Category Archives: Security

A Common Security Fallacy? Too Big to Fail (KISS)

Often I have journalists asking me to answer questions or send advice for a story. My reply takes a bit of time and reflection. Then, usually, although not always, I get an update something like this:

Loved what you had to say but had to cut something out. Editors, you know how it is. Had to make room for answers from my other experts…I’m sure you can understand. Look forward to hearing your answer next time

I DO understand. I see the famous names of people they’re quoting and the clever things they’re saying. They won, I lost. It happens. And then I started to wonder why not just publish my answers here too. That really was the point of having a blog. Maybe I should create a new category.

So without further ado, here’s something that I wrote that otherwise probably never will see the light of day:

Journalist: Tell me about a most common security fallacy

Me: let me start with a truism: KISS (keep it simple stupid)

this has always been true in security and will likely always be true. simpler systems are easier to secure because they are less sophisticated, more easily understood. complex systems tend to need to be broken down into bite-sited KISS and relationships modeled carefully or they’re doomed to unanticipated failures.

so the answer to one of most common security fallacies is…

too big to fail. also known as they’re big and have a lot to lose so they wouldn’t do the wrong thing. or there’s no way a company that big doesn’t have a lot of talent, so i don’t need to worry about security.

we’ve seen the largest orgs fail repeatedly at basic security (google, facebook, dropbox, salesforce, oracle!) because internal and external culture tends to give a pass on accountability. i just heard a journalist say giant anti-virus vendors would not have a back door because it would not be in their best interest. yet tell me how accountable they really are when they say “oops, we overlooked that” as they often do in their existing business model.

for a little historic context it’s the type of error made at the turn of the century with meat production in chicago. a book called “the jungle” pointed out that a huge fast-growth industrial giant could actually have atrocious safety, yet be protected by sheer size and momentum from any correction. it would take an object of equal or greater force (e.g. an authority granted by governance over a large population) to make an impact on their security.

so the saying should be “too big to be simple”. the larger an organization the more likely it could have hidden breaches or lingering risks, which is what we saw with heartland, tjx, target, walmart and so on. also the larger an organization the less likely it may have chemistry or incentives in place to do the right thing for customer safety.

there’s also an argument against being safe just because simple, but it is not nearly as common a fallacy.

Roll Your Own Kali 2.0 ISO

I noticed the good Kali folks have pre-released steps to make your own ISO for their upcoming 2.0 release.

# Workshop 01 – Rolling your own Kali 2.0 ISOs

I also noticed the steps do not work as written, mostly because files moved from archive to www. So here’s what worked for me:

Use existing Kali instance to prepare

$ sudo apt-get install live-build

This will install debootstrap 1.0.48+kali3, live-boot-doc 4.0.2-1, live-build 4.0.401kali7*, live-config-doc 4.0.2-1, and live-manual-html 1%3a3.0.2-1

Clone the builds

$ git clone git://git.kali.org/live-build-config.git
$ cd live-build-config

Add tools

$ echo “cryptsetup
> gparted
> amap” >> kali-config/variant-light/package-lists/kali.list.chroot

Enable SSH service at boot

$ echo ‘update-rc.d -f ssh enable’ >> kali-config/common/hooks/01-start-ssh.chroot
$ chmod 755 kali-config/common/hooks/01-start-ssh.chroot

Add your own public SSH key

$ mkdir -p kali-config/common/includes.chroot/username/.ssh/
$ cp ~/.ssh/id_rsa.pub kali-config/common/includes.chroot/username/.ssh/authorized_keys

Add unattented install option

$ vi kali-config/common/hooks/02-unattended-boot.binary

#!/bin/sh

cat >>binary/isolinux/install.cfg <
$ chmod 755 kali-config/common/hooks/02-unattended-boot.binary
$ ls -al kali-config/common/hooks/

Create the unattended seed

$ wget https://www.kali.org/dojo/preseed.cfg -O ./kali-config/common/includes.installer/preseed.cfg

Install wallpaper (BlackHat or DEFCON blue)

$ wget https://www.kali.org/dojo/wp-blue.png -O kali-config/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png

NOTE: the images/desktop-base directory has disappeared in later builds. just add it back in with mkdir

Build the ISO

$ ./build.sh –variant light –distribution sana –verbose

After successful build the live-build-config/images subdirectory will have a 900M “kali-linux-light-sana” iso file.


* NOTE: If you want to use another platform such as Ubuntu 14.04 you may find the usual package (sudo apt-get install live-build) causes problems. When you run the build.sh script it checks versions and fails like this:

ERROR: You need live-build (>= 4.0.4-1kali6), you have 3.0~a57-1ubuntu11.2

It should be possible to meet the dependencies and edit config files using the Debian live-build:

$ git clone git://live-systems.org/git/live-build.git

However because “kali” is specified in the live-build version check…after several attempts on other systems to work around I gave up and took the easy path — use an old kali system to build a new kali.


Updated to add: Rolling a trusted ISO is fun but obviously a docker pull is far easier and more risky. Note the need for signed repository images if you’re going this route instead.

  • docker pull kalilinux/kali-linux-docker
  • docker run -t -i kalilinux/kali-linux-docker
  • /bin/bash apt-get install metasploit-framework

Saving the Bobcat: Lessons in Segmentation and Surveillance

California has just passed a statewide law banning harm to the bobcat.

The decision of the Commission reflects a growing sensibility in this state that wildlife should not be stalked, trapped, shot, or beaten to death for sport or frivolous goods

The move came after it was revealed that attackers had advanced in two significant ways: monitoring the Internet to find targets and then using lures to pull the targets out of state parks where they were protected.

trappers monitor social media for wildlife lovers’ bobcat photos to determine where to set their traps

Bobcats under attack

The state finally was forced to react after 30,000 signatures called for action to deal with the obvious social harm. California decided to expand scope of protection from porous safe zones to the entire state.

Those familiar with PCI DSS compliance realize this is like a CIO agreeing to monitor every system under their authority for motivated attackers, instead of defining scope as only those few servers where PII should be found.

Justification of a statewide ban was based not just on evidence of attackers bypassing perimeters with ease. Conservationists pointed out that the authorities have failed to maintain any reasonable monitoring of harm to state assets.

[California] could not determine whether trapping jeopardized the species because they had no current scientific data

Thus we have an excellent study in nature of what we deal with constantly in infosec; a classic case of attackers adapting methods for personal gain while community/defenders are slow to build and examine feedback loops or reliable logs of harm.

Should it have taken 30,000 signatures before the state realized they had such obvious perimeter breaches?

Fortunately, bobcats now are protected better. The species will have a chance of survival, or at least protection from attack, as scientists figure out how best to design sustainable defenses.

Action taken sooner is far better than later. Once the species is driven to extinction it may be impossible to restore/recover, as has been the case with many other animals including the bear on the state flag.

Howto: Delete old Docker containers

I’ve been working quite a bit lately on a secure deletion tool for Docker containers. Here are a few notes on basic delete methods, without security, which hints at the problem.

  • List all current containers
  • $ docker ps -a

    CONTAINER ID  IMAGE        COMMAND   CREATED             STATUS                        PORTS  NAMES
    e72211164489  hello-world  "/hello"  About a minute ago  Exited (0) About a minute ago        ecstatic_goodall
    927e4ab62b82  hello-world  "/hello"  About a minute ago  Exited (0) About a minute ago        naughty_pasteur       
    d71ff26dbb90  hello-world  "/hello"  4 minutes ago       Exited (0) 4 minutes ago             hungry_wozniak        
    840279db0bd7  hello-world  "/hello"  5 minutes ago       Exited (0) 5 minutes ago             lonely_pare           
    49f6003093eb  hello-world  "/hello"  25 hours ago        Exited (0) 25 hours ago              suspicious_poincare   
    6861afbbab6d  hello-world  "/hello"  27 hours ago        Exited (0) 26 hours ago              high_carson           
    2b29b6d5a09c  hello-world  "/hello"  3 weeks ago         Exited (0) 3 weeks ago               serene_elion          
    
  • List just containers weeks old
  • $ docker ps -a | grep “weeks”

    CONTAINER ID  IMAGE        COMMAND   CREATED             STATUS                        PORTS  NAMES
    2b29b6d5a09c  hello-world  "/hello"  3 weeks ago         Exited (0) 3 weeks ago               serene_elion          
    
  • List all containers by ID
  • $ docker ps -a | grep ‘ago’ | awk ‘{print $1}’

    e72211164489  
    927e4ab62b82         
    d71ff26dbb90          
    840279db0bd7          
    49f6003093eb    
    6861afbbab6d         
    2b29b6d5a09c          
    
  • List all containers by ID, joined to one line
  • $ docker ps -a | grep ‘ago’ | awk ‘{print $1}’ | xargs

    e72211164489 927e4ab62b82 d71ff26dbb90 840279db0bd7 49f6003093eb 6861afbbab6d 2b29b6d5a09c          
    
  • List ‘hours’ old containers by ID, joined to one line, and if found prompt to delete them
  • $ docker ps -a | grep ‘hours’ | awk ‘{print $1}’ | xargs -r -p docker rm

    docker rm 49f6003093eb 6861afbbab6d ?...
    

    Press y to delete, n to cancel