According to some professionals, the aphorism "Given enough eyeballs, all bugs are shallow," coined by US hacker Eric S Raymond and credited to Linux inventor Linus Torvalds, defines the security business. Also called "Linus's Law" it suggests that an open community of experts, working together for the greater good, can outdo the efforts of a multinational giant.
A keen proponent of Linus's Law is Paul Johnstone, the security head of business consultancy Think Smart Systems, who names open-source privacy suite GPG as one of his favourite tools. "I use it because it offers everything the commercial vendors do, but it's open source. So with tens of thousands of developers and security analysts working on it and improving it, I can sleep safe at night knowing I haven't been sold a lemon," he says. Johnstone is also a fan of Wireshark, an open-source on-the-network packet sniffer and analysis tool.
In short, cost is not the driving force behind the appeal of open source, and neither is it an overriding concern for security professionals. However, they are paranoid about making a bad purchase. So how do you know you have found the right tool? Marko Ruotsalainen, a Finnish security expert and blogger at Liquid Information, points out that some vendors offer trial versions that allow you to test their product before buying.
"For example, if you need to start doing periodic vulnerability assessments, you can evaluate different vendor tools against a known set of targets with known remote and local vulnerabilities," he says. "Comparing a tool against all the available options can be a tedious affair, but I would always advise doing it."
Factors to compare are scan thoroughness, false positive/negative rates, the level of customer support and the amount of detail offered by the reporting function. Ruotsalainen recommends the Talisker security wizardry website (www.securitywizardry.com), a vendor-independent portal that claims its product listings are unbiased.
Frustratingly for infosec professionals in some parts of Europe, selecting the right kit for the job has just become a bit more complicated. For example, last August Germany moved to bring in draconian anti-hacker measures to criminalise the creation or possession of dual-use security tools. An update to the country's computer hacking laws brought a number of improvements, including the criminalisation of denial-of-service (DoS) attacks.
However, the controversy was centred around the new offence of creating or distributing "hacking tools", a highly ambiguous term considering the widespread use of these tools by the "good guys". The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run DoS attacks and one intended to stress-test a network, are not clearly set out by the new law. Many of these tools are used legitimately by system administrators and researchers to identify vulnerabilities in corporate systems; anything from nmap to perl can be used for both constructive and illicit purposes, in much the same way a hammer can be used for DIY or vandalism.
The amendments to the German law were similar to measures proposed in the UK's Police and Justice Bill, which had previously been scrapped due to industry pressure but now look set to be revived and brought into force by May this year. The Government's move is widely perceived as bad news, since the effects of Germany's anti-hacker crusade have bitten deep, with security consultancy Sunnet Beskerming claiming that tool developers were packing up shop within days of the new laws being announced. For example, the developers of KisMAC, an OS X wireless network scanning tool, have ceased development in Germany and opted to relocate to the more liberal Netherlands. Proof-of concept exploit code from the Month of PHP bugs project, patched together by German coder Stefan Esser, has been taken down from his site, and Phenoelit has closed its German presence.
Chaos Computer Club (CCC), the notorious Berlin-based hacker group, jibed that the law must mean German politicians were satisfied that the country had been liberated of computer security problems. Sunnet Beskerming plainly states its belief that "the law will have the unintended consequence of making legitimate research just that much harder, only deterring the legitimate researchers and the opportunistic attacker. The serious criminal will just keep on going with their malicious activity."
The UK has taken a slightly different approach to Germany, publishing guidelines to address some of the ambiguities in its upcoming law. However, many industry veterans are unconvinced. Richard Clayton, a security researcher at Cambridge University and long-time contributor to UK security policy working groups, takes issue with the imprecise wording of the document, pointing out that "prosecutors seem to think that 'software is generally sold'" and that the writer "rather misses the point of dual use by talking about using the tool in a different 'context'."
Thankfully, despite these legislative changes, the tools that make life easier for the infosec professional are unlikely to disappear, as those who develop and distribute updated software for legitimate users are sure to find ways around the problem - even if that means physical relocation. In the UK law, an emphasis is placed on those who "supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of (an offence)."
There are also the many applications that escape "dual purpose" status that have become a popular mainstay of the professional's toolkit due to their usefulness in other areas. UK ethical hacking group Darknet (www.darknet.org.uk) recommends Eraser, an advanced Windows tool that enables users to completely remove sensitive data from their hard disk by overwriting it several times with carefully selected patterns. On its blog, Darknet describes Eraser as "an excellent tool for keeping your data really safe, if you've deleted it. Make sure it's really gone - you don't want it hanging around to bite you in the ass." That sounds ideal for IT staff looking to safely dispose of those old hard drives.
Darknet also gushes over the Nessus Remote Security Scanner, which it hails as "the world's most popular vulnerability scanner used in over 75,000 organisations". It claims organisations can make significant cost savings by using Nessus to audit business-critical enterprise devices and applications. Apparently Nessus recently went closed source, but is still essentially free.
Another tool that fits into this category is software indexer Splunk. One of the essential features for even a small network is a centralised logging solution, and Gary Williams, a London-based networks and server consultant, finds Splunk to be just the right tool for the job. "It's much easier for trouble shooting, as it becomes possible to review logs and search for related events, or even look for the same event on separate machines," he explains. "Traditionally that's required quite expensive software, such as HP OpenView, but Splunk might be about to put an end to that. It is the Google of IT data. It'll happily collect all sorts of different logs once configured, and the configuration is not too difficult."
Next up is the newly emerging business of security software as a service (SaaS). Although still in its infancy, some early adopters are already reaping the benefits of weaving together multiple offerings to bolster their IT security infrastructure. One such company is ICI, the paints and chemicals maker that was recently acquired by Dutch conglomerate Akzo Nobel. With global business operations and an annual research and development budget of nearly $60 million (£30 million), ICI is putting a lot of effort into securing its intellectual property and other assets. By combining several SaaS applications, including email and anti-spam from MessageLabs, vulnerability-scanning from Qualys and web-filtering from ScanSafe, IT staff at ICI claim they are achieving an efficiency rate and value for money that traditional on-premise security products would not allow.
Paul Simmonds, global information security director at ICI, says the company is "pushing the envelope" with SaaS and has been looking into hosted binary-code scanning tools offered by Veracode, a type of scanning that "is very complex to do on your own." However, Simmonds warns that it is important to be selective in what you move into the cloud. "Some things will never work for this model," he says. "There's a danger that when something like SaaS becomes an industry trend, the market goes overboard."
Some elements of ICI's network and data security will always remain on site. Naturally, Endpoint-focused products, including data-leakage prevention software, are among the applications unlikely to take off via SaaS, as outsourcing would defeat the purpose of the technology.
This brings us to some final words of wisdom from Ruotsalainen: "A tool that is good for me isn't necessarily good for you," he points out. "Only when you truly understand and have practical knowledge of the subject itself, can you choose the right tools for the job. If you don't know your stuff, the tool's usefulness will drop as you might not be able to configure it."
His advice? "Don't blindly follow other people's reviews. Concentrate on developing your own knowledge and test things for yourself."
LIST OF TOOLS
GPG (also known as GNU Privacy Guard and GnuPG). Part of the Free Software Foundation's GNU software project, GPG has received major funding from the German government. http://gnupg.org/
Wireshark Formerly known as Ethereal until a trademark dispute in Summer 2006. A popular open-source network protocol analyser for Unix and Windows. Wireshark has suffered from a string of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks. http://www.wireshark.org/
Nmap This port-scanning and host discovery tool runs on Unix-like systems such as Solaris, Linux, Mac OS X, as well as Microsoft Windows. http://nmap.org/
Nessus Remote Security Scanner Updated frequently, with more than 11,000 plugins for the free feed. Registration and EULA-acceptance required. http://www.nessus.org/nessus/
Splunk The IT search engine can scale to allow for indexing up to terabytes per day, with licences costing anywhere from $5,000 (£2,500) for 500MB to $30,000 (£15,000) for 10GB per day. Enterprise support is an additional outlay. http://www.splunk.com/
ScanSafe Fully managed service to block spyware and viruses. Based in San Mateo, California, and London, the company was named one of the top 100 tech startups in the world by Red Herring last year. http://www.scansafe.com/
EXPLOITS FOR SALE
Switzerland-based WabiSabiLabi first came to the world's attention in July 2007 as "the eBay for zero-day exploits" - a site that made it possible to auction off vulnerabilities to the highest bidder. But the site re-entered headlines recently when its founder, Roberto Preatoni, was arrested in connection with a spying scandal at Telecom Italia.
At the time of writing, there were still only 32 items in the site's "marketplace history", with the most lucrative exploits appearing to be related to SAP and fetching upwards of EUR5,000. It's hardly earth-shattering, probably because many security researchers have reservations about auctioning off their work to the highest bidder.
WabiSabiLabi claims its work is ethical because it compensates security researchers for their time and effort. According to the company, many independent researchers report bugs without ever getting paid; opening their work up to the marketplace ensures they are rewarded.
The organisation says it vets all buyers and sellers to "minimise the risk of selling the right stuff to the wrong people", as well as verifying the information being auctioned. Auction winners will receive the necessary exploit information along with a proof-of-concept demonstration, and Swiss law ensures that users are not allowed to buy and sell anonymously - to WabiSabiLabi, at least, as the public isn't able to view personal information.
This sounds reasonable, but after Preatoni's arrest, the site has come under further suspicion. Its DNS provides little information, as it is a GoDaddy private registration. The site itself is hosted through California Regional Intranet.
"If I was a hacker and wanted access to the latest vulnerabilities, I could find them, or pay for them, or set up an auction site and steal them before they were even officially sold, in the window that is supposedly used for verification," says Paul Johnstone, head of security at Think Smart Systems. "I could have a source of vulnerabilities safe in the knowledge I'd have them eight hours before anyone else. I could even make money out of my theft."
He claims this is the flaw of the auction model. "It goes to show, an enterprising hacker can get access to all the vulnerabilities by simply giving the impression he was trying to increase security. It's called social engineering."
Software: The right choice
By Barry Mansfield on Mar 18, 2008 3:49PM