New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

MSI is proud to announce a new add-on tool for HoneyPoint Security Server that is designed to help organizations fight the threat of sniffers that might be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that appear to be real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. When attackers try to use these captured credentials to authenticate to the HoneyPoint, they are immediately identified and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field.” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught.”, he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (prior to the end of April) will receive three free HoneyBees to compliment their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems.”, Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conflicker Infections

MSI is proud to announce the instant availability of a LINUX ONLY HoneyPoint GUI tool to capture Conflicker scans and probes.

Conflicker is a significant threat and is expected to wreak havok on April 1, 2009. You can find a ton of information about Conflicker here from various vendors via SANS.

The HoneyPoint Special Edition: Conflicker runs in Linux and is easy to use with just about any LiveCD distro (including Puppy/DSL/gOS, etc.) and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication and Windows was not possible, since the detection requires binding to port 445/TCP which Windows uses for CIFS.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.

Toata Update: Smaller Target List for Now

We caught some changed patterns from the Toata bot-net last night in the HITME. It appears that they have dropped RoundCube from their target probes and are now focusing on Mantis.

The scanning targets list is much smaller this time around, which should increase their speed and efficiency.

Current Toata scanning pattern 03/19/09:


GET /mantis/login_page.php HTTP/1.1

GET /misc/mantis/login_page.php HTTP/1.1

GET /php/mantis/login_page.php HTTP/1.1

GET /tracker/login_page.php HTTP/1.1

GET /bug/login_page.php HTTP/1.1

GET /bugs/login_page.php HTTP/1.1

Of course, the scans also contain the string:

“Toata dragostea mea pentru diavola”

You should check your own sites for these issues and investigate any findings as if they were potentially compromised hosts. This is a widely appearing set of probes.

Finding Conficker with HoneyPoint

With so much press attention to the conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is via exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port to detect scanning/probing hosts using non-Windows systems. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to detect the source IP addresses of infected hosts on the network. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build a scatter sensor or several and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of a myriad of natures.

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

Change the Way You Use (and Pay For) Penetration Testing

For a couple of years now, we have been offering our managed service and menu-based service clients flat rate options for all kinds of penetration testing, assessments and application security. By far, though, the best received and most popular service is our focal point penetration testing service. Let me share with you a situation I had with a client we’ll call “Joe”.

Joe is a 38 year old IT manager for a financial services company. He has been with the organization for more than 6 years and is a hard worker who is known around the company as a “get things done” kind of guy. Joe, like all IT managers today, is facing a cutback in his security staff and is struggling to keep up with the ever-changing threats, vulnerabilities and regulatory landscape that his company faces. He has been a MicroSolved client for several years and we have great rapport.

Joe’s problem is that his once a year penetration testing is just not working. The huge snapshot of his environment doesn’t maintain relevance for long as his staff struggles to respond to the findings and attack the problems that are identified in an overall manner. That’s when Joe comes to me to discuss his issues.

Joe and I spend a couple of hours talking about the problems he is facing and we quickly find a HUGE solution to his problem. Joe and the MSI team break up his IT environment into 4 functional slices. Instead of doing one big penetration test, once per year, we begin to test 1/4 of his environment every quarter. That allows his team to focus on a specific set of his environment for improvement during a given quarter and makes it very easy for him to create measurable security improvements in those targets. This gives him the ammunition he needs to provide continual improvement metrics to his upper management. From the MSI side, it makes the task smaller and faster for our team, and while the human engineer factor is slightly higher since we have to do setup and manual parts 4x, the difference is not really large. We extend terms to Joe’s company that allows him to pay for this service in low monthly payments over the term of the agreement. This makes the security bill from MSI easy to plan for and manage.

This was a couple of years ago. Joe is now approaching the big 4-0 and has been with his company more than 8 years. When we talked last week, Joe renewed his agreement with MSI for FIVE YEARS! He could not say enough about the work that we do with them, how the subscription approach to penetration testing has helped him and how grateful his board is for us letting them create a menu of services (including subscriptions for assessments and pen-testing) and split the cost INTEREST FREE over the five year term!

Joe is one happy client and at MSI that is exactly what we are all about. I love that our team has worked with clients to “get creative” about security problems. We deliver quality reports, do a lot of the heavy lifting for our clients and are always looking for new ways to help them be more successful with our services. Joe has learned just what that can mean to an organization and how my team can even “think outside the box” when it comes to payment terms and contracts. All around, Joe and MSI both have found a win-win relationship doing business together.

Subscription-based, line of business or segment of IT environment, focused penetration testing. It truly, in my opinion, is the future of security assessments. If you would like to discuss just such a solution, drop me a comment, email or tweet (@lbhuston) or feel free to call 614-351-1237 and talk to one of our account managers. We would love to help you get more from your security budget and find creative ways to make security better and more affordable for your organization too!

Breaches Often Stem from Unknown Data? Wow!

While doing some work on Operation Anaconda, I have been spending some time analyzing some of the various known metrics and statistics around the insider threat. One of the findings that I found absolutely amazing is this one from the Verizon report, that 66% of the 500 breaches studied in the report revolved around data that the organization DID NOT EVEN KNOW THEY HAD or DID NOT KNOW WHERE IT WAS in their own IT environment!

That’s ~330 breaches where the victim did not even know either that they had the data in question or did not realize where in the network that data was supposed to be.

This, to me, is alarming. How on Earth can an organization secure what they do not know about? How can a security team possibly be tasked with securing what they don’t know they have? The fact is, they can’t. Thus, the first condition would be for the security teams in these organizations to KNOW WHAT DATA THE ORGANIZATION HAS AND WHERE IT LIVES.

If you are still trying to create security based on perimeters, architectures or anything else that is not data-centric, then this should serve as a wake up call. You must identify all of the data that is in your organization that is at risk. You must know what it is, how it is created/stored/processed/used/destroyed and YOU MUST BUILD SECURITY AROUND IT.

Let me say that again to be clear. You must focus on identifying the data and then on defining security around it!

Please, use this statistic to change your security focus from architecture and IT environment protection to protecting the data. To focus on anything other than securing the data is to fail. Attackers will find the weakest point and when they do, they will attack the confidentiality, integrity and/or availability of the DATA.

As security folks, it is easy to get caught up in the day to day. It is easy to spend way too much time focused on management goals, content filtering, “playing net cop” and all of the other stuff that goes on. BUT, it is critical that we retain the daily focus on knowing what our organization has that needs protected and on where and how we have to protect it. Focus on that and all will be well, fail at it and you’ll eventually be one of the 66% referenced above.

HoneyPoint Helps You Do More With Less


We all know the economy is struggling right now. Budgets are tighter than ever and many companies are forced to find ways to do more with less. Even though cybercrime is on the rise, it doesn’t mean your organization has to suffer. Here are two ways HoneyPoint Products can help you increase efficiency in an economical way.

1) Avoid heavy customization tools – HoneyPoint comes “ready-to-go.” It can be customized but it isn’t necessary for it to work. It’s a great “plug-and-play” product. Once the HoneyPoint Security Server is deployed, attacks are tracked. The HoneyPoint strategy is simple, yet powerfully effective. HoneyPoints are flexible pseudo-server applications that are able to emulate thousands of real services such as web, email, database systems and others. Since these pseudo-services are not real applications, there is no reason for anyone to interact with them in any way. Thus, once deployed, any activity to a HoneyPoint is, by default, suspicious. Since attackers do their work by scanning for and examining services looking for vulnerabilities, the HoneyPoints lie in wait, trapping the attacker in the act of doing the exact thing that attackers seek to do – find vulnerable services!

2) Allow others to do the heavy lifting – Certain security tasks can be outsourced or automated. Sometimes an organization can decrease the total cost of ownership by having someone else do it. Why not allow MicroSolved, Inc. handle some of these security functions such as vulnerability assessment and penetration testing? Our experts can assess your policies, processes and network infrastructure against a variety of baselines including PCI DSS, FFIEC/NCUA/FDIC, NIST, ISO and other industry standard best practices. We routinely provide deep level penetration testing for clients who wish to get a real world view of their IT, network and physical security mechanisms. From blue team assessments to red team testing leveraging the latest techniques in social engineering and simulated attack, MSI’s experience and capabilities clearly separate us from our competition.

With a little creativity, we can all work smarter to not just survive, but thrive during these challenging days!