Interview with Lance Spitzner, Security Expert


Lance is a former officer in the Army’s Rapid Deployment Force, and the author of numerous whitepapers on computer security.

In his own words: “I’m a geek who constantly plays with computers, especially network security. I love security because it is a constantly changing environment; your job is to do battle with the bad guys.”

Your whitepapers have been a great success. When are you going to release something new? You mentioned getting back to “research mode” for a while.

I’ll be releasing something new when I learn something new. I like to share information as I learn it. This tends to happen in spurts. I learned a great deal this summer when the honeypots were compromised by the script kiddie community. Not only did I learn about the tools and tactics of the black-hat community, but I learned a great deal on how to monitor them, such as passive fingerprinting or network traffic analysis. I wrote several papers to share this knowledge.

I and several others are now rebuilding our research, so we can learn more about the more sophisticated black-hats. Once we learn more from that research, we will be sharing our lessons learned once again with the security community.

I always like to be doing research; it keeps me on my toes 🙂

In your articles you write about Solaris, Linux, etc., but what is the operating system you prefer and why?

Depends on what I am doing, but I feel the most comfortable with both Linux and Solaris. Both have their uses. I like Linux for use with my laptop; it also makes a great platform for auditing networks and systems. I find Solaris to be more robust for server use, such as firewalls or application systems.

Which security tools do you prefer? You mentioned Nessus a couple of times…

I would have to say my three favorite tools are:

– nmap
– snort
– hping2

All three tools allow you to see what is happening at the network level. They are highly customizable, and the authors of all three tools are extremely helpful. Almost everything I learned from networking is based on these three tools.

Nessus is my tool of choice when I want to take a snapshot of existing vulnerabilities in an organization. It is highly customizable, and the output is simple to query and easy to read.

In your “Know Your Enemy” series you describe script kiddies. What’s your opinion on the mass spreading of script kiddies and what influence do you think it will have?

Script kiddies pose a huge risk, and it is only growing. I perceive them as such a threat because:

1. Random: They do not care who their target is, just as long as they can find them. Sooner or later they probe everyone. So, regardless of who you are, they will find you. If you have a vulnerable system, they are going to find it.

2. Numbers: These people are growing in numbers, and so are their scans. It’s nothing for them to scan millions of systems with a single tool. I have personally found kiddies with files containing over 1.9 million systems that they have already found. Statistics are not in the favor of security.

Script kiddies have been extremely successful in using these tactics. However, this does not prove how good they are; instead this proves how poorly secured a large percentage of the Internet is. If people addressed only the most basic security issues, I feel far fewer systems would be compromised. I feel the security community is growing in awareness because of this threat, however not as fast as the growth of the Internet in general.

As regards vulnerabilities, do you agree with them being posted before they are fixed?

Yes, but only if done properly. If a vulnerability is identified, this vulnerability should be reported to the vendor first. The vendor should be given proper notification and time to resolve the issues. If the vendor fails to meet these standards, then the vulnerability should be released. Rain Forest Puppy has published a reporting standard that can be used for the reporting process.

Unfortunately, the threat of release is the only way to motivate some vendors to address these issues.

Since you’ve released so many papers, are you by any chance planning a book on computer security in the future?

I do not have the patience to write a book. I’m always playing with new ideas and I like to share them. I like writing whitepapers because I control the information. Also, I can keep them updated, so the information does not become out of date. If I slow down in the future, I may write a book. Until then, I’m too busy playing.

And your favorite computer security book is?

Practical Unix and Internet Security. This book is where I started. The book is comprehensive, covering a variety of security issues in excellent detail. One of the best places to start.

Do you have a message for our visitors?

Don’t be the easy kill. Just by taking some basic steps, you greatly enhance your organization’s security, stopping the threat of the script kiddies. The three biggest steps I feel you can take are:

1. If you don’t need the service, turn it off.
2. If you do need the service, secure it by applying patches and limiting access to only resources that require the service.
3. Use ssh.