Reflections on a Past Vulnerability, Kind Of…

 Recently, someone asked me about a vulnerability I had found in a product 15 years ago. The details of the vulnerability itself are in CVE-1999-1141 which you can read for yourself here.

Apparently, some of these devices are still around in special use cases and some of them may not have been updated, even now, 15 years after this issue came to light and more than 13 years after Mitre assigned it a 7.5 out of 10 risk rating and an associated CVE id. That, in itself, is simply shocking, but is not what this post is about.

This post is about the past 15 years since I first made the issue public. At that time, both the world of infosec and I were different. I still believed in open disclosure, for example. However, shortly after this vulnerability research experience, I started to choke back on that belief. Today, I still research and discover vulnerabilities routinely, but I handle them differently.
 
I work with the vendor directly, consult with their developers and project teams as much as they let me, and then allow them to work through fixing their products. Some of these fixes take a very, very long time and some of them are relatively short. Sometimes the vendors/projects give me or MicroSolved public credit, but often they do not. Both are OK under the right circumstances, and I am much happier when the vendors ask us if we want to be credited publicly, but I am content if they fix the problems we find in many cases. We do our very best to be non-combative and rational with all of them in our discussions. I think it is one of the reasons why application and device testing in our lab is so popular — better service and kindness go a long way toward creating working relationships with everyone.
 
Now, I don’t want to dig into the debate about open disclosure and non-disclosure. You may have different opinions about it than I do, and I am perfectly fine with that and willing to let you have them. I choose this path in vulnerability handling because in the end, it makes the world a safer place for all of us. And make no mistake, that’s why I do what I do nearly every day and have done what I have done for more than 20 years now in information security.
 
That’s really what this post is about. It’s about change and commitment. I’m not proud of releasing vulnerability data in 1997, but I’m not ashamed of it either. Times have changed and so have I. So has my understanding of the world, crime and security. But at the bottom of all of that change, what remains rock solid is my commitment to infosec. I remain focused, as does MicroSolved, on working hard every day to make the world a safer place for you and your family.
 
In November of 2012, MSI will enter its 20th year in business. Twenty years of laser focus on this goal, on the work of data protection, and on our customers. It’s an honor. There is plenty of tradition, and plenty of change to reflect on. Thanks to all of you for giving me the opportunity to do so.
 
Now that I have nostalgia out of the way, if you are still using those old routers (you know who you are), replace those things! 
 
As always, thanks for reading and stay safe out there! 

Credit Unions and Small Banks Need Strong Security Relationships

With all of the attention in the press these days on the large banks, hacking, and a variety of social pressures against the financial institutions, it’s a good time to remember that credit unions and small banks abound around the world, too. They may offer an alternative to the traditional big banking you might be seeking, but they sometimes offer an alternative to the complex, well staffed information security teams that big banks have to bear against attackers and cyber-criminals, too.
 
While this shouldn’t be a worry for you as a consumer (in that your money is secure in a properly licensed and insured institution), it should be a concern for those tasked with protecting the data assets and systems of these organizations.
 
That’s where strong vendor relationships come in. Partnerships with good solution providers, security partners, virtual security teams and monitoring providers can be very helpful when there are a small number of technical resources at the bank or credit union. Ongoing training with organizations like SANS, CUISPA and our State of the Threat series is also very likely to assist the resources they do have in being focused against the current techniques used by attackers. Whether with peers or vendors, relationships are a powerful tool that help security admins in the field.
 
Smaller organizations need to leverage simple, effective and scalable solutions to achieve success. They simply won’t have the manpower to manage overwhelming alerts, too many log entries or some of the other basic mechanisms of infosec. They either must invest in automation or strategically outsource some of those high resource functions to get them done. If your bank has a single IT person who installs systems, manages software, secures the network, helps users, and never goes on vacation; you have one overwhelmed technician. Unfortunately, this all too common. Even worse is that many times, the things that can’t be easily done sometimes end up forgotten, pushed off or simply ignored. 
 
In some cases, where some of the security balls may have been dropped, attackers take advantage. They use malware, bots, social engineering and other techniques to scout out a foothold and go to work on committing fraud. That’s a bad way to learn the lessons of creating better security solutions.
 
So, the bottom line is if you are one of these smaller organizations, or one of the single technicians in question, you need to find some relationships. I suggest you start with your peers, work with some groups in your area (ISSA, ISACA, ISC2, etc.) and get together with some trusted vendors who can help you. Better to get your ducks in a row ahead of time than to have your ducks in the fire when attackers come looking for trouble. 

HoneyPoint Tales: Conficker Still Out There

I had an interesting conversation this week over email with a security admin still fighting Conficker.

If you haven’t recalled Conficker in a while, take a moment and read the wikipedia entry here: (http://en.wikipedia.org/wiki/Conficker). Back in 2008, this nasty bugger spread across the net like wild fire. It was and is, quite persistent. 

Back in those days, we even put out a free version of HoneyPoint called HPConficker to act as a scatter sensor for detecting infected hosts on networks around the world. That tool expired eventually, and to be honest, we stopped really tracking Conficker back in 2010 to move on to studying other vectors and exploits. I hadn’t even thought about the HPConficker tool since then, until this week. 
 
In order to help this admin out as they battled the worm, I came in on a vacation day, dug the old code out of the source vault and updated it to run through the end of 2012. I then built a quick compile, zipped it (in my hurry forgetting to remove the OS X file noise) and sent it on to the sales person who was helping the client directly. When I heard that the zip file with OS X noise was a problem, I quickly cleaned the zip and sent it back up to the server for them to re-download, install and use. Sadly, I haven’t yet had time to build a readme file or the like, but the tool is pretty easy to use. Unzip it with folder extraction enabled, execute it and follow the GUI instructions. I haven’t heard back from my new security admin friend, but I hoped it helped them fight the good fight.
 
I took a couple of key points from this: 1) Conficker is still around and causing trouble; and 2) Helping people with HoneyPoint is still one of the core reasons I do what I do.
 
I may not say it often enough, but, thanks to all of you for playing with my toys. Since 2006, the knowledge gained, the insights and the outright chance to help people with my software has been a great joy. I look forward to pursuing it for many years to come. 
 
Keep playing with HoneyPoint. Keep talking to us. We want to engage, and we want to help YOU solve YOUR problems. At the core, that’s what MSI is all about. As always, thanks for reading and stay safe out there!
 
PS – We haven’t decided if we are going to release the tool again. If you want it and it can help you, drop me a line in the comments, send me a tweet (@lbhuston) or get in touch. Even if we don’t push it out in public on the site, it’s here if you need it…

The Changing World of Information Security Compromises

Because of the evolving nature of the attacker populace and their adoption of social media and open source mechanisms for crime ware tool development; new threat models are being applied across the board to sites that either had no attention on threat management or were woefully unprepared for the threat models that got focused against them. Hacktivism is indeed an extended threat for information security.

You can be targeted for your business partnerships, role in the supply chain, political leanings, or public position — OR simply to steal CPU cycles/storage from your systems because of your valuable data or simply because you have a common vulnerability. There are a myriad of reasons from the directly criminal to the abstract.

Social media and the traditional media cycles are simply amplifying the damage and drawing attention to the compromises that would not have made the news a few years ago. Web site defacements get linked to conspiracy groups. Large attacker movements get CNN headlines whereas they were basically ignored by most just a short while ago.

However, the principles of what you can do about insecurity and compromises remains the same. Do the basics of information security and do them well. Know what you have and its posture. Take the basic steps to understand its life cycle and provide protections for the important data and systems. 
 
Implement vulnerability management, reduce your vulnerabilities, increase your detection/visibility capabilities and have a PLAN for when something goes wrong. Practice your plan and accept that failure is going to occur. Adopt that as a point of your engineering. It may sound simplistic, but doing the basics and doing them well, pays off time and time again. Apart from seeking whiz-bang, silver bullets; the basic controls established by The 80/20 Rule of Information Security, the SANS CAG and the other common baselines that are threat focused continues to provide stable, measurable, effective safety for many organizations.
 
That’s it. Do those things and you are doing all you can do. If an attacker focuses their attention on you, they will likely get some form of compromise. How much they get, how long they have access, and how bad it hurts is up to you.
 
Just my 2 cents. Thanks for reading!

MSI Strategy & Tactics Talk Ep. 24: When Outsourcing Security Tasks Goes Wrong

Outsourcing security tasks can be beneficial to a busy organization. But is there a possible downside? What questions should that organization ask when outsourcing part of their information security tasks?  In this episode of MSI Strategy & Tactics, the techs discuss an incident that happened when an organization outsourced a part of their system administration tasks to an outside consulting firm.  If you are considering outsourcing part of your security tasks, you’ll want to listen! Discussion questions include:

  • How important is it for vendors to vet employees before sending them into the field?
  • How important is it for organizations to be able to see that the vendors have thoroughly done this?
 
Panelists:
Brent Huston, CEO and Security Evangelist
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator
 

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Stealth Code for New Mutation of PHP Bot Infector

Recently, I found another new mutation of a PHP bot infector, with zero percent detection by anti-virus software. There was an anti-security tool code included, as well. 

For those interested, you can view this link to see that the total number of anti-virus detections was 0.

However, when I decoded the PHP backdoor, I got 17 anti-virus hits on it. It seems they locked into the c99 backdoor code remnants, which is a pretty old backdoor PHP trojan. This leads to the question about evasion techniques and how effective anti-virus applications are at doing code de-obfuscation. For example, if you want a currently effective AV evasion technique in PHP, it comes down to this simple line of code: (gzinflate(str_rot13(base64_decode($code)))); – There’s the cash money key in terms of evading most, if not all, current anti-virus tools.

However, if you have a process that runs grep against your files  looking for base64_decode and alerts you to new ones, you’ll get visibility to it and many, many others like it. Base64 encoding is still quite a popular call in PHP attack and compromise tools.

Here are some examples of this specific trivial control — here, and here. Now you have a real life example of how it pays off. So simple, yet so effective at detecting these slippery backdoors.

Finding specific nuance controls that pay off against specific threats to your assets is a key way to better security. It’s a win, all around!

Deeper Than X-Ray Vision: Device Configuration Reviews

Many of our assessment customers have benefitted in the last several years from having their important network devices and critical systems undergo a configuration review as a part of their assessments. However, a few customers have begun having this work performed as a subscription, with our team performing ongoing device reviews of one to three devices deeply per month, and then working with them to mitigate specific findings and bring the devices into a more trusted and deeply hardened state.

From credit unions to boards of elections and from e-commerce to ICS/SCADA teams, this deep and focused approach is becoming a powerful tool in helping organizations align better with best practices, the 80/20 Rule of Information Security, the SANS CAG and a myriad of other guidance and baselines.

The process works like this:
  1. The organization defines a set of systems to be reviewed based on importance, criticality or findings from vulnerability assessments.
  2. The MSI team works with the organization to either get the configurations delivered to MSI for testing or to access the systems for local assessments in the case of robust systems like servers, etc.
  3. The MSI team performs a deep-level configuration assessment of the system, identifying gaps and suggested mitigations.
  4. The MSI team provides a technical level detail report to the organization and answers questions as they mitigate the findings.
  5. Often, the organization has the systems re-checked to ensure mitigations are completed, and MSI provides a memo of our assertions that the system is now hardened.
  6. Lather, rinse and repeat as needed to continually provide hardening, trust and threat resistance to core systems.
Our customers are also finding this helpful as a separate service. Some smaller credit unions and IT departments may simply want to identify their critical assets and have this deep-level review performed against them in advance of a regulatory audit, to prepare for the handling of new sensitive data or important business process or simply to harden their environment overall.
 
Deep-dive device configuration reviews are affordable, easy to manage, and effective security engagements. When MSI works with your team to harden what matters most, it benefits your team and your customers. If you want to hear more about these reviews, engage with MSI to perform them; or to hear more about device/application or process focused assessments, simply drop us a line or give us a call. We would be happy to discuss them with you and see how we can help your organization get clarity with a laser-focus on testing the systems, devices and processes that you value most.
 
As always, thanks for reading and stay safe out there! 

Speed Bumps and Information Security

On Twitter, Brent Huston (@lbhuston), CEO and Security Evangelist, posed this question: Does the introduction of speed bumps into a neighborhood reduce overall burglaries and  petty crime?

There was some speculation that it may not impact burglaries but could impact violent crime. An Oakland study showed that bumps decrease the casual traffic pattern by 33%. As it turns out, speed bumps decrease speeding by 85%. Less casual traffic means less scouting for break-ins. So, speed bumps make you more secure. A study done by the Portland Bureau of Transportation shows a full examination of the impact of speed bumps.

Although speed bumps may deter criminal traffic, there’s a good possibility that the criminals just head toward an area that doesn’t have speed bumps. The same can be true with hardening your home security. If you take precautions and make your home more difficult to enter, the burglar may instead target one of your neighbor’s homes.

Although there may be instances where criminal activity increased due to speed bumps, those are not common and serve as the exception rather than the rule. Still, logic dictates that with more controls comes a decrease in crime. (Less speeding, less petty crime.)

And if you do find yourself in a neighborhood with speed bumps, slow down. They can sometimes break the cars of speeders

This leads us to the next question: What do speed bumps tell us about information security?

Can minor annoyances to attackers increase our overall security? What kind of speed bumps can you think of that might help?
 
Of course, honeypots, especially those that do misdirection and black holing are good cyber speed bumps. Curious about using honeypots as your deterrent against attacks? Give us a call and we’ll show you how to put a few of these “speed bumps” into your network. We promise they won’t damage your alignment!

 

Apple’s PC Free Feature: Insecure But Maybe That’s a Good Thing?

At least in the case of stolen devices.

The fervor for the newest iOS for Apple was building throughout 2011, and those who utilized the Apple iPhone and iPad felt a great sense of anticipation for Apple’s Worldwide Developers Conference (WWDC). Feature speculation floated around the Internet, leading to the launch date of iOS 5. What latest and greatest features and functionality would be announced?

Rumors were laid to rest at WWDC in June 2011 as the late Steve Jobs made one of his last public appearances to promote the launch of the newest mobile iOS, available October 12, 2011. New features included iMessage and numerous integration points with Twitter, the ability to hold your iPhone like a camera and “click” with the volume button, and the ability to sync your device with iCloud. The PC Free feature finally freed iOS users from the cord, no longer requiring them to connect their device to their Mac or PC to sync photos, music and software updates.  

As long as the user was sharing the same Apple ID, a photo, for example, would be uploaded to the cloud and pushed to each device running the newest iOS.  

During the WWDC keynote, MicroSolved, Inc’s CEO, Brent Huston, spent considerable time on Twitter discussing the lack of built-in security for the new iOS. He made the point that each unique identifier (in this case, the Apple ID) on numerous devices would allow possibly unwanted users to see information they shouldn’t see. He used the example of a parent downloading and viewing patient medical data (such as an MRI scan) on their Apple device. Instantly, the image would upload to the cloud and be pushed to any user sharing the same Apple ID. In theory, the images would be shared with the spouse’s iPad and the daughter’s iPhone or iPod. In the case of medical data, this would pose serious HIPAA/HIPAA HITECH violations.

He shared other examples of syncing photos meant “for your eyes only,” which would be shared into the photo stream. I shuddered when I imagined how many conversations of  “Where were you last night?” would happen as a result. 

While the “doom and gloom” scenarios will surely play out (And they did in the case of the gentleman who used “Find my Friend” to catch a cheating spouse.), this newest feature has actually helped victims of stolen Apple devices catch kleptomaniacs.

Recently, the seamless sync feature led authorities in Hilliard, Ohio directly to thieves.  During a home burglary, they stole an iPad among other items. The homeowner suddenly noticed a number of new photos in his Photo Stream — pictures of people he didn’t know or recognize.  As it turned out, the iPad thieves were taking photos of themselves and unknowingly sharing their identity with the users who shared the Apple ID — including the dad who notified local police.

While this is great news in the case of the photogenic iPad snatcher, it does appear Dad didn’t have the lock feature on; which if he had, would have prevented the iPad from uploading photos to the cloud. We at MSI encourage device users to take advantage of all security features, but in this case, the father’s actions (or lack thereof)  worked in his favor.

Moral of the story: educate yourself regarding your device’s safety features and utilize the GPS function when needed.

Stay safe out there! 

MSI Strategy & Tactics Talk Ep. 22: 3 Tasks a Security Administrator Hates To Do (But Needs To Do)

It’s an understatement to say a security administrator is busy. In the quest to achieve POLA (Principle of Least Access), it’s easy to overlook other tasks that can make a huge difference in your overall security strategy.  In this episode of MSI Strategy & Tactics, the techs discuss three tasks that if consistently put on hold, will eventually cause havoc in your world. If you’re a security administrator, take a listen! Discussion questions include:

  • Password Management: Why is this an issue and what can a security administrator do that will make it easier?
  • Log Reviews: How can this task be better organized?
  • Why is documentation often overlooked and what can a security administrator do to change it?
Tools mentioned:
 
Panelists:
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!