Five steps to becoming the local security guru


It's not difficult to become the local security expert -- the guy to whom others look when they need network resources secured, the guy they point to when they want to source someone in their attempts to reform security policy, and the guy organizations like TechRepublic ask to write about security. In other words, barring perhaps the ability to compose a well-written essay without grammatical and spelling errors, it's not too difficult to be me. There are really only five steps to it.

  1. Get outside of your comfort zone. Use software that isn't familiar to you. Learn about new technologies. I don't mean you should try a different antivirus solution -- I mean you should use something fundamentally different.

    If you're an MCSE who's done nothing but manage Active Directory domains professionally, set up a network at home using Linux and FreeBSD systems. If you're a multi-OS geek who has Linux, Windows, and MacOS X desktops at home -- and maybe even an old BeOS or Amiga system -- take a shot at setting up a backup server and an automated logging server, and then go on to build a firewall and router from scratch.

    I've done much of that already, but I've got my eye on Plan 9 as a new operating system challenge. If you get out of your comfort zone and learn about different technologies, as I have, you'll start to learn things about the technologies you already use when you find your old assumptions about how things work don't hold up to scrutiny.
  2. Learn some programming. Even just a little bit will help you understand more about how software architecture plays a major role in overall system security. More than a little bit will teach you even more about it. When you learn how to write drivers for a given operating system, for instance, you'll learn something about the security weaknesses of that OS. When you learn how to write code that interacts with the file system, you'll learn something about how file system design and OS privilege separation matters where the rubber meets the road, so to speak.
  3. Read voraciously. Join some mailing lists, for a start. Good lists to join include open source community lists, programming lists, and the Security-Basics list at SecurityFocus.

    That's for learning principles of security. To keep up with what's shaking in the security realm, so you're always on top of the latest security news, almost nothing can beat the BugTraq list. While you're at it, read what other security experts such as Bruce Schneier have to say.

    Get your hands on some good books about security and read them. Security "cookbooks" are surprisingly useful, and a keen mind can grow to understand quite a lot about security principles from the "recipes" in these books by considering why and how they work.
  4. Check your assumptions at the door. Secrecy does not equal security, you don't always get what you pay for, and security features don't always make you more secure. I'm not saying you should ignore everything you think you know -- just double-check it, triple-check it, and always be open to the idea that what you think you know may be wrong.
  5. Finally, think for yourself. Don't just take someone's word for it when you're told something about security. Think it through, consider it carefully, and verify it for yourself, if at all possible. Consider what might be missing from what you're told, and consider the source. Everyone has an agenda, so you need to consider the goals of your sources. You also need to be aware of your own agendas, so you can avoid the trap of confirmation bias.

Here's a bonus, a sixth item to add to your list: Stay tuned. I'll be providing a lot more for the would-be security guru to think about right here in the TechRepublic IT Security blog in the near future.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

80 comments
daasdfs

I started as a salesman for a small firm making 35K. They had no IT department or anything else but a basic Unix system and software. I fixed a few things for the company just because no one else would. I now make 150K for the same company and work when I want to. I take care of the computers, networking and security. Life is good.

fanchant

The SecurityFocus lists are great, and always seem to be willing to answer newbie type questions. Look for local user groups as well. And of course, there's always sitting with your security geek mom in the living room while she watches movies and says things like "See, son, that's a social engineering breach." which is how my son will become a security guru....

Kozimoto

Huh? Security and anti-hacking is a science, and you make it sound like anyone running Virtual Server with a number of guest OS's can become a security guru. This is definitely not the case. Your suggestions on how to start don't even scratch the surface. It's all out war I would say, and you're asking the troops to be generals before they pass basic training. Local security guru? Set-up a few OS's? Learn to program "a little?" Come on??? Hire a hacker if you want to keep up. You'll be so far behind the 8-ball if you follow this path you'll never be considered "the local guru" especially when you are hacked. That's when the butter meets the bread, and you're in the middle of a (*#& sandwich professing to be in control of the whole thing. I wouldn't suggest that anyone step up and take this role unless you have taken on the role of a hacker successfully. You're only setting yourself up for failure if you do. Unless you have been in the security "race" for some time, have actually hacked a few systems, and feel like stepping out of the closet and putting on the white hat, then don't take on this role. You will lose and there's too much at risk to say you're the security guru just because you've followed these high-level suggestions. There's FAR more to it than what's listed here.

halibut

It still goes back to the certification question. What if any security certifications are worth a hill of beans?

Oktet

This is a superb article; however, I was wondering if there will be more additional information on the next post pertaining to the information pasted below. 2. Learn some programming. Even just a little bit will help you understand more about how software architecture plays a major role in overall system security. More than a little bit will teach you even more about it. Question: Are there any programming languages you would recommend learning, because there are numerous programming languages and one cannot be the jack of all programming languages. If you're a multi-OS geek who has Linux, Windows, and MacOS X desktops at home -- and maybe even an old BeOS or Amiga system -- take a shot at setting up a backup server and an automated logging server, and then go on to build a firewall and router from scratch. Build a router from scratch, now there is an idea- I did not think that was possible, I thought it was cheaper to buy one. Furthermore, I have a SOHO LAN with four computers. Question: Would my little SOHO LAN require a backup server, or am I in over my head? The idea of building a backup server and creating a firewall sounds exciting, more info will be appreciated on the next post, in addition to the research that I will do on the above mentioned information. Thank you.

the1whodidit

I think the security field has a big scare factor to it. When it comes down to it, there are just not many serious "threats" out there to the general public. I've been in computers for 20 years and that includes admin, support, developer, qa, etc. I've never used any anti virus software and never gotten a virus. If you know what you're doing, they're easy to avoid. To me it's kinda like the Y2K scam. If that wasn't the biggest hyped up scare. What a crock that was. Every time I posted or talked about it, everyone said "but what if" and stuff. I would say there's no "what if"....I've programmed in cobol and other languages and it's just not that big a deal to find and fix....I've also done embedded systems and it's just not that big a deal. I'd go into detail about code, integers and memory storage and that's when people would just glaze over. I've also talked to a manager of a "real" security team and he talked about his people hacking into a network through printer....and I'm saying...ooo, they can print out a bunch of test pages, but what else can they do. He didn't know. He was a manager though. Now don't get me wrong, there's definitely a security factor out there, but just like the prez, the scare factor helps rule the general public. I'm sure there's a ton of ignorance in all this, but I'm just going from experience and what little security knowledge I have so.... I really would just like to see some examples of some serious security issues that have happened in the past. And I'm talking about general public here...they aren't running a server on their machines. No IP spoofing either. Just plain "here's the hole and here's the code that was used to exploit it." And I'm not talking about an email attachment that someone opens. Of course that's going to be a problem. I'm talking about something like one of these thousands of security patches for IE. 
Where's an example of how one of these problems actually caused a hole that someone used to hack into the general public's computers. As for companies and all, yes, there are serious threats since they are running all kinds of services and servers. But I'm only interested in general public where folks spend tons of time and resources on dealing with security, not to mention CPU and crashes from symantec's and others full line of "protection".

Neon Samurai

"mom on the couch pointing out security breaches" Oh damn that was a great way to include learning the family trade (from whichever side of the firewall). It's even funnier when I envision my own dear mom saying it (she's not a technical person).

apotheon

"[i]And of course, there's always sitting with your security geek mom in the living room while she watches movies and says things like 'See, son, that's a social engineering breach.' which is how my son will become a security guru....[/i]" That put a big smile on my face. Keep up the good work, educating the next generation of computer users so they'll know something about security.

mindilator

i'm sorry, but you sound like a football coach with all the metaphors. "It's all out war I would say, and you're asking the troups to be generals before they pass basic training" "You'll be so far behind the 8-ball" "That's when the butter meets the bread and you're in the middle of a (*#& sandwich" -- a two-fer!! "the security 'race'" "stepping out of the closet and putting on the white hat" -- another two-fer!! i dismissed the ones that are used much more commonly like "scratch the surface" or "step up" as they wouldn't normally raise my brow. tell me you're a motivational speaker.

medullaoblongata

For one thing, this is a short blog post. It should be obvious that this is not intended to be a comprehensive guide to everything there is to know about security. The second point is the meaning of the word "guru". Merriam-Webster Online defines it as "a teacher and especially intellectual guide in matters of fundamental concern". If you break down that definition you'll notice the word "fundamental". Fundamental is defined as "serving as a basis supporting existence or determining essential structure or function : BASIC." Therefore, if you want to know the basics of local security, I think the post hits on exactly the skills you need to start developing. Everyone starts at the bottom and works their way toward higher goals. A blog post isn't going to show a toddler how to win a marathon. It is going to help teach it how to start putting one foot in front of the other. If you don't know how to do that, you'll never win the Boston Marathon or learn how to be effective at securing your computer system.

apotheon

No certification guarantees that someone knows anything. Once you've learned how to game the system for one certification, you pretty much know how to do so for all of them. There are a couple of certifications that try to avoid this by requiring a certain amount of real, on-the-job experience, and other factors, but I've met people whose only skills were gaming the system and whose only experience is in pretending to be useful. On the other hand, if you're inclined to learning quickly and well, the process of preparing for a certification can provide a fair bit of guidance for learning more than you already know -- and the real "expert" is the guy who keeps learning. Not all of that self-education "guidance" is what you'd expect, either: some of it takes the form of giving you plenty of opportunity to learn about things that others (like certification test writers) think are important knowledge, but aren't -- which makes it easy to learn about the myths of security as well as the facts. Of course, certifications can help you get hired, too. Adding to the string of letters after your name is probably the most concrete benefit of certification. Toward that end, the most valuable certifications are generally those that are the most work to get and cost the most. The relative value of various certifications for employability changes from one employer to the next, however, and vendor-specific certifications are the most volatile in relative value from one employer to the next. The short answer to your questions is, really, "it depends". There's no certification that is completely without value, however, because like any other credential there's at least some tendency to get out of it what you put into it.

apotheon

My next post to the IT Security blog after this one is already in place, and is not about the questions you raised. The next one after that is already spoken for in terms of its subject matter. I will almost certainly deal with matters related to actual software architecture security more than once in the future, however. I may also prevail upon Justin James in the Programming/Development blog to address the matter at some point, if it seems like a good idea to do so. In the meantime, however, I'll offer a quick answer: "It depends." Unfortunately, it really does depend. You make the good point that you can't just learn [b]everything[/b] (though I'm hoping the Singularity happens, and we [b]can[/b] learn everything after that), but unfortunately every distinct programming language has at least one new thing to teach about secure software design. Using languages like Ruby, Perl, and PHP for web development, however, can teach you about data validation. C for driver development will help with understanding operating system architecture better. SQL-based languages, and any language with a robust database interface library (such as Perl or Java, for instance), can help you learn about database security concerns. If your interests with regard to computer security are fairly general, I recommend you start with whatever language you like. Once you start learning programming concepts in general and become competent and confident with your first language, you'll start to have the skills necessary to choose your next language for yourself. I find that Ruby is an excellent choice of a first language, if you want to immediately get into a language that's both useful in its own right and useful for learning object oriented programming concepts. 
"[i]Build a router from scratch, now there is an idea- I did not think that was possible, I thought it was cheaper to buy one.[/i]" If you have an old Pentium II lying around, and have at least two network adapters you can stick in the thing, you've got the makings of a router with any of the major open source Unix-like operating systems. The Web is littered with tutorials and other information about setting up a router/firewall with operating systems such as various Linux distributions, FreeBSD, and OpenBSD. There are also ready-made, drop-in router/firewall OSes you can use such as [url=http://m0n0.ch/wall/]m0n0wall[/url] and [url=http://ipcop.org/]IPCop[/url]. "[i]Would my little SOHO LAN require a backup server, or am I in over my head?[/i]" If you have enough time, and a small enough amount of data you need to protect, you can get by with just a CD burner in each machine and a lot of recordable CDs. On the other hand, it's a pain in the butt to do backups that way, and having to swap out CDs like that tends to lead to letting your backups slide for weeks or months at a time. If you're maintaining business-critical data on those computers, I'd definitely recommend looking into some kind of automated backup solution, or at minimum checking out these two articles about Subversion so you can maintain directories with important files in them and make sure those directories get backed up regularly: 1. [url=http://articles.techrepublic.com.com/5100-3513_11-6167205.html]Use open source Subversion for personal document management[/url] 2. [url=http://articles.techrepublic.com.com/5100-3513_11-6172851.html]Take a tangible step toward sustainable software development with TortoiseSVN[/url] Between the two, an industrious person might be able to figure out how to set up a document management system using Subversion on MS Windows systems. 
Even then, however, you have a computer acting as a storage location for backups -- so perhaps setting up a backup server is the way to go anyway, if you want to learn about more operating systems. I'll add firewalls and backup servers to my list of potential article topics for the future. Thanks for showing interest and offering suggestions of subject matter.
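The two-NIC router/firewall apotheon describes above, written out as an added pf.conf example for OpenBSD (OpenBSD 4.7+ rule syntax); this is not from the page or the author, and the interface names em0/em1 and the LAN range are assumptions:

```conf
# pf.conf for a two-NIC OpenBSD router/firewall (OpenBSD 4.7+ rule syntax).
# Interface names and the LAN range are assumptions for this example.
# Packet forwarding must also be enabled: net.inet.ip.forwarding=1 in /etc/sysctl.conf.

ext_if  = "em0"                  # assumed: NIC facing the ISP
int_if  = "em1"                  # assumed: NIC facing the LAN
lan_net = "192.168.1.0/24"       # constructed example LAN range
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
set block-policy drop            # drop silently: no RST or ICMP unreachable goes back to the sender

# Normalise fragments, then drop packets whose source address cannot legitimately
# arrive on that interface (LAN sources on the outside, private sources from the ISP).
match in all scrub (no-df random-id)
antispoof quick for $int_if
block in quick on $ext_if from $rfc1918 to any

# NAT: rewrite LAN sources to the external address as packets leave the ISP-facing NIC.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny in both directions; every rule below is an explicit exception.
# pf keeps state on pass rules, so replies to allowed flows come back in automatically.
block all

# LAN hosts may initiate anything outbound (including to the router itself),
# and the router may send traffic that originates from, or was NATed to, its external address.
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet from ($ext_if) to any

# Nothing is passed in on $ext_if: unsolicited connections from the Internet,
# SSH included, hit "block all" and are dropped without a reply.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and confirm the ruleset with `pfctl -sr` before you rely on it.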

jmgarvin

This is why there are millions of botted computers out there...security is a very real concern.

apotheon

I decided against giving you my answer here, regarding the supposedly unreal "threat" of computer security issues. Instead, I think I'm going to post a new article to the IT Security blog here at TR in a couple of days. If you really want examples of how much security really does matter to the general public, keep an eye out for it.

andrew.houghton

The reality of a security threat depends on who you are. In my industry, a little paranoia from the industry regulators means the threat is very real.... but in reality, it possibly isn't. Take an example of an old, relay driven control circuit, replaced with a PC / PLC driven control system. Someone jumped up and down and shouted 'security' and 'passwords'... yet, had they thought about it, the original relays could be pulled and damaged with no password control. In that instance, the regulator didn't consider security until the word computer was used. I'm one of those who's gradually getting sucked into the security field. Yes, sometimes there's a case, and sometimes there's a risk. The question is always down to balance, that is, until the regulators ask...... or there's a problem..

michael.brodock

I disagree with your position that Y2K was a scam. It might have been hyped by people who didn't really know much (as most hype comes from the uninformed) but it was a real event that would have had circumstances for some software if they were not fixed. I personally put in a lot of time (on salary no less, not as a consultant) in the 2 years prior to y2000 and I know it made a difference where I worked to ensure a smooth transition to the roll over. Did some people scam, yes, but you can't say it was all a lie. BTW: a good article on how to keep up your skills in IT.

tcunningham4

I've read most of replies to your post, and the rebuttals, and I agree with your comments to others: managing security, like life, is a process. I read an article earlier that some branches of the government are combining the various aspects of security (physical, computer, authentication, etc.) under one office. Not a job for someone a specialist. Coupled with the expectation that people will have multiple careers, not just jobs, and the future looks bright for those who can know many things, but mostly how to learn. Lifelong learning is the model you have described, and I think it's right on target. One of the hardest lessons I have had to learn over the past few years is that I may not really know what I think I know, and I think you already know that. Kudos... Tom Cunningham System Administrator (currently)

Kozimoto

Hello? Cutting and pasting your life away...

Kozimoto

Sounds like you have not taken on this role, or haven't been hacked just yet. Just trying to save fellow IT folk a bit of embarrassment (and maybe more) jumping into the deep end professing to be the "local security guru" before they are ready. This article makes it sound like it's just a few steps to achieve "guru" status. I don't mean to offend, just warn. Best thing I can suggest is to pick a security discipline (ASP, .NET, PHP, Java, OS, web platform IIS, Apache, etc.) before you tell your manager you're the new security guru. I'm just saying this makes it sound too easy and I wouldn't put it on my resume or call the boss to announce until I was confident I could compete with a true hacker. Keep your patches up-to-date...this is the best advice I can provide. Lock down your systems and turn off unnecessary services, ports, etc. Second, hire a company to do some penetration testing of your systems if you're that worried and have them document how they did it. A quantum leap in your education in a short period of time. It's well worth the money if they provide the documentation. I think it all boils down to knowing your own systems better than anyone else. How well do you know your own systems? Could you hack in from the outside the DMZ for example? Probably not. Are you blocking HTTP headers for outward facing IP's on your web server? Probably not. Probe NAT addresses from there? Not get caught port scanning from your ISP? Like I said, there's more to it than this, and what was mentioned was a warning to the wise before they step up and take ownership of that kind of responsibility in 5 easy steps.

the1whodidit

I'M NOT SAYING IT'S NOT A CONCERN!!!! For many businesses it is, but for the general public... I need some proof how big it really is. Got any? As I said.... no server software running, a basic zone alarm free firewall, and show me the code or at least specifics. And no spoofing. Throw in your typical router with NAT and especially then...please show me....

the1whodidit

Sweet. What I would really like is an example of code when someone hacked into a computer over dial-up (because I'm thinking of security in the past when dial-up was all there was) and that computer wasn't running a server or any non-standard software. I don't really want the code as some folks could take it and probably run with it, but really specifics as to how it was done and what damage was done. As I said, I'm relatively ignorant about security so I'm betting you'll blow me out of the water, but I have done some network security with hardware and software so I'm not totally clueless. If you would, please follow up this thread with a link to your article when you post it. Thanks.

sgt_shultz

imho, it WAS a scam. mostly. and yes, you are right about folks milking the security scare factor. imho what you are saying when you brag you have not had a virus is that PROCEDURES are really the important thing. based on KNOWLEDGE of how stuff (hacking) works. you will change your tune first time you are hacked. i wouldn't go by the last 20 years. the times they are a changing. and fast.

the1whodidit

I was kinda harsh there, but what I really wanted to say was that it was something that was not going to stop business and cause any major problems since it could be fixed and handled as you stated you did. And what article are you talking about IT skills?

apotheon

I appreciate both the kind words and the clear summary/paraphrase that indicates you really understand my point(s). I think the fact our brains have evolved so that learning is addictive may be the biggest survival advantage of the human race. Too bad so many people are turned off of learning by associating it with a miserable public school experience where rote memorization replaces learning, and as such never really gets much opportunity to become addicted to learning. If they did get that opportunity, and ran with it, I think more people would come to the same conclusions you have.

apotheon

Perhaps mindilator's point was that koskovickrd was using empty platitudes in place of actual reasoning (which is true). On the other hand, mindilator may have been trolling -- simply pointing and laughing rather than contributing. It's not easy to tell from the text of mindilator's post.

Neon Samurai

Did you really need all the buzzwords to make your simple point completely convoluted in an attempt to sound more important than it actually was? I too am very much into comp security but I don't need to use a bloated paragraph full of marketing spin and motivational speaker BS to express it.

medullaoblongata

[i]"The title reads 5 steps to becoming the local security guru"[/i] Yes, that is exactly what the title says, but it seems that you're reading it like this: (The) five steps (,which you can learn in minutes,) to becoming (an instant grand master) local security guru. I think it should be read more like this: Five (fundamental) steps to (someday, in the future,) becoming the local security guru. The author of the blog nowhere states that you only need to know five things and after you know those five things you gain your "guru badge" that you can pin to your chest and parade around. If someone does make this mistake you seem to think they will after viewing the post, then they really didn't read or follow the advice laid out. It is very noble of you to try to save such individuals, but it's hard to save someone from their own congenital incompetence. Although, I'm not sure why you think the author is [i]"asking the troups (sic) to be generals before they pass basic training."[/i] The post is all about the basics. If you take your own questions about security knowledge and examine how one learns such information, an interesting pattern emerges. For example, to learn how to block HTTP headers on your web servers, you would read books and articles about it, experiment with different tools and configurations, conduct your own testing to verify what you've read and heard, and also keep your mind open to different possibilities and solutions. Hmm, guess what? That sounds curiously similar to the five basic steps mentioned in the blog post. That sure doesn't sound like guidelines that are asking the troops to just run right into battle on their first day.

Kozimoto

And that's what these posts are about...to get people thinking outside any box, not just your box.

apotheon

"[i]Good blog, just don't run out, set-up a little home system to work on. That really won't cut it.[/i]" Who suggested that all you should do is set up a little home system? I don't even know what you're talking about at this point. Nobody said anything of the sort. (edit: Thanks for the compliment, though. I do appreciate feedback.)

Kozimoto

Good blog, just don't run out, set-up a little home system to work on. That really won't cut it. Might as well try and do some of your own real penetration testing on the systems you plan on saying you're the security guru for.

apotheon

I'm going to assume that the way you've been using "hacker" is in the uninformed, uneducated sense: as a synonym for "malicious security cracker" or "computer vandal". You don't have to have experience being an unscrupulous criminal to be an effective enforcer of the rules. Yes, being on the wrong side of security can provide you with a certain amount of useful knowledge about what you're up against if you come to your senses and adopt some kind of ethical principles later, but that doesn't mean breaking and entering is necessary to the task of creating, maintaining, and patrolling the security measures that keep your property safe. The truth is that you don't seem to know what a "true hacker" is. If you really want to be among the best security experts out there, I'd agree that you have to be a "true hacker" -- but I'd quickly disagree with your apparent definition of the term "hacker". The true hackers who know the most about security are the guys who write software like tripwire and OpenSSH, the guys who audit code for projects like NetBSD and OpenBSD, and in general the guys who spend much of their time learning about the intricacies of their systems and the software that runs on it because everything about it is fascinating to them. A true hacker is someone who benefits from a transcendent enthusiasm for learning about computer systems -- not someone with a brutish urge to break them. "[i]Keep your patches up-to-date...this the best advise I can provide.[/i]" That's one of the most naive statements I've seen about the idea of maintaining secure systems. Not only does that not even begin to make a difference with some software, but if you're not careful you can run afoul of problems like that of the SQL Slammer worm. Do you remember Microsoft's press releases about how the SQL Slammer worm was already patched by Microsoft, and it was just lazy or incompetent admins who didn't patch their systems that were getting hit by the worm? 
Well, something you probably don't remember -- because Microsoft didn't publicize it, and many people never found out about it -- is that it eventually turned out many of those admins [b]had[/b] patched their systems. The problem was that there were two patches involved, and if you updated them in the "wrong" order, one would invalidate the protection the other was supposed to provide. Running Windows Automatic Updates in many cases led to this circumstance occurring, leaving many systems unprotected against the worm thanks to shoddy patch development from Microsoft. You can't just keep patches up to date: you have to know what you're doing, and test those patch deployments, before you declare yourself protected. You give a couple of good pieces of advice, of course, but they're not only obvious: they're also simplistic. Yes, close unneeded ports, and shut down unneeded "services". Yes, test perimeter defense by attacking them yourself (or, even better, through a proxy like a professional penetration tester). There's a lot more to security than these two factors (and automatically applying all security patches), however. There's even a lot more to each of these factors than you let on. You offer panaceas, or placebos, while the article was an attempt to point out that the real key to security expertise is not a checklist -- it's learning, and ensuring that you [b]continue to learn[/b]. If you paid attention to the five points recommended, you might notice that the two things they have in common are: 1. They never end. They're ongoing processes, approaches to becoming a security expert that have no end-point where you say "Now I'm done." 2. They all expand, and grow, with the dedicated security expert. They never stop being valuable, because they're principles of action that ensure you're always improving. 
The core point that seems to escape you is that being an expert isn't about having done certain things or developed certain practices -- it's about continually growing, and continually striving for more. Everything you suggested as a policy is a subject that should be investigated by the would-be expert, to be sure, but these are just details. The details go on forever. The important thing is to keep learning them, and to develop principles and understanding based on details, rather than to substitute knowledge of certain details for a deeper understanding. Given a choice between the creator of the MS Blaster worm and the creator of the OpenBSD project, I'd choose the latter as my security expert every time. "[i]what was mentioned was a warning to the wise before they step up and take ownership of that kind of responsibility in 5 easy steps.[/i]" I find it difficult to believe you actually bothered to think about those five steps if you think they're "easy".

medullaoblongata

I was concerned that I might have messed up the URL when posting, but I tested the link on my system just moments ago and it works. So perhaps it had been down for just a short period of time.

the1whodidit

I'll check it out when the website comes back up. I can ping it, but the site doesn't come up. There's hope... thanks!

jmgarvin

"I give up. I'm not going to get an example because there isn't one or you people are clueless. I've surfed and tried to find ANYTHING remotely close to what I've asked for.... NOTHING!" WHAT IS THE QUESTION!!!???

"Some quick responses... He brought up the BOT and it obviously is not what I'm looking for. It may be evidence, but that's not what I asked!" What do you want?

"I'm not needing the code if you can give me a specific example. PLEASE!!!" OF WHAT!!??

"Spoofing... context?!?!? What is this whole thread about. PLEASE!!!!" This word... I do not think it means what you think it means.

"If there are billions then finding one should be easy, eh?" Finding one WHAT!!??

"RPC... now there you go. I searched and didn't come up with anything. Maybe you can?" What are you searching, the floor under your feet? http://www.google.com/search?hl=en&q=define%3A+remote+procedure+call&btnG=Search

"Spoofing... HELLO. THEY CAN USE IT OF COURSE, BUT IT'S USUALLY CAUGHT AND ILLEGAL AS HELL AND EASY TO HACK PEOPLE WITH and that's why I'm excluding it." aarrrggg... WHAT!!?? So people legally crack your machine?

"FTP is used by a typical user doesn't even use passwords. "Wide open" c'mon!!!!" FTP is all done in plain text.

"'some answers'... all I want is ONE ANSWER." ONE ANSWER TO WHAT!!???

apotheon

"[i]I've surfed and tried to find ANYTHING remotely close to what I've asked for.... NOTHING![/i]"

That's mostly because you apparently don't know enough about the subject to ask meaningful questions, and to compound the problem you consistently misunderstand the answers you're given and the questions that are asked of you to clarify what you want. Despite this, jmgarvin and I have tried to offer some kind of meaningful responses. In thanks for the effort, you become belligerent.

"[i]Some quick responses... He brought up the BOT and it obviously is not what I'm looking for. It may be evidence, but that's not what I asked![/i]"

What do you want, then, if not some kind of evidence you're at risk even if you're running a standard desktop system with a firewall application installed? Wasn't that the point?

"[i]I'm talking Windows and FREE!!!! PLEASE!!! YOU JUST DON'T GET IT! Why bring up ipchains and other PAID software!?!?![/i]"

Are you saying ipchains is paid software? Where do you get that sort of notion? In any case, not only is it not paid software, but it's not anything I brought up. I brought up iptables, ipfw, ipfilter, pf, and iSafer to point out that while ZoneAlarm is better than some firewall software, it's far from the best. You seem to have completely missed that point, however, and just looked for opportunities to hurl imprecations. By the way, the iSafer firewall (which I mentioned in my last response to you) is an MS Windows firewall application. Did you happen to miss that fact in your eagerness to find reasons to declare me some kind of idiot?

"[i]Spoofing... context?!?!? What is this whole thread about. PLEASE!!!![/i]"

That statement doesn't even mean anything, other than as an insulting implication.

"[i]NAT... 'only provides a hurdle of sorts' what?!?! You contradict yourself! PLEASE!!![/i]"

I suspect you're imagining I contradict myself because you misunderstood what I said. Please explain how I contradicted myself so I can be sure I haven't done so, however.

"[i]Example... billions? I just want 1. PLEASE!!! You obviously don't get what I'm aiming at here. If there are billions then finding one should be easy, eh?[/i]"

Where exactly do you imagine I would get this one example? There are three problems with your assumption about how easy it is to provide such an example:

1. The people for whom I've done work don't tend to get compromised. This means that out of those millions or billions of potential examples, I don't have personal, hands-on experience with very many.

2. Even in those cases where I do have hands-on experience with people being compromised, it's generally a case of getting hired to clean up after someone else's mess -- and their circumstances don't generally match the very exacting, contrived specifications you specify as qualifying.

3. Even given such an example, sharing it with you would require getting permission to do so. Good luck with that.

"[i]RPC... now there you go. I searched and didn't come up with anything. Maybe you can?[/i]"

RPC means "remote procedure call". It's a server process that allows a client system to connect to another system and execute specific processes there. If by "come up with anything" you mean "provide a specific example of someone getting security cracked via an RPC vulnerability in winlogon", I'm afraid you're out of luck because the IT trade press doesn't tend to publish individual case studies for every single MS Windows exploit. If it did, it wouldn't have any time to publish anything else.

"[i]Zonealarm again... sure, everything's got holes, but show me the money where it was exploited in a way like I'm talking about. PLEASE![/i]"

Again: There have been numerous cases of ZoneAlarm exploits occurring. The individual cases don't tend to get published, however, so the likelihood of finding such an example for you approaches zero. I don't know what you think is going on here. Do you think that when news of an exploit in the wild is published people are lying just to convince you that there's a threat when there isn't? If so, you're welcome to your belief, I suppose -- but the realities of confirmation bias pretty much guarantee that at this point nothing will convince you otherwise unless you, yourself, get compromised by a malicious security cracker.

"[i]Spoofing... HELLO. THEY CAN USE IT OF COURSE, BUT IT'S USUALLY CAUGHT AND ILLEGAL AS HELL AND EASY TO HACK PEOPLE WITH and that's why I'm excluding it.[/i]"

Um . . . what? Most of that is nonsensical or simply incorrect. Perhaps you think IP spoofing is something other than what it is.

"[i]quit scaring people about using FTP. The typical way FTP is used by a typical user doesn't even use passwords.[/i]"

I can only assume you paid no attention to the context in which I brought up FTP -- which was in relation to managing a webhosting account, not anonymous FTP for downloads. You might be surprised by how many people use unencrypted FTP in that manner.

"[i]So anytime I download using FTP I'm wide open eh?[/i]"

I said nothing of the sort, and you're ignoring the context of what I [b]did[/b] say.

"[i]all I want is ONE ANSWER[/i]"

. . . to a meaningless question. Actually, I think what you want is to try to "trap" someone with an intentionally absurd question so you can make it look like you know what you're talking about, and everyone else is wrong. I'm not entirely sure that's what you want, though, so I'm not operating on that assumption.

the1whodidit

forget it. You're like the other guy. Just talk and talk until they just give up. I wanted a specific example and I looked through those sites you gave and found nothing like what I'm talking about.

the1whodidit

I give up. I'm not going to get an example because there isn't one or you people are clueless. I've surfed and tried to find ANYTHING remotely close to what I've asked for.... NOTHING!

Some quick responses...

He brought up the BOT and it obviously is not what I'm looking for. It may be evidence, but that's not what I asked!

Zonealarm... sheez, a Linux freak. I'm talking Windows and FREE!!!! PLEASE!!! YOU JUST DON'T GET IT! Why bring up ipchains and other PAID software!?!?! I'm not needing the code if you can give me a specific example. PLEASE!!!

Spoofing... context?!?!? What is this whole thread about. PLEASE!!!!

NAT... "only provides a hurdle of sorts" what?!?! You contradict yourself! PLEASE!!!

Example... billions? I just want 1. PLEASE!!! You obviously don't get what I'm aiming at here. If there are billions then finding one should be easy, eh?

RPC... now there you go. I searched and didn't come up with anything. Maybe you can?

Zonealarm again... sure, everything's got holes, but show me the money where it was exploited in a way like I'm talking about. PLEASE!

Spoofing... HELLO. THEY CAN USE IT OF COURSE, BUT IT'S USUALLY CAUGHT AND ILLEGAL AS HELL AND EASY TO HACK PEOPLE WITH and that's why I'm excluding it. In this case, I can PROBABLY find issues where a home system has been "hacked" to the degree I'm talking about. BUT I HAVEN'T YET. Does that make sense now why I bring it up? I'll even take this condition away if you'd like, but I'd really like one without using it.

NAT is what it is.

Just one more thing... quit scaring people about using FTP. The typical way FTP is used by a typical user doesn't even use passwords. "Wide open" c'mon!!!! So anytime I download using FTP I'm wide open eh? Try to use some discretion when talking like this in public and GET A REAL LIFE!

"some answers"... all I want is ONE ANSWER.

jmgarvin

"A server to run a bot? What are YOU talking about? Oh, I think I see... you mean a bot is a security concern that doesn't need a server to "get you". Dude, get real. You're obviously not getting it. I read your profile too and it says you're into security. Then c'mon and see if you can understand this...." What don't I get? Millions of infected Windows XP machines are botted and are not servers.

"First, bot shmot. I just read what the wiki said about malicious bots... real scary... NOT. How is one of these going to get into my computer and "hack it" to the point where I'm "vulnerable"." Do you want the whole flow? A bot is installed after you are compromised. May I point you to trojans, viruses, worms, and rootkits?

"That's what I want to know and I want to see a freakin example!" An example of what?

"Next, Zone alarm rules. For a free program that's been around forever, you can't beat it. Sure it has holes, but SHOW ME THE MONEY!" Ok, iptables is more robust, flexible, and scalable.

"I want a freakin example!" OF WHAT?

"Next...SHOW ME THE CODE! What I put was not hard to understand, was it?" No. If you really want to see code try sites like Security Focus and Phrack.

"Just plain "here's the hole and here's the code that was used to exploit it."" I point you to Security Focus.

"Spoofing...you HAVE TO KNOW WHAT THAT IS, EH? You're a "security" person in your "profile". But I guess not since if you did, you wouldn't be asking. I'm sure there's a wiki on it." I know what spoofing is, but I've no idea of the context that you are using. Spoofing for what? What kind of spoofing?

"NAT... learn, please, learn. From the wiki:" NAT IS NOT SECURITY. A NAT is there to help obfuscate your topology from the world, but the reality is that there are plenty of ways to find out what is behind your NAT. The best terminology I've seen for a NAT is that it is a poor man's firewall... and even that's taking what a NAT can do too far.

"And your profile says you're teaching? Ouch!" I like the ad homs. Please do continue to make yourself look bad.

"I want a specific example of where a person was hacked to the point of having their files readable by the hacker." The millions of compromised computers out there, the high profile security breaches that make the news, and the never ending list of security problems on security sites isn't enough for you?

"1. No server software running like a webserver or anything. And not even "file and printer sharing" or "client for MS networks" services. (now these are on by default, so if you have to use one of these in an example, then fine go ahead.)" Like Apo brought up RPC flaws. I'll point you to ANI and WGA flaws. Let's not forget the fun exploits like remote plug and play.

"2. Zone Alarm or another comparable firewall was running" What about it? Zone Alarm is ok, but the company that produces it is slimy. What do you want to know about firewalls?

"3. No IP spoofing. Do you get this now, or do I need to explain more?" Why no IP spoofing? How about email spoofing? Social engineering?

"4. And a router with NAT. The explanation above hopefully gets through to you now." A router with NAT is not security.

"5. No email attachments." I've yet to see this be a reality...

"PS I'm really not trying to bust your balls, but rather trying to get you (or anyone) to bust mine." You need to try harder then. You don't know enough about security to even have a civil discussion.

apotheon

"[i]First, bot shmot. I just read what the wiki said about malicious bots... real scary... NOT. How is one of these going to get into my computer and 'hack it' to the point where I'm 'vulnerable'.[/i]"

I don't think you understood jmgarvin's point. A bot isn't something that cracks security -- it's something that is implanted once security is cracked. He was referring to the fact that security is cracked on non-server systems, and those systems are added to botnets, all the time. Millions of desktop client systems are compromised in this manner, thus showing that non-server systems are compromised regularly. It's evidence that it happens, not an explanation for how it happens.

"[i]Next, Zone alarm rules. For a free program that's been around forever, you can't beat it.[/i]"

Zone Alarm is okay. It's better than nothing, and it's better than Symantec's desktop firewall software. It's certainly a heck of a lot better than Microsoft's "Windows Firewall". It's not, however, better than the Linux firewall, iptables, nor is it better than *BSD firewalls like ipfw, pf, and ipfilter. It's not even better than the iSafer Firewall for MS Windows, in terms of the security and configurability it offers -- though its interface is a little more user-obsequious than iSafer's. Perhaps more importantly, however, ZoneAlarm can't be trusted. It's a product of Check Point, a company with absurdly suspicious policies regarding how it values customer computer security.

"[i]Next...SHOW ME THE CODE![/i]"

I don't develop exploit code. It's not in my job description, as I'm neither a penetration tester nor a vulnerability analysis expert by trade. I suspect the same is true of jmgarvin. Perhaps you should do your own Google searching.

"[i]Spoofing...you HAVE TO KNOW WHAT THAT IS, EH?[/i]"

I know for a fact that jmgarvin knows what "spoofing" means in a computer security context. He was asking what you were referring to when you threw "And no spoofing" into your confusingly arranged paragraph, since it seemed thrown in there apropos of nothing. In other words, he was asking for context -- not for a definition of "spoofing".

"[i]NAT... learn, please, learn. From the wiki:[/i]"

Again, jmgarvin knows what network address translation means. He was just saying that a NAT/router device does not constitute effective security. The statement to which you referred about NAT preventing compromise of "protected" systems from contact initiated by the malicious security cracker isn't exactly accurate, by the way -- the truth is that it only provides a hurdle of sorts to attempts to directly connect to systems on the far side of the NAT device. If you aim to compromise the NAT device itself, you can then use that as a staging point for attacking any system on the network.

"[i]I want a specific example of where a person was hacked to the point of having their files readable by the hacker.[/i]"

There are billions of such instances out there. Take, for example, the people who were affected by Sony rootkit exploits, and those affected by WGA exploits. I don't think anyone's going to name specific victims, however, as doing so would be something of an invasion of privacy.

"[i]No server software running like a webserver or anything. And not even 'file and printer sharing' or 'client for MS networks' services.[/i]"

How about the MS Windows RPC service? You literally cannot turn that off without breaking your ability to log in (one of the stupidest design decisions I've ever seen).

"[i]Zone Alarm or another comparable firewall was running[/i]"

I suppose you're not aware that ZoneAlarm itself has had a number of remotely exploitable vulnerabilities over the years, including at least one each (of which I'm aware) of port scan and shell execution vulnerabilities.

"[i]No IP spoofing. Do you get this now, or do I need to explain more?[/i]"

I'm not even sure why you bring this up as a condition. Why isn't the security cracker allowed to spoof an IP address?

"[i]And a router with NAT. The explanation above hopefully gets through to you now.[/i]"

So compromise the NAT/router device first, then use that to stage attacks against the network it "protects". So what? All NAT really does to protect you is get in the way of certain types of automated, bargain-basement attacks. Directed, intentional compromises are often unaffected by network address translation.

"[i]The typical user isn't using secure ftp and doesn't even know what it is.[/i]"

That's part of the problem. When you use standard FTP, you leave yourself wide open. When you use SFTP, you don't.

(edit: typo)
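The point made at the end of the post above (and repeated by jmgarvin further down: "FTP is all done in plain text"), as an added example that is not part of the original thread. It shows what a passive sniffer on the path can read from an FTP control channel, compared with the same login over explicit FTPS and with an SSH session (which SFTP runs over). The three captures are constructed for illustration: the host name, user name and password are invented, and the "encrypted" payloads are fixed stand-in bytes rather than real ciphertext. It also handles the one wrinkle a detector has to get right: after a server accepts AUTH TLS (RFC 4217), later USER/PASS commands are inside the TLS channel and must not be counted as exposed.

```python
"""What a passive sniffer can read on an FTP control channel, versus FTPS and SSH/SFTP.

Added example, not from the original thread.  The three captures are constructed:
the host name, user name and password are invented, and the "encrypted" payloads are
fixed stand-in bytes rather than real ciphertext."""
import re

# Stand-in for encrypted traffic: deterministic bytes, mostly non-ASCII.
OPAQUE = bytes((i * 37 + 11) % 256 for i in range(64))

# Reassembled control-channel messages, tagged by direction.
FTP_SESSION = [
    ("server", b"220 ftp.example.invalid FTP server ready\r\n"),
    ("client", b"USER webmaster\r\n"),
    ("server", b"331 Password required for webmaster\r\n"),
    ("client", b"PASS hunter2\r\n"),
    ("server", b"230 User webmaster logged in\r\n"),
    ("client", b"CWD public_html\r\n"),
]

# Same login over explicit FTPS (RFC 4217): once the server answers AUTH TLS with
# 234, the TLS handshake starts and USER/PASS travel inside the encrypted channel.
FTPS_SESSION = [
    ("server", b"220 ftp.example.invalid FTP server ready\r\n"),
    ("client", b"AUTH TLS\r\n"),
    ("server", b"234 Proceed with negotiation\r\n"),
    ("client", OPAQUE),
    ("server", OPAQUE),
]

# SSH (which SFTP runs over): only the version banners are ever sent in the clear.
SSH_SESSION = [
    ("server", b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("client", b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("client", OPAQUE),
    ("server", OPAQUE),
]

# An FTP command line: a 3-4 letter verb, optional argument, CRLF.
FTP_CMD = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n$")


def readable_lines(session):
    """Every message the sniffer can read as printable ASCII text, whatever the protocol."""
    lines = []
    for _direction, payload in session:
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.endswith("\r\n") and text[:-2].isprintable():
            lines.append(text[:-2])
    return lines


def plaintext_logins(session):
    """(user, password) pairs readable on the wire.

    Stops looking once an AUTH TLS request has been accepted (everything after
    that is ciphertext), and never matches on a non-FTP stream such as SSH."""
    creds = []
    pending_user = None
    tls_requested = False
    for direction, payload in session:
        if direction == "server":
            if tls_requested and payload.startswith(b"234"):
                break
            continue
        match = FTP_CMD.match(payload)
        if not match:
            continue
        verb = match.group(1).upper()
        arg = match.group(2) or b""
        if verb == b"AUTH" and arg.upper().startswith(b"TLS"):
            tls_requested = True
        elif verb == b"USER":
            pending_user = arg.decode("ascii", "replace")
        elif verb == b"PASS" and pending_user is not None:
            creds.append((pending_user, arg.decode("ascii", "replace")))
            pending_user = None
    return creds


if __name__ == "__main__":
    for name, session in (("FTP", FTP_SESSION), ("FTPS", FTPS_SESSION), ("SSH", SSH_SESSION)):
        print(name, "readable:", readable_lines(session), "logins:", plaintext_logins(session))
```

For the plain FTP capture every line is readable and the user name and password come straight out of the stream; for FTPS the sniffer sees the greeting and the AUTH TLS exchange but no credentials; for SSH it sees only the two version banners. That is the whole difference between "FTP to manage a hosting account" and "SFTP to manage a hosting account" from the point of view of anyone on the path, and the same logic, run over real reassembled TCP streams, is a reasonable way to find plaintext logins still in use on your own network.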

the1whodidit

A server to run a bot? What are YOU talking about? Oh, I think I see... you mean a bot is a security concern that doesn't need a server to "get you". Dude, get real. You're obviously not getting it. I read your profile too and it says you're into security. Then c'mon and see if you can understand this....

First, bot shmot. I just read what the wiki said about malicious bots... real scary... NOT. How is one of these going to get into my computer and "hack it" to the point where I'm "vulnerable". That's what I want to know and I want to see a freakin example!

Next, Zone alarm rules. For a free program that's been around forever, you can't beat it. Sure it has holes, but SHOW ME THE MONEY! I want a freakin example!

Next...SHOW ME THE CODE! What I put was not hard to understand, was it? "Just plain "here's the hole and here's the code that was used to exploit it.""

Spoofing...you HAVE TO KNOW WHAT THAT IS, EH? You're a "security" person in your "profile". But I guess not since if you did, you wouldn't be asking. I'm sure there's a wiki on it. But for the others out there, it's a way to trick a computer into thinking the information it is getting from one place (a hacker) is really coming from another.

NAT... learn, please, learn. From the wiki: "To the extent that NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, it prevents malicious activity initiated by outside hosts from reaching those local hosts. This can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans. Many NAT-enabled firewalls use this as the core of the protection they provide."

And your profile says you're teaching? Ouch!

Since it looks like you do better with numbers: I want a specific example of where a person was hacked to the point of having their files readable by the hacker. Now, this is with the following CRITICAL allowances I pointed out before which are basically "standard" setups for a home computer:

1. No server software running like a webserver or anything. And not even "file and printer sharing" or "client for MS networks" services. (now these are on by default, so if you have to use one of these in an example, then fine go ahead.)

2. Zone Alarm or another comparable firewall was running

3. No IP spoofing. Do you get this now, or do I need to explain more?

4. And a router with NAT. The explanation above hopefully gets through to you now.

5. No email attachments.

So, show me the money. Please.

PS I'm really not trying to bust your balls, but rather trying to get you (or anyone) to bust mine. I've been thinking of getting into security for a long time and just want some proof of the vulnerabilities of the typical "user". The original author posted a "followup" with a specific example, but it was with FTP and passwords. The typical user isn't using secure ftp and doesn't even know what it is. What started all this was when I had a "user" ask me what she should do about her spyware subscription expiring.

jmgarvin

1) You don't need a server to run a bot
2) Zone Alarm does have holes and needs patching from time to time
3) Show you the code for what? bots?
4) No spoofing what?
5) Router with a NAT is NOT security.

apotheon

I didn't end up answering your statements and questions as directly as I expected, when I first conceived of the idea for this post a few days ago, but the IT Security blog post I promised is now available at: [url=http://blogs.techrepublic.com.com/security/?p=259]Myth: I'm not really at risk.[/url] Hopefully you find something worth the read, there.

the1whodidit

I believe you hit the nails on the heads. Mainframes and COBOL... yep, this combination was the "worst" for Y2K. And if you're in a bank, you probably had these two around and this combo was going to take some serious time to test, especially with the size you're talking about. I'm betting this was your situation. Good to hear you didn't get ripped off like many others I knew that did. Still, taking your time and planning ahead took care of it. If you were one of the Windows shops (or any non-COBOL for that matter) then you wouldn't have had nearly the trouble. I bet you saw like I did that some folks were stocking food and water like crazy, and even buying guns. It's situations like this where the fear takes over and becomes a threat of its own.... it's just human I guess. And that brings me back to this security thing. I'm not saying it's not real, I just want someone to show me why the general public needs Norton's "suite" of products to keep their home computer safe. AVG, Zone Alarm, and a free spyware scanner would seem all they need. And with Vista, most of this functionality is included. Really I want a specific example of a home computer getting hacked... especially over dialup.

JamesRL

In that company the IT initiatives for 2 years were focussed solely on Y2K related stuff. At that company they had to replace an old mainframe, go through millions of lines of code, test 500 COBOL apps and a couple hundred other apps. They replaced the hardware and software at 5000 customer sites. And it wasn't all obvious or easy. My company didn't hire any expensive bodies. The guy putting in the new financial system needed for Y2K got paid twice as much as me (and earned it I think). James

the1whodidit

I'm not saying it wasn't a problem, but that it was easily handled as you stated.... you test the software and fix it. Not very hard when you're dealing with a "date change". C'mon folks. The scam was people charging $350/hr to do it. And there's a mistake... arrogant programmers... leave the stupid coding stuff for them and put your faith in a high quality QA expert.

JamesRL

I was the Y2K Program manager for a billion dollar company whose revenue depended on the clock (think if it's not on time, it's free). Y2K would have been an absolute disaster if we had ignored it. We would have had to walk up the stairs to our offices the next work day, we couldn't have sorted our bills to provide customers with a monthly invoice, and worse. I had some arrogant programmers, who thought their programs were fine, wilt when we tested them. I had one contractor guarantee his program would pass, and it failed. Of course it's not the hype that was in the papers, no one would have died, but we could have lost tens of millions in revenue. Some businesses had a greater potential impact than others. James