Mythic Monday – Medusa and Immutability

Most people these days know at least part of the tale of Medusa. You know that she had snakes for hair and that everything she looked at turned to stone. Well, unless you’re big into gender theory, you can ignore the rest (at least for the purposes of this post), because today we’re going to talk about stone.

Throughout myth, stone is often viewed as unchangable.  Even in this modern day, we have phrases like “etched in stone” and stories of the weeping angels.  Despite the obvious fact that it’s not true, we tend to think of stone as permanent.  After all, making it otherwise requires special tools and/or special skill.  In everyday experience, something that is made of stone is going to stay that way forever.

If only there were a way to apply the same concept to business security.

Granted, in many cases, you wouldn’t want this.  Security should be reactive and responsive. As stable as stone may be, very few people would call it highly responsive.  (Amusingly, as I write this, reports of the eruptions of Redoubt and Tonga are just coming in.)  However, it would be nice if you could effectively lock certain changes into stone, rendering them immutable.

Well, you can.  Most systems have access rights that can be tuned.  If you configure them correctly, only the right people will be able to write to those files.  In effect, it’s like the computer has a special Medusa inside it that can turn files into stone for most people.  This is a basic aspect of system hardening.  If an attacker cannot write to a file, they can’t make changes, and you’re better off.

Ah, but what if you’re one of those Greek heros for whom the computer’s Medusa doesn’t work?  Shouldn’t you have the ability to ask Medusa to lock your files so that even you can’t change them?

Well, once again, you can do this.  Most Linux systems have what are called extended file permissions that, strangely enough, are generally only used by attackers.  In addition to the basic read/write/execute (in this case, “execute” means “run”, not “stalk with mirrored shield, cut off head and cause the birthing of the pegasus”), you get special magic powers such as:

  • Make immutable
  • Make undeletable
  • Make appendable-only

Thus, you can create a configuration that is readable and works just fine, but is completely unchangable unless you are the admin of the server and you know the extra level of protection.  Now, it’s not a panacea by any means, but one more layer of protection keeps out one more class of attacks. . .  and that’s a win.

For more information:

Announcement – Linux Security Presentation

The presentation that I gave at Infragard can be found here. In it, I discuss:

  • How to choose between the multitude of Linux distributions
  • How to properly secure a system once the choice has been made

The semipermanent home is here, and has a link to the .zip archive containing my raw vector and PovRay files from which this presentation is made.

Small Business Defense – AntiPhishing

The core problem with phishing is that it is a very human attack.  It relies on people to, well, be people.  The emails are crafted to be interesting or scary, and right when the reader is at the peak of wanting to know more, they are presented with a link.  Once the link is clicked on, it’s game over… so the point of the game is to keep the link from being clicked.

It’s harder than it sounds.

One technique that would work well would be to completely block all HTML email.  Thus, no pictures, no links.  All email looks the same and all the HTML email coming in will look like utter gibberish.  Now, as much fun as we all had in 1995, I think that we can all agree that that approach would not work well these days.  So, what does?

Antispam

Many phishing attempts will trigger on good spam filters.  The important thing to note, though, is that phishing attempts in a spam folder are just as effective as ones that appear in the INBOX.  If you use this as a primary defense, it’s important to make sure that the anti-spam quarantine system traps the messages in such a way as to prevent such clicks from being active.  Google’s gmail and their add-on message security products work well for this.

Anticlick

If the emails get through, and let’s face it, no antispam solution is perfect, it can work well to prevent the click from occuring.  There are certain technologies that whitelist allowed links and render all others are unclickable.  You can also run local HIPS software that can prevent such clicks from downloading and running software.  If the HIPS software is good enough, it might even protect against overflows in the email client itself.  Again, however, these solutions aren’t perfect.

Employee Education

The absolute best way to keep employees from clicking on the link is to continuously tell them not to click on links. It’s not perfect, but making employees responsible for their actions is the best way to get results. Much as someone would not leave the front door open and unlocked, they should be aware of the ramifications to the business should they engage in unsafe practices on the Internet.

Of course, we all know that people will make mistakes, which is why it would be wise to use both antispam and anticlick technologies as well. The combination of all three work far better than any one alone.

Small Business Attack – Phishing

Odds are that your business has a relationship with key vendors.  Commonly, these include at least one bank and payroll processor.  Of course, were one of these accounts breached, things could get really bad. Really really bad. In fact, things could get bad enough that people might not be thinking clearly when they click on links.

That’s all an attacker needs. One brief moment of panic or excitement, one click of a link, and they’re in.

Attacks can come in many forms. All an attacker needs to know is a little bit of information about your company and be able to bypass a spam filter. Then, suddenly, your employees will start seeing emails with subject lines like:

  • “Problem processing your paycheck”
  • “Health insurance lapsed”
  • “[Payroll Company]: Bonus check available”
  • “[Your Company] being sued by [Big Company”

Once the employee opens the email, it may be all over, but odds are that your systems are somewhat secure.  This means that they’ll actually also have to click on a link.  Generally, this is done by naming the link one of the following:

  • “click here”
  • “more info”

At this point, the user generally clicks their mouse, the attack runs, and the attacker has access to all the files on the workstation.

But you should be OK.  After all, it’s not like your employees have access to proprietary or customer data… right?

Security lessons from Nature – The Dinochicken

OK, so we don’t have a dinochicken yet, it’s being worked on.  I just couldn’t pass up the chance to blog about it.

Building on last year’s moderate success linking a tyrannosaurus rex to a chicken (which, admittedly is being challenged), scientists are attempting to reverse genetically-engineer dinosaurs from chickens. Specifically, they’re trying to produce chickens with teeth (which can happen), longer tail and forearms.

So, what does this have to do with business, other than it’s being really neat?

Simply put, even if it’s possible to do this, it will be extremely difficult and expensive.  They have to identify specific genes, figure out how to turn them on and off, find a series of stages to make the embryos viable (you can’t just hatch a dinosaur from a chicken egg, there’ll need to be steps), and eventually grow them to the point where they can self-reproduce.   It’s a whole lot of work.  If you wanted a dinosaur, it would have made a lot more sense to not let them go extinct in the first place.

Of course, there’s not much any of could have done to prevent the extinction of the dinosaurs, but there are certain present-day species that could probably use a bit of help.  If they become extinct, they’re gone.  Sure, we could try to resurrect them with technology, but we’d lose all of the learned behavior that passes from generation to generation.  It would be a lot cheaper and easier to save them now… and we’d do a better job.

The same applies to your internal I.T. projects.  As the economy continues to stall out, and companies readjust their spending, stop and consider more than just the immediate costs. If you have a project that is truly wonderful, but is costing a fair amount of money, don’t just kill it. Maybe shift your focus from development towards documentation. Maybe adjust your sales strategy. Maybe sell it to another company. Just don’t let the project die. Recreating it could be far more time consuming and costly than you may like.

After all, you can go extinct after economic recovery just as easily as during.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.