
Review – Apache Security

  • At October 02, 2009
  • By Josh More
  • In Business Security
  • 0

I’ve had the book Apache Security for a while now, so I thought I’d give it a quick review.

Like most O’Reilly books, it’s well thought out and fairly complete. Unsurprisingly, it focuses on the standard LAMP stack, giving advice on building and deploying Apache and hooking in PHP and SSL. Ruby seems to be missing, and Perl is only discussed within a chroot environment. It discusses performance tuning a bit, in the guise of protection against DoS, and then moves on to issues in a shared hosting environment.

Much of what is in this book is more general than just Apache, so it’s best to consider this as a general security book for people running both Linux and Apache, and ideally using PHP and MySQL.  It would be less useful to people running Apache on Windows and for people using less common languages.  However, it is very good for the basics:

  • Installing Apache
  • Hardening Apache
  • Setting up chroot
  • Hardening PHP
  • Configuring logging and access
  • Understanding web attacks

Where it seems to lack a bit is:

  • It presumes that the reader will install Apache from source, whereas most admins these days will install from a package. More advice on hardening Apache in the SuSE, Red Hat and Ubuntu/Debian environments would be useful.
  • There is no mention of AppArmor or SELinux (which, to be fair, were pretty new when this book came out).  A second edition will have to have these, as they are a key way to protect Apache against itself.
  • A few pages on how to use Suhosin to protect PHP applications would be good.
  • A section on protecting Ruby and one on Perl would be good.  While it is certainly true that no book can cover everything, these three languages are the most common in the LAMP world and should probably be addressed, at least in passing.
  • While we’re at it, a section on hardening MySQL wouldn’t be out of place, as the book is more of a LAMP book than an Apache book anyway.

I recommend this book for the beginner to moderate admin, be they a web admin or in the security space.  However, experienced people may not find much new in here.  I would, however, love to see a second edition released.

Small Business Attack – Metasploit Defenses

  • At October 01, 2009
  • By Josh More
  • In Business Security
  • 0

The easiest way to protect against tools like Metasploit is to make sure that there are no exploitable services running. Of course, this isn’t always as easy as it sounds. Services are constantly being explored and new exploits are often found. If you’re lucky, the vendor will release a patch. If you’re even luckier, the patch won’t break anything essential.

However, odds are that you’re not that lucky.

Some systems stop being updated after a period of time (Windows NT and 2000) and some cannot be updated without causing a problem for a linked system (manufacturing systems are often prevented from being updated). It’s also quite likely that a so-called “zero day” exploit will be used against you. Zero day exploits are ones that are used the day that they are announced. Of course, they tend to be announced after the exploit had been found and used… so the “zero” could well be a “negative thirty” (or 60 or 120).

So, if you can’t make sure that your running services aren’t inherently exploitable, you’re pretty much left to two choices. You can either turn the services off (a service that isn’t running can’t be exploited) or you can try to wrap the service in a system that makes it less exploitable.

I recommend that you do both. If you don’t need a service, disable it. If you do need it, consider wrapping technologies like AppArmor, Suhosin, OSSEC, Core Force and Mod Security or using a more generic proxy solution.
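The first of those two steps, finding out which services are actually listening so the unneeded ones can be disabled, can be checked with a short audit script. This is an added example, not code from the original post; it assumes a Linux host and the column layout that `ss -ltnp` prints, and the listener sample below is constructed.

```shell
#!/bin/sh
# Added example: report listening TCP services that are not on an allowlist,
# so anything not explicitly needed can be turned off. Assumes the column
# layout of `ss -ltnp` on Linux; the sample below is constructed, not real.

# Ports this host is expected to serve. Everything else is reported.
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -ltnp` output for a hypothetical LAMP host.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80           0.0.0.0:*    users:(("apache2",pid=1201,fd=4))
LISTEN 0      511    *:443                *:*          users:(("apache2",pid=1201,fd=6))
LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*    users:(("mysqld",pid=977,fd=21))
LISTEN 0      128    0.0.0.0:5900         0.0.0.0:*    users:(("x11vnc",pid=1530,fd=5))'

# Print one "port process" line per listener that is not in the allowlist.
# Loopback-only listeners are skipped: they are not reachable from the network.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                      # skip the header line
        {
            addr = $4; port = addr; sub(/.*:/, "", port)   # text after last colon
            host = addr; sub(/:[^:]*$/, "", host)          # text before last colon
            if (host == "127.0.0.1" || host == "[::1]") next
            if (port in ok) next
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)   # name inside the quotes
            }
            print port, proc
        }'
}

# Run the audit against the constructed sample when executed directly.
unexpected_listeners "$SAMPLE_LISTENERS"
```

On a live host, replace the sample with `"$(ss -ltnp)"` and feed the output into whatever change-ticket process you use for turning services off.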

Small Business Attack – Metasploit

  • At September 30, 2009
  • By Josh More
  • In Business Security
  • 0

Though there is a saying in the security profession that it’s not about the tools, some tools are pretty cool. In general business, common tools are things like Microsoft Word and Excel (or their open source equivalents in OpenOffice). On the defense side, we use antimalware suites like Sophos. Generally speaking, attack tools aren’t as polished and are very narrowly focused. However, that’s starting to change.

The attack tool I want to discuss today is Metasploit. This tool has one primary purpose — to break through your defenses. It’s built using a framework methodology. You can think of it as having “plugins” like Firefox. In Firefox, plugins can extend the functionality of the browser by blocking ads or blocking scripts. In Metasploit, the plugins are a bit more dangerous and add functionality like exploiting a service and escalating privileges.

Basically, the tool works as follows:

1. Pick your target
2. Break in

That’s pretty much it. If there is a flaw in the system, an attacker can probably get in. And since this tool is so easy to use, an attacker doesn’t have to be particularly skilled to take over a system. They just point, click, and get your data.

Security Lessons from Nature – Smart Crabs

  • At September 29, 2009
  • By Josh More
  • In Natural History
  • 0

Crabs have claws. Some of them have ridiculously oversized claws, some are stronger than the jaws of a wolf and some can give you wicked papercuts.

However, there are a few crabs that just don’t think that’s good enough. Instead, they pick up anemones and carry them around. Since anemones have tentacles, the crabs look a bit like high school cheerleaders carrying pompoms, but they don’t mind. After all, it’s a great defense. An attacker girds itself to fight against pinching and instead it gets a face full of stinging pain… quite the surprise.

Businesswise, it would be pretty ineffective to have your employees carrying around anemones. Not only would it make typing difficult, but they would also have to be kept underwater, which might present issues with keyboards. Instead, the lessons are, I think, misdirection and non-localized advantage.

Your business has a brand, so an attacker would naturally expect that a defense would match what your company is best at. For example, if you make surveillance cameras, one might expect that your network is well watched, but perhaps not well protected in other ways. So, if an attacker can manage to encrypt traffic or otherwise hide what they are doing, they can likely expect a fairly easy time of it. However, if you manage to partner with a company that produces a more active defense, such as HIPS, an attacker may find themselves blocked, traced and served with a face full of stinging tentacles (or a lawsuit… the modern equivalent).

Mythic Monday – Nommo

  • At September 28, 2009
  • By Josh More
  • In Mythology
  • 0

Recently, while I was reading about African mythology, I ran across the story of the sky god Amma and its creation of the half-human, half-fish hermaphroditic creature Nommo, which split into four pairs of twins and, after normal mythical events, became the ancestors of the contemporary Dogon people. Due to mistranslations of early ethnographic studies, these creatures were identified as coming from Sirius, which, if true, would indicate that the ancient Dogon people either had powerful telescopes (unlikely) or were visited by aliens (which some people seem to view as more likely).

Now, as I read this, I thought “hermaphroditic human/fish hybrid that some point to as proof of alien contact… I’ve got to blog about this!” Sadly, though, I just couldn’t come up with a good business or security angle (there’s something to the “one twin goes evil, so the other has to be sacrificed” story… but there are other such stories in myth that are far more accessible).

Then I started researching Binu shrines. The story goes that one of the Nommo twins was evil, and to make up for this, another twin had to be sacrificed, dismembered and scattered all over the earth. Wherever a piece of Nommo landed, a Binu shrine was built. I was curious, and wondered what a Binu shrine looked like. Looking on Flickr, I ran across this photo by sunshinerythym. I looked at the terms of use and saw that it was marked “All rights reserved”, so I didn’t embed it. I sighed and moved on.

Shortly thereafter, I saw this page on the Sacred Sites of the Dogon, Mali. Well, that photo sure looks familiar, doesn’t it? It’s lightened up a bit, but it looks awfully close. And that link below it? Order Fine Print?

Very interesting.

Now, it is quite possible that sunshinerythym was contacted by the people that run SacredSites.com and gave permission for the photo to be used in this manner. I know that I’ve gotten requests to use my photos in such a way.

However, I also want to point out that there are some untrustworthy people out there who make money by selling other people’s work. If you post a photo in full resolution, anyone can download it and do whatever they want with it. If you license it appropriately, you can take legal action against them… but you have to catch them first. Of course, if you screw up your licensing, you probably don’t have a leg to stand on (unlike Nommo, who being half-human had legs (look, I tied it back in!)).

The security lesson here is that if you are generating content, be careful with it. Though I have chosen to make my full resolution photos available, I do so with the understanding that others may steal them. To help mitigate this, I have licensed them for non-commercial use only. For me, photos are fun, but not my main business. I am fine taking the risk if it means that zoos and similar educational organizations can use my photos to help other people learn. The point is that I know I am taking the risk to begin with.

The other security lesson is that if you are a business, keep track of the rights to the things you use. If such use is not previously authorized, it could be construed as intellectual property theft and could be quite costly.

The mythological lesson is less clear. :)

(Before writing this post, I sent an email to sunshinerythym, as we Flickr users have to help protect each other. It is quite possible that by the time you read this, the links may be broken.)

Copyright © 2013 by Josh More