FA Profile:Rain Forest Puppy, Security Specialist, Part II

 
Mar 20, 2000
by J. Dinowitz and S.M. Cohen

Most developers who are diligent about the security of their sites have come across the pseudonym "Rain Forest Puppy" (known affectionately as "RFP" in many circles) at one point or another. Among his past exploits was the uncovering, analysis and publication of information on important security holes in ColdFusion. Last week, we presented the first part of this two-part profile.

Playing the Security Game

We asked RFP for his advice on how to approach security issues: "If you're in charge of security, you have to realize that it's not an afterthought. You can't say, 'OK, I've done all the apps, now I'll see if everything's secure.' It has to be consistent, ongoing. Set aside time to check out the forums, BugTraq and NTBugTraq, looking for problems that could affect you. Granted, there's a lot to wade through. Say every Friday, or even twice a week -- just go to the archives and scan the topics to see if there's anything ColdFusion- or Microsoft- or ODBC- or IIS-related."

He also recommends a free service from SANS, at www.sans.org, called Security Alert Consensus. This is a weekly scan of all the archives on BugTraq and the other sites to pull together the applicable data and regurgitate it into usable "solution-centric" chunks: Here's a problem and here's the solution. If there's no known solution, at least the problem is aired so that the user KNOWS that there IS a problem. Subscribers can pick the server and OS platforms needed and what applications to

How Quick IS "Quick Enough?"

RFP is firm in saying that "You cannot afford ANY time on a security issue. By the time it hits BugTraq or NTBugTraq, it's likely that someone has known about it for months."

RFP also notes that not everyone in the industry reads Phrack: "Some people in the corporate security IT world do, and so does most of the hacker underground. That's why I was surprised when my first Phrack article on ColdFusion was picked up on by someone in the ColdFusion community and [he] contacted me."

Many ColdFusion people come from a corporate, rather than a technical, background and may not know where to go for the resources. For instance, when the CF-Talk list was told about the source code posted to BugTraq, RFP was rather dismayed to get e-mails asking "What's BugTraq? Is there an Allaire BugTraq, a CFBugTraq?" [The BugTraq and NTBugTraq mailing lists were created in 1993 and are considered by many to be THE prime source for security problems on the Internet.]

Getting a Security Education

Many ColdFusion programmers were not programmers to begin with but were drawn from other departments in the company. They've never been involved in programming before. "If you're not involved in programming BEFORE you get into ColdFusion, you may not know anything about the programming community. Where would you go to find out?"

On the other hand, RFP feels that there SHOULD be a division between those who make the Web pages and code the applications and those who maintain the servers, and that it is the server team that should be maintaining server security.

However, learning secure coding concepts (the proper and secure way to make an application) is a matter of education, and, at the moment, there is no clear, viable source for such learning.

"Programmers in general need to learn secure or good programming concepts. Most people think, 'I'm making a Web page, I don't need to think about security.' Or 'We need a ColdFusion template to list files on the web server. No big deal,' and just code it, not thinking about, 'OK, can it be used to gain server access or look up and grab files that they don't need to see?'

"So many people take shortcuts. [But] that shortcut may cause security problems. So you may have to be more formal in it.

"Combine that with the ease of learning ColdFusion. It doesn't take much to start doing development. It's so simple that people can start doing stuff right away, without spending years in programming research. They jump in unaware of programming concepts, as it is, and how to do things securely. They can follow sample apps, rig stuff up, take someone else's stuff, see if it works for them and say, 'Here you go.'

"That's not a bad thing, but at the same time, say, an accountant can learn to do programming simply because we made it so simple to do, and he's just interested in getting things done and out there fast. What are the odds that he's going to have in mind security issues and implications and actually do it right?"

We asked him what he recommends to minimize security problems. "Unfortunately, that's a very hard question. It's going to be very hard to fix, because of the big surge in Internet and computers in commerce. There are people who can do the job, ... but really don't know technically about security concerns.

"It's a matter of research and learning thoroughly what you're doing. There are no classes or institutes that teach computer security. They're starting to show up, but they're not in the mainstream. Wading through something like BugTraq and NTBugTraq is likely to leave someone lost, saying 'OK, here's obviously security problems, holes and solutions,' but it doesn't teach them anything about the PROCESS of finding these problems or WHY they're bad or WHY that's a hole.

"There is nowhere to go, unless you want to sit down and dig through yourself, which is the kind of stuff I'm doing. That's why, in my RDS advisory, I didn't make it into a two-page, 'Here's a hole, created by this script, and here's the solution.' I sat down and detailed out what I tried first, next, etc. It shows the process. Not just the problem, but how I went about finding it."

Traditionally, in many industries, there is some kind of apprenticeship program to learn from other, more experienced workers, but that's just not out there. RFP feels that there's a need for such a thing, but that there's no demand yet. He noted that "A lot of corporations have the attitude or presumption that 'no one will want to hack us.' When I tell them, 'Your web server is insecure; it has a hole in it,' they say, 'Well, we don't think that's a priority because we don't have anything they'd want.'

"But doing security is tricky, because defending is a lot harder than attacking. To attack, all you need is to find one hole. To defend, you have to patch ALL of them, even the ones you maybe don't know about!" Doing it needs both education and experience. "A lot of it is experience, and it's a long term education. You need to know what you're doing so well, knowing how the web server works, knowing the HTTP protocol, getting down to that level, that you get down to where the problems are. If you DO know it well, you kind of KNOW where the security problems are going to creep up, so you're well on your way.

Is Easier Better?

Microsoft in particular has put on a big push for ease of administration. NT 5.0 will feature a bevy of wizards to automate many administrative tasks. RFP believes that that's going to lead to even lesser-experienced administrators. It makes it easier, fine; but is easier necessarily better? "But," he says, "I don't see that there's much we can do about that."

He points out that Allaire's Spectra is similarly point-and-click simple. Is so much delegation of administrative tasks going to lead to longer-term problems?

"It's nice to make things easier, but by making it easier, we're also requiring less experience to operate. Is less experience necessarily a good thing? There's a huge demand in staffing issues. With a little experience and products so easy to use, your people can go off and do better things. That's good for corporations, because they can hire people with less experience, for less money, who can do more things. In the long run, it's kind of scary."

RFP noted that Microsoft has in the past granted its special title of MCSE (Microsoft Certified System Engineer) to a 12-year-old. A junior high school student sat down, read the MCSE texts, and took the six tests, one of which he failed four times before passing it. The MCSE certification is supposed to assure the user that the holder is an experienced IT administrator. Does this child KNOW system administration, infrastructure, corporate IT?

RFP saw something similar while working in the computer repair shop: People would bring in a computer and ask them to install NT. Then, during the course of conversation, he would learn that they were studying for the MCSE.

"I'd think, 'You want to be an NT administrator, but don't know how to install it? You're paying someone else to do it?' And then what happens when they need repairs or upgrades on a holiday when the repair shop isn't open?"

A lot of corporations are hiring the lowest denominator system administrator, who just got his certification, like that 12-year-old to do the job, then they hire a security person with a little more experience. RFP suggests that this may be the best approach, as long as the corporation asks key questions about how that person got his security experience and how thorough it is.

"If you have a staffing issue, where you need to hire a dozen security administrators or a dozen system administrators to maintain your servers, realize that maybe not EVERYONE knows the security end. Try to go the extra step and find someone who DOES know about it and hire him or her." That raises an interesting question. Who are the people who probably KNOW about security and can fit that need? There is a big pool of them, obviously: the hacker community.

The hacker community is not looked upon so favorably, or even understood, yet notable hackers have been hired by IT departments in a running lead IT position. Corporations are realizing these are the people who know what they're doing. They are very viable employees and more experienced than half the MCSE's that are being cranked out right now.

Advice from the Expert

We asked RFP to give our readers the benefit of his advice: "The biggest advice I can give anyone is just QUESTION WHAT YOU'RE DOING. Question everything. You're administering a web server; what exactly does that mean? Look at every little detail. Under IIS, there's lots of extra sample apps in virtual directories. What are they? Why are they there? Do you really need them? Question everything.

"My second piece of advice is THE LESS, THE BETTER. Be minimal. If you don't need it, get rid of it. It may or may not be a security problem in and of itself, but if you don't need it, delete it and don't worry about it.

"If you keep those two ideas in mind, you'll be well on your way." He also recommends staying current with as many of the public resources as you can. However, he has a problem with some of even the best of them. For instance, NTBugTraq has published their policy, which is not just to announce ALL security problems, but to put the better-researched security problems and solutions out there.

"My position is that ANY security problems should be out there immediately. Let people know. Even the smallest of problems should be known. If there's any potential of your server being hacked by it, causing potential downtime, people should know about it, not someone deciding, 'Well, it's not a real big one; we'll just let that slide.' Even if only one person has that hole, and that site is hacked and causes two weeks downtime, costing the corporation $2,000 in clean-up costs, recreating content, etc., obviously it's a problem! Withholding security information is detrimental, end of story."

RFP also recommends remembering the old cliche of "You're only as strong as your weakest link." The problem could technically be in a Microsoft database, but if it runs on YOUR NT server, through YOUR ColdFusion program to YOUR site, it's YOUR problem.

You can find out more about RFP at his site, http://www.wiretrip.net/rfp/.


Privacy | FAQ | Site Map | About | Guidelines | Contact | Advertising | What is ColdFusion?
House of Fusion | ColdFusion Jobs | Blog of Fusion | AHP Hosting