About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Port 9100/TCP Probes

We have been seeing probes to port 9100/TCP in the HITME for a while and decided to check out some of the activity and post about it, so others could know what is going on there.

The connections come from a few sources, often universities, and don’t seem to be anything more than misconfigurations of devices in their environment. The connections that come in on port 9100 often contain the “@PJL INFO PRODINFO” string, which is tied to the HP Printer Job Language (PJL). Basically, the command is supposed to dump out identifying data from the printer and return it to the user. This data includes a variety of configuration data and other details about the device. You can find an example here.

The port 9100 connections usually coincide with a connection to port 80/TCP on the same host. This port 80 connection looks something like this (with IP address info in the x.x.x.x string): 

“GET / HTTP/1.1\nAccept-Encoding: identity\nHost: x.x.x.x\nConnection: close\nUser-Agent: Python-urllib/2.7\n\n”

Now this is a little interesting. It is likely meant to be a validation probe that the printer device’s embedded web server is online and that the device is operational. BUT, the “Python-urllib/2.7” made us suspicious. Perhaps this isn’t a usual printer request?

A little Google searching pretty quickly shows that HP’s implementation of CUPS (the Unix printing mechanism) strongly leverages this Python library. So, that might not be as suspicious as most folks might think.

So, we did the next thing in our bag of tricks, and returned valid connections from HoneyPoint on those ports. Our waiting finally came to fruition and lo and behold, we got more connections of the same nature. This time though, we also got a print job for the “printer” to print. What did we get? Spam, of course. Printer spam. An ad to buy some stuff, that needless to say, we don’t really need. 🙂

So, what are those port 9100 probes? What is the basis behind that “@PJL INFO PRODINFO” in your logs? Nothing more than spam attempts to waste your paper, ink/toner and time. Hey, it could have been worse, right? 🙂

Obviously, turning off port 9100/TCP from the Internet will help prevent this stuff from coming into your organization. It looks like a few malware folks have added this capability to their spyware/adware routines as well, so if you have 9100 blocked from the Internet and see printer spam coming in, track the print jobs back to a workstation if possible and do the turn and burn routine. Let us know if you have any questions or issues, and we will keep our ears and eyes open on port 9100 traffic and drop some more info if we see anything that looks wormy or the like. 
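One way to pick this pattern out of honeypot or firewall connection logs, as an added example that is not HoneyPoint code or anything from the original post. The record layout and the sample records are constructed, and the five-minute correlation window is an assumption:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed "timestamp|src_ip|dst_port|payload"
# layout; payload newlines are escaped as \n so each record stays on one line.
SAMPLE_LOG = r"""2012-10-01T10:15:02|192.0.2.10|9100|@PJL INFO PRODINFO\r\n
2012-10-01T10:15:03|192.0.2.10|80|GET / HTTP/1.1\nAccept-Encoding: identity\nHost: x.x.x.x\nConnection: close\nUser-Agent: Python-urllib/2.7\n\n
2012-10-01T10:15:09|192.0.2.10|9100|@PJL JOB\r\nBUY CHEAP TONER NOW!!!\r\n
2012-10-01T11:00:00|198.51.100.7|80|GET / HTTP/1.1\nHost: x.x.x.x\nUser-Agent: Mozilla/5.0\n\n
2012-10-01T12:30:00|203.0.113.5|9100|@PJL INFO PRODINFO\r\n"""


def parse_log(text):
    """Split each record into its fields and decode the escaped payload."""
    events = []
    for line in text.splitlines():
        ts, src, port, payload = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "port": int(port),
                       "payload": payload.encode().decode("unicode_escape")})
    return events


def classify(event):
    """Label one connection by what the source actually sent to the honeypot."""
    payload, port = event["payload"], event["port"]
    if port == 9100:
        # Anything on 9100 that is not the PJL identification query is treated as a job.
        return "pjl_info_probe" if "@PJL INFO PRODINFO" in payload else "print_job"
    if port == 80 and re.search(r"^User-Agent: Python-urllib", payload, re.M):
        return "urllib_http_probe"
    return "other"


def correlate(events, window=timedelta(minutes=5)):
    """Group connections by source and decide whether they fit the spam pattern."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], classify(e)))
    findings = {}
    for src, kinds in by_src.items():
        probes = [ts for ts, k in kinds if k == "pjl_info_probe"]
        if not probes:
            continue  # a lone port 80 hit is not the pattern this post describes
        # The port 80 check only counts if it lands close to a PJL probe from the same host.
        http_check = any(k == "urllib_http_probe" and any(abs(ts - p) <= window for p in probes)
                         for ts, k in kinds)
        jobs = sum(1 for _, k in kinds if k == "print_job")
        verdict = "printer-spam" if jobs else ("pjl-probe-with-http-check" if http_check else "pjl-probe")
        findings[src] = {"http_check": http_check, "print_jobs": jobs, "verdict": verdict}
    return findings
```

A source that sends a print job after the PJL query is reported as printer spam; a source that only queries is reported as a probe so it can be watched without raising an alarm.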

MSI ongoing assessment customers will note that port 9100 signatures are routinely tested and you would be notified of any illicit behaviors found during your assessments.

PS – There have been some “worm” like behaviors on port 9100 in the past, including a couple of pieces of printer malware. We didn’t see it in this case, but we know it’s out there…Here is an example of some of what may be lurking in your printer… 

MSI Announces The Second Annual ICS/SCADA Security Symposium

COLUMBUS, Ohio October 9, 2012 – The second annual ICS/SCADA Security Symposium, to be held November 1, 2012 in Columbus, is designed to serve as a level set for teams and organizations who are actively managing production ICS/SCADA environments. Once again, this full day session will include best practices advice, incident response, detection techniques and a current threat briefing focused on ICS/SCADA providers. Presenters will cover a variety of topics about what is working, what is not working so well in terms of information security, network protection and trust management. To learn more about the event and to see if you qualify to attend, please contact us via email (info<at sign>microsolved(<dot>)com) or via phone by calling 614.351.1237 ext 215. Chris Lay (@getinfosechere) is handling the invitee list for the event and will be happy to discuss the event with you in more detail. Attendance is free of charge, meals will be provided and a limited number of seats are still available if you qualify.

Touchdown Task for Fall: Prepare Your Holiday Coverage Plan


The holidays are right around the corner. Use some cycles this month to make sure your IT support and infosec teams have a plan for providing coverage during the holiday season. 

Does your help desk know who to call for a security incident? Do they have awareness of what to do if the primary and maybe even secondary folks are out on holiday vacation? Now might be a good time to review that with them and settle on a good plan.

Planning now, a couple of months before the holiday crush, just might make the holiday season a little less stressful for everyone involved. Create your plan, socialize it and score a touchdown when everyone is on the same page during the press of the coming months!


MicroSolved Lab Services: A Secret from Behind the Locked Doors

One of the oddest, most fun and most secretive parts of MSI is our testing lab services. You don’t hear a lot about what happens back there, behind the locked doors, but that is because of our responsible disclosure commitments. We don’t often talk publicly about the testing we do in the lab, but it varies from testing unreleased operating systems, applications, hardware devices, voting mechanisms, ICS/SCADA equipment, etc. We also do a small amount of custom controls and application development for specific niche solutions. 

Mostly though, the lab breaks things. We break things using a variety of electronic tools, custom hardware, bus/interface tampering, software hacking, and even some more fun (think fire, water & electric shock) kinds of scenarios. Basically, whatever the threat model your devices or systems face, most of them can be modeled, examined, tested, simulated or otherwise tampered into place in the MSI labs.

Our labs have several segments, with a wide array of emulated environments. Some of the lab segments are virtualized environments, some are filled with discrete equipment, including many historical devices for cross testing and regression assessments, etc. Our electronics equipment also brings a set of capabilities for tampering with devices beyond the usual network focus. We often tamper with and find security issues well below the network stack of a device. We can test a wide range of inputs, outputs and attack surfaces using state of the art techniques and creatively devious approaches.

Our labs also include the ability to leverage HoneyPoint technology to project lab tested equipment and software into parts of the Internet in very controlled simulations. Our models and HoneyPoint tools can be used to put forth fake attack surfaces into the crimestream on a global basis and identify novel attacks, model attack sources and truly provide deep threat metrics for entire systems, specific attack surfaces or components of systems. This data and the capabilities and techniques they are based upon are entirely proprietary and unique to MicroSolved.

If you would like to discuss how our lab services could assist your organization or if you have some stuff you want tested, get in touch. We would love to talk with you about some of the things we are doing, can do and some of the more creatively devious ideas we have for the future. 🙂

Drop us a line or give us a call today.  We look forward to engaging with you and as always, thanks for reading! 

Ask The Experts: Advice to New InfoSec Folks

This time our question came from a follow up on our last advice article to new infosec folks (here). Readers might also want to roll back the clock and check out our historic post “So You Wanna Be in InfoSec” from a few years ago. 

Question: “I really want to know what advice the Experts would give to someone looking to get into the information security business. What should they do to get up to speed and what should they do to participate in the infosec community?”

Adam Hostetler replied:

To get up to speed, I think you should start with a good foundation of knowledge. Already working in IT will help; you should then already have a good idea of networking knowledge, protocols, and architecture, as well as good OS administrative skills. Having this knowledge already helped me a lot at the beginning. Then I would move into the infosec world, read and listen to everything you can related to infosec. There’s much much more security related knowledge online than ever before, so use it to your advantage. You also now have the opportunity to take info sec programs in colleges, which weren’t really available 10 years ago. Social Networking is very important too, and is how you would likely land a job in infosec. Go to events, conferences or local infosec meetings. Some of the local infosec meetings here in Columbus are ISSA, OWASP, and Security MBA. Find some in your area, and attend something like Security B-Sides, if you can. Get to know people at these places, let them know you’re interested, and you might just end up with your dream job.

John Davis chimed in:

If you want to get into the risk management side of the information security business, first and above all I recommend that you read, read, read! Read the NIST 800 series, ISO 27001 & 27002, the PCI DSS, CobiT, the CAG, information security books, magazine articles, and anything else you can find about information security. Risk assessment, ERM, business continuity planning, incident response and other risk management functions are the milieu of the generalist; the broader your knowledge base, the more effective you are going to be. To participate in the infosec community, there are several things you can do. Probably the best and quickest way to get started is to attend (and participate in) meetings of information security professional organizations such as ISSA, ISACA and OWASP. Talk to the attendees, ask questions, see if they know of any entry level positions or internships you might be able to get into. There are also infosec webinars, summits and conferences that you can participate in. Once you get your foot in the door someplace, stick with it! It takes time to get ahead in this business. For example, you need four years of professional infosec experience or three years’ experience and a pertinent college degree before you can even test for your CISSP certification.

As always, thanks for reading! Drop us line in the comments or tweet us (@lbhuston or @microsolved) with other questions for the Security Experts.

See YOU at Derbycon!

I will be presenting Friday night at 7pm Eastern at Derbycon. Come on out and see us discuss the history, models and cellular nature of cyber-crime. We also plan to cover where we think online crime is likely to go in the next couple of generations and discuss some ideas for what we need to consider to combat the issues.

Drop by or chat in the hallways and we look forward to seeing you. Myself (@lbhuston), Phil Grimes (@grap3_ap3) and Adam Hostetler (@adamhos) will be in attendance. Tweet us if you want to connect! 

Have a great weekend! 

Oracle CSO Online Interview

My interview with CSO Online became available over the weekend. It discusses vendor trust and information security implications of the issues with password security in the Oracle database. You can read more about it here. Thanks to CSO Online for thinking of us and including us in the article.

Three Ways to Engage with the InfoSec Community


Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here are a few quick words of advice that I give them for making that happen.

1) Join Twitter and engage with people who are also interested in infosec. Talk directly to researchers, security visionaries and leadership. Engage with them personally and professionally to build relationships. Add value to the discussions by researching topics or presenting material that you are familiar with.

2) Join an open source software project. Even if you aren’t a coder, join the project and help with testing, documentation or reviews of some kind. Open source projects (they don’t have to be security projects) can benefit from the help, an extra set of eyes and the energy of new folks contributing to their work. You’ll learn new stuff and build great relationships in the development and likely infosec communities along the way. 

3) The way that most folks go about it works as well. Go to events. Network. Meet infosec people and engage them in discussions about technical and non-technical subjects. Groups like ISSA, ISACA, ISC2, OWASP and other regional security events are good places to meet people, learn stuff and develop relationships with folks working on hard problems. Cons can be good for this too, but often offer fewer chances for building rapport due to the inherent sensory overload of most con environments. Cons are a good place to grow relationships, but may not be the best events for starting them.

That’s my advice. All 3 items are hard work. They offer a chance for you to learn and engage. BUT, you have to work to earn respect and rapport in this community. You have to contribute. You must add value. 

As always, thanks for reading and until next time, stay safe out there! 

Columbus OWASP Meeting Presentation

Last week, I presented at the Columbus OWASP meeting on defensive fuzzing, tampering with production web applications as a defensive tactic and some of the other odd stuff we have done in that arena. 

The presentation was called “Hey, You Broke My Web Thingee :: Adventures in Tampering with Production” and I had a lot of fun giving the talk. The crowd interaction was excellent and a lot of folks have asked for the slide deck from the talk, so I wanted to post it here.

If you missed the talk in person, feel free to reach out on Twitter (@lbhuston) and engage with me about the topics. I’d love to discuss them some more. Please support OWASP by joining it as a member. These folks do a lot of great work for the community and the local chapter is quite active these days! 

Ask The Experts: Online Banking

This time we asked the experts one of the most common questions we get when we are out speaking at consumer events:

Q: Hey Security Experts, do you do your banking online? If so, what do you do to make it safe for your family? If not, why not?

John Davis explained:

I’ve been banking online for many years now and have always loved the convenience and ability it gives you to monitor your accounts anywhere and any time. There are a few simple things I do to keep myself secure. I do all the usual stuff like keeping a well configured firewall and anti-virus software package always running. I also ensure that my wireless network is as secure as possible. I make sure the signal is tuned so as to not leak much from the house, I use a long and strong password and ensure I’m using the strongest encryption protocol available. I also monitor my accounts often and take advantage of my bank’s free identity theft service. One final tip: instead of using your actual name as your login, why not use something different that is hard to guess and doesn’t reveal anything about your identity? It always pays to make it as tough on the cyber-criminals as possible!

Phil Grimes chimed in with:

I do almost all my banking online. This, however, can be a scary task to undertake and should always be done with caution on the forefront! In order to bank safely online, the first thing I do is to have one machine that was built in my house for strictly that purpose. My wife doesn’t play Facebook games on it. My kids don’t even touch it or know it exists. This machine comes online only to get updated and to handle the “sensitive” family business functions like bill payment or banking. The next thing I’ve done to protect this surface was to use a strong password. I used a password generator and created a super long password with every combination of alpha, numeric, and special characters included to reduce the risk of a successful brute force attack. This password is set to expire every 30 days and I change it religiously! Then finally, using Firefox, I install the NoScript plugin to help defend against client side attacks.

Adam Hostetler added:

Yes, I do my banking online. I also pay all of my bills online and shop online. I think the biggest thing that you can do for safety is just to be aware of things like phishing emails, and other methods that fraudsters use to try to compromise your credentials. I also always use dual-factor authentication when possible, or out-of-band authentication; most banks and credit unions support one of these methods these days. Checking all of my accounts for suspicious activity is also a regular occurrence.

There are also the malware threats. These are mostly mitigated by having up-to-date software (all software, not just the OS), up-to-date anti-virus software, and treating social networking sites like a dark alley. Be wary of clicking on any links on social networks, especially ones that are apps that claim they will do something fun for you. Social networks are probably the largest growing vector of malware currently, and a lot of times people install it willingly!

If you’re really paranoid, just have a dedicated PC or virtual machine for online banking.

Got a question for the Experts? Send it to us in the comments, or drop us a line on Twitter (@microsolved or @lbhuston). Thanks for reading!