Thanks to NEOISF & Ohio State Office of the CIO

Posted on October 31, 2012 by Brent Huston

J0289893

Last week we had a great time in Cleveland speaking at the North East Ohio Information Security Summit. Thanks to the folks who came out to hear us speak and to the great staff of NEOISF for making the event such an amazing thing for all who attend. We look forward to next year!

Thanks, as well, to the Ohio State University office of the CIO. We were pleased to participate in the Information Security Day sponsored by the university and Battelle. Thanks to all who attended that event with the threat of Hurricane Sandy looming large. It was a fantastic interaction with some of the next generation of infosec folks and some of the awesome members of the CMH InfoSec community. Thanks for having us participate and especially for asking us to keynote.

The slide decks for both of these talks are available by request. If you would like to have a copy or set up a time to discuss them, have them presented to your team or engage with us about the content either drop us a line in the comments, reach out on Twitter (@lbhuston) or give your account executive a call at (614) 351-1237 ext 215.

Some pictures from the events are available here:

2012 10oct 25 dsc 0065 smaller

NEO Summit – Picture courtesy of Greg Feezel (Thanks Greg!!!)

Ohio State Information Security Day

ICS/SCADA Security Symposium Reminder

Posted on October 29, 2012 by Brent Huston

COLUMBUS, Ohio October 9, 2012 – The second annual ICS/SCADA Security Symposium, to be held November 1 2012 in Columbus, is designed to serve as a level set for teams and organizations who are actively managing production ICS/SCADA environments. Once again, this full day session will include best practices advice, incident response, detection techniques and a current threat briefing focused on ICS/SCADA providers. Presenters will cover a variety of topics about what is working, what is not working so well in terms of information security, network protection and trust management. To learn more about the event and to see if you qualify to attend, please contact us via email (info<at sign>microsolved(<dot>)com) or via phone by calling 614.351.1237 ext 215. Chris Lay (@getinfosechere) is handling the invitee list for the event and will be happy to discuss the event with you in more detail. Attendance is free of charge, meals will be provided and a limited number of seats are still available if you qualify.

Surface Mapping Pays Off

Posted on October 26, 2012 by Brent Huston

You have heard us talk about surface mapping applications during an assessment before. You have likely even seen some of our talks about surface mapping networks as a part of the 80/20 Rule of InfoSec. But, we wanted to discuss how that same technique extends into the physical world as well.

In the last few months, we have done a couple of engagements where the customer really wanted a clear and concise way to discuss physical security issues, possible controls and communicate that information to upper management. We immediately suggested a mind-map style approach with photos where possible for the icons and a heat map approach for expressing the levels of attack and compromise.

In one case, we surface mapped a utility substation. We showed pictures of the controls, pictures of the tools and techniques used to compromise them and even shot some video that demonstrated how easily some of the controls were overcome. The entire presentation was explained as a story and the points came across very very well. The management team was engaged, piqued their interest in the video and even took their turn at attempting to pick a couple of simple locks we had brought along. (Thanks to @sempf for the suggestion!) In my 20+ years of information security consulting, I have never seen a group folks as engaged as this group. It was amazing and very well received.

Another way we applied similar mapping techniques was while assessing an appliance we had in the lab recently. We photographed the various ports, inputs and pinouts. We shot video of connecting to the device and the brought some headers and tools to the meetings with us to discuss while they passed them around. We used screen shots as slides to show what the engineers saw and did at each stage. We gave high level overviews of the “why” we did this and the other thing. The briefing went well again and the customer was engaged and interested throughout our time together. In this case, we didn’t get to combine a demo in, but they loved it nonetheless. Their favorite part were the surface maps.

Mapping has proven its worth, over and over again to our teams and our clients. We love doing them and they love reading them. This is exactly how product designers, coders and makers should be engaged. We are very happy that they chose MSI and our lab services to engage with and look forward to many years of a great relationship!

Thanks for reading and reach out on Twitter (@lbhuston) or in the comments if you have any questions or insights to share.

NE Ohio Security Summit – Come Out & See Us!

Posted on October 24, 2012 by Brent Huston

The NE Ohio Security Summit kicks off tomorrow and runs through Friday evening. Chris Lay (@getinfosechere) and myself (@lbhuston) will be in attendance. I will be speaking on Thursday afternoon about Detection in Depth and some other models for doing nuance detection around the enterprise.

While you are there, check out the booth of Managed HoneyPoint partner Hurricane Labs, and hit Chris up for a cup of coffee and a friendly discussion about our services, partnerships and engagements.

We look forward to a great event and give much thanks to the folks who put this amazing Summit together. They are an awesome team, with a ton of great help and a can-do attitude. Their hard work and dedication is what makes this one of the best Summit events of the year. Stop them in the hall and give them a big thanks for all they do!

As always, thanks for reading. If you mention you read the post and use the code word “snazzy” when you come up to chat, I just might have a little special treat for you. 🙂

PS – My talk is in Bordeaux B at 2:30 PM Eastern. See ya there!

Ask The Security Experts: Mobile Policy

Posted on October 23, 2012 by Brent Huston

This time around, the experts offer insights on this question:

Q: “Dear Experts, what are the key things I need to keep in mind when I write my company’s mobile security policy?” — MK

John Davis starts us off with:

I would say the most important thing is to actually write your own policy; don’t just copy a generic mobile security policy from the Internet and adopt it as your own. For a mobile security policy to be effective, it needs to be tailored to meet your organizations particular information security requirements and also needs to reflect the reality of mobile device use at your organization. It won’t do you much good to forbid using mobile devices for business purposes if you have no mechanisms in place to prevent or detect such uses. Effective information security policy, like effective statute law, is both practical and enforceable.

Adam Hostetler added:

Keep in mind what kind of current security policies you have, and try to apply that to the mobile sphere. Users need to understand that they are connecting an additional computer to the network, and not just a “phone”. Keep in mind also what kind of deployment you are using. Is it bring your own device, or is it company provided? There will be different policies and procedures for each method and possible user backlash depending on how you are doing this.

As always, thanks to the experts for weighing in, and to the readers for the questions. Keep them coming!

Recovering Data from Dead Hard Drives

Posted on October 17, 2012 by Brent Huston

We caught this post on Lifehacker a few days ago and thought they did a pretty good job of handling a pretty frequent question. How many times have you been asked about data recovery? For us, we always ask “You have that backed up, right?”, in return.

Sadly, few people seem to backup their data, even though that is one of the basic foundations of protecting information.

If you are or know someone who gets into this predicament, we hope this approach helps.

In the meantime, where did you put your backup disk? You have one, right??? 🙂

Ask The Experts: Insights on Facebook Friends

Posted on October 15, 2012 by Brent Huston

This time around, the experts tackle this question:

Q: “Hey Security Experts, should I be friends with everyone that asks on Facebook? What’s the risk of friending people I don’t really know? Can we be friends on Facebook?” –Scott918

Adam Hostetler weighed in with:

I wouldn’t recommend accepting friends request for anyone on Facebook, unless you actually know them. This especially goes for somebody that claims they work at the same company as you, as it really could be somebody building a network of targets to social engineer.

Take advantage of Facebook privacy settings also. Don’t make your information public, and only make it viewable by friends. I would even recommend against putting too much personal information on there, even if it is only among friends. There have been security issues in the past that allow people to get around privacy controls, and Facebook really doesn’t need a lot of information from you anyway.

John Davis added:

The short answer is NO! I’m a big believer in the tenet the you DON’T want the whole world to know everything about you. Posting lots of personal facts, even to your known friends on Facebook, is akin to the ripples you get from tossing a pebble into still water – tidbits of info about you radiate out from your friends like waves. You never know who may access it and you can never get it back! There are lots of different people out there that you really don’t want as your friend – I’m talking about everything from annoying marketers to thieves to child molesters. People like that are trying to find out information about you all the time. Why make it easy for them?

Finally, Phil Grimes chimed in:

Facebook is a ripe playground for attackers. This is something I speak about regularly and the short answer is NO, absolutely not. If you don’t know someone, what is the benefit of “friending” them? There is no benefit. On the contrary, this opens a can of worms few of us are prepared to handle. By having friends who aren’t really friends one risks being attacked directly, in the case of the unknown friend sending malicious links or the like. There is also the risk of indirect attack. If an attacker is stalking Facebook pages, there is a lot of information that can be viewed, even if you think your privacy settings are properly set. Stranger danger applies even more on the Internet.

So, while they may not be your friends on Facebook, you can follow the Experts on Twitter (@microsolved) or keep an eye on the blog at http://www.stateofsecurity.com. Until next time, stay safe out there!

Port 9100/TCP Probes

Posted on October 11, 2012 by Brent Huston

We have been seeing probes to port 9100/TCP in the HITME for a while and decided to check out some of the activity and post about it, so others could know what is going on there.

The connections come from a few sources, often universities, and don’t seem to be anything more than misconfigurations of devices in their environment. The connections that come in on port 9100 often contain the “@PJL INFO PRODINFO” strings, which are apparently tied to the HP Printer Job Language (PJL). Basically, the command is supposed to dump out identifying data from the printer and return it to the user. This data includes a variety of configuration data and other details about the device. You can find an example here.

The port 9100 connections usually coincide with a connection to port 80/TCP on the same host. This port 80 connection looks something like this (with IP address info in the x.x.x.x string):

“GET / HTTP/1.1\nAccept-Encoding: identity\nHost: x.x.x.x\nConnection: close\nUser-Agent: Python-urllib/2.7\n\n”

Now this is a little interesting. It is likely meant to be a validation probe that the printer device’s embedded web server is online and that the device is operational. BUT, the “Python-urllib/2.7” made us suspicious. Perhaps this isn’t a usual printer request?

A little Google searching pretty quickly shows that HP’s implementation of CUPS, that is the unix printing mechanism, strongly leverages this Python library. So, that might not make it suspicious as most folks might think.

So, we did the next thing in our bag of tricks, and returned valid connections from HoneyPoint on those ports. Our waiting finally came to fruition and lo and behold, we got more connections of the same nature. This time though, we also got a print job for the “printer” to print. What did we get? Spam, of course. Printer spam. An ad to buy some stuff, that needless to say, we don’t really need. 🙂

So, what are those port 9100 probes? What is the basis behind that “@PJL INFO PRODINFO” in your logs? Nothing more than spam attempts to waste your paper, ink/toner and time. Hey, it could have been worse, right? 🙂

Obviously, turning off port 9100/TCP from the Internet will help prevent this stuff from coming into your organization. It looks like a few malware folks have added this capability to their spyware/adware routines as well, so if you have 9100 blocked from the Internet and see printer spam coming in, track the print jobs back to a workstation if possible and do the turn and burn routine. Let us know if you have any questions or issues, and we will keep our ears and eyes open on port 9100 traffic and drop some more info if we see anything that looks wormy or the like.

MSI ongoing assessment customers will note that port 9100 signatures are routinely tested and you would be notified of any illicit behaviors found during your assessments.

PS – There have been some “worm” like behaviors on port 9100 in the past, including a couple of pieces of printer malware. We didn’t see it in this case, but we know it’s out there…Here is an example of some of what may be lurking in your printer…

MSI Announces The Second Annual ICS/SCADA Security Symposium

Posted on October 9, 2012 by Brent Huston

Touchdown Task for Fall: Prepare Your Holiday Coverage Plan

Posted on October 4, 2012 by Brent Huston

J0289377

The holidays are right around the corner. Use some cycles this month to make sure your IT support and infosec teams have a plan for providing coverage during the holiday season.

Does your help desk know who to call for a security incident? Do they have awareness of what to do if the primary and maybe even secondary folks are out on holiday vacation? Now might be a good time to review that with them and settle on a good plan.

Planning now, a couple of months before the holiday crush, just might make the holiday season a little less stressful for everyone involved. Create your plan, socialize it and score a touchdown when everyone is on the same page during the press of the coming months!

MSI :: State of Security

Insight from the Information Security Experts

Monthly Archives: October 2012