Art of Information Security

The Art of Information Security has the great pleasure of interviewing Michael Rash. Michael holds a Master’s Degree in applied mathematics with a concentration in computer security from the University of Maryland.  He is the founder of cipherdyne.org, a website dedicated to open source security software for Linux systems, and works professionally as a Security Architect on the Dragon IDS/IPS for Enterasys Networks. He also is the author of “Linux Firewalls: Attack Detection and Response with  iptables, psad, and fwsnort”  (Sample chapter and more information here) published by No Starch Press.

When I started the Art of Information Security blog, I felt that it was important to appropriately lock down the host. It would be an unfortunate irony to have the server hosting a security blog “owned” by some script kiddy. So, of course AoIS runs a firewall. I had been using iptables firewalls on Linux for a while, and there were a few things that I felt were lacking from the set-ups that I had in the past. One was the ability to understand that the firewall is working. A solid firewall generates logs – but what do you do with those? And, what do they tell you? Second, I knew that I should be able to detect certain types of automated attacks and block those IPs. There are so many improperly configured hosts to attack that a few simple countermeasures go a long way. Third, I have also been very interested in running host IDS/IPS, but all the requirements to run Snort for a single host seemed a bit too much. Alas, I ran to cipherdyne.org and the great tools sponsored (and authored) by Michael.

Erik: So, Michael, Network Security is obviously more than just a job for you. How did you come to be involved so deeply in Network Security and Intrusion Countermeasures?

Michael: During the late 1990′s I was introduced to intrusion detection on a large ISP’s network, and that experience coupled with learning networking protocols sparked a deep and abiding interest in network security. This interest eventually led me to systems programming on Linux, and to the internals of systems that need to be protected. The constant game of cat and mouse played by attackers and defenders in the network security world never ceases to provide new directions for security research, and thanks to the open source development model, many of the techniques to defend systems can be investigated and contributed to by anyone.

Erik:  So when did you get the idea for PSAD?

Michael: In 1999 I started working with Jay Beale on the Bastille Linux project. At the time, both portsentry and Snort were around and were designed to detect network attacks (with the former only focused on port scans). Because Bastille was designed to harden the security stance of the host, a strong iptables policy was built in by Peter Watkins. With the strategy implemented by portsentry of listening on sockets in order to detect port scans (see the this link for why this is less than ideal from many perspectives), we needed a way to detect port scans in a manner compatible with Bastille’s iptables policy. The result was a portion of Bastille initially called “Bastille-NIDS”, but I eventually split it off as a dedicated project, and called it “PSAD”. An option would also have been to just write a configuration utility for Snort, but there would still have been a void since no tool really analyzed iptables log messages for suspicious activity. I made it my goal to try and fill this void mostly because the data source provided by iptables log is quite rich and has a lot to say.

Erik:  On your website you identify three principles around which PSAD was developed. Why are these important? How does PSAD accomplish them?

1. Good network security starts with a properly configured firewall
2. A significant amount of intrusion detection data can be gleaned from firewalls logs
3. Suspicious traffic should not be detected at the expense of trying to also block such traffic

Michael: Network security is more relevant for more people today than at any other point in Internet history. Important infrastructure is increasingly being put online (such as online banking access), and the threats are evolving to compromise this infrastructure. The default stance of many operating systems is to listen on several services to make things easier for users, and while many OS’s (particularly mainstream Linux distributions) offer to configure firewall policies, many users elect not to go through with this step. Sometimes people are too busy to maintain a properly configured firewall, or they reason that the local border firewall is sufficient. Firewalls should always be configured in a default-drop stance in order to provide an additional layer of protection for any vulnerable services that may be listening. For Linux systems, psad helps to verify that the local iptables policy is configured in this manner.

Firewall logs are also an important area to pay some attention. Although firewall logs cannot replace the full packet capture and logging capability of many intrusion detection systems, they can still be a valuable source of data to highlight efforts to break into systems. With a logging format that is as complete as provided by the iptables logging infrastructure, it is possible to detect and differentiate most types of nmap scans, passively fingerprint remote operating systems, detect probes for back doors, and more. The process of parsing iptables logs to look for these kinds of activities is automated by psad.

Finally, just detecting malicious traffic will always play second fiddle to an effective mechanism for also blocking such traffic. The iptables firewall is a well-tested piece of code that runs inline to the packet data path. Hence, it is a strong weapon to block suspicious traffic with a default drop stance before such traffic is allowed to target internal systems. By using the iptables string match extension, iptables blocking actions can even be tied to the inspection of application layer data.

Stay Tuned for Part 2

Part 2 of this series is coming soon, with more discussion about network security and open source security tools. More information is available on PSAD at http://www.cipherdyne.com/psad/. (Oh, and PSAD will be featured in an upcoming installment of the AoIS Secure Your Linux Host series !)

Cheers, Erik

I was recently  in New York for a two-day briefing on emerging technologies from a key technology partner. During the morning session the presenter asked a number of questions of the room as he worked through his deck.

At one point he asked: “Who likes their Information Security guy ?”

I raised my hand, to which he quipped: “Well, they aren’t doing their job then!”

To which I quipped: “Actually, I do my job quite well.”

Stereotypes…

In ancient times, skillful warriors first made themselves invincible,

and then watched for vulnerability in their opponents…

- “Formation”, Art of War, Sun Tzu, 6th century B.C.

The core of Information Security is Risk Management. The pursuit isn’t an “invincible” password policy, but one that provides reasonable protection against known threats. The goal is often not an “invincible” application, but one which is hardened appropriately and also still usable.

But all too often, many practitioners jump right to NO – I WON’T ALLOW IT. this leap is made without understanding the whole of the problem, or the real risks that are specific to the situation.

Now, there are folks in Information Security (and HR, accounting, etc.) who have to say NO because corporate policy, procedure, etc. require them to. This is really not the case that I am exploring here. Here, I want to focus on the role of the Information Security Architect, Consultant, Vulnerability Manager, Risk Manager, CISO, etc. when they are working with the business and IT partners.

Solid Risk Management requires a partnership between the folks who are the Subject Matter Experts in the risk space, and the folks who have a business or organizational need that must be met.  The right or proper answer often isn’t the Black-and-White “We never allow X” (sometimes it is ), but generally “We usually avoid X, due to these risks, but in this case we can compensate by applying these additional controls” or “We usually don’t permit X, but in this situation it isn’t problematic due to Y”.

I spent a lot of 2007 learning this lesson.

This lesson was taking hold enough that I started researching some of the business literature on this topic. It was then that I ran into Organizational Consulting: How to Be an Effective Internal Change Agent by Alan Weiss, and this definition on page 4:

Organizational Consultants are basically advisers to management who must provide objective, pragmatic, and honest advice to their clients. If there is a trusting relationship, then the clients will always be confident that their best interests are being served, no matter how threatening, contrarian, or painful that advice may be.

 Organizational Consulting is a book on becoming an effective internal change agent. In a way, when I am acting in an Information Security (Architect, Consultant, Advisor, fill in the blank…) role, I see myself being responsible for not just managing the risk issue at hand, but engaging my IT/LOB/etc in such that they can understand why and how the final state came to be.

So, let’s paraphrase Alan’s definition some…

Information Security Consultants are basically advisors to Information Technology and Line of Business partners who must provide objective, pragmatic, and honest advice to their clients, with the objective of managing risk for the benefit of the organization as a whole.

If there is a trusting relationship, then the clients will always be confident that their best interests are being served, no matter how threatening, contrarian, or painful that advice may be.

It has been my experience that when I take the time to…

• Listen and demonstrate genuine interest in the business problem at hand
• Educate the key players about the risks that various approaches contain
• Make those risks tangible, using examples and data when available
• Work with them, not against them

…that my success rate is very high ! “Success” being defined as both getting the Information Security risks managed, getting the underlying business need met, and being re-engaged pro-actively by the people I worked with the next time around.

Of course, all of these are relationship-building behaviors. All to often, relationship-building is thought of as lunches and golf games, neither of which I do much of. Relationship building is about how you treat people when you are working with them. No one cares that you played golf with them once if you won’t help them solve the problem at hand. Helping them find a way to meet their business needs risk appropriately builds relationships.

Of course, saying NO is a lot less work… for a while….

Cheers, Erik

( If you enjoyed this, check out more Professional Development on AoIS )

A colleague and I are co-presenting at the Central Ohio ISSA chapter on Wednesday morning…

Information Security Awareness Raising – A Example to Critique and Discussion

The aim of this presentation is to provide ISSA attendees with fresh ideas, for increasing the awareness of Information Security issues with their internal customers and partners. The presentation will have two parts. In the first part Justin and Erik will present a Information Security Awareness Presentation which is targeted at an audience of business and IT partners. 

During the second part of the presentation, preliminary information regarding the vital role of Information Security Awareness Raising will be discussed. After this initial introduction, everyone will be asked to participate in a dialog discussing if the materials were or were not effective Awareness Raising materials and to share their experiences and insights.

If you read this post, and then attended the presentation – please let me know. (This will be my tip off that highly un-likely events are occurring in my world, and that I should purchase a lottery ticket… )

Cheers, Erik

My apologies for this “phantom” posting… “Pro Dev: Who are We? What is Our Role?”

While editing that posting, I published it way prematurely. (Can you say miss-click?)  Now, I corrected this within minutes, but due the magic of Google and Feedburner that fragment was whisked onto the net (and perhaps will live forever… )

Now, you would think that you could just delete the post, and all would be well – Wrong !

So, that fragment (which was on-line for less than 3 min), was cached into the google reader and other blog aggregators, and has (embarrassingly) set a record for views in the first 24 hours. 

The good news is that it looks the like Professional Development series I have planned for AoIS is going to be a hit ! The bad news is I need to find a WordPress plugin that asks for a “are you sure” idiot confirmation on the publish button…

BTW, It appears that 2009 will be the year of the series on AoIS. Currently in the pipeline are:

• The Secure Your Linux Host Series
• Professional Development Series
• Cryptographic Controls Series 
• Interviews with Infomation Security, Risk Management, and Privacy Luminaries !

I hope to have at least one installment for all of these series posted by the end of January.

Again, my appologies for the draft fragment – the actual posting (Part 1 in the Professional Development series) is being proofed and should be up in a few days.

Cheers, Erik

So I have been planning a series of podcasts on Cryptographic Controls. In the process of this planning, I fell into one of the classic traps that crypto-geeks fall into: obsessing about random number generators (RNGs).

(FYI, for the impatient, click here.)

There are two ways to generate random numbers on computers: (1) use a software program called a Pseudorandom Number Generator (PRNG) or (2) use a hardware random number generator. A Pseudorandom Number Generator uses a seed value to generate a sequence of numbers that appear random. The problem is that the same seed generates the same random sequence. The hardware based RNG observes and samples some physical phenomenon which is random, such as cosmic rays, RF noise, etc. (aka Entropy).

RNGs are important in Information Security because they are used to generate encryption keys, salts, etc. Historically, attacking RNGs has proven effective, such as the defeat of Netscape’s HTTPS sessions.

Most operating systems utilize a hybrid approach, implementing a PseudoRandom Number Generator that has a seed that is regularly updated through the collection of random hardware events. This process is called Entropy Collection or Entropy Harvesting. For most applications, this approach should be completely sufficient. However, one of the key assumptions is that the operating system has been up and running long enough for the seed value itself to become hard to predict through the collection of Entropy. Also, many of the Entropy collecting events come from properties of hardware devices, such as the minor variations in hard drive rate of rotation. As such, there are a few circumstances where the OS RNG may not be good enough for strong cryptographic key generation:

• Live Boot CD ( The start state of the RNG may be predictable. )
• Virtualized Hosts ( OS may be dependent on simulated events for randomness. )

( Given the exploding popularity of virtualization, this is an area worthy of research. Stay tuned. )

Design of the Got Entropy Service

Many RNGs (such as the one included in Linux, as well as OpenSSL’s) allow the addition of entropy from outside sources. So I started looking to Entropy sources I could use to bolster the RNGs on my virtual hosts (and other uses…). While I was looking into this, it occurred to me that I had an unused TV tuner card, a PVR-350.

When a TV is tuned to a channel with no local station, the ‘snow’ on the screen is RF noise (the same as the static between stations on AM radios). But, for reasons beyond our scope, you never use a direct physical observation as the RNG. You have to ‘de-skew and whiten’ the data prior to sampling it. Here is the process that I use:

1. Collect about 3 minutes of video ( about 130 MB data ).
2. Using a random key and IV, encrypt the data ( using openssl & AES-128-CBC ).
3. Discard the first 32k of the file.
4. Use each of the following 32k blocks as samples.
5. Compress each sample with SHA-256.
6. Discard the last block.

• Steps 2 and 3 remove any patterns, such as MPEG file formatting, from the data.
• Steps 4 and 5 generate a 32-byte random value ( 1024 to 1 compression in the hash ).

Check it out at http://gotentropy.artofinfosec.com

Can an Attacker Broadcast a Signal to Undermine This?

Such an attacker could not remove RF noise from the received signal. Our eyes and brains are good at filtering out the noise in the TV video, but there is a lot of it. Part of the noise comes from the atmospheric background RF, but there are also flaws (noise) in the tuner’s radio and analog-to-digital capture circuitry.

I think this is a pretty strong RNG, and I have provided an interface for pulling just the values.

Also, I have written a script ( getEntropy.sh ) that will pull Entropy from the service and seed it into /dev/random on Linux.

Results from ENT

Here are results, from a sample run of the Got Entropy, analyzed by ENT ( A Pseudorandom Number Sequence Test Program provided by John Walker of www.fourmilab.ch – Thanks, John! ).

• Entropy = 7.999987 bits per byte
• Optimum compression would reduce the size of this 13366112 byte file by 0 percent.
• Chi square distribution for 13366112 samples is 233.85, and randomly would exceed this value 82.48 percent of the time.
• Arithmetic mean value of data bytes is 127.4767 (127.5 = random).
• Monte Carlo value for Pi is 3.143054786 (error = 0.05 percent).
• Serial correlation coefficient is -0.000078 (totally uncorrelated = 0.0).

Resources for the Curious…

• Wikipedia – Pseudo-random Number Generator
• Wikipedia – Hardware Random Number Generator
• NIST – Random Numbers Page
• Netscape RNG Attack
• van Heusden Video Rand

Cheers, Erik