Security Advancements at the Monastery » Learning
http://blog.securitymonks.com
Information about developments at the Monastery (feed generated Fri, 02 Jul 2010 16:49:49 +0000)

OMB Says Bring on the Clouds: Frightening or Funny?
http://blog.securitymonks.com/2010/01/18/omb-says-bring-on-the-clouds-frightening-or-funny/
Mon, 18 Jan 2010 23:13:04 +0000, John Gerber

Jason Miller, Executive Editor for FederalNewsRadio, writes in his article, “Agencies to justify not using cloud computing to OMB,” that OMB “will require agencies to develop an alternative analysis discussing how they could use cloud computing for all major technology projects for the fiscal 2012 budget.” This is according to internal budget documents obtained by FederalNewsRadio. The document details OMB’s plans for high-profile initiatives such as data center consolidation, the use of cloud computing, and cybersecurity spending.

Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11 in Zurich, recently posted all of its presentations:

  • Welcome note (Bernhard Plattner and Diego Zamboni)
  • Talk 1: Not Every Cloud has a Silver Lining (Gunter Ollmann, Damballa Inc., Atlanta GA, USA)
  • Talk 2: Virtualization and Cloud Computing: Security’s Golden or Gilded Age (Kevin Skapinetz, IBM Internet Security Systems, Atlanta GA, USA)
  • Talk 3: Using virtualization technology for fault and intrusion tolerance (Hans P. Reiser, University of Lisbon, Portugal)
  • Talk 4: A survey of current security-related operating systems research (Timothy Roscoe, ETH Zurich, Switzerland)
  • Talk 5: Of Cold Steam, Mist and Vapour: A View from the Inside of the Cloud (Dirk Kuhlmann, HP Labs Bristol, UK)
  • Talk 6: New Cloud Computing challenges: the security impact in the “social” world (Massimo Villari, University of Messina, Italy)
  • Talk 7: Paradigms in virtualization based host security (Tal Garfinkel, VMware Inc., Palo Alto, CA, USA / Stanford University, Palo Alto CA, USA)
  • Talk 8: Cloud Computing and Security: a Googley Perspective (Peter Dickman, Google Inc., Zurich, Switzerland)
  • Talk 9: A NIST Perspective on Cloud Computing (Tim Grance, National Institute of Standards and Technology, USA)
  • Talk 10: ENISA Risk Assessment of Cloud Computing – Preliminary Results (Giles Hogben, ENISA, EU)
  • Talk 11: Attack Graphs + Mechanically Generated Constraints (Lee Badger, National Institute of Standards and Technology, USA)
  • Wrap-up and end (Bernhard Plattner and Diego Zamboni)

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo, and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 2009, along with:

For more video presentations on cloud security, a while back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources are SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

  • The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
  • Evolution of Security (F-Secure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet that also talks about their state-of-the-art AV (self promotion) ;-) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
  • Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
  • Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
  • Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
  • Getting Started with Amazon Web Services by Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
  • Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products implement a lot of functionality, and as such have a decent chance of including some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all branches of the products, this impacts Workstation as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
  • Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extending to cloud and utility computing infrastructures, and how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

  1. Innovation
  2. Lowering the cost of Government
  3. Transparency
  4. Engaging Citizens
  5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they held their first event, bringing together executives from the White House and federal CIOs, CTOs, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman, and senior writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is also a short interview with Chris from BlueHat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

Santa’s Secrets Leaked
http://blog.securitymonks.com/2009/12/21/santas-secrets-leaked/
Mon, 21 Dec 2009 22:00:11 +0000, John Gerber

In a stunning possible security breach, Gregory Mone reveals in his book, “The Truth About Santa: Wormholes, Robots, and What Really Happens on Christmas Eve,” some of the sensitive data loss that has been occurring in Father Christmas’ organization. Answers to questions that have plagued humankind since the first report of the jolly old elf are beginning to appear on the Internet. Through heavy research and interviews with scientists and other field experts (management consultants, Berkeley astrophysicists, Navy SEALs), Mone was able to discover that Baba Noel accomplishes the seemingly impossible annual mission using advanced science and technology. Mone claims no information was obtained through disgruntled elves.

On a mission to reveal the truth behind Pere Noel, Mone took time for an interview on NPR’s Morning Edition and gave a one-hour lecture at MIT. Shaula Clark, reporting for the Boston Phoenix on the MIT lecture, exposed some of Babbo Natale’s trade secrets:

  • Kanakaloka is not immortal, but retains his jolly vigor with the help of organ printers.
  • Swiety Mikolaj does not, in fact, leave toys under the tree; instead, he comes bearing complex chemical reactions — toys assemble themselves in their packaging.
  • Ded Moroz’s Christmas Eve rounds are actually accomplished via several teams of Santa-recruited lieutenants, a series of short-distance wormholes, and time travel.
  • Papai Noel’s base of operations (actually in Greenland, not the North Pole) is greatly threatened by global warming — to keep his unfathomably large server farm cool, he needs the Arctic chill. Papai Noel’s own green initiatives include planting trees and cloning his elves (“because he wouldn’t want [them] breeding on their own”).

According to Mone, Sinter Klaas uses tools that are hundreds of years beyond what we have at our disposal. For example, “Santa’s suit is laden with what are called metamaterials, which have the effect of bending light around a person so that they turn invisible” — which can come in handy if there are curious children peeking during his Christmas deliveries.

Questions on the Internet have been raised as to where Mone may have obtained his information. At the beginning of the month, Mone traveled to Google, allegedly to take part in the Authors@Google series. During the talk Mone discussed how implanted listening devices in the ornaments help Hoteiosho keep the naughty and nice kids straight. Also discussed was the use of cloning and wormhole technology to help Baba Chaghaloo get to every household. A few posts on the Internet question whether Google could be providing information to Shengdan Laoren through advanced data mining in exchange for some of the advanced technologies.

Could the US government also be involved? Those Internet posts point to the partnership between Google and NORAD (the North American Aerospace Defense Command), a bi-national United States and Canadian organization. NORAD and Google are helping children track the journey of Jolasveinar around the world using Google Maps and Google Earth. In a possible attempt to gain patents and disrupt Google’s market share, there are even rumors that Gaghant Baba’s workshop has been purchased by Bill Gates. Could a secret message exist behind the Microsoft Bing commercial about Daidi na Nollag?

Google maintains that they take user privacy very seriously. In this case, I believe them. If there is trickery, Tomten would likely be behind it. How can one trust a person who goes by so many names? And what exactly is his past? Every country provides a different story. If he is a jolly old elf, there are reports that elves have used trickery as a means to an end. Local and federal governments across the world have gift policies limiting the value and number of gifts that can be given to government employees. Gifts can be used as bribes. One could begin to wonder if the gift-bearing holiday might be a cover for a massive yearly bribery event. More troubling, attempts to trace those questioning Internet posts lead back to ISPs in Greenland. Maybe Jack Bauer is needed to get at the truth.

I am not saying Chimney John is not a jolly nice fellow. I am just not a great believer in security through obscurity. There is a great deal we don’t know about Samichlaus. As security minded people, we need to be always questioning. Video of Mone’s Google talk has been made available. View it below and judge for yourself:

Wishing you a great holiday, wherever you may be and whatever you may believe.

WebGoat, Lua, and ModSecurity verses Password Guessing
http://blog.securitymonks.com/2009/01/10/webgoat-lua-and-modsecurity-verses-password-guessing/
Sun, 11 Jan 2009 00:54:52 +0000, John Gerber

Happiness abandoned Twitter this week as it was revealed that an 18-year-old was able to use an automated password guesser to break into an account. Twitter allowed an unlimited number of log-in attempts. The hacker used a simple dictionary attack that revealed, at 11:00am Monday, the password “happiness.” Once the hacker had the Twitter staffer’s password, it was possible through the administrative panel to change the email address of any Twitter account and reset the holder’s password. See Tom’s post “Summary of the Twitter Security Incidents” for more details on the incident.

To deal with administrative accounts at Twitter, Adam O’Donnell provides some great advice to corporate CSOs in his article, “A roadmap for the Twitter CSO.” Dave Goldsmith’s post, “My Pentest Secret: Password Guessing,” provides more advice on mitigating the risk of password guessing attacks.

Today’s post focuses on Dave’s point:

FAILED LOGIN DELAYS. What to do when someone is grinding passwords on the same account? Account lockout is pretty unpopular as it can lead to a denial of service attack. Doing nothing is pretty unpopular because attackers can grind forever. Enter the exponentially increasing login delay. Every failed login on an account causes the system to delay more and more on that account until a reset on that counter after a reasonable period of time or a valid login.
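Dave’s policy above, carried through in working code as an added Python example (it is not code from this post, from Dave’s post, or from the ModSecurity/Lua setup this series will use for the same job). It assumes a constructed user table, a fake clock standing in for time.monotonic() so the demo runs without sleeping, and demo parameters of a 1 s delay that doubles per failure, caps at 300 s, and resets after 15 minutes of quiet or a valid login:

```python
import hmac
import time


class FakeClock:  # deterministic stand-in for time.monotonic(); lets the demo run without sleeping
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FailedLoginThrottle:
    """Per-account exponentially increasing delay after failed logins.

    Each failure on an account doubles the wait before the next attempt on it is
    processed; the counter is forgotten after a quiet period (reset_after) or on a
    valid login; the wait is capped at max_delay, so grinding slows an account
    down but never locks its owner out (the DoS problem with account lockout).
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=900.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, time of the last one)

    def _failures(self, account):
        entry = self._state.get(account)
        if entry is None:
            return 0, 0.0
        count, last = entry
        if self.clock() - last >= self.reset_after:
            del self._state[account]  # quiet period elapsed: start over
            return 0, 0.0
        return count, last

    def delay_for(self, account):
        """Seconds the account must wait after its most recent failure."""
        count, _ = self._failures(account)
        if count == 0:
            return 0.0
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def seconds_until_allowed(self, account):
        """Remaining wait right now; 0.0 means an attempt may be processed."""
        count, last = self._failures(account)
        if count == 0:
            return 0.0
        return max(0.0, last + self.delay_for(account) - self.clock())

    def record_failure(self, account):
        count, _ = self._failures(account)
        self._state[account] = (count + 1, self.clock())

    def record_success(self, account):
        self._state.pop(account, None)


# Constructed demo user table (username -> password); a real system stores salted hashes.
DEMO_USERS = {"staffer": "correct horse battery staple"}


def attempt_login(throttle, account, password, users=DEMO_USERS):
    """Returns 'ok', 'bad-password' or 'throttled'.

    Attempts arriving during the delay are refused without checking the password
    and are not counted, so flooding an account cannot inflate its own delay.
    """
    if throttle.seconds_until_allowed(account) > 0:
        return "throttled"
    stored = users.get(account, "")
    # compare_digest keeps the comparison time independent of where the strings differ
    if account in users and hmac.compare_digest(stored.encode(), password.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad-password"


def grind_cost_seconds(guesses, base_delay=1.0, max_delay=300.0):
    """Total wait imposed on an attacker who sits out every delay for `guesses` tries."""
    return sum(min(base_delay * 2 ** (k - 1), max_delay) for k in range(1, guesses))


if __name__ == "__main__":
    clock = FakeClock()
    throttle = FailedLoginThrottle(clock=clock)
    for word in ["password", "123456", "happiness"]:  # constructed word list
        result = attempt_login(throttle, "staffer", word)
        print(f"t={clock.now:4.0f}s {word!r:12} -> {result}, next wait {throttle.delay_for('staffer'):.0f}s")
        clock.advance(throttle.delay_for("staffer"))
    print(f"100 guesses cost {grind_cost_seconds(100) / 3600:.1f} hours of waiting")
```

Two design points are worth noticing. Refused attempts are not counted, otherwise anyone could push a victim’s delay to the cap by flooding the login form, which reintroduces the lockout denial of service in a different shape. And with these demo numbers, grind_cost_seconds(100) comes to 27,511 s, roughly 7.6 hours of enforced waiting for a hundred guesses that Twitter’s unlimited-attempt login would have served in seconds. Because the counter is per account, it does nothing against one password tried once against many accounts, so in practice it is paired with per-source limits as well.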

The Open Web Application Security Project (OWASP) has begun a podcast focused on web application security. The podcast is hosted by Jim Manico, a Web Application Architect and Security Engineer for Aspect Security. In Podcast #2, Stephen Craig Evans, an independent software security consultant, talks about Lua and the OWASP Summer of Code project wiki, Securing WebGoat using ModSecurity. The project goes through the steps involved in securing WebGoat using the combination of ModSecurity and Lua. To quote Ivan Ristic, creator of ModSecurity, the project “stretched the boundaries of what ModSecurity could do.”

To help address the problem of dictionary attacks against your web server, today’s post will be using ModSecurity with the scripting language Lua. First, let’s set up WebGoat for testing purposes.

WebGoat

For those unfamiliar with OWASP WebGoat project, WebGoat is:

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!

WebGoat is intended to teach a structured approach to testing and exploiting vulnerabilities within an application security assessment. Also being developed is the OWASP Testing Project, which provides a full application security assessment testing methodology. Through WebGoat, companies have a way to teach web application security lessons to their developers. There are over 30 lessons dealing with such issues as:

The YGN Ethical Hacker Group has made available a series of videos walking through WebGoat v5.2. The videos consist of:

Please recognize that WebGoat is a vulnerable server and therefore you will want to set it up so that no one but you can access it. By default WebGoat only listens on the loopback address. Below are the steps to pull down WebGoat and install it on a Linux server. Since this is not a production system, we will be installing the WebGoat developer release.

Installing JDK

WebGoat will require Sun JDK 6 to be installed. Get the Sun JDK 6 from Sun’s website. Sun requires you to agree to terms, so you’ll need to go there and agree. Run the installer which gets downloaded. Agree again to the terms. The installer will install a few rpms and jars.

root# /bin/sh jdk-6u11-linux-i586-rpm.bin
root# ls -la /usr/java
default  jdk1.5.0_17  jdk1.6.0_11  latest
root# declare -x JAVA_HOME="/usr/java/latest"
root# declare -x PATH="${JAVA_HOME}/bin:${PATH}"
root# java -version
java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Java HotSpot(TM) Server VM (build 11.0-b16, mixed mode)

Running WebGoat Standard Release

While the documentation for WebGoat says to install Tomcat, the WebGoat zip file comes with its own version of Tomcat. Running WebGoat in this manner can be the easiest path, avoiding Java software version problems. We will go through both deployments. First, installing WebGoat with its bundled Tomcat.

 root# cd /usr/local/src
/usr/local/src root# wget \
http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.2.zip
/usr/local/src root# /usr/bin/openssl sha1 WebGoat-OWASP_Standard-5.2.zip
SHA1(WebGoat-OWASP_Standard-5.2.zip)= 1e8950d8af0a1726ee1c4509cb64ee4ee6da7584
/usr/local/src root# unzip WebGoat-OWASP_Standard-5.2.zip
/usr/local/src root# cd WebGoat-5.2

At this point, a slight modification needs to be made to webgoat.sh. It checks whether the Java version is 1.5. This is an odd check, since WebGoat was compiled under 1.6 and will not run under 1.5. Find where webgoat.sh has grep 'version "1.5' and change 1.5 to 1.6. At that point, you are ready to start WebGoat.

/usr/local/src/WebGoat-5.2 root# /bin/sh webgoat.sh start8080
Using CATALINA_BASE:   ./tomcat
Using CATALINA_HOME:   ./tomcat
Using CATALINA_TMPDIR: ./tomcat/temp
Using JAVA_HOME:       /usr/java/latest

  Open http://127.0.0.1:8080/WebGoat/attack
  Username: guest
  Password: guest
  Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack

This is running WebGoat accessible only to 127.0.0.1. From your web browser, go to http://127.0.0.1:8080/WebGoat/attack and log in with username guest and password guest. At this point, WebGoat is running and you are set to start going through the lesson plans and exercise.

Installing WebGoat.war

If you have Tomcat on your server, you will want to install only the WebGoat.war file. I am going to make this a little more complicated by going through the steps to install Tomcat. In previous posts, I have stepped through installation of Apache and ModSecurity. Walking through the installation of Tomcat will help get us on the same page as far as configuration and installation.

There is a known issue with the latest stable release of Tomcat, 6.0.18. It requires JDK 5 at the moment, due to incompatibilities introduced by Sun JDK 6: Sun changed the JDBC spec in an incompatible fashion, which was discovered after Tomcat 6 went out. There are changes in trunk to replace the DB connection pooling mechanism with one that isn’t affected by the 1.6 change. Unfortunately, WebGoat requires JDK 6. To get around this problem, we will use the subversion release of Tomcat.

We first need to install Apache Ant, which is a software tool for automating software build processes. It is similar to make but is implemented using the Java language.

root# cd  /usr/local/src/
/usr/local/src root# wget http://www.uniontransit.com/apache/ant/binaries/apache-ant-1.7.1-bin.tar.gz
/usr/local/src root# md5sum apache-ant-1.7.1-bin.tar.gz
cc5777c57c4e8269be5f3d1dc515301c  apache-ant-1.7.1-bin.tar.gz
/usr/local/src root# tar xzf apache-ant-1.7.1-bin.tar.gz
/usr/local/src root# mv apache-ant-1.7.1 /work/software
/usr/local/src root# cd  /work/software
/work/software root# ln -s apache-ant-1.7.1 ant
/work/software root# declare -x ANT_HOME="/work/software/ant"
/work/software root# declare -x PATH="${PATH}:${ANT_HOME}/bin"
/work/software root# ant
Buildfile: build.xml does not exist!
Build failed

The error above indicates that the ant command is recognized by the shell but that it did not find the build.xml file needed to compile an Ant project. So this is perfectly normal and the installation was successful.

We are now ready to download and build Tomcat.

root# cd  /usr/local/src/
/usr/local/src root# svn checkout \
http://svn.apache.org/repos/asf/tomcat/trunk tomcat-7
/usr/local/src root# cd tomcat-7
/usr/local/src/tomcat-7 root# ant download
/usr/local/src/tomcat-7 root# ant
/usr/local/src/tomcat-7 root# cd output
/usr/local/src/tomcat-7/output root# mv build \
/work/software/tomcat-7
/usr/local/src/tomcat-7 root# cd /work/software/
/work/software root# ln -s tomcat-7 tomcat
/work/software root# declare -x CATALINA_HOME="/work/software/tomcat"
/work/software root# chmod u+x $CATALINA_HOME/bin/*
/work/software root# mkdir $CATALINA_HOME/logs

Configuring and Using Tomcat

The following modifications can be made to the Tomcat configuration files that came down as part of WebGoat, or to the latest version from the Tomcat site. If you make the modifications to the Tomcat under WebGoat, keep in mind:

  1. Set $CATALINA_HOME appropriately
  2. Modify webgoat.sh, removing the line “cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml”.
  3. Adjust paths based on where WebGoat is installed.
  4. Add to the $CATALINA_HOME/conf/tomcat-users.xml file. Do not replace content.
  5. You can use $CATALINA_HOME/bin/shutdown.sh to shutdown Tomcat.
  6. You can start with $CATALINA_HOME/bin/startup.sh instead of webgoat.sh, provided you have $PATH, $JAVA_HOME, and $CATALINA_HOME set.

Before starting, create a manager username and password. This is set in the $CATALINA_HOME/conf/tomcat-users.xml file. The following is an example only:

/work/software root# vi $CATALINA_HOME/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="jerry" password="mousepower" roles="tomcat"/>
  <user username="tom" password="catpower" roles="manager"/>
</tomcat-users>

We can set up secure web authentication through the use of digital certificates using SSL. The first step is to use the keytool utility, included in the Sun Java Standard Edition JDK, to create a keystore file. Use “changeit” as the password. (If you don’t use “changeit”, you will have to state the password with the keystorePass setting in server.xml.) For example:

/work/software root# mkdir /work/software/tomcat/keystore
/work/software root# cd /work/software/tomcat/keystore
/work/software/tomcat/keystore root# keytool -genkey -alias tomcat \
-keyalg RSA -keysize 2048 -keystore /work/software/tomcat/keystore/keystore
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  John Gerber
What is the name of your organizational unit?
  [Unknown]:  SecurityMonks
What is the name of your organization?
  [Unknown]:  OrderOfUnix
What is the name of your City or Locality?
  [Unknown]:  Knoxville
What is the name of your State or Province?
  [Unknown]:  TN
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=John Gerber, OU=SecurityMonks, O=OrderOfUnix, L=Knoxville, ST=TN, C=US correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):
/work/software/tomcat/keystore root# ls  /work/software/tomcat/keystore
/work/software/tomcat/keystore root# keytool -list -keystore keystore

The keystore created will not be trusted by JVM until the certificate is imported into JVM’s trusted certificate keystore. We will export the SSL certificate we just generated and import it into the JVM’s keystore.

/work/software/tomcat/keystore root# keytool -export \
-alias tomcat -keystore keystore -file tomcat.cer
/work/software/tomcat/keystore root# keytool -import \
-trustcacerts -keystore /usr/java/jdk1.5.0_17/jre/lib/security/cacerts  \
-alias tomcat -file /work/software/tomcat/keystore/tomcat.cer
/work/software/tomcat/keystore root# keytool -list -alias tomcat \
-keystore /usr/java/jdk1.5.0_17/jre/lib/security/cacerts

Modify the $CATALINA_HOME/conf/server.xml section which defines an SSL HTTP/1.1 Connector on port 8443. It should go with the other connectors in the Service section and look something like this:

    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100"  maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/work/software/tomcat/keystore/keystore"  keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

In order to require SSL for an application, configure a security constraint for it. Do this by editing the $CATALINA_HOME/conf/web.xml file and adding the following section just before the closing </web-app> tag (this global web.xml applies the constraint to every application Tomcat hosts; to limit it to one application, put the same section in that application’s WEB-INF/web.xml instead):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Now startup Tomcat.

/work/software root# $CATALINA_HOME/bin/startup.sh
Using CATALINA_BASE:   /work/software/tomcat
Using CATALINA_HOME:   /work/software/tomcat
Using CATALINA_TMPDIR: /work/software/tomcat/temp
Using JRE_HOME:       /usr/java/jdk1.5.0_17
/work/software root# ps awx | grep tomcat
  783 pts/14   Sl     0:04 /usr/java/jdk1.5.0_17/bin/java
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/work/software/tomcat/conf/logging.properties
-Djava.endorsed.dirs=/work/software/tomcat/endorsed
-classpath :/work/software/tomcat/bin/bootstrap.jar
-Dcatalina.base=/work/software/tomcat
-Dcatalina.home=/work/software/tomcat
-Djava.io.tmpdir=/work/software/tomcat/temp org.apache.catalina.startup.Bootstrap start
/work/software root# /usr/sbin/lsof -iTCP -n -P | grep java
java      6175   root   10u  IPv6 327556       TCP *:8080 (LISTEN)
java      6175   root   12u  IPv6 327557       TCP *:8443 (LISTEN)
java      6175   root   21u  IPv6 327562       TCP *:8009 (LISTEN)
java      6175   root   22u  IPv6 327565       TCP 127.0.0.1:8005 (LISTEN)

Tomcat is now built and running. You can access it by going to http://localhost:8080, which will redirect you to https://localhost:8443. Note that the lsof output above shows this Tomcat listening on all interfaces (*:8080, *:8443), unlike the WebGoat-bundled Tomcat, which was reachable only on 127.0.0.1; if you want the same loopback-only exposure for the vulnerable server, add address="127.0.0.1" to each Connector in server.xml.

When you goto https://localhost:8443 you will be asked to accept the certificate. If you have problems, make sure to clear you browser’s cache. Now that we have Tomcat server running, we are ready to download and setup our WebGoat server.

 root# $CATALINA_HOME/bin/shutdown.sh
 root# cd /usr/local/src
/usr/local/src root# wget http://webgoat.googlecode.com/files/WebGoat-5.2.war
/usr/local/src root# /usr/bin/openssl sha1 WebGoat-5.2.war
SHA1(WebGoat-5.2.war)= c5aab7c5496625777a3b9e21b9888cddee5b649c
/usr/local/src root# mv WebGoat-5.2.war /work/software/tomcat/webapps/WebGoat.war
/usr/local/src root# $CATALINA_HOME/bin/startup.sh
/usr/local/src root# ls -la /work/software/tomcat/webapps/WebGoat
/usr/local/src root# ls -la /work/software/tomcat/conf/tomcat-users.xml

Stop Tomcat, add the WebGoat users and roles to $CATALINA_HOME/conf/tomcat-users.xml, then start it back up. These are the lesson's stock accounts with their stock passwords, which is one more reason to keep this server off any network you care about.

 root# $CATALINA_HOME/bin/shutdown.sh
 root# vi $CATALINA_HOME/conf/tomcat-users.xml
    <tomcat-users>
      <role rolename="webgoat_basic"/>
      <role rolename="webgoat_admin"/>
      <role rolename="webgoat_user"/>
      <role rolename="tomcat"/>
      <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
      <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
      <user password="tomcat" roles="tomcat" username="tomcat"/>
      <user password="guest" roles="webgoat_user" username="guest"/>
    </tomcat-users>
 root# $CATALINA_HOME/bin/startup.sh

At this point, WebGoat should be running. Pretend you are an 18-year-old hacker and use your penetration-testing skills to break into one of the accounts. Check out the Access Control Flaws material and the Remote Admin Access section. Being aware of what is possible, and that the threats are real, helps motivate a person to defend against them.

Now it is time to examine the OWASP Summer of Code project wiki, Securing WebGoat using ModSecurity. With a vulnerable server to test against, we move on to the software that will help defend against brute force password attacks. First step: install Lua for use with ModSecurity.

Lua

The Lua language combines “simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode for a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping.”

For a complete discussion of the benefits of Lua, Soumya has written an article, “10 Reasons Why You Should Make Lua (A New Programming Language) Your Coding Friend – A Detailed Review.” Erik Wrenholt has also done an interesting benchmark against popular languages computing the Mandelbrot set. We are focusing on Lua because it can be used with ModSecurity, and because we want to take advantage of the work done by Stephen Craig Evans and others on securing web applications with it.

To install Lua on a Linux server from source (the Lua Makefile only produces a static liblua.a, so the last two commands turn it into the shared library ModSecurity links against; -fPIC is required for that on x86_64, and --whole-archive forces every object in the archive into the .so, since with no undefined symbols to resolve the linker would otherwise pull in nothing):

root# cd  /usr/local/src/
/usr/local/src root# wget http://www.lua.org/ftp/lua-5.1.4.tar.gz
/usr/local/src root# md5sum lua-5.1.4.tar.gz
d0870f2de55d59c1c8419f36e8fac150  lua-5.1.4.tar.gz
/usr/local/src root# tar xzf lua-5.1.4.tar.gz
/usr/local/src root# cd lua-5.1.4
/usr/local/src/lua-5.1.4 root# make linux MYCFLAGS=-fPIC
/usr/local/src/lua-5.1.4 root# make install
/usr/local/src/lua-5.1.4 root# cd /usr/local/lib
/usr/local/lib root# gcc -shared -o liblua.5.1.4.so -Wl,--whole-archive /usr/local/lib/liblua.a -Wl,--no-whole-archive -lm -ldl
/usr/local/lib root# ln -s liblua.5.1.4.so liblua.so

ModSecurity

If you are running a version of ModSecurity older than 2.5, you will need to upgrade, and ModSecurity must have been compiled with Lua support (its configure script looks for liblua, which is why the shared library was built above). As of ModSecurity 2.5, Lua can be used:

The new SecRuleScript directive allows for the execution of Lua scripts which provide an even more flexible and powerful interface into ModSecurity. When is Lua needed? ModSecurity chained rules can easily implement AND logic to create complex rules that evaluate that specific variables are present and have certain data, however they cannot easily create proper OR logic. This is where Lua can help.

A previous blog post, “Implementing a Web Application Firewall with ModSecurity,” goes through the steps of installing ModSecurity with an Apache web server. Following that post, your Apache httpd.conf should load the mod_security2.so module and include the modsecurity.conf file. It is in modsecurity.conf that the additional rules will be added.

Problem with Usernames and Passwords

WebGoat demonstrates a few security issues that need to be addressed. From OWASP’s “OWASP ModSecurity Securing WebGoat Section4 Sublesson 04.2” Forgot Password section, the following points are made:

  • Attackers who are attempting to enumerate valid usernames. If you submit an invalid one the html response text includes info stating as such. We can track this.
  • Once a specific valid username is identified, the attacker then starts a targeted attack to guess answers to the password hint (favorite color).
  • Attackers can initiate reverse brute force attacks – this is when an attacker cycles through different valid user accounts and submits the same common answer to the question (submitting Blue as the answer to different usernames).
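To make the three patterns concrete, here is an added example, not from the OWASP document or this post, that models in Python the state and decision logic one would put in a ModSecurity SecRuleScript Lua script: per-client counters for unknown usernames, for distinct answers against one valid username, and for distinct usernames tried with one answer, combined with the OR logic the ModSecurity section above says chained rules cannot easily express. The thresholds, the form field names mentioned in the comments and the request sample are all constructed; in a real deployment the counters would live in ModSecurity's IP collection with an expiry window.

```python
"""Forgot Password abuse detector: a Python model of the checks one would write in a
ModSecurity SecRuleScript Lua script (added example, not the OWASP project's rules)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical thresholds chosen for this example; tune per site and add a time window
# (ModSecurity's persistent collections expire entries) before relying on them.
MAX_INVALID_USERNAMES = 3  # distinct unknown usernames from one client -> enumeration
MAX_ANSWERS_PER_USER = 3   # distinct hint answers for one valid user from one client -> targeted guessing
MAX_USERS_PER_ANSWER = 3   # distinct valid users tried with one answer from one client -> reverse brute force


@dataclass
class Request:
    ip: str             # REMOTE_ADDR
    username: str       # the lesson's username field (field name assumed)
    answer: str         # the favourite-colour hint answer (field name assumed)
    invalid_user: bool  # True when the response body said the username was not valid


@dataclass
class State:
    """Per-client counters; in ModSecurity these would be variables in the IP collection."""
    invalid_users: dict = field(default_factory=lambda: defaultdict(set))     # ip -> {usernames}
    answers_per_user: dict = field(default_factory=lambda: defaultdict(set))  # (ip, user) -> {answers}
    users_per_answer: dict = field(default_factory=lambda: defaultdict(set))  # (ip, answer) -> {users}


def evaluate(state, req):
    """Update the counters with one request. Return an alert message if ANY of the three
    patterns fires (the OR logic Lua is good for), else None, mirroring the SecRuleScript
    convention that a nil return means no match."""
    user = req.username.strip().lower()
    answer = req.answer.strip().lower()
    reasons = []
    if req.invalid_user:
        # The "not a valid username" response text is what lets us count enumeration attempts.
        state.invalid_users[req.ip].add(user)
        if len(state.invalid_users[req.ip]) >= MAX_INVALID_USERNAMES:
            reasons.append("username enumeration (%d unknown names)" % len(state.invalid_users[req.ip]))
    else:
        state.answers_per_user[(req.ip, user)].add(answer)
        state.users_per_answer[(req.ip, answer)].add(user)
        if len(state.answers_per_user[(req.ip, user)]) >= MAX_ANSWERS_PER_USER:
            reasons.append("targeted hint guessing against '%s'" % user)
        if len(state.users_per_answer[(req.ip, answer)]) >= MAX_USERS_PER_ANSWER:
            reasons.append("reverse brute force with answer '%s'" % answer)
    if reasons:
        return "Forgot Password abuse from %s: %s" % (req.ip, "; ".join(reasons))
    return None


def run(requests):
    """Feed a request sequence through one detector and collect the alerts, in order."""
    state = State()
    return [msg for msg in (evaluate(state, r) for r in requests) if msg]


# Constructed traffic, not captured from a real WebGoat instance. The valid usernames are
# the ones added to tomcat-users.xml above; 10.0.0.3 is a legitimate user.
SAMPLE_REQUESTS = [
    Request("10.0.0.3", "webgoat", "green", False),
    Request("10.0.0.5", "alice", "blue", True),
    Request("10.0.0.5", "bob", "blue", True),
    Request("10.0.0.9", "webgoat", "blue", False),
    Request("10.0.0.9", "basic", "blue", False),
    Request("10.0.0.5", "carol", "blue", True),     # third unknown name -> enumeration
    Request("10.0.0.7", "webgoat", "red", False),
    Request("10.0.0.7", "webgoat", "green", False),
    Request("10.0.0.9", "guest", "blue", False),    # third user with 'blue' -> reverse brute force
    Request("10.0.0.7", "webgoat", "blue", False),  # third answer for webgoat -> targeted guessing
]

if __name__ == "__main__":
    for alert in run(SAMPLE_REQUESTS):
        print(alert)
```

The Lua equivalent reads the same inputs with m.getvar (REMOTE_ADDR, the ARGS fields and the response body match) and keeps the counters with m.setvar on the IP collection; returning a string from the script is what makes the SecRuleScript rule match, and the rule's action decides whether to log, delay or block.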

The OWASP ModSecurity Securing WebGoat document does such a good job of outlining the security issues along with possible solutions that I am going to leave it to the reader to decide which solutions are appropriate for their systems. If I kept stepping through to a more secure implementation, I would end up copying everything in the document. Playing around with the rules and testing the results is great fun in a geeky security kind of way. Do scroll down and read the reviewer’s comments. A very good job by Stephen Craig Evans and all who worked on the OWASP Summer of Code project. Of course, a special thanks to Ivan Ristic, who gave us ModSecurity.

Recently, I listened to an IT Conversations podcast from the O’Reilly Media Emerging Technology Conference. Tim O’Reilly spoke about hackers: not the black hats, but the folks who work tirelessly to bring about the kind of software and services that make the Internet possible. While the Internet may at times be a dangerous place, thanks to the efforts of these hackers, who work for love of the challenge and often with little regard for financial reward, we have great tools that go a long way towards helping people secure their applications.

Final Thoughts

In today’s post we examined a security breach involving a major player in the Internet community. To help understand that problem, and others like it, we set up WebGoat. Sun Tzu wrote in The Art of War, “So it is said that if you know your enemies and know yourself, you will fight without danger in battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.” WebGoat helps us understand the attack vectors against web applications a little better. Having identified some possible problems, we walked through a solution that can help reduce the risk.

It is easy to find humor in an employee with administrative access using the password “happiness.” The reaction from the Internet community to Twitter’s problems might be a little schadenfreude at play. Theodor Adorno, philosopher and sociologist, defined schadenfreude as largely unanticipated delight in the suffering of another which is cognized as trivial and/or appropriate. Or, maybe it is more like whistling past the graveyard, where folks are a bit cheerful or joyful in the face of a situation that doesn’t warrant it.

When very public security incidents occur, companies need to take stock. Not all employees will take training seriously or follow all policies. That includes people with important roles. Employees make mistakes, and it is difficult to guard against every possible mistake that could occur. That is why a layered approach to security is constantly preached. While each layer costs money, security groups at organizations are in a constant battle to monitor and prevent intrusions in a cost effective way. Fortunately, we have the work of many hackers (the good kind) helping us develop solutions to deal with the new challenges that arrive daily. There are no guarantees. As Albert Einstein once said, “Anyone who has never made a mistake has never tried anything new.” Wisdom comes when we learn from these mistakes. CIOs need to ask themselves, “how safe is my company from being next week’s security headline?” Security groups within an organization must be able to learn and adapt. At the end of the day, the question is how different is your company from Twitter? Insanity is doing the same thing and expecting different results. I’ll close this post with the wise words of Sam Levenson, “You must learn from the mistakes of others. You can’t possibly live long enough to make them all yourself.”

Comments feed: http://blog.securitymonks.com/2009/01/10/webgoat-lua-and-modsecurity-verses-password-guessing/feed/ (2 comments)
Mind Mapping
http://blog.securitymonks.com/2008/03/23/mind-mapping/
Mon, 24 Mar 2008 02:15:53 +0000, John Gerber

[Image: Mind Maps]

In response to my recent posting, “Just Stop, Listen, Think, Learn, and Repeat,” I got some very informative feedback. One methodology that I have heard a great deal about, but never pursued because it was outside my normal mode of operation, is mind mapping. Mind mapping is a strongly visual method of taking notes, meant to help people quickly identify and understand the structure of a subject while encouraging creative problem solving. Humans are visual creatures that excel at visual processing, which is why data visualization is such an interesting field (see the posting “Security Data Visualization”). It makes sense that presenting ideas effectively in visual form would help the learning process.

Dave Oliver did a fantastic job discussing mind maps with his post, “Managing your Mind. Mindmaps, a handy tool for the Enterprise Architect.” I am tempted to stop writing, leaving the reader to simply read Dave’s post. I just have a few additional links and comments to provide.

There are many software packages to help with mind maps. Dave recommends Mindjet Mindmanager Pro 7, one of the most popular commercial products. If you want to evaluate the software, there is a free 21 day trial option. Want to try something else? There are plenty of other packages. The folks over at Mind-mapping.org have done an amazing job of maintaining a list of the various mind mapping software. The commercial products are too numerous to include, but if you are looking to experiment with mind mapping, the open source packages might provide a good cost effective starting point. Mind-mapping.org has provided a nice map of open source solutions.

[Image: Open Source Mind Mapping Software]

Eric Hebert has done a post, “99 Mind Mapping Resources, Tools, and Tips.” While I won’t list all 99 links, here are the categories covered:

  • Free Software
  • Resources
  • Professional Training
  • In the News
  • Examples of Mind maps
  • Books
  • E-Books
  • Articles On the Web
  • PDF Articles
  • Blogs
  • People
  • Videos
  • Noteworthy Paid Software

Dave’s and Eric’s posts provide a fairly complete list of available information for learning about mind maps. Now to add a little connective intelligence. Jerry Manas, author of “Napoleon on Project Management: Timeless Lessons in Planning, Execution, and Leadership” and “Managing the Gray Areas,” president of the project management consulting firm The Marengo Group, co-founder of the popular leadership blog PMThink!, and a two-time Mindjet webinar presenter, has a few very useful postings on mind mapping:

The Controlling Chaos podcast, hosted by Dina Henry Scott, PMP and Sr. Project Manager at VSP, has two podcasts that have interesting information on mind mapping tools: MindManager Pro 7 with Michael Deutch and Mapping Your Way to Project Success!.

Using mind mapping techniques to help in the area of security, Rudolph Araujo, Senior Principal Consultant at Foundstone, did a posting “MindMapper vs. MindManager.” Rudolph writes:

I was using mind mapping for everything from building threat models and doing code reviews to working out my articles and presentations. I even convinced Foundstone to purchase a bunch of licenses of MindMapper as a lot of other people at Foundstone had become fans as well.

Over at the Security Catalyst, Michael Santarcangelo has been working with mind mapping. Michael writes about the Security Catalyst work with mind mapping to develop a map of the advancement of security. The work is discussed in his posts “What do you think the future of how we practice security looks like?,” “Mind mapping the future of how we practice security“, and “Advancing the Future of Security; a mind-map experiment.” Michael explains his interest in mind mapping when he writes:

I am a visually driven person. I think in non-linear ways, and have a 4′x8′ whiteboard in my office that I use several times a day. Mind mapping, therefore, is a natural fit for me. As a speaker, I’m generally impressed by those who also mind map. If you are also visual, you may find mind mapping works for you, too. In my quest for personal improvement, I have come to enjoy reading the thoughts of Grigor at Behind the Glasses. He’s covered mind mapping a bit, and recently covered the beta of MindMeister – an online, collaborative mind mapping tool.

The resulting map is available on MindMeister or in PDF format. Don C. Weber, Information Assurance Director at Ultimate Solutions, Inc. and a member of the Security Catalyst community, was inspired to use mind mapping to help him develop a security plan based on the ISO 17799:2005 standard. Don discusses his use of both the open source FreeMind and the commercial MindManager software. He also discusses the steps he went through to map ISO 17799:2005 in his posting “Mindmapping ISO17799:2005.”

Mind mapping is not going to help you lose weight, be sexier to members of the opposite sex, add hair to your head, or cure you of all that might ail you. Software, at its best, can only help you perform your job better. It does not provide a solution in and of itself. Mind mapping provides a technique which enables you to explore, capture and structure what’s going on in your mind. For some, mind maps will be of no help. There are countless other methods to do the same thing. It is up to you to experiment and find the solution that works best for you. The important thing is to realize that when the old way of doing business no longer works well, you need to stop doing things the way they have always been done. The known is comfortable, but it fails to advance you anywhere. Challenge yourself. Learn to do things differently. You will be glad that you did, and you just might become a little sexier. When you step off the beaten path, anything is possible.

Comments feed: http://blog.securitymonks.com/2008/03/23/mind-mapping/feed/ (1 comment)
Just Stop, Listen, Think, Learn, and Repeat
http://blog.securitymonks.com/2008/03/22/just-stop-listen-think-learn-and-repeat/
Sun, 23 Mar 2008 04:58:20 +0000, John Gerber

[Image: Simplicity]

Bruce Schneier recently wrote a commentary, “Inside the Twisted Mind of the Security Professional.” To quote Bruce, “Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.”

I found myself coming back to Bruce’s words this week. I was trying to access an SSL site, and I was getting the warning message that the certificate authority was unknown. Immediately, my mind went to a man-in-the-middle attack. I looked at the source code of the site, and could see the page was accessing a GIF image from another server via SSL. The GIF was a 1×1 pixel that blended into the page background. The page coders were probably having problems with table spacing and used this technique, copying code from a server that had a self-signed certificate.

I tried reporting it, and found that folks thought me quite mad. I guess they figured I was just getting hung up on a minor issue. After all, no one else was reporting it. I, on the other hand, could not help but realize that all those folks I reported this to had failed to notice the problem. They accepted the self-signed certificate and went on to log into the site. They were not using single sign-on. This, I found more troubling.
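The check that turns this hunch into something a developer can act on is to list every sub-resource the page fetches from a host other than its own, or over plain HTTP, since each of those is a separate connection with its own certificate (or none). This is an added example, not from the post: a small Python scanner, run over a constructed page that reproduces the situation described, a spacer GIF pulled over HTTPS from a different server. The hostnames and the HTML are made up.

```python
"""List page sub-resources served from another host or over plain HTTP (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page standing in for the intranet login page in the post: the 1x1 spacer
# GIF comes from a second server over HTTPS (a separate TLS handshake, separate certificate),
# and the logo is pulled over plain HTTP (mixed content).
SAMPLE_PAGE_URL = "https://intranet.example.com/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://intranet.example.com/static/app.js"></script>
</head><body>
<table><tr>
<td><img src="https://dev-box.example.com/images/spacer.gif" width="1" height="1"></td>
<td><img src="http://intranet.example.com/images/logo.gif"></td>
</tr></table>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
</body></html>
"""

# Tag -> attribute that names a resource the browser will fetch while rendering the page.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "embed": "src", "object": "data"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetched sub-resource, resolving relative links."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin also turns protocol-relative "//host/x" into "https://host/x".
                self.resources.append((tag, urljoin(self.base_url, value)))


def find_foreign_resources(page_url, html):
    """Return (tag, url, reason) for each sub-resource that is not same-host HTTPS.
    reason is 'other-host' (another certificate is evaluated for it) or 'plain-http'."""
    page = urlsplit(page_url)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.netloc != page.netloc:
            findings.append((tag, url, "other-host"))
        elif parts.scheme == "http" and page.scheme == "https":
            findings.append((tag, url, "plain-http"))
    return findings


if __name__ == "__main__":
    for tag, url, reason in find_foreign_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%-10s %-12s %s" % (reason, "<" + tag + ">", url))
```

Run it over a saved copy of the page (or the body of a fetch). Every “other-host” line is a certificate the browser evaluates separately, so an unknown-CA warning on an otherwise valid site comes from one of those hosts, not from the page's own server; every “plain-http” line is mixed content that the encryption of the page itself does not cover.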

What could an invalid certificate indicate? As Billy Joel would argue, it comes down to a matter of trust. Imagine a person came up to you claiming to be a Nigerian princess who needs to move millions of dollars to the US. To prove her identity, she pulls out a Nigerian library card. You are not likely to believe her. Now, if the President, the Pope, the Dalai Lama, and a whole bunch of security people accompanying her vouched for her, you might be more willing to accept that she is who she says she is. A certificate is only as trustworthy as the authority that signed it. Anyone can create their own certificate authority (its root certificate is self-signed) and issue certificates in any company’s name for any hostname; the only thing standing between such a certificate and the padlock icon is that the rogue root is not in the browser’s trust store, which is exactly what the “unknown certificate authority” warning is telling you.

How do you put this to use? Someone wanting to harvest credentials and information from employees at the Acme Corporation might use a man-in-the-middle attack. They create their own certificate authority, naming it “Acme Corporation Public Issuing CA 01.” People trust things with numbers in them; it seems more authoritative. They then issue a certificate for the Acme mail server’s hostname, signed by that rogue CA, and install it on a machine set up as a proxy server. The proxy intercepts communications between the employees’ machines and the Acme mail server. Employees thinking they are signing into the Acme mail server end up providing their credentials to the proxy, which uses them to sign into the real Acme mail server and relays data back and forth. All of this depends on the employee clicking through the untrusted-issuer warning. SSL only ensures the data is encrypted between the employee’s computer and whatever presented the certificate, which here is the hacker’s web proxy.

[Image: man-in-the-middle]
How would a hacker redirect the traffic? There are a few ways: old-fashioned DNS cache poisoning or ARP spoofing, for instance. A more interesting way, recently discussed by the fine folks at Google and the Georgia Institute of Technology, involves open recursive DNS servers. At the Network and Distributed System Security Symposium (NDSS 2008), David Dagon, Chris Lee, and Wenke Lee presented “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority.” They found over 17 million open recursive DNS servers, of which about 0.4%, or 68,000, give users false addresses pointing at phishing sites. The point is, once an end user’s computer has been modified to use a poisoned resolver, it can be directed to any fake web site.

A web developer having problems with a table layout creates a situation where employees trying to access a web page are presented with a certificate from an unknown certificate authority. What is the big deal? Is it just me that answers, “plenty!”? Is my brain wired differently? No. Might Bruce be right? Security does require a particular mindset. It is not unique to security folks, but exists because of the continuous challenges faced by security professionals. Put simply, security professionals share some characteristics, ones found in people whose jobs require them to be constantly learning and who are challenged with an ever-changing work landscape.

Ed Boyden did a posting, “How to Think.” Now Ed is an assistant professor in the MIT Media Lab and MIT Department of Biological Engineering. He leads the Neuroengineering and Neuromedia Group. When he applied for the job at the MIT Media Lab, he was asked to write a teaching statement. He ended up composing rules to help students “be creative, thoughtful, and powerful in a world where problems are extremely complex, targets are continuously moving, and our brains often seem like nodes of enormous networks that constantly reconfigure.” Here are the rules:

  1. Synthesize new ideas constantly
  2. Learn how to learn (rapidly)
  3. Work backward from your goal.
  4. Always have a long-term plan
  5. Make contingency maps
  6. Collaborate
  7. Make your mistakes quickly
  8. Write up best-practices protocols
  9. Document everything obsessively
  10. Keep it simple

I will not go through the rules in detail. Ed’s blog is a fascinating, informative site that should be added to everyone’s RSS reader. I did want to pay particular attention to the first rule. Ed’s complete description is:

Synthesize new ideas constantly. Never read passively. Annotate, model, think, and synthesize while you read, even when you’re reading what you conceive to be introductory stuff. That way, you will always aim towards understanding things at a resolution fine enough for you to be creative.

I would argue this is essential for everyone, especially when it comes to security. Put simply, think. Don’t passively move through life. When something does not work, ask why it does not work. Why is a site generating an unknown certificate authority warning? Stop it from occurring, so employees don’t get used to clicking whatever they need to in order to make what they perceive as annoying messages go away.

Ed’s post also serves as a warning. How many times in our busy, information-filled lives, as we attempt to learn rapidly, do we end up reading passively? Sure, we may be obtaining the facts, but does memorization of facts really help? When I first started listening to podcasts, I was jazzed. There was this pool of people willing to give up their time and share their knowledge and experience with those willing to listen. These people challenged me to see IT from a different point of view. As I preached the benefits of listening to podcasts, I heard from others how they were just too busy to listen. Instead, to keep informed, they would read RSS feeds. I read RSS feeds also, but the knowledge transfer is completely different. When reading blog posts, how frequently do we skim the titles, or the first few lines, and move on? Nielsen Norman Group researchers did a study involving newsletters. They found that the average time allocated to an email newsletter after opening it is just 51 seconds. People scan the text, with only 19% of newsletters being read fully. Eyetracking observations of users reading RSS news feeds showed that people scan the headlines and blurbs in feeds even more ruthlessly than they scan newsletters. One of the reasons I write blogs is because it requires me to stop and think. It is similar to teaching. One learns from teaching because you are forced to question and dive deeper into subjects. You are not just learning a subject, you have to understand it.

Jeff Moser wrote an interesting posting, “What Does It Take To Become A Grandmaster Developer?” In it, Jeff asks the reader to, “See how much of the following sequences of letters and numbers you can memorize in the next 20 seconds:”

  • T, E, X, A, S, O, H, I, O, V, E, R, M, O, N, T, R, H, O, D, E, I, S, L, A, N, D
  • 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41

Jeff provides a graph of how people performed:

The point being that the results are not based on innate or raw talent. People in Group 1 realized that the letters were grouped into state names: “TEXAS”, “OHIO”, “VERMONT”, and “RHODE ISLAND.” The number sequence, Group 1 members probably realized, was the prime numbers up to 41. When tasked with remembering, they did so by using the groupings, rather than memorizing each letter and number. The people in Group 1 remembered less raw information but could recall everything through these “chunks.” In terms of raw memory talent, one could argue Group 6 won by trying to memorize more individual letters and numbers, even if what they retained was only 20% of what Group 1 recalled perfectly. The bottom line is that Group 1 performed the task. Thinking, not memorizing, is a major component of learning.

Anders Ericsson editor of the book “Cambridge Handbook of Expertise and Expert Performance” states:

Successful people spontaneously do things differently from those individuals who stagnate. They have different practice histories. Elite performers engage in what we call “deliberate practice”–an effortful activity designed to improve individual target performance. There has to be some way they’re innovating in the way they do things.

John Cloud, staff writer for Time, in an article “The Science of Experience,” examines Ericsson’s book. John summarizes:

Ericsson’s primary finding is that rather than mere experience or even raw talent, it is dedicated, slogging, generally solitary exertion — repeatedly practicing the most difficult physical tasks for an athlete, repeatedly performing new and highly intricate computations for a mathematician — that leads to first-rate performance. And it should never get easier; if it does, you are coasting, not improving. Ericsson calls this exertion “deliberate practice,” by which he means the kind of practice we hate, the kind that leads to failure and hair-pulling and fist-pounding. You like the Tuesday New York Times crossword? You have to tackle the Saturday one to be really good.

Philip E. Ross writes, in the Scientific American article “The Expert Mind”:

The conclusion that experts rely more on structured knowledge than on analysis is supported by a rare case study of an initially weak chess player, identified only by the initials D.H., who over the course of nine years rose to become one of Canada’s leading masters by 1987. Neil Charness, professor of psychology at Florida State University, showed that despite the increase in the player’s strength, he analyzed chess positions no more extensively than he had earlier, relying instead on a vastly improved knowledge of chess positions and associated strategies.

Learning is about developing chunks of knowledge. This is applicable to how we take in information. Guy Kawasaki, posted an interview with Garr Reynolds, author of “Presentation Zen: Simple Ideas on Presentation Design and Delivery (Voices That Matter).” Garr says, “The goal of the book was not to offer panaceas and rigid rules, but instead to encourage people to think differently about their visuals, the way they present them, and how they connect with audiences. My hope is that people find some things new in the book that stimulate their creativity–helping them to discover a more ‘enlightened’ and more effective approach to presenting.” It is all about getting people to think and be actively involved. Only then can learning occur.

The brain is not a dumping ground for facts. Way back in high school I knew a kid who could tell you the capital of every state. Nice kid, but what the heck was the point? He went away to college, had a real rough time, and fortunately eventually learned that life is not about memorizing. Experience does not equal exposure to facts that we store in memory and spit out to impress people. Well, unless you are playing Trivial Pursuit. Expertise comes from continuously building and reorganizing chunks of memory. Experience is the development of these chunks of memory. When a certificate signed by an unknown certificate authority is presented, chunks of memory start forming. First, the brain pulls from system administration experience information concerning how certificate authorities can be created and self-signed certificates can be issued. Another chunk pulled involves phishing techniques. Another chunk involves man-in-the-middle attacks. Another chunk involves subverting DNS results. The more experience, the more chunks. All continuously being reorganized.

While we may need to be “repeatedly practicing the most difficult physical tasks,” I do need to put up a cautionary note. Everyone reading this blog is human, as far as I know. Humans need to realize that the brain has its own requirements for remembering and organizing. Gregory Kellett, a researcher at UCSF investigating the psychophysiology of social stress, writes in “Relaxing for your Brain’s Sake.” Gregory makes many great points. Here are a few requirements for dealing with stress:

  • Stay in the moment – Since our conscious awareness is only able to take and process a finite amount of information at a time, fully engaging our senses limits the amount of (often stress generating) mental chatter our brains are able to entertain.
  • Catch zzzzzzs – People who do not get enough sleep not only get more exposure to cortisol during the night, but also have higher resting levels of this stress hormone during the day.
  • Get kinetic – Prolonged exposure to stressful situations can inhibit the brain’s ability to generate new neurons (neurogenesis). Exercise by contrast has been proven to promote neurogenesis, counterbalancing damage experienced under times of sustained “non-relaxation”.

So what is so bad about not getting any exercise, sleep, and being stressed out? To quote from Gregory’s post, “Stress and Neural Wreckage: Part of the Brain Plasticity Puzzle:”

Our brains appear to be most vulnerable to the effects of excessive stress in a region called the hippocampus. The hippocampus is a mass of neurons each with multiple branch-like extensions (dendrites and axons) which make connections (synapses) with other neurons all across the brain. Among other things, this region is important in dealing with emotions and consolidating new memories. As with all brain regions, its ability to adapt relies upon being able to alter the branching and connections of its neurons. The hippocampus is also one of the only regions of the brain known to be able to produce new neurons, a process called neurogenesis.

Sometimes, you just have to stop being caught up in daily life. Don’t be in automatic operation mode. Think. Form new ideas. Collaboration is the best way to be exposed to new ways of thinking and to challenge your own thoughts. It is okay to make mistakes. In genetic algorithms, you learn that combining the worst-performing candidate with the best will often yield the final solution; this is how false peaks are overcome. Examine and challenge yourself. Never stop doing so. Take time to sleep. Get some exercise and try to relieve some stress. Some very intelligent people have provided a roadmap above for better learning. It would be wise to listen, think about what has been said, and follow what makes sense.

Comments feed: http://blog.securitymonks.com/2008/03/22/just-stop-listen-think-learn-and-repeat/feed/ (4 comments)