Philosophically Secure

Awesome Python module for running external programs

eugenekogan — Mon, 17 Sep 2012 17:31:18 +0000

If you use Python for any kind of system automation (e.g., the stuff most people do with Perl and Bash scripts), then you know it can be cumbersome to call external programs. This new Python module, called sh (http://amoffat.github.com/sh/), makes it a lot easier and cleaner. Here’s an example:

from sh import ls, sudo
with sudo:
    print(ls("/root"))

Isn’t that cool? Sure, there are the usual security implications, and I didn’t choose the example with “sudo” by accident. But from a coding point of view, this is a nice improvement over something like subprocess.Popen. You can install it using “pip install sh” as usual.

Coding skills for infosec folks

eugenekogan — Mon, 27 Jun 2011 13:25:39 +0000

Dave Shackleford has some concerns that most information security professionals nowadays don’t have the software development/coding/hacking background that’s necessary to be really effective in this field. While it’s hard for me to say who does or doesn’t have these skills, I completely agree that they can be critically important when it comes to information security.

Having a background in software engineering makes you a lot more productive when discussing secure coding with full-time software developers. Also, the ability to whip up a quick Python or Perl script to munge through some log data can be a huge time saver, especially in a tense incident response situation. I personally spend good bit of time creating software that other analysts can use to do their jobs more efficiently. Automation is a force multiplier!

Read his blog post for Dave’s full opinion and some good links.

X-Content-Security-Policy

eugenekogan — Tue, 05 Apr 2011 20:42:09 +0000

Content Security Policy (CSP) is a draft specification from W3C, and was recently implemented in the latest version of Firefox. Basically, CSP is a way for a website owner to specify how a browser should treat content that it receives from his site. For example, it’s possible to list which domains you trust to serve JavaScript. Any JavaScript received from a domain not on your list will not be executed by the browser. This feature alone is a great security improvement, and there are many other attacks that can be entirely or partially mitigated using CSP.

Another beneficial side effect of adopting CSP is that it will force organizations to take stock of everything that their site is doing, and perhaps even make some smart some design changes in the process (like removing and disabling all in-line JavaScript). For developers, Mozilla has some great references, like this overview and this detailed list of policy directives.

I look forward to seeing CSP adopted more widely and supported by every major browser. If anyone has some practical experience with deploying CSP, please share some of your lessons learned.

Hackers breach systems of ___ corporation! OMG!

eugenekogan — Thu, 10 Feb 2011 12:54:15 +0000

Sorry for the silly post title, but this situation is getting to be at least a little ridiculous. This morning I read an article entitled “Hackers Breach Tech Systems of Multinational Oil Companies” from the New York Times. I know it makes for exciting headlines to announce that some super-important network got hacked, but is it really news anymore? After all, the breaking news isn’t really the hack at all – it’s the fact that someone finally noticed and decided to report it. The actual breaking in probably took place weeks/months/years ago.

At this point in the evolution of information systems, given the current state of information security, we should all just accept the fact that every organization which has any data of value has probably already been compromised multiple times. This includes corporations, non-profits, and governments. I suppose the value of having this stuff in the news is that it brings security into the consciousness of the general public for a few minutes. But maybe they should start adding “As expected,” to the beginning of all such articles, rather than pretending to be surprised.

From a technical standpoint, I think more organizations need to start treating their internal networks as hostile environments. I know I’m not the first person to suggest this idea, and it’s the basic idea behind mitigating the insider threat. The difference is that these principles now apply not only to governments protecting national secrets, but to every meaningful organization on the Internet. It’s been several years since any reasonable security professional could recommend that you focus on protecting the network perimeter, especially given how porous and interconnected most modern corporations are.

Think of it this way. A determined hacker will get into your network. At that point, he becomes a malicious insider, even if the attack was initiated from the outside. Your incident response plan and team are critical. We can no longer design information systems with a hard, crunchy exterior and soft, gooey interior.

UPDATE: Another interesting perspective on this issue was posted by Marc Maiffret of eEye.

Philosophically Secure

Awesome Python module for running external programs

Coding skills for infosec folks

X-Content-Security-Policy

Hackers breach systems of ___ corporation! OMG!

Recommended reading for February 3rd