My interest in computer security long predates the modern internet.
For many years I was adept at finding holes in UNIX systems that allowed
me to escalate to root privileges. Whether it's breaking root on the
VAX/11-780 in college with the vi editor or writing a mini debugger
to subvert the kernel's ptrace() mechanism on the AT&T 3B2,
most systems "have a way" for those aspiring to root to acquire it.
I was a very early user of the "dialup password" facility and provided
some of the first real HOW-TO documentation on how to use them (published
in the late 3B Journal, a publication for AT&T 3B2 computer users).
I used dialup passwords to secure customer modem lines from intruders and
have never had a report of unauthorized system use.
But the internet has clearly changed the security landscape. Now,
instead of wondering if you can trust your "trusted" users (the only
ones with physical access), the entire world is now your "user base".
Even the best firewalls won't protect your systems in the event of
- To remain secure, you have to "get it right" 100% of the time
- The bad guy has to get lucky just once
It's very hard to maintain vigilance for any stretch of time, so a secure
system design - whether it's the internet or just a user program - that
obviates vigilance and contains damage is key to being able to sleep at night.
My Security Work
I've had a fulltime internet connection at my house since 1994 and
have been responsible for setting up customer routers and firewalls
since that same year. I had years of experience with TCP/IP and system
administration before connecting to the internet, so I was very well
prepared to understand the technical and security issues involved. I
currently manage around a dozen customer networks and firewalls.
Specific areas of practice:
Network Audits and Penetration Testing
I've been performing formal network reviews and audits since 1999,
plus doing informal security reviews for years before.
My customers range from small local companies, to law enforcement
and city government, to nationally-known web sites. You can find more
information about my network review services here.
Forensics and post-intrusion cleanup
- I've been called in
to clean up machines that have been compromised from the outside to
assess the damage and create a cleanup plan. In most cases we merely
determine that the machine was only used as a launchpad to attack
other systems and no internal data was compromised: in this case, we
generally reload the entire operating system, secure it, and move on.
But in other cases we have determined that the customer was targeted
directly, and we take other steps as needed to find out what was
taken, how it was taken, and how to stop the damage going forward.
- I've become adept with the use of a disassembler
(the fantastic IDA Pro)
and have reverse engineered several bits of internet technology
related to security.
- These include BackStealth,
the Code Red II and
the Iraq Oil worms.
- I have long been writing my own tools for
security work, some of which are publicly available. For instance,
my very popular nbtscan program
directly speaks the NETBIOS Nameserver protocol and is able to map
a remote network. Many of my other tools speak low-level protocols
directly. Most come with full source.
My Tools Page has the full list.
Secure Application Environment Design
- Even for non-internet uses, applications can be made more secure. A
long-time customer adopted a manufacturing accounting package (Data Works)
that ran on his UNIX system, but the design was such that all files were
visible to all users: clearly, no thought had been given to security,
and any clever user would have been able to read or change anything
on the system.
I designed a "wrapper" that put the database files in a protected area
and provided set-group-ID access to the entire area. No user could ever
get to the raw database files directly, but could only access them via
the vendor-provided accounting software with its own access controls.
This kind of wrapper design should have been the responsibility of
the vendor, but thankfully they were much better at manufacturing than
they were with security.
- With more than 20 years' C programming experience, I'm able to make
reasonable assessments of code quality simply by inspection: I speak C
as fluently as I speak English, and many of the more dangerous practices
stand out like a sore thumb. In addition, with the use of more formal tools
(test skeletons, automated code reviewers, and the like) I'm able to find
bugs that may or may not be exploitable from a security perspective.
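The "protected area plus set-group-ID wrapper" layout described under Secure Application Environment Design, as an added example that is not code from this page or from the accounting vendor. The base path, the group, and the wrapper binary are assumptions, and the permission check relies on GNU stat and find (Linux).

```shell
#!/bin/sh
# Added example: protected data area reachable only through a setgid wrapper.
# Assumptions: BASE, GROUP and WRAPPER_BIN are supplied by the caller;
# "stat -c" is GNU/Linux.
set -eu

# setup_protected_area BASE GROUP WRAPPER_BIN
#   BASE/data    : database files, group GROUP, mode 2770 (nothing for "other";
#                  the directory's setgid bit keeps new files in GROUP as well)
#   BASE/bin/app : wrapper binary, mode 2755 (setgid GROUP, runnable by anyone)
# Ordinary users are NOT members of GROUP, so the only route to the raw files
# is the wrapper, which runs with GROUP as its effective group and then hands
# control to the vendor application and its own access controls.
# The wrapper must be a compiled binary: the kernel ignores setgid on scripts.
setup_protected_area() {
    base=$1; group=$2; wrapper=$3
    mkdir -p "$base/data" "$base/bin"
    chgrp "$group" "$base/data"
    chmod 2770 "$base/data"
    cp "$wrapper" "$base/bin/app"
    chgrp "$group" "$base/bin/app"
    chmod 2755 "$base/bin/app"
}

# check_protected_area BASE: prints "ok" and returns 0 when the layout holds,
# otherwise reports the first deviation and returns 1. Worth running as a
# periodic audit, since one careless "chmod -R 777" silently undoes the design.
check_protected_area() {
    base=$1
    dmode=$(stat -c %a "$base/data")
    wmode=$(stat -c %a "$base/bin/app")
    [ "$dmode" = 2770 ] || { echo "data dir is $dmode, want 2770"; return 1; }
    [ "$wmode" = 2755 ] || { echo "wrapper is $wmode, want 2755"; return 1; }
    # any world-readable file inside the data area bypasses the wrapper
    leak=$(find "$base/data" -type f -perm -004 -print | head -n 1)
    [ -z "$leak" ] || { echo "world-readable data file: $leak"; return 1; }
    echo ok
}
```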