Ask Fyodor Your Network Security Questions
Fyodor is the driving force behind Insecure.org and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us.
My Question... (Score:5, Interesting)
Work guidelines? (Score:3, Interesting)
If you could change one thing. (Score:5, Interesting)
What is your favourite tool? (Score:5, Interesting)
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Thanks in advance!
DMCA? (Score:5, Interesting)
libnet (Score:3, Interesting)
What's your ratio of love:hate mail? (Score:5, Interesting)
How much criticism do you have to deal with? And how does it compare to the kudos you receive, quantity-wise? Has it ever made you doubt what you're doing?
PS- Thanks. nmap proves its usefulness to me every day.
Security Updates (Score:5, Interesting)
Rus
Recent increases in anal-retentiveness... (Score:5, Interesting)
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
RTFM (Score:5, Interesting)
FNG--Fscking New Guy
-Terminology, broad-brush concepts, checklists, good reference list
Suit
-Management concerns, planning
Expert
-Detail, performance considerations
Categories are arbitrary; others will segment the market differently. Mainly seeking recommended authors/titles. Full-on reviews too space consumptive.
The human element (Score:5, Interesting)
What tool(s) are we missing from our toolbox? (Score:5, Interesting)
Super-DMCA (Score:5, Interesting)
Here's the article [securityfocus.com] on it that ran on Slashdot a while ago.
Basically, the law says you can't "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service" - thus making honeypots illegal, even when they are used to thwart illegal computer activity.
Curious Yellow? (Score:5, Interesting)
IPv6 (Score:5, Interesting)
will exotic OS's help? (Score:1, Interesting)
Thanks?
You'll have seen a lot of breakins. (Score:5, Interesting)
Weakest link: Between systems and people (Score:5, Interesting)
examples:
* "SSH shows a warning that the host key has changed. The user ignores it and continues on."
* "The browser warns that an SSL certificate doesn't match the host IP. The user ignores it and continues on."
* "The browser asks if you trust the signer before running some piece of ActiveX. The user ignores it and continues on."
* "The sysadmin warns not to share passwords. The users ignore that too."
Now the question. It seems to me that despite all the work being done in the security field, back in reality things have gone from bad to worse. People constantly sidestep the very systems that are put in place to protect them. Is anything being done in the computer security field to address this important "Human Factors" aspect?
--
Simon
Re:Idea (Score:5, Interesting)
Stepping into a network security career. (Score:5, Interesting)
The Relevance of Low-Level Tools (Score:5, Interesting)
Given all of this, what motivation is there for a modern CS student to learn things like the 3-way TCP handshake, or the differences in implementations in various TCP/IP stacks, when the base level of the equation is irrelevant from a security standpoint? How can I convince our network administrators that it's worthwhile to learn something other than JNDI when it comes to network protocols; that for security and network troubleshooting, nothing will ever top a simple Ethereal packet trace?
Jouster
Perception of Access (Score:4, Interesting)
How do we preferentially improve white-hat work? (Score:5, Interesting)
How can we develop and promote the state-of-the-art in security (tools, understanding, knowledge) while giving as few gems as possible to the criminal wannabes of the world? In other words, how can we bias the work and research towards the defensive, rather than progress that's either neutral or preferentially offensive?
Legal implications (Score:5, Interesting)
Interesting stories involving nmap? (Score:5, Interesting)
What could best be done to create secure networks? (Score:5, Interesting)
Open port... what now? (Score:2, Interesting)
After a user uses nmap to enumerate open ports on their systems, what tools should they use to determine what program is keeping that port open?
Have you ever been tempted to use your gifts (Score:5, Interesting)
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Kitchen-Sink-over-HTTP (Score:5, Interesting)
A modern protocol designer has to choose between efficient data representation and firewall penetration. She will almost always choose the latter. Thus we have a thousand X-over-HTTP protocols, most of which are replicating services (like RPC) that are exactly what the firewall administrator was trying to block.
As everything becomes X-over-HTTP, how long will it be before we see stateful HTTP firewalls to block malicious kinds of data flowing over HTTP? And when firewall administrators again take the easy way out, blocking everything but "plain" HTTP, how do vendors send their data? Are we, in fact, turning the Internet into the Web? Eventually, it seems that application communication will just be a special case of a Web browser fetching a URL. By tunneling everything over HTTP, and eventually dropping even the tunneling, is the Internet in danger of becoming nothing but the Web--sure, there are other services running, but nobody but the occasional network admin on an un-firewalled network can reach them?
Jouster
Are you still hacking slashdot users? (Score:-1, Interesting)
Odds are this will be modded down as it is contrary to the blind doe-eyed fan-boisticism. I am genuinely curious.
Feature for nmap (Score:5, Interesting)
I've been using nmap for quite some time now, and it's an excellent tool by all accounts.
My question is, do you plan to implement firewall discovery? Instead of just reporting what ports are open, you could report:
- closed
- opened
- filtered (no reply)
- firewalled (firewall reply)
As suggested in the latest Phrack.
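The four states in the post differ in what, if anything, comes back for a single SYN probe: a SYN/ACK means a listener answered, a RST means the host is up but nothing listens, silence means the probe was dropped, and an ICMP destination-unreachable error means a filtering device explicitly refused it. The following is an added example, not Nmap's code or the Phrack article's; it classifies a raw IPv4 reply into those states. The state names, the builder helpers and the sample packets are all constructed here for illustration, checksums are not verified, and the ICMP unreachable codes treated as "firewalled" (1, 2, 3, 9, 10, 13) are the set a scanner commonly attributes to a filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Port states as proposed in the post: "filtered" is silence, "firewalled"
 * is an explicit refusal from a filtering device. Hypothetical names. */
enum port_state { PS_OPEN, PS_CLOSED, PS_FILTERED, PS_FIREWALLED, PS_UNKNOWN };

#define IP_PROTO_ICMP     1
#define IP_PROTO_TCP      6
#define TCP_FLAG_SYN      0x02
#define TCP_FLAG_RST      0x04
#define TCP_FLAG_ACK      0x10
#define ICMP_DEST_UNREACH 3

/* Classify the raw IPv4 reply to one SYN probe. pkt == NULL or len == 0
 * means the probe timed out with no reply at all. Checksums are not
 * verified here; a real scanner should do that before trusting a reply. */
enum port_state classify_reply(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len == 0)
        return PS_FILTERED;                 /* dropped silently */
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PS_UNKNOWN;                  /* not an IPv4 packet */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return PS_UNKNOWN;                  /* malformed header length */

    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;

    if (pkt[9] == IP_PROTO_TCP) {
        if (l4len < 20)
            return PS_UNKNOWN;
        uint8_t flags = l4[13];
        if ((flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == (TCP_FLAG_SYN | TCP_FLAG_ACK))
            return PS_OPEN;                 /* a listener answered the handshake */
        if (flags & TCP_FLAG_RST)
            return PS_CLOSED;               /* host reachable, nothing listening */
        return PS_UNKNOWN;
    }
    if (pkt[9] == IP_PROTO_ICMP) {
        if (l4len < 8)
            return PS_UNKNOWN;
        if (l4[0] == ICMP_DEST_UNREACH) {
            switch (l4[1]) {                /* unreachable codes a filter sends */
            case 1: case 2: case 3: case 9: case 10: case 13:
                return PS_FIREWALLED;
            default:
                break;
            }
        }
        return PS_UNKNOWN;
    }
    return PS_UNKNOWN;
}

/* Constructed replies for demonstration only: a 20-byte IPv4 header
 * followed by a bare TCP or ICMP header, with zeroed checksums. */
size_t build_tcp_reply(uint8_t *buf, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                          /* IPv4, IHL 5 */
    buf[3] = 40;                            /* total length */
    buf[8] = 64;                            /* TTL */
    buf[9] = IP_PROTO_TCP;
    buf[20 + 12] = 0x50;                    /* TCP data offset 5 words */
    buf[20 + 13] = flags;
    return 40;
}

size_t build_icmp_unreach(uint8_t *buf, uint8_t code)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;
    buf[3] = 28;
    buf[8] = 64;
    buf[9] = IP_PROTO_ICMP;
    buf[20] = ICMP_DEST_UNREACH;
    buf[21] = code;
    return 28;
}

/* Convenience wrappers: build a constructed reply and classify it. */
enum port_state classify_tcp_flags(uint8_t flags)
{
    uint8_t buf[40];
    return classify_reply(buf, build_tcp_reply(buf, flags));
}

enum port_state classify_icmp_code(uint8_t code)
{
    uint8_t buf[28];
    return classify_reply(buf, build_icmp_unreach(buf, code));
}

const char *state_name(enum port_state s)
{
    static const char *names[] = { "open", "closed", "filtered", "firewalled", "unknown" };
    return names[s];
}

int main(void)
{
    printf("SYN/ACK           -> %s\n", state_name(classify_tcp_flags(TCP_FLAG_SYN | TCP_FLAG_ACK)));
    printf("RST/ACK           -> %s\n", state_name(classify_tcp_flags(TCP_FLAG_RST | TCP_FLAG_ACK)));
    printf("ICMP 3/13 (admin) -> %s\n", state_name(classify_icmp_code(13)));
    printf("no reply          -> %s\n", state_name(classify_reply(NULL, 0)));
    return 0;
}
```

The "filtered" verdict is the weakest of the four: it is the absence of evidence, so a scanner should only reach it after retransmitting the probe, and a host that rate-limits RSTs or ICMP errors will look filtered on later probes even though the first one was answered.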
Re:Stepping into a network security career. (Score:2, Interesting)
>Science. I've done plenty of Unix sysadmin work throughout college and
>even deployed some high-interaction honeynets. I'm very interested in
>network security and systems programming. Do you have any advice for
>people in my situation who want to head into a career in network
>security?
>
I've recently landed my first job as a pen-tester. To get here I spent the last eight years reading everything I could get my hands on regarding information security: books, white papers, man pages etc. More importantly, it's important to get direct experience of as much of the theory as possible. Run up a few machines as a local network. Sniff the wire. See how a Windows box looks from Linux, and vice versa. Use and understand the differences between OpenBSD and Linux. Try to download, compile and test new tools whenever you see them mentioned. Break into your own machines. Ask yourself how you would prevent that attack working. Fix it, start again. Put up an undefended default install on a cable modem with a stealth IDS / tcpdump running; watch the kiddies come running. Watch them at play (important: do NOT let them jump out of your box and attack others!). Repeat with other OSes. Read bugtraq, full-disclosure, nanog, incidents. Read as many O'Reillys as possible. Learn Perl. Learn C. Learn Visual Basic. (No, really... you'd be surprised how useful that can be when it comes to ASP apps
Stick at it: it's soooo worth it. I've had more fun in the last six months than in the previous 8 years combined. And, to my surprise, I've found myself feeling a strange... pride? No, 'responsibility' is closer I think - when I was told that a pentest I performed on a local utility, during which I got some sensitive personnel data and some highly sensitive, uh, 'test results', was being conducted due to the generalised review of security post Sept. 11. And I realised that in a very small way, I'm making the world a better place. I really hadn't expected that, hadn't really thought about it in the context of work (Free software, yes!
Best of luck!
Best Security Advice? (Score:5, Interesting)
Do you have any suggestions?
What makes a honey net enticing? (Score:5, Interesting)
ipv6 support in nmap (Score:2, Interesting)
Trusted Computing (Score:3, Interesting)
Background info: Linus Torvalds blesses DRM [theregister.co.uk]
End User Training (Score:5, Interesting)
I often find myself at a loss as to how to help train the end users at my company on how they can help ensure the security of their systems and help prevent things like social engineering attacks, and what good password practices are.
I usually run into problems of user apathy, training materials or discussions being too technical, or trying to apply technical training techniques to sometimes non-technical problems such as the aforementioned social engineering attack.
Have you found a good way to educate largely non-technical end users on ways that they can help contribute to the overall security of the systems of the company they work for? What should be included in the training? What should be left out?
Thanks
OS fingerprinting (Score:5, Interesting)
I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture.
What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Re:What is your favourite tool? (Score:3, Interesting)
What is your opinion of this class of products in their ability to allow a network admin to be knowledgable about the security of their own network and respond to threats?
LAN security in todays environment (Score:3, Interesting)
a passive listening device on the LAN to gather information (even in a switched environment), do you see future security focusing on authentication mechanisms on the LAN, even for the simplest of things (e.g. to get connected to a switch, to allow a MAC address, etc)? Going to a larger scale, do you see something like this taking place on the WAN? Let's say (putting on my let's-get-nasty hat) Microsoft Palladium (.net, NM$FPSG, whatever they call it now) authentication + your MAC address just to get connected to the net?
Re:Best Security Advice? (Score:2, Interesting)
Have you tried this one:
Please give me your name, SSN, address, mother's maiden name, credit card numbers/expiration dates and the keys to your home.
If that one doesn't work then try this: Please point a gun to your head and pull the trigger.
Wheee!!! (Score:2, Interesting)
Advice for people who aren't security experts (Score:5, Interesting)
The problem is that between keeping the server up to date, learning PHP, learning Postgres and developing the content I really don't have the time to be an expert in security in the same way as someone who focuses solely on security. What kind of advice would you give to someone in my situation?
standalones and small home nets (Score:5, Interesting)
Re:Recent increases in anal-retentiveness... (Score:3, Interesting)
People who have a webserver on port 80, which is out and open to the public because they had something to say. (unless they password it)
People who have a default web server install with a default page (the most common in those days of (not necessarily legal) Win2k Pro/Server boxes everywhere)
People with nothing running on port 80.
Now, if I was scanning for open Back Orifice or SubSeven ports, or open ssh/telnet servers, then I might be suspect. But in reality, my problem came about because many of the no-server types had BlackICE running, and it decided to interpret nmap's scan (using the politest settings I could) as an "attack".
One packet to each machine on your LAN does not an attack make, and I don't understand why this should be considered not legit.
Anti-intrusion network software (Score:5, Interesting)
But so far, we have only been attempting to detect and report possible intrusions into private networks or studying attack vectors using Honeypots.
There has been a lot of talk lately about the possibility of using independent worms that fix vulnerabilities in network hosts so that those hosts aren't used as attack vectors to compromise/disable other hosts.
Instead of just detecting and reporting intrusions or active worms fixing vulnerabilities, how do you feel about having IDS systems reporting to a host/daemon that would then launch protective countermeasures against the possible detected intrusion?
Thanks. BTW, Nmap ROCKS!
How can I Measure, Understand and Control? (Score:3, Interesting)
Re:Recent increases in anal-retentiveness... (Score:2, Interesting)
As I recall, I'd elected to use a less stealthy TCP scan because I wanted to be as aboveboard as possible, sorta like the LAN equivalent of yelling "Hey, anyone home?" from the sidewalk as opposed to sneaking up and trying the doorknobs with a stealth SYN scan. =P
IPv6 (Score:5, Interesting)
What should a hacker be? (Score:2, Interesting)
P.S. For everyone else, I've had the privilege to work in a small way on an information sharing project to build on Fyodor's mailing list archives & I'm here to testify that he lives up to the standards he sets.
Re:Recent increases in anal-retentiveness... (Score:3, Interesting)
Nmap delays (Score:2, Interesting)
For example, I use it to ping-sweep my local
Security / Cleanliness. (Score:3, Interesting)
As an author of a security book and of a well known security application, how much do you feel code cleanliness/quality affects security of products? ... Or do you feel that only a very few products should worry about security?
For instance from looking at nmap-3 it's, ignoring the style, littered with magic numbers _esp_ for things like size of an array of char (which is the only concept like a "string" that nmap has) and also more than a few obvious misuses of strncpy() etc. to go along with it.
Contrast this with other security-conscious programs, like vsftpd and postfix, and it's like the difference between night and day.
Obviously anyone putting nmap at the end of a CGI is just asking for pain, but one traditional view is that this wouldn't be the problem of nmap ... but of whoever decided that it was security conscious, not just a "security" application.
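The post names the hazard (bare magic numbers for char-array sizes, and strncpy() misuse) without quoting the Nmap source, so the snippet below is an added illustration of the general pattern, not code from Nmap. It shows the classic strncpy() mistake beside a hardened copy that names the bound once, always terminates, and reports truncation; the struct, field names and sample hostnames are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 16   /* one named bound instead of a bare 16 at each use */

struct host_record {
    char name[HOSTNAME_MAX];
    char canary[8];       /* stands in for whatever follows the buffer */
};

/* The misuse: strncpy() zero-pads short sources but never guarantees a
 * terminator. A source of HOSTNAME_MAX bytes or more leaves name[] with no
 * '\0', so a later strlen() or printf("%s") reads on into canary[] and beyond. */
void set_name_unsafe(struct host_record *r, const char *src)
{
    strncpy(r->name, src, sizeof r->name);
}

/* Hardened: copy at most sizeof-1 bytes, always terminate, and tell the
 * caller whether the name fit instead of silently mangling it. */
bool set_name_safe(struct host_record *r, const char *src)
{
    size_t n = strlen(src);
    bool fits = n < sizeof r->name;
    if (!fits)
        n = sizeof r->name - 1;
    memcpy(r->name, src, n);
    r->name[n] = '\0';
    return fits;
}

/* True when name[] contains a '\0' inside its own bounds. */
bool name_terminated(const struct host_record *r)
{
    return memchr(r->name, '\0', sizeof r->name) != NULL;
}

/* Helpers that run each copy on a fresh record and report the outcome. */
bool unsafe_copy_terminated(const char *src)
{
    struct host_record r;
    set_name_unsafe(&r, src);
    return name_terminated(&r);
}

bool safe_copy_terminated(const char *src)
{
    struct host_record r;
    set_name_safe(&r, src);
    return name_terminated(&r);
}

bool safe_copy_fits(const char *src)
{
    struct host_record r;
    return set_name_safe(&r, src);
}

int main(void)
{
    struct host_record r;
    const char *longname = "a-very-long-hostname.example";   /* 28 bytes, constructed */

    memcpy(r.canary, "CANARY!", 8);
    set_name_unsafe(&r, longname);
    printf("unsafe: terminated=%d\n", name_terminated(&r));   /* 0: "%s" would run on */

    memcpy(r.canary, "CANARY!", 8);
    bool fits = set_name_safe(&r, longname);
    printf("safe:   terminated=%d fits=%d name=\"%s\"\n", name_terminated(&r), fits, r.name);
    return 0;
}
```

The point of the named bound is not style: with HOSTNAME_MAX in one place, every copy, format width and comparison can be audited against the same number, whereas a literal 16 repeated across files is exactly how one site gets changed and another does not.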