November 28, 2002

The end of cynicism?

Well, perhaps Ben is wrong. I landed yesterday in one of those countries wishing to enter the European Union for some security work and today, amongst the many meetings, one is with a gentleman about the same age as my father who is responsible for security in a division of a medium-sized state-owned company.

We have an interesting chat and as he warms up he starts talking using sentences which start with the fabled "What keeps me awake at night is..." which is so common in paranoid security analysts. Not only that: he is also very conscious of the security issues surrounding the EU privacy directive.

Towards the end of our conversation he whips out his security policy and asks me candidly if, from the height of my experience, I have anything to add to it. It takes me a few seconds to recover from the shock of being handed a security policy where none was expected (if only companies within the EU bothered to have one...) and then on reading it I am hit by a second shock: it is also well written.

Of course there are faults but I actually have to think about it rather than just blurt the usual "what about e-mail attachments" or some other obvious, to a security analyst, issue.

To be perfectly honest there were only three issues:


  • there was no provision for sanctions. That is to say that if you don't comply with it nothing happens to you.
  • there was no expiry or revision period so this could make it messy if someone claims not to have known about a later revision.
  • there was a lingering vagueness on some points (for example ending lists with "etc." which lawyers hate the guts of).

The first issue was handled admirably: there are trade union issues which cannot be ignored and he wanted to get the security policy out quickly rather than wait for the bickering and endless discussions. What a perfect example of "real life" security issues. The others he said he would work on.

My only hope is that I managed to convey my true admiration for his work and that this will reinforce his desire to improve the security of his company. What is more I could sense that what had started as a "I had better cover my back" was now turning into a true desire to do something about security.

Posted by arrigo at 07:46 PM

November 25, 2002

Oh say can you see?

George's son George signs.

Posted by arrigo at 09:31 PM

November 24, 2002

The prelude to the storm

Yesterday I was humbled by one of my students at SANS Amsterdam. While discussing Snort he started asking me about an IDS called "Prelude". I wish I had known about it before: written by a group of mainly French hackers (in the true meaning of the word) it is a particularly interesting dNIDS.

How marvellous when students teach you something new and make your lectures much more interactive and interesting for all concerned. It is definitely going to be a fixture in my "to do" list.

Posted by arrigo at 02:26 PM

November 22, 2002

Packets from the edge

Some days I am fascinated by the output from the Snort box I run for the purposes of the IDS-Europe mailing list.

It is sitting off in the middle of nowhere on an ADSL line, doesn't really have any content (besides the mailing list and the web site associated with it) and yet it is bombarded with attacks. Best of all the network it sits on is 100% non-Windows so why on Earth do you get all these Windows attacks?

The answer is that there is a major sales job for a good database. It all started off as a bit of a joke in 1999 on the GIAC pages at SANS where a small group of analysts used to post their "catches" pretty much on a daily basis. For some reason at some point I wrote a rant where I was complaining that surely after two months or so of my 64kbit/s leased line being connected the script kiddies must have worked out that there were no Windows boxes there. Did they not keep a record? Were years and years of database development wasted?

Well, at some point we started conjecturing that somewhere on the underground there must be a database of scanned sites, that it would make very much sense for someone to create a public one in the interest of the script-kiddie community and make targeted attacks that much simpler. Think about it: why have your mum complain that instead of doing your homework you are hogging the phone line? You could pick the attack, select the hosts and selectively try "0wn1ng" them. So much better!

Somehow I doubt it has happened. From today's log:


  #    from            to                with
  57   64.4.30.250     195.82.120.110    MS/SQL connection attempt

Now, never mind that there is no MS/SQL on the box and the port is closed but 57 attacks from the same source to the same target? Are you stupid or what? I mean if you get an RST the first time, is there not the vague chance that there is nothing listening there?

Then people wonder when you tell them that most "hackers" (in the most erroneous interpretation of the word) are clueless.

Posted by arrigo at 10:10 AM

November 21, 2002

The deafening silence

"Another law goes through and nobody noticed" would have been a better title for this piece of news. The Department of Homeland Security is now but a signature away from existence after being voted upon by the US Senate.

Very few sites picked up on its significance: a balanced overview as usual comes from the BBC and a more polemic note from the Italian paper L' Unità (in Italian).

You might ask: so what? Well, it gives pretty much unlimited powers of snooping and sniffing although Ashcroft's rather controversial "TIPS" (Terrorist Information Prevention System) didn't make it. On top you now have life sentences for "hacking crimes" if they cause "tragic events".

Not surprisingly there isn't a single civil liberties association which finds the law appropriate...

Posted by arrigo at 03:24 PM

Why are we unable to teach?

Clearly today isn't such a bad day: I feel constructive, perhaps the coffee from the freshly opened pack is having an influence on my neurons.

Believe it or not people actually pay to listen to me teach Intrusion Detection although they pay for the course quality not necessarily the lecturer. This might lead you to the wrong conclusion that security people actually teach security. They do, but you need to qualify the remark: they teach security to other security people.

The problem is how to educate the masses. It doesn't help that much to have an amazingly good security analyst on-site if the rest of the staff view attachments as something you should always open. The poor analyst might shout, scream, write memos but the bottom line is that you need to get to the end-users.

Has anybody managed? Well, Microsoft has been educating the masses in precisely the opposite direction, the mantra being: let us make everything so easy and obvious that nobody will have problems using Outlook or Windows (I'd be honoured to present my mother as an example of how hopeless their usability studies are). This has meant that people, already scared by computers in the first place, now try to get their work done as quickly as possible without applying any of the common sense of their day-to-day lives. So off they go clicking on attachments, handing out passwords over the phone (would they ever hand out their ATM card PIN? Of course not but a computer password is a different matter, is it not?).

In the mix you can throw the false sense of security of anti-virus products which, when badly maintained (ie. the majority of cases), are about as useful as leaving your front door open assuming that the alarm in the off position will work. The cherry on top is a badly configured "personal firewall" which the vast majority of users wouldn't have a clue about in the first place, never mind configuring it properly. The final result is the warm and fuzzy feeling of "security" which is so far removed from the truth that you could almost call it fraud and, most important of all, a fundamentally scared user. Scared of the technology, not about the security implications of his misunderstandings.

So the real challenge is to improve the true single weak link of the security chain: the user.

Amazingly enough I believe this can be done. First of all we, as in the security practitioners, need to descend from our ivory tower and understand that users are not generally stupid. Their abilities simply lie in a different field. Just because they do not appreciate the finer points of how to encode NOPs in shellcode doesn't mean that they cannot understand security. The question is one of "conditioning". In a major city do you leave your car unlocked, the keys in the dashboard and the door ajar? Probably not. Why? Because the environment around you has made you aware that this isn't the best of plans. Sometimes the explanation has come from people, at other times an event helped ("Oh. Where's the car?").

So we need to create this environment and we need to create it via peer-pressure. Having tried coercion ("thou shalt not use Internet Explorer") I can attest that it doesn't work. The first time the replacement doesn't work they just click on the icon and off they go (with due credit to Microsoft for making IE inextricably linked into Windows). To raise security awareness you need to find examples which people can relate to.

One issue which does focus minds is prison terms. In the UK the Data Protection Act 1998 does mention that the people responsible for data held under the DPA could face a prison term. That works but only partially for two reasons: one is that nobody has ended up in jail yet, the second is that it is too much of a stick and not enough of a carrot.

I've also tried explaining in excruciating detail how a virus works and why attachments are bad. That was a bad plan. Just like you don't expect a neurosurgeon to explain the finer parts of an operation to you, users find hour long explanations rather tiring and wander off within ten minutes of starting. They also think you are lecturing them.

Pride does strike a chord with a few people. The line: "Think about our competitor, company X which has been down for two days because of a virus. Because we don't run Exchange and you are vigilant with attachments we were totally unaffected". This works until the usual Microsoft zealot comes round and starts telling everybody that company X didn't install the software "properly" (shouldn't that be that they installed it in the first place?).

So far my success rate has been low, abysmally low, but I am not giving up, at least today.

Posted by arrigo at 12:17 PM

Will disclose for profit

12th November 2002: the day "responsible disclosure" went down the drain.

Why would a theoretically well-respected company, producer of the currently best selling IDS, publish a security advisory 24hrs before the agreed date? Surely by mistake, just like it might just be a coincidence should the same company just happen to have a signature ready for this vulnerability for its scanner but no patch to offer...

Facts rather than conspiracy theory: the ISS X-Force released an advisory on BIND on 12th November 2002 affecting both BIND4 and BIND8. So far so good. Problemette: no patch was available at the ISC until 3pm GMT on 14th November because that was apparently the agreed date (and the date on which CERT advisory CA-2002-31 was released).

Now, I don't know what went through the minds of those responsible but I had both BIND4 and BIND8 servers susceptible to remote root compromise according to the X-Force advisory for over 24hrs (or more, who knows, it might have leaked earlier) and I definitely was not pleased.
Does releasing something with that potential lethality knowing full well that a patch is not publicly available make you "133t"?

Where's the apology? What grounds have we now to try and convince people to give vendors a chance and release security vulnerabilities responsibly? How about "none".

In the meantime, if you still haven't patched do yourself a favour, visit the ISC and grab the latest patches.

Posted by arrigo at 10:00 AM

Security Cassandras

It is 1am, I am supposed to complete a review of a security design and the more I read it the more I'd rip it all up and rewrite it from scratch. The "record changes" option in OpenOffice is turning the text into a sea of red and the pain is just growing.

Something which I have been mulling over in the past few months, at least since I've moved out of London and its pointless angst, is the current posture of the security community. Each and every day a so-called "Internet security expert" (comfortable with the security of the whole Internet? Now that's impressive!) talks about the terrible disasters which the world is facing. Be it cyber-terrorism or the terrible hackers which infest the Internet, nothing seems to be safe.

Why so much alarm, why so much need to create alarm? Well, option one is that the more people are worried the more they pay for security services. Option two is that it is true. Given the name of this blog there is no prize for guessing the option I am taking. But is it working? When I was a tad younger my parents used to read me the fable of Peter and the Wolf. There was a highly instructive concept represented within the fable: that if you continue crying wolf then when you really need it nobody turns up. Now wouldn't that be most unfortunate?

Let's take the interesting scenario for once: the whole world has been bombarded with security warnings, dreadful menaces awaiting to strike, ethernet cables awaiting a command to strangle their owners. Now, either you believed this and you've moved to a remote hut in the middle of nowhere or there is the distinct possibility that you have, quite rightly, decided that it is all a lot of hot air without much substance and are still alive and well. The second option means that you haven't exactly killed yourself in patching your system but nobody has broken in, script kiddies continue trying but can't modify the offsets on the buffer overflows and get nowhere on your 64-bit system.

Then something happens: someone really releases a lethal worm, one which sets up a major DDoS network with the aim to take everything down (who knows, how about the DNS infrastructure? Good start, isn't it?) or perhaps something which injects a good 0-day exploit into any Cisco router ("we run the Internet" can have its drawbacks on a bad day). The usual advisory goes out to bugtraq, vulnwatch, you name it. A few people install the patches, the others ignore it. Then it starts getting "hot", alerts go out, they happily get ignored. This is called "over-exposure" and is the result of being at "Red Alert" level continuously. Red becomes green and then there is no red to go to.

Oh dear.

How about we start telling people that things are actually OK? That the Internet is doing just fine and that in comparison the crime rate in Washington D.C. is infinitely larger? How about starting to work on releasing less often and concentrating on securing & stabilising software in the first place? Or, God forbid, actually work on egress filtering and installing things well in the first place? The world actually needs people helping in this direction, something terrible called "education", rather than a bad attempt at an Internet version of Stephen King.

It is coming up to 1:30am and the document is sadly still worthy of a rewrite.

Posted by arrigo at 01:27 AM

November 20, 2002

Why do I bother?

Ben Laurie wrote a beautiful piece of desperation a while back in his O' Reilly blog. In it he describes his frustration and woes in dealing with the now infamous OpenSSL and Apache security holes and in doing so ends up asking himself "why do I bother?".

He is not the only one. Take for example the latest BIND vulnerability, the disclosure of which is worthy of a good rant. The moment the patch was out sysadmins & security people alike scrambled to patch their servers to make sure that the infrastructure they protect is safe and yet what is the truth? The truth is that frankly nobody cares, nobody in the company you work for understands email never mind DNS.

The daily battles are against people who are scared to death of being mugged and walk carefully around town avoiding dark alleys and yet happily open attachments from unknown people bearing titles such as "I love you" or something even more obviously fake. The not-so-daily battles involve sysadmins who install boxes only to forget about them leaving fertile ground for script kiddies. You are attacked from all over the planet by machines stuck in dusty corners of universities or indeed from mail servers of large corporations. How can this happen? Why don't universities use egress filtering? Why do corporations allow their main mail servers to be totally insecure?

So what happens is that you sigh, you bang your head against the wall, you vent your frustration and you go back to that other dark alley of the soul which is coding. There comes Emacs, up comes the code for your latest packet crafter so you can test your new IDS.

Why? I wish I had an answer.

Posted by arrigo at 06:35 PM