Wednesday, October 31, 2007

In keeping with the Internet security theme

This was originally posted at http://getahead.org/blog/joe/. It's a really good graphic presentation on Web-application problems.

Via gnucitizen.org:

Sunday, October 28, 2007

The final solution

Internet Security:

[comic image not preserved]

With apologies to xkcd.com

A couple of thoughts and things to come

1. If you have not seen the Tactical Exploitation presentation that HD Moore and Valsmith gave at Defcon this year, you need to see it.

There's good stuff there for forensic folks too. Things like http://whois.domaintools.com that some people don't know about. . . just good stuff.



2. When you do forensics on compromised systems, there is an inverse relationship between time and evidence; that is, the greater the time between compromise and examination, the less evidence remains.

A couple of files that I've found to be useful in exams - memory.dmp and drwatson.log (it might be drwtsn.log. . .). I'm going to do a longer post on this later on, but in short, attackers' tools often cause applications to crash. This is an easy way to find out how the attack was accomplished. WinDbg is your friend here. More later.

3. I'll be posting a couple of scripts in the near future. One will extract event logs from a remote computer, and the other gets services from a remote computer (similar to sc \\remote query), but it also extracts the PID and the path to the executable and command line.

I've been *really* busy in the last couple of months, between work and home life, but I'll continue to post when I've got something that I think is useful.

Saturday, October 6, 2007

Things that pain me

<\begin rant>It's been a really busy couple of months, so I haven't had much time to myself, but a couple of quick thoughts:

1. Five minutes a week isn't asking that much, is it?


I have a server that I manage - I've been putting in extra hours at work, but somehow I still manage to find five minutes a week to look at my logs. I wrote a shell script that looks for things like failed logins, brute force attacks, successful logins, et cetera; why can't IT "Professionals" spend a little time doing the same thing?

I'd challenge everyone to stop right here and take a look at the logs on the box that you are viewing this post from, or even better, a server that you manage - you'll learn more from five minutes of reading your own logs than you will from the rest of this blog.
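As an added example (not the author's script, which is not on this page), here is what a five-minute check of an OpenSSH auth log can look like: failed logins per source, sources that crossed a brute-force threshold, every successful login, and the one thing worth reading first, a success from a source that had just been hammering the box. The log lines are constructed sample data in `/var/log/auth.log` format; the hostname, user names and RFC 5737 addresses are made up.

```shell
#!/bin/sh
# Added example, not the author's script: a five-minute review of an
# OpenSSH auth log. Run against a real file:  sh logcheck.sh /var/log/auth.log
# With no argument it runs against the constructed sample below.

THRESHOLD=5   # failures from one source before we call it brute force

# sample_log: write constructed auth.log-style lines to a temp file and print its path.
# Hostname, users and addresses are made up for the example.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct  6 03:12:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  6 03:12:03 web1 sshd[4013]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct  6 03:12:05 web1 sshd[4015]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct  6 03:12:07 web1 sshd[4017]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct  6 03:12:09 web1 sshd[4019]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Oct  6 07:45:10 web1 sshd[4200]: Failed password for joe from 198.51.100.4 port 60001 ssh2
Oct  6 07:45:20 web1 sshd[4202]: Accepted publickey for joe from 198.51.100.4 port 60002 ssh2
Oct  6 22:03:44 web1 sshd[4311]: Accepted password for root from 203.0.113.7 port 51100 ssh2
EOF
    echo "$f"
}

# failed_logins FILE: "count ip" for every source with a failed password, busiest first
failed_logins() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# brute_force FILE: sources with at least THRESHOLD failures
brute_force() {
    failed_logins "$1" | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# accepted_logins FILE: "user ip method" for every successful login
accepted_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p' "$1"
}

# suspicious_success FILE: successful logins from a source that also brute-forced us.
# A success following a burst of failures is the line to read first.
suspicious_success() {
    bad=$(brute_force "$1")
    accepted_logins "$1" | while read -r user ip method; do
        for b in $bad; do
            if [ "$ip" = "$b" ]; then
                echo "$user $ip $method"
            fi
        done
    done
}

# review_log FILE: the whole five-minute report
review_log() {
    echo "== Failed logins by source (count ip) =="
    failed_logins "$1"
    echo "== Probable brute force (>= $THRESHOLD failures) =="
    brute_force "$1"
    echo "== Accepted logins (user ip method) =="
    accepted_logins "$1"
    echo "== Accepted logins from brute-forcing sources: read these first =="
    suspicious_success "$1"
}

LOG="${1:-$(sample_log)}"
review_log "$LOG"
```

On the sample, the report flags 203.0.113.7 as a brute-force source and then shows that the same address got an accepted password login for root later that day; that is the kind of line five minutes with your own logs turns up and no appliance will hand you. The threshold and the patterns are the only parts that need tuning for a real box, and the whole thing is small enough to run from cron and mail itself to you.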

2. Information security/assurance/warfare/technology/badgers are stupid

Until artificial intelligence (AI) gets significantly better (read: not during the course of your career), there will be no substitute for people doing the work of analyzing the products that computers create. There is not, and there will not be, any appliance, snort box, grep expression, program, or pretty graphical user interface that can analyze the data collected and conclude with a reasonable degree of certainty that something is amiss. People, on the other hand, can infer, and from those inferences determine the likely answer to questions. Attackers are people, and as such are remarkably fluid and resilient in the face of adversity; that is, they can modify their behavior when confronted with new information or situations.

Computers, by contrast, are rule-based: if text == Attack! then drop packet - but if text == 0x41ttack, well. . .

This is not to say that computers do not do some things better than people. Data can be sorted and noise eliminated more quickly with them, but people have to analyze the data. It's a waste of time to have IDS analysts unless you have an IDS, and it is a waste of time to have an IDS without an analyst.

3. Network engineers should consider layer 8 during design, and plan their security accordingly.

People are distracted, stupid, ignorant or indifferent to policy. Policy can prohibit me from visiting http://example.com, but someone won't get the word, or won't care if they do. Policy without enforcement is a waste of time.

The only way to secure a network is to build in security as the primary consideration. Some people have come to view their ability to access the Internet as some inalienable right on par with the 4th Amendment to the Constitution*, and IT workers seem to have become the customer service representatives for said access. It's a sad state of affairs. If your network policy is not governed by a deny all, permit by exception principle, you are owned. Maybe not today, but you will be owned. If you have a DAPBE rule set in place for your network environment, you'll still get owned, but it will be easier to clean up.

People don't need to have access to webmail, CNN, ESPN, Homestarrunner or XKCD from work. They want it, sure, and maybe some do need CNN, but who can tell me of a blacklist that will prevent users from going to all of, say, the malware sites that are hosted by blogger? I'm guessing that there isn't one.

4. When you say, "We need to educate the users," I want you to stop breathing my air.

User education is valuable, but only when it's actually education. Education is not the biannual "click here to click through" security training. You are wasting your money (OK, granted, this was probably some bureaucrat's idea of what security training should entail) and it's a waste of energy. Spend your budget on things that work - and if you've got extra time and money at the end of the year, then you can worry about user education. This also means that I'll be less likely to garrote you in a server room.<\rant>

*The Fourth Amendment to the Constitution of the United States guarantees the right of persons to be secure from unreasonable searches and seizures by the Government.