Security Manager Dons Hacker Hat for a Change
For about a year now, I've been nodding my head wisely whenever anyone mentions Linux. I have sagely agreed with people that yes, it's definitely a viable commercial operating system; yes, it obviously beats Windows hands down in so many areas; yes, it clearly has so much potential; and so on. Recently, I decided it was time I installed Linux and actually saw it run.
Well, I finally did it, though in the end, I installed it about 10 times because things kept going wrong. Admittedly, some of these errors were due to crass mistakes on my part, but it was still a difficult process.
Most of the mistakes were caused by trying to install Windows 2000 and Linux on the same machine. People have told me that its possible to do it, but in practice, the resulting mess was beyond the abilities of even our resident Linux expert to sort out. I got to the marvelous stage where my machine would power up, check its memory, start loading Linux, display a few dots on the screen and then reboot itself and repeat the process in an infinite loop.
Tools of the Trade
I've been trying to install Linux because more and more hacker tools seem to be available for it. The combination of power, flexibility and the open-source community seems to be very attractive to hackers. Web sites such as the Nomad Mobile Research Centre and Securify Inc.'s Packet Storm regularly offer new Linux tools. I want to be able to try these tools and see what they can do, just so I can keep an eye on new developments and find out how others could see our network.
So far, I've downloaded five tools: Firewalk, Nmap, Sniffit, Swatch and Tripwire. All are publicly available.
Firewalk was designed to determine what filtering rules your firewall uses and to map the network beyonnd it. Firewalk is a means of finding what holes already exist in firewalls to allow authorized traffic; an unauthorized attacker could potentially take advantage of this information to gain access through the firewall. The tool was written by someone who delights in deconstructing systems to find out more about them.
Firewalk is a classic example of a "white hat" hacker tool, because it's designed to provide information; it's based on an elegant exploitation of the way another tool (Traceroute) works; and most important, the author provides a detailed explanation of what Firewalk does, how it does it and how to stop it.
Nmap is a network-mapping tool that's very similar to some of the basic functionality of Internet System Scanner from Atlanta-based Internet Security Systems Inc. (ISS). Nmap runs a ping scan of the local network and then runs a port scan and TCP/IP fingerprinting on any hosts on that network.
In other words, it looks around your local network and tells you what machines are connected to it and what operating systems and network services they're running. It's another white hat tool; it provides a great deal of audit information that I'll probably use to check for unauthorized machines and services, but others can use it to find potential ways into our systems.
Sniffit is a packet analyzer, Swatch is a log analyzer and Tripwire is a file-integrity checker. I don't know much about these three yet, but I'll let you know how I get on.
Finding the Time
I'm starting from a bit of a disadvantage because I know almost nothing about Linux, so it's another trip down to the bookshop to buy a couple of Linux books published by O'Reilly and Associates Inc. (I find O'Reilly titles clear, reliable, concise and professional.) That takes the list of security books I need to finish reading up to about six. I'm going away this weekend on a trip with my wife -- I wonder how she'll react if I bring a couple of Linux textbooks along?
I've managed to find the time to mess around with Linux because my three main projects are all on hold at the moment. We're rolling out ISS technical scanners and intrusion detection -- or we will be when the hardware arrives. We're modifying our antivirus scanners so that workstations pull updates from a central FTP server rather than having them (unreliably) pushed down -- or we will be whenever the hardware arrives for the FTP servers.
And I'm supposed to be evaluating the Windows 2000 file-encrypting system against a few commercial cryptography products like PGP from Network Associates Inc. in Santa Clara, Calif., Ironware from AEC Ltd. in the Czech Republic and SafeGuard from Utimaco Safeware AG in Oberursel, Germany -- when purchasing gets me my new Windows 2000 laptop.
Purchasing isn't my favorite department at the moment. I filed a purchase request (a 5-page form!) for two workstations and attached a copy of the standard workstation specification to make sure that exactly the right kit was bought. A month later, the order finally arrived -- one workstation. After all, as purchasing explained in its defense, the standard specification only mentions one machine.
One month wasted because someone misread a piece of paper. I couldn't have made it clearer -- it was on the purchase request in big, bold capital letters: two workstations! It's beyond belief.
The only reason I've managed to get hold of a machine to run Linux on is that I'm pulling a bit of a scam that I learned from a consultant with whom I used to work. This seems to work in most companies -- as long as you don't try it too often.
The scam works like this: If you want to buy new hardware in most companies, you have to go through a long, slow and painful purchasing process. At the end of it, you get a shiny new PC -- eventually.
However, if you get to know your technical support staff well, it's quitte easy to persuade them to put together a PC from an old kit -- an obsolete CPU here, a battered and dirty keyboard there -- just temporary, you understand. Just for test purposes. At the end of it, you get an old PC that barely works.
What use is that? Not much. But wait for the support guy who gave you the old kit to go off-duty. Then call the help desk and say, "My monitor's not working." Someone will come with a replacement. The following day, grab another passing tech-support person, show him the dirty keyboard, ask for a newer one and so on. Most support teams seem to have spare kits for just this purpose!
Sneaky, but if the alternative is dealing with a nitwit purchasing department, sometimes you've just got to be sneaky.