Randomness in Security Configuration

We were deploying a new web service. Because of the nature of the service, we wanted it to listen on a non-standard port. Security by obscurity doesn’t work against a real attacker or well-written malware. However, if someone was just attempting to check for a web server by doing the standard http:// or https://, they wouldn’t find the web service. It wasn’t the only countermeasure we employed, but it was the first. 

This brought up a discussion of what port to use. Immediately, 8443 was suggested. Except this port is little better than 443. Then someone threw out 1701. That isn’t a well known port, at least not for a web server. However, that was still not a good choice. The person who made the suggestion was a huge Star Trek fan. This wasn’t a secret. Therefore, from a social engineering perspective, an insider could possibly guess what the port was by knowing the security pro in question. 

Tired of the back and forth, which had gone on for the better part of an hour, I reached into my bookbag and pulled out these:

Dice. If we wanted a random port, one that couldn’t be tied back to one of our preferences, this method was as good as any for selecting the value. The six-sided die is intentional due to the max port value. And we rolled. That’s how we chose the port. 

When it comes to security configurations, we can fall into the trap of trying to be too clever. We devise a method that surely will fool everyone. However, in a lot of cases a determined adversary who has done his or her research can puzzle together our plan unless we take steps to randomize things or intentionally break from known patterns. That’s what the dice did for us: they broke us from known patterns.
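As an added illustration of the dice approach (this is example code, not anything from the original post), the block below reads a handful of six-sided die rolls as a base-6 number and maps it onto the unprivileged port range without bias, falling back to the operating system's CSPRNG when nobody has dice handy. The post does not say how many dice were rolled; seven rolls and the small exclusion list of guessable ports are assumptions for this example.

```python
import secrets

MIN_PORT, MAX_PORT = 1024, 65535     # skip the privileged/well-known range 0-1023
RANGE = MAX_PORT - MIN_PORT + 1       # 64512 candidate ports
# Ports the post treats as guessable alternates; constructed exclusion list
# for this example, not an authoritative list.
EXCLUDED = {1701, 8080, 8443, 8000, 8888}

SIDES, ROLLS = 6, 7                   # 6**7 = 279936 outcomes covers the range
# Largest multiple of RANGE that fits: outcomes at or above it are re-rolled,
# which keeps every port exactly equally likely (rejection sampling, no modulo bias).
LIMIT = (SIDES ** ROLLS // RANGE) * RANGE   # 258048

def dice_to_port(rolls):
    """Map seven d6 rolls (values 1-6) to a port, or None if they must be redone."""
    if len(rolls) != ROLLS or any(r not in range(1, SIDES + 1) for r in rolls):
        raise ValueError("expected %d rolls of a six-sided die" % ROLLS)
    value = 0
    for r in rolls:                   # read the rolls as a base-6 number
        value = value * SIDES + (r - 1)
    if value >= LIMIT:
        return None                   # outside the unbiased region: roll again
    port = MIN_PORT + value % RANGE
    return None if port in EXCLUDED else port

def random_port():
    """Same selection done in software with the OS CSPRNG instead of dice."""
    while True:
        port = MIN_PORT + secrets.randbelow(RANGE)
        if port not in EXCLUDED:
            return port

if __name__ == "__main__":
    rolls = [secrets.randbelow(SIDES) + 1 for _ in range(ROLLS)]  # simulated dice
    print("rolls", rolls, "->", dice_to_port(rolls))
    print("csprng ->", random_port())
```

Roughly 8% of roll sequences land above LIMIT and are rerolled; that is the price of keeping the distribution uniform rather than taking the value modulo the range.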

That shouldn’t be all we do. Determining the port was the easiest thing we implemented to protect that web service. Also, when we make choices, we do still have to consider the operational ramifications. For instance, if we have a SQL Server that will be accessed by business users, does throwing it on a random port make sense? It likely doesn’t. In the case of the web service, it was only going to be accessed by back-end applications. Therefore, going to a non-standard port was perfectly reasonable. Had we expected end users to access it, that would have been a different story. 

Just Say No to Social Engineering Memes

These memes, from a security and privacy perspective, are nothing but trouble. Here’s an example I just saw a friend respond to:

The reason I say trouble is because if you play along, they reveal a tremendous amount of personal information about you. That information is often used to secure your information for healthcare, banking, investments, etc. Let’s play along with this one just to see what an adversary might obtain by seeing a social media post. 

John Doe posts, “I am an Oracle of Profound Wisdom!” If we know John looks to be 30-40 years old, we can conclude:

  • John was born in 1976 or 1986 (from profound)
  • John was born in January (combo of oracle and wisdom)
  • John was born on January 16-19 (also a combo of oracle and wisdom)

We get the last two because Capricorn stretches from December 22 to January 19, and “oracle” corresponds to the 16th through the 20th of the month. No day from the 16th to the 20th falls within the Capricorn part of December, so that rules out December. And since John is a Capricorn, January 20 is ruled out as well.

In other words, someone looking to use this information has narrowed down John’s birthday to one of 8 dates. And if the challenge is birth month and year, the adversary only needs 2 guesses. Most systems allow 3 or more. Just by posting his response to this meme, John has given someone enough information to compromise him. What looked like a little fun is actually a bigger security issue. 
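To put a number on what the post works through by hand, the following is an added example (not part of the original post) that intersects the three clues John gave and reports how many birth dates, and how many answers to a month/year challenge, remain. Only the three word mappings the post states are encoded; the prior of all dates from 1976 through 1986 is an assumption standing in for “looks 30-40 years old”.

```python
import math
from datetime import date

# Clue-to-attribute mappings exactly as the post reads them off the meme.
# Only John's three words are mapped; the rest of the meme is not on the page.
YEARS_PROFOUND = (1976, 1986)        # "profound": birth year, given John looks 30-40
DAYS_ORACLE = range(16, 21)          # "oracle": day of month 16 through 20
# "wisdom": Capricorn, December 22 through January 19
CAPRICORN = [(12, d) for d in range(22, 32)] + [(1, d) for d in range(1, 20)]

def candidate_birthdays(years=YEARS_PROFOUND, days=DAYS_ORACLE, sign=CAPRICORN):
    """Every birth date consistent with all three clues, in order."""
    found = [date(y, m, d) for y in years for (m, d) in sign if d in days]
    return sorted(found)

def guesses_needed(candidates, fields):
    """Distinct answers left for a challenge built from the given date
    fields, e.g. ("month", "year") for a birth month/year question."""
    return len({tuple(getattr(c, f) for f in fields) for c in candidates})

def bits_disclosed(candidates, first=date(1976, 1, 1), last=date(1986, 12, 31)):
    """Information leaked, in bits: log2(prior dates / remaining dates).
    The prior (an assumption) is every date in the 30-40 age band the post uses."""
    prior = (last - first).days + 1
    return math.log2(prior / len(candidates))

if __name__ == "__main__":
    cands = candidate_birthdays()
    print(len(cands), "candidate dates:", [c.isoformat() for c in cands])
    print("month/year challenge needs", guesses_needed(cands, ("month", "year")), "guesses")
    print("about %.1f bits disclosed" % bits_disclosed(cands))
```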

Therefore, don’t play along. These memes reveal information you’d never reveal willingly to most folks. Yet because at first glance it seems harmless, we play along. Meanwhile, someone willing to work through the choices gains the information. The only way to protect yourself is not to play. 

#TSQL2sday: Interviewing Patterns

This T-SQL Tuesday is hosted by Kendra Little.

I’ve been told interviewing is an art. Perhaps it is. I view it more as an information exchange. The organization you’re interviewing with is trying to obtain information on you. You should be trying to obtain information on the organization. The interview provides an opportunity to get that information first hand for both parties and from both parties. When it comes to interviewing, I only have two main suggestions.

Be Honest, to a Point

You want to be honest about your experience, your expectations, and your personality. The first two are self-explanatory. With respect to personality, let me give an example. If you do better working in a cave with little interruption, then you should make sure that’s known. The work environment at that organization may not be conducive to you if they believe in an open office work space. There you’ll be less productive, more miserable, and wondering why you took the job. If you’re trying to get a job, any job, it’s understandable if this isn’t a priority. But that’s part of your personality, too. What can you compromise on? What can you accept?

Where you need to hold your words is when it’s obvious that the interviewers are trying to use your knowledge to solve a problem they’re having. I’ve had several friends go to an interview, be given a “hypothetical situation” that clearly wasn’t hypothetical, give out the solution freely, and then not get the job. Actually, in each case the job was pulled shortly thereafter. In reality, the interviews were nothing more than attempts to get free consulting. Don’t fall for this trick.

Ask Your Own Questions

Always remember that an interview is supposed to go both ways. It’s not just to determine if the organization is interested in your services. The interview also exists to help you determine if you want to work in the organization on that team in that particular role. Therefore, make sure you ask questions like:

  • What’s the work environment like, with specifics like traffic, meetings, and work space?
  • What are the specific duties of the team?
  • What will your duties be?
  • What’s the management structure and how does it impact your team and your role?
  • What technologies will you be working with?
  • What is the corporate and team culture like?

The last one is a big one. I had a friend who ended up working in an environment where everything was kept extremely quiet. Almost all conversations were handled by instant messenger. Some folks thrive with this kind of work culture. Others wither up and feel trapped and isolated. You’ll want to know what the culture is before you take the job.