Archive for the ‘Business Security’ Category

Firefox Profiles

April 27th, 2010 Josh No comments

I've been absent from this blog for a while.  Other projects are occupying my time.  I hope to return to regular blogging soon... but it may be a bit longer yet.

However, one of my projects involved getting a new laptop.  Since getting a new laptop is a good excuse to redo things and do them better, I decided to take a closer look at my Firefox profile setup.

I play a lot of roles, ranging from security researcher to consultant.  There are different Firefox configurations that I need for each, but it's a pain to constantly log in to different user accounts.  To make this process simpler, I decided to create four different Firefox profiles, each tuned to a specific set of tasks.  What follows is a description of what I did under Linux.  The same process should apply to other operating systems... but I've not tested them there.  With one exception (noted) all add-ons are from addons.mozilla.org.

Warning, geekery below this line.


I started with my basic add-ons:

  • Adblock Plus to prevent those annoying ads (and ad-based malware infections)
  • Neo Diggler to give me a quick way to clear the location bar and give me the ability to add custom stuff
  • NoScript to prevent scripts from running.  I did a quick whitelisting of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc.)
  • Web of Trust to give me a hint before I click on a link.
  • Tiny Menu to maximize screen real estate.  (I love me the tiny laptops)
  • TorButton for quickly accessing The Onion Router (requires installing additional software to utilize)

Sadly, LongURL is not supported on the new Firefox yet.

I restarted Firefox to activate everything and configured the plugins the way I like.  I also customized the Nav bar and moved everything up to the Menu bar that TinyMenu made nice and small.  Then I used the View menu to turn off Navigation and Bookmarks.

Then I went into Preferences->Privacy and set Firefox to "Never remember history" and suggest "Nothing".  I also cleared my history that was created thus far.  In Preferences->Security, I told it to never remember passwords, block reported attack sites, web forgeries and add ons.  (By not remembering passwords, I render myself less vulnerable to risk from theft of my profile directories, but more vulnerable to keyloggers... it's a good tradeoff to me.)

I then shut down Firefox and went into ~/.mozilla/firefox.  I did a cp -a of my profile directory to other names (this bit would be different on Windows):

cd ~/.mozilla/firefox
cp -a blahblah.default research
cp -a blahblah.default paranoid
cp -a blahblah.default webdev

Then I edited profiles.ini and copied the four top lines of [Profile0] to new blocks of Profiles 1 through 3.  I edited the Name and Path to reflect each of my new profile directories (research, paranoid, webdev).  I edited the Firefox launcher and appended "-ProfileManager --no-remote" to the "run command".  This way, when I click on the little icon, Firefox will prompt me for the profile I want each time I launch it, and it lets me run multiple profiles at once.
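The two manual steps above (copying the profile directory, then registering it in profiles.ini with the next free [ProfileN] index) can be scripted. The following is an added example, not code from the original post; the FF_DIR parameter is an assumption added so the function can be pointed at a scratch directory instead of ~/.mozilla/firefox.

```sh
#!/bin/sh
# Added example, not from the original post: clone a Firefox profile directory
# and register the copy in profiles.ini, the same two steps done by hand above.
# FF_DIR is an assumed parameter (normally ~/.mozilla/firefox on Linux) so the
# function can be exercised against a scratch directory.

# add_profile FF_DIR SOURCE_DIR NEW_NAME
#   cp -a FF_DIR/SOURCE_DIR to FF_DIR/NEW_NAME, then append a [ProfileN] block
#   (Name, IsRelative, Path) using the index after the highest one present.
add_profile() {
  ff_dir="$1"; src="$2"; name="$3"
  ini="$ff_dir/profiles.ini"
  [ -d "$ff_dir/$src" ]    || { echo "no such profile dir: $src" >&2; return 1; }
  [ -f "$ini" ]            || { echo "no profiles.ini in $ff_dir" >&2; return 1; }
  [ ! -e "$ff_dir/$name" ] || { echo "profile dir already exists: $name" >&2; return 1; }

  # Highest [ProfileN] index already registered (-1 if none), so N = last + 1.
  last=$(sed -n 's/^\[Profile\([0-9][0-9]*\)\]$/\1/p' "$ini" | sort -n | tail -n 1)
  n=$(( ${last:--1} + 1 ))

  # -a keeps permissions and timestamps, just like the manual copy.
  cp -a "$ff_dir/$src" "$ff_dir/$name"

  # Guarantee a trailing newline before appending so the new header starts a line.
  [ -z "$(tail -c 1 "$ini")" ] || printf '\n' >> "$ini"
  printf '\n[Profile%s]\nName=%s\nIsRelative=1\nPath=%s\n' "$n" "$name" "$name" >> "$ini"
}

# profile_count FF_DIR: number of [ProfileN] blocks registered in profiles.ini.
profile_count() {
  grep -c '^\[Profile[0-9][0-9]*\]' "$1/profiles.ini"
}

# Typical use on the real profile directory ("blahblah.default" stands for the
# randomised directory name Firefox created, as in the post):
#   add_profile ~/.mozilla/firefox blahblah.default research
```

Run it once per profile name with Firefox closed (profiles.ini is only read at startup). Launching with -ProfileManager --no-remote, as described above, then shows the new entries; -P followed by a profile name starts a given profile directly without the chooser.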

I then launched it and selected my "research" profile.

Here, I went back into Preferences->Privacy and told it to go ahead and remember history and make suggestions (as when I'm researching things, I often forget where I found things and what I searched on).  Then I installed the following add-ons:

  • Add N Edit Cookies for cookie manipulations
  • HackBar for SQL injection fun
  • PassiveRecon for exactly what it sounds like
  • RefControl for mangling HTTP headers
  • DeeperWeb for those occasional rambling searches.

Then I added the following search engines to the search drop-down:

  • Offensive Security Exploit Database
  • Security Focus Vulns Search
  • Security Wire Search

I'll probably add more as I play with it.  I'm still not used to using this feature to search the deep web.  (Wonder if one could be written to access our corporate wiki?)

Then it was time to restart Firefox and activate, set preferences, yada yada yada.

After that, I restarted to access the "paranoid" profile.  I went into Preferences->Security and turned on ALL warning messages.  It's annoying to use now, but that's partly the point.

I set StartPage to my initial home page, using the "Generate Custom URL" feature on the site.  Since I'm not storing any cookies at all, this is how it has to be done.  I removed all search engines and added IxQuick HTTPS, Startpage HTTPS and Scroogle SSL.  On the add-on side, I added:

  • Force-TLS to force HTTPS connections (though it really doesn't do all I'd like it to)
  • Certificate Patrol to track certificate details
  • Perspectives for a paranoid check against SSL certificate alteration.  This one is linked to from the Mozilla add ons site, but not installable from there.

I then disabled the CNNIC SSL certificate (Preferences->Advanced->Encryption->View Certificates->Authorities, scroll to "CNNIC ROOT", click "Edit" and unselect "This certificate can also identify web sites").  It's a matter of debate as to whether or not this is necessary... but so long as it's being debated, my paranoid side will be careful.  (The other profiles don't care. :)

Lastly, I installed the Orange Fox theme, which is ugly and garish, but since I wanted a visual reminder that I was in the paranoid profile, it was exactly what I wanted.

After another restart I entered the webdev side.  The fun new add-ons here were:

  • Firebug for tracing DOM and CSS issues, which I don't do much anymore, but it's still nice to have.
  • CodeBurner For Firebug to add reference to Firebug
  • FlashGot for massive download fun on archive.org
  • Greasemonkey for fixing stupid sites (and integrating with FlashGot to bypass trivial JavaScript-implemented "security" checks)
  • Live HTTP Headers for watching traffic in real time, when I don't want to launch a real proxy
  • Web Developer for the same reason as Firebug

From here, I am in a position to fire up the profiles as I need them, and am able to work on the web without worrying about my tools being available.

Should we allow our employees to engage in social networking?

February 12th, 2010 Josh 2 comments

Introduction

The question often comes up: Should we allow our employees to engage in social networking? The debate has raged for years, and surprisingly, it is still not settled. In general, the discussion tends to fall down four possible paths:

1) Social media reduces productivity
2) There are a lot of threats that come from social media
3) Social media is a new technology and therefore is scary
4) Employees don't really need social media anyway

So let's take a look at these:

1) Productivity

Many times the "productivity" topic rages within the security field, which has always surprised me. Keeping employees productive is the responsibility of the business owner, and while I've often seen it delegated, I've never seen it delegated to either the security people or the admins. Realistically, this is the responsibility of management or HR.

Even then, it seems that every place has slightly different rules as to what is and is not permitted. In some places, it's customary to spend hours each Monday morning talking about the previous weekend's hunting or sporting events. In others, everyone takes off Friday afternoon and sits around socializing before "closing time" hits. In still others, there are required breaks every two hours as well as a mandatory lunch. However, in absolutely none of them is social interaction categorically denied. The prevailing attitude seems to be that so long as the work gets done, the specifics are irrelevant.

Different people work differently and some need the occasional long social break to limit distraction. Humans are social beings and there is considerable evidence that socialization is a deep-seated need in our species*. It seems unlikely that many people could be truly productive without a form of socialization... do the technical means really matter?

Perhaps, instead of banning the technology, it would make more sense to monitor productivity and ensure that any employees that begin to stray are quietly corrected. This would enable you to take advantage of the benefits that the technology offers without necessarily experiencing a productivity hit.

* This could be a long discussion in and of itself, but, fascinating though it may be, it would distract from the point.

2) Threats

A considerable amount of malware and no-tech attacks come from social sites. Twitter is particularly bad, due to the inherent obfuscation used in the TinyURLesque sites (though they're working on it). However, you can't live a life that is entirely devoid of risks, and in most cases we don't approach risks by banning the technology. Instead we take a balanced view and assess risks before we take action. For some reason, many people tend to approach these problems as if it were a game of whack-a-mole, which is a shame.

To draw the over-used analogy to automobiles (a similar technologically-induced societal change), in the rural states, a common threat is deer. We could address this threat by building fences along each highway (Banning) or by constructing a massive array of detectors, implanting RFID chips in each deer and building weapons-equipped automated flying drones that kill any deer wandering onto the road (Intrusion Prevention). Instead, we put up little yellow signs that tell people to be careful. For some reason, we find this a more economical solution, even though it places a slightly higher burden on the drivers to pay attention.

I think that a lot of security professionals avoid the "educate the users" tack because it's traditionally not worked too well. Of course, a lot of us are also far more comfortable with technology than we are with people, so it is possible that the past failure of education was due to our own failure to educate ourselves on education processes. Maybe, if we were better at making little yellow signs, many people would manage to avoid the majority of threats.

3) New Technology Is Scary

I am sorry to say it, but we security professionals tend to say "no" a lot. I ran into this problem myself recently and used what I call a "shortcut no" -- where I said "no" when I meant "yes we could do that, but I think it would be prohibitively expensive". However, within the security community, when one person's "shortcut no" is heard as a "true no", we tend to build up an echo chamber effect and think "no one else is permitting this technology, so there must be a reason, so let's just say 'no'". This, I think, results in the regrettable state of things being banned "for security reasons".

Changes to technologies and processes must be first analyzed and the risks then be explained to management. At that time, it is their decision. I have encountered businesses that prefer to believe that regulations such as PCI-DSS, the FTC Red Flag Rules and HIPAA/HITECH do not apply to their business. In some cases, I have disagreed, but it is, in the end, their decision. Perhaps the failure was on my part, and I was less than ideally effective in explaining the risks. However, an alternate perspective is that many experience an unconscious resistance to change. The impact of new regulations is change, and in many cases, change may be scary.

Of course, fear of change is part of being human. Luckily, if you know this, you can take steps to address it. One common approach is to take a social media class. If you lack the budget for such a thing, you can also spend a day reading about it online. Good Google terms are social media in business, twitter marketing, facebook marketing, Internet Business Mastery and search engine optimization.

4) Do They Really Need It?

Four years ago I gave a presentation to a group of entrepreneurs about how to leverage technology in a start up. One question I was asked was "Do I really need a website?" I was stunned. I couldn't imagine a new business without one. Most people I know first check out a business on the web, both for contact information and for reviews. If a business isn't on the net, it's invisible. If it's on the net but no one is talking about it, it's probably not worth much.

This is even truer today. I don't think I've opened a phone book once in the last year. I've found many great resources through word of mouth via the Internet. Social media allows me to research a company in minutes. I can get information faster than ever before on prospective clients, partners and employees. I can check my thinking against that of others in my field. I can research threats, responses and technologies without having to do the test implementation myself. (Though test implementations are still important.) If it weren't for social media, I would be unable to do my job.

These networked social efficiencies exist pretty much across the board. Alliance Technologies tends to "run light". Our marketing, sales, support and administration are staffed at a level far lower than other comparable companies, simply for this reason. If we didn't have social media, we'd have to double our staff.

Clearly, not all companies are the same. However, the effectiveness of social media in all aspects of our business leads me to believe that it's generally useful to most businesses.

A) We Can't Stop Them Anyway

Trying to stop people from socializing is a doomed effort. You can draft and implement all the policies you want, but if they go contrary to human nature, they will not be followed. Moreover, if they are burdensome, they will be actively rebelled against. Do you really want to spend your time protecting against outside attacks while your inside people are working to bypass your web filters, firewalls and IPS systems? I know that I don't.

Practically speaking, web filtering technology works, but nothing is perfect. You can block most sites in a category, but there is always a way around it. You can block gambling sites, but you can't prevent an employee from placing bets via email or SMS on their cell phone. You can block porn sites, but can't keep someone from bringing a magazine into the office if they really want to. Generally, you just raise the barrier high enough to say "management would rather you not do this stuff" and people will take the easier path. Even then, saying "don't gamble" and "don't look at porn" are vastly different messages from "don't talk". Banning social media is equivalent to banning talking at the water cooler, over the cube walls or in the hallways. If you try, you'll experience a lot of pushback... and as employee generations shift, the pushback will grow.

Personally, I'd rather focus my efforts towards bringing the employees in line with business goals and then combating actual threats against the business. To do otherwise is just spinning in circles.

(This post originally appeared over at Alliance Technologies)

Advanced Persistent Threat (APT)

February 5th, 2010 Josh No comments

There has been a great deal of discussion in the security community about APT. The link covers it at a high level, but in a nutshell, it's a type of hacking that is distinguished by people who have the time and money to target specific individuals and organizations. Since the resources (time and money) available to the attackers are on a much larger scale than what the defenders can muster, a lot of people are calling this a game changer.

As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other "doesn't get it". For a quick read, check out Richard Bejtlich's post and MANDIANT's post and, for a counterpoint, check out Gunnar Peterson's.

Of course, they're both right. Neither side gets it. Both are blind. Those that work enterprise security consulting see APT everywhere... mostly, I suspect, because in the enterprise security space you only call the consultants when it's something particularly troublesome (like APT). Of course, once you've focused on APT, that's what you get called in on, so the problem probably looks bigger than it is.

In contrast, those of us that don't consult in those spaces don't get those calls, so we don't see it. We also probably don't have the transparency needed to see such activity if it is going on in our organizations. So we minimize the threat.

So what do you do about APT?

I suggest that you consider the following checklist:

  1. Do you have a firewall?
  2. Does your firewall block outgoing connections?
  3. Do you have local antimalware running on all your endpoints?
  4. Do you have a web filtering solution in place?
  5. Is all access to all systems monitored and audited regularly?
  6. Do you have a process in place to pull all legacy systems off your network?
  7. Do you have a patch management system in place?
  8. Do you have a vulnerability management process in place?
  9. Do you match all system configurations against hardened templates?
  10. Do you have a data classification policy that applies to all your data?
  11. Are you encrypting your important data?
  12. Do you have a log retention and management infrastructure built?
  13. Are you running an IDS/IPS system?
  14. Do you have third party management systems in place?
  15. Are all of your web applications running in hardened stacks?
  16. Are you using web application firewalls?
  17. Are you using database firewalls?
  18. Do you have regular employee awareness training?
  19. Are complete penetration tests conducted against your organization?
  20. Do you have an Internet data monitoring and scrubbing policy in place?

If the answer to each question is "yes", then you should worry about APT. This is not to say that if any of these are "no", you don't have APT going on in your environment. I'm saying that there's no point pursuing a full on anti-APT strategy until you have the basics in place... and there are a lot of basics. I'm also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions. These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.

If you don't have a minimal and sufficient security solution in place, it's not that APT isn't a threat or that an unknown enemy isn't out to get you... it's that you probably have more important things to be working on.

Security in the Harry Potter World

January 29th, 2010 Josh No comments

I recently picked up Harry Potter 6 on Blu-ray. While I've read all the books, I've generally not been much for the movies. (I prefer the pictures in my head.) However, there is a photographic beauty to these movies that is worth both the time and the money (especially when the box set of 1-5 was on 70% off recently)... so I'm watching them and remembering the stories.

As with most works of art, the easy path to drama is to create a security failure. It makes sense, after all. As a creator, you may have a need to push your characters at times, and the easy (lazy) way to push a character is to create a situation for them to react to. Thus, viewing the worlds as if they are real is a bit unfair... but on the other hand, nitpicking is fun.

In the world of Harry Potter, there are several security situations. The world of magic has to be kept a secret from all the muggles, the evil people have to be kept out of Hogwarts, and what is kept in Gringotts must stay in Gringotts. In fact, we know that there is some sort of magical muggle spy network, as Dumbledore knows to investigate Tom Riddle prior to his acceptance into Hogwarts. Why this same network can't detect the attack upon Harry by the dementors in book/movie 5 is unclear. Clearly, they need to invest in redundancy for the system.

Similarly, Hogwarts seems to have a surprisingly difficult problem keeping students where they belong. It took until book/movie 6 before they put up a firewall around the school, and even then, attackers manage to encapsulate an attack within a legitimate source (Katie Bell), and the defenses also fall to Draco's VPN bypass (terminated by vanishing cabinet). It seems that magic should be able to do better.

In contrast, Voldemort clearly knows a lot about security. He makes backup copies of his soul, just in case something happens (like a backfiring killing curse). Granted, the restoration process leaves a bit to be desired. If he really cared about operational availability, he would have tested the process and avoided that whole 12 year delay issue. (And here I thought 24 hours to deliver backup tapes from the offsite repository was a long time.)

Similarly, given that it's been established that there is a thing called "a trace" that can detect when someone casts a spell, you'd think that they could use the same practice during quidditch matches to prevent the audience from interfering with the play... but they don't. As a result, there are all sorts of amusing and dramatically-appropriate hijinks.

Lastly, in an environment where a bunch of students are awash in teenage hormones AND are constantly playing with potions AND know that love potions exist, you'd think that there would be an emergency bezoar in each dormitory. But there's not.

It would be interesting to see what the world would be like if there were more audit-focused monitoring points, reactive response points and preventative spells. However, just as in the real world these sorts of technologies are tempered by the economics of the situation, in the fictional world there is a trade-off with dramatic tension. Sure, there are a lot of things that Dumbledore could have done to increase the relative safety of his charges, but to do so would have drastically reduced the possibilities for dramatic tension.

This would have reduced the number of books from 7 to likely 1 or 2. In our universe, Dumbledore lives for six whole books. If he had been a more protective head of Hogwarts, Voldemort may have been defeated much more quickly and the series would have been reduced. So, like most people, Dumbledore made a self-interested decision that had ramifications outside of himself. He got to live longer and be in an incredibly popular series of books and as a result, many of his students were placed in some wonderfully dramatic jeopardy.  That's something to consider, I suppose, when there are security decisions that you have to make.

Small Business Defense – Patch Management

December 17th, 2009 Josh No comments

There are three ways to approach this problem. The most common method is to ignore it, and apply patches as time permits. The logic here is that since applying patches can often require a maintenance window, it's hard to balance the business's needs against the risk of an attack by an unknown party. Since an increasing number of attacks are subtle, it's quite easy to convince yourself that it's not a big deal, and inadvertently accept more risk than you'd like. I don't really recommend this method.

The second method is to fully embrace the situation and fork out the cash for a full patch management system. These solutions aren't cheap, but they do allow you to view your entire environment from a single console. This way, you basically outsource the tedious job of keeping on top of everything and use the tool to make sure that all machines on the network are kept fully updated. Now, this solution doesn't eliminate the need to schedule downtime to get the patches applied, but it does simplify matters significantly... at least when you are only running software that is monitored by the tool.

The third method is something of a middle solution. In situations where you either lack the budget for a patch management solution or are still investigating the varied options, you can simplify the process by doing a quick audit of each of your systems and uninstalling anything that isn't needed. The key here is system classification:

  • Development systems should not directly face the Internet.
  • Production systems should not have development software on them.
  • Production servers should not have workstation software on them (Office, Adobe Reader/Flash, web browsers).

By eliminating all unnecessary software, you can massively reduce your attack surface. Simply put, if software isn't there, it cannot be exploited. Now, this doesn't eliminate the necessity to keep the software that is there up to date, but in the process of removing what's not needed, you can get a good idea as to what is there and monitor the patch releases for those few projects. It's not pleasant, but it is doable.
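The classification rules above can be turned into a repeatable check rather than a one-off audit. The following is an added example, not code from the original post: it reads an installed-package list and flags anything the rules for the system's role disallow. The package names and name patterns are assumptions about typical Debian/Ubuntu naming and should be adjusted to your distribution and to what your servers actually need.

```sh
#!/bin/sh
# Added example, not from the original post: a role-based package audit that
# flags software violating the classification rules above (development tools
# on production systems, workstation software on production servers).
# Package names/patterns are assumptions about typical Debian/Ubuntu naming.

# Workstation software that does not belong on a production server.
# Prefix match, so "firefox-esr" and "libreoffice-core" are caught too.
WORKSTATION_RE='^(libreoffice|firefox|chromium|thunderbird|acroread|flashplugin)'
# Development tooling that should not be on any production system.
# Exact name, optionally followed by a version suffix such as "gcc-12".
DEV_RE='^(gcc|g[+][+]|build-essential|make|git|gdb|python3-dev|openjdk-[0-9]+-jdk)(-[0-9.]+)?$'

# audit_packages ROLE < package-list
#   Reads one package name per line on stdin and prints every package that the
#   rules for ROLE disallow. Exit 0 = clean, 1 = violations found, 2 = bad role.
audit_packages() {
  case "$1" in
    production-server)      re="($WORKSTATION_RE|$DEV_RE)" ;;
    production-workstation) re="($DEV_RE)" ;;
    # Development boxes may carry anything; the rule for them is "not Internet-facing",
    # which a package list cannot show, so they pass this particular check.
    development)            return 0 ;;
    *) echo "unknown role: $1 (expected production-server, production-workstation, development)" >&2
       return 2 ;;
  esac
  # grep exits 1 when nothing matches; for us that is the clean case, not an error.
  found=$(grep -E "$re" || true)
  if [ -z "$found" ]; then
    return 0
  fi
  printf '%s\n' "$found"
  return 1
}

# Typical use on a live Debian/Ubuntu host (rpm -qa --qf '%{NAME}\n' on RPM systems):
#   dpkg-query -W -f '${Package}\n' | audit_packages production-server
```

Anything the audit prints is a candidate for removal; what survives the audit is the short list of software whose patch releases you then have to follow, which is the point of the third method.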
