Interview with Jacob Carlson, co-author of “Internet Site Security”

Jacob Carlson is a senior security engineer for TrustWave Corporation. His primary role is leading the penetration testing and vulnerability assessment team.

In his copious free time he likes breaking things and writing code.

Jacob Carlson is also the co-author of the acclaimed “Internet Site Security”. The recent review of this book at HNS was a perfect opportunity to get him to answer a few questions. Here we go…

How did you gain interest in computer security?

Hrm….I think that it was the same curiosity that had me taking apart door knobs and clock radios when I was a kid. I’ve always just been curious about how things work, and more importantly how to make things work in ways the designer didn’t intend.

You do a lot of penetration testing for your company, what are your favourite tools and why?

Most of the tools I use I either wrote myself or are one-offs/modifications of publicly available tools. The main publicly available unmodified (well, only slightly modified 🙂) tool that I cannot live without is netcat. It is exactly the correct tool for a billion different tasks; most of the reconnaissance and exploitation that I do is manual and netcat allows me complete control over the network connections.

In your opinion what are the most important things an administrator has to do in order to keep a network secure?

#1: disable everything not in use.
#2: patch patch patch patch patch. then patch.
#3: do not trust any users.

What was it like to be a co-author of “Internet Site Security”? Any major difficulties?

Writing a book is very similar to giving breech birth to a porcupine. We didn’t get time off of our normal jobs to write (like other people out there :), so we were constantly facing book deadlines in addition to work deadlines. Last September, right as we were wrapping up the first draft of the completed book, I had to go to Germany and France to teach some classes. Because France has weird laws concerning cryptography I didn’t bring my laptop, but since I only planned on being gone a short while I thought that I would still be able to get everything completed. Well, I was in Germany on September 11 and ended up not getting back to New York for 2 and a half weeks or something. Obviously the book delay was not the greatest of my worries (my wife and I live about a mile and a half from the former World Trade Center), but by that point I thought that we would never finish.

What books, articles, whitepapers would you recommend to people that are starting to learn about computer security?

I get this question a lot and have never been able to come up with a decent succinct answer (well, except of course for Internet Site Security ;). Knowledge of computer security requires not only a wide breadth of knowledge about many different aspects of computer science, but practical application as well. So it’s not as easy as just saying, “read the Cheswick and Bellovin book, the Stevens books and every Phrack ever written and you’ll be fine”. That’s kind of like giving someone the MIT guide to picking locks and then asking him or her to be a thief or a locksmith. So while the books and papers are incredibly valuable, they aren’t worth much unless you also experiment. For anyone interested in security I recommend learning to program in at least C and writing little programs to perform security-related tasks. Start off by trying to write a port scanner. Move up to something that imitates netcat. Then start writing OS-specific tools like a passwd utility for Windows. Just silly little things with a security bent. Even though it may seem useless to duplicate the functionality of programs that already exist, you are gaining insight into how stuff works and obtaining ancillary knowledge along the way.
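As an added illustration of the kind of small, security-bent learning exercise recommended above (this is not code from the interview or from the book), here is a Python script that inventories listening TCP sockets on a Linux host by parsing the /proc/net/tcp table, in the spirit of rule #1 from earlier in the interview: you cannot disable what is not in use until you know what is listening. The sample table embedded below is constructed for this example; the allow-list of expected ports is an assumption you would replace with your own.

```python
"""Inventory listening TCP sockets from text in the Linux /proc/net/tcp format.

Added example, not from the interview or the book. The sample table below is
constructed; on a real Linux host read /proc/net/tcp instead (see main()).
"""
import socket
import struct

# /proc/net/tcp encodes the socket state as a hex byte; 0A is TCP_LISTEN.
TCP_LISTEN = 0x0A

# Constructed sample in the /proc/net/tcp layout (first line is the header):
# sshd on 0.0.0.0:22, a database bound to 127.0.0.1:3306, a web server on
# 0.0.0.0:80, and one established (state 01) outbound connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def parse_address(field):
    """Decode 'XXXXXXXX:PPPP' (hex IPv4 in host byte order, hex port) to (ip, port)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the 32-bit address in host byte order, so on a
    # little-endian machine the octets appear reversed: unpack as '<I' and
    # re-pack big-endian before handing it to inet_ntoa.
    ip_int = struct.unpack("<I", bytes.fromhex(ip_hex))[0]
    ip = socket.inet_ntoa(struct.pack(">I", ip_int))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """Return [(ip, port, uid)] for every socket in TCP_LISTEN state."""
    result = []
    for line in table_text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 8:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_address(fields[1])
        uid = int(fields[7])
        result.append((ip, port, uid))
    return result


def exposed_ports(table_text, allowed_ports):
    """Ports listening on all interfaces (0.0.0.0) that are not on the allow-list.

    Anything returned here is a candidate for rule #1: disable it or bind it
    to localhost if nothing outside the host needs it.
    """
    return sorted(port for ip, port, _ in listening_sockets(table_text)
                  if ip == "0.0.0.0" and port not in allowed_ports)


def main():
    # Assumed allow-list for this host; only SSH is expected to face the network.
    allowed = {22}
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # not on Linux: fall back to the constructed sample
    for ip, port, uid in listening_sockets(table):
        print(f"LISTEN {ip}:{port} (uid {uid})")
    for port in exposed_ports(table, allowed):
        print(f"review: port {port} is reachable from the network but not on the allow-list")


if __name__ == "__main__":
    main()
```

Running it against the constructed sample lists the three listeners and flags port 80 as network-reachable but not on the allow-list; the loopback-bound database is reported but not flagged, which is exactly the distinction an administrator applying rule #1 needs.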

Do you think that cyber terrorism will be a threat as large as the media is making it today?

That’s a bit of a loaded question (since ‘Cyber Terrorism’ is a term that can be applied to a wide range of activities), but I’ll bite. The threat to critical infrastructure is certainly a concern, but I think that computer and network security is, if not easier, at least less complicated than traditional national security. With computer security one has absolute control over almost every aspect of an infrastructure.

For instance, think about borders. By necessity all entrances into a network must be built by humans. There cannot be a way into a network without some person somewhere doing something. There is always a finite number of ways into a network. Even if someone builds an entrance into a network without explicit permission or knowledge of the administrator, it’s still a rather simple task to find this entrance and close it. Compare this with national borders; there are infinite ways into this country. It’s impossible to watch every inch of coastline, check every airplane, x-ray every cargo container, etc. If you want to sneak into this country, you can. So with networks the person responsible for security has a much less daunting task when he or she is trying to keep people out.

Now, just because you know where all of the entrances are, you don’t necessarily know the identities of those using the entrances. But you can take much stronger action in the name of security on a computer network than you can in a civilization. For some reason people are far happier to subject themselves to monitoring and the hassle of constantly presenting credentials when it comes to computers than they are in real life. For instance, if you buy batteries at Radio Shack and they ask you for your address you get pissed off. But you’ll visit myriad web sites that record your IP address without much of a thought. People are afraid that their supermarkets are recording the fact that they buy more boxes of cookies than they do apples, but are seemingly unfazed by the fact that AOL’s proxy servers have copies of pretty much every web page visited. It’s a hassle to supply a password every time you log onto your ISP or when you read a newspaper online, but people are okay with it. But people would never show their passports every time they got on the subway. So again, it’s much simpler to enforce security on a computer network than in real life.

And then there is the fact that with computers the worst thing that can happen (to the computer, that is) is that you have to restore from backup and maybe lose some data. If someone decides that it’s cute to DoS Yahoo and CNN or tag the front page of the New York Times, people can’t read news or whatever for a little while, but a couple of days later everything is fine. Even if someone was able to disable an electric company’s power grid for a little while, while the immediate effect may be devastating the effect would only be temporary. But buildings can’t be brought back from tape.

So, if I am to attempt to bring this all to some sort of conclusion, I do think that there is certainly a risk of ‘Cyber Terrorism’ (or whichever name is in fashion today), but I don’t think that addressing the threat is nearly as complex as addressing the threat to the physical infrastructure of our country. Nor do I feel that the effects could be as substantial.

What are your future plans? Any exciting new projects?

I’ve found that my definition of exciting can be drastically different from that of others, but I do have a few ideas. I’d like to move into more of an R&D role and away from the penetration testing. Believe it or not, breaking into computers can get boring after a while. More and more I find myself excited by theory rather than what new vulnerabilities exist in what software. I’ve always said that you have to know offense to play defense, but the offense has always been more exciting to me :). So the stuff I’m working on now is more in the offensive arena, particularly with regards to attacking web-based applications. In 5 years that’s pretty much all there will be, and finding out now how web services are broken is extremely important. I do have some ideas for defensive projects, but they are all at the hardware level so I’ll need TrustWave to kick down a couple more R&D dollars before I can proceed :).

My immediate plans, however, are to go lie on the couch with my brand new wife and take a nap.