Review: The Bus Pirate

We have been playing with the Bus Pirate for a while now in the lab. And, while overall, we love the tool and the functionality it brings, there is one thing we hate about it too. We love the open source architecture and just the fact that it exists, in general. It is quite a useful tool for exploring electronic systems and dumping data from embedded devices.

The tutorials and documentation around the web make it a widely useable device. You can find detailed configuration data and connection scenarios in the forums for the product and in the general documentation as well. We recently spent a good deal of time playing with the Pirate and connecting it up to known and unknown equipment. The wide variety of modes took a lot of the complication out of the manual work that used to be required before the Pirate became available.

There is really only ONE thing NOT to like about the Bus Pirate. That specific thing is the flashing process to upgrade or downgrade the firmware. It requires physically manipulating the device pins with jumper wire and running an application to specifically install the version you desire. Given how easy using the device is normally, we hope to see this mature into something more along the lines of the update process for a router or the like. The main gripe about the current process is the time it takes to do the upgrade/downgrade. In a classroom environment, it takes quite a bit of time to make these changes, though among our team there is currently a discussion about the inherent value of the lessons learned from doing it. 

Overall, even with the tedium of the upgrade process in mind, the Bus Pirate is a wonder. Dangerous Prototypes have pulled off an amazing feat to bring this thing to life. It makes hardware hacking so much easier than the “bad old days” and gives more people more access to the circuitry level for hacking. It makes grabbing data from chips and systems significantly easier. At the same time, it means that vendors of products that need to protect data against attacks at this level have to get better too. More eyes and more brains focusing on this level, means the race is on at a heated pace…

What is HPSS? :: HoneyPoint Agent

This post builds on the What is HPSS? Series. Previous posts are here and here


HoneyPoint Agent is the original detection capability of the HoneyPoint Security Server suite. Basically, it allows a system to offer up a variety of “fake services” to the network for the purpose of detection. These services can either be simple port listeners or can be complex, deeper emulations of protocols like SMTP, HTTP, Telnet, FTP, etc. These ports have no real users and no legitimate traffic flows to them. This means that anytime these ports are tampered with, the interactions are “suspicious at best and malicious at worst”. 


HPAgentOverview

Because the Agent is designed to be extremely light weight in terms of computing power needed, the Agents can be sprinkled throughout the network environment easily. Many organizations simply add Agent into default server and workstation builds, turning most of the systems in their network into sensors for detection. 

 

Other organizations deploy Agent more sporadically, either using virtual or physical appliances dedicated to HoneyPoint hosting. These organizations often assign multiple physical or virtual interfaces to the devices, allowing them to have a presence on many network segments at the same time.

 

Still other users leverage an approach called “scattersensing” by deploying HoneyPoint on systems that they move periodically around their environment. This makes for a less dependable detection mechanism, but gives them the capability to get more vision into “hotspots” where targeting is expected or where malware is more likely to pop-up. 

 

The most successful HoneyPoint Agent deployments use a combination of these tactics, along with including strategies like DNS redirection of known command and control sites and other more active forms of getting bad traffic into the HoneyPoint systems.

 

HoneyPoint Agent has proven to be very useful in identifying scanning and malware outbreaks. Customers with supposedly secure networks have found malware that had been missed for years by their traditional internal security tools. These were detected when the ongoing slow and low scanning triggered HoneyPoint deployments, particularly for SQL, Terminal Server and other commonly targeted ports.

 

HoneyPoint Agent can be configured through the command line or via a GUI application, making it easy to manage and deploy. Once installed, it is a “deploy and forget” style tool which doesn’t require ongoing tuning or signature updates. Generally speaking, customers deploy Agent and it runs for years without feeding and care.

 

HoneyPoint Agent also features MSI’s patented “defensive fuzzing” capabilities (previously known as HornetPoint mode), which can create self-defending services that attempt to take down attacker tools during their probing to interfere with propagation. Still other users automate defense with Agent using it as a means for black holing hosts that probe their environment. In these optional, more active roles, Agent can help organizations strengthen their posture with a “one strike and you’re out” kind of approach. 

 

HoneyPoint Agent runs in Linux, Windows and OS X. It communicates securely with the HoneyPoint Console. It also features user configurable services, a known scanning host ignore list (for ongoing vulnerability assessment clients) and a wide variety of common service emulation templates (available through support). 

 

To learn more about HoneyPoint Security Server or to get a demo, please contact us. We would be happy to walk you through the product and discuss how it might fit into your environment. There is even a free for personal use “Community Edition” available to get you started or to let you experience the power, ease and flexibility of the platform yourself. Just give us a call to learn more about HoneyPoint Security Server and HoneyPoint Agent. You’ll be glad you did! 


Malware in Many Places

 

GlobalDisplay Orig

Just a quick reminder that malware can come in many forms and from many places. These days, it isn’t just phishing, drive-by downloads and stray email attachments that you have to worry about. USB drives, digital picture frames, wireless devices, watches with USB plugs, exercise equipment with public “charge and data monitoring ports” and whole variety of other things.

Basically, today, if it can plug into your systems or talk to your network and has any kind of processing, memory or storage – it can likely carry malware. That’s certainly something to keep in mind as the “Internet of Things” becomes more and more a part of our daily lives. 

All of the usual defenses still apply, but today we need more than just anti-virus to keep us safe. We have to be using a variety of security controls from throughout the spectrum of prevention, detection and response. Since malware can be everywhere, so too must our vigilance against it. 

PS – Those of you with teens and older parents who use/depend on electronics and computers should discuss malware and safer computing with them. They likely have an entirely different risk profile than you do, and they may not be paying as much attention to the impacts that these attacks can have or where they can come from. They may be doing risky things without even knowing it. Talk to them about malware and help keep them safer in the online world.

Come Grow with MicroSolved

MSI is currently seeking two full time team members to help grow our information security offerings to our clients. 

We are seeking a sales person to assist current customers with their needs, conduct campaigns to identify new prospects, work directly with the security engineers to scope engagements and complete the process by closing engagements and working with the project managers to complete the work plan. The successful sales person will be detail oriented, friendly, self motivated and willing to engage with customers with a high level of passion and energy. Our sales process is mature, transparent and client focused and that has helped us become one of the oldest information security firms in the country. The sales position can be filled by someone located anywhere in the mid-west, as long as they are open to some travel to visit clients and occasional travel back to Columbus as needed. 

The other position is a security team member. This is a technical position, with the primary duties being penetration testing of networks, applications and electronic devices. Security team members also back up the risk assessment team, perform consulting duties and help with development of products and services across the MSI offerings. Some security experience is required, along with expected proficiency with operating systems, networking and some basics of coding/scripting. The security team member position should live in Central OH. We need physical presence for much of the work in our lab, so this person has to be close to HQ. 

To apply for either of these positions, please drop us an email with a resume, a short bio and few paragraphs that explain exactly what you bring to the table and why we should add you to our team. Email us at INFO(at sign)microsolved.com. Thanks for reading and we look forward to hearing from you! 

Java 0-Days are Changing Corporate Use Patterns

With all of the attention to the last few Java 0-days and the market value for them falling them (which many folks believe indicate there are more out there and more coming), we are starting to hear some organizations change their policies around Java, in general. 

It seems some clients have removed it from their default workstation images, restricting it to the pile of as-needed installs. A few have reported requiring more frequent Java update settings and a couple have talked about switching in-house development away from Java to different languages. 

Is your organization changing the way you view Java? How are things changing around the IT shops you work with? 

Drop us a line in the comments or via Twitter (@microsolved or @lbhuston) and let us know what YOU think!

Help Us Help the World with Information Security

We are seeking a motivated, IT knowledgeable sales person to help our information security firm reach new clients and new markets. 
 
We have a strong history of excellent work, terrific products that stand out in the crowd, and an amazingly skilled and friendly team. We are a results oriented work environment with a laser focus on serving our customers well.
 
The position is full time, with benefits, and enjoys a salary plus commission and bonuses pay structure. The duties include maintaining current client relationships, conducting targeted marketing campaigns to connect with prospects, working with security engineers to help scope solutions to customer problems and closing sales for products and services. We have an open, well defined, mature sales process that includes ongoing feedback, real world metrics and shared goal setting. 
 
The successful candidate can be in Columbus, located somewhere else in Ohio or throughout the mid-west. To succeed in the position, you should be detail oriented, self motivated and be ready to engage with some of the most amazing clients in the world. 
 
Please provide a high level bio, a resume and a quick couple of paragraphs that explain the value you can bring to our team. We look forward to hearing from you! 
 
You can reach us via email at INFO(at sign)microsolved.com or via Twitter (@lbhuston).

Reminder: Upgrade HoneyPoint Console to 3.52

Just a quick reminder to all HoneyPoint Security Server users that Console 3.52 is now available on the distribution site. Access information for the distribution site is in the Quick Start Guide that you received when you first downloaded the product.

This new version of the Console component includes speed improvements, bug fixes and .DLL upgrades of some of the underlying modules.

Contact your account executive or technical support if you would like more information.

CMHSecLunch is TODAY

Don’t forget, the #CMHSecLunch is TODAY, January 14th, 2013. The time is 11:30 and the location this month is at the Easton Mall food court inside the indoor portion of the mall.

We hope to see you there and bring a friend! No admission, no cost (you can buy food if you want) and open to the public. December had a great turn out and some fantastic conversations!

SANS SCADA Security Conference & a DISCOUNT

SANS has allowed us to offer a 10% discount to our readers who attend their SCADA Security Summit. The event is being held in Orlando this year, February 12-13, with optional training courses wrapped around on both sides. We think this is a great event and we are proud to be able to help SANS promote it.

You can get your discount using the discount code: MicroSolvedSCADA

More information about the event follows below (Overview provided by SANS): 

More than 1,200 security analysts and process control engineers, from government and industry, have attended the SCADA Security Summits. That’s because Summits are the one place where the people shaping the future of control systems security come together to share the lessons they have learned and because the Summits give attendees unique, early access to important new information. This year’s program will be no different. If you have any responsibility for security of control systems – policy, engineering, governance or operations you won’t want to miss the 2013 Summit in Orlando, Florida.

 At the Summit you will:

  • Learn why control systems are so difficult to protect and arm yourself with clear case studies showing what’s been done and what can be done to protect SCADA and other control systems.
  • Learn the language of control systems so you can be of more help to the engineers who plan and deploy such systems.
  • Understand the requirements and constraints faced by owners and operators of automation systems. Determine the state of the art in control system security as a benchmark for your own future planning.
  • How to build an ICS security program and develop your team.
  • Better understand what government can and can’t do by learning the requirements, constraints and current capabilities available to secure critical control systems.

 For more information and to register click here  http://www.sans.org/event/north-american-scada-2013

Gameframe Follow Up

This is a follow up to the original Gameframe scan post here. (**Note I have defanged the urls, edit them manually if you copy and paste)

Throughout the end of December, we saw just a few more probes in the public HITME that contained the Gameframe pattern. The ports shifted between port 80 and port 3128. The initial bursts of probes we observed were on port 3131, but they seem to now be occurring across the port spectrum.

The only host the public HITME caught these probes from was: 96.254.171.2 – WHOIS – US, Verizon

A Twitter user, (@benediktkr), also pointed out probes on port 8080 from a small batch of source IPs. He also observed the same source IP, which means the scanning is likely pretty wide, given that we have seen it from several of the HITME end points. 

Here is a quick dump of the log for the few we saw at the end of December (Output from a HoneyPoint plugin): 

2012-12-19 08:12:57|96.254.171.2|80|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n
2012-12-19 12:30:38|96.254.171.2|3128|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n
2012-12-28 12:46:42|96.254.171.2|3128GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n

We also picked up this probe, which is quite different from the others, which is interesting in general, note that the source host is also different – this time from 92.240.68.153 – WHOIS – Latvia

2012-12-27 10:29:27|92.240.68.153|80|GET hxxp://thumbs.ifood.tv/files/Salmonella_in_Vegetables.jpg HTTP/1.1 User-Agent: webcollage/1.135a Host: thumbs.ifood.tv headers HTTP/1.1\nUser-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.10\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n

It is likely that others are simply using the headers output of this page for other types of probes and scans, likely to identify open proxies and alternate paths to avoid censorship or to use in proxy chains to help hide their origins for other purposes.

If you run a black list of IPs as a part of your defense, or redirect bad IPs to a HoneyPoint, you should likely add these two sources to the list if you aren’t using the automated approach.

We will continue to observe these probes and let you know what else we see. Thanks for reading.