Sunday, February 14, 2010

The only winning move is not to play

Did you ever see the movie WarGames?  This featured a computer called the WOPR.  I really liked this movie.  I thought there was a good balance between the human story and the computer.  I liked most of the movie Twister up until the end.  Both movies climaxed with flashing computer lights.  In Twister it was just numbers scrolling on a laptop, which was lame.  In WarGames the flashing lights showed simulated attacks demonstrating the computer learning, and worked well.

Two recent things reminded me of the movie WarGames.  One item was an article in the Washington Post about students hacking into the school computer and changing grades.  The other was the new release of Oracle WebCache that includes a learning rule capability for request filtering.  In the movie, they use Tic-Tac-Toe to help the computer learn.  To try out the new WebCache learning mode I chose Nikto.  This is a web security scanner that sends thousands of requests to test the security of a web server.  This tool is easy to set up and use, and it rhymes with Tic-Tac-Toe.  Let's try it against the Webcache Oracle Process for Request Filtering (WOPRF), and see how it does.

Sunday, January 24, 2010

Artificial Ignorance - Elementary my dear Watson

Marcus Ranum applied the term artificial ignorance to the process of monitoring log files.  You build a filter of events to ignore, and then look at everything else.  All the items that you consider normal get filtered out.  This reminds me of the Sherlock Holmes quote “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” - Arthur Conan Doyle.  It’s impossible to identify all the potential attacks that might be launched against a web site.  New attacks surface every day.  While part of the strategy should be to look for specific types of attacks, an equally important strategy is to look for the unusual.
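Here is what that filter looks like in practice, as an added example that is not from the original post or from Ranum's own scripts.  It parses constructed Apache combined-format access log lines (the sample lines and the ignore rules are assumptions for illustration), drops everything matched by a rule describing traffic already reviewed as normal, and hands back whatever remains for a human to look at.  The names `parse_access_line`, `artificial_ignorance` and `IGNORE_RULES` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2010:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Jan/2010:10:01:05 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jan/2010:10:01:09 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jan/2010:10:01:12 -0500] "GET /status HTTP/1.1" 200 17 "-" "monitoring-probe/1.0"
192.0.2.44 - - [24/Jan/2010:10:02:30 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jan/2010:10:02:31 -0500] "TRACK / HTTP/1.1" 405 321 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Jan/2010:10:03:00 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Field layout of the combined log format: client, identd, user, timestamp,
# request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The ignore list.  Each rule names a kind of traffic that has been reviewed
# and judged normal for this site; anything not matched here is "unusual".
IGNORE_RULES = {
    "static asset served": lambda r: r["method"] == "GET" and r["status"] == "200"
        and re.search(r"\.(html|png|css|js)$", r["path"]) is not None,
    "favicon miss": lambda r: r["path"] == "/favicon.ico" and r["status"] == "404",
    "monitoring probe": lambda r: r["ua"].startswith("monitoring-probe/") and r["path"] == "/status",
    "login redirect": lambda r: r["method"] == "POST" and r["path"] == "/login" and r["status"] == "302",
}


def parse_access_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def artificial_ignorance(log_text, rules=IGNORE_RULES):
    """Split a log into (unmatched lines, counts of ignored lines per rule).

    Unparseable lines are never treated as normal; they are kept for review.
    """
    kept = []
    ignored = Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            kept.append(line)
            continue
        for name, rule in rules.items():
            if rule(rec):
                ignored[name] += 1
                break
        else:
            kept.append(line)  # nothing in the ignore list explained this line
    return kept, ignored


if __name__ == "__main__":
    remaining, counts = artificial_ignorance(SAMPLE_LOG)
    print("Ignored as normal:")
    for name, n in counts.items():
        print(f"  {n:4d}  {name}")
    print("Left for review:")
    for line in remaining:
        print("  " + line)
```

The point of the `ignored` counter is the review loop Ranum describes: when a rule starts swallowing far more lines than it used to, or when the leftover pile grows a category you see every day, you either tighten the rule or add a new one, so the ignore list only ever contains traffic someone has actually looked at.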

Sunday, January 17, 2010

Is your web server an all-inclusive resort?

The Apache web server is a versatile product with lots of options to configure and support a wide variety of web applications.  It can act as a proxy server, directly run applications such as Perl and PHP, front-end a Java application server, or just serve up content.

This reminds me of the all-inclusive resorts like Club Med.  All the activities, food, and drink are available in one place.  However, even these resorts modify their model to appeal to specific clientele.  The resort locations and activities are designed to fit the groups they cater to.  You can go to a resort that is set up for families, for couples, or for singles.  While the overall experience is consistent with the resort's philosophy, the activities available at individual clubs can vary widely.

When you are configuring the web server to support applications, are you setting the options to cater to your clientele?  This can improve the overall security and performance of your site.

Sunday, January 10, 2010

Keep a tight lid on HTTP headers

The web server is a common infrastructure component supporting a wide range of applications.  If you manage the web server, then you are the community manager, and you have a responsibility to maintain the reputation of the community.

The weather has been very windy lately.  Some people in the neighborhood put out their garbage and don't put a tight lid on the trash can.  Of course, the trash blows down the street and into other yards.  Now a few of the people in the neighborhood do not see this as a big problem.  After all their yard looks fine, and their trash is gone.  The president of the homeowners association has been sending out emails to remind people to put a tight lid on their trash cans.

Software vendors or application providers sometimes have the same attitude when you report a cross-site scripting or HTTP response splitting issue.  The reaction seems to be "How does this affect me?"

Wednesday, January 6, 2010

Checking out Oracle OHS Apache

Taking a tour of the latest Oracle HTTP Server (OHS) release from a security perspective.  This uses a simple red, yellow, green scale to assess how each configuration item was addressed in this release.

Monday, January 4, 2010

Origin of Battle Room

The term Battle Room comes from the book Ender's Game. It refers to a zero gravity environment where battles are fought. Tactics are an important part of winning the battles. If you have not yet read this book, feel free now to go get a copy and read it. You can return to this blog later. Enjoy!
