Slashdot Mirror
Ask Slashdot: Do-It-Yourself Security Auditing Tools?
An anonymous reader writes "I'm a 'prosumer' website builder, have a few sites that are mainly hobbies, but I would like to know that they're at least fairly robust. I'm thinking of the equivalent of a 'dental clinic' — where someone interested in the white hat security field might be willing to take on an audit for the experience and to build a resume. Or, tools such as websites that let you put in a password and see how long it takes to crack it. Or sites where you can put in a URL and it gets poked and prodded by a number of different cracker tools and a 'score' is given. Ideally with suggestions on how to improve. Does anything like that exist? I'm not talking FBI/CIA level security, but just common-sense basics. I've tried to use techniques that improve security, but I don't know how well they work. And I've realized that in the ever growing, fast changing field of computers I'm not going to ever get the knowledge I need to do this myself. I know there are software suites that allow you to sniff and test things on your own, but I'm afraid it's overwhelmingly foreign to me and I just feel like I can't reliably do this myself. Any ideas?"
I believe this questions really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite.
This is a nifty suite of programs made for a lot of what you want that runs on a Raspberry Pi. If you don;t want to get a Pi you can look at the list of software and download then into your favorite Linux distro. Most (if not all) of these are open source.
http://pwnpi.sourceforge.net/
You say things that offend me and I can deal with it. Can you?
Post your site on /b for maximum security pokes
And I will tell you how long it took to crack it.
What's the point of "basic" security check?
But a quick search for metasploit should get you going, perhaps add a Nessus scan and go watch some Def Con presentations on SQL injection and penetration testing http://www.youtube.com/user/ChRiStIaAn008 is a good place to start.
Nessus is the big cheese with the big price but OpenVAS is the way to go. Do have a machine with plenty of power.
If you have a decent hosting company, they'll do this for you. Mine will send out alerts if a popular CMS install has a known hole in it, and require people to upgrade the software.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
You have no idea what you're doing, you have no idea what you WANT to do, and you have no idea what you need to do in order to get the knowledge to do whatever that is.
Please, re-think your idea.
The last one is pay for, but I swear by it. I do penetration testing full-time.
There are plenty of web (vulnerability scanners) that you could use, some requiring no experience and point and click, otherwise will require prior knowledge.
http://sectools.org/tag/web-scanners/
Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a vaild business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.
From the way you describe your goal, you are building mostly one-off websites. For small companies and the like? You'll be best off just using popular open source products like Drupal, WordPress, or ModX and keeping up to date with security updates. Many of these will automatically notify you of security updates and you can apply them right away. Don't try to host the websites on your own server either. Get a hosting product from a company that will keep the underlying OS, Apache, and PHP up to date and secure. This will reduce your exposure quite a bit. You still need to make sure to choose good passwords. Nessus or OpenVAS are also an option.
Ceci n'est pas un post
honestly, its all so tough now.
outside of obvious holes that can made for skids (like outdated wordpress installs), its all pretty indepth fuzzing
anything useful to you will cost an arm and a leg. and then you will still need expertise to interpret it all
Two articles on arstechnica recently covered booters (paid services to attack your sites using a large set of vectors), and password cracking for script kiddies.
Here they are :
http://arstechnica.com/security/2013/03/details-on-the-denial-of-service-attack-that-targeted-ars-technica/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
That should give you a first hint...
Posting as AC because for some annoying reason Slashdot won't let me log ion right now...
https://www.owasp.org/index.php/Web_Application_Penetration_Testing
Not really a free web service tool but it is a paid desktop app that will give you HARM scores and test your web applications against common vulnerabilities. Updates daily and will even suggest ways to fix your apps. We use it heavily at our organization.
Whether you wanted to or not, just by having a site, you've already asked the whole Internet to check it out. One way to find out if you've done things right, is to look for evidence that you've done things wrong. And there's a little tip I learned...
Grep your logs for your table names.
If you have an injection hole, for example, then automated spiders have already found it and exploited it, and (so far) they don't obfuscate or even escape/character-encode their requests, so you'll plainly see their injected queries in your logs.
Preferably, look for site-unique table names, so that you'll know they could have only gotten the name by successfully querying the schema. You're going to see lots of scary-looking things in your logs, but some of those are just unsuccessful attempts. A unique table name (hint: use tables names with the word "user" or "password" in them) will be a dead giveaway they succeeded.
Don't ask me how I know what that looks like. Hey, it wasn't my fault. Mostly. Ok, partly but mostly not. Look, it's complicated, and involves an inherited legacy, OKAY?! Everybody just back off. ;-)
Anyway, when you see that, then it means you screwed up, so you'll learn something and know you need to fix something. If you don't see it .. sadly, you won't really know much more than you did before.
And I gather you (the OP) is getting worried; the problem is that you're not paranoid enough.
Do you, for example, validate your code using the HTML validator from w3c?
You also need to learn to run tools. I mean, online website tools are nice... as long as you're *SURE* that they've not been hacked, nor are they actually crackers trying to lure you in.
Determining what tools to use is another issue: are you writing for Windows or *Nix? There's a lot more free tools on the latter, but you will have to learn more. For example, there are older, free versions of nessus.
Get yourself a good book, maybe from the publisher O'Reilly, on security.
mark "not even getting a kickback from O'Reilly for the plug"
One of the best places to start (IF your a linux user, yes I know a stupid statement for someone using slashdot) is with Backtrack. Has almost all of the tools a security professional could need for normal pen testing. They have even released a new version Kali Linux that makes it even easier to use.
I run it on my test linux laptop for the exact purpose of analysis, pen testing, and sometimes malware disassembly.
Some web hosting companies will not take kindly to you pounding away at their servers, even if you are only hitting your site. Similarly, some ISP's will also not appreciate "malicious" traffic from your computer to a webhost.
Sectools.org has a comprehensive list of tools with explanations of what each one does. Look at the web tools and the vulnerability scanners and you will find something you feel comfortable using. Most of the other tools mentioned so far can be found there. Also, the Open Web Applicaiton Security project (owasp.org) has some good information on secure app development.
good luck.
Average Intelligence is a Scary Thing
If yours isn't a mass-market, mass-profit, hugely-popular site, you don't need to secure it. You just need to be different enough that the standard chinese attack vectors looking for standard run-of-the-mill popular web-site building packages don't find any.
Trust me, no one's going to your tiny site and trying to find the holes -- no matter how big they are.
We secure bank vaults with big heavy locks. Your house with a tiny mediocre lock. Your car door with a tinnier very crappy lock. Your car trunk with a down-right shitty lock.
Just be different. It'll get you through the 99% that you care about.
This suite of tools used to go under the name of "BackTrack", most recently BackTrack 5. It has now been named Kali Linux.
This is a full-blown Linux distro with all the security tools you are ever likely to need. Metasploit? It's there. Nessus? It's there. The actual list of tools is huge.
Kali won't teach you everything about using the tools (though there are good instructions available online). But it does offer all you could want in one package.
When it comes to security, take the time to learn the trade or don't do it yourself. Technical controls (like firewalls and intrusion prevention) and configuration (at the server or app level) are only part of security. Unless you know enough to think like an attacker, you can't adequately protect yourself.
Brute-force password crackers and the websites that evaluate passwords are a joke. It will take you X trillion years to crack your password? False. It will take someone with access to rainbow tables a short amount of time to create a password that hashes to the same as yours. Done. Or a "police officer" showing up with a warrant that demands access to your server. Or that a secretary turn over theirs. Someone physically (or wirelessly) connecting to the network bypasses firewall/intrusion detection completely (for most implementations anyway). Security appliance and operating system zero-days don't give you much of a fighting chance either. Common, VPN clients from well-known companies in the industry allow for credential gathering via MITM, for both IPSec and SSL VPNs. If you don't know about the methods that an attacker can use to attack you, how can you even begin to protect yourself?
Security is putting all of the technical controls in place to keep out intruders, and then realizing that you're going to get hacked anyway. It's impossible to avoid it, so realize that you can only make it less likely. Then put in controls to detect when you've been hacked. Are traffic patterns different than normal? Is there a flood of encrypted traffic going to a China IP address? Controls should detect that and tell you when something's up. Then there's the policies; define what is and is not allowed, and by whom. Is data backed up? How often? Are the backups readily available? Were controls able to gather enough data so that the source of a breach can be identified, because bringing a compromised system back on-line without identifying and fixing the method of compromise isn't going to do you much good. Follow that up with procedures to make sure that policies and best-practices are enforced. A seemingly simple firewall change could have drastic implications, like allowing all ICMP through a firewall to get pings or traceroutes working. It doesn't really matter if Person A configures a firewall correctly and avoids some of the more common pitfalls if Person B comes along and doesn't do something correctly.
Seriously though, either get yourself a good security guy or prepare to dive in. Security is like surgery, you probably don't want to experiment on yourself or learn as you go.
...an open source software scanner like OpenVAS (make sure conditions for your applications are covered), or a paid scanning service for small business like nCircle Purecloud.
Disclaimer: I'm affiliated with nCircle, but don't mind recommending a solid product for your situation.
Give these Linux distributions a try.
These are designed for pen testing and vulnerability scanning/analysis.
http://www.backtrack-linux.org/
http://www.kali.org/
I do quite a lot of testing and assessment work for my company as well as use/sell security and network equipment.
We use these extensively along with several others so I can speak from some experience.
http://www.netassurity.com
Try the OWASP website: https://www.owasp.org/index.php/Main_Page. They have a lot of free tools for doing security testing of websites.
Comment removed based on user account deletion
Check out https://purecloud.ncircle.com/solutions/en/WebApp/. It is not free, but it covers common web applications, and it is very easy to use. Disclaimer: I work for nCircle
Hopefully, you know this and have tested out your recovery procedure many times, but I have to say it.
You should have your entire website backed up to a clean drive at home. If one of your sites gets hacked, you just login and delete everything, then restore from a clean backup. Then you can start looking into how you were hacked and how to prevent it. You will only have minimal downtime, your customers will appreciate how quickly you took care of it. Tell your customers that you only do base level security, they may want to pay for a higher level of security. Let them pay for it.
Do a google search for hacker forums, perhaps even that one from a week or so back about those kids installing/activating remote control software although you're looking for someone with different skills and goals so maybe a different hacker forum related to website hacking.
Register an account, with your real website added to your signature and stir up the hornet's nest! How you do this is up to you; You can go the direct route and ask them to try. You can ask silly annoying questions that make you seem like an idiot and easy target, or just go outright trolling people and being a real jerk but the key here is to get noticed.
Alternatively, just go to 4chan and try to start a crusade against yourself*. Make up a story about what a piece of crap you are, and make sure to mention hatred for cats.
If you do it correctly the port scans, SQL queries, and DDOSes should happen quickly. Free of charge.
*not responsible for SWATs, pizza deliveries, photoshops, and real life repercussions that may occur. use at your own risk.
Check out the "Security Technical Implementation Guides" (STIGs) put out by DISA at:
http://iase.disa.mil/stigs/
and the "Security Configuration Guides" put out by the NSA at:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml
while following them fully is probably overkill for you they have a lot of good information on hardening systems and applications.
The only things tools can tell you is whether another person running the same tool could get in. For anything else they are pretty worthless. Also, the FBI/CIA does not have a clue about IT security. If you must name a TLA, make it at least the NSA.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Can you elaborate on this? A friend is looking for a VPN solution & is asking me for advice!
No matter what an intruder tries, if you put your operating system on read-only media, intrusion becomes limited.
Of course, installation and changes become more difficult because you must reboot with your media set to read-write, then reboot again to read-only. SDHC memory works well for this, since it has a read-write switch like the old floppy drives. Put the memory in a
USB "card reader" for SD
(microSD doesn't appear to have a read-write switch).
You can insert the SDHC in something that looks like a flash drive, then insert the whole in a USB slot.
Or, you can use something like the Adonics eSATA/USB Digidrive
http://www.addonics.com/products/aepddesu.php
to connect to your computer's eSATA port (if you have such a port on the back of your computer),
which is probably more efficient (fewer waits) than a USB 3.0 connection.
In Linux, you might choose to put most of your operating system on SDHC switched to read-only,
then put a variable area on a regular disk drive for logs, although you can put logs into a memory area that disappears on reboot.
Or you might put your webpages on a separate SDHC,
so your webpages get no intrusion changes.
You could then unmount your webpage SDHC, switch to read-write, make changes, unmount, switch to read-only.
In Debian Linux, the foundation for most Linuxes (eg, Ubuntu), you can look at the "Securing Debian Manual",
http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.pdf
Debian has a highly tailored Aide (like tripwire) that uses checksums to detect any file changes.
In Debian, "dar" Disk Archiver (like tar) makes backups on external disk drives, but dar probably requires some tailoring (I use dar).
For a firewall, you could use Debian's easily used Guarddog.
In some sense, Debian is the administrator's operating system -- for the serious.
Completely OT, but I've got Karma to burn
The last line of the first verse should read "You're a pal and a confidant". None of the Golden Girls went into space, though I'm sure they thought about sending Sophia there.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
You can use this free scanner to test your FTP or SFTP access.
http://www.filetransferconsulting.com/low-and-slow-ftp-scanner/
Set this utility up with about four garbage usernames, then your actual admin credentials in the username list, and put four junk passwords before your admin password in the password list. Then run the utility with one-second intervals. If your FTP server (or SFTP service) is set up well, your IP (and possibly your username) should be locked out before the utility gets to your legit credentials on its 25th try. (In other words, if the utility can sign on as you, your FTP or SFTP service could use some additional security.)
You may want to see if any of your local colleges have computer security tracks. You may be able to do an Internship, or someone may
be available to just do it for experience. YMMV
While you are doing these scans, please note, you may clog up your pipes to the Internet. If you are using hosted services
DO NOT RUN SCANS WITHOUT NOTIFIYING THE HOSTING SERVICE.
There are many sites with CVE information, Secunia is ok, search for applications you care about.
http://secunia.com/community/advisories/historic/
Be careful scanning log files, at least sanitize them before you read them.
You should probably know what ports should be open on which systems.
A spreadsheet of systems/applications/versions of SW OS... would be a good start.
Look for ports that are open, or Listening that shouldn't be...
I'd recommend you proxy your web site through CloudFlare -- www.cloudflare.com -- by having them handle your DNS. You can read more about them at their web site -- I'm not affiliated with them in any way. They offer a free proxy service that acts as a web application firewall and will do a good job at blocking hack attempts.
From there, you should restrict your webserver's firewall to only allow traffic from CloudFlare's known IPs, so people cannot directly hit your webserver.
If Linux, install fail2ban on the SSH daemon + require SSH-key based access (no passwords!)
Finally, get a copy of the home version of Nessus from Tenable and use that to scan your server. It's interface is relatively easy to use, and if you hit your webserver IPs every couple months with this, in addition to using CloudFlare and hardening your SSH daemon, you should be in good shape and not have to worry about silly hacks.
I'd venture acunetix from http://www.acunetix.com/ it does a decent job
https://code.google.com/p/skipfish/
If you don't understand the application-layer issues which might be present in your programs, then you won't necessarily understand what the tools (whichever) are trying to tell you. Read and learn, grasshopper. You can get a ton of info from OWASP (http://owasp.org) for free, including some issue-specific "cheat sheet" pages. Next, buy the Web Application Hacker's Handbook. Really, do it now, or at least after you've read the OWASP stuff. It's in dead-tree and e-book versions, now second edition.
Tool-wise, go to portswigger.net, and download the freebie version of Burp Suite. It doesn't have the scanner portion, but you can proxy all your traffic through it, and see what happens when you twiddle all the things that might be twiddled. Buy the pro version (few hundred bucks/year) when you're ready for the other features. By then, you'll know why you want them. The author is Dafydd Stuttard, one of the WAHH book authors. Great support, helpful and responsive.
Oh, and the suggestions for Nessus, OpenVAS and Backtrack/Kali aren't bad, they're good tools. Mostly for the infrastructure-level things such as the operating system and known services which are exposed, though this does include your web server. They mostly won't tell you much about your one-off apps though.
Your intent is clear as mud.... "you'll never get the knowledge, so what tools/suites are available?" is not a feasible approach to security, and will teach you absolutely nothing (using pre-canned tools shows what someone else *might* know about security at best). Following this route you'll end up like a site I visited once where they had insane password policies, and unwieldy access control, only to find that all that complexity was pointless because their passwords are being exposed via telnet/rsh.
Security isn't "Black Magic" (though sometimes it might seem so), and the same principles that applied decades ago still apply today and for the foreseeable future.
Security is a systematic process (be it top down, or bottom up)... identify what you are exposing, understand the purpose of each exposure and why you need it, and then reduce what you have exposed to the bare minimum. This will solve the vast majority of blatant security issues, and you will likely learn a significant amount in the process.
Once you have a "core" to work from, you can start to focus in specific attack vectors for what is left... which is likely far less overwhelming then trying to just dive in from the start, trying addressing problems that may not even be the at the root of your security issues.
If you are going to get into active testing, then I think professional ethics demand you take precautions to avoid harming other users or their systems, even (or especially) by mistake.
If you have two computers, then set up a little testing lab for yourself. Take both machines off the Net but put them on the same LAN (preferably a wired LAN but wireless will do). Set up one box as the target with a Web server and the site of your design. Use the other to run your attacks, Kali Linux or whatever.
The reason to do all this on a LAN is quite simply to avoid accidentally scanning/attacking some unintended host, and to avoid violating any laws or terms of service that prevent you running attacks. If you test a target on the real Internet, you may accidentally hit something else by mistake, especially if you're a beginner. Whereas on your own LAN you can be as wild and experimental as you want and no one will complain.
It may sound like a lot of work to set up an isolated network, but explaining to an ISP or a judge that you really had perfectly innocent intentions is also a lot of work.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
"Do-it-yourself Cryptography"
"Home Heart Surgery"
"Roll Yer Own O.S."
"Kernel and Driver Programming for Dummies"
A lot of this conversation has been about remote security scans, but once you find a vulnerability, how do you remediate it? How do you maintain your security posture, and continue auditing your hosts on a regular bases? To what standard?
The National Institute of Standards & Technology provides a lot of help to those attempting to implement security standards.
First is the Security Content Automation Protocol (SCAP) - scap.nist.gov. This defines how you manage, measure and evaluate vulnerabilities.
Second would be SCAP content. You'll note on the NIST SCAP page the word "community" appears 5 times in the first paragraph. That's not on accident. SCAP content is generally community generated, and there are lots of great lists of people working on SCAP content for a variety of operating systems.
Red Hat maintains the gov-sec mailing list and fedora, for example has loads of content available for Red Hat Enterprise Linux based systems.
Our friends at NIST also publish what is called the US Gov't Configuration Baseline (USGCB for short). USGCB content is available in SCAP format for Windows & RHEL. These standards are certainly a good starting point.
If your standards come in the form of a STIG - that content is available as well from the Aqueduct project.
[Disclaimer - I work for Red Hat, I support the US Gov't, and I think making security easier is probably an important thing to do]
While they are out of date for most new operating systems (they probably ran out of funding), the NSA security guides are a good place to get started in securing your system. You can find them for most major operating systems here:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
On Linux it is good to install rkhunter to scan for rootkits and it does several other security checks like tripwire, etc.:
http://rkhunter.sourceforge.net/
I would only do the following tools if you are trying to get scanning for an entire corporation or institution. These tools are not free:
CIS Benchmarks - Scans for most of the NSA guide suggestions. Requires member$hip,
but does have 30 day eval: http://benchmarks.cisecurity.org/membership/categories/
McAfee Vulnerability Manager - Site wide patch and vulnerability scan: http://www.mcafee.com/us/products/vulnerability-manager.aspx
The SDHC read-write tab? It's more like a vague suggestion than a lock. I've yet to find a card reader that will actually refuse to write to a "write-protected" card.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Mainly in efficiency - it runs in Ring 0/RPL 0/PnP Kernelmode (on Windows), as merely a filter for the IP stack (no overheads of more driver layers OR browser level slower less efficient addons):
21++ ADVANTAGES OF CUSTOM HOSTS FILES (how/what/when/where/why):
Over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs).
1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program). A truly "multi-platform" UNIVERSAL solution for added speed, security, reliability, & even anonymity to an extent (vs. DNS request logs + DNSBL's you feel are unjust hosts get you past/around).
2.) Adblock blocks ads? Well, not anymore & certainly not as well by default, apparently, lol - see below:
Adblock Plus To Offer 'Acceptable Ads' Option
http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option )
AND, in only browsers & their subprogram families (ala email like Thunderbird for FireFox/Mozilla products (use same gecko & xulrunner engines)), but not all, or, all independent email clients, like Outlook, Outlook Express, OR Window "LIVE" mail (for example(s)) - there's many more like EUDORA & others I've used over time that AdBlock just DOES NOT COVER... period.
Disclaimer: Opera now also has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..
3.) Adblock doesn't protect email programs external to FF (non-mozilla/gecko engine based) family based wares, So AdBlock doesn't protect email programs like Outlook, Outlook Express, Windows "LIVE" mail & others like them (EUDORA etc./et al), Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, OR make you reach them faster since you resolve host-domain names LOCALLY w/ hosts out of cached memory, hosts do ALL of those things (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions (in-addr.arpa) via NSLOOKUP, PINGS (ping -a in Windows), &/or WHOIS though, regularly, so you have the correct IP & it's current)).
* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP adresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!
6.) Hosts files don't eat up CPU cycles (or ELECTRICITY) like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can since hosts files run in MORE EFFICIENT & FASTER Ring 0/RPL 0/Kernelmode operat
I would bump Kali Linux as the true DIY solution.
-OR-
You could just leave it up to someone else and have someone to blame. These guys would make a good scapegoat:
http://sitecheck.sucuri.net/scanner/
I have actually used their scanner to find a backdoor in a common PHP script that shall remain nameless. They did report exactly where the vulnerable file was. After I deleted the file they told me the site was secure. Simple.
Not really DIY and I wouldn't trust anyone 100% but if you pay for a service you have done due diligence to CYA and you can just bill your customer.
The operating system often seems to write to a lock-switched memory card, and "ls" indicates it has.
But removing the card reveals data has not been written.
I'll keep an eye out for actually writing when actually lock-switched.
I have now actually checked this.
I switched an SDHC to read-only, wrote a file to it on Linux, took the SDHC to another computer, and the file was indeed written.
So, the SDHC lock is no guarantee against writing, and is apparently useless.
I stand corrected, and thank Carnildo for ending my misadventure.
I prefer using read-only hardware to "chattr -i" immutability plus a Linux kernel enforcing this,
since the software approach is cumbersome and changes files' ctime attribute.
What is available?
The following in the alternate model AEPDDESUWP will not write to any memory it can read,
and outputs to either eSATA or USB computer ports,
http://www.addonics.com/products/aepddesu.php
I still need to put my operating system on flash memory before I insert it into such a read-only device.
Thanks for the follow up. I'm a fan of good USB3 memory sticks and virtual machines with Vbox/xen/HyperV as needed for my link clicking :) Pretty easy to set the file read only and check the hash when done/revert as needed.