Security Warrior
author | Cyrus Peikari and Anton Chuvakin
pages | 531
publisher | O'Reilly
rating | 7
reviewer | Peter Wayner
ISBN | 0596005458
summary | Not a deep approach to security, but a great bag of tricks every sysadmin should have at hand.
The book comes lightly packaged in a metaphor about the training of samurai. A security warrior, it is said, must avoid a "superficial study of the subject" because that leads to a "deterioration of the samurai spirit." To avoid this, the authors plunge deeply into a wide variety of ways that attackers might break into your system. The book is meant to help you "know your enemy" and "see through an attacker's eyes."
This chest-beating fluff disappears pretty quickly because the authors dive into reading assembly code in the first chapter and start talking about the registers of the CPU by page 4. The rest of the first part of the book explores reverse engineering software by reading assembly dumps and using good tools to decipher it.
After poking around in binary code, they turn to the bits floating around the network. Chapters 6 through 10 explore how to sit on one end of the Internet and pry your way into another computer. Chapters 11 through 17 dive deeper into the specific defenses of platforms like UNIX, Windows, SOAP and SQL. The rest of the book, Chapters 18 through 22, explores how to figure out just what the attackers may be doing by setting up honeypots and log analysis tools.
Covering all of these topics in 531 pages is clearly not possible, and the book reads more like a survey or a catalog of what can go wrong. If you use PHP, for instance, as a frontend to your database, you might want to be sure that some "script kiddie" won't slip in some extra SQL in the form fields. Each topic isn't built up from some bedrock foundation with perfect mathematical pedagogy; it's just defined as a list of bad things that you should avoid doing.
The authors seem to be aware of how this might be misinterpreted. There are many good tricks in the book and it wouldn't be hard to rename it Al K Da's 1337 Haxor Tips. So the authors stress how learning about the enemy is the only way to defeat the hordes.
I think the problem is deeper and more philosophical. There's no way to prove a negative. There are no good mathematical tools that make it easy to prove statements like P!=NP or that big numbers can't be factored quickly. In a larger sense, it's not really possible to prove that someone can't break into a system. A more traditional, ground-up approach to the topic can offer some assurances, but books like this one are always necessary. Anyone doing battle against unknowable and unpredictable adversaries must look between the cracks.
If you look at it this way, the book is a good collection of tips and hints that will help someone keep their network a bit more secure. It doesn't provide a deep, elegant and rigorous explication of the topic, but I don't think that is possible. It's a great collection of tricks that should be part of a good warrior's training.
Peter Wayner is the author of Translucent Databases and Policing Online Games.
Another good book - Counter Hack (Score:5, Informative)
Here's amazon's page on it [amazon.com]. It's ranked 5 out of 5 stars.
It's Good (Score:5, Informative)
A good security policy is paramount. This book does a good job pointing out some not-so-obvious places that are often over-looked in our haste to meet deadlines.
Samurai (Score:5, Funny)
First rule: know when to commit seppuku.
Re:Samurai (Score:3, Informative)
Re:Samurai (Score:2, Interesting)
Heh, yes, Hagakure (In the Shadows of Leaves) has many insights on a lot of topics :). For the one at hand, a slightly more productive reflection from the book might be:
Top 10 (Score:4, Funny)
10) You've just been ordered to migrate from sendmail to Exchange server.
9) Your boss, let's just call him Bill, insists upon being given root privileges, in spite of the fact that he constantly breaks things even with mere user privileges.
8) Your boss won't let you filter out
7) You are told by your boss, who (mis)read a computer security advisory to put the company webserver (which handles online sales) on a non-standard port "so the hackers won't be able to mess with it."
6) Your boss expects you to find a way to make your Solaris servers, with tons of ancient, crufty legacy code which is vital to the company, run ASP pages just so they can use (read: justify the ridiculous expense of) some crappy B2B application they bought without consulting IT. Preferably sometime next week.
5) Your boss thinks that some 'internet accelerator' software (read: spyware) should be made mandatory for all employees to improve productivity.
4) Your "security policy" is more like a list of who to blame for what.
3) Your boss is negotiating a SCO IP license, since "any publicity is good publicity."
2) Your boss thinks you should be more thankful, because the management is so "IT-savvy" and always ready to help you out.
1) You ignore all this bad advice, pretend you took it anyway (he'll never actually know...), and waste your time posting on Slashdot instead of working.
Sample Chapter on Oreilly site (Score:5, Informative)
Re:Sample Chapter on Oreilly site (Score:3, Informative)
Because all I read was descriptions of some old attacks, SMB and UPnP exploits, some proof of concept code..
Nothing about methods or philosophies to protect in the future, it looked more like every other O'Reilly book I've read, just info scraped from relevant forums and faqs to fill pages.
Reads more like a script kiddy cookbook than a tool for Admins.
Hrmm... (Score:2)
Re:Hrmm... (Score:4, Insightful)
http://www.schneier.com/
Re:Hrmm... (Score:1)
Re:Hrmm... (Score:5, Informative)
Re:Hrmm... (Score:1)
Other books (was: Re:Hrmm...) (Score:1)
What would you recommend on ITIL/BS7799? ...
Also, why would you mention BS7799 but not ISO 17799? Books of this type are usually pricey. Any free / PDF-type documentation? I am collecting docs of this kind. Thanks
Collection of my books is here [insan.co.id]. See the section on security.
-- br
scary no doubt (Score:5, Insightful)
It's nice to see there is no lack of someone/somecompany trying to make some money off of the security FUD/Errata scene nowadays. Strangely I've been running webservers, databases, clients without problems for years. I keep a slight watch on lists, and I think (IMO) I keep systems pretty tight either via normal tools, whether they're open source or not.
I still don't understand how hard it is for companies to throw up a so called webserver and have who knows how many ports open. If it's a webserver it's a webserver, mailserver then it's a mailserver. I call it shoddy administration. Taking the time beforehand to configure something properly will definitely save you a heck of a lot of time down the line; it becomes a matter of watching for new holes and patching them up quickly. If servers are an issue write some script to install patches/fixes to clusters or so.
Sometimes I sit back and wonder what the hell is happening to the security field as a whole. Within the past four years it went from a couple of individuals to everything being overrun by corporations. Security Focus to me pretty much sucks nowadays, but yet aside from lists such as NANOG, Secfocus, ISP-Lists, there are little resources left. I say strong planning nulls out any information you can get from a book. Besides most of the information one could ponder looking for can be found using good old google. Why should I keep wasting money to see the same things over and over again.
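The "a webserver is a webserver" point above is easy to turn into a check. The following is an added example, not code from the thread or from the book: it parses constructed `ss -ltn`-style output, ignores loopback-only sockets, and reports any externally reachable listener that the host's declared role does not justify. The per-role allowlists are assumptions for illustration; a real one comes from your own build standard.

```python
"""Flag listening TCP ports that a host's role does not justify.

Added example (not from the Slashdot thread or the book). The sample
`ss -ltn` output below is constructed, and the role allowlists are
assumptions used for illustration.
"""
import re

# Assumed per-role allowlists: a web server gets SSH plus HTTP/HTTPS,
# a mail server gets SSH plus SMTP, submission and IMAPS.
ROLE_ALLOWLIST = {
    "web": {22, 80, 443},
    "mail": {22, 25, 587, 993},
}

# Constructed sample of `ss -ltn` output from a box that was built as a
# web server but has a database and a VNC service left listening.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# One LISTEN line: state, recv-q, send-q, then "address:port".
_LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN socket in the output."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def is_loopback(addr):
    """Sockets bound only to loopback are not reachable from the network."""
    return addr == "[::1]" or addr.startswith("127.")


def unexpected_ports(listeners, role):
    """Ports on a non-loopback address that the role's allowlist lacks."""
    allowed = ROLE_ALLOWLIST[role]
    return sorted({port for addr, port in listeners
                   if not is_loopback(addr) and port not in allowed})


def audit(ss_output, role):
    """Convenience wrapper: parse the output and audit it for one role."""
    return unexpected_ports(parse_listeners(ss_output), role)


if __name__ == "__main__":
    for port in audit(SAMPLE_SS_OUTPUT, "web"):
        print(f"unexpected listener on port {port} for role 'web'")
```

On the constructed sample the web-server audit flags 3306 and 5900 but not the loopback-only MySQL socket, which is the distinction that matters: a service bound to 127.0.0.1 is a local dependency, one bound to 0.0.0.0 is an exposed port. Running the same output through a script like this after every build, and diffing against the last run, is the cheap version of the "watching for new holes" the comment describes.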
PS... (Score:2)
If you use PHP, for instance, as a frontend to your database, you might want to be sure that some "script kiddie" won't slip in some extra SQL in the form fields. This can easily be fixed using mod_security [politrix.org]. Remember - for the PHPNuke/Postnuke, or any other content management based site - there needs to be a connection to your admin page at some point in order to manipulate anything. Another fix:
one more thing on mod_security (Score:2)
for those using apache, if you haven't had the chance to play with it you should, and you should also check out the snort2modsec perl script [infiltrated.net] if you're too lazy to make your own SetFilter rules. Sorry for the multiple postings
yet another neat thing (Score:2)
Using mod_security I replaced mod_redirect since I can achieve the same thing. One thing I've been doing when vulnerable Windoze hosts connect (/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0), is sending them to the support.microsoft.com fix page for their machine. They won't connect period unless they put a patch on. I know it sounds a bit cheesy, and I don't think the end user knows why they get redirected, but I know if I didn't know compsec that much I would want someone
Re:scary no doubt (Score:2)
Re:scary no doubt (Score:3, Interesting)
Re:scary no doubt (Score:2)
I've dealt with the bosses from hell at one point or another. Currently I'm working at an ISP so I'm more into DS3/OC3/DSL/DUN issues right now. Currently the company I work for is pretty cool, laid back, and even though I could make a killing elsewhere I would have to contend with people not understanding shit and wanting things done like you describe. As a system engineer you're hired to make systems run not argue with management about their uptimes but prove your points. Again on issues of patching anyone
Re:scary no doubt (Score:1, Funny)
Re:scary no doubt (Score:2)
i flipped through this book recently at a borders after i had been given a specific vulnerability testing assignment at my large-lan-going-wireless-in-areas place of employment. (roughly, the assignment was "the box is over there...um...bring it down if you can. if not, make trouble. for us, not users.") and this book gave me some ideas on wireless sniffing (although no Kismet on windows REALLY REALLY
Security a good field? (Score:2)
Re:Security a good field? (Score:1)
The more things change, the more they stay ... (Score:5, Insightful)
Don't open unused ports.
Don't make your system unnecessarily complex.
Don't use software if you haven't inspected it.
Don't give access to those who don't need it.
Handle every exception.
Assume your user is an a**hole/dumbass who will use your system every way except the way it was intended to be used.
Dot your i's and cross your t's.
Now... Who wants to give me a book deal?
Re:The more things change, the more they stay ... (Score:1)
Re:The more things change, the more they stay ... (Score:5, Insightful)
The reason why there are so many security books out there is that people need to be shown how to do all the things that you list. Somebody who doesn't understand that a form which is browser-limited to only send numbers still has the ability to send back characters isn't going to bother to code in the line that bounces non-numeric input.
It's hard to tell somebody who doesn't know what i's and t's look like to dot and cross them correctly.
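The comment above, and the review's remark about extra SQL slipped into PHP form fields, describe the same gap: the browser-side limit is advisory, so the server must re-validate and must never splice a field into a query. The following is an added example, not code from the thread, the review or the book; the product table and the order handler are constructed for illustration. It shows the "line that bounces non-numeric input" and a bound-parameter lookup next to the string-concatenated lookup the review warns against.

```python
"""Server-side validation of a 'numbers only' form field, plus a
parameterized query so stray SQL in a field does nothing.

Added example (not from the Slashdot thread, the review or the book).
The table contents and the handler are constructed for illustration.
"""
import sqlite3


class InvalidInput(ValueError):
    """Raised when a submitted field fails server-side validation."""


def parse_quantity(raw):
    """The browser form may limit this field to digits, but a request can be
    built by hand, so the server re-checks type, charset and range."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise InvalidInput(f"quantity must be digits only, got {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= 1000:
        raise InvalidInput(f"quantity out of range: {qty}")
    return qty


def make_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("SW-001", "Security Warrior", 4495),
         ("TD-002", "Translucent Databases", 2995)],
    )
    conn.commit()
    return conn


def order_total(conn, sku, raw_quantity):
    """Look up the price with a bound parameter and multiply by the validated
    quantity. Returns the total in cents or raises InvalidInput."""
    qty = parse_quantity(raw_quantity)
    row = conn.execute(
        "SELECT price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchone()
    if row is None:
        # Whatever was in the field was compared as a literal string.
        raise InvalidInput(f"unknown sku {sku!r}")
    return row[0] * qty


def unsafe_lookup(conn, sku):
    """The pattern to avoid: the field is pasted into the SQL text, so any
    quote or operator in it becomes part of the query."""
    return conn.execute(
        "SELECT price_cents FROM products WHERE sku = '" + sku + "'"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(order_total(db, "SW-001", "2"))          # 8990
    for bad in ("12abc", "-1", "0", "1e3"):
        try:
            parse_quantity(bad)
        except InvalidInput as e:
            print("rejected:", e)
```

Two details carry the point. `str.isdigit` is the check the browser's input restriction only pretended to do; a sign, a decimal point or an exponent all fail it, and the range check stops an absurd but well-formed value. And the bound `?` parameter never changes the query's shape, so a SKU containing quotes is just a string that matches no row, while `unsafe_lookup` lets the same string rewrite the WHERE clause.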
Re:The more things change, the more they stay ... (Score:2)
Perfect Security is infinite... (Score:5, Insightful)
An entirely secure site can be breached by a bomb being dropped on top of it. Now, some people might say that's cheating, because demolishing the site, and therefore whatever valuable was being protected too, doesn't give control of the valuable to the attacker. However, it does deny the services of the valuable to its owner as well. That's a security failure, the job is to keep the services of that valuable always available.
Computer security should be thought of in those terms. There's no such thing as unbreachable security, you just want to set the thresholds of what it takes to breach the security high enough so that it becomes highly unlikely that anybody can come up with the force it takes to defeat them.
Clearly, if somebody comes up with a processor that can quickly factor large numbers, then a good chunk of today's security theory will go straight out the window. However, since to our knowledge nobody has done so and nobody's close to doing so, we can consider that a good security technique to use now.
One must always keep up with what tools the bad guys have available, because once they have something that can knock down a defensive tool with ease, that defensive tool had better have another line of defense behind it.
Re:Perfect Security is infinite... (Score:2, Interesting)
The issue with net security is that you're inviting people into your foyer, and perhaps even your living room and bathroom, but wish to keep them from sn
Re:Perfect Security is infinite... (Score:3, Interesting)
Unplugging from the 'net is a good idea for servers that offer no services to the 'net. (Software updates can be delivered to it by sneakernet when need
Re:Perfect Security is infinite... (Score:1)
Re:Perfect Security is infinite... (Score:2)
For your specific example decent security might be no open ports, no incoming ports in it
Re:Perfect Security is infinite... (Score:2)
Any time you give network access, you're trading away some unit of security. Sneakernet is more secure than non-routable space. Of course, taking updates in by disk gets too annoying, that's a trade you'll be willing to make, just don't lie to yourself and say you didn't give up any security, j
Re:Perfect Security is infinite... (Score:1)
Re:Perfect Security is infinite... (Score:5, Insightful)
The correct answer is that the threshold should be set at the point where increasing security further incurs a greater cost than the value of the risk mitigated by the increase. In other words, you perform a risk assessment and a cost/benefit analysis before you spend a lot of time/money on elaborate security measures.
If a security measure is going to cost $50k to mitigate $5k of risk, it isn't worth it.
Re:Perfect Security is infinite... (Score:3, Insightful)
That's the classical definition of physical security, which assumes that attackers are controlled by economic motivations. It's highly unlikely that anyone would spend money on bribes and/or tools to steal my 1979 Volkswagen Rabbit, for example.
It doesn't apply to some corners of information security, though.
Technica
...when cracks can appear anywhere.. (Score:4, Funny)
Nuff said.
Dammit! (Score:2)
Re:...when cracks can appear anywhere.. (Score:2)
Soko
Re:...when cracks can appear anywhere.. (Score:2)
otherwise the cracks will just keep coming back through the plaster.
I thought duct tape solves everything.... (Score:1)
Re:...when cracks can appear anywhere.. (Score:1)
Re:...when cracks can appear anywhere.. (Score:1)
Unbreakable? (Score:4, Insightful)
Things slipped out of control because growth wasn't followed by quality control. It would need to be designed from scratch. I think it would be possible - system completely unbreakable, without ANY holes.
But I guess building it would be so expensive, that EVERYBODY prefers systems that work so-so and contain unknown bugs and nobody would be willing to buy it.
Bah, you beat me to it (Score:5, Informative)
Re:Bah, you beat me to it (Score:1)
Re:Bah, you beat me to it (Score:1)
Where the heck did you hear that? Or start saying it? I could have sworn that it was started by accident by my friend and co-actor Mike L, during a puppet show long about 8 years back or so.
The "crap" part came out that way because he was about to say "Christ" and, playing a Moor, realized that would be wrong. so it came out "Sweet Merciful Cr-
Mmm. Dirty Puppet Shows...
Re:Bah, you beat me to it (Score:1)
But seeing as I'm now following up to my own post, I can honestly say that I'm not having the same problems with CRLF inserts that you are. Perhaps you default to HTML posting?
Seppuku (Score:4, Funny)
Does this mean I can look forward to lots of MSCE admins committing seppuku when they get cracked?
Re:Seppuku (Score:1)
Re:Seppuku (Score:1)
2. MCSE Joke
3. Karma!
Play it safe... (Score:2)
...and replace your PC with a Timex Sinclair [oldcomputers.net]. In over twenty-two years of use, not a single one has ever been infected with a virus.
For the rest of us, my advice usually follows something like this:
I read the first version (Score:4, Funny)
Re:I read the first version (Score:1)
Re:I read the first version (Score:1)
Ummm, whoever modded this as informative, try stopping by the library and reading "The Art of Warfare" by Sun Tzu. I can assure you the parent post was a joke and by your modding skills you must be as well.
Get Safari (Score:5, Informative)
Some people might not like reading the books on your monitor, but it doesn't bother me. I think the electronic search features (in a specific book, across all books, etc.) really makes the service much more useful.
Again, I'm not trying to plug, but after years of spending at least $50 a month on books I'm really satisfied with safari.
Re:Get Safari (Score:2, Informative)
Safari is definitely worth a look for any techie, and the first two weeks are free.
Here's a link to the full contents of the book on Safari [oreilly.com].
The book itself is also good. As the review said, it was nicely detailed where needed and skims over points that could be skimmed.
Re:Get Safari (Score:1)
Maybe it's me, but I'm start
Re:Get Safari (Score:2)
Now the only question is what to spend the remaining monthly $230 left out of my training and books stipend on.
Hey I could save up a few months and buy me one of them there Linux licenses from SCO. Then I'll be knowledgeable & LEGAL!!! :)
Re:Get Safari (Score:2)
Yeah, I know, it was a joke. So is this.
Cheaper plan (Score:2)
Re:Cheaper plan (Score:2)
They have a variety of pricing plans, including something like $30 a month for unlimited access (assuming you're a corporation willing to commit to licenses for lots of employees). Whatever you decide on, Safari is definitely worth the price.
I'd like to add that although Safari is by O'Reilly they've got a number of books by other publishers (including
Paradox of Open yet Closed (Score:4, Informative)
On the other hand, we want to restrict access to all but a "trusted" few. Yet the tools for creating trust on the internet are poor or illusory.
Trust takes time to develop. Only after we have a breadth and depth of experience with the counterparty can we truly trust them. The existence of people willing to create a trusted persona over the months or years in order to gain black-hat access or run a scam is at odds with the natural speed of the internet where it only takes a few months to become a trusted veteran.
Trust also requires tokens of commitment -- the idea that each party has something to lose in the relationship. Unfortunately, most online venues lack this because it is too easy to abandon a troll/criminal persona and create a fresh persona.
I applaud the work of computer security professionals -- it's an extremely hard job made harder by the conflicting demands on computer infrastructures and the mismatched timescales of trust and the internet.
Re:Paradox of Open yet Closed (Score:4, Insightful)
To banks, in order for you to have perfect credit credentials, you must have taken loans before and not violated the terms. Never taking a loan is a neutral value... you haven't screwed up, but on the other hand you haven't had the chance to either. There's no data on you, which means the system has nothing upon which to make a decision, and therefore it's the system's least confident prediction.
Tokens of commitment can only be used to prevent somebody from breaching trust when what they've put up at stake is more valuable to them than what they might get as a result of breaching the trust. A token that isn't strong enough doesn't really create trust. However too strong of a token also will turn away those who don't trust you, which can deny the project you're trying to protect from getting the help it needs.
The paradox of open yet closed is not one that can be solved, it just has to be dealt with.
Ob (Score:4, Funny)
2. Pull power cord
3. ???
4. Security!!!
Re:Ob (Score:2, Funny)
Not if you're using it as a doorstop.
KFG
How much security do I need? (Score:5, Funny)
I think it's like that old joke about how to protect yourself from being killed by a bear. (I don't need to outrun the bear, I just need to outrun you). I only need to be slightly more secure than the rest of you. Right now, frankly, that's not too hard.
Re:How much security do I need? (Score:2)
Funny? That's insightful. The analogy is physical security. You don't make your house burglarproof. You harden it to the point that the burglar picks on someone else.
The hidden assumption, though, is that you're dealing with an individual attacker who wants or needs to conserve effort and who thinks all targets are equal.
If you're a high-profile target then this doesn't apply. You'll have bad guys aiming specifically at you.
Automated attack
Computer Security In General (Score:5, Insightful)
So, at the end of the day, all a sysadmin can do is operate the machine in a prudent manner (set it up to have security reasonable to the risk), keep it patched and raise the bar to keep as many potential foes out as possible. But bear in mind, no matter what you do, if one is determined enough, they WILL be able to break into your machine.
After all, the best hackers are the ones you have never heard of. Their best exploits are the ones that no one knows about. Children brag about their shenanigans, a wise criminal keeps his tools to himself so they keep working.
Linux and other OSS projects have a community to identify the risks, but not even a community nor the author(s) of a given piece of code as complex as a working modern Linux system can identify them all.
windows (Score:2, Funny)
Yeah, many computer hackers in recorded history have come in through Windows.
We must not accept this (Score:2, Interesting)
Computer security problems almost
Wrong, O Anonymous One (Score:1)
ISP Certification Course? (Score:1)
The use of server tools such as plesk makes being an admin for a server an easy job for someone who's never even logged into a shell.
A class or certification in ISP/Web Server management and server security would greatly benefit from using this type of reading. I've got a friend of mine who is this type
Some Wisdom (Score:2, Funny)
Best security practice- get rid of your Windows first.
All your base... (Score:1)
Social Engineering (Score:4, Insightful)
Can't prove a negative? (Score:5, Informative)
You have no idea what you're talking about. Mathematicians and computer scientists prove negatives and non-existence all the time. For example, it is proven that there exist no non-zero rationals a, b, and c, and integer n > 2, such that a^n + b^n = c^n.
The reason it's not possible in practice to prove anything about computer security is that the languages and protocols we used were not designed with this ability in mind. You can't prove anything useful about unix, C, or HTTP. It's true that it would take a massive overhaul of our computer infrastructure, but it's possible to have systems that you can reason about.
Even then, it's true that you can only prove things in a model, and it's always possible that there will be a real-world attack that isn't reflected in the model. But the situation could be much, much better than it is today. If you use a safe language and design your library carefully, you can probably provably protect yourself from some vulnerabilities.
Re:Can't prove a negative? (Score:1)
I believe he is either referring to the Logical Fallacy of Relevance: Appeal to Ignorance, where one person states a statement must be true because no-one can prove it wrong.
I think what he is trying to say is that you can't prove that something can't be done (like quickly factor large integers) because it's impossible to know the full scope of the problem, or keep up with the advance of knowl
How do you know what gets through the cracks? (Score:3, Interesting)
If you really think you're not going to seal all the cracks, or that you create new ones as you rebuild your electronic foundation, you need to track what goes on inside the house at all times.
The best way to do this is to log all significant events in your infrastructure:
Without knowledge of your history you can't see new trends or look back and see how often in the past newly discovered exploits by external attackers and internal were used. The company I work for (Addamark) discusses the log-everything approach to security [addamark.com]. It's a tough problem because of the scale of info required. Sorry for the shameless plug but this is the problem we address, and do so rather well at several real-world companies.
Another way in through the door (Score:2)
"Encyclopedia salesman!"
Seriously, that's what e-mail viruses are turning into these days. Now they're encrypting zip attachments and expecting the idiots to remember a five-digit number for more than a few seconds. And it's actually working.
Sounds like an ant invasion rather than a h4x0r. (Score:2)
Sounds like you need to buy a can of RAID and spray it all over the place. Also, Home Depot sells those ant baits that are supposed to kill off the entire colony (the ants take the poison to their nest and kill all their relatives, including the queen). Other than that, I'd say get a professional pest control company to take care of it
Re:Most valuable advice on Slashdot ever (Score:1)
Re:Oh no. (Score:2, Informative)
Aikido [aikidofaq.com] isn't for fighting -- it's a defensive martial art whose purpose is to gently take down your opponent using a variety of joint locks, etc.