Archive for September, 2009

Small Business Attack – Metasploit

September 30th, 2009 Josh No comments

Though there is a saying in the security profession that it's not about the tools, some tools are pretty cool. In general business, common tools are things like Microsoft Word and Excel (or their open source equivalents in OpenOffice). On the defense side, we use antimalware suites like Sophos. Generally speaking, attack tools aren't as polished and are very narrowly focused. However, that's starting to change.

The attack tool I want to discuss today is Metasploit. This tool has one primary purpose -- to break through your defenses. It's built using a framework methodology. You can think of it as having "plugins" like Firefox. In Firefox, plugins can extend the functionality of the browser by blocking ads or blocking scripts. In Metasploit, the plugins are a bit more dangerous and add functionality like exploiting a service and escalating user privileges.

Basically, the tool works as follows:

1. Pick your target
2. Break in

That's pretty much it. If there is a flaw in the system, an attacker can probably get in. And since this tool is so easy to use, an attacker doesn't have to be particularly skilled to take over a system. They just point, click, and get your data.

Categories: Business Security

Security Lessons from Nature – Smart Crabs

September 29th, 2009 Josh No comments

Crabs have claws. Some of them have ridiculously oversized claws, some are stronger than the jaws of a wolf and some can give you wicked papercuts.

However, there are a few crabs that just don't think that's good enough. Instead, they pick up anemones and carry them around. Since anemones have tentacles, the crabs look a bit like high school cheerleaders carrying pompoms, but they don't mind. After all, it's a great defense. An attacker girds itself to fight against pinching and instead it gets a face full of stinging pain... quite the surprise.

Businesswise, it would be pretty ineffective if you had your employees carrying around anemones. Not only would it make typing difficult, but they would also have to be kept underwater, which might present issues with keyboards. Instead, the lessons are, I think, misdirection and non-localized advantage.

Your business has a brand, so an attacker would naturally expect that a defense would match what your company is best at. For example, if you make surveillance cameras, one might expect that your network is well watched, but perhaps not well protected in other ways. So, if an attacker can manage to encrypt traffic or otherwise hide what they are doing, they can likely expect a fairly easy time of it. However, if you manage to partner with a company that produces a more active defense, such as HIPS, an attacker may find themselves blocked, traced and served with a face full of stinging tentacles (or a lawsuit... the modern equivalent).

Categories: Natural History

Mythic Monday – Nommo

September 28th, 2009 Josh No comments

Recently, while reading about African mythology, I ran across the story of the sky god Amma and its creation of the half-human half-fish hermaphroditic creature Nommo, which split into four pairs of twins and, after normal mythical events, became the ancestors of the contemporary Dogon people. Due to mistranslations of early ethnographic studies, these creatures were identified as coming from Sirius, which if true, would indicate that the ancient Dogon people either had powerful telescopes (unlikely) or were visited by aliens (which some people seem to view as more likely).

Now, as I read this, I thought "hermaphroditic human/fish hybrid that some point to as proof of alien contact... I've got to blog about this!" Sadly, though, I just couldn't come up with a good business or security angle (there's something to the "one twin goes evil, so the other has to be sacrificed" story... but there are other such stories in myth that are far more accessible).

Then I started researching Binu shrines. The story goes that one of the Nommo twins was evil, and to make up for this, another twin had to be sacrificed, dismembered and scattered all over the earth. Wherever a piece of Nommo landed, a Binu shrine was built. I was curious, and wondered what a Binu shrine looked like. Looking on Flickr, I ran across this photo by sunshinerythym. I looked at the terms of use and saw that it was marked "All rights reserved", so I didn't embed it. I sighed and moved on.

Shortly thereafter, I saw this page on the Sacred Sites of the Dogon, Mali. Well, that photo sure looks familiar, doesn't it? It's lightened up a bit, but it looks awfully close. And that link below it? Order Fine Print?

Very interesting.

Now, it is quite possible that sunshinerythym was contacted by the people that run SacredSites.com and gave permission for the photo to be used in this manner. I know that I've gotten requests to use my photos in such a way.

However, I also want to point out that there are some untrustworthy people out there who make money by selling other people's work. If you post a photo in full resolution, anyone can download it and do whatever they want with it. If you license it appropriately, you can take legal action against them... but you have to catch them first. Of course, if you screw up your licensing, you probably don't have a leg to stand on (unlike Nommo, who being half-human had legs (look, I tied it back in!)).

The security lesson here is that if you are generating content, be careful with it. Though I have chosen to make my full resolution photos available, I do so with the understanding that others may steal them. To help mitigate this, I have licensed them for non-commercial use only. For me, photos are fun, but not my main business. I am fine taking the risk if it means that zoos and similar educational organizations can use my photos to help other people learn. The point is that I know I am taking the risk to begin with.

The other security lesson is that if you are a business, keep track of the rights to the things you use. If such use is not previously authorized, it could be construed as intellectual property theft and could be quite costly.

The mythological lesson is less clear.   :)

(Before writing this post, I sent an email to sunshinerythym, as we Flickr users have to help protect each other. It is quite possible that by the time you read this, the links may be broken.)

Categories: Mythology

Review – A Smart Girl’s Guide To The Internet

September 25th, 2009 Josh No comments

A year or so ago I ran across the American Girl Smart Girl's Guide series. I had heard some good things about the company and the books looked well written, so I picked up a few at a booksale and gave them to a friend whose daughter was approaching the right age. Recently, he reported that his daughter was finding them useful.

So, when I ran across A Smart Girl's Guide to the Internet at a used bookstore, I picked it up. The book is clearly written for younger readers. It's segmented by what kids do online and written in a way so as not to be insulting but still be useful. What I particularly liked is how it directly addresses real issues while still referring the kids to parental authority if they have any questions.

Some items of interest:

  • There is a general stress on intelligence, or as they put it: smarts not software.
  • An ongoing discussion about privacy and why it's important, including what counts as personal information and why it should be protected.
  • A running analogy of online threats to real-life threats.
  • What to do when the inevitable happens and a kid is put in an uncomfortable position due to either social interaction or accidental browsing.
  • Bullying and social snubbing.
  • How to only connect with people you know personally instead of strangers.
  • How to create content without putting yourself or your friends at risk.

To someone who has been working in the I.T. Security industry for a while, there is nothing new here. However, if you are a parent of or know parents of young girls, this is a great book for them to read. (Technically, it would be good for young boys too, but it's unlikely that the majority of them would actually read it, as it is clearly branded for girls.) It's nice to see a book like this being made available.

Categories: Business Security

Small Business Attack – Rogue Wireless Detection

September 24th, 2009 Josh No comments

The best way to prevent rogue wireless access points from appearing on your network is to set up the network so that adding one is more difficult. Though it is more work to lock down a network to only allow connections from specific MAC addresses and on specific ports, it does go a long way to prevent unauthorized devices from magically appearing on the network.

Of course, this sort of approach is not always feasible. In those situations, you have to go one step further and run periodic scans for unauthorized devices. Commonly used in wardriving, tools like NetStumbler and Kismet can also be used to find WAPs in your own building.

Using such a tool, it is important to first identify what "normal" is. Begin with a visual scan of every network port in your location. Make sure that you're not starting with a rogue WAP on your network. Once you have done a visual sweep, run one of the tools and get a feel for what is normally present in your environment. Then, after a day or so (sometimes more), you should have a list of the wireless networks around. Each of these should be tracked down and identified as legitimate.

Then, on a periodic basis, you can check for new wireless access points and make sure that the list isn't changing on you. If it is, you might have a problem.
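The baseline-then-compare routine described above, sketched in Python as an added example (it is not from the original post). The `bssid,ssid,channel` CSV layout and every network name and address in it are constructed for illustration, not the export format of NetStumbler or Kismet. It goes one step beyond the text by labelling separately an unknown radio that advertises a network name already in your baseline.

```python
import csv
import io

# Constructed sample data. The bssid,ssid,channel layout is an assumption for
# this example; map your scanner's real export columns onto it.
BASELINE_SCANS = [
    "bssid,ssid,channel\n"
    "00:11:22:33:44:01,OfficeNet,1\n"
    "00:11:22:33:44:02,OfficeNet,6\n",
    "bssid,ssid,channel\n"
    "00:11:22:33:44:01,OfficeNet,1\n"
    "66:77:88:99:AA:01,CafeNextDoor,11\n",
]
TODAY_SCAN = (
    "bssid,ssid,channel\n"
    "00:11:22:33:44:01,OfficeNet,1\n"
    "00-11-22-33-44-02,OfficeNet,6\n"
    "66:77:88:99:aa:01,CafeNextDoor,11\n"
    "02:AB:CD:EF:00:10,OfficeNet,6\n"
    "02:AB:CD:EF:00:11,linksys,3\n"
)

def normalize_bssid(raw):
    """Lower-case, colon-separated form so the same radio always compares equal."""
    digits = raw.strip().lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a BSSID: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_scan(text):
    """Parse one scan export into {bssid: ssid}."""
    return {normalize_bssid(r["bssid"]): r["ssid"].strip()
            for r in csv.DictReader(io.StringIO(text))}

def build_baseline(scans):
    """Union several observation runs: 'normal' is everything seen and vetted."""
    baseline = {}
    for text in scans:
        baseline.update(load_scan(text))
    return baseline

def compare(baseline, scan):
    """Return (bssid, ssid, reason) for every access point not in the baseline."""
    known_ssids = set(baseline.values())
    return [(b, s, "known SSID on unknown radio" if s in known_ssids else "new network")
            for b, s in sorted(scan.items()) if b not in baseline]

if __name__ == "__main__":
    print(*compare(build_baseline(BASELINE_SCANS), load_scan(TODAY_SCAN)), sep="\n")
```

Anything the comparison reports still has to be tracked down in person; a new entry may turn out to be a neighbour's new router rather than a device on your own network.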

It is important, however, to stress that this is not a perfect solution. You will likely need to occasionally visually inspect your network and verify that there are no new devices floating around. You should make sure that no laptops are set up to bridge a connection to the outside world. You should do your best to lock down the network. Then, when you've done all you can do, scan to fill in the holes.

Good luck.

Categories: Business Security