Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Talking to Your Management Rationally About Malware

Posted on by
2
Malware with comparisons to Stuxnet are all the rage these days. CNN and other popular media outlets now run stories about new Trojans, viruses and exploits. Much of what is in the media is either hysteria, hype, confusion or outright wrong.
 
There are often nuggets of truth scattered about in the stories, but few of the fears and scenarios whipped into a frothy story have a rational bearing on reality, let alone your business. Nonetheless, executives and even end-users take this stuff in and start to talk about information security topics (which is usually a good thing), but without a rational view, they may use that information to make decisions without regard to risk or the exposures that truly matter to the organization.
 
This is where YOU come in. As an infosec practitioner, your job is to explain to folks in a rational way about the trends and topics in the news. You need to be able to discuss the new piece of malware they saw last night on the news and explain carefully, truthfully, and rationally how it might impact your organization.
 
You need to discuss the controls you have in place. You need to explain the recovery and response processes you have been honing over the last few years. You also need to carefully walk them through how attacks like this work, how your team would be able to detect it (or not), and what you need to be able to do in the future.
 
You need to do this without breathlessly going into detail about the newest evasion techniques it uses, how cool the new exploits are that it leverages, or otherwise spreading uncertainty or fear to your management team. Now, I am NOT suggesting you tell them you have everything under control if you don’t. However, I am suggesting that this conversation should be rational, fair and flat — and offer to come by their office later to discuss future enhancement capabilities and projects that could be funded to assist your team with defending against these and other threats in the future. Then, do it at a time when they have intellectual and emotional stability. 
 
You must also learn about these threats. Be ready to discuss them in real-world (non-IT geek), business language. You have to be able to explain them clearly and concisely, including their rational impacts. If, for example, CNN is running a story about malware that destroys reactors or deletes records of uranium deposits and your organization doesn’t own a reactor or track uranium, then explain the impacts of the attack are not likely to be anything more than an annoyance to your organization and offer to discuss it with them or present on the topic at a later time. Keep them up to date, but whatever you do, keep them rational and make sure that you precisely explain potential impacts clearly. If the worst outcome of a popular malware infection is that your network traffic would rise 12% for a 48 hour period and then drop back to previous levels when the malware doesn’t find what it’s looking for and deletes itself, explain that to them.
 
If the malware is designed to target and exfiltrate the secret sauce to your chicken nuggets, and that’s how your company derives income, then explain that to them in clear, unemotional terms and tell them what you are doing about it and how they can help. 
 
That’s about it. I think the point is clear, but I will repeat it again. Explain new threats rationally to your management when they ask. Share with them realistic impacts, what you are doing about them and how they can help. Offer to give them a deep dive at a later time when they are emotionally and intellectually stable. Avoid the FUD and stick to the facts. You will be doing yourself, your organization, your profession, and maybe even the world a big favor in doing so.
 
Thanks for reading!

Quick Wireless Network Reminders

Posted on by
3

I recently tested a couple of Android network stumblers on a drive around the city and I found that not a lot has changed for consumer wireless networks since I last stumbled.

There are still a TON of unprotected networks, default SSIDs and WEP networks out there. It appears that WPA(x) and WPS have been slower to be adopted than I had expected. I don’t know if that is consumer apathy, ignorance or just a continued use of legacy hardware before the ease of push button WPS. Either way, it was quickly clear that we still have a long way to go to deprive criminals of consumer-based wireless network access.

The good news is that it appears from this non-comprehensive sample that the businesses in our area ARE taking WiFi security seriously. Most networks easily coordinated with a business were using modern security mechanisms, though we did not perform any penetration testing and can’t speak to their password policies or detection capabilities. But for the most part, their SSIDs made sense, they used effective crypto and in most cases were even paying attention to channel spread to maximize the reliability of the network. This is good news for most organizations and shows that much of the corporate awareness and focus on WiFi security by vendors seems to be working. It makes the business risk of these easy-to-deploy systems more acceptable.
 
I also noted that it was apparent on the consumer side that some folks deploying WiFi networks are paying attention. We saw SSIDs like “DontHackMe”, “DontLeechMeN3rds”,”Secured”, “StayOut”., etc. Sadly, we also saw plenty of SSIDs that were people’s names, addresses, children’s names and in one case “PasswordIsPassword1”. Clearly, some installers or consumers still haven’t seen the dangers of social engineering that some of these names can bring. So, while we have seen some improvement in SSID selection, there is still work to be done to educate folks that they need to pick non-identifiable information for broadcast.
 
That said, how can we better teach consumers about the basics of WiFi security? What additional things could we do as an industry to make their data safer at home?
 
 

Discuss Detection in Depth at CMH ISSA Summit

Posted on by
1

 

 

On May 18th, I will be presenting on detection in depth at the CMH ISSA Summit. I look forward to a good discussion of the ideals, organizational needs, and maturity models. Given all of the focus on re-allocating resources from “prevention only” strategies to an equal spread across the core values of prevention, detection and response, this is likely to be a useful discussion to many organizations.

Come ready with good questions. I will also be available throughout the Summit for break-out discussions, one-on-ones, and small team meetings. Please reach out via email, phone or Twitter to schedule a sit down. Otherwise, feel free to approach me in the halls and we can have an ad-hoc discussion if you want to learn more about specific detection in depth approaches.
 
I speak on Friday, May 18th at 11:15 am. I hope to see you there!

Follow Up to Out of Band Authentication Post

Posted on by
2

(This is a commentary follow up to my earlier post, located here.)

A couple of folks have commented on Twitter that they have a fear of using SMS for any sort of security operations. There have been discussions about the insecurity of SMS and the lack of attention to protecting the cellular network by carriers around the world. I generally disagree with blanket statements, and I would push for organizations considering SMS as a means of authentication to undertake a real risk assessment of the process before they jump in.
 
However, if the controls in place in the cell networks meet their appetite for risk, then I think it is a perfectly acceptable business case. It certainly beats in-band simple authentication mechanisms like “pictures of trust” and traditional login/password as a security control.
 
At least in SMS authentication, the attacker would usually need to have control over or access to more than one device belonging to the user. I think this helps make the risk model more acceptable for my views.
 
Other folks discussed how Out of Band Authentication (OOBA) has been done now successfully in many places. I agree with this. We know how to do it. There are a LOT of vendors out there who can successfully integrate, deploy and manage a solution for you. Sadly, though, there are still more than a few who are struggling to get it right or done at all. As with most things in life, it helps to do a little research. Organizations should perform due diligence on their vendors and factor vendor risks into the equation of purchases and project planning. 
 
Lastly, a few folks commented on the fact that they, too, are running into speed bumps with deployments and logistics. Several folks echoed the sentiments of the original challenges and few offered suggestions beyond simply “doing more homework” and looking for “quickly scalable solutions”. The good news with this is that you are not alone out there. Other folks are facing AND BEATING challenges. Feel free to reach out to your peers and discuss what is and what isn’t working for them.
 
As per the original post, the more communication and discussion we can have amongst the community about these topics, the better off we all will be. So, discuss, seriously…
 
##Special thanks to the vendors that replied with case studies, references or stories about how they have done integration and deployment. There are a lot of good vendors out there with knowledge in this area. Careful review of their capabilities will help you sort them out from the less capable. Communication is key.
 
Thanks for reading! 

Are You Attending the 2012 ISSA Central Ohio InfoSec Summit?

Posted on by
1

 

If you are in the midwest and can make it to Columbus for the ISSA Summit this year, you owe it to yourself to do so. Great speakers, great content, an amazing location and some of the best folks from around the world, for two days focused on infosec. It’s been amazing the past several years. You can find info online about it here

Some of the things I am looking forward to are getting to hear more from Richard Clarke (I might not always agree with his view, but he is an excellent speaker and a very good man.), and the rest of the speakers. In fact, there is not a speaker on the docket that I don’t think is amazing. We have developer insights, business folks, techno geeks, hackers, auditors and even a few MSI folks. 
 
So, if you can come to town and be here May 17th and 18th, do so. If not, you’ll miss out on what is sure to be an amazing event.
 
Special thanks to the Columbus ISSA team for putting the event together. These folks work really hard to pull it off, and the volunteers on the day of the event go above and beyond to make it all happen. Please take a moment at the event and give them a pat on the back. If something would happen to go wrong, or could be done better, drop them a line in email and they will look at improving it next year. Thank them, in person, for all of the things that go right. Seriously, it helps. Even better, volunteer for the Summit and help them and the community out. It’s a great way to give back for all that the community does for all of us, all year long. 
 
Thanks for reading and we’ll see you at the Summit! 

Financial Organizations Struggle with Out of Band Authentication

Posted on by
4

Many of our client financial organizations have been working on implementing out of band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires.

 A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add some security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.

For starters, the implementation and integration of some of the software designed for this purpose has been a little more difficult than expected by many of the teams working on the projects. We are hearing that in some cases, the vendors are having difficulty integrating into some of the site platforms, particularly those not using .NET. Other platforms have been successful, but over time (and many over budget), the lesson learned is this: communicate clearly about the platforms in use when discussing implementations with potential vendors.
 
Other problems we have been hearing about include: availability issues with the number of outbound phone connections during peak use periods, issues with cellular carriers “losing” SMS messages (particularly a few non-top tier carriers), and integrating solutions into VoIP networks and old-style traditional PBX systems.
 
In many cases, these telephonic and cellular issues have caused the systems to be withdrawn during pilot, even turned off for peak periods during use and other “fit and start” approaches as the rough patches were worked out. The lesson in this area seems to be to design for peak use as a consideration, or at least understand and communicate acceptable delays, outages or round-robin processes, and make sure that your systems properly communicate these parameters to the user.
 
In the long run, proper communication to the users will lower the impact of the onslaught some of these systems call to the customer support and help desk folks.
 
It is getting better though. Vendors are learning to more easily and effectively develop and implement these solutions. The impact on account theft has been strong so far and customers seem to have a rapid adjustment curve. In fact, a few of our clients have shared that they have received kudos from their members/customers for implementing these new tools when they were announced, documented, and explained properly to the user base.
 
If your organization is considering this technology and has struggled with it, or has emerged victorious in the mastery of it; please drop me a line on Twitter (@lbhuston) and let me know your thoughts. The more we share about these tools, the better we can all get at making the road less bumpy for the public.
 
As always, thanks for reading and stay safe out there!

Remember Public Cellular Networks in Smart Meter Adoption

Posted on by
3

One of the biggest discussion points at the recent MEA Summit was the reliance of Smart Meter technology on the public cellular networks for communication.

There seemed to be a great deal of confusion about negotiating private cellular communications versus dependence on fully public networks. Many folks also described putting in their own femtocell and microcell deployments to greatly reduce the dependence on communication assets that they did not own. However, as you might expect, the purchase, install, management, and maintenance of private cellular infrastructure is expensive, requires skilled personnel, and often bumps into regulatory issues with frequency control and saturation.

Other considerations than cost also emerged with several ICS/SCADA owners discussing prioritization of repair issues versus consumer deployments, problems with negotiating effective, acceptable Service Level Agreements with the cell network vendors and a lack of understanding on the cell vendors’ part about ICS/SCADA deployments/integration/criticality in general.
 
Clearly, more analysis, study, and communication needs to occur between ICS/SCADA researchers/owners/developers and the relevant cellular network engineers/implementation teams to grow mutual knowledge and understanding between the parties. In the meantime, ICS/SCADA owners must strive to clearly identify their needs around cellular technologies, clearly demarcate the requirements for private/segmented/public cellular network use and understand the benefits/issues and threats of what they are utilizing. Cellular communications has a clear role to play in the future of ICS/SCADA, but the waters of how it will be managed, how it will be secured and how smaller organizations can obtain it affordably remain a bit muddy for now.
 
If your organization has winning strategies or has concerns that have arisen with the use of cellular networks, we would love to hear about them in the comments. The more ICS/SCADA owners work together to bring this knowledge forward, the more quickly and effectively we can resolve many of the issues that utilities and other organizations are encountering.

Getting Your ICS/SCADA Components Security Tested

Posted on by
1

Recently, at the MEA Summit, I had the opportunity to engage in a great discussion with a number of SCADA owners about security testing of their devices. Given all of the big changes underway concerning SCADA equipment, connectivity and the greater focus on these systems by attackers; the crowd had a number of questions about how they could get their new components tested in a lab environment prior to production deployment.

Device and application testing is something that MicroSolved has done for more than a decade. We have tested hundreds of IT hardware products, commercial software loads, web/mobile applications, consumer products, and for the last several years, ICS/SCADA and Smart Grid components. Our lab environments are suitable for a wide variety of testing scenarios and are used by utility companies, manufacturers and software developers from around the world as a trusted source for rational security testing and relevant threat analysis. We have a firm non-disclosure policy for client systems tested and the relevant vulnerabilities discovered and we often work hand in hand with the developers/design engineers to work through both mitigation and/or compensating control development.
 
ICS/SCADA owners should have any new designs assessed prior to implementation, they should have some form of ongoing security assessment (analysis – NOT scanning…) performed against current deployments/threats, plus they should be engaged in testing all new hardware and software platforms before production adoption. Developers, designers and manufacturers of ICS/SCADA/Smart Grid components should be engaging in a full set of product assessments, attack surface analysis, threat modeling and penetration testing prior to the release of the products to market. This will be a value-add to your customers, and ultimately, to the consumer. 
 
If your organization would like to have a device or software analysis performed, or would like to discuss how to engage with MicroSolved to have new equipment or ICS/SCADA deployment ideas modeled, tested and assessed, please contact us. 

Don’t Forget About VoIP Exposures and PBX Hacking

Posted on by
6

 

 

 

 

 

 

I was browsing my usual data alerts for the day and ran into this set of data. It motivated me to write a quick blog post to remind folks that VoIP scans and probes are still going on out there in the wild.

These days, with all of the attention to mass compromises, infected web sites and stolen credit card data, voice systems can sometimes slip out of sight.

VoIP compromises and intrusions remain a threat. There are now a variety of tools, exploits and frameworks built for attacking VoIP installations and they are a target for both automated tools and manual hacking. Access to VoIP systems can provide a great platform for intelligence, recon, industrial espionage and traditional toll fraud.
 
While VoIP might be the state of the art for phone systems today, there are still plenty of traditional PBX, auto-attendant and dial-up voicemail systems around too. Now might be a good time to review when those systems were last reviewed, audited or pen-tested. Traditional toll fraud is still painful to manage and recover from, so it’s probably worth spending a few cycles on reviewing these devices and their security postures. 
 
Let us know if your organization could use assistance with these items or with hardening voice systems, implementing detection techniques for them or otherwise increasing voice system security.

HoneyPoint and HITME Helps Clients Take Out Malware

Posted on by
5

I wanted to share some great feedback we received this week from a couple of sources. Both are regarding HoneyPoint — our product for creating a platform of nuance detection and visibility.

The first came from a critical infrastructure team. We notified them of an attack from their environment which was detected on the HITME (HoneyPoint Internet Threat Monitoring Environment). Using our alert, they quickly identified, investigated and isolated a specific machine that been infected with a piece of malware and was now scanning the Internet for other potential victims. They thanked us for the notification and said they truly appreciated our efforts and the work of the HITME team to help protect US critical infrastructures.
 
The second bit of feedback came from a long-time user of HoneyPoint Wasp, who suddenly began to see a piece of code propagate across a few machines in their workstation space. The code was rapidly identified as a piece of malware that had successfully evaded their anti-virus, but triggered the Wasp white list detection mechanism. Their team traced the infection back to a single USB key, which they impounded and sanitized. Thankfully, they found this infection before it was able to be leveraged by an attacker against them. They were very supportive of HoneyPoint and thanked us for assisting them in their investigation and for teaching them how to use Wasp through our installation services.
 
Together, these represent just a couple of the stories where HoneyPoint has helped security teams. Some of the people who receive the benefit of our work are not even users of the product or MicroSolved clients at all. It’s just another way that we engage every single day to help make a difference in the security and safety of peoples’ lives.
 
At MSI, we don’t just make great tools and perform great services, we have spent the last 20 years working hard to help people with information security. It continues to be both our pleasure and our passion.
 
Thanks for reading!