I made the mistake the other night of watching Blade Trinity. The movie, as a whole, is irrelevant to this point (and all others, really). However it occurs to me that the evil villain, Dracula (yeah, that’s original), suffers from a flaw that is common in many stories. Basically, he is so confident in his skills that he ignores the fact that the hero of the story already defeated two movies’ worth of baddies.
To be fair, other major villains suffer from this same problem: Darth Vader, Lord Voldemort, Lord Sauron… as do heroes: Oedipus, Gilgamesh and Dr. Gregory House. The problem with them all is that their overconfidence leads directly to their eventual downfall. Sometimes, it is dramatic and impressive, other times (like this) it just involves a lot of bright shiny pixels that fly every which way until the filmmaker’s budget is used up.
The lesson to learn, I think, is that hubris kills… often at an appropriately-delayed climactic plot point. Here in the real world, of course, we tend not to have impressive glorious pixely deaths, which just leaves the problem of supreme overconfidence.
In I.T. Security, this sort of thinking often manifests itself as a general feeling of invulnerability against attack. This can be due to an existing investment giving a greater feeling of security than actual security. It can be due to a belief of general supremacy that is undeserved. Most often, though, it is due to a fundamental misunderstanding of the enemy.
Just as Lord Voldemort couldn’t conceive of a bunch of school kids as a threat, and Oedipus allowed himself to think that he had outwitted fate (never, never wise), if you ignore I.T. threats, you render yourself vulnerable to them and, through them, invite your inevitable comeuppance. If you accept your business in all its flaws, you’ll know where to protect yourself. If you do not, you may well go out in a blaze of shiny glory that is just as logically inexplicable as Dracula’s shape-shifting powers in this horrible movie.
There is a Bulgarian creation myth where in the beginning, the earth was just a tiny island. Cohabitating on this island were God and the Devil (guess they were more friendly then). One day, perhaps following an Oscar and Felixian roommate dispute, the Devil suggested that God take a nap, planning that whilst the almighty creator was slumbering, he could be tipped into the ocean. I guess that, in Bulgaria, one can be omnipotent and omniscient, and still somehow fail to gain their B.S.C. and S.S.C.
Anyway, as the Devil attempted to push God off the island, the island magically expanded in each direction (it’s clear from this story that the Devil wasn’t omniscient), so that nary a toe got dampened. The shoreline simply grew in each direction and, by the time the Devil gave up, the island had expanded to the size of our current Earth. Which basically means that the state of the Earth today is due entirely to Devil-induced scope creep.
It explains a lot, doesn’t it?
Scope creep is a danger in all projects. It doesn’t matter whether you’re developing an application, enacting a security program or just shopping for groceries, scope creep can blow both your budget and deadline. It’s tempting when you’re working on something to just add a little piece here and there because it will make future work easier. Unfortunately for the business, integer math insists on summation, and so long as businesses are profit-focused, integer math is going to be important. From a security perspective, scope creep is additionally dangerous because it complicates things. Complicated things are harder to secure than simple things. The simpler you can keep a project, the better you can understand it, so the easier it is to secure.
Scope creep, of course, is most dangerous when shopping. A while back, I stopped by the store to pick up some basics (apples, bananas, yogurt, etc), and I noticed that winter squash was on sale… so my scope expanded a little bit and two squash wound up in my cart. Later, once I got home I realized that I had no idea what to do with them (other than the basic roast squash, which is boring). After consulting one of my cookbooks, I discovered that I needed a few more things. After another shopping trip that involved carrots, celery, onions, garlic and broth, I soon had two soups a-simmering. Regrettably, the last step for each soup involved a blender, and the blender I had was incapable of dealing with the increased complexity of my soups. It quickly suffered what I must refer to as a catastrophic containment failure which necessitated another trip to the store to get a new blender.
All told, my initial scope creep of two impulse-bought squash cost me over a hundred dollars in ingredients and blender replacement, not to mention the ridiculous amount of time wasted in the endeavor. While I am thankful that I was able to find the blender-related security hole and believe that I have effectively mitigated the risk, life would have been much simpler had I not needed to.
I’m blaming the devil.
According to Aztec myth, after the previous inhabitants of the Earth had been turned into fish, the gods wanted to make more people. Now, one would rationally expect that if the gods liked people so much, they wouldn’t have flooded the Earth in the first place and turned all the previous people into fish, but the Mesoamerican myths don’t seem to be much for rationality and forethought.
Anyway, to create the people, the gods needed the magical bones, which were guarded by the Lord of Death. After a fairly typical quest followed by a challenge and the reneging by the Lord of Death on the deal, the hero carrying the bag of bones fell to the bottom of a pit and the bones were broken. That, of course, is why the people come in a variety of shapes and sizes.
Of course, we are quite lucky that the Aztec hero was such a klutz. The numerous variations in humanity have rendered us resistant to various plagues. (Technically, this is only partly true as there is evidence that humans are more genetically identical than most animals (except for cheetahs), but we’re ignoring that here.) The more variation there is in a genome, the greater the resistance to threats. Though similar concern has been raised about the ongoing homogenization of our food supply and how it renders us vulnerable to threats, this blog is about I.T. and business security.
For quite some time, I have been arguing against homogenization within certain businesses. The current practice of having all systems identical makes things very easy to manage. It makes it easy for auditors to verify that proper security standards are in place. It also can tie into automatic patching plans and keep everything up to date. However, it means that every person in the organization has to adapt themselves to the same software and that if an attacker manages to get into one system, they can march right into every other one.
Like all things, using system images is a tradeoff. It seems that many organizations implement imaging just because it’s best practice. Sure it solves some problems, but any change also creates others. Often, an imaging project identifies numerous applications to drop out of the environment. This is great for general security, as it reduces attack surface, but often many of these are there because they make the business more effective.
Given that the whole point of “the computer revolution” was that we are now able to adapt technology to our lives at very small levels, it seems like questionable logic to take devices that are capable of enhancing individual abilities and compensating for individual flaws and turn them all into identical machines and then force people to match them. Richard Bejtlich gets into this in more depth over in his post Let a Hundred Flowers Blossom.
My point isn’t that imaging is bad. In some environments, it’s a necessity. (Mostly regulated environments or those lacking a technically-skilled workforce who can select the appropriate applications to enhance their productivity.) It just shouldn’t be a goal without consideration of the total business impact.
After all, people are all different. If the technology is all the same, it obviously won’t work as well for some people as it will for others. The question to ask is whether the benefit of uniformity outweighs the cost of productivity.
In case you haven’t figured it out, I fall back to blogging about an Aesop fable when I’m stuck for other things. In this case, I am stuck underneath a cat and all of my mythological references are about half a meter out of reach. Luckily, many of Aesop’s fables are available online. Like, for example, this one.
In this story, a sleeping lion is startled awake when a mouse runs across his nose. Looking all around for whatever woke him up, he checks all over his cave and finds nothing. A fox observes this behavior and, knowing that he can outrun a sleepy lion, makes fun of him for being afraid of a mouse. Attempting to save face, the lion claims not to have been afraid, but more affronted by the bad manners.
As usual, Aesop completely missed the point of his story. Instead of being a droll observation of class structure of ancient Greece, it’s obviously a better lesson for dealing with initial network probes. Probes are a fact of life on the Internet. All sorts of attackers on the Internet want to take over your systems. The first step is to send out a small probe and uncover various things about the potential targets. This is part of what firewalls are supposed to prevent.
A lion needs a few things as it sleeps. Air, probably being the most important. However, if it wishes to stay asleep, it helps to have a way to keep the mice out of the lion cave.
As an aside, I personally question how common it was for lions to sleep in caves. Modern lions don’t seem to do this… though perhaps that has less to do with lion slumber preferences and more to do with a general lack of caves in sub-Saharan Africa.
So, if you have a lion that you wish to keep vermin-free, it would help to put up some sort of chicken wire fence over the “cave”, thereby allowing in air and preventing mice (and rats… it’s a twofer!). In much the same way a firewall keeps out known malicious traffic so your servers can crunch their numbers in peace. Admittedly, our firewalls block worms. Worms are smaller and trickier than mice, which is why the firewalls are more complex and expensive than chicken wire.
Running without a firewall would be like trying to coax a lion into sleeping while they are being trampled flat by a veritable cascade of members of the family Muridae.
Another one of Aesop’s fables that isn’t that well known is that of the aging lion and the fox. You can click the link and read it, but for those of you that are linkaphobic, here’s a short version:
A lion was getting old and having trouble hunting. He decided, instead, to pretend to be sick and went back to his cave, moaning all the way. Over time, as each of his neighbors stopped by to check on him, he ate them.
Then, one day a fox came by and asked how the lion was doing. The lion moaned and asked the fox to come closer. The fox then observed that the footprints all led into the cave, and none came out.
Clearly, the fox is the fable animal to be. He’s smart. He’s observant. He’s… umm… red and furry? (Are Greek foxes red? . . . Yes, after googling a bit, it seems that the red fox is global, and the grey fox is only native to the Americas… which has nothing whatsoever to do with this blog entry.)
No, the point of this blog entry is that of evidence. If the lion had been wise, he would have either wiped the tracks after each meal or (more preposterously) fabricated tracks going back out. The fact that he didn’t is what allowed the fox to escape and presumably tell the other animals what the lion had been up to (and Aesop, since he wrote it down). So, not only was the lion caught, but he lost his lovely little racket and probably starved to death shortly thereafter.
Most attackers are aware of this story (sorta), and do take some effort to reduce evidence. A burglar usually wears gloves, a bank robber usually wears a mask, and a hacker usually clears system logs. So, if we want to make it hard for the lion to wipe away the footprints, we have a few options. The first is to replace the dirt outside his den with fast-setting concrete… which would prove somewhat troublesome if you analyze this ridiculous analogy too far. The second is to set up a camera trap and record everyone who enters the cave. (For those purists who would point out that there were no cameras in ancient Greece, let’s just say that Hephaestus is there cranking out a vase for each animal. (Happy now, picky people?))
In the modern world, we actually use both of these techniques. Instead of fast-setting concrete, we have a hard drive technology called WORM, or Write Once Read Many. With this drive, you can store the logs in such a way that they cannot be altered. They are, however, quite expensive and can be difficult to set up properly. Instead, we generally prefer to use the camera/vase trap system. For this, we use one of many remote-logging technologies. The simplest is probably the venerable syslog server.
This solution simply involves setting up a dedicated server and installing one of the many syslog systems on it. Then you do a bit of configuration on each of the other servers you have and basically tell them to go log over there. Whenever there is an event, it goes over the network and is stored off the server. That way, if an attacker gets in, even if they wipe their own traces, there is a backup elsewhere that is (in theory) a lot harder to alter.
Of course, you still have to actually be the fox and look at the logs now and then, but at least you’ll be safe from a smart lion.
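Being the fox means comparing what the host still admits to with what the collector received. The following is an added example, not code from the original post: it parses BSD-style syslog lines from two constructed samples (a host’s own log after an intruder trimmed it, and the remote copy of the same host’s stream) and reports which entries survive only on the collector, plus the time window they cover. Host names, addresses and every log line are made up for the example.

```python
import re
from collections import Counter

# Constructed sample: the web server's own log as found after an incident.
LOCAL_LOG = """\
Mar 12 02:15:10 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 12 02:15:12 web01 sshd[2201]: pam_unix(sshd:session): session opened for user deploy
Mar 12 02:41:07 web01 cron[310]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: what the remote syslog collector received from web01.
REMOTE_LOG = """\
Mar 12 02:15:10 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 12 02:15:12 web01 sshd[2201]: pam_unix(sshd:session): session opened for user deploy
Mar 12 02:22:44 web01 sshd[2290]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar 12 02:22:51 web01 sshd[2290]: Accepted password for root from 203.0.113.9 port 40112 ssh2
Mar 12 02:41:07 web01 cron[310]: (root) CMD (run-parts /etc/cron.hourly)
"""

# RFC 3164 style line: "Mmm dd hh:mm:ss host message" (day may be space-padded).
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse(text):
    """Turn raw syslog text into a list of (timestamp, host, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if m:
            entries.append((m["ts"], m["host"], m["msg"]))
    return entries


def diff_logs(local_text, remote_text):
    """Return (only_on_collector, only_on_host).

    A multiset is used so that legitimately repeated lines are not flagged.
    Entries only on the collector are the interesting direction: the host
    cannot un-send what it already forwarded.  Entries only on the host are
    usually transport loss (UDP syslog drops), not tampering.
    """
    local = Counter(parse(local_text))
    remote = Counter(parse(remote_text))
    only_on_collector = list((remote - local).elements())
    only_on_host = list((local - remote).elements())
    return only_on_collector, only_on_host


def tamper_window(local_text, remote_text):
    """First and last timestamp of entries that vanished from the host, or None."""
    gone, _ = diff_logs(local_text, remote_text)
    if not gone:
        return None
    return gone[0][0], gone[-1][0]


if __name__ == "__main__":
    gone, dropped = diff_logs(LOCAL_LOG, REMOTE_LOG)
    for ts, host, msg in gone:
        print(f"missing on host: {ts} {host} {msg}")
    print("window to investigate:", tamper_window(LOCAL_LOG, REMOTE_LOG))
    print("lost in transit:", len(dropped))
```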
There is a Persian creation story that goes much the same way as the usual creation myth. First, there was nothing, then there was a god (Ohrmazd). The god made stuff and then people. Then the people screwed up.
People screwing up is really a common theme in myth, when you think about it. Maybe that says something about life?
In this case, though, the type of the screwup is a bit different. There’s nothing here about wanting to be the equal of the gods, disobeying orders or even just desiring to be more than they are. Instead, the people wind up having children (a popular activity). Then since they can’t bear to be separated from their kids, they eat them.
Ohrmazd the creator god is understandably surprised at this turn of events. What’s interesting is the solution. Knowing that the people just love too greatly, he reduced their love by 99%.
(As an aside, it’s worth noting that the Persians did a lot of interesting mathematical exploration and that this is the only myth I know of that uses numbers like this instead of something like “reduced their love as if love were water in the cap of an acorn, and when emptied, the moisture that remained was as the love that remained within the man the woman”. Are the two related? I don’t know, but it’s interesting.)
With the amount of love they could feel reduced, the people were able to have children and let them live long enough to have children of their own. Thus did humanity prosper.
Now, in the original, this was but a small piece of the story of creation (which also involved a devil and a bull, much conflict and blood and all the fun stuff you find in creation myths). However, for our purposes, it is enough.
There is a lot of talk in the business community these days about the power of love. I have no doubt that there is something there. If you love what you do, you can do it without feeling the burden. You can more easily justify risks and you can share the load by letting your love inspire others. However, there is a dark side.
The same love that makes it easy to get started on a project is what makes it hard to stop. Love can get you through the boring 20% of the work that takes 80% of the time. However, it’s not so good at allowing you to stop when you get to 100% complete. I’ve seen projects that fail because the quest for perfection goes too far. I’ve seen businesses falter and fail because the founder loves it too much to allow it to change.
That form of love is stifling, and while it’s becoming more acceptable to recognize the harms of excessive love within personal relationships, it’s still not well considered within the business world.
This is the sort of emotion that makes security practitioners secure things for the sake of their being secure… they’ve fallen in love with the idea of “security” instead of “protection”. There are many ways to protect an asset. Keeping out the bad guys is but one.
It’s a tough balance, I know. We have to love enough to keep us going in the face of incredibly difficult odds and constantly changing threats, but then, once a project is complete, reduce our love by 99% and allow our project to continue on without meddling with it and destroying it in the process.
While learning to let go is difficult and messy, if we’re lucky, we can do it without the massive quantities of blood and death that the Persians seem to have required.
There’s often something lacking when I read Native American mythology. Perhaps it’s that that form of mythology uses a different form of logic, perhaps they are fragmentary, or perhaps it’s because the original tellings were oral and participatory and it just doesn’t carry over to the written word. However, once in a while, you get a myth like this:
Why the sun rolls along
Sun was warned by a messenger, “Someone is coming to kill you.”
Soon a person came along and seized the Sun. He threw him toward the East, but Sun came back. He threw him toward the South, but Sun came back. The evil one came toward Sun again, but Sun began to roll along. Sun rolled and rolled and rolled along. He rolls along to this very day.
(From Shasta Indian Tales by Rosemary Holsinger.)
Clearly, there is something missing here. Such myths raise more questions than they answer… but lucky for us, this isn’t a mythology blog, so we can leave the questions alone. The point here is that the sun just keeps on rolling, no matter how the evil person tries to kill him. As with many things, it’s all about persistence.
I’ve had numerous projects in the works for years, and at some point, they just stopped moving forward. Due to a lack of energy on my part and other pressing concerns, progress just ceased. There’s only so much time a day (mostly because Sun keeps on moving), and it’s sometimes not possible to keep everything progressing and something has to stop in order for other things to continue. Last week, my blog stopped. I had taken a week of vacation to make some progress on another project. I had worked up a buffer of blog posts to cover the time I wouldn’t be paying attention to the blog… but I forgot about the post-push resting period.
The nice thing about being a mythic character such as Sun, is that you only have one thing on which to focus. (Well, two if you count “rolling along” and “being glowy”.) Here in the real world, we often have too many things going on to “keep on rolling” on more than one. For me, the one thing that is always 100% consistent is monitoring security posture. Things change every day. In fact, just over the weekend, we got reports of an iPhone attack, a discussion on legacy systems, and a revival of an old attack. Last month, there was a huge amount of malware to keep on top of as well as numerous patches from major vendors. The threats never stop, so those of us in security have to keep on rolling.
Unfortunately, this means that other things have to be dropped sometimes. But hey, even Sun sometimes takes a day off, so I don’t feel that bad. I’ll just try to pick things back up and get to posting again. Hopefully I won’t miss too many days as I get things running again.
This isn’t one of Aesop’s more commonly known fables. Like most of them, it’s quite simple. Essentially, a dog and rooster are friends (we ignore the improbability of that bit), and taking a bit of a holiday. As they came to the end of the day, they decide to go to sleep. As is their nature, the rooster perches atop a hollow tree and the dog curls up to sleep inside the tree.
When morning comes, the rooster crows, and attracts the attention of a fox. The fox invites the rooster home for breakfast. The rooster, being wise (demonstrating again, that this is a fable and not reality), tells the fox that he is regrettably unable to accept such a generous offer, but instead invites the fox to join him inside the tree. The fox (seemingly unable to smell the dog within) enters the tree and is promptly devoured.
Clearly, the lesson that Aesop wished us to learn was to beware the rooster. However, it is also quite possible that Aesop was covering for the known illegal leanings of roosters and dogs. This dastardly duo was singlehandedly responsible for the massive reduction of the fox population in ancient Greece. This is much as how modern phishers work.
Security attacks have gotten sufficiently complex that different people are better at different aspects. Some attackers are best at writing malware and others are best at sending the emails that distribute the malware. So, just like the dog and rooster, they have gotten good at working together. By each relying upon their best skills, they can take over (attract and eat) various targeted computers (foxes).
Of course, this only works on foxes that aren’t paying attention. If the fox in the story had simply stopped to realize that:
- Roosters tend not to live in hollow trees.
- Dogs have a noticeable odor. . . especially for foxes.
The same applies to phishing emails.
- Organizations such as the FBI and IRS are generally not in the habit of emailing people.
- Phishing spam also has a noticeable odor (spear phishing is a bit different).
At the core, email is not 100% deliverable. If anything is extremely important (as something from the FBI or IRS would be), it would come in a manner that is more reliable. Registered letters and phone calls tend to be popular. Similarly, if someone has your email address, wouldn’t it make sense that they already have your name, phone number and other personal information? If an email asks you to “verify” your information, it’s good to be suspicious.
Above all, unlike the fox in the story (and just like foxes in real life) it pays to be wary.
A bit of poetry to start your week:
Ozymandias by Percy Bysshe Shelley
I met a traveller from an antique land
Who said: “Two vast and trunkless legs of stone
Stand in the desert. Near them on the sand,
Half sunk, a shattered visage lies, whose frown
And wrinkled lip and sneer of cold command
Tell that its sculptor well those passions read
Which yet survive, stamped on these lifeless things,
The hand that mocked them and the heart that fed.
And on the pedestal these words appear:
‘My name is Ozymandias, King of Kings:
Look on my works, ye mighty, and despair!’
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare,
The lone and level sands stretch far away”.
Ozymandias (who we now know as Ramesses the Great) was an Egyptian king who many consider to be the most important one ever.
( probably translates as “World’s Greatest Pharaoh” and was found on a mug*, probably given by Prince Ramesses-Meriamen-Nebweben in a desperate plea for attention.)
As tempting as it is to go off on the typical history geek listing of great accomplishments, I’ll just point you to the Wikipedia Link instead. Besides, it’s more fun to look at Shelley’s poem. The point, fairly obviously, is that Ozymandias was one impressive guy in his day. He was the Grand Poobah of all of Egypt, did a lot of impressive stuff and was well nigh irreplaceable. Today, little remains of what he did, we get his name wrong in history and make fun of him in blog posts. He was vital in his day and was utterly erased by the sands of time.
(Granted, due to advances in archeology, we know that this isn’t historically true… but we’re talking about a poem from 1818 (and this blog is ostensibly about IT security anyway, so we’re going to ignore the truth in favor of the lesson.))
We all know people like Ozymandias. Many of them, for some reason, seem to find jobs as IT administrators or developers. They may protect their knowledge within a little silo whilst claiming “job security”. They may build large and complex systems and brag about how they are so complex that no one can ever figure out how to support them. They may resist applying updates or integrating their systems in with everything else, because it’s their legacy. They may also be laid off in the next round.
The problem is that actually, Ozymandias was pretty impressive. He was the most important person in his sphere (being Egypt from 1279 BC to 1213 BC). However, he was clearly not the most important person ever (Bing says that was Juanita Gooden’s mother, Google is less certain) and his works have clearly not survived. The same applies to those special isolated IT systems.
The sad fact is that people don’t last forever, and whether they retire or move on, the systems they leave behind won’t last forever either. In fact, if there is a system that others were never allowed to maintain, it will often age even more quickly than other legacy solutions. No one will be able to troubleshoot it or update it for changing business conditions. It will begin to fail and then the business owners will likely look at purchasing a system to replace it.
Sadly, when this occurs, it serves to commoditize the business just a little bit more. Over time, that which makes a business unique will be eroded by the sands of time and when the business fails, nothing will be left but ruins. Then, three thousand years later, some historico-business-poet* will write something about the former technology and how greatness doesn’t last.
*OK, you tell me when they’ll call industry analysts in three thousand years.
The thing is, this could have been avoided. An empire does not exist solely for one man… nor does a business. If the business can identify those protectionist silos and work towards integrating them with the rest of the operations, not only can technological similarities be leveraged but it would be possible to add developers or maintainers and accelerate the adaptability of the business. This would drive the business away from becoming a commodity… then they just have to wait for the other businesses to slowly crumble into dust and they emerge victorious.
(Image by Hajor.)
Yesterday (as I write this), I was privileged to attend the Iowa State University Cyber Defense Competition. The basic idea is that you have students build a handful of servers that must withstand attack from the “red team” while simultaneously providing services.
Though I generally specialize in Linux defense, I did manage some successful attacks against both operating systems. There was one team that watched the network and blocked some of the IP addresses that were attacking them. There was another that was hiding behind a firewall appliance. However, what was most interesting was the level of awareness that different teams had about what I was doing. Generally, once I connected via an encrypted session, the admins let me do whatever I wanted to do. I could try exploit after exploit with no interference at all. Odds are, if they were watching me at all, they were looking at network traffic. As such, I was hidden from their view due to encapsulation.
TechTarget defines encapsulation as: “In general, encapsulation is the inclusion of one thing within another thing so that the included thing is not apparent. Decapsulation is the removal or the making apparent a thing previously encapsulated.” . . . but this is boring. I could go on at length about how TCP/IP has layers like an onion (or an ogre), or I could just point you over to The TCP/IP Guide. However, since TCP/IP is also boring, I’ll let you go read about it yourself.
Instead, I want to talk about the Mayans. After the competition, I was relaxing at home by reading a book of Mesoamerican Myth, and I got to a part that told how Xbalanque and Hunahpu (let’s call them Xbally and Huna for short) were contacted by their grandmother. Apparently, the spread of the Internet had not reached the Yucatán Peninsula by 250 AD, so when their grandmother wished to send them a message, she didn’t send them an instant message. Instead, she told a louse.
Now, it is clearly ridiculous to think of a louse able to carry a message all the way to the Eastern end of the Earth (likely Tulum), which is why it was most fortunate that the louse was swallowed by a toad. The toad, of course, was eaten by a snake, which was gobbled up by a hawk. The hawk then flew to Xbally and Huna. Of course, the hawk could not give them the message directly. He had to first disgorge the snake, which spit up the toad which vomited up the louse (you can’t keep a good louse down), which delivered the message. At which point, our pals Xbally and Huna went off to the underworld to work for some strangely-named underworld gods, avenge their father and otherwise exit the interesting part of our story.
See, the message couldn’t get there on its own. No matter how loud someone shouts, there’s a limited distance along which the message may be understood. Thus, it helps to encapsulate the message inside a louse (SSH). If anyone looks at the louse, they just think “eew, louse!” and not “hey, maybe that louse contains a secret message”. Even if the louse were cut open, it wouldn’t reveal anything other than louse guts. The message is well concealed.
However, even though a louse is a good way to hide in plain sight, it’s not so good at crossing distances. Particularly if the terrain is somewhat marshy. That’s why, if you don’t want the message to drown, you’d better put it in a toad (UDP). This way, the delivery is more robust.
(As an aside, I chose UDP over TCP for this analogy, because otherwise at the end of the story, Xbally and Huna would have to find another louse, give it a message that says that they got the message, shove it in the toad, feed the toad to the snake, let the hawk eat the snake and send the snake back to their grandmother… and that would just be silly.)
A toad, however, doesn’t do so well in all environments. It may be able to hop over a desert, but it would take a while and it could get lost. That’s why toads are more comfortable inside of snakes (IP). The snake has a more complex brain and can remember more of the environment than a toad can. Thus, instead of just hopping from puddle to puddle in the hope that it’s going the right way, the snake can take a more direct route… within its own little area. Snakes are, alas, not so good at crossing barriers like mountains and chasms. For that, you want a hawk (Link Layer). The hawk is used to flying and tends to have a good solid understanding of its environment. When it flies, even if snake-laden, the hawk can get where it needs to go quite quickly by flying through the air (Layer 1).
Thus, by combining all four animals (or Link, IP, UDP and SSH), you can get a message securely to where it needs to go. True, these days we use somewhat obscure mechanisms to do so, but hey, these days lice are relatively rare.
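To make the hawk/snake/toad/louse nesting concrete, here is an added example (not from the original post) that builds one Ethernet frame carrying an IPv4 packet carrying a UDP datagram carrying an opaque payload, then peels the layers back off. It follows the post’s UDP choice rather than SSH’s real TCP transport, and the “louse” is just a constructed byte string standing in for an encrypted SSH packet; no encryption is performed. The MAC addresses, IPs and ports are made up, and the IPv4 header checksum is the real RFC 1071 one, so a flipped bit in the snake is detected on the way out.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(message, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac):
    """Wrap message (the louse) in UDP (toad), IPv4 (snake) and Ethernet (hawk)."""
    # Toad: 8-byte UDP header. Checksum 0 = "not computed", permitted over IPv4.
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(message), 0) + message
    # Snake: 20-byte IPv4 header, no options; checksum filled in second.
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, PROTO_UDP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    # Hawk: Ethernet II header, dst MAC, src MAC, EtherType.
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Peel each animal off in turn; each header only knows about its own hop."""
    layers = {"link": {"dst_mac": frame[0:6].hex(":"),
                       "src_mac": frame[6:12].hex(":"),
                       "ethertype": struct.unpack("!H", frame[12:14])[0]}}
    if layers["link"]["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("hawk is not carrying an IPv4 snake")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:            # sum over header incl. checksum must be 0
        raise ValueError("IPv4 header checksum mismatch")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    layers["ip"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                    "ttl": ttl, "proto": proto}
    if proto != PROTO_UDP:
        raise ValueError("snake is not carrying a UDP toad")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    layers["udp"] = {"src_port": src_port, "dst_port": dst_port, "length": udp_len}
    layers["payload"] = udp[8:udp_len]     # the louse, still opaque to every layer above
    return layers


# Constructed sample values for the demonstration (not real hosts).
SAMPLE_FRAME = encapsulate(
    b"<ciphertext stand-in: grandmother's message>",
    "192.0.2.10", "198.51.100.7", 40000, 2222,
    "02:00:00:00:00:01", "02:00:00:00:00:02",
)

if __name__ == "__main__":
    for name, value in decapsulate(SAMPLE_FRAME).items():
        print(name, value)
```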
It’s a good tradeoff.