Mythic Natural History – Encapsulation
- At October 16, 2009
- By Josh More
- In Mythology, Natural History
- 1
Yesterday (as I write this), I was privileged to attend the Iowa State University Cyber Defense Competition. The basic idea is that you have students build a handful of servers that must withstand attack from the “red team” while simultaneously providing services.
Though I generally specialize in Linux defense, I did manage some successful attacks against both operating systems. There was one team that watched the network and blocked some of the IP addresses that were attacking them. There was another that was hiding behind a firewall appliance. However, what was most interesting was the level of awareness that different teams had about what I was doing. Generally, once I connected via an encrypted session, the admins let me do whatever I wanted to do. I could try exploit after exploit with no interference at all. Odds are, if they were watching me at all, they were looking at network traffic. As such, I was hidden from their view due to encapsulation.
TechTarget defines encapsulation as: “In general, encapsulation is the inclusion of one thing within another thing so that the included thing is not apparent. Decapsulation is the removal or the making apparent a thing previously encapsulated.” . . . but this is boring. I could go on at length about how TCPIP has layers like an onion (or an ogre), or I could just point you over to The TCPIP Guide. However, since TCPIP is also boring, I’ll let you go read about it yourself.
Instead, I want to talk about the Mayans. After the competition, I was relaxing at home by reading a book of Mesoamerican Myth, and I got to a part that told how Xbalanque and Hunahpu (let’s call them Xbally and Huna for short) were contacted by their grandmother. Apparently, the spread of the Internet had not reached the Yucatán Peninsula by 250AD, so when their grandmother wished to send them a message, she didn’t send them an instant message. Instead, she told a louse.
Now, it is clearly ridiculous to think of a louse being able to carry a message all the way to the Eastern end of the Earth (likely Tulum), which is why it was most fortunate that the louse was swallowed by a toad. The toad, of course, was eaten by a snake, which was gobbled up by a hawk. The hawk then flew to Xbally and Huna. Of course, the hawk could not give them the message directly. He had to first disgorge the snake, which spit up the toad, which vomited up the louse (you can’t keep a good louse down), which delivered the message. At which point, our pals Xbally and Huna went off to the underworld to work for some strangely-named underworld gods, avenge their father and otherwise exit the interesting part of our story.
See, the message couldn’t get there on its own. No matter how loud someone shouts, there’s a limited distance over which the message may be understood. Thus, it helps to encapsulate the message inside a louse (SSH). If anyone looks at the louse, they just think “eew, louse!” and not “hey, maybe that louse contains a secret message”. Even if the louse were cut open, it wouldn’t reveal anything other than louse guts. The message is well concealed.
However, even though a louse is a good way to hide in plain sight, it’s not so good at crossing distances. Particularly if the terrain is somewhat marshy. That’s why, if you don’t want the message to drown, you’d better put it in a toad (UDP). This way, the delivery is more robust.
(As an aside, I chose UDP over TCP for this analogy, because otherwise at the end of the story, Xbally and Huna would have to find another louse, give it a message that says that they got the message, shove it in the toad, feed the toad to the snake, let the hawk eat the snake and send the snake back to their grandmother… and that would just be silly.)
A toad, however, doesn’t do so well in all environments. It may be able to hop over a desert, but it would take a while and it could get lost. That’s why toads are more comfortable inside of snakes (IP). The snake has a more complex brain and can remember more of the environment than a toad can. Thus, instead of just hopping from puddle to puddle in the hope that it’s going the right way, the snake can take a more direct route… within its own little area. Snakes are, alas, not so good at crossing barriers like mountains and chasms. For that, you want a hawk (Link Layer). The hawk is used to flying and tends to have a good solid understanding of its environment. When it flies, even if snake-laden, the hawk can get where it needs to go quite quickly by flying through the air (Layer 1).
Thus, by combining all four animals (or Link, IP, UDP and SSH), you can get a message securely to where it needs to go. True, these days we use somewhat obscure mechanisms to do so, but hey, these days lice are relatively rare.
It’s a good tradeoff.
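To make the hawk/snake/toad/louse stack concrete, here is an added example (my code, not the post’s) that wraps an opaque payload in UDP, IPv4 and Ethernet headers and then peels the layers off again the way a receiving host does. The MAC addresses, the 192.0.2.x addresses and the payload are constructed for the example; the UDP checksum is left at zero, which IPv4 permits. The point it shows is the one the post makes: whoever inspects the frame from the outside sees only the outer animals (addresses, ports, lengths), while the innermost bytes are just bytes.

```python
"""Build a frame layer by layer (louse -> toad -> snake -> hawk), then decapsulate it.
Added example, not code from the post. Addresses and payload are constructed."""
import socket
import struct

# Constructed link-layer and network-layer addresses (not real hosts).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.0.2.10"          # TEST-NET-1 documentation range
DST_IP = "192.0.2.20"
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a valid header,
    checksum field included, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """payload (louse) -> UDP (toad) -> IPv4 (snake) -> Ethernet (hawk)."""
    # UDP: source port, destination port, length of header + data, checksum 0.
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # IPv4: pack once with checksum 0, compute it, pack again.
    fields = [0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
              socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    ip = struct.pack(IPV4_FMT, *fields) + udp
    # Ethernet: destination MAC, source MAC, EtherType.
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip


def decapsulate(frame: bytes) -> dict:
    """Peel each layer off and report what that layer exposes to an observer.
    The innermost 'payload' is the part an SSH session would have encrypted."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("hawk is not carrying an IPv4 snake")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack(IPV4_FMT, ip[:20])
    if proto != PROTO_UDP:
        raise ValueError("snake is not carrying a UDP toad")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "link": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "ip": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl},
        "udp": {"src_port": src_port, "dst_port": dst_port},
        "payload": udp[8:udp_len],
    }


if __name__ == "__main__":
    frame = encapsulate(b"grandma says come home", 40000, 22)
    for layer, info in decapsulate(frame).items():
        print(layer, info)
```

Flip any byte in the IPv4 header of the frame and `decapsulate` refuses it on the checksum, which is the snake noticing it has been cut open; flip a byte of the payload instead and nothing at the outer layers notices, because integrity of the inner message is the louse’s (SSH’s) job, not the snake’s.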
Small Business Defense – Cross Site Scripting
- At October 15, 2009
- By Josh More
- In Business Security
- 0
Let’s start with some basic assumptions:
- You must have a website to do business in today’s world.
- Your customers have to be able to post content, either on your website or on a shared third-party site that you have to use to communicate with them (Twitter, Facebook or LinkedIn).
- That communication method will be attacked.
So, you have two scenarios. Your own website or a third party website.
If it’s your own website, you have a bit more control. There are techniques that you can use to limit cross site scripting. The common advice is to use a whitelist of “good” characters, and filter out everything else. That’s not hard to do, actually. However, the problem has to be solved at every possible entry point, which can be very difficult if you don’t design it into the system from the start.
However, if it’s on a third party website, your options are a trifle more limited. You don’t know what they allow or disallow. You don’t know what other users are going to post, or even who they may be. What you do know, though, is that there will be attacks. Do you trust them?
Odds are that the answer is “no”.
The good news is that there is a simple test that works on both your own website and the third party systems. Just log in and see which of your data is visible. If an attacker gets in, they will run attacks as you. If your local workstation is protected, you can probably assume that the attack will be limited to the context of the website itself. Thus, you can limit what an attacker can get to by simply controlling the data that you allow online.
So here are two good rules of thumb:
- If you don’t need to put pieces of data online, don’t.
- If the site requires information that you don’t want to give, either don’t use the site or make something up.
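Here is an added example (mine, not the post’s) of the whitelist approach for your own site, written so that the “every possible entry point” problem is handled by design: every form passes through one `accept_post` chokepoint, each field has an explicit allowed-character set, and a field with no rule is rejected rather than passed through. The field names, character sets and sample inputs are constructed. It shows both ways of applying the whitelist the post mentions, stripping disallowed characters and rejecting the input outright, and adds HTML escaping on output as a second layer, which is my addition rather than the post’s advice.

```python
"""Whitelist filtering for user-posted content through a single chokepoint.
Added example, not code from the post. Field rules are constructed."""
import html
import re

# Allowed characters and maximum length per field. Hypothetical site fields.
FIELD_RULES = {
    "username": ("A-Za-z0-9_", 32),
    "comment": (r"A-Za-z0-9 .,!?'\-\n", 2000),
}


class ValidationError(ValueError):
    """Raised when input falls outside the whitelist or has no rule at all."""


def _rule(field: str):
    # An unknown field is a new entry point nobody wrote a rule for: refuse it.
    try:
        return FIELD_RULES[field]
    except KeyError:
        raise ValidationError(f"no whitelist defined for field {field!r}") from None


def strip_disallowed(field: str, value: str) -> str:
    """'Filter out everything else': drop every character not on the whitelist.
    Note that stripping can splice the remaining characters into a new string,
    which is why rejecting (validate) is usually the safer choice."""
    chars, max_len = _rule(field)
    return re.sub(f"[^{chars}]", "", value)[:max_len]


def validate(field: str, value: str) -> str:
    """Reject instead of repair: the value must consist only of whitelisted characters."""
    chars, max_len = _rule(field)
    if not re.fullmatch(f"[{chars}]{{1,{max_len}}}", value):
        raise ValidationError(f"{field}: contains characters outside the whitelist")
    return value


def accept_post(form: dict) -> dict:
    """The one entry point every form on the site goes through."""
    return {field: validate(field, value) for field, value in form.items()}


def render(value: str) -> str:
    """Output encoding as a second layer: even whitelisted text is escaped when shown."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(accept_post({"username": "josh_more", "comment": "Nice post, thanks!"}))
    print(strip_disallowed("comment", "hi <b>there</b>"))
    print(render("it's <fine>"))
```

The apostrophe is on the comment whitelist because people write it; `render` turns it into `&#x27;` so it is harmless inside an attribute as well as in text, which is the reason for keeping an output-side layer even when the input side is strict.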
Small Business Attack – Cross Site Scripting
- At October 14, 2009
- By Josh More
- In Business Security
- 0
On September 23rd, LiveJournal was attacked. The attackers used flash. When the flash file was loaded, it ran within the context of the user who was logged in and made changes to recent posts. This allowed the attack to spread friend-to-friend. It also harvested email addresses.
Doesn’t sound like much, does it? After all, it’s basically a flash virus that steals email addresses, right? What’s new there?
Well, let’s look at the one thing that makes LiveJournal a successful site. At its core, it allows users to post content and share links with one another. In order to block the attack, the admins had to effectively break the site until they tracked it down. The one thing that LiveJournal requires is the same thing that the attacker was able to use to get in. In fact, given what it does, there may not be a way to secure the system and still give users what they want.
OK, then, suppose you accept the fact that you’re going to be successfully attacked. How do you protect yourself?
It’s interesting to note that the attackers just wanted email addresses. Odds are that they could have gotten other things too. However, since many people publish their list of friends, it would be trivial to link those email addresses to other email addresses. Now, if you have a database of email addresses and the email addresses of people that are their friends, you have just what you need to run a phishing attack.
Do you allow your customers to post content on your website? Do you use any websites that allow you or your associates to post content? How are you protecting your data?
Note: since I wrote this post, but before it was posted, Reddit was similarly attacked.
Security Lessons from Nature – Status monitoring
- At October 13, 2009
- By Josh More
- In Natural History
- 0
I weigh between 150 and 155 pounds. What’s interesting is that, under ideal conditions, it is exactly between 150 and 155. I weigh myself regularly, and I have noticed that if my weight ever drops below 150, I get sick within a day. The same applies if it holds steady over 155 for more than a couple of days. Similarly, I have an average temperature range, and any significant variance typically bodes ill(ness).
The human body (really, all mammals) has many such metrics. In addition to weight and temp, there is an average heart rate, normal EKG, bone density and typical levels of vitamins, minerals and hormones. These can be measured in many ways, but they generally fall into two categories. Some things can be measured at a surface level (weight and temp), others require special equipment, a tolerance of invasive procedures and significant amounts of time. Of course, the more time you devote to it, the better the data you get, so these scans are generally only done when a problem is suspected.
The same applies to IT systems. There are certain metrics that are easily determined and if they vary, it can indicate a problem. Just like weight and temperature, some can be easily gathered, gathering others can impact the system, and some require the system to be down before they can be gathered.
Just like we generally don’t send people in for a full body scan on a regular basis, we aren’t in the habit of shutting down servers for a day each week and performing precautionary forensic analysis upon them. Instead, we prefer to check surface-level data: Disk, CPU and RAM usage, network connection statistics. If one of these indicates a problem, then and only then do we begin to dig more deeply and run scans that might impact system performance.
The key, just like my regular monitoring of my weight and temp, is to regularly monitor system performance metrics. Otherwise, you only catch problems after they’ve already impacted the system. Just as it’s easiest to deal with a cold before it really sets in, it’s easier to identify an attack at the beginning of the process.
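The weight rule in the post has two halves: a drop below the floor is bad immediately, while a rise above the ceiling only matters if it holds for a few days. Here is an added example (mine, not the post’s) that applies exactly that rule to a surface-level server metric. It learns a normal band from known-good history, then flags readings that fall below it at once and readings above it only after they persist. The metric name and all sample values are constructed; in practice the history would come from whatever already collects disk, CPU, RAM or connection counts.

```python
"""Baseline band monitoring with asymmetric alerting (drop = alert now,
rise = alert only if sustained). Added example, not code from the post.
The metric and samples are constructed."""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class Band:
    low: float
    high: float
    persist: int   # consecutive above-band samples needed before alerting


def learn_band(history, k: float = 2.0, persist: int = 3) -> Band:
    """Normal range = mean +/- k standard deviations of a known-good history."""
    if len(history) < 2:
        raise ValueError("need at least two samples to learn a baseline")
    m, s = mean(history), stdev(history)
    return Band(low=m - k * s, high=m + k * s, persist=persist)


def check(band: Band, readings):
    """Return (index, value, reason) for each reading that breaks the rule."""
    alerts = []
    high_run = 0
    for i, v in enumerate(readings):
        if v < band.low:
            # Like weight under 150: something is wrong right now.
            alerts.append((i, v, "below baseline"))
            high_run = 0
        elif v > band.high:
            # Like weight over 155: only a problem if it stays there.
            high_run += 1
            if high_run == band.persist:
                alerts.append((i, v, f"above baseline for {band.persist} samples"))
        else:
            high_run = 0
    return alerts


# Constructed sample: established outbound connections counted once a minute
# during a known-good period, then the readings to check.
KNOWN_GOOD = [40, 42, 38, 41, 39, 43, 40, 42]
READINGS = [41, 46, 47, 39, 36, 46, 47, 48, 40]


def run_example():
    band = learn_band(KNOWN_GOOD)
    return band, check(band, READINGS)


if __name__ == "__main__":
    band, alerts = run_example()
    print(f"normal band: {band.low:.1f} .. {band.high:.1f}")
    for index, value, reason in alerts:
        print(f"minute {index}: {value} ({reason})")
```

The two-sample spike at minutes 1 and 2 does not alert because it goes away, the single dip at minute 4 alerts immediately, and the climb at minutes 5 to 7 alerts once it has held for three samples. Only after one of those alerts would you start the costlier, performance-impacting checks the post compares to a full body scan.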
Mythic Monday – Alternate Worlds
- At October 12, 2009
- By Josh More
- In Mythology
- 0
There is an interesting thing about studying Myth. Looking just at origin stories, there is a basic belief that each culture has but one. However, this isn’t true. Most cultures have many stories. Historically, this may be due to the constant culture clashes of warring tribes, where differing cultures absorbed parts of one another and partially merged in order to avoid utter annihilation. Politically, it may be because no matter how the rulers divided the maps, the people stayed more or less the same, and gods and goddesses were simply added into hierarchies (until we got to monotheism and saints started to serve this role). However, sociologically, what’s fascinating is that the stories can conflict and still both be viewed as true.
The human mind, apparently, has a desire to know and believe in the one universal truth, but doesn’t seem to have to deal with the cognitive dissonance around conflicting worlds. This has even been studied:
An initial study involved 50 three- and four-year-olds. Each child sat with two experimenters, a toy bear, a toy doll and a central pile of toy blocks. The first experimenter, located to the right, introduced the child to the doll Mary; together they pretended it was her bath-time and the child used one or more blocks as bath objects, such as soap. Then the second experimenter, located to the left, introduced the child to Bruno the bear. They pretended it was his bedtime and the child used one or more blocks in the game, for example as a pillow.
The crucial part came next, as the first experimenter told the child that Mary had grown tired and needed to sleep, whilst Bruno had woken and wanted to wash. Rather than using the toy block already established to be a pillow in Bruno’s world, the children, regardless of age, nearly always reached for a new block from the pile to use as a pillow for Mary.
In short, kids seem to resolve the conflict by constructing an alternate world for each story. In their minds, anything can happen within one world, but events in one world cannot cross over to the other. This keeps things simple and easily understood. Sure, we play with the idea here and there. We cross genres in the movies, comics and literature. However, even within these genres, you’ll find that there is a not-insignificant number of people who can easily point out half a dozen logical flaws in each story. It doesn’t matter how careful you are, the flaws seem to inevitably exist and leap right out at anyone who cares to look.
So, it would seem that we’re wired to allow for almost infinite flexibility but only so long as it stays segmented. So I have to ask, why do we insist on tearing down the walls?
I’ve seen numerous environments where, for one reason or another, there are a mix of technologies in play. This makes sense. There are good reasons to use both Microsoft and Linux operating systems in an environment. The same goes for firewalls (Cisco/Astaro), endpoint protection (Sophos/Bit9) and word processing (MS Office/OpenOffice). Each of these technologies is powerful and can bring definite business advantages.
However, the point here is that each should be kept isolated, as much as possible. From a security perspective, one can use flaws in one product to escalate an attack on another. Operationally, trying to connect diverse systems means that you are making both of them work in non-intended ways, which means that subject matter experts in both tend to point fingers at one another.
That’s not to say that every technology should be kept isolated. Not at all. Technology tends to fall into specific worlds. There are three primary Linux worlds: Ubuntu/Debian, SuSE and Red Hat. Each of these worlds has its own repositories, and is built to be more or less complete. Microsoft Windows tends to be a bit less well defined, but it still has its set of technologies that are designed to inter-operate with one another and not necessarily with anything else. Yes, you can try to force it… but as the article shows, we don’t naturally think that way, so there may be problems.