Great explanation of Tor in Less than 2 Minutes

Ever need to explain Tor to a management team? Yeah, us too. That’s why we wanted to share this YouTube video we found. It does a great job of explaining Tor in less than two minutes to non-technical folks.

The video is from Bloomberg Business Week and is located here.

Check it out and circulate it amongst your management team when asked about what this “Tor” thing is and why they should care.

As always, thanks for reading and we hope these free awareness tools help your organization out.

Watching Malware Evolve with TigerTrax

Recently, I have been spending a lot of my time working with TigerTrax, our intelligence platform, and using it to further my research into emerging threats. One of the most interesting areas has been using it to track and trace the fits and starts of malware evolution using social media data and the web.

TigerTrax is really good at finding and analyzing the data for trends. The visualizations make spotting emerging patterns and even outliers very easy. For example, we noticed a trend around side loading of malware payloads recently. Not an overwhelming trend across all of malware, but associated with a specific group of verticals being targeted. This emerged easily from the graph data and analytics engines. We were able to use that information to inform our customers in that space and increase their capabilities in detection and incident response.

We have only just begun to find the deeper use cases for TigerTrax, but it is already changing the way MSI does work, even the core work of assessments. For example, with a small window of lead time, we can generate specific pattern analysis and cases to support findings in risk assessments, vulnerability and pen-testing work. The engines can keep our scenarios refreshed and keep us up to date with the latest attack vectors and exploits being used in the wild.

All in all, TigerTrax has given us a larger view of infosec, and watching malware evolve through its lens has become an interesting part of what we do at MSI. We look forward to the day when we can discuss more publicly what we are doing with TigerTrax and some of the findings we are generating, but for now, just know that the platform is being used in a myriad of ways, and that new developments are occurring on a daily basis. If you’d like to discuss what TigerTrax can do for your organization, give us a call. We’d be happy to sit down for a briefing with your team.

See You at the Columbus ISSA InfoSec Summit

Remember, the Columbus InfoSec Summit is this week. It starts Monday afternoon and runs through Tuesday.

I will be speaking on Monday at 5:30 in Track 1 and my topic is a deep dive into Tor hidden nodes, including how to get business intelligence from them.

Come and say hello. Have a cup of coffee or just a chat. We look forward to seeing you and wish the ISSA a great event!

Child Pornography Resource Materials for Businesses

Sadly, as information security professionals, we are sometimes engaged with clients who either suspect or have discovered the presence of child pornography in their computing environment. Such materials also come to our attention during pen-testing or incident response work, when we may discover them on a system and be forced to bring them to the attention of law enforcement.

In many cases, clients ask us why we are required to notify law enforcement, and/or why they are required to notify law enforcement about this material. Perhaps your organization has struggled with this in the past. In any case, we hope the following information helps organizations understand the US legal requirements for handling such materials. (If you live outside of the US, please consult local legal assistance for your laws and procedures.) (NOTE: MSI is not providing legal advice of any kind; consult your attorney or counsel for legal advice. This material is simply meant to be a pointer for education. MSI is NOT qualified to offer legal advice under any circumstance.)

The Department of Justice lists the following federal statutes for online child pornography:

  • 18 U.S.C. § 2251 - Sexual Exploitation of Children (Production of child pornography)
  • 18 U.S.C. § 2251A - Selling and Buying of Children
  • 18 U.S.C. § 2252 - Certain activities relating to material involving the sexual exploitation of minors (Possession, distribution and receipt of child pornography)
  • 18 U.S.C. § 2252A - Certain activities relating to material constituting or containing child pornography
  • 18 U.S.C. § 2256 - Definitions
  • 18 U.S.C. § 2258A - Reporting requirements of electronic communication service providers and remote computing service providers
  • 18 U.S.C. § 2260 - Production of sexually explicit depictions of a minor for importation into the United States

In summary, the federal law that mandates this duty to report specifically requires that “electronic communication service providers” report child pornography. (18 USC § 2258A. Reporting requirements of electronic communication service providers and remote computing service providers.) An “electronic communications service” means “any service which provides to users the ability to send or receive wire or electronic communications.” The term “electronic communication,” for purposes of the reporting requirement, means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” All of which is to say that both the business/employer that provides the computer or phone system over which the data is communicated, as well as the IT company that helps the employer maintain those systems, are covered by this law. A business or IT service company ignores child porn at its peril. Failing to report the information to the National Center for Missing and Exploited Children violates the Section 2258A reporting requirements. Deleting the material might make the company an accessory to the underlying crime of possessing the information in the first place. Making copies of the material and then transmitting the copies, except at the direction of law enforcement officials or as required by section 2258A, also runs afoul of the laws proscribing possession of child pornography. A first violation of Section 2258A carries a penalty of up to a $150,000 fine. A second violation can be penalized by up to $300,000.

A full summary of other elements of Child Pornography laws from the Department of Justice website is here.

According to the Department of Justice website, to report an incident involving the production, possession, distribution, or receipt of child pornography, file a report on the National Center for Missing & Exploited Children (NCMEC)’s website or call 1-800-843-5678. Your report will be forwarded to a law enforcement agency for investigation and action as detailed here.

It may be required or optional to report to local law enforcement as well, and is dependent on state and local laws and statutes.

According to the National Conference of State Legislatures website, the state of Ohio does not have explicit state policies requiring businesses to report the incident, as detailed here (as of Sept 2013), though again, local statutes may vary by location.

We also found this article, which might be helpful in understanding risks from a legal perspective for businesses who might find child pornography on their server, as it lays out a process for organizations to follow.

Lastly, this white paper from the American Bar Association may also prove useful for organizations.

HoneyPoint Security Server Console 4.0 Released

MSI is proud to announce the immediate availability of the HoneyPoint Console version 4.0!

The new version of the Console for HPSS is now available for Windows, Linux and Mac OS X. In addition to the Console, new installer tools and documentation are also available.

The new Console finally includes operation as a service/daemon WITHOUT the need to have the GUI running. That’s right, finally headless consoles that work immediately with SIEM and other monitoring tools. Configuration and management of the Console are still available through the GUI, but headless operation is now at the core of the Console product line!

Other improvements include bug fixes, increased error handling, better memory management, improved installers and installation tools and much much more. If you haven’t upgraded your Console or seen the new 4.0 Console yet, we think you will find it much improved.

To obtain the new Console, refer to your QuickStart Guide. It is now available through the HoneyPoint distribution site. No changes to the database or license key are required, however, you must have a current license to qualify for the upgrade. Please back up your Console databases prior to upgrading, though we have experienced no issues with the upgrade process.

Thanks, as always, for choosing HoneyPoint Security Server and MSI. We value your partnership and trust.

Let’s Get Proactive with End User Security

Where do most of the threats to the security of our IT systems lurk? The Internet, of course! Powerful malicious software apps are all over the Net, like website land mines, just waiting to explode into your computer if you touch them. And how about accessing social networks from your company workstation? Do you really think that content on these sites is secured and only available to those you choose to see it? If so, then I’m sorry to disillusion you.

So why do most concerns still let their employees casually access and surf the Web from their business systems? Especially in the present, when most everyone has a smart phone or pad with them at all times? Businesses should embrace this situation and use it to their advantage. Why not set up an employee wireless network with all the appropriate security measures in place just for Internet access? (This network should be totally separate from business networks and not accessible by business computers.) It’s not expensive or difficult to administer and maintain a network like this, and employees could access websites to their heart’s content (on their off time, of course). And for those employees that are without a smart phone (an ever dwindling few), you could stand up a few kiosk computers that they could access using their employee wireless network password.

As for employees that need Internet access to perform their work duties, you should lock their access down tight. The best thing to do is to add needed websites to a white list and only allow those employees with a business need to access only those websites that are necessary and no others. Black listing and web filtering are partially effective, but they don’t really work well enough. I can’t tell you how often we have seen such filters in place at businesses that we assess that prevent access to gaming and porn sites, but still allow access to traps like known malicious websites in foreign countries! Go figure.

And don’t forget to properly segment your business networks. Users should only be allowed access to those network resources that they need for business purposes. Users in workstation space should never be allowed to see into server space. Preventing this will go a long way in curtailing attacks from the other big danger: the malicious insider.

Thanks to John Davis for writing this post.

Heartbleed: Picking your pocket 64k bytes at a time

By now most of you have likely heard of the recently announced coding error in some versions of OPENSSL that can expose sensitive information stored in memory to any Internet attacker. I want to take a moment to consolidate some of the things I’ve learned about it over the last week and provide my – hopefully correct – answers to some of the questions I’ve been asked. I’ve placed a companion audio commentary here.

1)  It’s real – and serious.  Blocks of memory data can be retrieved by anyone. 

Below is a snapshot of what an exploit of an actual vulnerable Internet-facing system revealed to me – simply by connecting to the site and taking advantage of the vulnerability (no login/password or other credentials required).


That “PHPSESSID” string is associated with a “session id” – a string established to indicate the associated user is logged in. By collecting enough memory you can obtain the full session id of the logged in user. You then insert it in your own browser environment, point your browser at the site, and potentially “hijack” the session. You are now logged in as that user.  Anything stored in memory is potentially retrievable as a result of this vulnerability  – including login credentials and private keys.  

2) What IS OPENSSL itself?

OPENSSL is a collection of open-source software widely used by many applications, both free and commercial, to provide secure SSL-based communications of sensitive information over a network. 

Quoting from the OPENSSL project site:

“The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library”

Short answer:

For a lot of the sites you have logged into over the last few years, it’s what is making the “s” (for “secure”) in https://<> possible.

Software applications can use OPENSSL to ensure that the connection between your browser and the website is encrypted.   It’s used for more than just that – but that usage is the one most people have direct experience with.   Whenever an application needs to communicate over an encrypted path, affected versions of OPENSSL may be in play. Think FTPS (encrypted FTP), SMTPS (encrypted mail), etc.

If yours is a large and diverse organization, the affected versions of OPENSSL are almost certainly present.

3) Only specific versions of OPENSSL are affected

From the OPENSSL project site’s advisory:

“Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.”  

4) A fairly large number of systems are affected – 17% of Internet sites.

Internet web-sites using open-source web servers like Apache and such can be affected. That is what I have primarily seen on the Internet. Windows systems are less likely to be directly affected – but could be indirectly affected if an intervening web proxy that handles the SSL part sits between the attacker and the Windows server.

But note this: Client systems can also be affected. And by “client” I mean your PC or smart-phone or your internal applications that communicate out to third-party systems via SSL (e.g. https). Any of these that use affected versions of OPENSSL may be affected. See:

5)   What’s actually happening?  

The affected versions of OPENSSL have a piece of functionality called “Heartbeat”. The intent was to allow two systems that have established a secure SSL-based connection to maintain an awareness of one another during the connection. An “are you there?” heartbeat request can be initiated by either side of the connection to ensure the other side is still up. Blocks of data are sent back and forth during the process. As a result of a coding error in the implementation of the heartbeat check, one side or the other of the connection can specify a larger block than they actually send. The coding error causes the responder to reply back with a block as large as what the requester claimed. So: I’ll claim to send you 64K bytes of data as part of the heartbeat but only actually send 1 byte. You’ll send me back 64K bytes. The first byte is what I sent you – the remaining 64K bytes are random portions of YOUR memory – stuff I should never see. That’s what you are seeing in the image that starts this post.

Here’s an amusing cartoon that explains it nicely:

Note that either side of the “secure” connection can play this game.  Attackers can harvest memory from vulnerable servers, and malicious servers can harvest memory from clients.
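The length mismatch described above, as an added example that is not OpenSSL’s code or the author’s: a constructed model of a heartbeat responder that trusts the declared payload length, beside one that first checks that length against the record that actually arrived (the shape of the upstream fix). The 128-byte memory model, the function names and the PHPSESSID cookie value are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16).
 * Constructed model of the Heartbleed bug and its fix; not OpenSSL code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Responder's memory: the record that arrived on the wire, immediately
 * followed by unrelated data (a constructed session cookie). */
static unsigned char peer_memory[128];
static size_t record_len;          /* bytes that really arrived */
static unsigned char resp[128];    /* the responder's outgoing heartbeat */

/* Build a request whose length field claims claimed_len bytes but which
 * actually carries only payload. Returns the true record length. */
static size_t setup_memory(uint16_t claimed_len, const char *payload) {
    const char *secret = "PHPSESSID=constructed_secret_value";   /* constructed */
    size_t n = strlen(payload);
    memset(peer_memory, 0, sizeof peer_memory);
    peer_memory[0] = HB_REQUEST;
    peer_memory[1] = (unsigned char)(claimed_len >> 8);
    peer_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(peer_memory + 3, payload, n);
    record_len = 3 + n + HB_PADDING;
    memcpy(peer_memory + record_len, secret, strlen(secret));
    return record_len;
}

/* Vulnerable responder: trusts the length field and echoes that many bytes. */
static size_t hb_respond_vulnerable(void) {
    uint16_t payload = (uint16_t)((peer_memory[1] << 8) | peer_memory[2]);
    if ((size_t)3 + payload > sizeof resp) return 0;  /* guards only OUR buffer */
    resp[0] = HB_RESPONSE;
    resp[1] = peer_memory[1]; resp[2] = peer_memory[2];
    memcpy(resp + 3, peer_memory + 3, payload);       /* reads past the record */
    return 3 + payload;
}

/* Fixed responder: the declared payload must fit inside the record that actually
 * arrived (the shape of the upstream fix); otherwise the request is discarded. */
static size_t hb_respond_fixed(void) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((peer_memory[1] << 8) | peer_memory[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len) return 0;
    if ((size_t)3 + payload > sizeof resp) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = peer_memory[1]; resp[2] = peer_memory[2];
    memcpy(resp + 3, peer_memory + 3, payload);
    return 3 + payload;
}

/* On the requesting side: do the first n response bytes contain the cookie? */
static int response_leaks_secret(size_t n) {
    const char *needle = "PHPSESSID=";
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    setup_memory(64, "A");                    /* claim 64 bytes, send 1 */
    size_t n = hb_respond_vulnerable();
    printf("vulnerable: %zu bytes back, leak=%d\n", n, response_leaks_secret(n));
    n = hb_respond_fixed();
    printf("fixed:      %zu bytes back (discarded)\n", n);
    return 0;
}
```

An honest request (claimed length equal to the bytes sent) passes both handlers unchanged; only the mismatch is rejected by the fixed version, which is why patched servers keep working with well-behaved peers.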

6)  What do I do? 

The vulnerability was just recently disclosed – but it’s been in place for 2 years! You must assume that it has been exploited by attackers for at least months and – worst case – for 2 years. Not good. Even sites that are fixed now may have had the flaw – and been exploited – during that period.

For general users:

    • Check to see if the “sensitive” sites you log in to are patched. But remember that just because a site is OK now does not mean it was 6 months ago. Here are some testing sites:

    • For sites that have patched, change your passwords now. They may have been stolen. No panic – just get it done over the next week or so.
    • Do not use the same login and password on sensitive sites as you use for “throwaway” sites.   This is a common mistake.  Attackers will check to see if that password you use for trivial sites is the same as the one you use for banking. 
    • Make sure your mobile devices ( Android-based systems in particular) are patched.
    • As with every “Internet event” – watch out for phishing campaigns that attempt to get you to download “fixes” for the problem or encourage you to visit unknown “https” sites. Attackers will attempt to capitalize on fear and confusion.

For developers and system administrators:

  •  All: Look for the presence of the vulnerable versions of OPENSSL in your environment and in any business partner environment that your application connects to.  Anywhere you rely on SSL-based encryption for security inbound OR outbound. Make sure that your business partners are on top of this.  They may need to issue new certificates after they patch affected systems. 
  • Developers: 
    • Check to see if you are using a vulnerable version of OPENSSL in your code.  If so, move to a safe version or recompile with “-DOPENSSL_NO_HEARTBEATS” . Then DEPLOY!
  • SysAdmins: 
    • Both nmap and Nessus have reliable tests for the vulnerability.  Use these tests now to root out all instances of the vulnerability.  Scan ALL ports, not just TCP 443.  Start with your Internet perimeter and all your business partner and customer-exposed systems first – then inside.  Upgrade OPENSSL or at least disable the heartbeat check on all affected systems. 
    • For systems that are exposed to the Internet that were affected, install new certificates.  The potential for the compromise of the private key portion of your certificates is real – and could have happened some time ago.
    • Ask your business partners what they are doing. Make sure they are aware and are acting.
    • See if your load balancers or web proxies can help.  If you use such devices to terminate SSL at your boundary, they can potentially be used to protect against incoming Heartbleed attacks.  Talk to your vendor!

Microsolved has the ability to quickly examine your environment for the presence of Heartbleed and a host of other problems common to our brave new digital world. If you need help, we can be there for you.


Additional sources of information:

Deals for Replacing XP for Home & Small Business

Now that Windows XP is end-of-lifed, it is wise to replace it at home and in businesses of all sizes. Malware and vulnerabilities for XP are likely to skyrocket over the coming months, making it a very unsafe platform, indeed.

To help with replacement, we at MSI went shopping for some deals on Windows 7 and Windows 8 for you. Here are the deals we found on newer Windows software. Please note, we have no affiliation with any of these vendors and can’t recommend them in particular. We simply found the best prices we could identify for Windows OS. Your mileage and paranoia may vary.

Here are the deals we could find:

For one PC license of Windows 7 Pro, as low as $69.99.

If you need more than one, the lowest is $219.99.

For Windows 8 Pro – $79.94 for single computer use.

The price is $199.99 for multiple computers to use Windows 8 Pro.

We hope that helps some of you who still need to upgrade. Until next time, thanks for reading & stay safe out there! 

If you use OpenSSL anywhere, or use a product that does (and that’s a LOT of products), you need to understand that a critical vulnerability has been released, along with a variety of tools and exploit code to take advantage of the issue.

The attack allows an attacker to remotely tamper with OpenSSL implementations to dump PLAIN TEXT secrets, passwords, encryption keys, certificates, etc. They can then use this information against you.

You can read more about the vulnerability itself here. 

THIS IS A SERIOUS ISSUE. Literally, and without exaggeration, the early estimates on this issue are that 90%+ of major web sites and software packages using OpenSSL as a base are vulnerable. This includes HTTPS implementations, many mail server implementations, chat systems, ICS/SCADA devices, SSL VPNs, many embedded devices, etc. The lifetime of this issue is likely to be long and miserable.

Those things that can be patched and upgraded should be done as quickly as possible. Vendors are working on patching their implementations and products, so a lot of updates and patches will be forthcoming in the next few days to weeks. For many sites, patching has already begun, and you might notice a lot of new certificates for sites around the web.

Our best advice at this point is to patch your stuff as quickly as possible. It is also advisable to change any passwords, certificates or credentials that may have been impacted – including on personal sites like banking, forums, Twitter, Facebook, etc. If you aren’t using unique passwords for every site along with a password vault, now is the time to step up. Additionally, this is a good time to implement or enable multi-factor authentication for all accounts where it is possible. These steps will help minimize future attacks and compromises, including fallout from this vulnerability.

Please, socialize this message. All Internet users need to be aware of the problem and the mitigations needed, even for personal safety online.

As always, thanks for reading, and if you have any questions about the issues, please let us know. We are here to help!