no interference at all. Odds are, if they were watching me at all, they were looking at network traffic. As such, I was hidden from their view due to encapsulation.
TechTarget defines encapsulation as: “In general, encapsulation is the inclusion of one thing within another thing so that the included thing is not apparent. Decapsulation is the removal or the making apparent a thing previously encapsulated.” . . . but this is boring. I could go on at length about how TCP/IP has layers like an onion (or an ogre), or I could just point you over to The TCP/IP Guide. However, since TCP/IP is also boring, I’ll let you go read about it yourself.
Instead, I want to talk about the Mayans. After the competition, I was relaxing at home by reading a book of Mesoamerican Myth, and I got to a part that told how Xbalanque and Hunahpu (let’s call them Xbally and Huna for short) were contacted by their grandmother. Apparently, the spread of the Internet had not reached the Yucatán Peninsula by 250AD, so when their grandmother wished to send them a message, she didn’t send them an instant message. Instead, she told a louse.
Now, it is clearly ridiculous to think of a louse able to carry a message all the way to the Eastern end of the Earth (likely Tulum), which is why it was most fortunate that the louse was swallowed by a toad. The toad, of course, was eaten by a snake, which was gobbled up by a hawk. The hawk then flew to Xbally and Huna. Of course, the hawk could not give them the message directly. He had to first disgorge the snake, which spit up the toad, which vomited up the louse (you can’t keep a good louse down), which delivered the message. At which point, our pals Xbally and Huna went off to the underworld to work for some strangely-named underworld gods, avenge their father and otherwise exit the interesting part of our story.
See, the message couldn’t get there on its own. No matter how loud someone shouts, there’s a limited distance over which the message may be understood. Thus, it helps to encapsulate the message inside a louse (SSH). If anyone looks at the louse, they just think “eew, louse!” and not “hey, maybe that louse contains a secret message”. Even if the louse were cut open, it wouldn’t reveal anything other than louse guts. The message is well concealed.
However, even though a louse is a good way to hide in plain sight, it’s not so good at crossing distances. Particularly if the terrain is somewhat marshy. That’s why, if you don’t want the message to drown, you’d better put it in a toad (UDP). This way, the delivery is more robust.
(As an aside, I chose UDP over TCP for this analogy, because otherwise at the end of the story, Xbally and Huna would have to find another louse, give it a message that says that they got the message, shove it in the toad, feed the toad to the snake, let the hawk eat the snake and send the snake back to their grandmother… and that would just be silly.)
A toad, however, doesn’t do so well in all environments. It may be able to hop over a desert, but it would take a while and it could get lost. That’s why toads are more comfortable inside of snakes (IP). The snake has a more complex brain and can remember more of the environment than a toad can. Thus, instead of just hopping from puddle to puddle in the hope that it’s going the right way, the snake can take a more direct route… within its own little area. Snakes are, alas, not so good at crossing barriers like mountains and chasms. For that, you want a hawk (Link Layer). The hawk is used to flying and tends to have a good solid understanding of its environment. When it flies, even if snake-laden, the hawk can get where it needs to go quite quickly by flying through the air (Layer 1).
Thus, by combining all four animals (or Link, IP, UDP and SSH), you can get a message securely to where it needs to go. (Real SSH rides on TCP rather than UDP, but the layering works the same way.) True, these days we use somewhat obscure mechanisms to do so, but hey, these days lice are relatively rare.
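To make the layering concrete, here is the hawk/snake/toad/louse stack built and then unwrapped in code. This is an added illustration, not code from the original post. The “louse” is a toy XOR stand-in for SSH’s encryption (it is not real cryptography and only exists so the payload is opaque); UDP is used to follow the post’s analogy even though real SSH runs over TCP; and the MAC addresses, IPs, ports, key and message are all made up. The lesson for the admins at the competition is in `decapsulate()`: a sniffer can peel the link, IP and UDP layers and see who is talking to whom on which port, but what is said stays inside the louse.

```python
"""Encapsulation walk-through: message -> "louse" (SSH) -> toad (UDP)
-> snake (IPv4) -> hawk (Ethernet), and the reverse.

Added illustration, not code from the original post. The louse layer is a
toy XOR keystream standing in for SSH's cipher (NOT secure); UDP follows
the post's analogy although real SSH runs over TCP.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def louse(message: bytes, key: bytes) -> bytes:
    """Toy XOR with a repeating key: stand-in for SSH, illustrative only."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(message))


def toad(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def snake(src_ip: str, dst_ip: str, payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """IPv4 header (20 bytes, no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),   # ver/IHL, DSCP, total length
                         0x1234, 0x4000,               # id, flags=DF, offset 0
                         64, proto, 0,                 # TTL, protocol, checksum placeholder
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = ip_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def hawk(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    """Ethernet II frame: dst, src, ethertype, then the IP packet."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def encapsulate(message, key, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    return hawk(src_mac, dst_mac,
                snake(src_ip, dst_ip,
                      toad(src_port, dst_port, louse(message, key))))


def decapsulate(frame: bytes) -> dict:
    """Peel the layers the way a packet sniffer would, verifying the IPv4
    header checksum. The returned payload is still opaque without the key."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:           # valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len = struct.unpack("!HHH", udp[:6])
    return {
        "link": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "ip": {"src": bytes_to_ip(ip[12:16]), "dst": bytes_to_ip(ip[16:20])},
        "udp": {"src_port": src_port, "dst_port": dst_port},
        "payload": udp[8:udp_len],            # what the network monitor sees
    }


def main():
    key = b"grandmother"                      # assumed shared secret
    frame = encapsulate(b"go avenge your father", key,
                        bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                        "10.0.0.1", "10.0.0.2", 40000, 22)
    layers = decapsulate(frame)
    print(layers["ip"], layers["udp"], "payload:", layers["payload"].hex())
    print("with the key:", louse(layers["payload"], key))


if __name__ == "__main__":
    main()
```

This is also why “they were looking at network traffic” is not enough once the attacker is inside an SSH session: the monitor has to be on the host, where the louse is opened.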
It’s a good tradeoff.
Security Lessons from Nature – Status monitoring
- At October 13, 2009
- By Josh More
- In Natural History
- 0
I weigh between 150 and 155 pounds. What’s interesting is that, under ideal conditions, it is exactly between 150 and 155. I weigh myself regularly, and I have noticed that if my weight ever drops below 150, I get sick within a day. The same applies if it holds steady over 155 for more than a couple of days. Similarly, I have an average temperature range, and any significant variance typically bodes ill(ness).
The human body (really, all mammals) has many such metrics. In addition to weight and temp, there is an average heart rate, normal EKG, bone density and typical levels of vitamins, minerals and hormones. These can be measured in many ways, but they generally fall into two categories. Some things can be measured at a surface level (weight and temp), others require special equipment, a tolerance of invasive procedures and significant amounts of time. Of course, the more time you devote to it, the better the data you get, so these scans are generally only done when a problem is suspected.
The same applies to IT systems. There are certain metrics that are easily determined and if they vary, it can indicate a problem. Just like weight and temperature, some can be easily gathered, gathering others can impact the system, and some require the system to be down before they can be gathered.
Just like we generally don’t send people in for a full body scan on a regular basis, we aren’t in the habit of shutting down servers for a day each week and performing precautionary forensic analysis upon them. Instead, we prefer to check surface-level data: disk, CPU and RAM usage, network connection statistics. If one of these indicates a problem, then and only then do we begin to dig more deeply and run scans that might impact system performance.
The key, just like my regular monitoring of my weight and temp, is to regularly monitor system performance metrics. Otherwise, you only catch problems after they’ve already impacted the system. Just as it’s easiest to deal with a cold before it really sets in, it’s easier to identify an attack at the beginning of the process.
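The bathroom-scale rule above, written down as a check you can run over any metric you already collect, added here as an illustration rather than anything from the original post: learn a normal range from a quiet window, then alert only when a sample stays outside it for more than a couple of consecutive readings (one odd reading is noise, a sustained one is a cold setting in). The series below, outbound connections per minute from a web server, are constructed; the three-sigma band and the three-sample persistence are assumed tuning knobs.

```python
"""Baseline-and-deviation check over a metric series.

Added example, not from the original post. Learn a normal range from a
training window, then report runs of samples that stay outside it for
`persist` consecutive readings. All data below is constructed.
"""
from statistics import mean, pstdev

# Constructed: outbound connections per minute during a quiet hour.
TRAINING = [48, 52, 50, 49, 51, 50, 53, 47, 50, 51, 49, 50, 52, 48, 50, 51]

# Constructed: later readings. Index 3 is a single spike (ignored); indices
# 7-11 are a sustained rise (e.g. a box that started scanning); indices
# 14-16 are a sustained drop (e.g. a service that quietly died).
SERIES = [50, 49, 51, 95, 50, 52, 50, 88, 91, 97, 102, 99, 50, 51, 10, 12, 11]


def baseline(samples, k=3.0):
    """Normal range from a training window: mean +/- k population std devs."""
    mu, sigma = mean(samples), pstdev(samples)
    return mu - k * sigma, mu + k * sigma


def deviations(series, low, high, persist=3):
    """Return (index, value) of the first sample of each run that stays
    outside [low, high] for at least `persist` consecutive samples.
    A run is reported once, when it reaches `persist`, not on every sample."""
    alerts, run_start, run_len = [], None, 0
    for i, v in enumerate(series):
        if v < low or v > high:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len == persist:
                alerts.append((run_start, series[run_start]))
        else:
            run_len = 0            # one normal reading ends the run
    return alerts


def main():
    low, high = baseline(TRAINING)
    print(f"normal range: {low:.1f} .. {high:.1f}")
    for idx, value in deviations(SERIES, low, high):
        print(f"sustained deviation starting at sample {idx}: {value}")


if __name__ == "__main__":
    main()
```

The same shape works for disk, CPU, RAM or connection counts; the only thing that changes per metric is the training window and how many samples you are willing to wait before you go and look.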
Security Lessons from Nature – Long Worm
- At October 06, 2009
- By Josh More
- In Natural History
- 0
There is a story that we hear as kids about worms. We’re told that you can cut worms into as many pieces as you like and they’ll each grow into a new worm. As cool as that sounds, it’s a lie… mostly.
Regular earthworms don’t regenerate, so you can set aside your plans to buy worms on the Internet, cut them up, and sell them at a profit. However, after generations of scientists spent their lives gleefully chopping up worms and recording the results, we know of a few families of worms that do manage to more or less regenerate.
The key seems to be the segments. When you make a cut, the number of segments connected to one another determine the worm’s ability to regenerate. Certain worms can, in fact, grow from both ends and go on to live fairly normal lives… at least, as far as worms go.
This can be applied to business systems as well, though we call the segments different things at different levels. At a programming level, we work with modules and services. A good design would use loose coupling and connect the segments in such a way that some of them could fail and the system would still function. At a system/network level, you can build highly available systems out of nodes and connect them with either a cluster or a virtualization system. Again, the goal would be that if any nodes fail, the system itself would survive.
What’s interesting is that the same model works at the business level as well. One of the techniques discussed at last month’s BIZ presentation on business acquisition was to build your business such that you can spin portions off. Business incubators often work the same way.
The thing we often forget about security is that it’s not just about keeping the wrong people out and allowing the right people in. It’s about survival. The reason we care so much about access is that one of the easiest ways to ensure survivability is to prevent bad people from getting in. However, if the ultimate goal is to survive, you also have to consider ways to thrive in changing environments. Security should be intrinsically tied into the business in the same way that the segments tie into the worm.
The segments do more than just allow the worm to survive should it be dissevered in the name of scientific discovery. They give the worm flexibility and help contain organs. In fact, the longest worms in the world are segmented.
Makes you think, doesn’t it?
Security Lessons from Nature – Smart Crabs
- At September 29, 2009
- By Josh More
- In Natural History
- 0
Crabs have claws. Some of them have ridiculously oversized claws, some are stronger than the jaws of a wolf and some can give you wicked papercuts.
However, there are a few crabs that just don’t think that’s good enough. Instead, they pick up anemones and carry them around. Since anemones have tentacles, the crabs look a bit like high school cheerleaders carrying pompoms, but they don’t mind. After all, it’s a great defense. An attacker girds itself to fight against pinching and instead it gets a face full of stinging pain… quite the surprise.
Businesswise, it would be pretty ineffective to have your employees carrying around anemones. Not only would it make typing difficult, but they would also have to be kept underwater, which might present issues with keyboards. Instead, the lessons are, I think, misdirection and non-localized advantage.
Your business has a brand, so an attacker would naturally expect that a defense would match what your company is best at. For example, if you make surveillance cameras, one might expect that your network is well watched, but perhaps not well protected in other ways. So, if an attacker can manage to encrypt traffic or otherwise hide what they are doing, they can likely expect a fairly easy time of it. However, if you manage to partner with a company that produces a more active defense, such as HIPS, an attacker may find themselves blocked, traced and served with a face full of stinging tentacles (or a lawsuit… the modern equivalent).
Security Lessons from Nature – Fierasfer
- At September 22, 2009
- By Josh More
- In Natural History
- 0
All over the Internet, the fierasfer (aka pearlfish) is defined as: A genus of small, slender fishes, remarkable for their habit of living as commensals in other animals. One species inhabits the gill cavity of the pearl oyster near Panama; another lives within an East Indian holothurian. Not only does this go to show that almost no one does anything original on the Internet anymore, but also that fierasfers are some of the coolest fish ever.
What makes them unique is that they live inside other animals. Some may live inside other fish, clams, starfish or sea cucumbers. In most cases, they don’t harm the other creature, they just live together and share resources. This is much like a business that incubates other businesses. In this model, the larger business shelters and stabilizes the smaller startups, and the startups in turn, allow the larger business to be more nimble and responsive to market demands.
However, there is one small flaw in the plan. That flaw is known as Carapus acus. This pearlfish lives inside sea cucumbers and swims out at night looking for food. If food cannot be found, they eat the organs of the host. This would be like a startup having difficulty with cash flow and solving the problem by just taking money out of the accounts of the larger firm. Sadly, it can happen.
So, what lesson can be learned here? Well, one would be to not go swimming where fierasfers abound. A more practical one would be to be careful with whom you choose to partner. At the very least, be sure that any financial systems are separated. At most, you might want to find some way to keep the systems audited and make sure that the line between the companies is clear.
This way, you can keep your organs from being eaten while you sleep.