Information Security News mailing list archives

Interview with Lance Spitzner


From: InfoSec News <isn () C4I ORG>
Date: Tue, 5 Sep 2000 00:15:33 -0500

Forwarded By: "Berislav Kucan BHZ" <bhz () net-security org>

http://www.net-security.org/text/articles/interviews/spitzner.shtml

Lance is a former officer in the Army's Rapid Deployment Force, and the
author of numerous whitepapers on computer security
(http://www.net-security.org/text/articles/spitzner/lance-spitzner.shtml).

In his own words: "I'm a geek who constantly plays with computers,
especially network security. I love security because it is a
constantly changing environment; your job is to do battle with the bad
guys."


Your whitepapers have been a great success, many of our visitors asked
for more. When are you going to release something new? You mentioned
getting back to "research mode" for a while.

I'll be releasing something new when I learn something new. I like to
share information as I learn it. This tends to happen in spurts. I
learned a great deal this summer when the honeypots were compromised
by the script kiddie community. Not only did I learn about the tools
and tactics of the black-hat community, but I learned a great deal on
how to monitor them, such as passive fingerprinting or network traffic
analysis. I wrote several papers to share this knowledge.

I and several others are now rebuilding our research, so we can learn
more about the more sophisticated black-hats. Once we learn more from
that research, we will be sharing our lessons learned once again with
the security community.

I always like to be doing research, it keeps me on my toes :)


In your articles you write about Solaris, Linux, etc., but what is the
operating system you prefer and why?

Depends on what I am doing, but I feel the most comfortable with both
Linux and Solaris. Both have their uses. I like Linux for use with my
laptop; it also makes a great platform for auditing networks and
systems. I find Solaris to be more robust for server use, such as
firewalls or application systems.


Which security tools do you prefer? You mentioned Nessus a couple of times...

I would have to say my three favorite tools are:

nmap
snort
hping2

All three tools allow you to see what is happening at the network
level. They are highly customizable, and the authors of all three
tools are extremely helpful. Almost everything I learned about
networking is based on these three tools.

Nessus is my tool of choice when I want to take a snapshot of existing
vulnerabilities in an organization. It is highly customizable, and the
output is simple to query and easy to read.


In your Know Your Enemy series you describe script kiddies. What's
your opinion on the mass spreading of script kiddies and what
influence do you think it will have?

Script kiddies pose a huge risk, and it is only growing. I perceive
them as such a threat because:

1. Random: They do not care who their target is, just as long as they
can find them. Sooner or later they probe everyone. So, regardless of
who you are, they will find you. If you have a vulnerable system, they
are going to find it.

2. Numbers: These people are growing in numbers, and so are their
scans. It's nothing for them to scan millions of systems with a single
tool. I have personally found kiddies with files containing over 1.9
million systems that they have already found. Statistics are not in
the favor of security.

Script kiddies have been extremely successful in using these tactics.
However, this does not prove how good they are; instead this proves
how poorly secured a large percentage of the Internet is. If people
addressed only the most basic security issues, I feel far fewer
systems would be compromised. I feel the security community is growing
in awareness because of this threat, however not as fast as the growth
of the Internet in general.


As regards vulnerabilities, do you agree with them being posted before they are fixed?

Yes, but only if done properly. If a vulnerability is identified, this
vulnerability should be reported to the vendor first. The vendor
should be given proper notification and time to resolve the issues. If
the vendor fails to meet these standards, then the vulnerability
should be released. Rain Forest Puppy has published a reporting
standard that can be used for the reporting process.

Unfortunately, the threat of release is the only way to motivate some
vendors to address these issues.


Since you've released so many papers, are you by any chance planning a
book on computer security in the future?

I do not have the patience to write a book. I'm always playing with
new ideas and I like to share them. I like writing whitepapers because
I control the information. Also, I can keep them updated, so the
information does not become out of date. If I slow down in the future,
I may write a book. Until then, I'm too busy playing.


And your favorite computer security book is?

Practical Unix and Internet Security. This book is where I started.
The book is comprehensive, covering a variety of security issues in
excellent detail. One of the best places to start.


Do you have a message for our visitors?

Don't be the easy kill. Just by taking some basic steps, you greatly
enhance your organization's security, stopping the threat of the
script kiddies. The three biggest steps I feel you can take are:

1. If you don't need the service, turn it off.
2. If you do need the service, secure it by applying patches and limiting
access to only the resources that require the service.
3. Use ssh.
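The three steps above, as an added example that is not part of the interview or of the original mailing-list post: a POSIX shell script that audits a host's listening TCP ports against an allowlist of services you have decided you need, and reports everything else as a candidate for turning off (step 1) or for patching and access restriction (step 2). The listener output is a constructed sample in the format of `ss -ltn` (assumption: the local address:port sits in the fourth column); the allowlist, the sample ports and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the interview): audit listening TCP ports against
# an allowlist of services this host is supposed to offer. Anything else is
# either unnecessary (turn it off) or needs patching and access limits.

# Constructed sample of `ss -ltn` output (assumption: LISTEN lines, with the
# local address:port in column 4). On a real host use: ss -ltn
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
LISTEN 0      128    :::80              :::*'

# Ports this host is meant to serve (constructed allowlist): ssh and http.
ALLOWED_PORTS="22 80"

# extract_ports: print the port of every LISTEN line read from stdin.
# Splitting on ":" and taking the last field handles both IPv4 (0.0.0.0:22)
# and IPv6 (:::80) forms.
extract_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# unexpected_ports: read listener output from stdin and print, one per line
# in ascending order, each listening port that is not in ALLOWED_PORTS.
unexpected_ports() {
    extract_ports | sort -n -u | while read -r port; do
        ok=0
        for allowed in $ALLOWED_PORTS; do
            if [ "$port" = "$allowed" ]; then
                ok=1
            fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$port"
        fi
    done
}

# report: human-readable summary of the sample; returns 1 when any port
# outside the allowlist is listening, so it can gate a cron job or CI check.
report() {
    unexpected=$(printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_ports)
    if [ -z "$unexpected" ]; then
        echo "OK: only allowlisted services are listening"
        return 0
    fi
    echo "Listening ports outside the allowlist (turn off, or patch and restrict):"
    for p in $unexpected; do
        echo "  $p"
    done
    return 1
}

# Stand-alone run on the constructed sample; the non-zero status is expected.
report || true
```

With the sample input the script flags 23, 25 and 111: telnet on port 23 is exactly the kind of cleartext remote-access service that step 3 replaces with ssh, and the other two are only worth keeping if something on the host actually needs them, in which case they stay patched and reachable only from the hosts that require them. Swapping the sample for live `ss -ltn` output and maintaining the allowlist per host turns the three steps into a repeatable check rather than a one-time cleanup.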


Interview conducted by Mirko Zorz aka LogError (logerror () net-security org)


Berislav Kucan aka BHZ
bhz () net-security org
http://net-security.org

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
