JUST READ THIS INTERESTING ARTICLE, AND DECIDED I SHOULD SHARE IT WITH ALL MY FRIENDS IN HERE.
Article originally posted on the Infoworld website.
Recently, I was asked by an instructor at a technical college if I
would mind responding to some of his students' questions. I happily
agreed. Ultimately, this resulted in a lively back-and-forth session, so
I decided to share the exchange with you. Enjoy!
Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?
Finding bugs in products
doesn't work that way. Every product that Microsoft codes goes under
dozens of manual and automated tool reviews. That scrutiny is vital
because Microsoft is the biggest target, and as a result Microsoft
products actually have fewer vulnerabilities than those of its nearest
competitors. But even with the right tools and processes, you can't
catch everything.
New techniques are found, mistakes are made, and until
you have perfect humans, you'll never have perfect code and you'll
never have perfect bug detecting.
Here's a good example. Years ago someone discovered they could buffer-overflow the HTML color attribute field located on Web pages as it was rendered
in a popular browser. No browser vendor at the time ever thought the
color attribute field could be abused. The vendor's security reviewers
didn't know to look for it and neither did any of the private or
third-party tools, despite the fact that every field should be
boundary-tested. Now all vendors check for it. Everything looks easier
in hindsight -- improving software is an evolving process.
Question 2: In one of your blog posts, you mentioned something like: "The NSA
could be hiding small snooping programs in, let's just say, a picture of
a cute kitten or a fun Android game." So how can the average Joe ever
know that what they download is the real picture or app with no hidden
malware in it?
The short answer is you can't -- not even
close. The only thing you can do is decide to trust the entity that
created the device or code, especially if it is digitally signed.
Because as long as their digital-code signing cert wasn't compromised or
the machine the code was signed on wasn't compromised, at least you can
say that the code the developer signed was what they signed when they
signed it. But the truth is you really don't know.
It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet
and make hacking and snooping, even by the NSA, easier to prosecute and
easier to detect. It disturbs me greatly that what the NSA does is
completely legal ... and most countries don't even have the laws that we
do. I wish everyone's privacy laws were stronger. In the United States,
we need to modify our Constitution to guarantee more personal privacy. I
thought the amendment against unreasonable search and seizure did that,
but it's not even close to being enough these days.
Question 3: I liked your article "Crazy IT security tricks that actually work."
Someone dismissed your points of "security through obscurity." If these
things work, then why would the IT Industry be so quick to discount
them?
People repeat dogma as fact, when all you're
really talking about are cute little sayings that were a stretch from
the beginning. Obscurity is one part of security. It shouldn't be relied
upon as the only defense, but it certainly plays a big part. If it
didn't, every army would tell the other army what all their capabilities
were, where all the weapons and troops were, and make everything
"transparent."
The best thing I can say to anyone trying to learn
is not to accept everything you hear at face value. Respect what other,
more learned people say, but don't accept anything as gospel unless you
do it or see it yourself. Stay skeptical.
Question 4: If Stuxnet was the most complex piece of malware
ever created, then couldn't the "sons of Stuxnet" wreak havoc across all
of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day
a much less complex piece of malware will "crash" the Internet.
Sophisticated malware is needed only for sophisticated scenarios.
Crashing the Internet or stealing from banks is easily accomplished with
conventional malware. Hackers are likely stealing tens of millions of
dollars every day, if not hundreds of millions. They are allowed to get
away with it, and the public accepts it as a cost of doing business
because they stay below a certain threshold. One day one of them will
make a mistake, steal too much, and the world will freak out and finally
fix the Internet.
Question 5: It has been widely
reported that the NSA put backdoors into a bunch of different programs.
How do we know these backdoors have been closed?
Most of them probably haven't been closed. Until we get their complete list of
software exploits, which is highly unlikely, we'll never be able to do
it. And it's not just the NSA you have to worry about, but every
sophisticated government and hacker group. Software is full of
exploitable holes that only certain people have knowledge of.
Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?
Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how
to hack, it's mostly a repeatable process. Most hackers simply mimic
what someone else did. They seldom think of anything new. You want to
impress me? Do something new. Most hackers are followers.
The smartest hackers are the good guys. It's easy to hack; it's much harder
to defend. It's easy to tear down a barn with a saw and a sledgehammer;
it's much harder to build the barn. It's even more impressive to build a
barn that can resist the saw and the sledgehammer.
You shouldn't hack illegally for the same reason you shouldn't assault someone. It's
morally wrong. I've had the skills to hack illegally for over two
decades. I get paid to hack legally all the time. Over the past nine
years it's never taken me more than an hour to break in (except one
time, when it took me three hours). This includes banks, hospitals,
government agencies, and Fortune 500 companies. It's not that hard to
hack. And guess what? I make a very good living -- far better than I
could ever have imagined. I am living the dream.
Legal hacking
allowed me to accomplish this, and I don't have to worry about the feds
arresting me. If you go the illegal route, it's going to catch up with
you eventually. It always does. You can make more money and sleep well
at night by hacking legally. You'll have a better career and a better
life doing the right thing.
Question 7: I read that no matter how long or complex your password is, that it can be broken by a pass-the-hash attack. True?
In a sense. PtH (pass-the-hash) attacks
require that the attacker obtain local administrator status on the box
they are stealing hashes from (or obtain domain administrator on a
domain controller). If you have that sort of access, then what can't you
do?
That said, if attackers steal the ultimate authentication
secret -- for example a password, a password hash, a Kerberos token, a
ticket, and so on -- they have the ultimate authentication they need to
do almost anything. Length of password, hash, digital certificate key,
and so on will not protect you.
PtH attacks are a valid concern,
but if they went away completely (Windows Server 2012 R2 has plenty of
PtH defenses built in), it would not stop attackers in the slightest ...
because they already own the box. They can just do keylogging, Trojan
the machine, or modify the operating system. We should be more concerned
about how attackers get that elevated access in the first place, not
focused on what they do with it once they have that access ... because
the sky is the limit and there is no defense.
Question 8: Is the NSA leaker a hero or a traitor?
He's a bit of both. Ultimately, he broke his NDA and many laws. He has put
other people's lives at risk. He should be punished for that. The only
rationale to do what he has done is if what you are revealing is illegal
or unconstitutional. So far nothing he has revealed is either of those
things. Nothing he has revealed is a surprise to those of us who follow
the NSA.
Just read any James Bamford book. He was writing about
the NSA's capabilities 25 years ago. The only new things that he
revealed, to those of us who follow the NSA, is names of programs and
perhaps some individual exploits.
That said, he is to be
applauded for bringing the excesses of what the NSA is legally allowed
to do to the public masses. I'm hoping that everyone being upset with
the NSA will lead to laws being changed, so the NSA cannot legally
collect everything they are already collecting. It upsets me, and
others, that it took a single employee breaking the law to make the rest
of the world up in arms about something we've known for years if not
decades.
Question 9: We discussed the FBI takedown of the
Silk Road in class and I was wondering: If the NSA has all of the
access to our personal lives, why did it take the FBI three years to
take them down?
Law enforcement is always slow, especially
when it crosses multiple jurisdictions. It takes time to start legal
projects, collect evidence, obtain warrants, and proceed. But I suspect
that most of the time was spent just getting on the FBI's already busy
radar. The FBI, like your own company, has a budget and a project plan
each year. I bet Silk Road wasn't on the radar until enough people
started complaining. Plus, many times the investigation goes on far
longer than what's needed to collect evidence, as perpetrators go after
bigger targets and commit more crimes, resulting in easier-to-prove
court cases and longer jail sentences.
Also, the NSA and the FBI
don't always share information. The NSA, for the most part, doesn't care
about drug trafficking, money laundering, theft, and a lot of the other
things the FBI cares about. As bad as our laws are, the NSA can't
simply share what it has with other legal entities.
Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?
I have about 50 certifications, and I learned
something new from each one of them. Each cert made me a more
knowledgeable technician, and each gave me something that made me more
employable. But if you're talking about which ones count the most,
that's a slightly different answer: It's the certification most relevant
to your potential employer or its customers.
Fortunately or
unfortunately, experience counts more. Because of that, you want to pick
certs that give you both credentials and real hands-on experience. I
like the CompTIA stuff. It teaches a lot. But their certs are basically
thought of as "base" certifications. When you earn one of those, you
know the basics. Still, they're great to know, and you will learn something.
Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's
probably the one cert that most employers and clients like to see. I
think it's because bosses and clients often have it and think it was
hard, so they like to know other people they are hiring had the same
hard time with it.
I'm a huge fan of anything SANS does or
offers. I think the SANS courses, books, instructors, and certs teach
you more hands-on experience than any of the other relative certs. When I
see someone with a SANS cert, I immediately trust them. It's the
security geek's CISSP. I also like the CEH and other certified auditor
exams. Each has its benefits. Each teaches you something.
Question 11: What kind of tools should I run to make sure my PC is clean (or as clean as possible)?
I never recommend a particular product. They are all fairly accurate, and
they all fail miserably on a daily basis. Don't believe any of the
"accuracy tests" you read. It's not that the tests are inaccurate, it's
that they often set specific parameters that (accidentally or otherwise)
benefit particular products.
I've been in the AV field since
1987. Accuracy goes up and down on every product over time. Just pick
one that is reasonably accurate and one that doesn't kill your system's
performance. You should run AV, but remember that 99 percent of all
successful exploits are caused by unpatched software.
Question 12: How can I detect if my computer has been turned into a bot to help perpetrate a DDoS attack?
It can be hard, especially if your computer has been hit with a rootkit.
AV is supposed to detect that sort of stuff, but it often misses it. I
love to do two things to look for bot programs myself. First, I use the
free utility Autoruns.
It will show you everything that is running when your PC starts. It
will be a hundred things. Research anything you don't recognize. When in
doubt, uncheck the program and reboot. If it breaks something, run
Autoruns again and recheck.
Second, download TCPView from
Sysinternals. Close every program you think could possibly be
communicating with the Internet. Then run TCPView. Research any programs
or processes that are communicating with the Internet. Most of the time
you'll see one or more things connecting to the Internet that you
didn't know about. This is normal. Usually they are just legitimate
programs connecting back to the vendor doing something the vendor
programmed them to do. Research the destination connection points. If
you can't figure out what the program is connecting to and whether it is
legitimate, consider using Autoruns to disable it.
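The same two checks, done with built-in PowerShell cmdlets instead of the Sysinternals GUI tools, as an added read-only triage script that is not part of the original article. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask and Get-NetTCPConnection) and an elevated prompt for full visibility; the registry paths and task filter are the author's own choices, and the script disables nothing.

```powershell
# Step 1: autostart entries. Classic Run/RunOnce keys for machine and user,
# plus enabled scheduled tasks outside the \Microsoft\ task folder.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds.
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
    }
}
$tasks = foreach ($t in Get-ScheduledTask) {
    if ($t.State -eq 'Disabled' -or $t.TaskPath -like '\Microsoft\*') { continue }
    $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    [pscustomobject]@{ Source = 'Task:' + $t.TaskPath; Name = $t.TaskName; Command = $cmd }
}
"== Autostart entries: research anything you do not recognise =="
@($autostarts) + @($tasks) | Format-Table -AutoSize -Wrap

# Step 2: established TCP connections to non-local addresses, joined to the
# owning process name and image path, which is what TCPView shows.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
"== Established connections to non-local addresses =="
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|fe80:)' } |
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { 'pid ' + $_.OwningProcess }
        $path = if ($p -and $p.Path) { $p.Path } else { '(path unavailable; try elevated)' }
        [pscustomobject]@{
            Process   = $name
            Path      = $path
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            LocalPort = $_.LocalPort
        }
    } | Sort-Object Process | Format-Table -AutoSize -Wrap
```

Close the programs you expect to talk to the Internet before running step 2, as the article suggests, so what remains is the short list worth researching.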
But the truth
is that malware programs can be very difficult to discover and remove.
When in doubt, back up all your data, reformat (or reset), and reinstall
everything again. This is the only way to truly know that you are
starting with a clean state.
Question 13: I use a MacBook Pro. I know it is built on Darwin Unix, but is it truly more virus-resistant than Windows 7 or 8?
Yes and no. No, in that OS X has far more vulnerabilities than Windows --
and I don't mean a little. Windows gets about 120 to 200 bugs a year. OS
X gets two to three times as many, if not more.
With that said,
because OS X runs on only 5 to 10 percent of the world's computers, it
still isn't a very big target. Bad guys target popular things because
they are more likely to get something of value. Running OS X will
probably incur less risk compared to a Windows computer -- probably
significantly less risk.
Note that computer viruses aren't nearly
as common as worms, Trojans, and other sorts of malware. Use the term
"malware" or "malicious program" instead of "virus." Virus indicates
only one type of malware.