However, one of my projects involved getting a new laptop.  Since getting a new laptop is a good excuse to redo things and do them better, I decided to take a closer look at my Firefox profile setup.

I play a lot of roles, ranging from security researcher to consultant.  There are different Firefox configurations that I need for each, but it's a pain to constantly log in to different user accounts.  To make this process simpler, I decided to create four different Firefox profiles, each tuned to a specific set of tasks.  What follows is a description of what I did under Linux.  The same process should apply to other operating systems... but I've not testing them there.  With one exception (noted) all add ons are from addons.mozilla.org.

Warning, geekery below this line.

• Adblock Plus to prevent those annoying ads (and ad-based malware infections)
• Neo Diggler to give me a quick way to clear the location bar and give me the ability to add custom stuff
• No Script to prevent scripts from running.  I did a quick whitelisting of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc)
• Web of Trust to give me a hint before I click on a link.
• Tiny Menu to maximize screen real estate.  (I love me the tiny laptops)
• TorButton for quickly accessing The Onion Router (requires installing additional software to utilize)

Sadly, LongURL is not supported on the new Firefox yet.

I restarted Firefox to activate everything and configured the plugins the way I like.  I also customized the Nav bar and moved everything up to the Menu bar that TinyMenu made nice and small.  Then I used the View menu to turn off Navigation and Bookmarks.

Then I went into Preferences->Privacy and set Firefox to "Never remember history" and suggest "Nothing".  I also cleared my history that was created thus far.  In Preferences->Security, I told it to never remember passwords, block reported attack sites, web forgeries and add ons.  (By not remembering passwords, I render myself less vulnerable to risk from theft of my profile directories, but more vulnerable to keyloggers... it's a good tradeoff to me.)

I then shutdown Firefox and went into ~/.mozilla/firefox.  I did a cp -a of my profile directory to other names (this bit would be different on Windows):

cd ~/.mozilla/firefox

cp -a blahblah.default research

cp -a blahblah.default paranoid

cp -a blahblah.default webdev

Then I edited profiles.ini and copied the four top lines of [Profile0] to new blocks of Profiles 1 through 3.  I edited the Name and Path to reflect each of my new profile directories (research, paranoid, webdev).  I edited the Firefox launcher and appended "-ProfileManager --no-remote" to the "run command".  This way, when I click on the little icon, Firefox will prompt me for the profile I want each time I launch it, and it lets me run multiple profiles at once.

I then launched it and selected my "research" profile.

Here, I went back into Preferences->Privacy and told it to go ahead and remember history and make suggestions (as when I'm researching things, I often forget where I found things and what I searched on.)  Then I installed the following add ons:

• Add N Edit Cookies for cookie manipulations
• HackBar for SQL injection fun
• PassiveRecon for exactly what it sounds like
• RefControl for mangling HTTP headers
• DeeperWeb for those occasional rambling searches.

Then I added the following search engines to the dropbox:

• Offensive Security Exploit Database
• Security Focus Vulns Search
• Security Wire Search

I'll probably add more as I play with it.  I'm still not used to using this feature to search the deep web.  (Wonder if one could be written to access our corporate wiki?)

Then it was time to restart Firefox and activate, set preferences, yada yada yada.

After that, I restarted to access the "paranoid" profile.  I went into Preferences->Security and turned on ALL warning messages.  It's annoying to use now, but that's partly the point.

I set StartPage to my initial home page, using the "Generate Custom URL" feature on the site.  Since I'm not storing any cookies at all, this is how it has to be done.  I removed all search engines and added IxQuick HTTPS, Startpage HTTPS and Scroogle SSL.   On the AddOn side, I added:

• Force-TLS to force HTTPS connections (though it really doesn't do all I'd like it to)
• Certificate Patrol to track certificate details
• Perspectives for a paranoid check against SSL certificate alteration.  This one is linked to from the Mozilla add ons site, but not installable from there.

I then disabled the CNNIC SSL certficate (Preferences->Advanced->Encryption->View Certificates->Authorities, scroll to "CNNIC ROOT" click "Edit" and unselect "This certificate can also identify web sites".)  It's a matter of debate as to whether or not this is necessary... but so long as it's being debated, my paranoid side will be careful.  (The other profiles don't care. :)

Lastly, I installed the Orange Fox theme, which is ugly and garish, but since I wanted a visual reminder that I was in the paranoid profile, it was exactly what I wanted.

After another restart I entered the webdev side.  The fun new add ons here were:

• Firebug for tracing DOM and CSS issues, which I don't do much anymore, but it's still nice to have.
• CodeBurner For Firebug to add reference to Firebug
• FlashGot for massive download fun on archive.org
• Greasemonkey for fixing stupid sites (and integrating with FlashGot to bypass trivial Javascript-implemented "security" checks)
• Live HTTP Headers for watching traffic in real time, when I don't want to launch a real proxy
• Web Developer for the same reason as Firebug

From here, I am in a position to fire up the profiles as I need them, and am able to work on the web without worrying about my tools being available.

Related posts

• Security Sprint – Firefox Profiles (4)

Sadly, this technique is all too effective against the undefended.

Happily for us, it's easily defended against.

If you run Firefox, you're in the best shape. There's an Add On called Adblock Plus. Once you install it, you'll be prompted to select a subscription from the list. (I just pick the top one.) This list matches most ads and keeps things up to date for you, so if the location of the ad changes, it's still blocked. So, not only do you not see the annoying ads, but you're also protected against the "malvertisers".

I don't have much direct experience with the non-Firefox browsers, but if you want to use something else, check out Ad Block IE for IE8, IE7Pro for IE7, this technique for combining AdBlock Plus Filters in IE, and PithHelmet for Safari.

I do have to point out that some developers have gotten clever, and code their applications to make sure that ads are loaded, so if you use this trick, expect things like Facebook games not to work. But then, you shouldn't be playing them anyway.

Related posts

• No related posts.

So what does this mean in the business/IT world? Well, the obvious analogy is to distract an incoming attacker by abandoning your resources and letting them go nuts while you relocate your business to Sri Lanka. However, some might consider this approach somewhat impractical.

However, if we stretch the analogy to the point of breaking (much like a lizard's tail), perhaps it makes sense to build a business strategy around distracting attackers. There are some technologies that could assist with this. A honeypot is often used to trap attacks so that people can learn from them. This has become even easier now that virtualization has become prevalent. All you have to do is join one of many projects and you'll have a nice fake network to distract attackers.

Another technique is tarpitting. This technology looks at incoming connections, and if they are not approved, it doesn't reject them right away, but instead extends the time before the connection is closed. Thus, attackers are delayed and, in theory, you gain the time to build a defense.

In practice, of course, you need to actually be watching for the attack and take defensive action. This technique wouldn't work very well if the lizard dropped it's tail and then stared dumbly as the dog wrestled the tail into submission, ate it, digested it, napped for a bit, woke up, got a bit hungry than then saw a nearby tasty tailless lizard. So, if you decide to go after this option, you have to remember to "run and hide". In other words, keep an eye out for the attacks and be ready to block them.

Related posts

• Security Lessons from Nature – Glow Worm Cave (1)

To be fair, other major villains suffer from this same problem: Darth Vader, Lord Voldemort, Lord Sauron... as do heroes: Oedipus, Gilgamesh and Dr. Gregory House. The problem with them all is that their overconfidence leads directly to their eventual downfall. Sometimes, it is dramatic and impressive, other times (like this) it just involves a lot of bright shiny pixels that fly every which way until the filmmaker's budget is used up.

The lesson to learn, I think, is that hubris kills... often at an appropriately-delayed climactic plot point. Here in the real world, of course, we tend not to have impressive glorious pixely deaths, which just leaves the problem of supreme overconfidence.

In I.T. Security, this sort of thinking often manifests itself as a general feeling of invulnerability against attack. This can be due to an existing investment giving a greater feeling of security than actual security. It can be due to a belief of general supremacy that is undeserved. Most often, though, it is due to a fundamental misunderstanding of the enemy.

Just as Lord Voldemort couldn't conceive of a bunch of school kids as a threat, and Oedipus allowed himself to think that he had outwitted fate (never, never wise), if you ignore I.T. threats, you render yourself vulnerable to them and, through them, invite your inevitable comeuppance. If you accept your business in all it's flaws, you'll know where to protect yourself. If you do not, you may well go out in a blaze of shiny glory that is just as logically inexplicable as Dracula's shape-shifting powers in this horrible movie.

Related posts

• No related posts.

The question often comes up: Should we allow our employees to engage in social networking? The debate has raged for years, and surprisingly, it is still not settled. In general, the discussion tends to fall down four possible paths:

1) Social media reduces productivity
2) There are a lot of threats that comes from social media
3) Social media is a new technology and therefore is scary
4) Employees don't really need social media anyway

So let's take a look at these:

1) Productivity

Many times the "productivity" topic rages within the security field, which has always surprised me. Keeping employees productive is the responsibility of the business owner, and while I've often seen it delegated, I've never seen it delegated to either the security people or the admins. Realistically, this is the responsibility of management or HR.

Even then, it seems that every place has slightly different rules as to what is and is not been permitted. In some places, it's customary to spend hours each Monday morning talking about the previous weekend's hunting or sporting events. In others, everyone takes off Friday afternoon and sits around socializing before "closing time" hits. In still others, there are required breaks every two hours as well as a mandatory lunch. However, in absolutely none of them is social interaction categorically denied. The prevailing attitude seems to be that so long as the work gets done, the specifics are irrelevant.

Different people work differently and some need the occasional long social break to limit distraction. Humans are social beings and there is considerable evidence that socialization is a deep-seated need in our species*. It seems unlikely that many people could be truly productive without a form of socialization... do the technical means really matter?

Perhaps, instead of banning the technology, it would make more sense to monitor productivity and ensure that any employees that begin to stray are quietly corrected. This would enable you to take advantage of the benefits that the technology offers without necessarily experiencing a productivity hit.

* This could be a long discussion in of itself, but, fascinating though it may be, would distract from the point

2) Threats

A considerable amount of malware and no-tech attacks come from social sites. Twitter is particularly bad, due to the inherent obfuscation used in the TinyURLesque sites (though they're working on it). However, you can't live a life that is entirely devoid of risks, and in most cases we don't approach risks by banning the technology. Instead we take a balanced view and assess risks before we take action. For some reason, many people tend to approach these problems as if it were a game of whack-a-mole, which is a shame.

To draw the over-used analogy to automobiles (a similar technologically-induced societal change), in the rural states, a common threat is deer. We could address this threat by building fences along each highway (Banning) or by constructing a massive array of detectors, implanting RFID chips in each deer and building weapons-equipped automated flying drones that kill any deer wandering onto the road (Intrusion Prevention). Instead, we put up little yellow signs that tell people to be careful. For some reason, we find this a more economical solution, even though it places a slightly higher burden on the drivers to pay attention.

I think that a lot of security professionals avoid the "educate the users" tack because it's traditionally not worked too well. Of course, a lot of us are also far more comfortable with technology than we are with people, so it is possible that the past failure of education was due to our own failure to educate ourselves on education processes. Maybe, if we were better at making little yellow signs, many people would manage to avoid the majority of threats.

3) New Technology Is Scary

I am sorry to say it, but we security professionals tend to say "no" a lot. I ran into this problem myself recently and used what I call a "shortcut no" -- where I said "no" when I meant "yes we could do that, but I think it would be prohibitively expensive". However, within the security community, when one person's "shortcut no" is heard as a "true no", we tend to build up an echo chamber effect and think "no one else is permitting this technology, so there must be a reason, so let's just say 'no'". This, I think, results in the regrettable state of things being banned "for security reasons".

Changes to technologies and processes must be first analyzed and the risks then be explained to management. At that time, it is their decision. I have encountered businesses that prefer to believe that regulations such as PCI-DSS, the FTC Red Flag Rules and HIPAA/HITECH do not apply to their business. In some cases, I have disagreed, but it is, in the end, their decision. Perhaps the failure was on my part, and I was less than ideally effective in explaining the risks. However, an alternate perspective is that many experience an unconscious resistance to change. The impact of new regulations is change, and in many cases, change may be scary.

Of course, fear of change is part of being human. Luckily, if you know this, you can take steps to address it. One common approach is to take a social media class. If you lack the budget for such a thing, you can also spend a day reading about it online. Good Google terms are social media in business, twitter marketing, facebook marketing, Internet Business Mastery and search engine optimization.

4) Do They Really Need It?

Four years ago I gave a presentation to a group of entrepreneurs about how to leverage technology in a start up. One question I was asked was "Do I really need a website?" I was stunned. I couldn't imagine a new business without one. Most people I know first check out a business on the web, both for contact information and for reviews. If a business isn't on the net, it's invisible. If it's on the net but no one is talking about it, it's probably not worth much.

This is even truer today. I don't think I've opened a phone book once in the last year. I've found many great resources through word of mouth via the Internet. Social media allows me to research a company in minutes. I can get information faster than ever before on prospective clients, partners and employees. I can check my thinking against that of others in my field. I can research threats, responses and technologies without having to do the test implementation myself. (Though test implementations are still important.) If it weren't for social media, I would be unable to do my job.

These networked social efficiencies exist pretty much across the board. Alliance Technologies tends to "run light". Our marketing, sales, support and administration are staffed at a level far lower than other comparable companies, simply for this reason. If we didn't have social media, we'd have to double our staff.

Clearly, not all companies are the same. However, the effectiveness of social media in all aspects of our business leads me to believe that it's generally useful to most businesses.

A) We Can't Stop Them Anyway

Trying to stop people from socializing is a doomed effort. You can draft and implement all the polices you want, but if they go contrary to human nature, they will not be followed. Moreover, if they are burdensome, they will be actively rebelled against. Do you really want to spend your time protecting against outside attacks while your inside people are working to bypass your web filters, firewalls and IPS systems? I know that I don't.

Practically speaking, web filtering technology works, but nothing is perfect. You can block most sites in a category, but there is always a way around it. You can block gambling sites, but you can't prevent an employee from placing bets via email or SMS on their cell phone. You can block porn sites, but can't keep someone from bringing a magazine into the office if they really want to. Generally, you just raise the barrier high enough to say "management would rather you not do this stuff" and people will take the easier path. Even then, saying "don't gamble" and "don't look at porn" are vastly different messages from "don't talk". Banning social media is equivalent to banning talking at the water cooler, over the cube walls or in the hallways. If you try, you'll experience a lot of pushback... and as employee generations shift, the pushback will grow.

Personally, I'd rather focus my efforts towards bringing the employees in line with business goals and then combating actual threats against the business. To do otherwise is just spinning in circles.

(This post originally appeared over at Alliance Technologies)

Related posts

• No related posts.

What makes this little critter particularly interesting is that it eats Portuguese Man o' Wars (should that be "Men o' War"?). Not only is it immune to the venom, but it also has the ability to absorb the stinging cells (sciency term: nematocyst (aka cnidocyte, 'cause they're cool too)). It can then concentrate the cells of all the Portuguese Mens o' Wars it eats and thereby pack a stronger wallop than the original predator.

Business-wise, our friend Glaucy basically performs a hostile takeover, absorbs the general features of the acquisee (proteins) and concentrates that which make them unique (nematocysts/cnidocytes). The lesson here, I think, is to look at what makes others unique and not necessarily one what you have in common. That's not to say that commonality isn't important... no acquisition is going to work out if you don't share common proteins. However, a strategic acquisition isn't going to be massively successful unless you can take advantage of and preserve the uniqueness.

The same holds true of employees. If we hire employees, it is presumably because they have skills that set them above the rest. (After all, everything else can be automated these days.) Does it really make sense to push them all towards the same lowest denominator? Wouldn't it make more sense to give each the tools they need (both technical and cultural) to maximize their success? By doing such, you have effectively turned them into little stingers that can pack quite a punch. Then, the trick would be to set them up in teams, so their punch can be concentrated.

Of course, the other lesson to learn from Glaucy is that it's not just a mass of stinging cells. In order to be a successful organism, it must still move around, hunt and eat. Thus, priority one is successful operation (not uniformity), and priority two is concentration of attack/defense. I often find myself falling into the trap of forgetting about operations and trying to promote uniform environments and tool consolidation in the name of security. After all, that's best practice right?

Wrong.

Best practice is protecting the business. That means making the business as successful as possible. I'm afraid that we security practitioners often mistake the process for the result. Uniformity is a tool to promote control and control is a tool to promote security. However, as soon as the costs of uniformity and control get in the way of the success of the business, they harm security instead of benefiting it.

Related posts

• No related posts.

Anyway, as the Devil attempted to push God off the island, the island magically expanded in each direction (it's clear from this story that the Devil wasn't omniscient), so that nary a toe got dampened. The shoreline simply grew in each direction and, by the time the Devil gave up, the island had expanded to the size of our current Earth. Which basically means that the state of the Earth today is due entirely to Devil-induced scope creep.

It explains a lot, doesn't it?

Scope creep is a danger in all projects. It doesn't matter whether you're developing an application, enacting a security program or just shopping for groceries, scope creep can blow both your budget and deadline. It's tempting when you're working on something to just add a little piece here and there because it will make future work easier. Unfortunately for the business, integer math insists on summation, and so long as businesses are profit-focused, integer math is going to be important. From a security perspective, scope creep is additionally dangerous because it complicates things. Complicated things are harder to secure than simple things. The simpler you can keep a project, the better you can understand it, so the easier it is to secure.

Scope creep, of course, is most dangerous when shopping. A while back, I stopped by the store to pick up some basics (apples, bananas, yogurt, etc), and I noticed that winter squash was on sale... so my scope expanded a little bit and two squash wound up in my cart. Later, once I got home I realized that I had no idea what to do with them (other than the basic roast squash, which is boring). After consulting one of my cook books, I discovered that I needed a few more things. After another shopping trip that involved carrots, celery, onions, garlic and broth, I soon had two soups a simmering. Regrettably, the last step for each soup involved a blender, and the blender I had was incapable of dealing with the increased complexity of my soups. It quickly suffered what I must refer to as a catastrophic containment failure which necessitated another trip to the store to get a new blender.

All told, my initial scope creep of two impulse-bought squash cost me over a hundred dollars in ingredients and blender replacement, not to mention the ridiculous amount of time wasted in the endeavor. While I am thankful that I was able to find the blender-related security hole and believe that I have effectively mitigated the risk, life would have been much simpler had I not needed to.

I'm blaming the devil.

Related posts

• No related posts.

As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other "doesn't get it". For a quick read, check out Richard Bejtlich's post and MANDIANT's post and, for a counterpoint, check out Gunnar Peterson's.

Of course, they're both right. Neither side gets it. Both are blind. Those that work enterprise security consulting see APT everywhere... mostly, I suspect, because in the enterprise security space you only call the consultants when it's something particularly troublesome (like APT). Of course, once you've focused on APT, that's what you get called in on, so the problem probably looks bigger than it is.

In contrast, those of use that don't consult in those spaces don't get those calls, so we don't see it. We also probably don't have the transparency needed to see such activity if it is going on in our organizations. So we minimize the threat.

So what do you do about APT?

I suggest that you consider the following checklist:

1. Do you have a firewall?
2. Does your firewall block outgoing connections?
3. Do you have local antimalware running on all your endpoints?
4. Do you have a web filtering solution in place?
5. Is all access to all systems monitored and audited regularly?
6. Do you have a process in place to pull all legacy systems off your network?
7. Do you have a patch management system in place?
8. Do you have a vulnerability management process in place?
9. Do you matc all system configurations against hardened templates?
10. Do you have a data classification policy that applies to all your data?
11. Are you encrypting your important data?
12. Do you have a log retention and management infrastructure built?
13. Are you running an IDS/IPS system?
14. Do you have third party management systems in place?
15. Are all of your web applications running in hardened stacks?
16. Are you using web application firewalls?
17. Are you using database firewalls?
18. Do you have regular employee awareness training?
19. Are complete penetration tests conducted against your organization?
20. Do you have an Internet data monitoring and scrubbing policy in place?

If the answer to each question is "yes", then you should worry about APT. This is not to say that if any of these are "no", you don't have APT going on in your environment. I'm saying that there's no point pursuing a full on anti-APT strategy until you have the basics in place... and there are a lot of basics. I'm also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions. These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.

If you don't have a minimal and sufficient security solution in place, it's not that APT isn't a threat or that an unknown enemy isn't out to get you... it's that you probably have more important things to be working on.

Related posts

• No related posts.

Take, for example, the concept of risk. In the security field, risk is bad and the steps that can be taken to avoid risk seem reasonable. However, in the business field, risk is viewed in terms of the potential gains that the risk can provide whereas the steps to avoid risk seem likely to cause problems and will therefore impact the bottom line. Similarly, admins and developers are likely to resist the perceived difficulties in implementing the mitigation strategies.

Again, there are both offensive and defensive capabilities to this bias. Offensively, simply knowing a target's profession can give you a good chance at predicting their responses. If you have a planned proposal, you can practice it against others in the same profession and tweak it before you present it to the people that matter. You can be aware of the context in which they will likely view your ideas and work on expanding their context before you get to the hard stuff.

Defensively, like most biases, you just have to be aware that you will likely view things within the context of your profession. Thus, if you are having conversations with those outside of your profession, there is a higher likelihood of misunderstanding. If you find yourself reacting negatively to something someone else says, you should check and see if maybe that reaction is because you are coming at things from different contexts.

As an note to this particular bias, I have occasionally been asked why I blog the way I do. Other than the fact that the Internet doesn't need yet another voice in the Security echo chamber, I find that forcing myself to consider issues from different contexts (mythological, natural, psychological, etc) allows me to understand the issues at a deeper level. I don't know if it gives me any advantage over the usual advantages that one gains by taking time to think things through and write them up... but it doesn't seem to be hurting.

Related posts

• Bias Thursday – Pseudocertainty Effect (0)

For example, I have my normal browsing profile which includes a bare minimum number of add ons Adblock Plus, LongURL Mobile Expander, Web of Trust, BetterPrivacy, Cookie Safe and NoScript. Then, if I am conducting offensive security work, I use a profile that is loaded with some attack tools like SQL Inject Me and XSS Me. Similarly, when I'm doing web development or troubleshooting, I have a separate profile that loads Web Developer and Live HTTP Headers. This approach keeps my normal use fairly light and allows me to load the extensions that I need when I need them.

In theory, it also keeps my passwords and cookies a bit safer than usual.  It's not as secure as using a completely separate user account or even computer for doing dangerous activities, but it's better than not doing anything at all.

To do build your own profiles, go here and launch the Profile Manager. Then, when you start Firefox, you will get dialog asking you which profile you wish to run. From there, it's just a matter of picking which mode you wish to work in and selecting the appropriate profile before you start.

Related posts

• Firefox Profiles (0)