Ask Fyodor Your Network Security Questions

Fyodor is the driving force behind Insecure.org and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us.
This discussion has been archived. No new comments can be posted.

  • My Question... (Score:5, Interesting)

    by tx_kanuck ( 667833 ) on Monday May 12, 2003 @12:07PM (#5936991)
    As networks become more complex, and hackers become more sophisticated, how do you see the use of honeypots evolving? Do you think they will have to become mini-networks that can actually be used in order to prevent them from being detected as honeypots? Or do you think the use of honeypots will just be phased out like many other security tools in the past?
  • Work guidelines? (Score:3, Interesting)

    by eaddict ( 148006 ) on Monday May 12, 2003 @12:07PM (#5936996)
    How do you find what you do surviving the likes of DMCA/Patriot Act II/etc.?
  • by Neck_of_the_Woods ( 305788 ) * on Monday May 12, 2003 @12:07PM (#5936997) Journal
    If you could get the computer world to agree to change one fundamental thing in computer security on all OSs across the board what would it be?

  • by Noryungi ( 70322 ) on Monday May 12, 2003 @12:08PM (#5937002) Homepage Journal
    I have just read your top 75 security tools [insecure.org] list. Thank you for posting all this information, which I am going to study very carefully.

    One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

    Thanks in advance!
  • DMCA? (Score:5, Interesting)

    by Anonymous Coward on Monday May 12, 2003 @12:09PM (#5937006)
    Has the DMCA hindered your company in any way, do you see it as working against security professionals around the US or helping those of us who are interested in security as a career path?
  • libnet (Score:3, Interesting)

    by sfraggle ( 212671 ) on Monday May 12, 2003 @12:09PM (#5937011) Homepage
    Why doesn't nmap use libnet [packetfactory.net]?
  • by lewp ( 95638 ) on Monday May 12, 2003 @12:10PM (#5937019) Journal
    On any project like this where there's potentially evil uses mixed in amongst the various good ones, you're bound to get a few angry people who don't understand how helpful your work is to the community at large.

    How much criticism do you have to deal with? And how does it compare to the kudos you receive, quantity-wise? Has it ever made you doubt what you're doing?

    PS- Thanks. nmap proves its usefulness to me every day.
  • Security Updates (Score:5, Interesting)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Monday May 12, 2003 @12:12PM (#5937033) Homepage
    It seems that the number of security exploits and updates is growing as more people start experimenting with trying to break systems. Now I'm subscribed to BugTraq et al. but find it hard to keep on top of what is going on and what I need to update. What would you say are good tools for keeping up to date across multiple systems and platforms?

    Rus
  • There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

    What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
  • RTFM (Score:5, Interesting)

    by smittyoneeach ( 243267 ) on Monday May 12, 2003 @12:13PM (#5937042) Homepage Journal
    What are 'good' dead-tree references for the following categories:
    FNG--Fscking New Guy
    -Terminology, broad-brush concepts, checklists, good reference list
    Suit
    -Management concerns, planning
    Expert
    -Detail, performance considerations

    Categories are arbitrary; others will segment the market differently. Mainly seeking recommended authors/titles. Full-on reviews are too space-consuming.
  • The human element (Score:5, Interesting)

    by mental_telepathy ( 564156 ) on Monday May 12, 2003 @12:14PM (#5937045)
    The Honeynet project seems to focus a significant amount of attention to the culture of the attackers (extensive logs of IRC chats, for instance.) Do you think the research the honeynet project is doing might make some headway in preventing social engineering attacks (The only hole nmap can't tell you about)?
  • by adturner ( 6453 ) on Monday May 12, 2003 @12:14PM (#5937046) Homepage
    I saw the Top 75 Security Tools survey you did. Lots of great tools there. But I can't help but think that the security community still has plenty of tools that need to be written. So I'm curious what kind of new tools would you like to see written, re-written from scratch, or merged together to create a better tool? Basically, where do you see the missing pieces in the security community toolkit? What kinds or pieces of software would you encourage people in the slashdot community to write?
  • Super-DMCA (Score:5, Interesting)

    by ziggy_zero ( 462010 ) on Monday May 12, 2003 @12:17PM (#5937067)
    What is your opinion on the proposed "Super-DMCA" acts being proposed in several states, which would make honeypots illegal?

    Here's [securityfocus.com] the article on it that ran in Slashdot awhile ago.

    Basically, the law says you can't "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service" - thus making honeypots illegal, even when used to thwart illegal computer activity.

  • Curious Yellow? (Score:5, Interesting)

    by griffjon ( 14945 ) <.GriffJon. .at. .gmail.com.> on Monday May 12, 2003 @12:19PM (#5937091) Homepage Journal
    Do you think that Brandon Wiley's thought-design of "Curious Yellow" (paper at: http://blanu.net/curious_yellow.html or http://www.securiteam.com/securityreviews/6U00L1P5PY.html) will come about as he's laid out? It seems like not an unlikely scenario once someone puts some effort into actually designing it. What are your thoughts about the evolution of 'smart' worm attacks balanced against the need for good network security scanners?
  • IPv6 (Score:5, Interesting)

    by binaryDigit ( 557647 ) on Monday May 12, 2003 @12:22PM (#5937112)
    Since ipv6 is supposed to address many of the security issues inherent in ipv4, should there be more of an industry push to adopt it quicker? Or, having had many years now since ipv6 was drafted, have we learned more about the types of attacks/tactics, and therefore should ipv6 be updated? Seems like now would be the time to do it since ipv6 still has not been adopted and changes could be made without too much disruption or cost (time or money).
  • by Anonymous Coward on Monday May 12, 2003 @12:23PM (#5937117)
    I've heard that using "exotic" OSs for network security like OpenBSD on SPARC, NetBSD on SuperH, and Windows NT on Alpha will help increase my security. Could you verify this?

    Thanks?
  • by Hulver ( 5850 ) on Monday May 12, 2003 @12:26PM (#5937141) Homepage
    During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin?
  • "Given the choice between dancing pigs and security, users will pick dancing pigs every time." -- Ed Felten

    examples:

    * "SSH shows a warning that the host key has changed. The user ignores it and continues on."

    * "The browser warns that an SSL certificate doesn't match the host IP. The user ignores it and continues on."

    * "The browser asks if you trust the signer before running some piece of ActiveX. The user ignores it and continues on."

    * "The sysadmin warns not to share passwords. The users ignore that too."

    Now the question. It seems to me that despite all the work being done in the security field, back in reality things have gone from bad to worse. People constantly sidestep the very systems that are put in place to protect them. Is anything being done in the computer security field to address this important "Human Factors" aspect?

    --
    Simon

  • Re:Idea (Score:5, Interesting)

    by zeeble ( 460056 ) on Monday May 12, 2003 @12:30PM (#5937167) Homepage
    How crazy is the idea of having a hardware based (where all security tools are hardcoded to the chip, and there is some way of updating, like BIOS flashing) security system installed on machines, rather than using software to detect flaws? Also, do you see buffer-overflow related problems decreasing? As a followup, is gcc a secure enough compiler, or are commercial compilers like say Intel's C++ compiler more effective?
  • by Anonymous Coward on Monday May 12, 2003 @12:33PM (#5937186)
    I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
  • As more and more applications are written from a standard base (servlets on a J2EE server, PHP under Apache interfaced via HTTP instead of a proprietary protocol, etc.), how relevant are low-level tools? The proliferation of high-level applications means that the OS becomes almost irrelevant--the firewall only allows HTTP through, and a load balancer tosses requests to different servers that might very well be heterogeneous insofar as operating systems and other low-level implementation details are concerned.

    Given all of this, what motivation is there for a modern CS student to learn things like the 3-way TCP handshake, or the differences in implementations in various TCP/IP stacks, when the base level of the equation is irrelevant from a security standpoint? How can I convince our network administrators that it's worthwhile to learn something other than JNDI when it comes to network protocols; that for security and network troubleshooting, nothing will ever top a simple Ethereal packet trace?

    Jouster
  • Perception of Access (Score:4, Interesting)

    by Lieutenant_Dan ( 583843 ) on Monday May 12, 2003 @12:37PM (#5937212) Homepage Journal
    What would you say is the line where someone's activity could be considered "unauthorized access"?

  • by swordgeek ( 112599 ) on Monday May 12, 2003 @12:37PM (#5937214) Journal
    Given that effectively ANY tool can be used for good or evil, and also given that we can't completely eliminate risk...

    How can we develop and promote the state-of-the-art in security (tools, understanding, knowledge) while giving as few gems as possible to the criminal wannabes of the world? In other words, how can we bias the work and research towards the defensive, rather than progress that's either neutral or preferentially offensive?
  • Legal implications (Score:5, Interesting)

    by paranode ( 671698 ) on Monday May 12, 2003 @12:39PM (#5937234)
    A recent SecurityFocus article talks about possible legal implications for people who administer honeypots (here [securityfocus.com]). Do you feel that this is a legitimate concern, and have you or your colleagues run into any legal issues with honeypots or the use of Nmap and similar tools? Thank you.
  • by Neologic ( 48268 ) on Monday May 12, 2003 @12:40PM (#5937240)
    nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
  • Currently attempts to secure networks depend on "band-aids" over inherent problems in the design of protocols and protocol implementations (software.) Relatively little effort has gone into solving security problems before they are created. I know IPv6 has taken some steps in the right direction - where would you start?
  • by Anonymous Coward on Monday May 12, 2003 @12:45PM (#5937275)
    Why do you think system administrators (more so NT) do not have the ability to figure out what program/daemon is keeping the port open on their systems?

    After a user uses nmap to enumerate open ports on their systems, what tools should they use to determine what program is keeping that port open?
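On Linux, the answer to the question above is the kernel's own socket table: /proc/net/tcp lists every TCP socket with its state and inode, and /proc/&lt;pid&gt;/fd links that inode back to the process holding it (this is what tools such as `netstat -p`, `ss -p` and `lsof -i` do). The program below is an added example written for this page, not something from the thread or from Nmap; it assumes a Linux procfs layout and, for the self-test, uses a constructed /proc/net/tcp line rather than live data.

```c
/* List LISTEN sockets from /proc/net/tcp and map each to its owning process.
 * Added example, not from the original page. Assumes Linux procfs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#include <ctype.h>
#include <arpa/inet.h>

#define TCP_LISTEN_STATE 0x0A   /* state code the kernel prints for LISTEN */

struct tcp_entry {
    unsigned int local_ip;      /* raw 32-bit value as printed by the kernel */
    unsigned int local_port;
    unsigned int state;
    unsigned long inode;
};

/* Constructed sample lines in the /proc/net/tcp format (not captured from a real host). */
const char *SAMPLE_LISTEN_LINE =
    "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0";
const char *SAMPLE_ESTABLISHED_LINE =
    "   1: 0100007F:8ED2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1";

/* Parse one data line of /proc/net/tcp. Returns 1 on success, 0 otherwise. */
int parse_tcp_line(const char *line, struct tcp_entry *e)
{
    unsigned int rip, rport;
    int n = sscanf(line, "%*d: %x:%x %x:%x %x %*x:%*x %*x:%*x %*x %*u %*u %lu",
                   &e->local_ip, &e->local_port, &rip, &rport, &e->state, &e->inode);
    return n == 6;
}

/* Returns the local port if the line describes a LISTEN socket, else -1. */
long listening_port_of(const char *line)
{
    struct tcp_entry e;
    if (!parse_tcp_line(line, &e) || e.state != TCP_LISTEN_STATE)
        return -1;
    return (long)e.local_port;
}

/* The kernel prints the address in host byte order, so the parsed value can be
 * stored straight into s_addr on either endianness. Returns a static buffer. */
const char *ipv4_to_string(unsigned int raw)
{
    static char buf[INET_ADDRSTRLEN];
    struct in_addr a;
    a.s_addr = raw;
    return inet_ntop(AF_INET, &a, buf, sizeof buf) ? buf : "?";
}

/* Scan /proc/<pid>/fd of every process for a "socket:[inode]" link. Returns pid or -1. */
long find_pid_for_inode(unsigned long inode)
{
    char want[64], path[512], target[128];
    snprintf(want, sizeof want, "socket:[%lu]", inode);
    DIR *proc = opendir("/proc");
    if (!proc) return -1;
    struct dirent *d;
    long found = -1;
    while (found < 0 && (d = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)d->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/fd", d->d_name);
        DIR *fds = opendir(path);          /* fails silently for other users' processes */
        if (!fds) continue;
        struct dirent *f;
        while ((f = readdir(fds)) != NULL) {
            snprintf(path, sizeof path, "/proc/%s/fd/%s", d->d_name, f->d_name);
            ssize_t len = readlink(path, target, sizeof target - 1);
            if (len < 0) continue;
            target[len] = '\0';
            if (strcmp(target, want) == 0) { found = atol(d->d_name); break; }
        }
        closedir(fds);
    }
    closedir(proc);
    return found;
}

int main(void)
{
    FILE *fp = fopen("/proc/net/tcp", "r");
    if (!fp) { perror("/proc/net/tcp"); return 1; }
    char line[1024];
    fgets(line, sizeof line, fp);           /* skip the header row */
    while (fgets(line, sizeof line, fp)) {
        struct tcp_entry e;
        if (!parse_tcp_line(line, &e) || e.state != TCP_LISTEN_STATE) continue;
        long pid = find_pid_for_inode(e.inode);
        char comm[64] = "?", cpath[64];
        if (pid > 0) {
            snprintf(cpath, sizeof cpath, "/proc/%ld/comm", pid);
            FILE *cf = fopen(cpath, "r");
            if (cf) { if (fgets(comm, sizeof comm, cf)) comm[strcspn(comm, "\n")] = '\0'; fclose(cf); }
        }
        printf("%s:%u  inode=%lu  pid=%ld  %s\n",
               ipv4_to_string(e.local_ip), e.local_port, e.inode, pid, comm);
    }
    fclose(fp);
    return 0;
}
```

Run it as root to see every listener; as an ordinary user, /proc/&lt;pid&gt;/fd of other users' processes is unreadable and those rows show pid=-1, which is exactly the situation the poster is asking about. /proc/net/tcp6 has the same format with 32 hex digits for the address, and /proc/net/udp covers UDP listeners.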
  • by Tim_F ( 12524 ) on Monday May 12, 2003 @12:46PM (#5937287)
    in a negative manner?

    Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

    And if you haven't, why is that the case?
  • by Jouster ( 144775 ) * <slashdot@angel[ ].com ['faq' in gap]> on Monday May 12, 2003 @12:49PM (#5937306) Homepage Journal
    A modern firewall administrator has a very easy job, it seems--all her users care about is their DNS service and their Web access (and, with a good Web proxy, you don't even really need to have an inward-facing Internet-recursive DNS). Indeed, most users blithely assume that "The Internet" and "The Web" are the same entity.

    A modern protocol designer has to choose between efficient data representation and firewall penetration. She will almost always choose the latter. Thus we have a thousand X-over-HTTP protocols, most of which are replicating services (like RPC) that are exactly what the firewall administrator was trying to block.

    As everything becomes X-over-HTTP, how long will it be before we see stateful HTTP firewalls to block malicious kinds of data flowing over HTTP? And when firewall administrators again take the easy way out, blocking everything but "plain" HTTP, how do vendors send their data? Are we, in fact, turning the Internet into the Web? Eventually, it seems that application communication will just be a special case of a Web browser fetching a URL. By tunneling everything over HTTP, and eventually dropping even the tunneling, is the Internet in danger of becoming nothing but the Web--sure, there are other services running, but nobody but the occasional network admin on an un-firewalled network can reach them?

    Jouster
  • I recall last year you hacked a slashdot user and publicly posted that information to your site. Fortunately it was archived prior to you removing it, and is available via cache search.

    Odds are this will be modded down as it is contrary to the blind doe-eyed fan-boisticism. I am genuinely curious.
  • Feature for nmap (Score:5, Interesting)

    by CausticWindow ( 632215 ) on Monday May 12, 2003 @01:11PM (#5937474)

    I've been using nmap for quite some time now, and it's an excellent tool by all accounts.

    My question is, do you plan to implement firewall discovery? Instead of just reporting what ports are open, you could report:

    - closed
    - opened
    - filtered (no reply)
    - firewalled (firewall reply)

    As suggested in the latest phrack.

  • by Anonymous Coward on Monday May 12, 2003 @01:12PM (#5937477)
    >I'll be graduating this month with a shiny new BS in Computer
    >Science. I've done plenty of Unix sysadmin work througout college and
    >even deployed some high-interaction honeynets. I'm very interested in
    >network security and systems programming. Do you have any advice for
    >people in my situation who want to head into a career in network
    >security?
    >

    I've recently landed my first job as a pen-tester. To get here I spent the last eight years reading everything I could get my hands on regarding information security: books, white papers, man pages etc. More importantly it's important to get direct experience of as much of the theory as possible. Run up a few machines as a local network. Sniff the wire. See how a Windows box looks from Linux, and vice versa. Use and understand the differences between OpenBSD and Linux. Try to download, compile and test new tools whenever you see them mentioned. Break into your own machines. Ask yourself how you would prevent that attack working. Fix it, start again. Put up an undefended default install on a cable modem with a stealth IDS / tcpdump running; watch the kiddies come running. Watch them at play (important: do NOT let them jump out of your box and attack others!) repeat with other OSes. Read bugtraq, full disclosure, nanog, incidents. Read as many O'Reillys as possible. Learn Perl. Learn C. Learn Visual Basic. (no, really,.. you'd be surprised how useful that can be when it comes to ASP apps :) Always remember you have more to learn. Try to get a broad AND deep knowledge - you want to avoid the trap of becoming a guru of a very narrow field; security people have to be generalists to some extent (you know what AppleTalk looks like on the wire? NetBIOS? ftp?) Read, read, read. If you're still doing it after five years (during which time you are working in IT, but unlikely to be in a security role: sadly very few companies, except the biggest, spare resources for dedicated info-sec people) *and still enjoying it* - that is, you would still be doing it even if you weren't trying to break into the field - then you'll be good when you finally get what you want.
    Stick at it: it's soooo worth it. I've had more fun in the last six months than in the previous 8 years combined. And, to my surprise, I've found myself feeling a strange... pride? no, 'responsibility' is closer I think - when I was told that a pentest I performed on a local utility, during which I got some sensitive personnel data and some highly sensitive, uh, 'test results', was being conducted due to the generalised review of security post Sept. 91. And I realised that in a very small way, I'm making the world a better place. I really hadn't expected that, hadn't really thought about it in the context of work (Free software, yes! :) and it really did make all the fucked relationships, tedious nights curled up with a boring man page or another vacuous commercial whitepaper on "the hacker threat!" and a bottle of wine for company, worthwhile.

    Best of luck!
  • by Krieger ( 7750 ) on Monday May 12, 2003 @01:14PM (#5937498) Homepage
    I've been doing network security for a while now, but I still have yet to find a nice single sentence summary for why security is necessary, that is easily understood by everyone who hears it from the techie to the manager.

    Do you have any suggestions?
  • by cornice ( 9801 ) on Monday May 12, 2003 @01:17PM (#5937523)
    It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
  • ipv6 support in nmap (Score:2, Interesting)

    by nnet ( 20306 ) on Monday May 12, 2003 @01:25PM (#5937578) Journal
    At present, nmap has limited ipv6 capabilities, are you going to add more ipv6 functionality in the near future?
  • Trusted Computing (Score:3, Interesting)

    by Anonymous Coward on Monday May 12, 2003 @01:25PM (#5937583)
    All security experts have opinions on Trusted Computing, which goes under various names such as TCPA, Palladium, NGSCB, TCG, DRM,... The Slashdot community tends to say that this is security at the cost of freedom, and disapproves of it. But not all role models in the world of computers seem to agree with this. Linus Torvalds, who gave Linux its name, for example, openly blesses DRM. What do you think about Trusted Computing? Do you see it as an additional value to computers, or more as an erosion of our freedom? And even more important, why do you think so?

    Background info: Linus Torvalds blesses DRM [theregister.co.uk]
  • End User Training (Score:5, Interesting)

    by truffle pig ( 555677 ) on Monday May 12, 2003 @01:27PM (#5937596)
    I spend a lot of time reading and training myself on how to prepare myself and the systems I manage against attacks and other hostile acts. I find much of this to be a fairly linear technical task.

    I often find myself at a loss as to how to help train the end users at my company on how they can help ensure the security of their systems and help prevent things like social engineering attacks and what good password practices are.

    I usually run into problems of user apathy, training materials or discussions being too technical, or trying to apply technical training techniques to sometimes non-technical problems such as the aforementioned social engineering attack.

    Have you found a good way to educate largely non-technical end users on ways that they can help contribute to the overall security of the systems of the company they work for? What should be included in the training? What should be left out?

    Thanks
  • OS fingerprinting (Score:5, Interesting)

    by neoThoth ( 125081 ) on Monday May 12, 2003 @01:34PM (#5937640) Homepage
    What are the latest advances in fingerprinting networked devices that seem most promising to you?
    I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture.

    What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
  • by Anonymous Coward on Monday May 12, 2003 @01:42PM (#5937688)
    In that list only two "information management" or "intrusion management" applications are listed. GFI Languard (actually mentions lanscan but calls it Languard) and possibly etherape. There is no mention of any commercial products (Contego [trigeo.com] NetIQ [netiq.com] Tivoli Risk Manager [ibm.com] ArcSight [arcsight.com] NeuSecure [guarded.net]) or free (ACID [cmu.edu] SnortSAM [snortsam.net]) products.

    What is your opinion of this class of products in their ability to allow a network admin to be knowledgeable about the security of their own network and respond to threats?
  • by Triode ( 127874 ) on Monday May 12, 2003 @01:58PM (#5937782) Homepage
    Given the many ways in which I can make a machine a passive listening device on the LAN to gather information (even in a switched environment), do you see future security focusing on authentication mechanisms on the LAN, even for the simplest of things (e.g. to get connected to a switch, to allow a MAC address, etc)? Going to a larger scale, do you see something like this taking place on the WAN? Let's say (putting on my let's-get-nasty hat) Microsoft Palladium (.net, NM$FPSG, whatever they call it now) authentication + your MAC address just to get connected to the net?

  • by calethix ( 537786 ) on Monday May 12, 2003 @02:11PM (#5937868) Homepage
    "I still have yet to find a nice single sentence summary for why security is necessary"

    Have you tried this one:

    Please give me your name, SSN, address, mother's maiden name credit card numbers/expiration dates and the keys to your home.

    If that one doesn't work then try this: Please point a gun to your head and pull the trigger.
  • Wheee!!! (Score:2, Interesting)

    by TyrranzzX ( 617713 ) on Monday May 12, 2003 @02:15PM (#5937889) Journal
    Obviously, as time goes on we'll be getting new technologies such as self-configuring networks and networks with some level of consciousness capable of detecting and stopping break-ins as well as doing a number of mundane things such as patching automatically and updating software. The current nearly 20 year old approach to compromising these networks through software exploit or social engineering will be nearly impossible to do from right off of the bat as we've all seen them before; what kinds of attacks do you anticipate happening on these kinds of networks and what do you think the technician will be doing to stop them?
  • by Anonymous Coward on Monday May 12, 2003 @02:22PM (#5937938)
    I host a domain on my Linux server at home with a DSL line. I do this because I'm interested in understanding how everything works.

    The problem is that between keeping the server up to date, learning PHP, learning Postgres and developing the content I really don't have the time to be an expert in security in the same way as someone who focuses solely on security. What kind of advice would you give to someone in my situation?
  • by zogger ( 617870 ) on Monday May 12, 2003 @02:30PM (#5937978) Homepage Journal
    --it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and, usually not having the appropriate skill set, is even harder to implement.
  • Well, why not legit? If I scan all of my dorm's IP range (well-documented) on port 80 (the offense that nearly got me in trouble except for knowledgeable judicial affairs types in the office), there are three possible results for any given IP address.

    People who have a webserver on port 80, which is out and open to the public because they had something to say. (unless they password it)

    People who have a default web server install with a default page (the most common in those days of (not necessarily legal) Win2k Pro/Server boxes everywhere)

    People with nothing running on port 80.

    Now, if I was scanning for open Back Orifice or SubSeven ports, or open ssh/telnet servers, then I might be suspect. But in reality, my problem came about because many of the no-server types had BlackICE running, and it decided to interpret nmap's scan (using the politest settings I could) as an "attack".

    One packet to each machine on your LAN does not an attack make, and I don't understand why this should be considered not legit.

  • by pitr256 ( 201315 ) on Monday May 12, 2003 @02:48PM (#5938158) Homepage
    We've made a lot of progress with open source intrusion detection devices (IDS) in the last few years, with SNORT many times beating out similar offerings from commercial companies.

    But so far, we have only been attempting to detect and report possible intrusions into private networks or studying attack vectors using Honeypots.

    There has been a lot of talk lately about the possibility of using independent worms that fix vulnerabilities in network hosts so that those hosts aren't used as an attack vectors to compromise/disable other hosts.

    Instead of just detecting and reporting intrusions or active worms fixing vulnerabilites, how do you feel about having IDS systems reporting to a host/daemon that would then launch protective countermeasures against the possible detected intrusion?

    Thanks. BTW, Nmap ROCKS!
  • by HidingMyName ( 669183 ) on Monday May 12, 2003 @02:53PM (#5938192)
    Informed design decisions in classical engineering use estimates of cost, correctness and performance to pick the best solution. In security, much of the selection seems to be "a matter of taste", but perhaps it shouldn't be. Given two competing solutions to security problems, how do you propose that the user measure the solutions fitness to make an informed design decision?
  • I HAD root (at least on the machine I was scanning from =P).

    As I recall, I'd elected to use a less stealthy TCP scan because I wanted to be as aboveboard as possible, sorta like the LAN equivalent of yelling "Hey, anyone home?" from the sidewalk as opposed to sneaking up and trying the doorknobs with a stealth SYN scan. =P
  • IPv6 (Score:5, Interesting)

    by caluml ( 551744 ) <slashdot&spamgoeshere,calum,org> on Monday May 12, 2003 @03:32PM (#5938516) Homepage
    Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
  • by djeaux ( 620938 ) on Monday May 12, 2003 @03:41PM (#5938627) Homepage Journal
    On your 'myworld' page, you have a couple of paragraphs about "some aspects of the hacker community that disgust me", things like arrogance, information leeching & crime. Since Slashdot may have a slightly larger reader base than insecure.org, this could be your bully pulpit to expound a little more on that theme. Care to take a moment & tell us all how to "shape up or ship out?" :-)

    P.S. For everyone else, I've had the privilege to work in a small way on an information sharing project to build on Fyodor's mailing list archives & I'm here to testify that he lives up to the standards he sets.

  • by arcade ( 16638 ) on Monday May 12, 2003 @03:42PM (#5938646) Homepage
    This is exactly the kind of anal-retentiveness he is commenting on. If you put a box on the internet, it will receive packets. As long as it isn't flooding the network, nor tries to exploit anything - shut up about it.
  • Nmap delays (Score:2, Interesting)

    by Old Wolf ( 56093 ) on Monday May 12, 2003 @06:55PM (#5940474)
    I think I speak for many people here: why is Nmap 3.0 so much slower than 2.53 ?
    For example, I use it to ping-sweep my local /24 network. 2.53 would take about 1.5 seconds, but 3.0 takes up to 3 minutes to complete. Even using the -T switch it's still much slower.
  • by Nevyn ( 5505 ) on Monday May 12, 2003 @07:02PM (#5940522) Homepage Journal

    As an author of a security book and of a well known security application, how much do you feel code cleanliness/quality affects security of products? ... Or do you feel that only a very few products should worry about security?

    For instance from looking at nmap-3 it's, ignoring the style, littered with magic numbers _esp_ for things like size of an array of char (which is the only concept like a "string" that nmap has) and also more than a few obvious misuses of strncpy() etc. to go along with it.

    Contrast this with other security conscious programs, like vsftpd and postfix, and it's like the difference between night and day.

    Obviously anyone putting nmap at the end of a CGI is just asking for pain, but one traditional view is that this wouldn't be the problem of nmap ... but of whoever decided that it was security conscious, not just a "security" application.
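The strncpy() misuse the poster alludes to is a well-known one: when the source is as long as or longer than the destination, strncpy() fills the whole buffer and writes no terminating NUL, so any later strlen(), printf("%s") or strcat() on that buffer runs off the end. The snippet below is an added illustration written for this page (not code from Nmap, vsftpd or postfix); the NAME_LEN constant and the function names are invented for the example. It places the classic misuse beside a bounded copy that always terminates, and uses a named constant where a bare "8" would otherwise be scattered through the code.

```c
/* strncpy() misuse versus a bounded, always-terminated copy.
 * Added example, not from the original page or from Nmap. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* one named size instead of a magic number repeated at every use */

/* Misuse: strncpy() does not NUL-terminate when strlen(src) >= NAME_LEN. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
}

/* Correct: truncate to NAME_LEN-1 bytes and always write the terminator.
 * Returns the number of characters stored (excluding the NUL). */
size_t copy_name_safe(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        n = NAME_LEN - 1;          /* leave room for '\0' */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* 1 if buf holds a NUL somewhere within len bytes, i.e. is a valid C string. */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Harness helpers: pre-fill the buffer with 'X' so a missing NUL is visible. */
int unsafe_copy_is_terminated(const char *src)
{
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);
    copy_name_unsafe(buf, src);
    return is_terminated(buf, sizeof buf);
}

int safe_copy_is_terminated(const char *src)
{
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);
    copy_name_safe(buf, src);
    return is_terminated(buf, sizeof buf);
}

size_t safe_copy_length(const char *src)
{
    char buf[NAME_LEN];
    return copy_name_safe(buf, src);
}

int main(void)
{
    const char *inputs[] = { "short", "exactly8", "definitely-too-long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s unsafe terminated=%d  safe terminated=%d  safe length=%zu\n",
               inputs[i], unsafe_copy_is_terminated(inputs[i]),
               safe_copy_is_terminated(inputs[i]), safe_copy_length(inputs[i]));
    return 0;
}
```

The pattern `strncpy(dst, src, sizeof dst); dst[sizeof dst - 1] = '\0';` is the minimal fix for existing code; snprintf(dst, sizeof dst, "%s", src) is another common idiom. Modern gcc flags some of these cases with -Wstringop-truncation, which is a cheap check to turn on for any C code base that handles attacker-supplied strings.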
