Slashdot Mirror
Security Warrior
The book comes lightly packaged in a metaphor about the training of samurai. A security warrior, it is said, must avoid a "superficial study of the subject" because that leads to a "deterioration of the samurai spirit." To avoid this, the authors plunge deeply into a wide variety of ways that attackers might break into your system. The book is meant to help you "know your enemy" and "see through an attacker's eyes."
This chestbeating fluff disappears pretty quickly because the authors dive into reading assembly code in the first chapter and start talking about the registers of the CPU by page 4. The rest of the first part of the book explores reverse engineering software by reading assembly dumps and using good tools to decipher it.
After poking around in binary code, they turn to the bits floating around the network. Chapters 6 through 10 explore how to sit on one end of the Internet and pry your way into another computer. Chapters 11 through 17 dive deeper into the specific defenses of platforms like UNIX, Windows, SOAP and SQL. The rest of the book, Chapters 18 through 22, explore how to figure out just what the attackers may be doing by setting up honeypots and log analysis tools.
Covering all of these topics in 531 pages is clearly not possible and the book reads more like a survey or a catalog of what can go wrong. If you use PHP, for instance, as a frontend to your database, you might want to be sure that some "script kiddie" won't slip in some extra SQL in the form fields. Each topic isn't built up from some bedrock foundation with perfect mathematical pedagogy, it's just defined as a list of bad things that you should avoid doing.
The authors seem to be aware of how this might be misinterpreted. There are many good tricks in the book and it wouldn't be hard to rename it Al K Da's 1337 Haxor Tips . So the authors stress how learning about the enemy is the only way to defeat the hordes.
I think the problem is deeper and more philosophical. There's no way to prove a negative. There are no good mathematical tools that make it easy to prove statements like P!=NP or big numbers can't be factored quickly. In a larger sense, it's not really possible to prove that someone can't break into a system. A more traditional, ground-up approach to the topic can offer some assurances, but books like this one are always necessary. Anyone doing battle against unknowable and unpredictable adversaries must look between the cracks.
If you look at it this way, the book is a good collection of tips and hints that will help someone keep their network a bit more secure. It doesn't provide a deep, elegant and rigorous explication of the topic, but I don't think that is possible. It's a great collection of tricks that should be part of a good warrior's training.
Peter Wayner is the author of Translucent Databases and Policing Online Games . You can purchase Security Warrior from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Another good book in the same vein is Counter Hack by Ed Skoudis. It can be slightly dated, but still informative.
Here's amazon's page on it. It's ranked 5 out of 5 stars.
Casual Games/Downloads
A good security policy is paramount. This book does a good job pointing out some not-so-obvious places that are often over-looked in our haste to meet deadlines.
The book comes lightly packaged in a metaphor about the training of samurai.
First rule: know when to commit seppuku.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
"Windows Reverse Engineering (PDF)"
Can someone tell me if this is a good book to read if you are using a hosting service as opposed to operating your own server?
Can I bum a sig?
It's nice to see there is no lack of someone/somecompany trying to make some money off of the security FUD/Errata scene nowadays. Strangely I've been running webservers, databases, clients without problems for years. I keep a slight watch on lists, and I think (IMO) I keep systems pretty tight either via normal tools, whether they're open source or not.
I still don't understand how hard it is for companies to throw up a so called webserver and have who knows how many ports open. If it's a webserver its a webserver, mailserver then its a mailserver. I call it shoddy administration. Taking the time beforehand to configure something properly will definitely save you a heck of a lot of time down the line, it becomes a matter of watching for new holes and patching them up quickly. If servers are an issue write some script to install patches/fixes to clusters or so.
Sometimes I sit back and wonder what the hell is happening to the security field as a whole. Within the past four years it went from a couple of individuals to everything being overrun by corporations. Security Focus to me pretty much sucks nowadays, but yet aside from lists such as NANOG, Secfocus, ISP-Lists, there are little resources left. I say strong planning nulls out any information you can get from a book. Besides most of the information one could ponder looking for can be found using good old google. Why should I keep waisting money to see the same things over and over again.
MoFscker
Security has been the same for a while:
Don't open unused ports.
Don't make your system unnecessarily complex.
Don't use software if you haven't inspected it.
Don't give access to those who don't need it.
Handle every exception.
Assume your user is an a**hole/dumbass who will use your system every way except the way it was intended to be used.
Dot your i's and cross your t's.
Now... Who wants to give me a book deal?
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
There's no such thing as a physical lock that can't be broken. It's only a matter of how much force needs to be gathered to break down the door, or break a hole in the wall.
An entirely secure site can be breached by a bomb being dropped on top of it. Now, some people might say that's cheating, because demolishing the site, and therefore whatever valuable was being protected too, doesn't give control of the valuable to the atacker. However, it does deny the services of the valuable to its owner as well. That's a security failure, the job is to keep the services of that valuable always available.
Computer security should be thought of in those terms. There's no such thing as unbreachable security, you just want to set the threshholds of what it takes to breach the security high enough so that it becomes highly unlikely that anybody can come up with the force it takes to defeat them.
Clearly, if somebody comes up with a processor that can quickly factor large numbers, then a good chunk of today's security theory will go straight out the window. However, since to our knowledge nobody has done so and nobody's close to doing so, we can consider that a good security technique to use now.
One must always keep up with what tools the bad guys have available, because once they have something that can knock down a defensive tool with ease, that defensive tool had better have another line of defense behind it.
Nuff said.
They have been replaced by Japanese riot cops practicing Aikido, a fighting philosophy where there is neither victor nor vanquished.
Aikido isn't for fighting -- it's a defensive martial art whose purpose is to gently take down your opponent using a variety of joint locks, etc.
Is it impossible? I mean, there are known vulnerablities, know secure tricks (i.e. passwords that would require unreachable computational power, "security areas" accessible only by people invulnerable to social engineering, after special training, system routines written with security in mind, hardware that is sealed in such a way that it cuts off any attacker on attempt of attack, and physically assaulted self-destructs?
Things slipped out of control because growth wasn't followed by quality control. It would need to be designed from scratch. I think it would be possible - system completely unbreakable, without ANY holes.
But I guess building it would be so expensive, that EVERYBODY prefers systems that work so-so and contain unknown bugs and nobody would be willing to buy it.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
If you use PHP, for instance, as a frontend to your database, you might want to be sure that some "script kiddie" won't slip in some extra SQL in the form fields. This can easily be fixed using mod_security . Remember - for the PHPNuke/Postnuke, or any other content management based site - there needs to be a connection to your admin page at some point in order to manipulate anything. Another fix:
I still don't see the big hooplah. If you need to connect via various addresses you could add them to httpd.conf or install squid with an ACL of accepted hosts, and add that address in your httpd.conf. I don't need to buy a book to tell me this, I would rather RTFM's and know what the heck is running beforehandMoFscker
You ARE clever.
I'm reviewing the book as well with the intent to publish the review, but with so much work lately I haven't had time for reading. Any way, my summary so far (up to the UNIX specific attacks) is that it feels somewhat fragmented, and the order is slightly jarring. The first section of the book jumps right into assembly. While that might be a foundation to computing (one step up from machine code), it's a real bucket of ice water in the face for anyone trying to get started with the book. Even though I've been trained in a couple of programming languages and I'm familiar with ASM, it was still difficult to follow along some times. The first section on networking felt very incomplete and shallow, but then after skipping around a bit they come back to more network security topics a bit later. It remains to be seen how well it will flesh out in the later chapters. I was rather hoping for some details, like W. Richard Stevens tcpdump approach to teaching TCP/IP, given all the detail they had earlier on ASM, but alas I haven't seen anything like that, so far. On the other hand, I found the section on reversing Linux binaries to be very enlightening. I never realized how broken/limited the tools are for reversing on a Linux platform. Certainly that could make it very difficult to examine Linux viruses and worms when they finally start circulating in large numbers. Any way, I'll reserve the rest of my judgement until I actually finish the book.
Someone is WRONG on the Internet!
for those using apache, if you haven't had the chance to play with it you should, and you should also check out the snort2modsec perl script if you're too lazy to make your own SetFilter rules. Sorry for the multiple postings
MoFscker
Computer security is an odd pursuit because it's just not possible to have a strong, theory of everything when cracks can appear anywhere.
Simply unplug the computer, melt everything meltable, burn everything burnable and pass a nice strong magnet over the rest. Then, bury it in a lined hole in your backyard.
Secure enough for you?
The book comes lightly packaged in a metaphor about the training of samurai
Does this mean I can look forward to lots of MSCE admins comitting seppuku when they get cracked?
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
...and replace your PC with a Timex Sinclair. In over twenty-two years of use, not a single one has ever been infected with a virus.
For the rest of us, my advice usually follows something like this:
Still not satisfied? You can still get these pretty cheap!
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
One man ends up on the floor with a broken arm, the other remains standing, I'd say that's a fight.
And not all of Aikido is purely defensive moves. There are no backflips or flying side-kicks, but those are a waste of energy anyways. If you successfully counter an attack, the battle is yours. If your opponent refuses to attack you because he knows that you will counter his attack, then the battle is yours.
It was called the Art of War by some guy named Sun Tzu. I think he worked for IBM or something ;-)
www.linux-skunkworks.com
Some people might not like reading the books on your monitor, but it doesn't bother me. I think the electronic search features (in a specific book, across all books, etc.) really makes the service much more useful.
Again, I'm not trying to plug, but after years of spending at least $50 a month on books I'm really satisfied with safari.
Computer security is almost an oxymoron in a networked environment. On the one hand we want to be connected to everyone and seamlessly share data, software, and functionality. And so we connect to large numbers of people, like the poeple we meet on /. and other forums.
On the other hand, we want to restrict access to all but a "trusted" few. Yet the tools for creating trust on the internet are poor or illusory.
Trust takes time to develop. Only after we have a breadth and depth of experience with the coutnerparty can we truely trust them. The existence of people willing to create a trusted persona over the months or years in order to gain black-hat access or run a scam is at odds with the natural speed of the internet were it only takes a few months to become a trusted veteran.
Trust also requires tokens of commitment -- the idea that each party has something to lose in the relationship. Unfortunately, most online venues lack this because it is too easy to abandon a troll/criminal persona and create a fresh persona.
I applaud the work of computer security professionals -- its an extremely hard job made harder by the conflicting demands on computer infrastructures and the mismatched timescales of trust and the internet.
Two wrongs don't make a right, but three lefts do.
1. Pull network cord
2. Pull power cord
3. ???
4. Security!!!
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Using mod_security I replaced mod_redirect since I can achieve the same thing. One thing I've been doing when vulnerable Windoze hosts connect (/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMV
MoFscker
I think it's like that old joke about how to protect yourself from being killed by a bear. (I don't need to outrun the bear, I just need to outrun you). I only need to be slightly more secure than the rest of you. Right now, frankly, that's not too hard.
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
IMHO, computer security is like trying to make something idiot-proof...as soon as it is (idiot-proof) someone perfect a better idiot. In regards to computers, there is no 100% safe way to fully protect your data -- except by rendering the machine inaccessable and turning it off. Of course, that's highly counterproductive.
So, at the end of the day, all a sysadmin can do is operate the machine in a prudent manner (set it up to have security reasonable to the risk), keep it patched and raise the bar to keep as many potential foes out as possible. But bear in mind, no matter what you do, if one is determined enough, they WILL be able to break into your machine.
After all, the best hackers are the ones you hve never heard of. Their best exploits are the ones that no one knows about. Children brag about their shenanigans, a wise criminal keeps his tools to himself so they keep working.
Linux and other OSS projects have a community to identify the risks, but not even a community nor the author(s) of a given piece of code as complex as a working modern Linux system can identify them all.
now I have to learn another fundamental force? Darn you to heck!
Yeah, many computer hackers in recorded history have come in through Windows.
Computer security problems almost always fall into a few well-known (beaten to death is more accurate) patterns. One such pattern is the "buffer overflow attack". Why does anyone accept this? There is absolutely no reason for modern software to be subject to buffer overflows. We have languages like Java which run everything within a protected virtual machine and don't use buffers. We can design CPUs which allow sections of memory to be marked "execute only, don't write". We can use safe string libraries instead of creaky old standard lib. And yet I still hear people saying that buffer overflows are a given.
Same with root escalations. For years we have had ideas of how to have systems that are compartmented and don't have root. In the Unix world, we have the idiocy of "trusted ports" (ports I could go on and on. The only reason why computers are so insecure is because we have accepted that they are and decided to live with it. This is just wrong.
--------
Create your own WAP site, or become a Wireless-Enabled Hosting(tm) provider
Unfortunately I find that too many "do-it-yourselfers" are leasing dialups and servers from hosting companies and reselling these dialups and server space without really knowing anything about server work.
The use of server tools such as plesk makes being an admin for a server an easy job for someone who's never even logged into a shell.
A class or certification in ISP/Web Server management and server security would greatly benefit from using this type of reading. I've got a friend of mine who is this type of "point and click admin" and he's had to move servers twice now because the leased server became compromised and he had no idea how to fix it. Each time he did learn how to keep the problem from happening again though.
Best security practice- get rid of your Windows first.
I'm sure one too many admins have seen this. Something else that one can do that costs nothing to very little, is find those l337 hacker sites. Something to test your skill and/or knowledge. The book referred to "thinking or seeing through a hackers eyes", well put up or shut up. Real world experience trying to compromise either a webpage or a server is worth a few chapters in a book. I admit I was drawn into computers for the glamour, or the romance of the hack. I wanted nothing more than to be an elite skript kiddie. Then something happened, I was actually learning why this snippet of code does this. How it affects the CPU register to overflow this or that buffer. I have read tons of stuff, and still find my self on a quest to learn more. I have found that these sites put into practical examples of what not to do, and also give a good idea of how to test your own security. I am by no means good. I do know right from wrong, I choose to use the knowledge I have gained, to design and build as secure a network as possible. Tutorials, tools, sites, whitepapers on hacking aren't the problem. It's that one jerk, who thinks it's funny to destroy something someone put forth alot of time, thought, money, and effort to build design, and maintain. Knowledge is power, but try wisdom is knowing when to use and not to use that power.
I am Bennett Haselton! I am Bennett Haselton!
Even with the best of hardware and software locks and keys, the weak link is still the human. There have been many /. articles on social engineering and the current crop of books (The Art of Deception by Kevin Mitnick for example) shows how the best laid security plans can be circumvented by a minimum wage clerk. Education for all employees should be a big factor in securing systems. An email from the IT department just won't cut it - we need to teach people how and why to make a difference.
Here are the top 10 reasons:
.vbs & .exe attachments at the mail server because he is an amature (read: terrible) coder. Moreover, his amature programs cause as much if not more trouble than the virus-laden attachments he keeps opening. He also has crazy ideas about putting "stamps" on email.
10) You've just been ordered to migrate from sendmail to Exchange server.
9) Your boss, let's just call him Bill, insists upon being given root priviledges, in spite of the fact that he constantly breaks things even with mere user priviledges.
8) Your boss won't let you filter out
7) You are told by your boss, who (mis)read a computer security advisory to put the company webserver (which handles online sales) on a non-standard port "so the hackers won't be able to mess with it."
6) Your boss expects you to find a way to make your Solaris servers, with tons of ancient, crufty legacy code which is vital to the company, run ASP pages just so they can use (read: justify the rediculous expense of) some crappy B2B application they bought without consulting IT. Preferably sometime next week.
5) Your boss thinks that some 'internet accelerator' software (read: spyware) should be made mandatory for all employees to improve productivity.
4) Your "security policy" is more like a list of who to blame for what.
3) Your boss is negotiating a SCO IP license, since "any publicity is good publicity."
2) Your boss thinks you should be more thankful, because the management is so "IT-savvy" and always ready to help you out.
1) You ignore all this bad advice, pretend you took it anyway (he'll never actually know...), and waste your time posting on Slashdot instead of working.
"Shut The Door, They're Coming Through the Window"
You have no idea what you're talking about. Mathematicians and computer scientists prove negatives and non-existence all the time. For example, it is proven that there exist no non-zero rationals a, b, and c, and integer n > 2, such that a^n + b^n = c^n.
The reason it's not possible in practice to prove anything about computer security is that the languages and protocols we used were not designed with this ability in mind. You can't prove anything useful about unix, C, or HTTP. It's true that it would take a massive overhaul of our computer infrastructure, but it's possible to have systems that you can reason about.
Even then, it's true that you can only prove things in a model, and it's always possible that there will be a real-world attack that isn't reflected in the model. But the situation could be much, much better than it is today. If you use a safe language and design your library carefully, you can probably provably protect yourself from some vulnerabilities.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
If you really think you're not going to seal all the cracks, or that you create new ones as you rebuild your electronic foundation, you need to track what goes on inside the house at all times.
The best way to do this is to log all significant events in your infrastructure:
Without knowledge of your history you can't see new trends or look back and see how often in the past newly discovered exploits by external attackers and internal were used. The company I work for (Addamark) discusses the log-everything approach to security. It's a tough problem because of the scale of info required. Sorry for the shameless plug but this is the problem we address, and do so rather well at several real-world companies.
cool!
If you can find out where I allegedly copied that from, please let me know, because that means I must have some telepathic power I'm not aware of, and I would certainly be curious about that.
"Encyclopedia salesman!"
Seriously, that's what e-mail viruses are turning into these days. Now they're encrypting zip attachments and expecting the idiots to remember a five-digit number for more than a few seconds. And it's actually working.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
an idealist. Now get a job. You wont last 5 minutes.
I wouldn't really say "gently"... most techniques in Aikido take advantage of many laws of nature such as gravity, inertia, etc.
For example, if some fool is running at me with a weapon, it's no problem to allow him to keep moving in that direction, having him fly through the air and land face first into the ground, or whatever.
Someone grabbing my wrist will also find themselves on the ground, face down, in maybe one second of time, even less time is possible. Well, either that or their arm will be painfully twisted behind them, to an extent that it would be no problem to severely damage the person's arm (although that's not the intention of the technique)...
There's little that is "gentle" about Aikido but it's still definitely not about offense. It's not about kicking someone in the head and spinning around 5 times in the air, and so on. It's not about putting someone in a coma or killing them by poking some random spot on their body... the whole idea is to defend yourself to the best of your ability, without unneccesarily harming the person.
$15/month is not the cheapest. They have $110 per year for 5 books/month. That's less than $10/month or with access to 50 books roughly $2.20 per book.
Sounds like you need to buy a can of RAID and spray it all over the place. Also, Home Depot sells those ant baits that are supposed to kill off the entire colony (the ants take the poison to their nest and kill all their relatives, including the queen). Other than that, I'd say get a professional pest control company to take care of it.
Ah, the joys of ant invasions.
Damn, this how-to on ant extermination is the most practical advice I ever got from Slashdot!
I've been hearing a lot about how IT stinks these days, so I've been thinking about getting a masters in Information Security after I finish my undergrad because it seems to be the hot thing lately. What do you guys think?
What would you recommend on ITIL/BS7799? ...
Also, why would you mention BS7799 but not ISO 17799? Books of these type are usually pricey. Any free / PDF-type documentation? I am collecting docs of this kind. Thanks
Collection of my books is here. See the section on security.
-- br