Black Hat USA Training 2006
Caesars Palace Las Vegas • July 29-30

System compromise is so common that it seems unavoidable. Very few of us can patch every server every day, but even if we could, we'd be compromised through vulnerabilities that don't have patches yet or through "0-day" vulnerabilities that only the attackers know about!

You don't have to stand for this kind of weakness, though.  There are great defensive technologies and techniques that allow you to deflect attacks even when you're not patched.  It's Unix® Aikido, taught by Jay Beale, the creator of Bastille Linux®, a popular Linux/Unix hardening and audit tool that is the default secure configuration tool shipped with HP-UX.  Bastille runs on the five primary Linux distributions as well as HP-UX and Mac OS X.

This class has been re-designed to take Unix security to the next level.  You will learn how to protect a Linux system from compromise and how to prove that your defense has worked.  We'll attack our systems with live exploits, demonstrating how hard-core hardening can defeat them.

This course starts after the "beginners" hardening courses end.  It starts by showing you how to use Bastille to accomplish core best practices hardening.  We'll discuss how it closes ports, tightens permissions and shuts down other avenues of attack and privilege escalation. We'll demonstrate how to check these steps using the audit functionality in Bastille and other system security checkers. 

The real meat of the course, though, comes in what we do after this core system lockdown. We start with server application defense, where we create defensive, least privileged, and well-confined configurations to avoid or contain vulnerabilities.  This includes jailing server daemons to contain their vulnerabilities, but also tuning their internal configurations to shield vulnerabilities from attack.  For example, we'll configure PHP variables to better protect applications, chroot the Apache™ server, and deactivate Apache modules to reduce the chance that the next vulnerability in Apache comes from code we're running.  Once we've accomplished all of this best practices work, the deep protection comes from applying the latest security technology to better deflect attacks. 

The following are a few examples of that "next level" of defensive technology.  We'll learn how to use free third-party IPS Apache modules that can protect vulnerable web applications from their own flaws.  We'll build host-based and multi-leg firewalls with iptables, but we'll build on this by learning how to use port knocking to make our SSH daemon, web server, or VPN concentrator invisible to attackers.  We'll learn how to apply the newly open-sourced AppArmor to focus SELinux-style exploit disruption and containment on a few key programs without dramatically changing the way the system is configured.  We'll learn how to detect compromises with Osiris, a free next-generation Tripwire-like program that can help us understand how deeply a system was compromised, and chkrootkit, a rootkit detection program.

Students will gain skills in performing system lockdown and applying new defensive technology to prevent or contain a system compromise. While the course specifically covers Red Hat® and SuSE™ Linux, the system lockdown material does apply very directly to all Linux distributions and broadly to all Unix variants.

Students will leave this course with the ability to:

• Configure Linux for much greater resilience to attack using Bastille Linux.
• Audit a Linux system to improve security using free audit tools.
• Configure Web, Mail, DNS, FTP, and proxy servers to break exploits against known and unknown vulnerabilities.
• Confine each of the above servers with chroot jails and AppArmor defense.
• Deploy mod_security and mod_parmguard modules to add IPS functionality to Apache.
• Configure transaction signatures (TSIG) and DNSSEC to protect against DNS spoofing and phishing attacks.
• Add mail filtration to Sendmail to thwart spammers and phishers.
• Create host-based Linux firewalls and multi-leg firewalls to protect internal servers from hostile users.
• Add port-knocking technology to dramatically reduce the exposure of hosting private services on the Internet.
• Deploy Osiris and chkrootkit for scalable compromise detection.
• Use encryption (SSH, PGP/GPG, openssl) to create safer processes and administration.

Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He has written two of the most popular tools in this space: Bastille Linux, a lockdown tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project, working on tool development.

Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on four books in the Information Security space. Three of these make up his Open Source Security Series, while one is a technical work of fiction entitled "Stealing the Network: How to Own a Continent."

Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense. Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.