Book Review: Code Craft

Code Craft

By: Pete Goodliffe

Publisher: No Starch Press

Price: $44.95

Rating (out of 5): *****

This is an excellent book about moving from average software development to professional-grade software development. It covers the topics needed to teach developers how to build better software, more effectively than is happening in many organizations today. Topics covered include: effective commenting and documentation, industry standards for software testing (including security), interface design standards, group development practices, mechanisms for spec development and code review, and even insights into managing programmers more effectively.

If you are a developer or manage a group of developers, this book will teach you the softer skills to complement the technical skills you have already mastered. Given the complexity of today’s software, it is these softer skills that often make all the difference between career success and remaining “one of the code jockeys”.

My favorite thing about this book is the insightful tone it uses to get its point across. It truly reflects wisdom and experience from the author without getting the “preachy tone” some technical books seem to take on. Be prepared though, the book is big, some 500+ pages of actual content – so if you just finished that huge Harry Potter book everyone is reading, this may seem a little longer than you like for reading in your easy chair. But, unlike Harry Potter, this book’s payoff is long term career growth and skills improvement!

Book Review: Practical Packet Analysis

Practical Packet Analysis

By: Chris Sanders

Publisher: No Starch Press

Price: $39.95

Rating (out of 5): ****

This book is an excellent introduction to the basics of packet analysis. It gives good introductions to the basics of protocols, use of Wireshark, sniffer deployment and the other skills needed to perform packet capture and inspection.

Packet analysis is a vital skill for network technicians and security folks. This book takes users through a variety of scenarios including wireless network sniffing, protocol debugging and even attack inspection. In addition to Wireshark, it also covers getting dumps from Cain and other common sources.

The book is easy to read, easy to follow and the graphics are very readable. The scenarios are very detailed and reality based. All in all, if you need to get the basics of packet analysis down pat, this is a very good place to start.

Some Indicators of Trojan Activity on your Machine

Last month, I posted a list of indicators that you may experience if there were computer Viruses infecting your system (see the blog from June 1, 2007). This was just the first in a series of articles on indicators of various types of Malware. This month, our Malware topic is the Trojan Horse, or just plain “Trojan”.

Trojans are self-contained programs designed to look like (and be mistaken for) useful or necessary programs on your computer, the kind you would never look twice at. There are several ways a Trojan might make its way onto your system. All you have to do is open, or even just read, an email that contains a Trojan and suddenly you have it too! A Trojan can be hiding in documents that contain macros, such as a regular Word document. You can download or upload a program, or even just click a link displayed on a Web page, and guess what? You can get a Trojan that way too! Trojans can also be the payload of a classic Virus, or they can be implanted by an attacker who has already compromised your system.

So when you get a Trojan, what can it do? Typically, Trojans contain backdoor remote administration tools that allow attackers to access your system undetected. There are all sorts of things that can be done from there. Often attackers will implant keystroke loggers or leverage password extraction and cracking techniques that will allow them to then thoroughly compromise your system.

So what are some indicators that you do have a Trojan on your system? Here are some that may show up:

· Registry updating: Startup messages may appear that say new software has been (or is being) installed

· You may see new or strange processes running in the Windows Task Manager

· You may see anti-Virus software and/or personal firewall software terminate suddenly or unexpectedly. This can occur at startup or when loading these programs

· Applications may suddenly and inexplicably become unresponsive to normal commands

· You may see unexplained remote login prompts occurring at unusual times

· You may see an unfamiliar login screen pop up

· You may see unexpected or unscheduled Internet connection activity

· You may see unusual redirection of normal Web requests to unknown sites

If you see things like this happening on your computer, it is really a good idea to check them out instead of just assuming they are more inexplicable computer activities. Remember, if you get a Trojan on your home computer and you also use that computer for business purposes, you might just be handing an attacker the keys to the kingdom!
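Several of the indicators above (new processes, new startup entries, security software that has quietly stopped) are easiest to check against a baseline taken when the machine was known to be clean. The script below is an added example, not code from the original post or from MSI: it diffs a "known-good" snapshot against a current one and lists what an analyst should check out. Both snapshots are constructed, as are the process names avguard.exe, fwservice.exe and updsvc.exe; on a real machine the process list would come from tasklist and the autorun entries from reg query against the Run keys.

```python
"""Baseline comparison for the Trojan indicators listed above.

Added example, not from the original post. The two snapshots are
constructed; on a real machine the process list would come from
`tasklist` and the autorun entries from `reg query` of the Run keys,
captured once on a known-good day and again when something looks off.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed known-good snapshot (process names, and autoruns as name -> command).
BASELINE = {
    "processes": {"explorer.exe", "svchost.exe", "avguard.exe", "fwservice.exe", "outlook.exe"},
    "autoruns": {
        RUN_KEY + r"\AVGuard": r"C:\Program Files\AV\avguard.exe",
        RUN_KEY + r"\Firewall": r"C:\Program Files\FW\fwservice.exe",
    },
}

# Constructed "something looks off" snapshot: the AV process is gone, an
# unfamiliar process is running and a new Run entry points into a temp directory.
SUSPECT = {
    "processes": {"explorer.exe", "svchost.exe", "fwservice.exe", "outlook.exe", "updsvc.exe"},
    "autoruns": {
        RUN_KEY + r"\AVGuard": r"C:\Program Files\AV\avguard.exe",
        RUN_KEY + r"\Firewall": r"C:\Program Files\FW\fwservice.exe",
        RUN_KEY + r"\Updater": r"C:\Users\Public\AppData\Local\Temp\updsvc.exe",
    },
}

# Hypothetical names for the anti-virus and personal firewall processes; their
# disappearance is one of the indicators in the list above.
PROTECTIVE_PROCESSES = {"avguard.exe", "fwservice.exe"}


@dataclass
class Findings:
    new_processes: set[str] = field(default_factory=set)
    missing_protection: set[str] = field(default_factory=set)
    new_autoruns: dict[str, str] = field(default_factory=dict)
    changed_autoruns: dict[str, tuple[str, str]] = field(default_factory=dict)

    def is_clean(self) -> bool:
        return not (self.new_processes or self.missing_protection
                    or self.new_autoruns or self.changed_autoruns)


def compare(baseline: dict, current: dict) -> Findings:
    """Diff a current snapshot against the baseline and collect indicators."""
    f = Findings()
    base_procs = {p.lower() for p in baseline["processes"]}
    cur_procs = {p.lower() for p in current["processes"]}
    f.new_processes = cur_procs - base_procs
    f.missing_protection = {p for p in PROTECTIVE_PROCESSES if p not in cur_procs}
    for key, cmd in current["autoruns"].items():
        if key not in baseline["autoruns"]:
            f.new_autoruns[key] = cmd
        elif baseline["autoruns"][key].lower() != cmd.lower():
            f.changed_autoruns[key] = (baseline["autoruns"][key], cmd)
    return f


def report(f: Findings) -> list[str]:
    """One human-readable line per indicator, for the analyst to check out."""
    lines = [f"new process not in baseline: {p}" for p in sorted(f.new_processes)]
    lines += [f"protective process not running: {p}" for p in sorted(f.missing_protection)]
    lines += [f"new autorun entry: {k} -> {v}" for k, v in sorted(f.new_autoruns.items())]
    lines += [f"autorun entry changed: {k}: {old} -> {new}"
              for k, (old, new) in sorted(f.changed_autoruns.items())]
    return lines or ["no differences from baseline"]


if __name__ == "__main__":
    for line in report(compare(BASELINE, SUSPECT)):
        print(line)
```

Run it as-is and it reports the three differences between the constructed snapshots. The comparison is deliberately one-directional for processes (new ones are interesting, vanished ones only if they are protective software), because ordinary programs start and stop all day; a missing anti-virus or firewall process, by contrast, is exactly the third indicator on the list.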

Another Mobile Threat

So, we now know that “hackers” have been doing a ton of vulnerability research on the new iPhone since it was released. That research has turned up a couple of interesting vulnerabilities. The first is a flaw in the Safari web browser that could allow an attacker to take complete control of the phone by tricking the phone’s owner into following a link to a malicious website that exploits a buffer overflow in the browser. The attacker could then listen to the room’s audio or steal SMS logs, the address book, email passwords, and much more. The other interesting issue that was found is the possibility of crashing the phone by fuzzing its Bluetooth interface.

None of the revelations are new to security professionals or penetration testers. This is all just normal, run of the mill stuff that we see and deal with every day. What’s interesting to us is how quickly these issues were found and what it could mean, in the grand scheme of things. I’m not really interested in what will become of the iPhone. Mostly because I don’t have any plans on paying $600 for a phone. What does interest me is the consideration of how this is just one more piece of the “perfect storm” that mobile technology is going to bring to our lives.

For several months, maybe even a couple of years, MSI has been telling our clients and our friends how we believe mobile technology is going to lead to major problems for companies and individuals alike. We all love the convenience that our newly acquired mobile devices provide. In some countries (look for it to make its way here soon) it’s not even necessary to carry plastic or cash anymore. For example, in some parts of Europe and Asia it’s now possible to pay for your McDonald’s, or your soda from a vending machine, or your clothes at the retail store with a Bluetooth-enabled phone and a PayPal account. How about using that same Bluetooth-enabled phone and PayPal account to associate with the nearest payday loan boutique, while you sit in the bar, for a quick loan to continue your happy hour? Or consider that certain cell phone companies are now making it possible to pay all your bills from your cell phone. Not to mention the accepted risk of laptops coming in and out of an enterprise. Or how about unnoticed wireless access points in your enterprise?

What many people don’t understand is what attackers are already doing to take advantage of the lack of security in these convenient technologies. People were going gaga over the iPhone before it came out. People in this country will LOVE the idea of being able to pay for things with their cell phone. What the consumer won’t be told is that there are already attackers setting up fake Bluetooth IDs for your phone to associate with. Imagine that Coke machine that has a Bluetooth ID of “Coke”. Now imagine my laptop that is sitting on top of the Coke machine with a Bluetooth ID of “CokeMachine”. How are you going to know which one to associate with? Will your phone even give you the option of choosing? What if it chooses the first one it sees? OK, so I get your 75 cents and you don’t get the Coke. What I also get is your PayPal account information. This is just one of the many examples that we could give.

The point of this post is not to discuss stealing 75 cents from a thirsty consumer. What we are concerned about is how the lack of security in these devices is being completely ignored because of the convenience they bring to the consumer. There will always be people out there that try to take advantage of the unsuspecting consumer. Occasionally, they will be successful. A little bit of education could go a long way towards teaching these same consumers how to remain vigilant and protect their identity, as well as their bank accounts. At the same time, the same educational programs need to be put into place in the corporate enterprise to ensure that these insecure mobile devices are not being brought into the enterprise, increasing the risk of compromise. We’d like to see much more information being distributed to consumers about the technologies they are using and how they could be inadvertently endangering their financial future.

What About Customer Service?

I was online the other day doing some research about excellence in customer service when I ran across one of Seth Godin’s recent blogs about his disappointing experience at a car dealership. It caught my attention, as I had just had a very similar and equally disappointing experience at a car dealership myself.

What first struck me was the commonality of our experiences, and how, despite Americans’ heightened awareness of good customer service, entire industries may be lagging behind. Then I began to think about all of us in one “technology industry” or another, and it dawned on me that some of us may be lagging behind, too.

This experience was made all that more clear when I recently talked to a couple of our clients who were returning to us after being with another vendor for a year. One of the major reasons they returned was that with MSI they got to actually talk to engineers, support folks and their account executive. If they have a billing problem, they can call me, the CFO, directly and actually TALK to a human being. One of their largest complaints and their biggest reasons for returning to our services over our competitor was that they were not forced to use some arcane, and in many cases, barely functional web-application, email interface or other non-personal communication. With MSI they talk to engineers, their reports come to them in email and if they have a problem – they get to interact directly with the people who can make the problem better. Kind of a novel concept, huh?

Who would have thought that in a business as driven by technology as information security is, that human contact would be such a differentiator? The simple act of talking on the phone, getting to know your clients and making sure that they never get relegated to some automated purgatory seems to have become a very powerful difference indeed.

After all, the kid at the drive-thru at McDonald’s must learn about customer service before he fills his first order, but do we teach our engineers, our technical support staff and our project managers the same simple messages? Excellent customer service isn’t just for fast food and superstores; we need to embrace these concepts in whatever industry we work. Although technology is an exciting, ever-changing industry, it looks to me as though many of us should be sitting in “Customer Service 101” right next to the car salesperson….

Five Scripting Skills Every Security Technician Should Have

Scripting and an understanding of scripting languages are critical skills for infosec folks. Not only do they help in understanding threats and attacker tools, but in many cases they let automation assist the infosec practitioner with many of their duties. That makes the practitioner more effective in environments where large quantities of data must be analyzed against common issues, or where similar functions must be performed repeatedly.

In my opinion, here is a quick summary of the top 5 scripting skills infosec folks should have or pursue.

1. Shell scripting or batch file programming – These skills are essential for the day-to-day work of an infosec technician. Such programming often increases the effectiveness of work tasks and brings greater quality to things like data analysis, basic reporting and other essential functions.

2. Perl – Perl is just plain critical. It is THE language for performing complex analysis of data, automating many security-focused tasks and even doing socket-based network and application work. Perl is easy to learn, simple enough to manage and powerful enough to automate complex tasks. If you need a Swiss Army knife programming language, Perl will rise to the challenge.

3. JavaScript – This language is essential to understanding modern web mechanisms and attacks. Basic knowledge of JavaScript will take practitioners far into the web-application realm and can be leveraged to gain knowledge of AJAX, SOAP and deeper web architectures. It can also be used for some simple forms of web-based assistance or aggregation, though it may not boost your productivity the way the other languages here do. But to have even basic web-application skills, it is simply a must.

4. Python – Python is the quick hack choice for doing network and socket-based tool prototyping. Its rich and simple socket controls make it a clear choice for pen-testers and other developers of “quick and dirty” code. It makes a fantastic alternate choice for Perl folks, and can be used to do some effective data parsing as well. The syntax seems to be even easier than Perl and many folks become proficient in it more quickly than Perl.

5. Ruby – Ruby is the Perl of the future. It is a fantastic prototyping language and, of course, it powers Rails, which makes it a growing giant in Web 2.0. Ruby and Ruby on Rails (RoR) can be leveraged by security folks to quickly create demonstration sites, to establish honeypot sites and even to create web-based tools quickly to share with others in their organization. In addition, Ruby alone can be used to automate large amounts of data processing and create custom reports, and can be just as useful and powerful as Perl. Depending on how the future of Ruby shakes out, it might even surpass Perl as the critical language for doing real work, so it makes sense to add it to your repertoire.

There you have it. Take the time to learn the basics of these scripting languages and then look for places in your daily work to apply automation. As your skills grow, likely your capabilities to automate much of the manual work you do will grow as well. Who knows, you might just automate yourself back into having free time again. Not to worry though, that would just give you even more time to concentrate on your scripting skills!
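To make the “analyze large quantities of data against common issues” part concrete, here is an added example, not code from the original post, of the kind of triage script the list above has in mind, written in Python (item 4) since it is the one of the five that reads most like pseudocode. It parses constructed sshd log lines in the style of OpenSSH’s syslog output, finds sources hammering the login with failures inside a short window, and separately calls out any source that eventually logged in after failing, which is the case worth a human’s attention. The log lines, thresholds and window size are all assumptions made for the example.

```python
"""Auth-log triage in a scripting language: the repeatable data analysis the
post above describes.

Added example, not from the original post. The log lines are constructed in
the style of OpenSSH's syslog output; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (no real hosts; 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges).
SAMPLE_LOG = """\
Jul 10 08:01:02 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51622 ssh2
Jul 10 08:01:04 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51630 ssh2
Jul 10 08:01:05 gw sshd[2203]: Failed password for root from 203.0.113.9 port 51641 ssh2
Jul 10 08:01:07 gw sshd[2205]: Failed password for root from 203.0.113.9 port 51650 ssh2
Jul 10 08:01:09 gw sshd[2207]: Failed password for root from 203.0.113.9 port 51663 ssh2
Jul 10 08:05:40 gw sshd[2240]: Accepted publickey for jdoe from 192.0.2.15 port 40022 ssh2
Jul 10 08:06:11 gw sshd[2251]: Failed password for jdoe from 192.0.2.15 port 40031 ssh2
Jul 10 08:06:20 gw sshd[2252]: Accepted password for jdoe from 192.0.2.15 port 40035 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Turn matching sshd lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside some `window_seconds` span.

    Returns {src: peak number of failures seen in one window}.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for src, times in failures.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def success_after_failure(events):
    """Sources that logged in successfully after at least one failure: worth a look."""
    first_failure = {}
    suspicious = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "Failed":
            first_failure.setdefault(e["src"], e["ts"])
        elif e["src"] in first_failure:
            suspicious.add(e["src"])
    return suspicious


def per_source_summary(events):
    """Counts per source, the raw material for a basic report."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for e in events:
        summary[e["src"]][e["result"].lower()] += 1
        summary[e["src"]]["users"].add(e["user"])
    return dict(summary)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force candidates:", find_bruteforce(evs))
    print("success after failure:", success_after_failure(evs))
    for src, info in sorted(per_source_summary(evs).items()):
        print(f"{src}: {info['failed']} failed, {info['accepted']} accepted, users={sorted(info['users'])}")
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; the same three functions translate almost line for line into Perl or Ruby, which is the point of the list above: once the parsing and windowing logic is in a script, running it against tomorrow’s log costs nothing.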

Terrorists Prefer Summer and “Gut Feeling” Risk Management – Huh???

Is this what it has come to in Homeland Security now?

Chertoff Claims “Gut Feeling” About Summer Attacks

I normally try and stay away from public commentary on DHS goings on, but this seems so devoid of reason that I just had to talk about it. So, here we go…

First off, I would like to see the true risk assessment behind the idea that terrorists prefer summer for attacks. I simply do not believe this and, in my opinion, it smacks of a lack of reason. Do we really believe that if our enemies discovered a soft target that they could exploit, they would even consider waiting for a specific season to attack us? I mean, everything we know about terrorism shows patterns of exploiting identified weaknesses with haste. Even the attacks cited as references for the summer attack pattern talked about in the articles were performed with minimal planning and tactical processes. They certainly were not part of campaigns designed to be sustained over long periods like multiple seasons. What from these events and other recent attacks around the world do we leverage to gain the insight that terrorist attacks are more likely in the warm summer sun?

Secondly, the idea that we are now making public announcements about potential threats using the DHS leader’s “gut feelings” as a barometer makes me pretty crazy. Now, I understand that he might have intelligence that is not open to the public, or he may be privy to some other form of insight that can’t yet (or ever) be shared, but the idea that we as Americans should take any action based on his own described “gut feeling” is preposterous. With all of the money we are budgeting for DHS and the war on terror, is “gut feelings” seriously the best they can offer in terms of threat prediction? I mean, honestly, wouldn’t we all feel better if they even tried to make something sound more plausible – like increased chatter, new emerging patterns in a chaotic stream or even some super computer somewhere that raised the theoretical attack threshold versus the overall security against terror inverse logarithmic curve or something. Anything. What’s next, war strategies by crystals, cards and dice? We are supposedly the most advanced culture in the history of this planet, I really really want something more reasonable from someone who is in charge of protecting our way of life…

Again, sorry for the rant, but I just couldn’t let this one pass by without raising my hand and asking “Huh?”…

VoIP Security Important Too

With more and more integration of the voice world into the network, companies are finally waking up to the idea that VoIP brings rewards, but also risk. When the network was down and voice lived in the analog world, you could still talk to your customers and let them know you were having a few problems, but could likely assist them fully very soon. Nowadays, with VoIP riding the same network as email and other applications, if the network is down – likely so are the phones.

That, in itself, is a risk many organizations are not used to. They just seem to be coming to terms with the other issues that surround VoIP confidentiality, integrity and availability. For a long time, VoIP has been becoming “mainstream”, but now security around VoIP seems to be on everyone’s mind too.

This is a good trend. VoIP is a very cool and rich technology, and one that levels the playing field for many organizations. It brings with it some exciting capabilities and powerful features. I think as organizations grow their understanding of VoIP risks, technical issues and security requirements – it can only help with better, safer, more effective VoIP adoption.

So, if you are considering a VoIP deployment, or you already have one – make sure you include steps for risk assessment, vulnerability testing and an in-depth review of the architecture, processes and procedures involved with both management and security. Taking the time to include security considerations into the decision and testing matrices will probably save you quite a bit of time, effort and money down the road – not to mention the savings of any incidents that you will prevent!

Mobile Phone Security

A big name entering the cell phone market is likely to put mobile device vulnerabilities in the spotlight. Of course I’m referring to Apple’s iPhone, the long-awaited and highly anticipated entry into the mobile market for Apple. This isn’t a review of the iPhone though, but a short look at the impact it’s going to have on mobile security.

Just 3 days after the iPhone release date, researchers have already found a few vulnerabilities in the iPhone. One of the vulnerabilities is an overflow issue in Safari, which could lead to a code execution issue. A denial of service vulnerability was also identified in the Bluetooth module. Fuzzing the Bluetooth interface causes the phone to become unresponsive.

There are already many vulnerabilities known in existing phones, including smartphones running Windows Mobile. At the moment they are fortunately not exploited in great numbers. Carriers have also been very slow at updating the phones, to such an extent that it’s estimated that as many as 90% of all smartphones are currently vulnerable to at least one exploitable issue.

Apple has smartly kept the iPhone very close to them. Apple’s update track record is much better than any mobile carrier’s, and iPhones are designed to update periodically. Hopefully the vulnerabilities identified in the iPhone will wake up the other manufacturers and carriers and get them updating their phones as well.

Integrating HPSS With Your Existing IDS/IPS

In response to a couple of emails I got from readers regarding the post about HPSS detecting malicious activity earlier than most NIDS/NIPS, I wanted to take a moment and clarify a couple of things.

First, HoneyPoint Security Server (HPSS) is not a panacea. It is one component of a network defense. MSI does not suggest you replace your existing defenses with HPSS; we suggest that you integrate HPSS into your existing environment and use it as a tool to identify malicious traffic in a new way. Quite frankly, using HPSS and a system and log monitoring tool like OSSEC, you can quickly, easily and cheaply create a pretty effective defensive posture for your internal systems and evolve to using NIDS/NIPS as forensic tools, where they are much more effective in terms of ROI.

HPSS is designed to integrate into existing security architectures. Our console can simply drop our security alerts to syslog/event logs and hand them off to any existing tools, aggregators or SIM products you may have in place. Our plugin interface allows you to use third party tools to do things like send SNMP alerts, communicate with other network devices and facilitate IPS-style responses such as quarantine, automated port shutdowns and the like.

By leveraging HPSS and the new capabilities it brings for detecting malicious behaviors, you can make your IDS/IPS posture that much more effective. In the port-scanning model from the previous post, our HoneyPoint detected a single connection. That connection, depending on your environment, could be grounds enough to warrant IPS-style responses. So, HPSS could send an alert to your IPS or SIM that could then take the action you deem appropriate – whether that is an email alert to an admin or an automatic port shutdown by your IPS on the network switch of the offender. The point is, you make the decision, as always, on how to handle issues, but HPSS gives you a faster, more reliable way to identify the bad stuff and can communicate with whatever your existing security infrastructure is to facilitate the responses.
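The alert-to-response flow described above (console drops an alert to syslog, your own tooling applies policy, the chosen response goes to the IPS, SIM or mail system) is shown below as an added example. This is not HPSS code and not MSI’s plugin interface: the alert line format, the field names, the hostname hpss-console and the three-step policy are all assumptions made for illustration, and the sample alert lines are constructed. What it demonstrates is the decision layer you would own in such an integration: known scanners are logged only, a first touch of a HoneyPoint by anyone else goes to an admin by email, and a source that touches more than one HoneyPoint (the scan pattern from the earlier post) is handed off for quarantine.

```python
"""Routing a honeypot alert through policy to a response: the integration
pattern described above (alert -> syslog -> your tools -> action).

Added example, not HPSS code. The alert line format, field names and the
policy are assumptions made for illustration; a real deployment would read
the console's alerts from syslog or the event log and hand the chosen
action to the IPS, SIM or mail system through that product's own interface.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed alert lines in an assumed format; not HPSS's real syslog output.
SAMPLE_ALERTS = [
    "Jul 10 09:12:40 hpss-console honeypoint: alert type=connection honeypoint=10.1.5.20:445 src=10.1.0.5 dport=445",
    "Jul 10 09:12:44 hpss-console honeypoint: alert type=connection honeypoint=10.1.5.20:445 src=10.1.7.33 dport=445",
    "Jul 10 09:12:51 hpss-console honeypoint: alert type=connection honeypoint=10.1.5.21:22 src=10.1.7.33 dport=22",
]

ALERT_RE = re.compile(
    r"honeypoint: alert type=(?P<type>\w+) honeypoint=(?P<hp_ip>[\d.]+):(?P<hp_port>\d+) "
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+)"
)


class AlertRouter:
    """Consumes alert lines and decides the response under a simple policy.

    Policy (an assumption for the example):
      * sources on the allowlist (e.g. your own vulnerability scanner) are logged only;
      * anyone else is emailed to an admin on first contact with a HoneyPoint;
      * a source that touches `quarantine_threshold` distinct HoneyPoints is quarantined.
    Set quarantine_threshold=1 to treat a single connection as grounds for quarantine.
    """

    def __init__(self, allowlist=(), quarantine_threshold=2):
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.threshold = quarantine_threshold
        self.touched = defaultdict(set)  # src -> HoneyPoints it has contacted
        self.actions = []                # history of (action, src, honeypoint)

    def _allowlisted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allowlist)

    def handle(self, line):
        """Return (action, src, honeypoint) for an alert line, or None if not an alert."""
        m = ALERT_RE.search(line)
        if m is None:
            return None
        src = m["src"]
        honeypoint = f"{m['hp_ip']}:{m['hp_port']}"
        if self._allowlisted(src):
            action = "log_only"
        else:
            self.touched[src].add(honeypoint)
            action = "quarantine" if len(self.touched[src]) >= self.threshold else "email"
        record = (action, src, honeypoint)
        self.actions.append(record)
        return record


def to_syslog_event(record):
    """Render the decision as a line to hand off to a SIM or log aggregator."""
    action, src, honeypoint = record
    return f"honeypot-response action={action} src={src} honeypoint={honeypoint}"


if __name__ == "__main__":
    router = AlertRouter(allowlist=["10.1.0.5/32"])
    for line in SAMPLE_ALERTS:
        print(to_syslog_event(router.handle(line)))
```

The allowlist is the piece most people forget: the one legitimate source that should connect to a honeypot is your own scanner, and without the exception every scheduled scan becomes a quarantine. Everything else keeps the property the post relies on, that a HoneyPoint has no legitimate clients, so even the “email” tier is a high-confidence event rather than an IDS guess.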

This is just another way that HPSS achieves such a high ROI. You gain new capabilities without throwing away the investments you have already made. Add to that the fact that HPSS runs on your existing hardware, lowers your false positive rate to near zero and helps you focus on the real security issues instead of chasing ghosts and you can pretty easily see why people get so excited about it.

I hope that answers the questions about HPSS integration and strategy. Feel free to email me or give me a call to discuss any other questions you may have!