Ask Fyodor Your Network Security Questions
Fyodor is the driving force behind Insecure.org and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us.
As networks become more complex, and hackers become more sophisticated, how do you see the use of honeypots evolving? Do you think they will have to become mini-networks that can actually be used in order to prevent them from being detected as honeypots? Or do you think the use of honeypots will just be phased out like many other security tools in the past?
Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
How do you find what you do surviving the likes of DMCA/Patriot Act II/etc.?
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
If you could get the computer world to agree to change one fundamental thing in computer security on all OSs across the board what would it be?
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Thanks in advance!
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Has the DMCA hindered your company in any way? Do you see it as working against security professionals around the US, or helping those of us who are interested in security as a career path?
Why doesn't nmap use libnet?
were you expecting to see a sig here? perhaps you'd rather see the inside of an ambulance!
On any project like this where there's potentially evil uses mixed in amongst the various good ones, you're bound to get a few angry people who don't understand how helpful your work is to the community at large.
How much criticism do you have to deal with? And how does it compare to the kudos you receive, quantity-wise? Has it ever made you doubt what you're doing?
PS- Thanks. nmap proves its usefulness to me every day.
Game... blouses.
It seems that the number of security exploits and updates is growing as more people start experimenting with trying to break systems. Now, I'm subscribed to BugTraq et al., but find it hard to keep on top of what is going on and what I need to update. What would you say are good tools for keeping up to date across multiple systems and platforms?
Rus
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
"America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
What are 'good' dead-tree references for the following categories:
FNG--Fscking New Guy
-Terminology, broad-brush concepts, checklists, good reference list
Suit
-Management concerns, planning
Expert
-Detail, performance considerations
Categories are arbitrary; others will segment the market differently. Mainly seeking recommended authors/titles. Full-on reviews too space consumptive.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
The Honeynet project seems to focus a significant amount of attention to the culture of the attackers (extensive logs of IRC chats, for instance.) Do you think the research the honeynet project is doing might make some headway in preventing social engineering attacks (The only hole nmap can't tell you about)?
I saw the Top 75 Security Tools survey you did. Lots of great tools there. But I can't help but think that the security community still has plenty of tools that need to be written. So I'm curious: what kind of new tools would you like to see written, rewritten from scratch, or merged together to create a better tool? Basically, where do you see the missing pieces in the security community toolkit? What kinds or pieces of software would you encourage people in the Slashdot community to write?
What is your opinion on the "Super-DMCA" acts being proposed in several states, which would make honeypots illegal?
Here's the article on it that ran in Slashdot awhile ago.
Basically, the law says you can't "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service" - thus making honeypots, even when used to thwart illegal computer activity, illegal.
I belong to the ______ generation.
Do you think that Brandon Wiley's thought-design of "Curious Yellow" (paper at: http://blanu.net/curious_yellow.html or http://www.securiteam.com/securityreviews/6U00L1P5 PY.html) will come about as he's laid out? It seems like not an unlikely scenario once someone puts some effort into actually designing it. What are your thoughts about the evolution of 'smart' worm attacks balanced against the need for good network security scanners?
Returned Peace Corps IT Volunteer
Since ipv6 is supposed to address many of the security issues inherent in ipv4, should there be more of an industry push to adopt it quicker? Or, having had many years now since ipv6 was drafted, have we learned more about the types of attacks/tactics, and therefore should ipv6 be updated? Seems like now would be the time to do it, since ipv6 still has not been adopted and changes could be made without too much disruption or cost (time or money).
I've heard that using "exotic" OSs for network security like OpenBSD on SPARC, NetBSD on SuperH, and Windows NT on Alpha will help increase my security. Could you verify this?
Thanks?
During your time running honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the break-in?
-- Hulver's site
examples:
* "SSH shows a warning that the host key has changed. The user ignores it and continues on."
* "The browser warns that an SSL certificate doesn't match the host IP. The user ignores it and continues on."
* "The browser asks if you trust the signer before running some piece of ActiveX. The user ignores it and continues on."
* "The sysadmin warns not to share passwords. The users ignore that too."
Now the question. It seems to me that despite all the work being done in the security field, back in reality things have gone from bad to worse. People constantly sidestep the very systems that are put in place to protect them. Is anything being done in the computer security field to address this important "Human Factors" aspect?
--
Simon
How crazy is the idea of having a hardware-based security system (where all security tools are hardcoded to the chip, and there is some way of updating, like BIOS flashing) installed on machines, rather than using software to detect flaws? Also, do you see buffer-overflow related problems decreasing? As a follow-up, is gcc a secure enough compiler, or are commercial compilers like, say, Intel's C++ compiler more effective?
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
As more and more applications are written from a standard base (servlets on a J2EE server, PHP under Apache interfaced via HTTP instead of a proprietary protocol, etc.), how relevant are low-level tools? The proliferation of high-level applications means that the OS becomes almost irrelevant--the firewall only allows HTTP through, and a load balancer tosses requests to different servers that might very well be heterogeneous insofar as operating systems and other low-level implementation details are concerned.
Given all of this, what motivation is there for a modern CS student to learn things like the 3-way TCP handshake, or the differences in implementations in various TCP/IP stacks, when the base level of the equation is irrelevant from a security standpoint? How can I convince our network administrators that it's worthwhile to learn something other than JNDI when it comes to network protocols; that for security and network troubleshooting, nothing will ever top a simple Ethereal packet trace?
Jouster
What would you say is the line where someone's activity could be considered "unauthorized access"?
Wearing pants should always be optional.
Given that effectively ANY tool can be used for good or evil, and also given that we can't completely eliminate risk...
How can we develop and promote the state-of-the-art in security (tools, understanding, knowledge) while giving as few gems as possible to the criminal wannabes of the world? In other words, how can we bias the work and research towards the defensive, rather than progress that's either neutral or preferentially offensive?
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
A recent SecurityFocus article talks about possible legal implications for people who administer honeypots (here). Do you feel that this is a legitimate concern, and have you or your colleagues run into any legal issues with honeypots or the use of Nmap and similar tools? Thank you.
nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
"I hate quotations. Tell me what you know." -Ralph Waldo Emerson
Currently attempts to secure networks depend on "band-aids" over inherent problems in the design of protocols and protocol implementations (software.) Relatively little effort has gone into solving security problems before they are created. I know IPv6 has taken some steps in the right direction - where would you start?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why do you think system administrators (more so NT) do not have the ability to figure out what program/daemon is keeping the port open on their systems?
After a user uses nmap to enumerate open ports on their systems, what tools should they use to determine what program is keeping that port open?
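The mechanism behind the tools that answer this question (on Linux, `ss -p`, `lsof -i` and `netstat -p` all do the same thing) is to read the socket's inode from /proc/net/tcp and then find the process whose /proc/<pid>/fd contains a link to that inode. The following is an added illustration written for this thread, not code from the original post or from Nmap; it reads live /proc data when run as root (or for your own processes) and ships with a constructed /proc/net/tcp excerpt so the parser can be exercised offline.

```python
"""Map a listening TCP port to its owning process via /proc (Linux only)."""
import os
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp-style text into (local_ip, port, state, inode) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        state, inode = fields[3], int(fields[9])
        if len(addr_hex) == 8:                  # IPv4 address, little-endian hex
            ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        else:
            ip = addr_hex                       # IPv6 (from /proc/net/tcp6): keep raw hex
        rows.append((ip, int(port_hex, 16), state, inode))
    return rows


def listening_inodes(text):
    """Return {port: socket inode} for every socket in LISTEN state."""
    return {port: inode for _, port, state, inode in parse_proc_net_tcp(text)
            if state == LISTEN}


def pid_for_inode(inode, proc="/proc"):
    """Walk /proc/<pid>/fd looking for a descriptor linked to socket:[inode]."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue    # process exited, or its fd table is not readable by this user
    return None


def owner_of_port(port, proc="/proc"):
    """Return (pid, command name) for the listener on `port`, or None."""
    with open(os.path.join(proc, "net", "tcp")) as f:
        inode = listening_inodes(f.read()).get(port)
    if inode is None:
        return None
    pid = pid_for_inode(inode, proc)
    if pid is None:
        return None      # socket exists, but its owner is not visible to this user
    with open(os.path.join(proc, str(pid), "comm")) as f:
        return pid, f.read().strip()


# Constructed /proc/net/tcp excerpt: a listener on 0.0.0.0:22 and one on 127.0.0.1:8080.
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0\n"
)

if __name__ == "__main__":
    print(listening_inodes(SAMPLE))            # {22: 12345, 8080: 67890}
    print(owner_of_port(22))                   # live lookup; None if nothing listens on 22
```

Without sufficient privilege the inode lookup silently returns None for other users' processes, which is exactly why an unprivileged admin "can't figure out" the owner of a port.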
in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
A modern firewall administrator has a very easy job, it seems--all her users care about is their DNS service and their Web access (and, with a good Web proxy, you don't even really need to have an inward-facing Internet-recursive DNS). Indeed, most users blithely assume that "The Internet" and "The Web" are the same entity.
A modern protocol designer has to choose between efficient data representation and firewall penetration. She will almost always choose the latter. Thus we have a thousand X-over-HTTP protocols, most of which are replicating services (like RPC) that are exactly what the firewall administrator was trying to block.
As everything becomes X-over-HTTP, how long will it be before we see stateful HTTP firewalls to block malicious kinds of data flowing over HTTP? And when firewall administrators again take the easy way out, blocking everything but "plain" HTTP, how do vendors send their data? Are we, in fact, turning the Internet into the Web? Eventually, it seems that application communication will just be a special case of a Web browser fetching a URL. By tunneling everything over HTTP, and eventually dropping even the tunneling, is the Internet in danger of becoming nothing but the Web--sure, there are other services running, but nobody but the occasional network admin on an un-firewalled network can reach them?
Jouster
I've been using nmap for quite some time now, and it's an excellent tool by all accounts.
My question is, do you plan to implement firewall discovery? Instead of just reporting what ports are open, you could report:
- closed
- opened
- filtered (no reply)
- firewalled (firewall reply)
As suggested in the latest Phrack.
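The distinction the poster asks for comes down to how the scanner interprets each reply to a SYN probe: a SYN/ACK or RST is the target host answering, an ICMP unreachable is a filtering device answering, and silence is ambiguous. The classifier below is an added example written for this thread, not Nmap's code; it models probe responses as constructed tuples and adds the retry logic needed so that a lost packet is not mistaken for a filter.

```python
"""Classify SYN-probe outcomes into closed/open/filtered/firewalled (added example)."""
from collections import Counter

# Constructed response records, as a scanner might log them after one SYN probe:
#   ("tcp", flags)           a TCP reply, flags as a string such as "SA" or "RA"
#   ("icmp", type, code)     an ICMP reply
#   None                     nothing came back before the timeout
SYN_ACK = ("tcp", "SA")
RST = ("tcp", "RA")

# ICMP destination-unreachable (type 3) codes commonly emitted by filtering devices:
# host/net/port unreachable, net/host admin prohibited, communication admin prohibited.
ICMP_FILTER_CODES = {1, 2, 3, 9, 10, 13}


def classify_probe(response):
    """Map one probe response to a port state.

    SYN/ACK -> open; RST -> closed; ICMP type 3 with a filtering code -> firewalled
    (a device replied, which is the case the poster wants reported separately);
    no reply or an unrecognised reply -> filtered.
    """
    if response is None:
        return "filtered"
    kind = response[0]
    if kind == "tcp":
        flags = response[1]
        if "S" in flags and "A" in flags:
            return "open"
        if "R" in flags:
            return "closed"
        return "filtered"            # unexpected TCP flags: treat as inconclusive
    if kind == "icmp":
        icmp_type, icmp_code = response[1], response[2]
        if icmp_type == 3 and icmp_code in ICMP_FILTER_CODES:
            return "firewalled"
    return "filtered"


def classify_port(responses):
    """Combine the responses of several retransmitted probes for one port.

    Any definitive reply wins over silence, because packet loss can only ever
    produce a false 'filtered', never a false 'open' or 'closed'.
    """
    states = Counter(classify_probe(r) for r in responses)
    for state in ("open", "closed", "firewalled"):
        if states[state]:
            return state
    return "filtered"


def scan_report(results):
    """results: {port: [responses...]} -> {port: state}, ordered by port number."""
    return {port: classify_port(resps) for port, resps in sorted(results.items())}


if __name__ == "__main__":
    # Constructed sample scan with up to three probes per port.
    sample = {
        22: [SYN_ACK],
        23: [RST],
        25: [None, None, None],
        80: [None, SYN_ACK],             # first probe lost, retry answered
        135: [("icmp", 3, 13), None],    # administratively prohibited
    }
    for port, state in scan_report(sample).items():
        print(f"{port:>5}/tcp  {state}")
```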
How small a thought it takes to fill a whole life
I've been doing network security for a while now, but I still have yet to find a nice single sentence summary for why security is necessary, that is easily understood by everyone who hears it from the techie to the manager.
Do you have any suggestions?
It seems that many of the honeynets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
At present, nmap has limited ipv6 capabilities; are you going to add more ipv6 functionality in the near future?
All security experts have opinions on Trusted Computing, which goes under various names such as TCPA, Palladium, NGSCB, TCG, DRM,... The Slashdot community tends to say that this is security at the cost of freedom, and disapproves of it. But not all role models in the world of computers seem to agree with this. Linus Torvalds, who gave Linux its name, for example, openly blesses DRM. What do you think about Trusted Computing? Do you see it as an additional value to computers, or more as an erosion of our freedom? And even more important, why do you think so?
Background info: Linus Torvalds blesses DRM
I spend a lot of time reading and training myself on how to prepare myself and the systems I manage against attacks and other hostile acts. I find much of this to be a fairly linear technical task.
I often find myself at a loss as to how to help train the end users at my company on how they can help ensure the security of their systems and help prevent things like social engineering attacks, and on what good password practices are.
I usually run into problems of user apathy, training materials or discussions being too technical, or trying to apply technical training techniques to sometimes non-technical problems such as the aforementioned social engineering attack.
Have you found a good way to educate largely non-technical end users on ways that they can help contribute to the overall security of the systems of the company they work for? What should be included in the training? What should be left out?
Thanks
What are the latest advances in fingerprinting networked devices that seem most promising to you?
I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture.
What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Given the many ways in which I can make a machine a passive listening device on the LAN to gather information (even in a switched environment), do you see future security focusing on authentication mechanisms on the LAN, even for the simplest of things (e.g. to get connected to a switch, to allow a MAC address, etc.)? Going to a larger scale, do you see something like this taking place on the WAN? Let's say (putting on my let's-get-nasty hat) Microsoft Palladium (.net, NM$FPSG, whatever they call it now) authentication + your MAC address just to get connected to the net?
Obviously, as time goes on we'll be getting new technologies such as self-configuring networks and networks with some level of consciousness capable of detecting and stopping break-ins as well as doing a number of mundane things such as patching automatically and updating software. The current nearly 20-year-old approach to compromising these networks through software exploit or social engineering will be nearly impossible to do right off the bat, as we've all seen them before; what kinds of attacks do you anticipate happening on these kinds of networks, and what do you think the technician will be doing to stop them?
Candy-Coated Knowledge
--it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and, usually not having the appropriate skill set, it is even harder for them to implement.
We've made a lot of progress with open source intrusion detection devices (IDS) in the last few years, with SNORT many times beating out similar offerings from commercial companies.
But so far, we have only been attempting to detect and report possible intrusions into private networks or studying attack vectors using Honeypots.
There has been a lot of talk lately about the possibility of using independent worms that fix vulnerabilities in network hosts so that those hosts aren't used as attack vectors to compromise/disable other hosts.
Instead of just detecting and reporting intrusions, or active worms fixing vulnerabilities, how do you feel about having IDS systems report to a host/daemon that would then launch protective countermeasures against the detected intrusion?
Thanks. BTW, Nmap ROCKS!
Your mom always said, a PB&J is better than nothing, and God is nothing, is a PB&J better than God?
Informed design decisions in classical engineering use estimates of cost, correctness and performance to pick the best solution. In security, much of the selection seems to be "a matter of taste", but perhaps it shouldn't be. Given two competing solutions to security problems, how do you propose that the user measure the solutions' fitness to make an informed design decision?
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
P.S. For everyone else, I've had the privilege to work in a small way on an information sharing project to build on Fyodor's mailing list archives & I'm here to testify that he lives up to the standards he sets.
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
I think I speak for many people here: why is Nmap 3.0 so much slower than 2.53? For example, I use it to ping-sweep my local /24 network. 2.53 would take about 1.5 seconds, but 3.0 takes up to 3 minutes to complete. Even using the -T switch it's still much slower.
As an author of a security book and of a well known security application, how much do you feel code cleanliness/quality affects security of products? ... Or do you feel that only a very few products should worry about security?
For instance, from looking at nmap-3 it's, ignoring the style, littered with magic numbers, _esp_ for things like the size of an array of char (which is the only concept like a "string" that nmap has), and also more than a few obvious misuses of strncpy() etc. to go along with it.
Contrast this with other security-conscious programs, like vsftpd and postfix, and it's like the difference between night and day.
Obviously anyone putting nmap at the end of a CGI is just asking for pain, but one traditional view is that this wouldn't be the problem of nmap ... but of whoever decided that it was security conscious, not just a "security" application.
ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B