We Have An iPhone App for Our Blog!

Our press release:

MSI RELEASES IPHONE APP FOR “STATE OF SECURITY” BLOG
MSI Offers Free Tool to Allow Access to Blog’s RSS Through iPhone App

COLUMBUS, Ohio January 26, 2010 — MicroSolved, Inc. (MSI) is pleased to introduce a fun free tool to add to a user’s iPhone app menu. Now readers of the “State of Security” blog can easily keep track of updates through a simple application that is available through Apple’s iTunes Store. The tool is designed to make it easier for security people to track emerging threats and stay up to date with security news.

MicroSolved’s “State of the Security” blog not only covers an array of security topics, but also is the launching pad for collaborative projects and quick online chats regarding “hot” threats of the day. The blog is very popular among security teams, CISOs and others with an interest in information security.

Those who would like to add the free application to their iPhone can download it here

FLASH Campfire Chat January 22 at 10 AM: The Aurora Vulnerability

Much media attention has been focused on the recent Internet Explorer vulnerabilities and the attacks and compromises of several large companies. Rumors are flying fast and furious around the Internet. Come learn about the technical exposures of these vulnerabilities, the suggest options for protection of your organization, and a discussion about what your peers are doing to manage this and other client-side attacks. Cut through the hype, ignore the hyperbole and let’s get down to the brass tacks. Attendees of this session will get an overview of the Aurora vulnerability, insights into client-side attack tactics and come away with suggestions for risk minimization.

Here are the details:

Date: Friday, January 22
Time: 10:00 AM EST
Location: Our Campfire Chat Room

Looking forward to seeing you there!

Is IE Still on the Desktop at Your Organization?

I know that the IE infection is hard to kick. The most common argument I hear, many sites just don’t work with anything but Internet Explorer.

Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed alternative browsers (OK, Firefox, in all cases), and blocked all external access to IE users. They then take the help desk calls, check the sites that the users say won’t work with anything but IE, make sure they meet a business need, and then one by one add them into the proxy to be allowed out with IE.

Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites become so infrequent as to be non-existant and handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that they say the longer term savings paid for the work of the 30 day period in less than 3 months. Thats a 90 day, 100% ROI for a 120 day project!!!! In business terms, this is a NO BRAINER.

Given the oddity of Aurora, the history of IE vulnerabilities and the ease at which new users of Firefox, Opera, Chrome, Safari, et all become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, for those internal legacy apps where code-rewrite is not feasible. Heck, in this case, maybe even allow IE 6 to live on for internal use only (pray for no internal malware or xss attacks). We all know the real attack surface for IE is overwhelmingly the Internet.

Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.

Let me know what you think!

How Honeypots Can Help You

A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.

It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon what you are trying to achieve.

There are two different types of honeypots: production and research. Production honeypots are typically used by companies and corporations. They’re easy to use and capture only limited information.

Research honeypots are more complex. They capture extensive information, and used primarily by research, military, or government organizations.

The purpose of a production honeypot is to mitigate risk to an organization. It’s part of the larger security strategy to detect threats. The purpose of a research honeypot is to collect data on the blackhat community. They are used to gather the general threats against an organization, enabling the organization to strategize their response and protect their data.

The value of honeypots lies in its simplicity. It’s technology that is intended to be compromised. There is little or no production traffic going to or from the device. This means that any time a connection is sent to the honeypot, it is most likely to be a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As we say about our HoneyPoint Security Server, any traffic going to or from the honeypot is, by definition, suspicious at best, malicious at worst. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity. What are the advantages to using honeypots?

  1. Honeypots collect very little data. What they do collect is normally of high value. This eliminates the noise, making  it much easier to collect and archive data. One of the greatest problems in security is sifting through gigabytes of useless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy to understand format.
  2. Many security tools can drown in bandwidth usage  or activity. NIDs (Network Intrusion Detection devices)  may not be able to handle network activity, and important data can fall through the cracks. Centralized log servers may not be able to collect all the system logs, potentially dropping logs. The beauty of honeypots is that they only capture that which comes to them.

Many of our clients swear by our HoneyPoint family of products to help save resources. With its advantages, it’s easy to see why! Leveraging the power of honeypots is an excellent way to safeguard your data.

Beware: Fraudulent W-2 Emails Ahead

Tax season is upon us and spammers are taking full advantage of the situation. Reports of fraudulent emails that appear to come from the IRS are popping up. The email states that all employers need to complete the attached W-2 update form. Unfortunately, the attachment contains a remote administration tool that allows the attacker to execute commands on the system.

The malicious file is named W2-Form and has various file extensions including .rtf, .pdf, and ,.doc.

While this attack targets employers, I suspect that the next wave will target employees. Possible scenarios include malicious attachments as described above and directing employees to fake corporate websites.
Employers should notify their employees of how W-2 information will be delivered and warm them of possible fraudulent emails. For more information on reporting these types of malicious emails visit

http://www.irs.gov/privacy/article/0,,id=179820,00.html

Mobile Directory scanning efforts

The HITME has been abuzz with alerts from around the globe of scans attempting to find various mobile directories on HoneyPoint hosts. Here is a list of targets that are being checked for:

/iphone
/m
/mobi
/mobile

While no scanner signatures or identifiers are being sent with the probes, it’s still cause for concern over the recent surge in interest of these directories. Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like (FREE). You can copy and paste the signatures from this page into the brain file and scan your environments for these targets.

Why Web-Application Security is Important

After the discussion about my last post and my omission of appsec, I wanted to make up for it not being in the list. Certainly, application security is important and as pointed out, I should have added it to the list of primary concerns for organizations.

By now, I hope everyone understands that attacks like SQL injection, cross-site scripting and the rest of the OWASP top 10 can have devastating effects. Often, when these vulnerabilities come into play, data loss soon follows. Sometimes, the attacker is able to gain direct access to the data targets they are seeking. For example, if SQL injection grants them access to a database that contains credit card information or identity data, then the initial compromise may be all that the attacker needs to obtain their goal.

But, even when the initial compromise does not directly yield them the data they seek, the initial SQL injection compromise often allows them access to and/or control over other systems and components. They then use a variety of technologies and techniques (from keylogging to sniffing and from pivot attacks to trojans) to leverage the initial problem into the compromise of the data they seek. In many cases, the attackers prove themselves to be both creative and patient as they slowly crawl towards their goals.

Even if your site does not have the targets they want, the SQL injection can be quite damaging for your organization. Not only do you have the compromise itself, but quite often, the application or web server with the vulnerability is manipulated to propagate malware that infects the visitors to your site, turning their machines into victims as well. As a client recently told me, “You don’t want to have to explain to upper management why your web site is responsible for infecting your customer’s computers with a virus. It is not really good for your career.”

These are just a few of the reasons that your organizations should take web application security seriously. If you have some more you would like to share, please leave a comment below.

New Year, Old Threats

Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.

How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked. 🙂

1. Malware – malware is the current serious scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees to identify when things are “not quite right” in our environment? These approaches have a proven track record for helping. Check out the SANS CAG for more tips down this line of thinking.

2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.

3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside….. Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results focused. Together, we can help you get to a comfort point where security is a manageable task.

Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t. 🙂

PS – I hope you had a wonderful holiday season!