Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Got Disaster Recovery?

Posted on by
Reply

As the recent heavy storms in the Midwest has brought to my attention in a personal way — even the best laid plans can have weaknesses. In my case, it was an inconvenience, but a good lesson.

I got a reminder about cascading failures in complex systems via the AT&T data network collapse (thanks to a crushed datacenter), as well as a frontline wake-up call about the importance of calculating generator gasoline supplies properly. 

So, while you read this, I am probably out adding 30 gallons to my reserve. Plus, working on a “lessons learned” document with my family to more easily remember the things we continually have to re-invent every time there is a power outage of any duration. 

I share with you these personal lessons for a couple of reasons. First, I hope you’ll take a few moments and update/review your own personal home plans for emergencies. I hope you’ll never need them, but knowing how to handle the basics is a good thing. Then move on to how you’ll manage trivialities of personal comfort like bandwidth, coffee & beer. 🙂

Lastly, I hope you take time and review your company’s DR/BC plans as well. Now might be a good time to do exactly what I hope AT&T, Amazon, Netflix, Instagram, etc. are doing and get those plans back in line with attention to the idea that failures can and often do, cascade. This wasn’t an earthquake, tsunami or hurricane (though we did have 80+ mph winds) – it was a thunderstorm. Albeit, a big thunderstorm, but a thunderstorm nonetheless. We can do better. We should expect better. I hope we all will get better at such planning. 

As always. thanks for reading and until next time, stay safe out there. 

PS – The outpouring of personal kindness and support from friends, acquaintances and family members has been amazing. Thank you so much to all of the wonderful folks who offered to help. You are all spectacular! Thank you!

HoneyPoint Agent Helps Another Client

Posted on by
2
Just got an interesting report in from another client helped by HoneyPoint Agent. This time, the client detected a probe against a SQLServer port that seemed to be coming from several hosts on their internal network.
 
The probe was aimed at identifying SQLServer installations, and while the story seems familiar, the probe itself was different. In this case, the client had network-based intrusion detection tools and other elements of signature-based visibility. However, the probe they were seeing was a new type of probe and signatures had not yet been created. Thus, the signature-based tools were basically blind to detecting the scans of this malware, even while it was beginning to spread across their environment.
 
HoneyPoint Agent on the other hand, simply detected the illicit traffic. Since deployed HoneyPoints are not real services, any contact with them should be considered suspicious at best or malicious at worst. In this case, the traffic was indeed malicious. HoneyPoint tipped them off to the source IP’s of the scanning and even gave them the data they needed to build network signatures for their network-based detection tools. Several hours later, they had significant intelligence into the scope, capability, source and methods of what they were facing. HoneyPoint had not only served as an early warning system, but had also given them the knowledge to grow their visibility to the overall impact of the security incident.
 
I love it when customers tell us about how HoneyPoint helped them in a time of need. I truly appreciate it when they catch malware early on and get to take quick, decisive defensive action. We might not win all of the battles in the infosec war, but when we do win a few and something we made helps turn the tide, it makes the MSI team very happy indeed!

Search for Malware by MD5 Hash

Posted on by
5

Got a file that you want to know more about? Have the MD5 hash for it, and want to know if it is known to be malware? This seems to be a common problem. 

 Here are three links that might help you:
1. Search VirusTotal by hash (simply put the hash in the search box): https://www.virustotal.com/#search
3. Search Eureca by hash (replace xxx with your hash): http://eureka.cyber-ta.org/OUTPUT/xxx/
Even if these sites don’t turn anything up, the file still might be malware. It may simply have been modified or specially crafted. However, if these sites turn up hits, you should be extra secret squid careful with the binary, since it is very likely to actually be malware of some sort.
Hope that helps folks. Thanks for reading!
If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

Talking to Your Management Rationally About Malware

Posted on by
2
Malware with comparisons to Stuxnet are all the rage these days. CNN and other popular media outlets now run stories about new Trojans, viruses and exploits. Much of what is in the media is either hysteria, hype, confusion or outright wrong.
 
There are often nuggets of truth scattered about in the stories, but few of the fears and scenarios whipped into a frothy story have a rational bearing on reality, let alone your business. Nonetheless, executives and even end-users take this stuff in and start to talk about information security topics (which is usually a good thing), but without a rational view, they may use that information to make decisions without regard to risk or the exposures that truly matter to the organization.
 
This is where YOU come in. As an infosec practitioner, your job is to explain to folks in a rational way about the trends and topics in the news. You need to be able to discuss the new piece of malware they saw last night on the news and explain carefully, truthfully, and rationally how it might impact your organization.
 
You need to discuss the controls you have in place. You need to explain the recovery and response processes you have been honing over the last few years. You also need to carefully walk them through how attacks like this work, how your team would be able to detect it (or not), and what you need to be able to do in the future.
 
You need to do this without breathlessly going into detail about the newest evasion techniques it uses, how cool the new exploits are that it leverages, or otherwise spreading uncertainty or fear to your management team. Now, I am NOT suggesting you tell them you have everything under control if you don’t. However, I am suggesting that this conversation should be rational, fair and flat — and offer to come by their office later to discuss future enhancement capabilities and projects that could be funded to assist your team with defending against these and other threats in the future. Then, do it at a time when they have intellectual and emotional stability. 
 
You must also learn about these threats. Be ready to discuss them in real-world (non-IT geek), business language. You have to be able to explain them clearly and concisely, including their rational impacts. If, for example, CNN is running a story about malware that destroys reactors or deletes records of uranium deposits and your organization doesn’t own a reactor or track uranium, then explain the impacts of the attack are not likely to be anything more than an annoyance to your organization and offer to discuss it with them or present on the topic at a later time. Keep them up to date, but whatever you do, keep them rational and make sure that you precisely explain potential impacts clearly. If the worst outcome of a popular malware infection is that your network traffic would rise 12% for a 48 hour period and then drop back to previous levels when the malware doesn’t find what it’s looking for and deletes itself, explain that to them.
 
If the malware is designed to target and exfiltrate the secret sauce to your chicken nuggets, and that’s how your company derives income, then explain that to them in clear, unemotional terms and tell them what you are doing about it and how they can help. 
 
That’s about it. I think the point is clear, but I will repeat it again. Explain new threats rationally to your management when they ask. Share with them realistic impacts, what you are doing about them and how they can help. Offer to give them a deep dive at a later time when they are emotionally and intellectually stable. Avoid the FUD and stick to the facts. You will be doing yourself, your organization, your profession, and maybe even the world a big favor in doing so.
 
Thanks for reading!

Quick Wireless Network Reminders

Posted on by
3

I recently tested a couple of Android network stumblers on a drive around the city and I found that not a lot has changed for consumer wireless networks since I last stumbled.

There are still a TON of unprotected networks, default SSIDs and WEP networks out there. It appears that WPA(x) and WPS have been slower to be adopted than I had expected. I don’t know if that is consumer apathy, ignorance or just a continued use of legacy hardware before the ease of push button WPS. Either way, it was quickly clear that we still have a long way to go to deprive criminals of consumer-based wireless network access.

The good news is that it appears from this non-comprehensive sample that the businesses in our area ARE taking WiFi security seriously. Most networks easily coordinated with a business were using modern security mechanisms, though we did not perform any penetration testing and can’t speak to their password policies or detection capabilities. But for the most part, their SSIDs made sense, they used effective crypto and in most cases were even paying attention to channel spread to maximize the reliability of the network. This is good news for most organizations and shows that much of the corporate awareness and focus on WiFi security by vendors seems to be working. It makes the business risk of these easy-to-deploy systems more acceptable.
 
I also noted that it was apparent on the consumer side that some folks deploying WiFi networks are paying attention. We saw SSIDs like “DontHackMe”, “DontLeechMeN3rds”,”Secured”, “StayOut”., etc. Sadly, we also saw plenty of SSIDs that were people’s names, addresses, children’s names and in one case “PasswordIsPassword1”. Clearly, some installers or consumers still haven’t seen the dangers of social engineering that some of these names can bring. So, while we have seen some improvement in SSID selection, there is still work to be done to educate folks that they need to pick non-identifiable information for broadcast.
 
That said, how can we better teach consumers about the basics of WiFi security? What additional things could we do as an industry to make their data safer at home?
 
 

Discuss Detection in Depth at CMH ISSA Summit

Posted on by
1

 

 

On May 18th, I will be presenting on detection in depth at the CMH ISSA Summit. I look forward to a good discussion of the ideals, organizational needs, and maturity models. Given all of the focus on re-allocating resources from “prevention only” strategies to an equal spread across the core values of prevention, detection and response, this is likely to be a useful discussion to many organizations.

Come ready with good questions. I will also be available throughout the Summit for break-out discussions, one-on-ones, and small team meetings. Please reach out via email, phone or Twitter to schedule a sit down. Otherwise, feel free to approach me in the halls and we can have an ad-hoc discussion if you want to learn more about specific detection in depth approaches.
 
I speak on Friday, May 18th at 11:15 am. I hope to see you there!

Follow Up to Out of Band Authentication Post

Posted on by
2

(This is a commentary follow up to my earlier post, located here.)

A couple of folks have commented on Twitter that they have a fear of using SMS for any sort of security operations. There have been discussions about the insecurity of SMS and the lack of attention to protecting the cellular network by carriers around the world. I generally disagree with blanket statements, and I would push for organizations considering SMS as a means of authentication to undertake a real risk assessment of the process before they jump in.
 
However, if the controls in place in the cell networks meet their appetite for risk, then I think it is a perfectly acceptable business case. It certainly beats in-band simple authentication mechanisms like “pictures of trust” and traditional login/password as a security control.
 
At least in SMS authentication, the attacker would usually need to have control over or access to more than one device belonging to the user. I think this helps make the risk model more acceptable for my views.
 
Other folks discussed how Out of Band Authentication (OOBA) has been done now successfully in many places. I agree with this. We know how to do it. There are a LOT of vendors out there who can successfully integrate, deploy and manage a solution for you. Sadly, though, there are still more than a few who are struggling to get it right or done at all. As with most things in life, it helps to do a little research. Organizations should perform due diligence on their vendors and factor vendor risks into the equation of purchases and project planning. 
 
Lastly, a few folks commented on the fact that they, too, are running into speed bumps with deployments and logistics. Several folks echoed the sentiments of the original challenges and few offered suggestions beyond simply “doing more homework” and looking for “quickly scalable solutions”. The good news with this is that you are not alone out there. Other folks are facing AND BEATING challenges. Feel free to reach out to your peers and discuss what is and what isn’t working for them.
 
As per the original post, the more communication and discussion we can have amongst the community about these topics, the better off we all will be. So, discuss, seriously…
 
##Special thanks to the vendors that replied with case studies, references or stories about how they have done integration and deployment. There are a lot of good vendors out there with knowledge in this area. Careful review of their capabilities will help you sort them out from the less capable. Communication is key.
 
Thanks for reading! 

Are You Attending the 2012 ISSA Central Ohio InfoSec Summit?

Posted on by
1

 

If you are in the midwest and can make it to Columbus for the ISSA Summit this year, you owe it to yourself to do so. Great speakers, great content, an amazing location and some of the best folks from around the world, for two days focused on infosec. It’s been amazing the past several years. You can find info online about it here

Some of the things I am looking forward to are getting to hear more from Richard Clarke (I might not always agree with his view, but he is an excellent speaker and a very good man.), and the rest of the speakers. In fact, there is not a speaker on the docket that I don’t think is amazing. We have developer insights, business folks, techno geeks, hackers, auditors and even a few MSI folks. 
 
So, if you can come to town and be here May 17th and 18th, do so. If not, you’ll miss out on what is sure to be an amazing event.
 
Special thanks to the Columbus ISSA team for putting the event together. These folks work really hard to pull it off, and the volunteers on the day of the event go above and beyond to make it all happen. Please take a moment at the event and give them a pat on the back. If something would happen to go wrong, or could be done better, drop them a line in email and they will look at improving it next year. Thank them, in person, for all of the things that go right. Seriously, it helps. Even better, volunteer for the Summit and help them and the community out. It’s a great way to give back for all that the community does for all of us, all year long. 
 
Thanks for reading and we’ll see you at the Summit! 

Financial Organizations Struggle with Out of Band Authentication

Posted on by
4

Many of our client financial organizations have been working on implementing out of band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires.

 A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add some security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.

For starters, the implementation and integration of some of the software designed for this purpose has been a little more difficult than expected by many of the teams working on the projects. We are hearing that in some cases, the vendors are having difficulty integrating into some of the site platforms, particularly those not using .NET. Other platforms have been successful, but over time (and many over budget), the lesson learned is this: communicate clearly about the platforms in use when discussing implementations with potential vendors.
 
Other problems we have been hearing about include: availability issues with the number of outbound phone connections during peak use periods, issues with cellular carriers “losing” SMS messages (particularly a few non-top tier carriers), and integrating solutions into VoIP networks and old-style traditional PBX systems.
 
In many cases, these telephonic and cellular issues have caused the systems to be withdrawn during pilot, even turned off for peak periods during use and other “fit and start” approaches as the rough patches were worked out. The lesson in this area seems to be to design for peak use as a consideration, or at least understand and communicate acceptable delays, outages or round-robin processes, and make sure that your systems properly communicate these parameters to the user.
 
In the long run, proper communication to the users will lower the impact of the onslaught some of these systems call to the customer support and help desk folks.
 
It is getting better though. Vendors are learning to more easily and effectively develop and implement these solutions. The impact on account theft has been strong so far and customers seem to have a rapid adjustment curve. In fact, a few of our clients have shared that they have received kudos from their members/customers for implementing these new tools when they were announced, documented, and explained properly to the user base.
 
If your organization is considering this technology and has struggled with it, or has emerged victorious in the mastery of it; please drop me a line on Twitter (@lbhuston) and let me know your thoughts. The more we share about these tools, the better we can all get at making the road less bumpy for the public.
 
As always, thanks for reading and stay safe out there!

Remember Public Cellular Networks in Smart Meter Adoption

Posted on by
3

One of the biggest discussion points at the recent MEA Summit was the reliance of Smart Meter technology on the public cellular networks for communication.

There seemed to be a great deal of confusion about negotiating private cellular communications versus dependence on fully public networks. Many folks also described putting in their own femtocell and microcell deployments to greatly reduce the dependence on communication assets that they did not own. However, as you might expect, the purchase, install, management, and maintenance of private cellular infrastructure is expensive, requires skilled personnel, and often bumps into regulatory issues with frequency control and saturation.

Other considerations than cost also emerged with several ICS/SCADA owners discussing prioritization of repair issues versus consumer deployments, problems with negotiating effective, acceptable Service Level Agreements with the cell network vendors and a lack of understanding on the cell vendors’ part about ICS/SCADA deployments/integration/criticality in general.
 
Clearly, more analysis, study, and communication needs to occur between ICS/SCADA researchers/owners/developers and the relevant cellular network engineers/implementation teams to grow mutual knowledge and understanding between the parties. In the meantime, ICS/SCADA owners must strive to clearly identify their needs around cellular technologies, clearly demarcate the requirements for private/segmented/public cellular network use and understand the benefits/issues and threats of what they are utilizing. Cellular communications has a clear role to play in the future of ICS/SCADA, but the waters of how it will be managed, how it will be secured and how smaller organizations can obtain it affordably remain a bit muddy for now.
 
If your organization has winning strategies or has concerns that have arisen with the use of cellular networks, we would love to hear about them in the comments. The more ICS/SCADA owners work together to bring this knowledge forward, the more quickly and effectively we can resolve many of the issues that utilities and other organizations are encountering.