My interest in computer security long predates the modern internet.

For many years I was adept at finding holes in UNIX systems that allowed me to escalate to root privileges. Whether it's breaking root on the VAX/11-780 in college with the vi editor or writing a mini debugger to subvert the kernel's ptrace() mechanism on the AT&T 3B2, most systems "have a way" for those aspiring to root to acquire it.

I was a very early user of the "dialup password" facility and provided some of the first real HOW-TO documentation on how to use them (published in the late 3B Journal, a publication for AT&T 3B2 computer users). I used dialup passwords to secure customer modem lines from intruders and have never had a report of unauthorized system use.

But the internet has clearly changed the security landscape. Now, instead of wondering if you can trust your "trusted" users (the only ones with physical access), the entire world is now your "user base". Even the best firewalls won't protect your systems in the event of a misconfiguration.

It's very hard to maintain vigilance for any stretch of time, so a secure system design - whether it's the internet or just a user program - that obviates vigilance and contains damage is key to being able to sleep at night.

My Security Work

I've had a full-time internet connection at my house since 1994 and have been responsible for setting up customer routers and firewalls since that same year. I had years of experience with TCP/IP and system administration before connecting to the internet, so I was very well prepared to understand the technical and security issues involved. I currently manage around a dozen customer networks and firewalls.

Specific areas of practice:

Network Audits and Penetration Testing
I've been performing formal network reviews and audits since 1999, plus doing informal security reviews for years before. My customers range from small local companies, to law enforcement and city government, to nationally-known web sites. You can find more information about my network review services here.
Forensics and post-intrusion cleanup
I've been called in to clean up machines that have been compromised from the outside to assess the damage and create a cleanup plan. In most cases we merely determine that the machine was only used for a launchpad to attack other systems and no internal data was compromised: in this case, we generally reload the entire operating system, secure it, and move on.
But in other cases we have determined that the customer was targeted directly, and we take other steps as needed to find out what was taken, how it was taken, and how to stop the damage going forward.
Reverse Engineering
I've become adept with the use of a disassembler (the fantastic IDA Pro) and have reverse engineered several bits of internet technology related to security.
These include BackStealth, the Code Red II and the Iraq Oil worms.
Tools Creation
I have long been writing my own tools for security work, some of which are publicly available. For instance, my very popular nbtscan program directly speaks the NETBIOS Nameserver protocol and is able to map a remote network. Many of my other tools speak low-level protocols directly. Most come with full source.
My Tools Page has the full list.
Secure Application Environment Design
Even for non-internet uses, applications can be made more secure. A long-time customer adopted a manufacturing accounting package (Data Works) that ran on his UNIX system, but the design was such that all files were visible to all users: clearly, no thought had been given to security, and any clever user would have been able to read or change anything on the system.
I designed a "wrapper" that put the database files in a protected area and provided set-group-ID access to the entire area. No user could ever get to the raw database files directly, but could only access them via the vendor-provided accounting software with its own access controls.
This kind of wrapper design should have been the responsibility of the vendor, but thankfully they were much better at manufacturing than they were with security.
Code Reviews
With more than 20 years of C programming experience, I'm able to make reasonable assessments of code quality simply by inspection: I speak C as fluently as I speak English, and many of the more dangerous practices stand out like a sore thumb. In addition, with the use of more formal tools (test skeletons, automated code reviewers, and the like), I'm able to find bugs that may or may not be exploitable from a security perspective.