There Is No Spoon

Mon, 21 Apr 2008 10:22:11 GMT
by pdp

Our guest blogger for this month is Paul Asadoorian, one of the crew behind PaulDotCom Security Weekly - the best security podcast on the Web. Paul is a holder of various security degrees and qualifications and he is incredibly active around the embedded devices hacking research. Paul is also co-author of the "Linksys WRT54G Ultimate Hacking" book, a must read reference for everyone who is interested in the WRT54G architecture. In this post, Paul is suggesting several things to keep in mind no matter which side of the fence you are at. These are his words:

I just completed teaching a SANS course here in RI called "Cutting-Edge Hacking Techniques". Its a fabulous course written by none other than Ed Skoudis, SANS instructor extraordinaire, and one of the biggest fans of the Matrix movie series (seriously, I swear he watches it at least one, maybe twice, a week!).

In any case, the course is a fantastic voyage through some of the latest methods and techniques used by hackers today. It covers virtual machine detection, the latest Nmap & Metasploit features, and several techniques used by hackers to create covert channels and hide malware on systems. While all of this is cool, one of the most valuable lessons we can take away from this course is that security is not about building a perimeter, nor is about software vulnerabilities and exploits.

If you're an "evil bad guy" security is about outsmarting your opponent and exploiting their weaknesses. If you're a good guy, its about not getting outsmarted and ensuring that you strengthen your weaknesses. Many focus too much on building a perimeter, and patching our software. While this is important, these two methods of defense alone leave you vulnerable to many attacks:

  1. Social Engineering - While some penetration testers may see this as a "cheap shot", attackers have no problem tricking your users to do evil things. Handing out USB thumb drives with malware, posing as employees, and calling users on the phone pretending to be the help desk are all fair game. What does this ultimately give the attacker? Why access to your internal network of course!
  2. Internal Weak Protocols - On just about every assessment there is at least one insecure internal network communications protocol in use that can be easily exploited. Typically there are FTP servers and systems administrators using RDP (Remote Desktop Protocol) to manage systems and transfer files. Using sniffers and MITM (Man-In-The-Middle) attacks, you can abuse these protocols to steal sensitive information.
  3. Wireless - No matter what, an open or poorly secured wireless network can almost always be used to collect sensitive information. In some cases it can be an easy way through the hard and crunchy outside, giving you access to the "soft and chewy center". Some of the most popular data loss cases have been carried out due to the exposure of wireless networks (TJX for example). Companies are still trying to protect wireless networks using MAC address filtering or WEP, and it just doesn't work.
  4. Web Applications - Its been reported that 7 out of 10 web sites are vulnerable to XSS (Cross-Site Scripting) attacks. The advancement of the Internet and the usability of web development tools and languages has allowed the web to explode with new web sites and applications. These are actively being abused by attackers, bypassing the firewall and often several other protections put in place by organizations.
  5. Passwords - When attacking systems it is highly unlikely that 80% of them will have a remotely exploitable buffer overflow vulnerability. But thats okay, because accessing just one system can often give you enough information to exploit several others. This is done in two ways, 1) exploiting trust relationships 2) Stealing/cracking user's passwords. People use weak passwords and trust relationships get created for essentially the same reason, people are too busy to implement security properly (laziness plays a factor as well). Attackers take advantage of this, defenders often overlook this in favor of focusing on applying patches or updating anti-virus software, both of which does little to stop these types of attacks.

So what do we do about it? Below are some tips to get you started and get back to basics:

  1. There is no "inside" - Treat your network as if it is always exposed directly to the Internet, because essentially, it is (see points above). For example, use secure protocols (SSH, Radmin) on the "inside" of your network.
  2. Process, not product - Improving your security process and embedding it into everything that you do will have a much more significant impact than buying vendor X's shiny new security appliance. For example, have a password policy and enforce it.
  3. Harden Systems - Go back to basics and focus on hardening your systems. Lock down your USB ports so they are not vulnerable to attacks from U3 enabled smart drives, turn off the services that you are not using (i.e. FTP), disable the default or sample web applications that come with your systems, and implement multiple levels of filtering and protections for your applications.
  4. Monitoring & Logging - I'd rather know that an attack has occured, than only block 50% of the attacks coming at my network and not even know about the other 50%. Configure IDS systems, keep the signatures up-to-date, monitor egress, and have a process to check the logs and respond to incidents. Log information from your systems and develop a similar process for checking and responding. This is not to say that you need to log every packet coming in and out of your firewall, but be selective (maybe only log what is allowed on certain systems). Most importantly log and alert on who is logging into all your systems.

Whether you are an attacker (penetration testing) or responsible for defending your network(s) remember, there is no spoon...

Archived Comments

I recently attended a training seminar on business decision making and one of the most interesting things the speaker pointed out was that the best solution to a problem is to recast the situation so that the problem is no longer a problem. This is classic "out of the box" thinking. It's interesting to see network security evolve a paradigm shift that treats the network as hostile (even the internal network). It is this kind of shift that allows you to remove many traditional "problems" of security by assuming they're actually the norm rather than anomalous. I think the crux of this approach is to recognize that most servers provide open services to the internet. When an attacker attempts a brute force of a service it's not actually an attack, or even an exploitation of the service, the attacker is utilizing the service *exactly* as it was intended. While the behavior may be the harbinger of "very bad" things to come, the system itself is operating according to design. In order to remove the attacker's brute force attack you have to fundamentally change the design of the public service, or accept the attack as part of the normal state affairs.