Slashdot Mirror


Security Warrior

Peter Wayner writes with a review of O'Reilly's Security Warrior: "Close the doors and they come in the windows. Bar the windows and they slip through some cracks in the foundation. Seal those up and they find another way in through the door. Computer security is an odd pursuit because it's just not possible to have a strong theory of everything when cracks can appear anywhere. Into this field comes Security Warrior, a book on the topic with a wide-ranging collection of tidbits and suggestions on sealing as many holes as you can find." Read on for the rest.

Security Warrior
author: Cyrus Peikari and Anton Chuvakin
pages: 531
publisher: O'Reilly
rating: 7
reviewer: Peter Wayner
ISBN: 0596005458
summary: Not a deep approach to security, but a great bag of tricks every sysadmin should have at hand.

The book comes lightly packaged in a metaphor about the training of samurai. A security warrior, it is said, must avoid a "superficial study of the subject" because that leads to a "deterioration of the samurai spirit." To avoid this, the authors plunge deeply into a wide variety of ways that attackers might break into your system. The book is meant to help you "know your enemy" and "see through an attacker's eyes."

This chest-beating fluff disappears pretty quickly because the authors dive into reading assembly code in the first chapter and start talking about the registers of the CPU by page 4. The rest of the first part of the book explores reverse engineering software by reading assembly dumps and using good tools to decipher them.

After poking around in binary code, they turn to the bits floating around the network. Chapters 6 through 10 explore how to sit on one end of the Internet and pry your way into another computer. Chapters 11 through 17 dive deeper into the specific defenses of platforms like UNIX, Windows, SOAP and SQL. The rest of the book, Chapters 18 through 22, explores how to figure out just what the attackers may be doing by setting up honeypots and log analysis tools.

Covering all of these topics in 531 pages is clearly not possible, and the book reads more like a survey or a catalog of what can go wrong. If you use PHP, for instance, as a frontend to your database, you might want to be sure that some "script kiddie" won't slip some extra SQL into the form fields. Each topic isn't built up from some bedrock foundation with perfect mathematical pedagogy; it's just defined as a list of bad things that you should avoid doing.
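
The form-field problem the review mentions, made concrete. This is an added example and not code from Security Warrior or from the review: it uses Python's bundled sqlite3 module, the users table and its two rows are constructed for the demonstration, and the payload string is made up. The first lookup pastes the field value into the query text the way a naive PHP frontend would; the second binds it as a parameter.

```python
"""Added example, not from Security Warrior or the review: the same
lookup with a form value pasted into the SQL text versus bound as a
parameter. Constructed in-memory SQLite data; the payload is made up."""
import sqlite3


def make_db():
    """Build a constructed users table: alice is an admin, bob is not."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The hole the review warns about: the field value becomes part of
    the SQL text, so a quote in it rewrites the query's structure."""
    sql = (
        "SELECT id, name FROM users "
        f"WHERE name = '{name}' AND is_admin = 0 ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the value travels separately from the statement
    and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, name FROM users WHERE name = ? AND is_admin = 0 ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input. In the vulnerable query it closes the
# string, adds an always-true OR, and comments out the admin filter.
PAYLOAD = "x' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "bob"))
    print("vulnerable, payload      :", lookup_vulnerable(db, PAYLOAD))
    print("safe, payload            :", lookup_safe(db, PAYLOAD))
```

With the payload, the vulnerable query returns every row, admin included, because the `--` turns the rest of the statement into a comment; the parameterized query returns nothing, since it looks for a user literally named `x' OR '1'='1' --`. Escaping the quotes would patch this one payload, but binding parameters removes the whole class of problem.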

The authors seem to be aware of how this might be misinterpreted. There are many good tricks in the book, and it wouldn't be hard to rename it Al K Da's 1337 Haxor Tips. So the authors stress that learning about the enemy is the only way to defeat the hordes.

I think the problem is deeper and more philosophical. There's no way to prove a negative. There are no good mathematical tools that make it easy to prove statements like P!=NP or big numbers can't be factored quickly. In a larger sense, it's not really possible to prove that someone can't break into a system. A more traditional, ground-up approach to the topic can offer some assurances, but books like this one are always necessary. Anyone doing battle against unknowable and unpredictable adversaries must look between the cracks.

If you look at it this way, the book is a good collection of tips and hints that will help someone keep their network a bit more secure. It doesn't provide a deep, elegant and rigorous explication of the topic, but I don't think that is possible. It's a great collection of tricks that should be part of a good warrior's training.

Peter Wayner is the author of Translucent Databases and Policing Online Games. You can purchase Security Warrior from bn.com.

11 of 124 comments

  1. scary no doubt by segment · · Score: 4, Insightful

    It's nice to see there is no lack of someone/somecompany trying to make some money off of the security FUD/Errata scene nowadays. Strangely I've been running webservers, databases, clients without problems for years. I keep a slight watch on lists, and I think (IMO) I keep systems pretty tight either via normal tools, whether they're open source or not.

    I still don't understand how hard it is for companies to throw up a so-called webserver and have who knows how many ports open. If it's a webserver, it's a webserver; if it's a mailserver, then it's a mailserver. I call it shoddy administration. Taking the time beforehand to configure something properly will definitely save you a heck of a lot of time down the line; it becomes a matter of watching for new holes and patching them up quickly. If servers are an issue, write some script to install patches/fixes to clusters or so.

    Sometimes I sit back and wonder what the hell is happening to the security field as a whole. Within the past four years it went from a couple of individuals to everything being overrun by corporations. Security Focus to me pretty much sucks nowadays, but yet aside from lists such as NANOG, Secfocus, ISP-Lists, there are little resources left. I say strong planning nulls out any information you can get from a book. Besides, most of the information one could ponder looking for can be found using good old Google. Why should I keep wasting money to see the same things over and over again?

  2. The more things change, the more they stay ... by Doesn't_Comment_Code · · Score: 5, Insightful

    Security has been the same for a while:

    Don't open unused ports.

    Don't make your system unnecessarily complex.

    Don't use software if you haven't inspected it.

    Don't give access to those who don't need it.

    Handle every exception.

    Assume your user is an a**hole/dumbass who will use your system every way except the way it was intended to be used.

    Dot your i's and cross your t's.

    Now... Who wants to give me a book deal?

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.

    1. Re:The more things change, the more they stay ... by LostCluster · · Score: 4, Insightful

      Now... Who wants to give me a book deal?

      The reason why there's so many security books out there is that people need to be shown how to do all the things that you list. Somebody who doesn't understand that a form which is browser-limited to only send numbers still has the ability to send back characters isn't going to bother to code in the line that bounces non-numeric input.

      It's hard to tell somebody who doesn't know what i's and t's look like to dot and cross them correctly.
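
The point made in the reply above, as an added example that is not part of the original thread: a browser-side "digits only" restriction on a form field is advisory, so the server must re-check the value, and it must define "a number" strictly. The inputs below are constructed; the function and variable names are my own.

```python
"""Added example, not from the thread: a server-side check for a form
field that the browser limits to digits. The browser limit is advisory;
the server must re-check, and "is a number" must be defined strictly."""
import re
from typing import Optional

# Exactly one to ten ASCII digits. fullmatch() anchors both ends, so no
# surrounding whitespace, sign, underscore or non-ASCII digit gets through.
_CANONICAL_DIGITS = re.compile(r"[0-9]{1,10}")


def parse_quantity(field) -> Optional[int]:
    """Accept only a canonical decimal string; return None for anything else."""
    if not isinstance(field, str) or _CANONICAL_DIGITS.fullmatch(field) is None:
        return None
    return int(field)


def loose_quantity(field) -> Optional[int]:
    """The tempting shortcut. int() accepts whitespace, a sign,
    underscores and any Unicode decimal digit, none of which the form
    allows, so 'did it parse' is not the same check as 'is it valid'."""
    try:
        return int(field)
    except (TypeError, ValueError):
        return None


# Constructed inputs a tampered request might carry instead of plain digits.
SAMPLES = ["42", "1 OR 1=1", " 42 ", "4_2", "+42", "-1", "\u0664\u0662", "1" * 11]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:16} strict={parse_quantity(s)!s:6} loose={loose_quantity(s)}")
```

Running it shows why the loose check is not enough: `" 42 "`, `"4_2"`, `"+42"` and the Arabic-Indic digits `"٤٢"` all parse to 42 with `int()`, and `"-1"` parses to a negative quantity, while the strict check rejects every one of them and accepts only `"42"`. Both checks reject `"1 OR 1=1"`, but only because that string happens not to be an integer; the strict allowlist is what you can actually reason about.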

  3. Perfect Security is infinite... by LostCluster · · Score: 5, Insightful

    There's no such thing as a physical lock that can't be broken. It's only a matter of how much force needs to be gathered to break down the door, or break a hole in the wall.

    An entirely secure site can be breached by a bomb being dropped on top of it. Now, some people might say that's cheating, because demolishing the site, and therefore whatever valuable was being protected too, doesn't give control of the valuable to the attacker. However, it does deny the services of the valuable to its owner as well. That's a security failure; the job is to keep the services of that valuable always available.

    Computer security should be thought of in those terms. There's no such thing as unbreachable security; you just want to set the thresholds of what it takes to breach the security high enough so that it becomes highly unlikely that anybody can come up with the force it takes to defeat them.

    Clearly, if somebody comes up with a processor that can quickly factor large numbers, then a good chunk of today's security theory will go straight out the window. However, since to our knowledge nobody has done so and nobody's close to doing so, we can consider that a good security technique to use now.

    One must always keep up with what tools the bad guys have available, because once they have something that can knock down a defensive tool with ease, that defensive tool had better have another line of defense behind it.

    1. Re:Perfect Security is infinite... by Chazmyrr · · Score: 4, Insightful

      You're very close. The part that is wrong is how you decide where the threshold should be set.

      The correct answer is that the threshold should be set at the point where increasing security further incurs a greater cost than the value of the risk mitigated by the increase. In other words, you perform a risk assessment and a cost/benefit analysis before you spend a lot of time/money on elaborate security measures.

      If a security measure is going to cost $50k to mitigate $5k of risk, it isn't worth it.

    2. Re:Perfect Security is infinite... by Beryllium+Sphere(tm) · · Score: 2, Insightful

      >you just want to set the thresholds of what it takes to breach the security high enough so that it becomes highly unlikely that anybody can come up with the force it takes to defeat them.

      That's the classical definition of physical security, which assumes that attackers are controlled by economic motivations. It's highly unlikely that anyone would spend money on bribes and/or tools to steal my 1979 Volkswagen Rabbit, for example.

      It doesn't apply to some corners of information security, though.

      Technical security measures often amount to setting up a puzzle. There are people who solve puzzles for fun. To them, the harder it is to defeat your technical countermeasures, the more fun and prestige they get by defeating them.

      Consider all the people who spend days or weeks cracking copy protection on relatively cheap software packages, and who then don't even get paid for their work.

      MIT ran into this. There was one OS that kept going down as people figured out ways to crash it. Every fix just raised the bar and challenged the competitive MIT hackers to find new OS bugs. The administrators finally got some decent uptime by installing a "kill system" command available to normal users. They took away the challenge, took away the fun, and all the puzzle-solvers took their energy elsewhere.

      You can't use that particular trick if your threat model includes normal people, but it illustrates the point: there are some people who are motivated by difficulty.

      >An entirely secure site can be breached by a bomb being dropped on top of it.

      This is also true and insightful. I call it the platform-independent denial of service attack. Notice that off-site backups will limit the damage from both an air raid and from a zero-day exploit.

      >One must always keep up with what tools the bad guys have available, because once they have something that can knock down a defensive tool with ease, that defensive tool had better have another line of defense behind it.

      I'd go one step further and argue that the additional line of defense should be there in the first place, because we know that the abilities of bad guys increase over time.

      Good post! I'm adding you to my friends list.

  4. Re:Hrmm... by SquadBoy · · Score: 3, Insightful

    Yes yes it is. I have my copy in my bag right now. This is worth reading no matter what you do in IT. But I would come to this after reading Beyond Fear at least once and Secrets and Lies at least twice.

    http://www.schneier.com/

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.

  5. Unbreakable? by SharpFang · · Score: 3, Insightful

    Is it impossible? I mean, there are known vulnerabilities, known secure tricks (i.e. passwords that would require unreachable computational power, "security areas" accessible only by people invulnerable to social engineering, after special training, system routines written with security in mind, hardware that is sealed in such a way that it cuts off any attacker on attempt of attack, and physically assaulted self-destructs)?

    Things slipped out of control because growth wasn't followed by quality control. It would need to be designed from scratch. I think it would be possible - system completely unbreakable, without ANY holes.

    But I guess building it would be so expensive, that EVERYBODY prefers systems that work so-so and contain unknown bugs and nobody would be willing to buy it.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

  6. Computer Security In General by ausoleil · · Score: 4, Insightful

    IMHO, computer security is like trying to make something idiot-proof... as soon as it is (idiot-proof), someone perfects a better idiot. In regards to computers, there is no 100% safe way to fully protect your data -- except by rendering the machine inaccessible and turning it off. Of course, that's highly counterproductive.

    So, at the end of the day, all a sysadmin can do is operate the machine in a prudent manner (set it up to have security reasonable to the risk), keep it patched and raise the bar to keep as many potential foes out as possible. But bear in mind, no matter what you do, if one is determined enough, they WILL be able to break into your machine.

    After all, the best hackers are the ones you have never heard of. Their best exploits are the ones that no one knows about. Children brag about their shenanigans; a wise criminal keeps his tools to himself so they keep working.

    Linux and other OSS projects have a community to identify the risks, but not even a community nor the author(s) of a given piece of code as complex as a working modern Linux system can identify them all.

  7. Social Engineering by pizzicar · · Score: 4, Insightful

    Even with the best of hardware and software locks and keys, the weak link is still the human. There have been many /. articles on social engineering and the current crop of books (The Art of Deception by Kevin Mitnick for example) shows how the best laid security plans can be circumvented by a minimum wage clerk. Education for all employees should be a big factor in securing systems. An email from the IT department just won't cut it - we need to teach people how and why to make a difference.

  8. Re:Paradox of Open yet Closed by LostCluster · · Score: 3, Insightful

    "Trustworthiness" is created when somebody given the opportunity to screw up does not do so, and is the best predictor we have for whether somebody will screw up in the future.

    To banks, in order for you to have perfect credit credentials, you must have taken loans before and not violated the terms. Never taking a loan is a neutral value... you haven't screwed up, but on the other hand you haven't had the chance to either. There's no data on you, which means the system has nothing upon which to make a decision, and therefore it's the system's least confident prediction.

    Tokens of commitment can only be used to prevent somebody from breaching trust when what they've put up at stake is more valuable to them than what they might get as a result of breaching the trust. A token that isn't strong enough doesn't really create trust. However, too strong a token will also turn away those who don't trust you, which can deny the project you're trying to protect the help it needs.

    The paradox of open yet closed is not one that can be solved, it just has to be dealt with.