September TouchDown Task: Policy Quick Review

This month’s touchdown task is to review your information security related policies and procedures. Whether you, your team, or human resources are responsible for updating and maintaining information security policies, we suggest you review these documents every quarter, or at least every six months to ensure your policies keep pace with legislation, pertinent guidance and ever-changing technology. Even if your organization utilizes a company wide revision process, we suggest you carve out a few hours this month to begin to review the infosec policies.

Start by reading all the policies related to information security. Note those that require significant updates.
Next, research changes in legislation or technology that might affect your policies. Note the pertinent changes.
Seek feedback from your colleagues and managers.
Using the information gained, revise the necessary policies or document your suggestions for the company-wide revision process.
Either obtain necessary approvals for your updates or provide your draft revisions to those responsible for maintaining updated policies and procedures.
Until next month, stay safe out there!

Special Thanks to Teresa West for the help on this one! — Brent

Three Talks Not To Miss at DerbyCon


Here are three talks not to miss this year at DerbyCon:

1. Bill Sempf (@sempf) presents a talk about pen-testing from a developer’s point of view. (PS – He has a stable talk too, catch it if you sell stuff in the Windows store) His work is great and he is a good presenter and teacher. Feel free to also ask him questions about lock picking in the hallways. He is a wealth of knowledge and usually friendly after a cup of coffee in the morning. Beware though, if he asks you to pick the lock to get to the pool on the roof… This talk is Saturday at 6pm. 

2. Definitely catch @razoreqx as he talks about how he is going to own your org in just a few days. If you haven’t seen his bald dome steaming while he drops the knowledge about the nasty stuff that malware can do now, you haven’t lived. I hear he also may give us a bit of secret sauce about what to expect from malware in the next 6 months. You might wanna avoid the first couple of rows of seating in this talk. He often asks for “voluntolds” from the audience and you might not look good in the Vanna White dress… His chrome dome presents on Friday at 7pm.

3. Don’t miss the Keynote by @hdmoore. His keynotes are always amazing and this time it appears he is going to teach you how to port scan the entire Internet, all at once and all in an easy to manage tool and timeframe. He probably will astound you with some of his results and the things he has seen in his research. It’s worth it! The Keynote is Friday at 9am. Yes, 9am in the morning. It rolls around twice a day now… I know… 🙂

Lastly, if you want to see me speak, you can find me on Friday at 1pm as I discuss and unveil the Stolen Data Impact Model (SDIM) project. Check it out! 

PS – There will be plenty of hallway talk and shenanigans at the con. Come out and sit down and chat. I can’t wait to talk to YOU and hear what you have to say about infosec, threats, the future or just what your thoughts are on life. Seriously… I love the hang out. So, drop down next to me and have a chat! See you this weekend!

PPS – Yes, I might wear my “hippy hacker”/”packet hugger” shirt. Don’t scream “Packet Hugger” at me in the hallway, please, it hurts my feelings….

Operation Lockdown Update ~ Xojo Web App Security

Just a quick note today to bring you up to date on Operation Lockdown. As many of you may know, MSI began working with Xojo, Inc. a year or so ago, focusing on increasing the security of the web applications coded in the language and produced by their compiler. As such, we gave a talk last year at XDC in Orlando about the project and progress we had made. 

Today, I wanted to mention that we have again begun working on OpLockdown, and we remain focused on the stand-alone web applications generated by Xojo. 

Last week, Xojo released Xojo 2014R3 which contains a great many fixes from the project and our work.

The stand-alone web apps now use industry standard HTTP headers (this was true for the last couple of releases) and have the ability to do connection logging that will meet the compliance requirements for most regulatory guidelines.

Additionally, several denial-of-service conditions and non-RFC standard behaviors have been fixed since the project began.

My team will begin doing regression testing of the security issues we previously identified and will continue to seek out new vulnerabilities and other misbehaviors in the framework. We would like to extend our thanks to the folks at BKeeney Software who have been helping with the project, and to Xojo for their attention to the security issues, particularly to Greg O’Lone, who has been our attentive liaison and tech support. Together, we are focused on bringing you a better, safer and more powerful web application development platform so that you can keep making the killer apps of your dreams!

Hello from DayCon!

I have spent some time this week at DayCon in Dayton, Ohio. This is a small hacker conference, with attendance by invitation only. This year the event was focused on attack sources, emerging trends and new insights into the cutting edge of dealing with cyber-crime across many vertical markets and countries.

I speak later today, and I am focusing on the history of cyber-crime, the crime stream, the criminal value chain and how information coalesces before an attack. I look forward to my talk, especially given how engaged the crowd has been thus far with the other speakers. The hallway conversations have been great! 

Lots of variety in the speakers here, with professors, researchers, hackers and even some ICS/SCADA folks in attendance. Lots of good insights floating around and even a few new product ideas!

I’d highly suggest you check out DayCon next year.

PS – Also, looking at the calendar, we are prepping for DerbyCon next week. Come out and see us there. I will be speaking on the Stolen Data Impact Model (SDIM) project and other topics. Plus, as usual, we will be haunting the halls and swinging from the rafters! 🙂 See you in Louisville! 

Ask The Experts: Favorite HoneyPoint Component

This time around, we got a question from a client where HoneyPoint was being demoed for the experts.

Q: “What is your favorite component of HoneyPoint and why? How have you used it to catch the bad guys?”

Jim Klun started off with:

My favorite component is the simplest: HoneyPoint Agent. 

Its ease of deployment and the simple fact that all alerts from an agent are of note – someone really did touch an internal service on a box where no such service legitimately exists – make it attractive.
No one will argue with you about meaning. 

I have recently seen it detect a new MSSQL worm (TCP 1433) within a large enterprise – information obtained from my own laptop. The Agent I had deployed on the laptop had a 1433 listener. It captured the payload from an attacking desktop box located in an office in another US state. 

The HoneyPoint Agent info was relayed to a corporate team that managed a global IPS. They confirmed the event and immediately updated their IPS that was – ideally – protecting several hundred thousand internal machines from attack. 

Honeypoint Agent: It’s simple, it works.

Adam Hostetler added his view:

I’m a simple, no frills guy, so I just like the regular old TCP listener component built into Agent. We have stood these up on many engagements and onsite visits and picked up unexpected traffic. Sometimes malware, sometimes a misconfiguration, or sometimes something innocuous (inventory management). I also find it useful for research by exposing it to the Internet.
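Both answers above come down to the same idea: a listener on a port where no real service exists, so that every connection is worth an alert, scan or payload alike. The following is an added, constructed illustration of that pattern (not HoneyPoint's code); the port choice, field names and probe bytes are assumptions.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed "dark port" decoy listener, added as an illustration of the
# HoneyPoint Agent TCP listener idea above. Not HoneyPoint's implementation.
CAPTURE_BYTES = 512   # keep only the first bytes of whatever the peer sends
READ_TIMEOUT = 2.0    # seconds to wait for a payload before alerting anyway


def build_alert(decoy_port, peer, payload):
    """Turn one touch of the decoy port into an alert record.

    Nothing legitimate should ever connect here, so even an empty payload
    (a bare connect, as from a port scan) is reported, not dropped.
    """
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "decoy_port": decoy_port,
        "src_ip": peer[0],
        "src_port": peer[1],
        "kind": "payload" if payload else "connect_only",
        "payload_len": len(payload),
        "payload_hex": payload[:CAPTURE_BYTES].hex(),
    }


def handle_touch(conn, decoy_port):
    """Read at most CAPTURE_BYTES from one accepted connection, then close."""
    peer = conn.getpeername()
    conn.settimeout(READ_TIMEOUT)
    payload = b""
    try:
        payload = conn.recv(CAPTURE_BYTES)
    except (socket.timeout, ConnectionError):
        pass  # a scanner that connects and never speaks still gets an alert
    finally:
        conn.close()
    return build_alert(decoy_port, peer, payload)


class DecoyListener:
    """Listens on a port with no real service and records every hit."""

    def __init__(self, host="127.0.0.1", port=0):  # port 0: OS picks a free one
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.alerts = []  # records to relay to the IPS/SIEM team

    def serve(self, max_hits):
        """Accept max_hits connections one at a time, then stop."""
        for _ in range(max_hits):
            conn, _ = self.sock.accept()
            self.alerts.append(handle_touch(conn, self.port))
        self.sock.close()


def touch(port, payload=b""):
    """Constructed client: connect to the decoy, optionally send bytes, close."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        if payload:
            s.sendall(payload)


def run_demo():
    """Start a decoy, hit it twice (scan-style, then with a probe), return alerts."""
    decoy = DecoyListener()
    worker = threading.Thread(target=decoy.serve, args=(2,), daemon=True)
    worker.start()
    touch(decoy.port)             # bare connect, no data
    touch(decoy.port, b"PROBE")   # constructed probe bytes, not real malware
    worker.join(timeout=10)
    return decoy.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert, sort_keys=True))  # one JSON line per hit
```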

John Davis closed with a different view:

My favorite HoneyPoint is Wasp. Watching how skilled attackers actually compromise whole networks by initially compromising one user machine gives me the shivers! Especially since most networks we see aren’t properly enclaved and monitored. If I were a CISO, knowing what is on my network at all times would be of primary importance; including what is going on on the client side! Wasp gets you that visibility and without all the traditional overhead and complexity of other end-point monitoring and white listing tools.

Have a question about HoneyPoint? Want to talk about your favorite component or use case scenario? Hit us on Twitter (@lbhuston or @microsolved). We can’t wait to hear from you. Feel free to send us your question for the experts. Readers whose questions we pick for the blog get a little surprise for their contribution. As always, thanks for reading and stay safe out there! 

3 Reasons I Believe in #CMHSecLunch

Around a year ago, (I know, it is hard to believe it has been a year), I started a quick and informal meet up group in Columbus, called #CMHSecLunch. The idea was simple:

  • Re-Create the “Hallway Con” effect on a monthly basis.

In this scenario, the Hallway Con is the best part of security events. It’s the one where you see old friends, make new ones and have great, warm and personal connections with them. I believe this is the core of why security events and conferences are so valuable. Beyond the skills training, marketing hype and presentations ~ the value of friendship, camaraderie and personal relationships remain.

Thus, I thought, what better way to encourage that part than organizing events that focus on those goals. And thus, #CMHSecLunch was born. We have been meeting on the second Monday of each month at a rotating mall food court around the city. Response has been great! Sometimes there are a few of us (4 has been the smallest) and sometimes many of us (around 20 have been the largest meetings). But, people have gotten new jobs, found solutions to difficult security problems, met some new friends and seen people they missed.

Overall, it has been fun, entertaining and worthwhile.

We will be continuing the process into 2014 and here are at least three reasons I believe this approach and the #CMHSecLunch events are worth doing:

  1. I have gotten to see people connect, smile and re-unite for a quick bite of food, some laughs and great conversation. Since I am often referred to as the “Hippy Hacker”, you have to know that this alone makes me happy and makes me believe that the events are worthwhile. Whenever we connect with another and share with the community, good things happen! 
  2. New threats have been discussed that brought to light attacker motives, techniques and the width of their activity. If we don’t have lunch and discuss what we are seeing, then the bad guys win. They win even less, if we also have coffee and dessert afterwards. Nuff said! 🙂
  3. New projects have originated from the #CMHSecLunch discussions. In fact, several new projects. People have aligned, worked out some of their ideas and started working together to build talks, mathematical models, risk documents and various other useful tools. When a bunch of smart people eat and play together, often the outcome is stuff that helps all of us. So, being the origin of projects and stuff that helps the community is a fantastic thing. 

Why haven’t you attended (again)? 🙂

If I still haven’t persuaded you to check out the next #CMHSecLunch, (which you can find by clicking here), how about these quotes from people who have attended the event?

@TSGouge: Interaction with real live human beings, no screens involved! Food, jokes (that only another geek would get), getting my butt out of the office chair, and dialogue more rich than any conference or lecture…these are people who will now reach out and collaborate on problems or projects. To sum it all up: connections with people who get it.

@Cahnee: CMHSecLunch is a great way to get away from the craziness of work and spend time with infosec peers to talk about what’s on everyone’s mind. We talk about current events and what each of us see as challenges facing us both professionally and personally from an infosec perspective. Talk about encryption, mobile devices, NSA, DOD, etc.

@gisobiz: CMHSecLunch is a great thing! You meet with the like-minded people, or like-minded people wannabes and enjoy the food (great or not), but most importantly, the awesome conversation. You will get to know better people you already know, or make new friends.  Talking in an informal friendly environment takes the pressure off “being right” or “saying the right thing” which one encounters in a professional environment. Nobody will laugh at you or criticize you; in fact everyone is interested in your fresh (or stale) perspective on InfoSec or current events related to cyber security or anything else you care to share. And the really best thing is you get to learn from your colleagues, something you may not have an opportunity to learn otherwise.  It is like a miniature “geek” party in the best sense of the word. Or if you like – a mini-Black Hat conference. With food.

So, come on out next month and support the community. Have fun, grab a bite and engage with us, we are waiting for the view and insight that ONLY YOU can provide. Join us! 

Infosec, The World & YOU Episode 3 is Out!

Our newest episode is out, and this time we are joined by a very special guest, @TSGouge, who discusses social engineering for companies and on the nation state scale. Victoria reveals her new plans to take over the world and Brent tries to keep up with these gals, who are straight up geniuses. We also pontificate on Syria and the potential for cyber-fallout from the action going on over there.

Check it out here

Have a global real world/cyber issue you want us to tackle? Observed an odd event that ties to a real world cause in the Internets? Drop us a line ~ we’d love to hear about it or get you on the show! 

You can find Brent on Twitter at @lbhuston and Victoria stars as @gisoboz. Get in touch! 

CMHSecLunch is Monday August 9th

This month’s CMHSecLunch is Monday, August 9th, 2013 at 11:30am. The location for this month is the Easton Mall food court. You can register here, or just show up. ADMISSION IS FREE!!!!!

Imagine hanging out with your infosec bestys, or meeting a new infosec connection that takes your career to the next level. Ever wondered what infosec experts eat, drink or why some of them only wear pastel shirts? This is YOUR chance to find out! 

We hope to see you there! 

Cyber SA from the Queensland Police Cyber Crime & Fraud Symposium…

Good day from Queensland Australia;

Today you are receiving Cyber SA from the 2013 Queensland Police Cyber Crime & Fraud Symposium…

Heard a variety of scintillating cyber fraud case histories from international law enforcement today as the 2013 Queensland Police Cyber Crime & Fraud Symposium Day One kicked off…other topics presented included data breach handling and online reputation remediation suggestions from some of Australia’s cyber duty experts in the field…

Enjoy today’s edition, albeit abbreviated, of Cyber Situational Awareness!

People’s Republic of Corruption Control…Discipline bodies launch website – Globaltimes.cn
The Central Commission for Discipline Inspection (CCDI) of the Communist Party of China (CPC) and the Ministry of Supervision on Monday jointly opened an official website, offering the public a new online channel to report corrupt officials.
http://www.globaltimes.cn/content/808182.shtml#.UiWHQmSG1JE
People’s Republic of China’s quest for world-beating brand held back by regime
http://wanderingchina.org/2013/09/03/chinas-quest-for-world-beating-brand-held-back-by-regime-guardian-risingchina-branding/
Jiang Jiemin removed from office: authority – People’s Daily Online
http://english.peopledaily.com.cn/90785/8387285.html
Yahoo Kills Chinese Services
http://www.techweekeurope.co.uk/news/yahoo-pulling-out-of-china-126178
Targeted Attacks Deliver Disassembled Malware
http://www.symantec.com/connect/blogs/targeted-attacks-deliver-disassembled-malware

Chinese look for greater influence in UK nuclear programme
http://www.powerengineeringint.com/articles/2013/09/chinese-look-for-greater-influence-in-uk-nuclear-programme.html
People’s Republic of China’s Lenovo CEO to Share $3 Million Bonus With 10,000 Employees – The Diplomat
http://thediplomat.com/tech-biz/2013/09/03/lenovo-ceo-to-share-3-million-bonus-with-10000-employees/
People’s Republic of China-Russia Ties Deepen
http://thediplomat.com/china-power/china-russia-ties-deepen/

Citadel Makes a Comeback, Targets Japan Users
http://blog.trendmicro.com/trendlabs-security-intelligence/citadel-makes-a-comeback-targets-japan-users/
Fraud and ATM attacks hit Germany hard
http://www.net-security.org/secworld.php?id=15495
Learning From One of the Most Successful Industry Verticals — Cybercrime
http://hacksurfer.com/amplifications/253-learning-from-one-of-the-most-successful-industry-verticals-8212-cybercrime

The TAO of NSA
http://www.net-security.org/secworld.php?id=15500&
NSA tops up exploit pool with $25m in ‘grey market‘ vulnerabilities
http://www.cso.com.au/article/525241/nsa_tops_up_exploit_pool_25m_grey_market_vulnerabilities_/
Cyber Warfare: Government-Endorsed Surveillance
http://www.ibtimes.co.uk/special-reports/3338/cyber-warfare-government-endorsed-surveillance.html
More illegal NSA spying activities leaked – Xinhua | English.news.cn
http://news.xinhuanet.com/english/world/2013-09/02/c_132684366.htm

Semper Fi,

謝謝,
紅龍!

Cyber SA ~ Queensland, Australia 2400Z1SEP2013

Good day from Queensland , Australia…

Today’s cyber SA greeted the Red Dragon with a notification that his name had been used in a targeted hacking attack…data breach and data loss resulted…and BTW ‘check your travel arrangements for compromise’ as your records were violated digitally…yikes!

Nonetheless – much more in today’s issue of Cyber SA for you to enjoy…

US cyber attacks ‘targeted Russia, People’s Republic of China, Iran and North Korea’
http://www.news.com.au/technology/us-cyber-attacks-targeted-russia-china-iran-and-north-korea-according-to-washington-post/story-e6frfro0-1226708363415?f

Taiwan probes HTC staff over theft of trade secrets…destination: People’s Republic of China
http://www.scmp.com/news/china/article/1300866/taiwan-probes-htc-staff-over-secrets-theft
Cyber Kleptomaniacs: Why the People’s Republic of China Steals Our Secrets
http://www.worldaffairsjournal.org/article/cyber-kleptomaniacs-why-china-steals-our-secrets
Three HTC Employees Suspected Of Selling Design Secrets To People’s Republic of China
http://www.businessinsider.com.au/three-htc-employees-suspected-of-selling-design-secrets-to-china-2013-8?
People’s Republic of China actively engaging in kinetic & directed-energy based weapons systems…

China Studying as US launches new rocket carrying spy satellite – SCI_TECH – Globaltimes.cn
http://www.globaltimes.cn/content/807212.shtml#.UiPF_2SG1JE
China Studies: US sends new military satellite into orbit – SCI_TECH – Globaltimes.cn
http://www.globaltimes.cn/content/802482.shtml#.UiPGEmSG1JE

People’s Republic of Cyber Espionage … Xi’an Couple Jailed for Selling Hi-Technology State Secrets
http://www.militaryy.cn/html/52/n-93052.html

People’s Republic of China’s War On Online Gossip Is Starting To Get Scary
http://www.businessinsider.com.au/china-is-waging-a-war-on-online-rumors-2013-8?
People’s Republic of China’s “seven base lines” for a clean internet
http://cmp.hku.hk/2013/08/27/33916/
Canadian fellow tracks China’s censored words
http://www.cbc.ca/news/canada/toronto/story/2013/08/29/toronto-university-munk-school-sina-weibo-censor.html
Netizens & companies behind People’s Republic of China’s $39 billion search engine market (INFOGRAPHIC)
http://www.techinasia.com/china-39-billion-dollar-search-engine-market-in-2013/?
Chinese “black PR” firm controlled hundreds of verified Weibo users, raked in millions
http://www.techinasia.com/chinese-black-pr-firm-controlled-hundreds-verified-weibo-users-raked-millions/?
An Inside Look at the People’s Republic of China’s Censorship Tools
http://blogs.wsj.com/chinarealtime/2013/08/30/an-inside-look-at-chinas-censorship-tools/?
Top microbloggers must well handle discourse power – People’s Daily Online
http://english.peopledaily.com.cn/90782/207872/8385107.html

Beijing security expert calls for greater openness and transparency in Xinjiang
Says Chinese Government should stop information blockades…

http://www.scmp.com/news/china/article/1301450/beijing-security-expert-calls-greater-openness-and-transparency-xinjiang
Attack on rumours a step backwards for transparency in People’s Republic of China
http://www.scmp.com/news/china/article/1301448/attack-rumours-step-backwards-transparency

China investigating corruption allegations against state asset regulator Jiang Jiemin
A move to bring down Zhou Yongkang, the widely-feared former head of China’s security apparatus, has claimed the scalp of one of his senior lieutenants, the former chairman of the giant oil monopoly China National Petroleum Company (CNPC)

http://www.telegraph.co.uk/news/worldnews/asia/china/10278672/China-investigating-corruption-allegations-against-state-asset-regulator-Jiang-Jiemin.html
People’s Republic of China’s Army Day Coverage Stresses Winning Battles with “Dream of a Strong Military”
http://www.jamestown.org/programs/chinabrief/single/?tx_ttnews%5Btt_news%5D=41300&cHash=d9441328a6f257f9f39db71ae6815333#.UiOh3WSG1JE

Mesh networks can help Asia avoid censorship and recover from disasters
http://www.techinasia.com/mesh-networking-asia-avoid-censorship-recover-disasters/?

First free, public malware database launched in Taiwan
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130831000004&cid=1103

People’s Republic of China’s Huawei spokesman tells Intelligence Committee chair to ‘stow it’
http://www.bizjournals.com/sanjose/news/2013/08/30/huawei-spokesman-tells-intelligence.html
People’s Republic of China’s ZTE steps up lobbying after spy fears block US contracts
http://www.scmp.com/business/china-business/article/1300810/zte-steps-lobbying-after-spy-fears-block-us-contracts
EXCLUSIVE TEST: People’s Republic of China’s Huawei switch: Good first effort
http://www.itworld.com/networking/371054/exclusive-test-huawei-switch-good-first-effort
People’s Republic of China’s quest for world-beating brand held back by regime
OP Middle Kingdom…

http://www.theguardian.com/business/2013/sep/01/chinese-brands-thinking-west
Corrupt, anonymous and in thrall to the party – People’s Republic of China is not the new Japan
http://www.theguardian.com/world/2013/sep/01/china-japan-corrupt-anonymous-party
People’s Republic of China, Pakistan pledge to further boost military ties (Sun, 1 Sep 2013)
http://www.greaterkashmir.com/news/2013/Sep/1/china-pakistan-pledge-to-further-boost-military-ties-68.asp
Policy resolves foreigners’ visa extension issue: China
http://www.chinapost.com.tw/china/national-news/2013/09/01/387847/Policy-resolves.htm
People’s Republic of China Moves to Isolate Philippines, Japan
http://thediplomat.com/the-editor/2013/08/30/china-moves-to-isolate-philippines-japan/

An American Cyberoperations Offensive
http://www.nytimes.com/2013/09/01/world/americas/documents-detail-cyberoperations-by-us.html?
Feds plow $10 billion into “groundbreaking” crypto-cracking program
Consolidated Cryptologic Program has 35,000 employees working to defeat enemy crypto.
http://arstechnica.com/security/2013/08/feds-plow-10-billion-into-groundbreaking-crypto-cracking-program/
US Intelligence Community: The World’s 4th Largest Military?
http://thediplomat.com/flashpoints-blog/2013/08/30/us-intelligence-community-the-worlds-4th-largest-military/

Iran plays key role in global campaign against terrorism: intelligence minister
http://www.tehrantimes.com/politics/110416-iran-plays-key-role-in-global-campaign-against-terrorism-intelligence-minister
Why the U.S. Should Use Cyber Weapons Against Syria
http://www.defenseone.com/technology/2013/08/why-us-should-use-cyber-weapons-against-syria/69776/
Drums of cyber war grow louder
http://www.arabnews.com/news/463050
Syria’s largest city just dropped off the Internet
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/30/syrias-largest-city-just-dropped-off-the-internet/
Syrian Electronic Army: If U.S. Attacks ‘We Will Target All of It’
http://mashable.com/2013/08/30/syrian-electronic-army-interview/
Attacking Syria may lead to missile strikes, cyber warfare and terror attacks on US soil, warn military experts
http://www.dailymail.co.uk/news/article-2405362/Attacking-Syria-lead-terror-attacks-cyber-warfare-missile-attacks-US-soil-warn-military-experts.html

Report: Spy Agencies’ ‘Black Budget’ Reveals Intelligence Gaps : NPR
http://www.npr.org/blogs/thetwo-way/2013/08/29/216873944/report-spy-agencies-black-budget-reveals-intelligence-gaps?f
These are the companies alleged to have links to the NSA surveillance scandal
http://gigaom.com/2013/08/30/these-are-the-companies-alleged-to-have-links-to-the-nsa-surveillance-scandal/
Exclusive: Army Admits To Major Computer Security Flaw
Army’s Deputy of Cybersecurity says a security failure can allow unauthorized access to computer files. Instead of fixing it, they are telling soldiers to be more careful.

http://www.buzzfeed.com/justinesharrock/exclusive-army-admits-to-major-computer-security-flaw
NSA misused PRISM – Spied on Al Jazeera, bugged UN headquarters and used for personal spying
http://thehackernews.com/2013/08/nsa-misused-prism-spied-on-al-jazeera.html

Semper Fi ~

謝謝,
紅龍!