The security grab bag: Is Treo hacking overrated?

Tech security education courses, the best security newsletter, and more in this week's missive

I’ve been ranting lately about things that bug me. This week, I’ll cover a variety of topics that have nothing to do with one another other than my level of excitement.

Elemental Security

Elemental Security's co-founder and CTO, Dan Farmer, is making headlines again. Farmer is famous for his 1995 vulnerability scanner, SATAN (Security Administrator's Tool for Analyzing Networks). Its release ushered a new age of hacking and hacking defense. Dan’s always a good guy for a quote, and during SATAN’s release he told computer security defense vendors something along the lines of, “You’re not mad at me for releasing SATAN. You’re mad at me for releasing it for free.”

His software, Elemental Compliance, is winning kudos and awards for its unique security approach, including a 2006 Technology of the Year award from InfoWorld. With Elemental Compliance, every managed computer acts like a nosy neighbor, looking for arbitrary applications, open ports, running processes, and the content of configuration files and registry database entries. It excels at rules-based access control defined by easy scripting language. As Farmer says, “We can map the way you talk and think about security.”

Here are some examples of types of policies you can define with Elemental Compliance:

-- West Coast clients running Kazaa cannot connect to our servers

-- Send my Windows policy to my Windows machines in my Sales Active Directory group

-- Block VPN users from accessing the corporate mail servers

All of this is done through Elemental Compliance's clickable GUI. The product relies on an Oracle back end, an Apache/Tomcat server center, and a Python-like interpreted scripting language called Fuel. It works with Windows, Red Hat Linux, Solaris, AIX 5.2/5.3, HP-UX 11i, and Mac OS X (Panther and Tiger).

Treo Hacking

I finally upgraded my aging, clunky cell phone with a new Treo 650. I don’t want to say that my old cell phone was ancient, but whenever I made a trip to Tokyo, I seemed to cause spontaneous laughter from friends and strangers whenever I pulled it out. Old tech is not the way to gain respect in the Land of the Rising Sun.

Treo phones are probably second only to BlackBerries when it comes to customer loyalty. After buying one and using it during the past few weeks, I have to agree: The Treo 650 is a great all-around cell phone.

I was especially excited to download dozens of free Palm OS-ready software programs and games to my Treo. As a professional penetration tester, I downloaded every pen testing and hacking tool I could find. I was delighted to learn that The Hacker’s Choice Hydra brute-force password-guesser program works with the Palm OS. I was also able to find war dialers, port scanners, Telnet programs, FTP servers, VNC, and several SSH tools. I put them all to the test -- go to my Security Adviser blog to see my Treo screenshots.

My conclusions? Hacking from a Treo is more a gimmick than anything else. The software is slow and clunky. Interfaces are bare-bones -- you can’t fit a lot of buttons on the tiny Treo screen -- and what functionality is available is slow. Besides wowing my friends and CSOs by brute-force attacking their Telnet servers, why would I ever want to hack from my Treo? And budding small-form, mobile hackers should beware -- any scans will originate from your cell phone provider’s IP address space, which I’m sure can easily be correlated to your cell phone number.

SANS Goes to College

Established in 1989, the SANS Institute is one of the foremost computer security educational entities in the world. Its GIAC certification is one of the most sought-after computer security certifications, and the SANS leadership team continues to garner my respect.

The SANS Technology Institute recently received a license to teach master’s level college classes in Maryland. SANS teaches two tracks and offers distance learning. Contact for more details.

Bruce Schneier’s Crypto-Gram Newsletter

I can’t say enough good things about this information resource. Bruce Schneier, CTO of Counterpane, produces what's probably the best general computer security newsletter in circulation today. Schneier’s Crypto-Gram Newsletter is a free monthly e-mail newsletter now available as a podcast.

While Schneier is often seen by many as just a crypto expert, his insights across the industry and across the globe are revealing and dead-on. He can cut away the false sense of security from an issue and expose the real problem faster than any other expert I know. If you’re in the computer security field, do yourself a favor and read this newsletter religiously.