Small Business Attack – Network Reconnaissance

Suppose an attacker gets into your network. Last week, we discussed a few tools that they might use to profile different systems, but we didn’t look that deeply into network scanning. Once they’ve done some of the more-basic and subtle checks, they may go on to more active exploration. The advantage of more active exploration is that an attacker can identify all services on all systems in a very short period of time. The disadvantage, of course, is that they are more likely to be detected.

However, since this is an attack day, let’s look at what the attacker can do here. Once they have control of a system, they can use namp to scan the system. Suppose you have an internal file server, other workstations and printers. In seconds, the attacker will have a list of all systems and what’s running on them. For example, here is a (slightly altered) list of systems available from a wireless network.

# nmap 192.168.4.*

Starting Nmap 4.75 ( http://nmap.org ) at 2009-09-04 14:01 CDT
Interesting ports on 192.168.4.21:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8654/tcp open  unknown

Interesting ports on 192.168.4.249:
Not shown: 997 closed ports
PORT      STATE SERVICE
6006/tcp  open  X11:6
9220/tcp  open  unknown
16001/tcp open  unknown
MAC Address: 00:40:63:99:58:E2 (VIA Technologies)

Interesting ports on 192.168.4.254:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2000/tcp open  callbook
MAC Address: 00:B0:D0:C0:54:11 (Dell Computer)

Nmap done: 256 IP addresses (5 hosts up) scanned in 12.61 seconds

So here, an attacker would know that 192.168.0.254 and 192.168.0.21 are running ssh, and therefore are likely Linux or Unix servers as well as the brands. For example, a Dell Computer that is running ssh may well be a server worth attacking (in this case, it’s not… but it could be). So, in twelve seconds, the attacker will know exactly what to target. Sure, it’s a noisy and noticeable way to profile a network, but if you don’t notice the attack, it’s well worth the risk.

But what can you do about it?

Security Lessons from Nature – Salamanders

All amphibians have poisonous skin secretions, which means that the common salamander is coated with a thin poisonous film. While not terribly useful for finding food or mates (the two things that salamanders really care about), it is a good defense against being eaten by passing dogs (or eagles, whatever). Over time, predators have learned to avoid certain amphibian coloration patterns as, not only is poison pretty bad for you, but it probably doesn’t taste too good either (despite the rumors).

So, what we have is a collection of animals who tend not to stray too far from water, aren’t very fast and have almost no practical defenses. To a predator, they would be little yummy blobs of protein but for the little poison problem. What can we learn from this?

The trick is in adapting this technique to business. It’s important to remember that being poisonous doesn’t really protect the particular salamander, as once the poison is ingested, the salamander probably has been as well (and while some salamanders can handle fire, hydrochloric acid probably still burns them).

Since slathering employees in gelatinous strychnine has certain implementation difficulties, we should probably abstract the idea a bit. What we need is a way to let predators know that an attack would be unwise without actually being attacked.

This is often done through the legal system. As Brett Trout has said, a company that has taken legal action in the past is less likely to require legal action in the future. So, one thing to do is to ready your business should court action be needed in the future. This requires a bit more preparation and a bit more attention, but can pay off hugely. For starters, you need to make sure that terms of access are clear and delineated. Practically, this means that each network-accessible service needs to have a banner that makes it clear what is and is not allowed. It means that employee handbooks should put forth clear policies and that local login pages also lay out the rules clearly.

Secondly, you should have some sort of technology in place so you can detect when policies are violated. This could be as complex as an SIEM and Log Management system, or as simple as just looking at access logs every day. Lastly, you should have a lawyer around so that when you do detect something, you can take immediate action.

This way, you have a defense that only needs to be active when under attack (lawyer) and warning coloration (banners). It may not prevent a predator from attacking you, but it would make them unsuccessful and, in the long run, warn other predators away from your business.

Mythic Monday – The Linnet and the Bat

Aesop’s fable 75, sometimes called The Linnet and the Bat discusses a situation where a bat and a caged linnet* are discussing why the linnet sings at night instead of during the day.  The linnet’s explanation is that he was singing during the day and that’s how he was caught and caged in the first place, so now he only sings at night.  The bat observes that it’s a mite late for caution, since the linnet is already captured.

The point of the fable is supposed to stress the uselessness of regret. However, it applies equally well to system and network hardening. Many businesses will look into remediation after they have been attacked, when it is far easier to do the hardening work ahead of time. Sure, no one wants to spend money they don’t need to, but as with most things in life, it is far cheaper to invest in prevention than correction.

When you build a server, it takes but a few extra initial hours to apply hardening templates and an hour-or-so a month to keep it updated with patches. However, if an attacker gets in, the server will likely have to be completely rebuilt, losing time in addition to the business loss from the outage. Additionally, it is quite likely that the attacker would have gotten into other systems on the network, so the time spent correcting the problem is multiplied by the number of systems on the network.

Really, it’s better not to get caged in the first place.


* There is a great deal of linguistic controversial about the nature of the bird in this story.  The problem is that the word bôtalis, which has been translated as “linnet”, “goldfinch”, “canary”, appears only in this one fable. That none of this matters to the point of the story only serves to illustrate the fact that Classicists have nothing better to do with their lives than debate over ornithological divisions, instead of spending their time on more practical endeavors… such as researching obscure myths and linking them to I.T. security.

Site Review – Twitter

I think that everyone knows about Twitter by now. At first blush, one wouldn’t think that you could cram much information into just 140 characters… and one would probably be right. The signal to noise ratio on Twitter is exceptionally low.

However, despite it’s obvious flaws, people persist in using the site. Some use it keep in contact with friends. Some use it to communicate with business associates. Others just tie third-party systems into twitter and use it as a variant of an RSS feed.

However you use it, though, you should be aware of the security ramifications of the system. At it’s core, Twitter has two modes of operation. Everything you post is either fully public or protected (sorta private). So, the first question you have to ask yourself is whether you trust Twitter’s protection mechanism to keep your private data private. If you do, and you intend to broadcast private information, go ahead and use the protected mode. If, however, you wish to use the system for business, keeping it set to public makes the most sense. After all, you can’t promote a brand if you can’t be seen.

So, assuming that you are using Twitter publicly, you have to assume that anyone and everyone will be able to see your tweets. Thus, you should be careful with what you post. Keep in mind that, as with everything you put on the Internet, it will be there forever. Since you will change (like, both as a person and with regards to your company and career affiliation), your best bet is to just stay honest and polite. It’s pretty much inevitable that you will wind up looking stupid at some point, but you should probably be careful not to say anything that could come back to directly harm you.

So, the basic rules are the same as with most Internet sites.

  • Be aware that everything you do is public.
  • Try not to anything too unredemingly stupid.

Then you’re just left with the challenge of saying something useful in just 140 characters.

Small Business Defense – Network Exploration

Really, once they’re in, there is little you can do. If the attacker gets in too far, you’ll never know where the attacks are originating so unless you’re willing to build a completely new network with all new systems and applications, they’re there to stay.

One thing you can do is to segment your network ruthlessly.  If sensitive traffic doesn’t traverse the weaker zones, an attacker will have a much harder time getting to the parts that matter. Another is to eliminate all the systems you can.  A simpler network is easier to both maintain and to defend.  If you know each and every system on the network and what it should be doing, it is easier to identify when odd things occur.  You should also encrypt everything you can.  Now, this isn’t a perfect solution, as in order to be useful the traffic has to be decryptable, but it does limit the number of targets that the attacker can find useful.

Lastly, you should familiarize yourself with the tools mentioned yesterday: Ettercap, DSniff and p0f.  While it’s not about the tools, it is useful to understand what attackers can do.  All three are available on the Backtrack LiveCD so you don’t even have to worry about installing them yourself (which can be tricky, depending on your OS).

Small Business Attack – Initial Exploitation

Thus far, I’ve talked about ways that attackers get in to your computers or network.  I’ve not talked much about what they do once they’re there.  Though there are a great many things that can happen once they get in, one of the first things done is to make sure that they can stay in.  They may put backdoors into systems, set up secondary VPNs or modems or they may even sneak other systems onto your network.

Given that many networks aren’t fully mapped or even have tightly controlled access, there are many places on a network that a system can hide.  One common trick is to walk into a business with a pre-programmed netbook or wall wart. This machine can then conduct passive network scanning and man in the middle attacks.

With tools like Ettercap, DSniff, p0f, an attacker can alter network traffic in transit while convincing both sides that things are fine. They can identify systems on the network while evading detection and check for important data crossing the network.

Yes, given time (a decreasing amount, sadly), they can do almost anything, but to start, they’ll explore the network and try to identify targets for future exploitation. The question is, what can you do about it?

Security Lessons from Nature – Elephants

As I write this, I am sitting in my living room watching Tomb Raider: The Cradle of Life.  Which, when you think about it tells you several things.  First of all, modern technology is pretty neat.  Second, if you believe the movie, the technology of the ancient Romans was even cooler.  Third, my taste in movies could stand some improvement.  However, one thing is certain… the movie has elephants in it, even if only by reference. Since elephants are profoundly more interesting than firing guns and shattering glass, I think I’ll talk about them instead.

Elephants are big. Really big. They’ve also been around for a long long time. (Despite the fact that the Wikipedia entry on their evolution is the most pathetic I’ve ever seen.) They’ve lived this long by staking their survival on their size and the fact that they’re big enough and strong enough to handle anything that comes their way. This strategy, of course, has it’s own costs.

  • They have to eat hundreds of pounds of food each day.
  • It takes them almost two years to gestate their young, and even then, it’s only one at a time.
  • Babies require a significant amount of care, monopolizing the attention of several adults.
  • It takes a lot of time to move… or to stop.

In exchange for all of this, they get to be the biggest, baddest, floppy earsyest animal on the savanna.  They get to rip up trees with their noses… which is useful when they need to smack lions around.  And on top of all of this, they have two spears sticking out of their faces for when they are in a stabby mood (and those pesky lions just won’t take a hint).

And there in lies the problem.  The ivory in the tusks and the fact that they make “good” trophies caused a hunting spree that dropped their population to 1,300,000  by 1981 and to around 50,000 today. Though they were well adapted for life before humans invented guns, they’re not faring so well now (along with many others, actually).

The business lesson here is, I suppose, to not take anything for granted. A business model could work perfectly well for years and then one small change can come along and reduce your profit to 1/26th of what it once was. It’s happened before.

Just as, over time, elephants can develop new strategies, so can we.  If something isn’t working, or a strength becomes a weakness, it can be changed.  Who knows, if they survive, maybe elephants will eventually evolve shootable tusks or bulletproof skin.  Maybe I will learn that sequels to action movies are never good.  Perhaps your business can change and adapt to new conditions.

The good news is that you’re not an elephant, and businesses can adapt faster than genomes can.  You just have to keep your eyes open.

Mythic Monday – Stables of Augeas

Cleaning the stables of Augeas, for those that do not recall, was the fifth labor of Heracles. His task, as one of many to gain the forgiveness of the gods for accidentally killing his wife and children, was to remove all the dung that was produced by the immortal cattle of King Augeas’s. Unlike most of his other labors, this one was deemed to be impossible, not due to the inherent danger but for the shear amount of work. On the positive side, if Heracles did it, he would get one tenth of the cattle.

Heracles managed the task by thinking outside of the box. Instead of cleaning the stables in the traditional manner, he rerouted two rivers to wash it all out (and, presumably, causing a fish kill somewhere downstream).I n one day’s work, Heracles managed to make the stables more efficient and eliminate many of the legacy problems equated with an unclean stable – bacteria, fungus, pests, misplaced pitchforks. Then, King Augeas was perfectly positioned to make improvements and run his stable better than ever before. Of course, he doesn’t do this… preferring instead to try to steal from Heracles and got killed.

But our security lesson today isn’t about Augeas (though “don’t tick off demigods” isn’t a bad general rule). Instead it’s about cleaning things up. Just as various threats lurk in manure and compound over time, the same applies to source code. If you develop software, I’m sure that your developers have come to you at various times and suggested that the code base be wiped clean and they be allowed to start over. Odds are that you’ve said “no”. Odds are that you were right.

It usually doesn’t make sense to throw work away and start over. Doing so would give your competitors a time advantage and while you’re making the newest whizz-bangiest system out there, you’re losing marketshare. However, if you let the bad code pile up too deeply, the internal threats will grow and you may not be able to handle them. Then, like King Augeas, you may choose to ignore the problem and hope for a hero to come by. In the meantime, other systems will be getting whizz-bangier and you’ll be losing marketshare.

So where’s there to do?

You basically have two options. You can hire yourself a hero (consultant) to throw away what you have and start over, which could cost you one tenth of your profits, or you could just get better at cleaning your own stable in the conventional manner. When your developers come to you, you know that it is impossible to clean the entire stable (code base), but you could allow them to clean a few stalls (modules). By taking such an approach, you can prevent pests (vulnerabilities) from mounting up without needing to worry about losing your stable entirely or even one tenth of your cattle.

So, your stables may never be completely clean, but they might be able to be kept “clean enough” so that the vulnerabilities don’t mount up and cause you problems.

Review Review – ComputerWorld's Free AV Wrapup

This week, ComputerWorld released a review of free anti-malware systems.  The conclusions were much as one would expect, mostly that the free stuff works OK but the pay stuff is probably better.  The free systems are ranked here, if you are so inclined.

So, really, there’s nothing new here.  However, I do want to point out a few things:

  • Only one system has phone support, and that costs $50 per instance.
  • Many of them fund themselves with advertisements.
  • Heuristic detection was pretty poor across the board.
  • None of them update very frequently.
  • Most of these companies have a for-pay version available as well.

I know that most of us are always looking to cut costs, but the sheer number of times that I have removed expired or non-functional anti-malware systems indicates to me that this is very important.  Do not scrimp when it comes to security software. The good stuff costs real money for a reason.

If there is a problem, a reliable company will take care of you. The goal of a business in this space should be to help you maximize your profits.  Sure, they have to cover their costs and make a bit of profit themselves, but attitude is extremely important.  If they approach the problem of “people don’t want to pay for anti-malware” with “let’s constantly distract the users with popup ads”, do you think that they have your interests at heart?  If they charge as much for one support instance as it does to buy a license with unlimited support, do they really want to help you?  (And, do you think that they have an incentive to have you not experience problems?) If they make no distinction between “I am unable to login to World of Warcraft” and “I am unable to make payroll”, do you really want to work with them?

I mean no disrespect to ComputerWorld here.  I know that they serve both the consumer and business markets.  I know that there is a place for free anti-malware systems in the consumer space (though I think it’s quite small).  However, to answer the question “Can You Trust Free Antivirus Software?”, I’d have to answer unequivocally “no”. If you are in business, you should use a business-quality anti-malware suite.  Even if you’re at home, if your business requires you to use your home system, it should also be protected by a business-class anti-malware suite. 

Odds are that you know the cost of your time, and if you are unable to work because you get sick, you know what it’s worth to protect against that, that’s why we have health insurance (however it winds up being paid for in the U.S.).  Similarly, if your computer gets sick, how will that impact you?  Does your computer need health insurance too?

Small Business Defense – Steganography

First of all, I have to stress that this is a good news / bad news situation.  The good news is that the vast majority of you have nothing to worry about from steganography.  The bad news is that the reason steganography isn’t a threat is that you probably have a great many more holes that are easier for an attacker to exploit.

If an attacker can email out random files, that’s much simpler.  If they can burn CDs or write to USB drives (remember that many MP3 players are also USB drives), they could do that.  Some data could simply be printed out can carried off.  Attackers could also transfer files away directly via many protocols such as HTTP, FTP and SCP.

So, realistically, you only have to worry about steganography if you’ve managed to close off all these other leak vectors.  Most businesses haven’t, so the rest of this is probably not of much use to you.  If you haven’t, start identifying valid outbound traffic and blocking everything else.  That alone will likely take several months.  Then come back and read the rest.

The easiest way to prevent steganography is to prevent the sharing out outbound files.  This means blocking attachments in email, and severely limiting access to all other websites.  This means no eBay, no Flickr, no Facebook.  No external websites of any kind.  Any site that allows users to post content should be off limit.

This leaves one major vector – public-facing web sites.  Luckily, you have control over these, so you can directly manipulate the files.  There are tools that can help you identify files that might contain hidden data.  They work by mathematically analyzing the files and seeing if they are altered from a “normal” distribution. Another method would be to collect hash signatures for each file, and check for alteration. This does, however, require that you have absolute trust in the person creating the files and depends on the hash algorithms being secure. These days, that may not be such a safe bet.

So, as cool as this technology is, it’s important not to rely entirely upon it. There may be file types it cannot identify or new techniques to hide data. It may be better to configure the web server to only allow certain types of files (such as .jpg and .png files) and then attack the data source directly. Simply alter each image file and randomize the lower order bits. This way, it doesn’t matter if there was steganography in them or not. It’s removed before it goes online.

So, in conclusion, steganography is a real threat, but it is also more difficult to use than many other commonly existing holes in infrastructure. It’s not easy to deal with, and if you have other holes open, it’s probably not worth going after. However, if you can manage to deal with all the other threats, it’s worth considering.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.