If you use Python for any kind of  system automation (e.g., the stuff most people do with Perl and Bash scripts), then you know it can be cumbersome to call external programs. This new Python module, called sh (http://amoffat.github.com/sh/), makes it a lot easier and cleaner. Here’s an example:

from sh import ls, sudo
with sudo:
    print(ls("/root"))

Isn’t that cool? Sure, there are the usual security implications, and I didn’t choose the example with “sudo” by accident. But from a coding point of view, this is a nice improvement over something like subprocess.Popen. You can install it using “pip install sh” as usual.

 

Coding skills for infosec folks

On June 27, 2011, in uncategorized, by Eugene

Dave Shackleford has some concerns that most information security professionals nowadays don’t have the software development/coding/hacking background that’s necessary to be really effective in this field. While it’s hard for me to say who does or doesn’t have these skills, I completely agree that they can be critically important when it comes to information security.

Having a background in software engineering makes you a lot more productive when discussing secure coding with full-time software developers. Also, the ability to whip up a quick Python or Perl script to munge through some log data can be a huge time saver, especially in a tense incident response situation. I personally spend good bit of time creating software that other analysts can use to do their jobs more efficiently. Automation is a force multiplier!

Read his blog post for Dave’s full opinion and some good links.

 

X-Content-Security-Policy

On April 5, 2011, in development, security, web, by Eugene

Content Security Policy (CSP) is a draft specification from W3C, and was recently implemented in the latest version of Firefox. Basically, CSP is a way for a website owner to specify how a browser should treat content that it receives from his site. For example, it’s possible to list which domains you trust to serve JavaScript. Any JavaScript received from a domain not on your list will not be executed by the browser. This feature alone is a great security improvement, and there are many other attacks that can be entirely or partially mitigated using CSP.

Another beneficial side effect of adopting CSP is that it will force organizations to take stock of everything that their site is doing, and perhaps even make some smart some design changes in the process (like removing and disabling all in-line JavaScript). For developers, Mozilla has some great references, like this overview and this detailed list of policy directives.

I look forward to seeing CSP adopted more widely and supported by every major browser. If anyone has some practical experience with deploying CSP, please share some of your lessons learned.

 

Sorry for the silly post title, but this situation is getting to be at least a little ridiculous. This morning I read an article entitled “Hackers Breach Tech Systems of Multinational Oil Companies” from the New York Times. I know it makes for exciting headlines to announce that some super-important network got hacked, but is it really news anymore? After all, the breaking news isn’t really the hack at all – it’s the fact that someone finally noticed and decided to report it. The actual breaking in probably took place weeks/months/years ago.

At this point in the evolution of information systems, given the current state of information security, we should all just accept the fact that every organization which has any data of value has probably already been compromised multiple times. This includes corporations, non-profits, and governments. I suppose the value of having this stuff in the news is that it brings security into the consciousness of the general public for a few minutes. But maybe they should start adding “As expected,” to the beginning of all such articles, rather than pretending to be surprised.

From a technical standpoint, I think more organizations need to start treating their internal networks as hostile environments. I know I’m not the first person to suggest this idea, and it’s the basic idea behind mitigating the insider threat. The difference is that these principles now apply not only to governments protecting national secrets, but to every meaningful organization on the Internet. It’s been several years since any reasonable security professional could recommend that you focus on protecting the network perimeter, especially given how porous and interconnected most modern corporations are.

Think of it this way. A determined hacker will get into your network. At that point, he becomes a malicious insider, even if the attack was initiated from the outside. Your incident response plan and team are critical. We can no longer design information systems with a hard, crunchy exterior and soft, gooey interior.

UPDATE: Another interesting perspective on this issue was posted by Marc Maiffret of eEye.

 

Recommended reading for February 3rd

On February 4, 2011, in news, by Eugene

Exploiting Networks with Loki on Backtrack 4 R2
Loki is a handy protocol manipulation tool, especially useful for penetration testers. This post gives a good, brief intro.

The Noise
Sometimes you get caught up in the “noise” of your daily work and then suddenly realize that you haven’t gotten around to the “signal” in months.

Jury Says it’s Okay to Record the TSA
Go figure, we still do have some rights left at the airport!

Cloud Government
A fun idea about reinventing the US Government in a way that actually works, using technology.

10 Surefire Ways To Live Below Your Full Potential
This is a good reminder about how not to live your life.

Security Scoreboard – “Yelp” for Enterprise Security Products?
It can be hard to know if an IT product really does what it claims. This site provides reviews of IT security solutions.

Google Refine
Yet another awesome tool from Google. This one helps you clean up and make sense of messy, inconsistent data. It looks very helpful for people who want to write code against public databases.

The Incredible Freedom Of A Facebook Engineer
A day in the life of a Facebook engineer. Yes, they probably do have it better than you.

Amassing a Small Army Against a Growing Enemy
Some more research into using statistical anomaly detection on the Internet. I haven’t given up hope, yet.