Interview with a security professional - Bruce Potter

Author: alt.don (SF Boss)

Posted: Mon Oct 17, 2005 10:41 pm    Post subject: Interview with a security professional - Bruce Potter

In our continuing series of “Interview with a security professional” we have the pleasure of having Bruce Potter, founder of the Shmoo group thinktank.

Question

What was the motivation for your founding of the Shmoo group? You also have quite an eclectic group of members. Is there one defining feature, or character trait that all Shmoo members share?


Bruce’s answer

There were two real motivators for forming TSG. The first was pretty simple: I had a lot of friends who did security “stuff” and it made sense to try and band together. We figured we’d be able to get more done as a group than as individuals. The other motivator was to try and help the security community at large. TSG is not a company or any kind of for profit enterprise. We’re a group of security professionals with real day jobs. We do projects under the TSG banner to try and help foster the growth of the community and provide resources for others doing the same thing. It’s a bit altruistic, but it really is what motivates the membership. And it’s probably the one unifying feature in the group. Members come from all manner of different backgrounds from coders to CTO’s to consultants… but ultimately we hope that by writing software, speaking at cons, throwing a con, writing books, etc. we can help make things more secure.

Question

Your group has recently taken aim at some well known hacking tools, i.e., Metasploit and Kismet. There have been vulnerabilities found in them. Do you feel that there is a difference in finding bugs in programs and actually coding a full-fledged program? By that I mean, can you be a “bug” finder but not have the ability to, say, code a program?


Bruce’s answer

I think finding bugs and writing code are two totally different skillsets. Both are an art and science unto themselves. I know great coders who can’t find a security vulnerability to save their life. Further, I know guys who are incredibly good at finding holes but whom I wouldn’t trust to compile “hello world” without reading the man page. There are also folks who can do both, but it’s not by accident that they can.

It’s a bit analogous to the difference between secure functionality and security functionality. Security functionality is the components within a piece of software that are overtly security related: authentication mechanisms, authorization, encryption, etc. Secure functionality is when a component is implemented in a manner resistant to attack. For instance, the Microsoft JPEG renderer is not a security specific piece of functionality. However, it does have the ability to process code that has arrived over the network and therefore needs to be secure nonetheless. There have been at least two known vulnerabilities in the JPEG renderer that have allowed remote code execution. This underscores the fact that a software engineer may be able to write a rocking fast image rendering engine but may not know enough about software security to write it securely.

Question

At the recent Blackhat conference there was the Cisco controversy. It seems that the infrastructure of the web itself, i.e., routers, is not often targeted. By that I mean there is little PoC for successful router attacks. Do you believe this to be due to the good code of the IOS, or simply a matter of hackers focusing on the Win32 world?


Bruce’s answer

I think that the focus on x86 and not other platforms (like IOS) is due to a variety of reasons. First is access to resources to break apart, analyze, and attack non-x86 software. It’s easier to get your hands on an x86 box, a debugger, some reverse engineering tools, and a compiler than it is to get similar tools for Cisco machines. I can go to Borders and buy dozens of books on building software for a Windows machine and probably at least a dozen on breaking Windows-based software. I’m not aware of any similar book for Cisco devices (or any infrastructure device for that matter). That means finding vulnerabilities in embedded systems takes MUCH more effort than finding vulns in x86 based software. The person finding the vulnerability has a much higher wall to climb and therefore it limits the potential pool of attackers dramatically.

Second is the difference in what you get when you exploit a router. An attacker is looking to break into a system for a reason. Be it to leverage access or simply to exchange warez, the system broken into must be ultimately of some value. Presently there is little storage space and processing power on most embedded devices. Further the common bag of tricks that an attacker may upload to a compromised host (such as port scanners and the like) aren’t available for embedded systems. So really, unless you’re looking to directly attack a network infrastructure, there isn’t much motivation to 0wn a router.

Question

Do you believe that there is a possibility of computer generated code which could be flawless? Then again, though, the program that would program would have been written by a human hand. That would in and of itself possibly lead to errors.


Bruce’s answer

Define flaw ;) Provably secure code is a tough thing, though some of the automatic code generators actually do a pretty good job at it. As I recall, aspect oriented programming lends itself well to both automatic code creation and provably secure code. Now I’m no computer science expert (that was the third major I dropped) but my gut says that there will be some big advances in this region in the next two decades. However, on the flip side, systems will continue to become more dynamic and complex over the same time. Writing a piece of software that is provably secure on a single user, non-networked host is one thing. Writing provably secure software that lives in a web services architecture and has an insane number of interfaces is a totally different problem. Ultimately I think this kind of concept is a holy grail that will never have the payoffs we’d like it to.

Question

Were you to create a home lab for research, what would you have it made up of? Keeping in mind the budget conscious.


Bruce’s answer

Well, to start I’ll describe my home lab. When I’m working on a book or article, I usually need a bit of a playground to run code, write code, and generally try and make things work the way I want them to. So I’ve got a handful of Pentium II class machines with various amounts of RAM and disk that can run a variety of operating systems. Rather than have VMWare (I’m budget conscious as well) I’ve salvaged a bunch of disks on which I’ve installed FreeBSD, Linux (various distros), and Windows. I can swap in/mirror anything I need to and build a bunch of boxes really quickly. Most of the machines have two NICs so they can be firewalls, routers, etc. Also, I have a Sun Ultra 10 and a Sun Ultra 60 (IDE and SCSI based respectively) so that I can play around with FreeBSD and Solaris on the Sparc platform. Finally I’ve got a few OS X boxes so I can keep the Macs close.

Ultimately I’ve acquired most of these hosts for cheap if not free. When learning security or trying to break things, I’m rarely in need of lots of horsepower. I’d rather have 10 Pentium II’s with a variety of different operating systems than 2 PIV’s that are blazing fast but only run Windows.

Question

Do you feel that programming ability is essential to the security professional to perform their job?


Bruce’s answer

I think moderate programming ability is. In general, most security professionals need to be able to script something in order to do their job. This is not always the case, but it certainly helps.

Only a small part of what defines a “security professional” is software security. There are many operational security aspects that have nothing (directly) to do with code. Patch and configuration management, firewall and IDS administration, and even SOC activities generally don’t have any real software development aspects. However, scripting seems to come up enough that you’re better off knowing how to than not.

Question

Do you feel that Microsoft is making inroads as it pertains to making better programs with secure coding? IIS 6 has yet to fall to a remote code execution vuln, or publicly anyways.


Bruce’s answer

Microsoft is spending an incredible amount of money on securing their software. It’s a part of their culture and it’s a very public initiative for them. I’m sure some of it is a marketing response, but from everything I’ve seen, it’s making a real difference. Some may disagree with their methods (are DREAD and STRIDE the right breakdowns for the problems, for instance) but it seems to be helping nonetheless. Further, it’s highly unlikely it’s hurting anything ;)

A word of advice for those looking to pick up a copy of Writing Secure Code in an effort to help reform their own company’s software development process… WSC is a book that describes how Microsoft tries to write secure code. No one writes code like MS does. They are GIGANTIC. Similarly, it would be folly to pick up that book and try to directly emulate what they do. It’s a great roadmap or book full of ideas that you can use when trying to fix your own software process. But be aware that trying to do exactly what MS did will likely not only be unsuccessful but a potentially alienating experience for your developers.

Question

There are, as always, many buffer overflows for various products out there. Is the day of the TCP/IP stack hack gone? There does not seem to be a great amount of raw socket sorcery going on. The last one of note, if memory serves, was the Cisco switch DoS as done by hping. Are there any TCP/IP stack hacks left?


Bruce’s answer

Heh.. Microsoft recently announced a vulnerability that I dubbed Land II. The original Land attack involved crashing a Windows box by sending it a packet with the src and dst port and IP the same. I think that was a Windows 95 problem. In the Windows XP version, not only could it crash the box, but it could also cause remote code execution (a nice new twist).

However, these types of attacks seem to be the exception now, not the rule. I remember picking up Stevens’ UNIX Networking book and writing socket code from scratch in order to lay packets on the wire by hand. However, tools like netcat and nemesis now make sending arbitrary data over the wire easy. And most vendors have refined their IP stack to the point that stupid flag tricks don’t crash the host anymore. It’s taken a while to get here, but we seem to be towards the end of this problem. However, vendors will still periodically make a mistake so I’m sure the community will still see IP tricks pop up once in a while.

Question

Do you have any words of advice for the budding computer security enthusiast who aspires to a career in the field?


Bruce’s answer

I get asked this question a lot and I’m not sure I have a real good answer. Not to be all After School Special or anything, but I think the best advice is to just do it. Don’t get hung up in the mechanics of what you should learn or what certs you should get or whatever. Just get a bunch of hosts, install a bunch of OS’s you’re unfamiliar with and start playing. Learn how networking on each host works, learn what all the services do, learn how to communicate between UNIX and Windows boxes, etc. Just play with it and learn. That’s the kind of personal initiative and curiosity that makes a good security professional… not what firewalls you know how to configure or what version of ISS you’re skilled in.

On behalf of the membership and myself I would like to extend thanks to Bruce for taking the time to provide some insightful answers to our questions.

This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.


Last edited by alt.don on Tue Nov 15, 2005 4:05 pm; edited 1 time in total
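Bruce describes the Land signature above: a TCP/IP packet whose source and destination IP and port are identical. The following is an added detection example, not code from the interview or from The Shmoo Group; it parses raw IPv4/TCP headers and flags that signature, using constructed sample packets (RFC 5737 test addresses) as input.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TcpIpHeader:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def parse_ipv4_tcp(frame: bytes) -> Optional[TcpIpHeader]:
    """Parse the IPv4 and TCP headers of a raw IP packet; None if not IPv4/TCP."""
    if len(frame) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 6:          # IPv4 only, protocol 6 = TCP
        return None
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes (options included)
    if ihl < 20 or len(frame) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return TcpIpHeader(".".join(map(str, src)), ".".join(map(str, dst)), sport, dport)

def is_land_packet(hdr: TcpIpHeader) -> bool:
    """Land signature: source and destination address AND port are identical."""
    return hdr.src_ip == hdr.dst_ip and hdr.src_port == hdr.dst_port

def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed header-only test packet (checksums left zero; SYN flag set)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp

# Constructed samples: a normal request, a Land packet, and a same-host but different-port packet.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80),
    build_ipv4_tcp("192.0.2.20", "192.0.2.20", 139, 139),
    build_ipv4_tcp("192.0.2.20", "192.0.2.20", 1025, 80),
]

def flag_land_packets(frames: List[bytes]) -> List[int]:
    """Return indices of frames matching the Land signature (non-TCP/IPv4 frames are skipped)."""
    hits = []
    for idx, frame in enumerate(frames):
        hdr = parse_ipv4_tcp(frame)
        if hdr is not None and is_land_packet(hdr):
            hits.append(idx)
    return hits

if __name__ == "__main__":
    print("Land packets at indices:", flag_land_packets(SAMPLE_PACKETS))
```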
Author: data (Forum Fanatic, India)

Posted: Thu Oct 20, 2005 3:50 pm

A wonderful interview. Thank you, Mr. Bruce.
Author: ShaolinTiger (Forum Fanatic, Kuala Lumpur, Malaysia)

Posted: Mon Oct 24, 2005 5:14 am

Yeah very nice and complete answers, great stuff!