Wednesday Cyber SA 21AUG2013 – TREMENDOUS Amount of News!

Good Wednesday Morning Fans of Cyber Mania News…

Lots of cyber related news out of the People’s Republic of China today – ENISA & NIST sound off, Islamic Republic of Iran has some noteworthy items and of course the token Russia Cyber story for the cyber fan from Leeds, UK…enjoy!

People’s Republic of China denies role in cyber-attacks on United States; Claim themselves victim of hacking – The Economic Times
http://economictimes.indiatimes.com/tech/internet/china-denies-role-in-cyber-attacks-on-united-states-claim-themselves-victim-of-hacking/articleshow/21931101.cms
Beijing’s Rising Hacker Stars…How Does Mother China React?
http://fmso.leavenworth.army.mil/documents/Beijings-rising-hackers.pdf

People’s Republic of China monitors online chatter as users threaten state hold on the internet
http://www.theguardian.com/world/2013/aug/20/china-internet-listening-citizens-views
Chinese lawyers targeted as Xi Jinping tightens control – Telegraph
http://www.telegraph.co.uk/news/worldnews/asia/china/10254632/Chinese-lawyers-targeted-as-Xi-Jinping-tightens-control.html
Xue Manzi: How Chinese social media can be a force for good
http://www.danwei.com/xue-manzi-how-chinese-social-media-can-be-a-force-for-good/

Chinese Man Who Offered To Install “Hacker” software is arrested – Man who supplied “hacker” software to internet cafés sentenced to three years and fined 100,000 yuan – News – Hackbase Security Network (黑基安全网)
http://www.hackbase.com/news/2013-08-20/116340.html

Conflict Breeds Cyber Attacks | Analysis Intelligence
http://analysisintelligence.com/cyber-defense/conflict-breeds-cyber-attacks/?
Mapped: The 7 Governments the U.S. Has Overthrown – By J. Dana Stuster
http://www.foreignpolicy.com/articles/2013/08/19/map_7_confirmed_cia_backed_coups?page=full

PLA (中國人民解放軍) advancing laser weapons program
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130820000102&cid=1101
中國人民解放軍 (PLA) Lanzhou MAC organizes confrontation training – People’s Daily Online
http://english.people.com.cn/90786/8370233.html
More college students applying for entry into the military, Zhao Shengnan reports in Beijing.
http://english.peopledaily.com.cn/90786/8368846.html
Hagel, Chinese Defense Minister Commit To Cooperation But Tensions Clear
http://breakingdefense.com/2013/08/19/hagel-pla-leader-commit-to-cooperation-but-tensions-clear/?
People’s Republic of China, U.S. agree on new steps to enhance military cooperation – People’s Daily Online
http://english.peopledaily.com.cn/90786/8370788.html
US, People’s Republic of China (中華人民共和國) agree on new ways to enhance military cooperation
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130820000123&cid=1101
Advance toward new type of China-U.S. mil-to-mil relations – People’s Daily Online
http://english.peopledaily.com.cn/90786/8370960.html
Chinese professor warns of “democracy trap” – Xinhua | English.news.cn
http://news.xinhuanet.com/english/indepth/2013-08/20/c_132646879.htm

People’s Republic of China, U.S. Ink Deal to Counter Illicit Atomic Trafficking | GSN | NTI
http://www.nti.org/gsn/article/us-inks-multiple-deals-counter-illicit-atomic-trafficking/
Chinese shipbuilder reveals breakthrough technology – Xinhua | English.news.cn
http://news.xinhuanet.com/english/china/2013-08/20/c_132646180.htm
CNOOC Gas undertakes China’s first floating LNG project – Xinhua | English.news.cn
http://news.xinhuanet.com/english/china/2013-08/15/c_132633910.htm
People’s Republic of China’s Huawei And Security: The Bigger Picture
http://www.crn.com/news/networking/240160101/huawei-and-security-the-bigger-picture.htm?
People’s Republic of China’s Huawei Exec: We Need To Be A Better Communicator
http://www.crn.com/news/networking/240160097/huawei-exec-we-need-to-be-a-better-communicator.htm?

3 reasons Baidu is aiming high in Indonesia
http://www.techinasia.com/3-reasons-why-baidu-expanding-indonesia/?

Business Insider’s Reporting on the (中華人民共和國) People’s Republic of China
http://blog.hiddenharmonies.org/2013/08/business-insiders-reporting-on-china/
JPMorgan Chase Hit With China Bribery Probe
http://www.thenewamerican.com/economy/sectors/item/16360-jpmorgan-chase-hit-with-china-bribery-probe

Apple iPad market share plummets in China as domestic vendors grow
http://www.computerworld.com/s/article/9241731/Apple_iPad_market_share_plummets_in_China_as_domestic_vendors_grow?
Apple said to be close to 4G deal with China Mobile
http://www.wantchinatimes.com/news-subclass-cnt.aspx?cid=1204&MainCatID=12&id=20130816000097
Commentary: Well-behaved int’l firms welcomed in the People’s Republic of China – Xinhua | English.news.cn
http://news.xinhuanet.com/english/indepth/2013-08/19/c_132643309.htm
Xinhua Insight: Police reveal details of GSK China’s alleged violations – Xinhua | English.news.cn
http://news.xinhuanet.com/english/indepth/2013-07/26/c_132574386.htm

Why is China so Afraid of a Small Protest?
http://thediplomat.com/china-power/why-is-china-so-afraid-of-a-small-protest/?
With Bo Xilai on Trial, China Adopts Chongqing Model
http://thediplomat.com/china-power/with-bo-xilai-on-trial-china-adopts-chongqing-model/?

Russia Setting up Cyber Warfare Unit Under Military
http://www.ibtimes.co.uk/articles/500220/20130820/russia-cyber-war-hack-moscow-military-snowden.htm#!

Iran Trains Students to Target Drones
http://defensetech.org/2013/08/19/iran-trains-students-to-target-drones/
Three Major Al-Qaida Forums Disrupted by DDOS Attack
http://news.softpedia.com/news/Three-Major-Al-Qaida-Forums-Disrupted-by-DDOS-Attack-376443.shtml

Digital Dao: The Cyber Kill Chain: Trademarked by Lockheed Martin?
Lockheed Martin is just angry they did not receive a $ SIX BEEELIION Cyber Contract from Uncle Sam…C’mon guys your background check would have caught the traitor Booz Allen Hamilton gave the world 🙂

http://jeffreycarr.blogspot.com/2013/08/the-cyber-kill-chain-trademarked-by.html

Infosecurity… Major Media Organizations Still Vulnerable Despite High Profile Hacks
http://www.infosecurity-us.com/view/34043/infosecurity-exclusive-major-media-organizations-still-vulnerable-despite-high-profile-hacks/
Countering Advanced Persistent Threats with Comprehensive Network Security
http://www.infosecisland.com/blogview/23351-Countering-Advanced-Persistent-Threats-with-Comprehensive-Network-Security-.html
Total Defense | Blog | The cyber-attacks transformation
http://www.totaldefense.com/blogs/2013/08/19/the-cyber-attacks-transformation.aspx?
Angry Kitten…Electronic Warfare Development Targets Fully Adaptive Threat Response Technology
http://www.gatech.edu/newsroom/release.html?nid=228881

Thinking Differently: Unlocking the Human Domain in Support of the 21st Century Intelligence Mission | Small Wars Journal
http://smallwarsjournal.com/jrnl/art/thinking-differently-unlocking-the-human-domain-in-support-of-the-21st-century-intelligence

NIST Updates Patching and Malware Avoidance Guides
http://www.infosecurity-us.com/view/34070/nist-updates-patching-and-malware-avoidance-guides/
Thousands affected in US Energy agency breach
http://www.scmagazine.com.au/News/354011,thousands-affected-in-us-energy-agency-breach.aspx?utm_source=feedly
ENISA Report Outlines Incidents Causing Major Outages at Telcos | SecurityWeek.Com
http://www.securityweek.com/enisa-report-outlines-incidents-causing-major-outages-telcos?

Enjoy!

Semper Fi,

Thank you
紅龍

How Honeypots Can Help Safeguard Your Information Systems

A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.

It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon what you are trying to achieve.

There are two different types of honeypots: production and research. Production honeypots are typically used by companies and corporations. They’re easy to use and capture only limited information.

Research honeypots are more complex. They capture extensive information and are used primarily by research, military, or government organizations.

The purpose of a production honeypot is to mitigate risk to an organization. It’s part of the larger security strategy to detect threats. The purpose of a research honeypot is to collect data on the blackhat community. They are used to gather intelligence on the general threats an organization faces, enabling the organization to plan its response and protect its data.

The value of honeypots lies in their simplicity. It’s technology that is intended to be compromised. There is little or no production traffic going to or from the device. This means that any time a connection is sent to the honeypot, it is most likely to be a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As we say about our HoneyPoint Security Server, any traffic going to or from the honeypot is, by definition, suspicious at best, malicious at worst. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity. What are the advantages to using honeypots?

  1. Honeypots collect very little data. What they do collect is normally of high value. This eliminates the noise, making it much easier to collect and archive data. One of the greatest problems in security is sifting through gigabytes of useless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy to understand format.
     
  2. Many security tools can drown in bandwidth usage or activity. NIDs (Network Intrusion Detection devices) may not be able to handle network activity, and important data can fall through the cracks. Centralized log servers may not be able to collect all the system logs, potentially dropping logs. The beauty of honeypots is that they only capture that which comes to them.
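The rule just described, as an added example (not HoneyPoint code): a small triage script that classifies constructed connection-log lines against the honeypot's address, treats inbound connections as probes or scans (a run of distinct ports from one peer counts as a scan), treats any connection the honeypot itself initiates as a sign of compromise, and carries an allowlist for the DNS-entry and mistyped-address mistakes the passage mentions. The honeypot address, allowed peers, scan threshold and log format are all assumptions.

```python
"""Honeypot connection triage: inbound = probe/scan, outbound from the honeypot =
likely compromise, with a small allowlist for known mistakes and management peers."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HONEYPOT_IP = "10.0.5.20"   # assumed honeypot address (constructed)
# Assumed peers whose traffic to/from the honeypot is expected rather than hostile.
ALLOWED_PEERS = {"10.0.1.53": "internal DNS", "10.0.1.2": "monitoring console"}
SCAN_PORT_THRESHOLD = 4     # assumed: this many distinct ports from one peer is a scan
SEVERITY_RANK = {"info": 0, "suspicious": 1, "malicious": 2}

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

@dataclass
class Finding:
    ts: str
    peer: str        # the non-honeypot side of the connection
    port: int        # destination port
    severity: str    # "info", "suspicious" or "malicious"
    reason: str

def triage_line(line: str) -> Optional[Finding]:
    """Classify one record; returns None when neither endpoint is the honeypot."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if dst == HONEYPOT_IP:      # inbound: nothing legitimate talks to a honeypot
        peer, bad, why = src, "suspicious", "inbound connection to honeypot"
    elif src == HONEYPOT_IP:    # outbound: the honeypot initiating traffic means compromise
        peer, bad, why = dst, "malicious", "honeypot initiated outbound connection"
    else:
        return None
    if peer in ALLOWED_PEERS:   # the DNS/console exceptions the passage mentions
        return Finding(m["ts"], peer, dport, "info", "allowed peer: " + ALLOWED_PEERS[peer])
    return Finding(m["ts"], peer, dport, bad, why)

def triage_log(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]

def summarize(findings: List[Finding]) -> Dict[str, dict]:
    """Roll findings up per peer: worst severity, distinct ports touched, and a label."""
    per_peer: Dict[str, dict] = {}
    for f in findings:
        entry = per_peer.setdefault(f.peer, {"severity": "info", "ports": set()})
        entry["ports"].add(f.port)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity
    for entry in per_peer.values():
        if entry["severity"] == "malicious":
            entry["label"] = "honeypot likely compromised"
        elif entry["severity"] == "suspicious":
            entry["label"] = "port scan" if len(entry["ports"]) >= SCAN_PORT_THRESHOLD else "probe"
        else:
            entry["label"] = "expected"
    return per_peer

# Constructed sample: DNS traffic, a four-port scan, one probe, an outbound callback
# from the honeypot, and an unrelated flow that is ignored.
SAMPLE_LOG = """\
2013-08-21T05:00:01 10.0.1.53:53 -> 10.0.5.20:53 udp
2013-08-21T05:01:10 192.0.2.44:51000 -> 10.0.5.20:22 tcp
2013-08-21T05:01:11 192.0.2.44:51001 -> 10.0.5.20:23 tcp
2013-08-21T05:01:12 192.0.2.44:51002 -> 10.0.5.20:80 tcp
2013-08-21T05:01:13 192.0.2.44:51003 -> 10.0.5.20:3389 tcp
2013-08-21T05:02:00 10.0.7.9:40000 -> 10.0.5.20:445 tcp
2013-08-21T05:03:00 10.0.5.20:49152 -> 198.51.100.7:80 tcp
2013-08-21T05:03:30 10.0.3.3:40001 -> 10.0.6.6:80 tcp
"""
```

Running `summarize(triage_log(SAMPLE_LOG.splitlines()))` yields one entry per peer, with the honeypot's own outbound connection to 198.51.100.7 as the only malicious finding.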

Many of our clients swear by our HoneyPoint family of products to help save resources. With its advantages, it’s easy to see why! Leveraging the power of honeypots is an excellent way to safeguard your data.

 

How HoneyPoint Security Server Minimizes Risk For Your Network

If you’re looking for a security tool that goes beyond NIDS, you’re in luck.

MicroSolved’s HoneyPoint Security Server has revolutionized the ease and power of what honeypots can do and be. With the emergence of HoneyPoint Wasp, you can also apply the HoneyPoint magic to your Windows desktops. 

HoneyPoint Wasp monitors your desktops for any new application it has not seen before (Anomaly Detection). Should Wasp detect new code, the end user never sees a pop-up alert; instead, you are notified and can quickly take action. Should the notification go without follow-up action, HoneyPoint Wasp assumes the application is allowed, and no future notification is sent to the console (Self-Tuning White Listing).
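The notify-then-auto-allow behaviour described above, as an added example that is not HoneyPoint Wasp's own code: a console that learns a baseline of (path, hash) pairs, raises a single alert for a pair it has never seen while recording every host that runs it, and promotes any alert left without follow-up past a grace period into the allowlist. The grace period, the learning window and the hash type are assumptions.

```python
"""Self-tuning application allowlist of the kind the passage describes: a never-seen
(path, hash) pair raises one console alert, and an alert nobody follows up within a
grace period is promoted to the baseline so it is not reported again."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

GRACE_PERIOD = timedelta(days=3)   # assumed: unanswered alerts auto-allow after this long
Key = Tuple[str, str]              # (executable path, file hash); the page mentions MD5,
                                   # SHA-256 is the stronger file identity to use today

@dataclass
class Alert:
    path: str
    digest: str
    first_seen: datetime
    hosts: Set[str] = field(default_factory=set)   # every host seen running this code

@dataclass
class Console:
    learning_until: datetime                          # end of the initial baseline-learning phase
    baseline: Set[Key] = field(default_factory=set)   # pairs accepted as normal
    denied: Set[Key] = field(default_factory=set)     # pairs an analyst marked as unwanted
    pending: Dict[Key, Alert] = field(default_factory=dict)  # open alerts, not yet acted on

    def observe(self, host: str, path: str, digest: str, now: datetime) -> Optional[Alert]:
        """Record that `host` ran `path` with hash `digest`. Returns an Alert only when
        the analyst should be notified; the end user is never shown a pop-up."""
        key = (path, digest)
        if key in self.baseline:
            return None
        if now < self.learning_until:      # learning phase: everything seen becomes baseline
            self.baseline.add(key)
            return None
        if key in self.denied:             # analyst said no: re-alert on every execution
            return Alert(path, digest, now, {host})
        open_alert = self.pending.get(key)
        if open_alert is not None:         # already reported: just record the extra host
            open_alert.hosts.add(host)
            return None
        open_alert = Alert(path, digest, now, {host})
        self.pending[key] = open_alert
        return open_alert

    def act(self, key: Key, allow: bool) -> None:
        """Analyst follow-up on an open alert: allow it (baseline) or deny it (keep flagging)."""
        self.pending.pop(key, None)
        (self.baseline if allow else self.denied).add(key)

    def tune(self, now: datetime) -> List[Key]:
        """Self-tuning white listing: open alerts older than GRACE_PERIOD with no follow-up
        are promoted to the baseline and stop generating notifications."""
        promoted = [k for k, a in self.pending.items() if now - a.first_seen >= GRACE_PERIOD]
        for key in promoted:
            del self.pending[key]
            self.baseline.add(key)
        return promoted
```

The same path with a different hash is a different key, so a replaced binary is reported even when its name is familiar.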

As you’ll see in a moment, the HoneyPoint Security Server is much more than a mere intrusion detection system. It’s an underlying framework of rock-solid code built to achieve three important goals: identify real threats, isolate and tamper with the attacker’s results, and apply “smart” detection processes that let you target attacker availability.

Let’s take a look at each of these goals, and why they matter to what you’re doing online…

Quick Use Case for HoneyPoint Wasp

Several organizations have begun to deploy HoneyPoint Wasp as a support tool for malware “cleanup” and as a component of monitoring specific workstations and servers for suspicious activity. In many cases, where the help desk prefers “cleanup” to turn and burn/re-image approaches, this may help reduce risk and overall threat exposures by reducing the impact of compromised machines flowing back into normal use.

Here is a quick diagram that explains how the process is being used.

If you would like to discuss this approach in more detail, feel free to give us a call to arrange a one on one session with an engineer. There are many ways that organizations are leveraging HoneyPoint technology as a platform for nuance detection. Most of them increase the effectiveness of the information security program and even reduce the resources needed to manage infosec across the enterprise!

MicroSolved’s HoneyPoint Wasp Nominated for TechColumbus Innovation Award

MSI is proud to announce their nomination in the annual Innovation Awards, sponsored by TechColumbus, which recognizes outstanding achievements in technology leadership and innovation. HoneyPoint Wasp has been nominated for Outstanding Product for companies with 250 employees or less. 

We’re thrilled to be nominated. We believe our HoneyPoint Wasp is an excellent product, helping our clients battle bots and malware on their desktops. For more information, please read our press release and visit our HoneyPoint webpage. We look forward to the Awards Dinner in February 2012. Good luck to everyone who has been nominated!

McAfee: 65 Million Malware Samples — And That’s Just the Tip of the Iceberg

I was fascinated by this article that came across my newsfeed earlier this week. In it, McAfee says that they have hit 65 million malware samples in the 2nd quarter of 2011. I have heard similar stories in my frequent conversations with other AV vendors this year. It seems, that the malware cat, truly is out of the bag. I don’t know about you, but it seems like someone forgot to warn the crimeware world about opening Pandora’s box.

One of the things that I think is still interesting about the number of signatures that AV vendors are creating is that they are still hitting only a small portion of the overall mountain of malware. For example, many of the AV vendors do not cover very many of the current PHP and ASP malware that is making the rounds. If you follow me on twitter (@LBHuston), then you have likely seen some of the examples I have been posting for the last year or so about this missing coverage. In addition, in many of the public talks I have been giving, many folks have had wide discussions about whether or not AV vendors should be including such coverage. Many people continue to be amazed at just how difficult the role of the AV vendor has become. With so much malware available, and so many kits on the market, the problem just continues to get worse and worse. Additionally, many vendors are still dealing with even the most simple evasion techniques. With all of that in mind, the role and work of AV vendors is truly becoming a nightmare.

Hopefully, this report will give some folks insight into the challenges that the AV teams are facing. AV is a good baseline solution. However, it is critical that administrators and network security teams understand the limitations of this solution. Simple heuristics will not do in a malware world where code entropy, encoding and new evasion techniques are running wild. AV vendors and the rest of us must begin to embrace the idea of anomaly detection. We must find new ways to identify code, and its behavior mechanisms that are potentially damaging. In our case, we have tried to take such steps forward in our HoneyPoint line of products and our WASP product in particular. While not a panacea, it is a new way of looking at the problem and it brings new visibility and new capability to security teams.

I enjoyed this article and I really hope it creates a new level of discussion around the complexities of malware and the controls that are required by most organizations to manage malware threats. If you still believe that simple AV or no malware controls at all are any kind of a solution, quite frankly, you’re simply doing it wrong. As always, thanks for reading and stay safe out there.

MSI HoneyPoint Featured on Virtualization Security Podcast


Brent Huston, CEO and Security Evangelist of MicroSolved, Inc., was recently a guest for the popular podcast, “Virtualization Security Podcast.”

Brent talked about HoneyPoint Wasp and discussed with other panelists how honeypot technology can help an organization detect real attacks and also the legal ramifications of stealth monitoring.

The Virtualization Practice also featured HoneyPoint in their recent post, “New Virtualization Security Products Available.”

The podcast panelists include:

  • Edward L. Haletky, Author of VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment and virtualization security analyst, as Moderator.
  • Michael Berman, CTO of Catbird Security
  • Iben Rodriguez, Independent Virtualization and Security Consultant and Maintainer of the ESX Hardening Guidance from CISecurity

HoneyPoint Wasp Now Monitors Domain User and Admin Accounts


Do you:

  • Need a quick and easy way to provide monitoring of when new user accounts are created in your AD forest and domains?
  • Need an easy way to know when a user becomes a member of the administrator groups?
  • Want a powerful, flexible and effective tool for knowing what is running on your AD servers and when new code gets executed on these critical devices?

If you answered yes to any of these questions, read on.

HoneyPoint Wasp, a bleeding edge tool for anomaly detection on Windows Desktops and Servers, has just been enhanced with the current release to extend these types of coverage (and more) to Windows 2003 & 2008 servers running an AD context of Primary Domain Controller & Backup Domain Controller. Yes, our customers have been asking for it, and we listened. Now, with a simple, no signature/no tuning/0-interface deployment, you can get centralized monitoring and visibility over your critical AD identity store. You can know what is running on these essential servers all of the time and when new users are created or promoted to administrative status.

Attackers commonly infect AD components as they move through the enterprise, often adding and promoting users as they go. In most incidents we have worked over the last several years, these changes have usually gone unnoticed until it was too late. That’s exactly why we built HoneyPoint in general and Wasp in particular, to answer this dire need and to help turn the tide against malware-based compromises.
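One way to produce the two alerts this passage asks for (new accounts, and users promoted into administrator groups), as an added example rather than Wasp's own mechanism: diff two periodic snapshots of the domain's users and group memberships, rating a brand-new account that lands straight in an admin group highest. The snapshot layout, the watched group list and the sample accounts are assumptions.

```python
"""Detect new domain user accounts and promotions into administrative groups by diffing
two periodic snapshots of the directory. Snapshot shape (assumed):
{"users": {sam_account: enabled_flag}, "groups": {group_name: {member_sam_accounts}}}."""
from typing import Dict, List, Set

# Assumed privileged groups to watch; the built-in names exist in every AD domain.
# Add the organisation's own delegated-admin groups here.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
Snapshot = Dict[str, dict]

def admin_members(snap: Snapshot) -> Dict[str, Set[str]]:
    """Current member set of every watched admin group present in the snapshot."""
    return {g: set(m) for g, m in snap["groups"].items() if g in ADMIN_GROUPS}

def diff_snapshots(before: Snapshot, after: Snapshot) -> List[dict]:
    """One finding per new user account and per new admin-group membership.
    A brand-new account dropped straight into an admin group is rated high."""
    findings: List[dict] = []
    new_users = set(after["users"]) - set(before["users"])
    for user in sorted(new_users):
        findings.append({"event": "user_created", "user": user,
                         "enabled": after["users"][user], "severity": "medium"})
    old_admins, new_admins = admin_members(before), admin_members(after)
    for group, members in new_admins.items():
        for user in sorted(members - old_admins.get(group, set())):
            findings.append({"event": "admin_added", "user": user, "group": group,
                             "severity": "high" if user in new_users else "medium"})
    return findings

# Constructed snapshots an hour apart: two accounts created, one of them dropped
# straight into Domain Admins, and an existing user added to Administrators.
BEFORE: Snapshot = {
    "users": {"alice": True, "bob": True, "svc_backup": True},
    "groups": {"Domain Admins": {"alice"}, "Administrators": {"alice"}, "Sales": {"bob"}},
}
AFTER: Snapshot = {
    "users": {"alice": True, "bob": True, "svc_backup": True, "jsmith": True, "helpdesk2": True},
    "groups": {"Domain Admins": {"alice", "helpdesk2"},
               "Administrators": {"alice", "bob"},
               "Sales": {"bob", "jsmith"}},
}
```

Snapshot diffing cannot see an account created and deleted between two polls, so in practice pair it with security event-log monitoring on the domain controllers.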

Want to discuss how Wasp fits in your organization? Simply drop us a line at: (1info2@3microsolved4.5com6) (remove the numbers/spam protection), or give us a call at 614-351-1237 to discuss it with your account rep. Wasp is powerful, yet easy to use, detection and with it in your corner, “Attackers Get Stung, Instead of YOU.”

Thanks for reading and stay safe out there!

Learning USB Lessons the Hard Way


I worked an incident recently that was a pretty interesting one.
The company involved has an application running on a set of Windows kiosks on a hardened, private network that though geographically diverse, is architected in such a way that no Internet access is possible at any machine or point. The kiosk machines are completely tied to a centralized web-based application at a central datacenter and that’s all the kiosk machines can talk to. Pretty common for such installs and generally, a pretty secure architecture.

The client had just chosen to install HoneyPoint and Wasp into this closed network the previous week to give them a new layer of detection and visibility into the kiosk systems since they are so far apart and physical access to them is quite difficult in some locations. The Wasp installs went fine and the product had reached the point where it was learning the baselines and humming along well. That’s when the trouble began. On Saturday, at around 5am Eastern time, Wasp identified a new application running on about 6 of the kiosk machines. The piece of code was flagged by Wasp and reported to the console. The path, name and MD5 hash did not match any of the applications the client had installed and only these 6 machines were running it, with all of them being within about 20 miles of each other. This piqued our curiosity as they brought us in, especially given that no Internet access is possible on these machines and users are locked into the specific web application the environment was designed for.

Our team quickly isolated the 6 hosts and began log reviews, which sure enough showed outbound attempts on port 80 to a host in China known to host malware and bots. The 6 machines were inspected and revealed a job in the scheduler, set to kick off on Saturdays at 5am. The scheduler launched this particular malware component which appeared to be designed to grab the cookies from the browser and some credentials from the system and users and throw them out to the host in China. In this case, the closed network stopped the egress, so little harm was done. Anti-virus installed on the kiosk machines showed clean, completely missing the code installed. A later scan of the components on virustotal.com also showed no detections, though the sample has now been shared with the appropriate vendors so they can work on detections.

In the end, the 6 machines were blown away and re-installed from scratch, which is the response we highly suggest against today’s malware. The big question was how did it get there? It turned out that a bit of digging uncovered a single technician that had visited all 6 sites the previous week. This technician had just had a baby and he was doing as all proud fathers do and showing off pictures of his child. He was doing so by carrying a USB key with him holding the pictures. Since he was a maintenance tech, he had access to drop out of the kiosk and perform system management, including browsing USB devices, which he did to show his pictures to his friends. This completely human, innocent act of love, though much understandable, had dire results. It exposed the business, the users, the customers and his career to potential danger. Fortunately, thanks to a secure architecture, excellent detection with Wasp, good incident planning and a very understanding boss, no harm was done. The young man got his lesson taught to him and the errors of his ways explained to him in “deep detail”. Close call, but excellent lessons and payoff on hard work done BEFORE the security issue ever happened.

Wasp brought excellent visibility to this company and let them quickly identify activity outside the norm. It did so with very little effort in deployment and management, but with HUGE payoff when things went wrong. Hopefully this story helps folks understand where Wasp can prove useful for them. After all, not all networks are closed to the Internet. Is yours? If you had infected hosts like this and AV didn’t catch it, would you know? If not, give us a call or drop us a line and let’s talk about how it might fit for your team. As always, thanks for reading!

MicroSolved, Inc. Releases New Malware Protection for MS Windows

Our HoneyPoint Wasp 1.50 is cleaner, faster, and more flexible than ever!

COLUMBUS, Ohio March 14, 2011 — MicroSolved, Inc. is pleased to announce their new version of HoneyPoint Wasp 1.50. The new Wasp gives more capability to the security team to easily gain visibility into Windows systems and more power to their efforts to secure them against intrusion.

HoneyPoint Wasp, a tool used to monitor the security of user workstations, has been upgraded with several new features. New behavior-based detections are now included to help extend your existing AV investment. This will provide an extra layer of detection for malware that slips past the AV shield.

Wasp detects infections frequently missed by other malware tools in laboratory testing and real world environments.

“We’re proud of Wasp’s ability to identify compromised systems that other tools and techniques would have shown to be OK, leaving systems online and under attacker control for a longer period than needed,” said Brent Huston, CEO and Security Visionary for MicroSolved. “With HoneyPoint Wasp, you can more quickly and easily take compromised machines away from the attacker and significantly raise the bar in what they have to do to compromise your environment, avoid detection and steal your data.”

To learn more about HoneyPoint Wasp and how it can help an organization protect their desktop network, please visit our HoneyPoint Wasp page!