
Steve, Information Security Analyst

Steve Milner is an information security analyst from North Carolina. He uses Fedora to audit web applications for security issues. Steve walks us through some great apps in Fedora for security analysis and has some tips for you in keeping your systems safe, too!

Steve Milner

Where are you from?

All over the USA. Currently live in Raleigh.

What is your profession?

Security Analyst/Developer.

What's your IRC nick? Where does it come from?

Ashcrow. When I was in middle school I really liked The Crow. I would use many different Crow references in my IRC nicks but ashcrow was the one that I ended up sticking with.

When did you first learn about Fedora?

My first use of Fedora was Fedora Core 2. At that time I was a pretty hard Debian user. Since I had used Red Hat Linux in the past I decided to give Fedora Core 2 a chance. I honestly thought Fedora Core 2 was just OK at the time, but Fedora Core 3 impressed me so much that I decided to put it on my parents' machine. My Mom really liked it!

How did you first become a developer?

Reading code. In high school I was very interested in code, but most of the programming books were way too expensive for me. I remember getting a copy of an old C book in the mid-90s which had an accompanying 5 1/4 floppy which taught me a little. The biggest thing that taught me to code was watching Free and Open Source coders at work. From there I started writing code and submitting patches to projects and ended up being hired at a small yet before-its-time web app development firm in Orlando, Florida.

Can you explain what security auditing means? How did you get into security auditing?

In a nutshell, security auditing is looking for security problems in an application or system. Once found, the issues are recorded and brought to developers with information on how to fix the problems. I primarily do web application security audits and pentests (penetration tests).

What kinds of issues are you typically looking for when performing a security audit?

The first line of issues I look for are the same listed on OWASP's Top Ten. Of the 10 listed I start off looking for what I find to be the most common: injections, cross-site scripting, cross-site request forgeries and unvalidated redirects. After looking for the most common I start looking deeper into the application to find logic issues, error messages, etc., which will help uncover other security issues.

Tell us which 3 applications in Fedora you find most helpful for security auditing work?

Nmap, ratproxy and python.

Python? How do you use python to test out the security of web applications?

When doing an audit it's important to be able to write up quick proof-of-concept attacks. Python has a plethora of modules which make doing POC attacks a joy. To list a few:

  • urllib/urllib2
  • BeautifulSoup
  • python-nmap
  • sulley

IPython and bpython are also great code-as-you-go environments for trying quick variations on POC attacks. Python's modules, as well as general security tools that can be controlled from Python, easily make the programming language an indispensable tool.

Tell us a bit about nmap. How does it work? Can you use it to analyze machines that are not running Fedora? Is it something that you automatically, constantly run to check for issues, or do you run it manually to answer specific questions?

Nmap (http://nmap.org/) is a network exploration tool. Nmap scans a host or set of hosts and responds back with information. It is commonly used as a general portscanner.

Nmap can find or scan pretty much any machine on the network. I've used it in the past when auditing Windows or OS X based machines as well.

I use Nmap as a part of my audits along with NSE (Nmap scripting engine) scripts most of which come directly from the Nmap project itself. I usually use it to check firewall status, open services of a system along with said service versions. It helps get a recon baseline.

What does ratproxy do? Can it analyze systems that aren't running Fedora? Can it analyze systems that don't run Linux? Is it a program you run manually or does it constantly run in the background?

Ratproxy (http://code.google.com/p/ratproxy/) is a passive web application auditing proxy. It sits between your browser and the web application you are auditing and records information as you move through the site. It can analyze most any web application no matter what OS it's running on. Since Ratproxy is passive, it can be used with AJAX applications.

Tell us about some interesting desktop customizations you've done to your Fedora desktop to help your security auditing workflow.

I use a two machine/three monitor setup with GNOME and synergy. I'm really looking forward to GNOME Shell being considered stable. I use it on my own personal machines and love it! If I can, I try to run most everything through the terminal. I find using terminal applications much easier, especially since I can run it all through byobu/screen.

Can you tell us about an exploit you recently uncovered using Fedora?

Chaining together an unvalidated redirect and a cross-site request forgery I crafted a link which would do the following:

  • Allow the user to login normally
  • After login, user would be forwarded to my 'malicious' site
  • The site would do a JavaScript post into the original application and perform actions as the user, which could include things such as adding or modifying accounts.
  • The user would then be forwarded back to the original application as if nothing happened.
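As an added example (not from the interview, and not code from any project Steve mentions), here are the two server-side checks that break this chain, written in Python: an allowlist rule for the post-login redirect target, and a per-session synchroniser token that a cross-site JavaScript POST cannot supply. The session dict, form dict and handler names are constructed for illustration.

```python
"""Defences against the unvalidated-redirect + CSRF chain described above."""
import hmac
import secrets


def safe_redirect_target(next_url, default="/"):
    """Return next_url only if it is a plain same-site path, else default.

    Rejected: absolute URLs to other hosts, scheme-relative '//evil.test',
    '///evil.test' (browsers collapse the extra slashes into an authority),
    backslash variants, 'javascript:' URLs and CR/LF header-injection bytes.
    """
    if not next_url or not next_url.startswith("/"):
        return default
    if next_url[1:2] in ("/", "\\") or "\\" in next_url:
        return default
    if "\r" in next_url or "\n" in next_url:
        return default
    return next_url


def issue_csrf_token(session):
    """Mint a random per-session token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_valid(session, submitted):
    """Constant-time compare; a forged cross-site POST has no way to read
    the token, so it cannot present a matching value."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_account_update(session, form):
    """Constructed state-changing handler: 403 unless the token matches."""
    if not csrf_valid(session, form.get("csrf_token")):
        return 403
    session.setdefault("accounts", []).append(form["account"])
    return 200


def handle_login(session, form):
    """Constructed login handler: 302 only to a validated same-site target."""
    issue_csrf_token(session)
    return 302, safe_redirect_target(form.get("next", ""))
```

The token is embedded in the application's own forms after login; the redirect check means the "forward to my site" step never happens in the first place.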

From your experience discovering security holes in applications, do you have any single trick or tip for developers looking to avoid having security exploits in their code?

Don't trust your users! You should write code with the expectation that there will be at least one malicious user who will stop at nothing to find issues in your application.

Do you have any tips for Fedora users in keeping their systems safe?

Don't forget the basics! Keep updated, use sane firewall rules (and use the firewall), turn off services you don't need and use sane passwords.

Thanks, Steve!
