Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

3 Tips for BYOD

Posted on by
4

I wanted to take a few moments to talk about 3 quick wins you can do to help better deal with the threats of BYOD. While much has been said about products and services that are emerging around this space, I wanted to tack back to 3 quick basics that can really help, especially in small and mid-size organizations.

1. Get them off the production networks – an easy and often cheap quick win is to stand up a wireless network or networks that are completely (logically and physically) separated from your production networks. Just giving folks an easy and secure way to use their devices at the office may be enough to get keep them off of your production networks. Back this up with a policy and re-issue reminders periodically about the “guest network”. Use best practices for security around the wifi and egress, and you get a quick and dirty win. In our experience, this has reduced the BYOD traffic on production segments by around 90% within 30 days. The networks have been built using consumer grade equipment in a few hours and with less than $500.00 in hardware.

2. Teach people about mobile device security – I know, awareness is hard and often doesn’t produce. But, it is worth it in this case. Explain to them the risks, threats and issues with business data on non-company owned devices. Teach them what you expect of them, and have a policy that backs it up. Create a poster-child punishment if needed, and you will see the risks drop for some time. Keep at it and it just might make a difference. Switch your media periodically – don’t be afraid to leverage video, audio, posters, articles and emails. Keep it in their face and you will be amazed at what happens in short term bursts.

3. Use what you already have to your advantage – There are hundreds of vendor white papers and configuration guides out there and it is quite likely that some of the technologies that you already have in place (network gear, AD Group Policy Objects, your DHCP & DNS architectures, etc.) can be configured to increase their value to you when considering BYOD policies and processes. Quick Google searches turned up 100’s of Cisco, Microsoft, Aruba Networks, Ayaya, etc.) white papers and slide decks. Talk to your vendors about leveraging the stuff you already have in the server room to better help manage and secure BYOD implementations. You might save money, and more importantly, you might just save your sanity. 🙂

BYOD is a challenge for many organizations, but it is not the paradigm shift that the media and the hype cycle make it out to be. Go back to the basics, get them right, and make rational choices around prevention, detection and response. Focus on the quick wins if you lack a long term strategy or large budget. With the right approach through rapid victories, you can do your team proud!

The Big Three

Posted on by
2

Information security techniques certainly are improving. The SANS Top Twenty Critical Controls, for example, are constantly improving and are being adopted by more and more organizations. Also, security hardware devices and software applications are getting better at a steady rate. But the question we have to ask ourselves is: are these improvements outpacing or even keeping up with the competition? I think a strong argument can be made that the answer to that question is NO! Last year there were plenty of high profile data loss incidents such as the Target debacle. Over 800 million records were compromised that we know of, and who knows how many other unreported security breaches of various types occurred?

So how are we going to get on top of this situation? I think the starkly realistic answer to that question is that we arent going to get on top it. The problem is the age old dilemma of defense versus attack; attackers will always have the advantage over entrenched defenders. The attackers know where you are, what you have and how you defend it. All they have to do is figure out one way to get over, under or around your defenses and they are successful. We, on the other hand, dont know who the attackers are, where theyre at or exactly how they will come at us. We have to figure out a way to stop them each and every time a daunting task to say the least! Sure, we as defenders can turn the tables on the information thieves and go on the attack; that is one way we can actually win the fight. But I dont think the current ethical and legal environment will allow that strategy to be broadly implemented.

Despite this gloomy prognosis, I dont think we should just sit on our hands and keep going along as we have been. I think we should start looking at the situation more realistically and shift the focus of our efforts into strategies that have a real chance of improving the situation. And to me those security capabilities that are most likely to bear fruit are incident detection, incident response and user education and awareness; the Big Three. Over the next several months I intend to expand upon these ideas in a series of blog posts that will delve tactics and means, so stay tuned if this piques your interest! 

Thanks to John Davis for writing this entry.

SoS Video Post Number 1: TigerTrax M&A & Threat Intel

Posted on by
2

Today, we started trying to record our first attempt at a video blog post. Check it out and let us know what you think.

You can download it from here.

As always, thanks for reading, listening or watching… Stay safe out there! 

You can give us feedback, jeers or encouragement on Twitter (@lbhuston or @microsolved).

Federal Hacking Laws – Some Pointers

Posted on by
Reply

We wanted to close out this series by pulling together some information for clients on the federal laws (US) surrounding computer intrusion and hacking. Here are some pointers for your consideration:

Internet crime is among the newest and most constantly evolving areas of American law. Although the Internet itself is more than three decades old, greater public usage began in the late 1980s with widespread adoption only following in the 1990s. During that decade the Net was transformed from its modest military and academic roots into a global economic tool, used daily by over 100 million Americans and generating upwards of $100 billion in domestic revenue annually. But as many aspects of business, social, political, and cultural life moved online, so did crime, creating new challenges for lawmakers and law enforcement. 

Crime on the Net takes both old and new forms. The medium has facilitated such traditional offenses as fraud and child pornography. But it has also given rise to unique technological crimes, such as electronic intrusion in the form of hacking and computer viruses. High-speed Internet accounts helped fuel a proliferation of copyright infringement in software, music, and movie piracy. National security is also threatened by the Internet’s potential usefulness for terrorism. Taken together, these crimes have earned a new name: when FBI Director Louis J. Freeh addressed the U.S. Senate in 2000, he used the widely-accepted term “cybercrime. 

Source

Great explanation (dated though – 2006) of Section 18 of the US code and their relevant sections to cybercrime.

The main hacking laws are in the US Computer Fraud and Abuse Act passed in 1986 and has undergone several amendments. 


Based on the history of hacking, computer problems caused as a result of hacking were continuously increasing and like recent times ethical hacking became unpopular because of the notoriety of black hats. What do you think? If these laws weren’t there, ha! Imagine what would have been happening. I like the efforts of the US government on hacking. 

Hacking laws according to the US laws(Computer Fraud and Abuse Act) states, 

Hacking Law 1 

1.Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; 

Hacking Law 2 

2.Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains– 

Information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); 

B.Information from any department or agency of the United States; or 

C. Information from any protected computer if the conduct involved an interstate or foreign communication;

Hacking law 3 

3. Intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States; 

hacking law 4 

4 Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; 

A.Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; 

B. Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or 

C. Intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

Source

Reporting Cyber-Crimes:

Every day, criminals are invading countless homes and offices across the nation—not by breaking down windows and doors, but by breaking into laptops, personal computers, and wireless devices via hacks and bits of malicious code. 

The collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 services around the country. 

Who is behind such attacks? It runs the gamut—from computer geeks looking for bragging rights…to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, from rings of criminals wanting to steal your personal information and sell it on black markets…to spies and terrorists looking to rob our nation of vital information or launch cyber strikes. 

Today, these computer intrusion cases—counterterrorism, counterintelligence, and criminal—are the paramount priorities of our cyber program because of their potential relationship to national security. 

Combating the threat. In recent years, we’ve built a whole new set of technological and investigative capabilities and partnerships—so we’re as comfortable chasing outlaws in cyberspace as we are down back alleys and across continents. That includes: 

A Cyber Division at FBI Headquarters “to address cyber crime in a coordinated and cohesive manner”; 

Specially trained cyber squads at FBI headquarters and in each of our 56 field offices, staffed with “agents and analysts who protect against investigate computer intrusions, theft of intellectual property and personal information, child pornography and exploitation, and online fraud”; 

New Cyber Action Teams that “travel around the world on a moment’s notice to assist in computer intrusion cases” and that “gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy;” 

Our 93 Computer Crimes Task Forces nationwide that “combine state-of-the-art technology and the resources of our federal, state, and local counterparts”; 

A growing partnership with other federal agencies, including the Department of Defense, the Department of Homeland Security, and others—which share similar concerns and resolve in combating cyber crime.

Source

How to Report Computer Hackers 

Many computer users fall prey to hackers and the crimes they perpetrate on unsuspecting individuals and companies. If a crime occurs in your home or business, it’s not difficult to report the computer hacker. 

Determine which agency has jurisdiction over the crime. This will depend upon whether the crime was committed at your home or at your business, and the address of that particular location. If you live within city limits, the proper agency will generally be a police department in your town. If you live outside the city limits, within the county, contact your local sheriff’s office. 

Call the non-emergency phone number for your local police department or sheriff’s office to report the crime. Ask to speak with someone in the detective’s division about an Internet crime.

Source

Reporting Computer Hacking, Fraud and Other Internet-Related Crime 

The primary federal law enforcement agencies that investigate domestic crime on the Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE) , the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF) . Each of these agencies has offices conveniently located in every state to which crimes may be reported. Contact information regarding these local offices may be found in local telephone directories. In general, federal crime may be reported to the local office of an appropriate law enforcement agency by a telephone call and by requesting the “Duty Complaint Agent.” 
Each law enforcement agency also has a headquarters (HQ) in Washington, D.C., which has agents who specialize in particular areas. For example, the FBI and the U.S. Secret Service both have headquarters-based specialists in computer intrusion (i.e., computer hacker) cases.

Ohio Laws Around Hacking

Posted on by
5

We are often asked for specific details of the legal issues surrounding hacking, computer intrusion and other criminal acts around infosec. Specifically, many of our Ohio clients ask for specific pointers. As such, similarly to what we did a couple of weeks ago with regard to child pornography, here is some vital information about the topic.

Computer hacking in Ohio falls under unauthorized use of property. Generally this is a misdemeanor of the 4th degree. If the hacking is for the purpose of obtaining property or services and the loss is under $1000 it is a 1st degree misdemeanor. Losses between $1,000-$7,500 it is a 5th degree felony, between $7,500-$150,000 it is a 4th degree felony and over $150,000 it is a 3rd degree felony. If the victim is elderly or disabled, then computer hacking is automatically at least a 5th degree felony, depending on the circumstances. 

This information is directly from the Ohio state government website and should be the most up to date info available.

Statute 2909.04 also has a section on computer intrusion and hacking, prohibiting the aforementioned activities in so far as they may interfere with the ability of public services or emergency response.

This information was obtained here.

To report instances of computer intrusion in Ohio, citizens are directed to contact their local law enforcement/sheriff’s office. In addition, citizens and organizations should also consider notifying the Federal Bureau of Investigation (FBI), as federal laws are also likely to apply. You can contact the FBI directly through a variety of methods detailed here. 

(NOTE: MSI is not providing legal advice of any kind, consult your attorney or council for legal advice. This material is simply meant to be a pointer for education. MSI is NOT qualified to offer legal advice under any circumstance.)

Sources for Tor Access Tools

Posted on by
3

As a follow up to my last couple of weeks posting around Tor and the research I am doing within the Tor network, I presented at the Central Ohio ISSA Security Summit around the topic of Tor Hidden Services. The audience asked some great questions, and today I wanted to post some links for folks to explore the Tor network on their own in as safe a manner as possible.

The following is a set of links for gaining access to the Tor network and a couple of links to get people started exploring Tor Hidden Services.  (Note: Be careful out there, remember, this is the ghetto of the Internet and your paranoia may vary…)

 Once you get into the Tor network, here are a couple of hidden service URLs to get you started:

http://kpvz7ki2v5agwt35.onion – Original hidden wiki site

http://3g2upl4pq6kufc4m.onion/ – Duck Duck Go search engine

http://kbhpodhnfxl3clb4.onion – “Tor Search” search engine

As always, thanks for reading and stay safe out there! 

Great explanation of Tor in Less than 2 Minutes

Posted on by
3

Ever need to explain Tor to a management team? Yeah, us too. That’s why we wanted to share this YouTube video we found. It does a great job of explaining Tor in less than two minutes to non-technical folks.

The video is from Bloomberg Business Week and is located here.

Check it out and circulate it amongst your management team when asked about what this “Tor” thing is and why they should care.

As always, thanks for reading and we hope these free awareness tools help your organization out.

Watching Malware Evolve with TigerTrax

Posted on by
3

Recently, I have been spending a lot of my time working with TigerTrax, our intelligence platform, and using it to further my research into emerging threats. One of the most interesting areas has been using to track and trace the fits and starts of malware evolution using social media data and the web.

TigerTrax is really good at finding and analyzing the data for trends. The visualizations make spotting emerging patterns and even outliers very easy. For example, we noticed a trend around side loading of malware payloads recently. Not an overwhelming trend across all of malware, but associated with a specific group of verticals being targeted. This emerged easily from the graph data and analytics engines. We were able to use that information to inform our customers in that space and increase their capabilities in detection and incident response.

We have only just begun to find the deeper use cases for TigerTrax, but it is already changing the way MSI does work, even the core work of assessments. For example, with a small window of lead time, we can generate specific pattern analysis and cases to support findings in risk assessments, vulnerability and pen-testing work. The engines can keep our scenarios refreshed, keep us up to date with the latest attack vectors and exploits being used in the wild.

All in all, TigerTrax has given us a larger view of infosec, and watching malware evolve through its lens has become an interesting part of what we do at MSI. We look forward to the day when we can discuss more publicly what we are doing with TigerTrax and some of the findings we are generating, but for now, just know that the platform is being used in a myriad of ways, and that new developments are occurring on a daily basis. If you’d like to discuss what TigerTrax can do for your organization, give us a call. We’d be happy to sit down for a briefing with your team.

See You at the Columbus ISSA InfoSec Summit

Posted on by
1

Remember, the Columbus InfoSec Summit is this week. It starts Monday afternoon and runs through Tuesday.

I will be speaking on Monday at 5:30 in Track 1 and my topic is a deep dive into Tor hidden nodes, including how to get business intelligence from them.

Come and say hello. Have a cup of coffee or just a chat. We look forward to seeing you and wish the ISSA a great event!

Child Pornography Resource Materials for Businesses

Posted on by
3

Sadly, as an information security professional, we are sometimes engaged with clients who either suspect or have discovered the presence of child pornography in their computing environment. Another way that such materials come to our attention, is during pen-testing or incident response work, we may discover the materials on a system and be forced to bring the materials to the attention of law enforcement.

In many cases, clients ask us why we are required to notify law enforcement, and/or why they are required to notify law enforcement about this material. Perhaps your organization has struggled with this in the past. In any case, we hope the following information helps organizations understand the US legal requirements for handling such materials. (If you live outside of the US, please consult local legal assistance for your laws and procedures.)(NOTE: MSI is not providing legal advice of any kind, consult your attorney or council for legal advice. This material is simply meant to be a pointer for education. MSI is NOT qualified to offer legal advice under any circumstance.)

The Department of Justice lists the following federal statutes for online child pornography:

  • 18 U.S.C. § 2251- Sexual Exploitation of Children (Production of child pornography)
  • 18 U.S.C. § 2251A- Selling and Buying of Children
  • 18 U.S.C. § 2252- Certain activities relating to material involving the sexual exploitation of minors(Possession, distribution and receipt of child pornography)
  • 18 U.S.C. § 2252A- certain activities relating to material constituting or containing child pornography
  • 18 U.S.C. § 2256- Definitions
  • 18 U.S.C. § 2258A- Reporting requirements of electronic communication service providers and remote computing service providers
  • 18 U.S.C. § 2260- Production of sexually explicit depictions of a minor for importation into the United States

A summary of these laws is that it is the federal law that mandates this duty to report specifically requires that “electronic communication service providers” report child pornography. (18 USC § 2258A. Reporting requirements of electronic communication service providers and remote computing service providers.) An “electronic communications service” means “any service which provides to users the ability to send or receive wire or electronic communications.” The term “electronic communication,” for purposes of the reporting requirement, means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” All of which is to say that both the business/employer that provides the computer or phone system over which the data is communicated, as well as the IT company that helps the employer maintain those systems, are covered by this law. A business or IT service company ignores child porn at its peril. Failing to report the information to the National Center for Missing and Exploited Children violates the Section 2258A reporting requirements. Deleting the material might make the company an accessory to the underlying crime of possessing the information in the first place. Making copies of the material and then transmitting the copies, except at the direction of law enforcement officials or as required by section 2258A, also runs afoul of the laws proscribing possession of child pornography. A first violation of Section 2258A carries a penalty of up to a $150,000 fine. A second violation can be penalized by up to $300,000.

A full summary of other elements of Child Pornography laws from the Department of Justice website is here.

According to the Department of Justice website, to report an incident involving the production, possession, distribution, or receipt of child pornography, file a report on the National Center for Missing & Exploited Children (NCMEC)’s website or call 1-800-843-5678. Your report will be forwarded to a law enforcement agency for investigation and action as detailed here.

It may be required or optional to report to local law enforcement as well, and is dependent on state and local laws and statutes.

According to the National Conference of State Legislatures website, the state of Ohio does not have explicit state policies requiring businesses to report the incident, as detailed here (as of Sept 2013), though again, local statutes may vary by location.

We also found this article, which might be helpful in understanding risks from a legal perspective for businesses who might find child pornography on their server, as it lays out a process for organizations to follow.

Lastly, this white paper from the American Bar Association may also prove useful for organizations.