Book About PERL for Problem Solving

One of the essential tech skills I am always on the prowl for is a way to use technology to solve a complicated problem. Of course, one of the most useful ways to do this is to learn and apply simple programming skills. PERL is one of those scripting languages that is easy to pick up at a basic level, but it offers so much additional capability and complexity that it would take a lifetime to truly “master” it.

But the wonderful thing about PERL is its amazing capability in simplicity. You can take a few basic PERL legos and really make some wonderful things to increase the ease of your life and work. This book, Wicked Cool Perl Scripts (http://www.secguru.com/books/wicked_cool_perl_scripts_useful_perl_scripts_solve_difficult_problems), is chock-full of examples of how to apply some basic PERL to real-world problems. Check it out if you are a fan of PERL and want to automate things from work to your news and RSS feeds to your World of Warcraft gaming. PERL is not only easy and cool, but also fun!

Egress Filtering 101

Egress filtering is one of the most underestimated defenses today. We continue to see organizations that have not deployed strong egress filtering, even though it is one of the most effective controls for defending against and detecting bot-nets. Without it, outbound connections are usually a mystery to the security team, and identifying or intercepting malware command and control channels is unlikely.

To add fuel to the fire, egress filtering is cheap (you probably already have a firewall or router that can do it) and easy to manage once configured. Sure, establishing the political will to see it through can be tough, but given the threat levels and attacker techniques in play today, it is a highly critical effort. Start by examining which outbound ports you allow today, then deny everything outbound and allow back only the ports that have a true business case. Once you have choked down the traffic, consider implementing application proxies where possible to further strengthen the egress rules and give you visibility into the traffic that remains.

Once you have appropriate proxies in place, don’t allow outbound web traffic or the like from any host but the proxies. No outbound DNS, chat protocols or the like from the desktop world to the Internet: desktops should resolve names through an internal resolver, and only that resolver (and, likewise, only your mail relay for SMTP) should be permitted to reach the Internet on those ports. The more you choke this down, the easier it is to protect the desktop world from simple issues.

Egress filtering is just too easy to ignore. Once it is in place, the protection it provides and the ability to monitor outbound attempts to break the rules are powerful tools for identifying compromised internal hosts: a desktop that keeps trying to reach the Internet directly on port 53 or an IRC port is telling you something. Best practices today truly include this requirement, and those interested in truly securing information should embrace egress filtering as soon as possible.
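As an added example (not from the original post, and not MicroSolved's own configuration), here is what the steps above look like as a Linux iptables ruleset for a perimeter box, plus a small function that turns the resulting deny log into a list of the internal hosts most often trying to get out. The interface names, address ranges and the proxy, resolver and mail relay addresses are placeholders you would replace with your own; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal iptables egress policy
# that follows the post's steps: default-deny outbound, allow only what has a
# business case, force web traffic through the proxy, keep DNS on the internal
# resolver and SMTP on the mail relay, and log every denied attempt so the
# security team can spot hosts trying to phone home.
#
# All addresses and interface names below are hypothetical placeholders.
#   LAN_IF / WAN_IF  internal and Internet-facing interfaces
#   LAN_NET          desktop/server address space
#   PROXY            the only host allowed to speak HTTP/HTTPS to the Internet
#   RESOLVER         the only host allowed to send DNS to the Internet
#   MAIL             the only host allowed to send SMTP to the Internet
# Set IPT=echo to print the rules instead of loading them (dry run).
set -e
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.10.0.0/16}"
PROXY="${PROXY:-10.10.1.10}"
RESOLVER="${RESOLVER:-10.10.1.53}"
MAIL="${MAIL:-10.10.1.25}"

apply_egress_policy() {
    # 1. Clean FORWARD chain with a default DROP: anything not explicitly
    #    allowed below is denied.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # 2. Let replies to already-established outbound sessions back in.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Only the proxy may reach the Internet on 80/443. Desktops use the proxy.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # 4. Only the internal resolver may send DNS out; desktops query it, never the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$RESOLVER" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$RESOLVER" -p tcp --dport 53 -j ACCEPT

    # 5. Only the mail relay may send SMTP out (kills spam bots on desktops).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL" -p tcp --dport 25 -j ACCEPT

    # 6. Everything else from the LAN is logged (rate limited) and then falls
    #    through to the default DROP. The prefix is what your SIEM keys on.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DENY: " --log-level 4
}

# Reads kernel log lines produced by rule 6 on stdin (e.g. from /var/log/kern.log)
# and prints "count source-ip dest-port", most talkative host first. A desktop
# at the top of this list hammering port 53 or 6667 is a candidate for a look.
egress_deny_summary() {
    grep 'EGRESS-DENY:' | sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' | sort | uniq -c | sort -rn
}

if [ "${1:-}" = "apply" ]; then
    apply_egress_policy
fi
```

Run it as `sh egress.sh apply` on the firewall, or `IPT=echo sh egress.sh apply` to review the rules first. Note that there is no ACCEPT rule at all for the desktop range: every outbound service is pinned to the one internal host that is supposed to provide it, which is exactly what makes the deny log useful for spotting compromised machines.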

If you want help with such a project or want to learn more about scoping egress filtering in your network, let us know. We would be happy to help you!

HoneyPoint Appliance and Virtual Appliance Growing

I was so pleased with the news from my team yesterday that we are just about ready for the formal release of the HoneyPoint physical appliance. We are putting the final polish on the devices and they will be ready for release by the end of next week.

The virtual appliance is now going into its 2.0 architecture. The appliance has been rebuilt from scratch, hardened and reconfigured. It is also ready for shipment.

Special thanks to Adam for his work on completing these “decoy hosts” for folks that don’t want to put HoneyPoints on their production servers. His work is pushing HoneyPoint to the next stage of evolution and is much appreciated!

You can get both the virtual appliance and the physical appliance as a part of HoneyPoint Security Server and through the Managed HoneyPoint service as well. Drop us a line or give us a call to learn more about either of these programs!

New HITECH Law Expands HIPAA Requirements


A new law was enacted on February 17th of this year that expands the HIPAA privacy rule to include “business associates” of health care providers. This law also sets a new requirement for notifying individuals in the event that their protected health information (PHI) has been compromised and gives State Attorneys General new powers to prosecute persons or organizations that fail to comply with HIPAA privacy and security requirements. This law is called the Health Information Technology for Economic and Clinical Health Act (HITECH), and is a part of the new American Recovery and Reinvestment Act of 2009.

What this means is that a number of different organizations that process or use PHI on behalf of a HIPAA “covered entity” must now also comply with the HIPAA security rule just as the covered entity is required to. This includes the need to develop or alter policy and procedural documents, conduct risk assessments and gap analyses, apply appropriate encryption and secure transmission methods to PHI and more. And the security breach notification rule comes into effect just one month from today on August 16th!

Now, this gets a little complicated, so first let’s look at what “covered entity” and “business associate” means in terms of HIPAA and HITECH. A “covered entity” is basically defined as:

  • A health care provider that conducts certain transactions in electronic form
  • A health care clearinghouse
  • A health care plan

A “business associate” is basically defined as a third party person or organization that:

  • Performs, or assists in performing, a function or activity involving the use or disclosure of individually identifiable PHI, including claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, repricing and more
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to a covered entity, where providing those services involves the disclosure of individually identifiable PHI to the business associate

In other words, if you process or have access to PHI from a covered entity, you can be pretty sure this law applies to you! So what do you need to do if you find that the new law does indeed apply to you or your organization? The single best thing you can do is encrypt all of your PHI, both in transmission and in storage. This has to be done according to Department of Health and Human Services guidance, which in turn points to the standards in NIST SP 800-111 and FIPS 140-2 (also see 45 CFR Parts 160 and 164). If you meet these standards, you have rendered the PHI “unusable, unreadable or indecipherable to unauthorized individuals,” and a loss of that data does not trigger the elaborate breach notification measures specified in the new law. Keep in mind that this safe harbor covers only data that was actually encrypted to the standard when it was lost and whose key was not compromised along with it; an unencrypted export or a stolen key puts you right back into notification territory.

And breach notification is something most people and organizations should definitely want to avoid! Not only does it make good sense to properly encrypt and protect private information from a best practices standpoint, a breach could do you or your organization real harm. For example, under the new law, if you have a security breach that reveals the PHI of 500 or more individuals, there is a MANDATORY requirement to notify the news media! What effect would THAT have on your reputation and bottom line!? And remember, even if you do suitably protect PHI in motion, at rest, while in use and when being disposed of, you need to have a suitable written information security program in place that details the administrative, physical and technical security measures you will use to protect PHI. These measures must be strong enough to meet HIPAA Security Rule requirements. If your organization does not meet the specified data encryption standards, then you also need to develop written policies and procedures around the new Security Breach Notification Requirements found in HITECH.

In a nutshell, here are some of the steps you or your organization should be taking to ensure compliance with HITECH:

  • Find out if you or your organization is a covered entity or business associate under the new law
  • Perform risk assessments and/or gap analyses as needed to see if you meet HIPAA Security Rule and HITECH standards or not. (If not, you will need to develop a roadmap detailing what you will do to meet these standards in the future)
  • Update or develop your information security, privacy and HIPAA policies and procedures as needed to meet the HIPAA Security Rule
  • Update any relevant Notice of Privacy Practices documents you have in order to meet the new standards
  • Develop or update your Breach Notification Policies and Procedures to comply with HITECH and any State counterpart law
  • Update and/or expand your business associate agreements to include the new security and notification requirements

Remember, if your organization willfully or through ignorance or inattention does not meet these new requirements, the penalties have been strengthened against you. Civil monetary penalties have been increased and for the first time, this law authorizes State Attorneys General to begin pursuing civil actions for HIPAA privacy and security violations that have threatened or adversely affected residents of their respective States. Also, starting early next year, entities using electronic health records will be required to track any disclosures of patients’ medical information, including disclosures made for treatment and payment.

So, don’t get caught short by HITECH! Consider implementing proper encryption and information protection measures now. Strengthen and update all of your information security policies and procedures. The need to do so will only increase in the future anyway. And if you need help developing policies and procedures or performing risk assessment and gap analyses, MicroSolved has the experience and expertise needed to get the job done. Give us a call!

Get Ready, Here Comes the MS Web Office Bot-Nets!

Just as we expected, the exploit for the Office Web Components (“Web Office”) ActiveX 0-day has been integrated into existing bot-net spread attacks. SANS and others have begun reporting that SQL injection compromises have been tuned to include defacements carrying the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of ColdFusion defacements, have been leveraged to spread malware for some time. However, this “upgrade” to the malicious JavaScript the defacements use to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: http://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that setting the kill bits in the registry does not protect a system until it has been rebooted.

Let us know if you have any questions or desire any assistance with the kill bit solution.

Risk Assessment and Mitigation for the MS Web Office Issue

Here is a PDF of the risk assessment and review of this emerging vulnerability. Please check it out if you are working on mitigating this issue.

While the corporate risk is identified as an overall medium, there is a high risk of workstation infection from this problem.

Check out the document here.

Vuln RA 071409 – MS Web Office 0-day

If you would like to follow the emerging threat, the SANS Internet Storm Center is the best place to get current news about the outbreaks and exploitation. You can also follow me (@lbhuston) on Twitter for more information as it comes in.

UPDATES:

7/14 – 2:17pm Eastern –

SANS has gone back to green status and is posting that they hope awareness has been raised.

Nick Brown wrote in to tell us that the exploit in MetaSploit is easy to use and very effective against most XP workstations. He also warns home users to be on the lookout as this is very likely to turn into a worm or automated bot-net attack very soon. He agreed that the MetaSploit exploit is unlikely to affect servers as we expressed in our assessment. Lastly, he wanted us to remind everyone that using the kill bits, REQUIRES A REBOOT OF THE SYSTEM BEFORE IT IS IMMUNE.

Adam Hostetler also found this site, which has some interesting ways of identifying vulnerable hosts: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

We have scheduled a FLASH Campfire chat for a threat update and discussion at 4pm Eastern today. The URL for that chat is: https://microsolved.campfirenow.com/ccf03

Thanks for reading and for all of the excellent feedback!

Update2: Here is the transcript from the public chat. Thanks to all who attended. Hopefully, it will be helpful for folks who are working on the issue.

Transcript

HoneyPoint Cracks with a Hidden Cost

OK, so we have been aware of a couple of cracked versions of HoneyPoint Personal Edition for a while now. The older version was cracked just before the 2.00 release and made its way around the torrent sites. We did not pay much attention to it, since we believe that most people are honest and deserve to be trusted. We also feel like people who value our work will pay the small cost for the software and those that just want to play with it and are willing to risk the issues of the “warez” scene would not likely buy it anyway….

However, today, someone sent me a link to a site that was offering a crack for HoneyPoint Personal Edition. The site was not one I had seen before, so I went to explore it. I fired up a virtual lab throw away machine and grabbed a copy of the crack application.

As one might expect, the result was a nice piece of malware. Just for grins, I uploaded it to Virus Total and here is the result:

http://hurl.ws/432e

Now, two things are interesting here. First, the crack is not even real and does not work. Second, once again, the performance of significant anti-virus tools is just beyond poor. Only 6 out of 41 products detected the malware in this file. That’s an unbelievably low 14.6% detection rate!

The bottom line on this one is that if you choose to dabble in the pirate world, it goes without saying that, sometimes you will get more than you bargained for. In this case, trying to get HoneyPoint Personal Edition for free would likely get you 0wned! Ahh, the hidden costs of things…..

If you are interested in a legitimate version of HPPE, check it out here.

In the meantime, true believers, take a deep breath the next time your management team says something along the lines of “…but, we have anti-virus, right…” and then start to educate them about how AV is just one control in defense in depth, and not a very significant one at that…

MicroSolved’s “Best Of” Security News July 10, 2009

What an interesting week! South Korea and the United States experienced attacks on computers by a nasty virus that, reportedly, began erasing data today from computers that had not been updated with anti-virus software.

Korea DDOS virus mission shifts to destroying, erasing data

IBM researchers rolled out new technology to mask sensitive data. Their approach differs from others in that it doesn’t make copies of the data; instead it removes certain elements of the data depending on who will be viewing it and their access rights to it. The masking is done “on the fly.”

IBM Researchers Unveil New Data-Masking Technology

Apple is pretty quiet regarding all the issues that are starting to pop up with its brand spankin’ new iPhone 3GS. From shorter battery life to phones heating up, customers have been more than disappointed after all the hype about this latest version of the popular gadget. A security vulnerability also sent up a red flag. (And I’m sure @lbhuston is very grateful now that he didn’t purchase the 3GS. As for me, I just signed a two-year contract in January, so I’m not budging, either.)

As Three Big iPhone Troubles Surface, Apple Dinged for Secrecy

What were some of the infosec stories this past week that caught your eye?

Security Guard Charged With Hacking Hospital Systems

I came upon this story today, which should remind every hospital guard administrator of Pogo’s wry observation, “We have met the enemy and he is US.”

On Friday the federal authorities arrested Jesse William McGraw on a charge of felony computer intrusion, saying he intended to use the botnet to launch a massive distributed denial of service (DDOS) attack on July 4, the day after he was set to stop working there. He’d nicknamed the day “Devil’s Day.”

He worked for a Dallas security company called United Protection Services, on the 11 p.m. to 7 a.m. shift at the clinic.

McGraw, who went by the hacker name GhostExodus, allegedly installed malicious software all over the Carrell Clinic, including systems that contained confidential information, and others that managed the building’s climate-control systems, authorities said Tuesday.

The hacker could have harmed patients or damaged drugs if he had turned off air conditioning during Texas’s hot summer months, authorities said.

Rest of article

It would seem he was itching to prove his mad hacking skilz by donning a hoodie while riding an elevator, looking into the camera and while the theme from “Mission: Impossible” played, said, “You’re on a mission with me: Infiltration.” As brilliant as he thought he was, he earned a major FAIL by typing on a keyboard and then putting gloves on to mask his fingerprints. Also he posted the ubiquitous YouTube videos to explain said brilliance. (And yet he can play the violin pretty well.)

All the more reason to pay attention to who’s wandering down your hallways. Not only could this guy have attacked the hospital’s network, but the hospital could easily have been sued for negligence when Uncle Bob suddenly keeled over because his room became an oven.

Encryption: 3 solutions to fit your budget

When your worst fears become a reality and you notice there has been some breach of your data (a stolen laptop, an unlocked or unattended computer) and someone either has access to your machine or has a copy of it for themselves, is there any hope left? Although most don’t think it’s necessary, encrypting data is another link in the chain mail that is our security policy. While this link is not substantial on its own, the entire suit of armor is where the true strength lies.

Data encryption sounds scary. People think of lines of binary crossing the screen at lightning speed like a scene from The Matrix or Hackers, but it’s become something so simple that everyone should be doing it! In this post, we’ll review some free and open source solutions that offer protection and peace of mind that what’s yours stays yours!

Encrypted Password Manager: KeePass

KeePass is a powerful password manager that supports the Advanced Encryption Standard (AES) and Twofish algorithms to encrypt your passwords and account information. The master password is hashed with SHA-256 and the result is used to derive the database encryption key, so the strength of the whole database rests on that one master password: make it long. KeePass also supports a composite master key, which lets you keep a key file on CD, USB or floppy (floppy disk, really?) in addition to, or in lieu of, the password. KeePass is small and portable; it runs just as smoothly from a USB stick as it does installed to a hard drive. The portable version doesn’t store anything on your system: no registry keys are created or modified and no INI files are added to the Windows directory, so deleting the KeePass directory (or running the uninstaller) leaves no trace of the program. This tool has too many features to list if we intend to discuss others, but two deserve a mention. A random password generator lets you create a password inside KeePass and then paste it into the necessary forms using secure clipboard handling (the clipboard is cleared again after a short timeout). And moving the database is trivial: when passwords need to be available on multiple machines or in a multi-user setting, copying the single database file is all it takes.

“The sun will go nova before you can decrypt the database” - www.KeePass.info

Encrypted Volume Manager: TrueCrypt

TrueCrypt is an open source disk encryption program that creates a virtual encrypted disk inside a file and mounts it as if it were a real disk. Encryption is automatic, real time and transparent, and thanks to parallelization and pipelining the virtual volume can be read and written nearly as fast as an unencrypted one. The tool allows multiple encrypted volumes to be created and relies on AES-256, Twofish and Serpent (alone or cascaded) to protect your sensitive data. TrueCrypt downloads and installs easily and includes a setup wizard that guides the creation of the encrypted volume. Once created, the interface lets you mount one or more volumes and treat them as local drives to store data at will. One caveat: the protection only exists while a volume is dismounted. A mounted volume on a running, unattended laptop is readable by anyone who can get at the machine, so dismount it before you walk away. Very smooth in use, very user friendly, and something any user should employ to protect personal and/or private data of any kind. - www.truecrypt.org

Email Encryption: x.509 Certificates

X.509 e-mail encryption (S/MIME) assumes a strict hierarchy of certificate authorities, unlike the “web of trust” model used by PGP. X.509 is an ITU-T standard for public key infrastructure (PKI) and Privilege Management Infrastructure (PMI); it specifies standard formats for public key certificates, certificate revocation lists and attribute certificates, and the rules for certification path validation, among other things. Path validation is the part that matters to you as a user: a certificate is only as trustworthy as the chain of CA signatures that leads from it to a root you have chosen to trust. MD5-based certificates were shown to be forgeable in 2008, when researchers built a rogue CA certificate from an MD5 collision; certificates signed with SHA-1 were considered secure when this was written (SHA-1 has since been deprecated for certificate signatures as well, so prefer SHA-256). While it is prudent for companies to use enterprise-level encryption solutions, individuals can protect themselves with a free X.509 personal e-mail certificate from www.thawte.com.
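To make “certification path validation” concrete, here is an added example (not from the original post, and not tied to any CA or product mentioned on it) that builds a tiny two-level hierarchy with the openssl command-line tool, which it assumes is installed. The names (Example Root CA, Rogue Root CA, alice@example.invalid) and the working directory are made up for the demonstration. The same user certificate request is signed by two different roots; one resulting certificate validates and the other does not, purely because of which root you placed in your trust store. A third function reads back the signature hash so you can check that a certificate is not MD5- or SHA-1-signed.

```shell
#!/bin/sh
# Added example (not from the original post): a root CA, a user certificate it
# signed, and a second "rogue" root that signed the very same request.
# Requires the openssl CLI. All names and the work directory are hypothetical.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_hierarchy() {
    # 1. Self-signed root CA: this is the trust anchor we will choose to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    # 2. End-entity key and certificate request for an e-mail identity.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=alice@example.invalid" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null

    # 3. The root signs the request: alice.pem now chains to root.pem.
    openssl x509 -req -sha256 -days 365 -in "$WORK/alice.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/alice.pem" 2>/dev/null

    # 4. An unrelated root we do NOT trust signs the same request. The subject
    #    is identical; only the issuer (and thus the chain) differs.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Rogue Root CA" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/alice.csr" \
        -CA "$WORK/rogue.pem" -CAkey "$WORK/rogue.key" -CAcreateserial \
        -out "$WORK/alice-rogue.pem" 2>/dev/null
}

# Path validation: succeeds (exit 0) only if the certificate in $2 chains to
# a root listed in the trust store file $1. This is what a mail client does
# before it believes a signature or encrypts to a recipient's public key.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
# Anything starting with md5 or sha1 should make you nervous.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

if [ "${1:-}" = "demo" ]; then
    make_hierarchy
    verify_chain "$WORK/root.pem" "$WORK/alice.pem" && echo "alice.pem: chains to Example Root CA"
    verify_chain "$WORK/root.pem" "$WORK/alice-rogue.pem" || echo "alice-rogue.pem: rejected, issuer not trusted"
    echo "alice.pem signed with: $(sig_alg "$WORK/alice.pem")"
fi
```

Run it as `sh x509-demo.sh demo`. The point to take away is that nothing in the user certificate itself decides whether it is trusted; the decision lives entirely in the trust store handed to `openssl verify`, which is why a CA that can be tricked into issuing a certificate (as with the 2008 MD5 rogue CA) undermines every client that trusts it.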

More often than not people see encryption, passwords, and monitoring policies more of an annoyance than anything else. Few would argue that it’s a pain to have to input a password to do anything at the system level or to have to remember to mount, unlock, and unmount an encrypted volume, or to have to allow access through a firewall- until you need it. When someone steals your data, you’ll be happy to know your passwords are locked up safe, and your data is encrypted to the point you can back up and change anything sensitive before the bad guys can get to it! Keep your armor strong and polished and most foes will seek alternative victims. Don’t be an easy target!