Brent Huston shares his thoughts on the upcoming iOS5 and Apple’s iCloud.
Click here to listen
Audio Blog Post: What Apple’s iCloud Means For The Enterprise
Reply
Author Archives: Brent Huston
Security Alert: RSA Breach and 7 Ways to Secure Your Tokens
Since the compromise of the RSA environment several months ago, much attention has been paid to the potential impact of the attack on RSA customers.
Given the popularity of the RSA products and the sensitivity of the processes that they protect, the situation should be taken very seriously by RSA token users.
Last night, RSA made a public announcement that their breach and information stolen in that breach has now been used in attacks against RSA customers. The primary focus, as far as is known, has been the defense sector, but it is very likely that additional threat-focus has been placed on other critically sensitive verticals such as financial and critical infrastructure.
There are a number of things that RSA customers should do, in the advice of MicroSolved, Inc. Below is a short list of identified strategies and tactics:
- Identify all surfaces exposed that include RSA components. Ensure your security team has a complete map of where and how the RSA authentication systems are in use in your organization.
- Establish a plan for how you will replace your tokens and how you will evaluate and handle the risks of exposure while you perform replacement.
- Increase your vigilance and monitoring of RSA exposed surfaces. This should include additional log, event and intrusion monitoring around the exposed surfaces. You might also consider the deployment of honeypots or other drop-in measures to detect illicit activity against or via compromised systems available with the RSA exposed surfaces.
- Develop an incident response plan to handle any incidents that arise around this issue.
- Increase the PIN length of your deployments as suggested by RSA, where appropriate, based on identified risk and threat metrics.
- Teach your IT team and users about the threats and the issue. Prepare your team to handle questions from users, customers and other folks as this issue gains media attention and grows in visibility. Prepare your technical management team to answer questions from executives and Board-level staff around this issue.
- Get in contact with RSA, either via your account executive or via the following phone number for EMC (RSA’s parent company): 1-800-782-4362
In the meantime, if MSI can assist you with any of these steps or work with you to review your plan, please let us know. Our engineers are aware of the issues and the processes customers are using to manage this problem in a variety of verticals. We can help you with planning or additional detection and monitoring techniques should you desire.
We wish our clients the highest amount of safety and security as we, as an industry, work through this challenge. We wish RSA the best of luck and the highest success in their remediation and mitigation efforts. As always, we hope for the best outcome for everyone involved.
Thanks for your time and attention to this issue. It is much appreciated, as is your relationship with MicroSolved, Inc.
Powerless No More! Making Your Threat-Centric Penetration Testing Work for You
By now, even small organizations should know that they need periodic penetration testing focused on their critical processes if they hope to secure and protect their data. The question is, when this testing is being performed, are they getting something of value or just another checkbox on a compliance form? At MicroSolved, we believe in the first and we think you should get the latter naturally from the exercise. The problem is, the effort is NOT vice-versa.
Compliance-centric penetration testing is when the simulated attacker really takes the eye of an auditor. They focus only on testing the surfaces, elements and data sources absolutely required by the standard you are being tested against. These “penetration tests” are usually little more than a vulnerability scan and a run through by an engineer who “validates” that you are vulnerable. Little attention is paid to impact of compromise, how compromised systems and their information could be leveraged to get to the critical information or data and vulnerability chains (complex failures that cascade) are often ignored or completely unidentified. You can tell if the assessment is compliance-centric if the assessment doesn’t include items like testing multi-stage attacks, simulated malware and simulated social engineering failures. In many cases, for example, in the MicroSolved testing methodology, these attack surfaces are exercised, monitored, modeled and then regardless of outcome, emulated as if they failed during internal assessments to ensure reliable, real-world impacts are measured.
Threat-centric penetration testing, which by now, you probably know, is what MicroSolved is famous for. Our process doesn’t focus on compliance. It focuses on protecting your assets against the real world threats. We perform like an attacker, NOT like an auditor. We map attack surfaces, compare them to the real world, real-time data streams we get from the HoneyPoint Internet Threat Monitoring Environment (HITME) every day. We take our knowledge of what attackers do and how they work and apply it to your organization. We test the attack surfaces and note how they respond. We model what would happen if your controls succeed and what happens when they fail. Our testing takes a little while longer, and in some cases is a bit more expensive than the “scan and verify” providers, because our penetration team measures your systems against complex, multi-stage leveraged attacks just like you should expect from a real-world attacker targeting your data. We crack passwords, steal documents, social engineer your team, root through your electronic trash (and sometimes even the physical trash) and tear into your internal networks just as if we were a bot-herder, a malware author or a bad guy who got a job in customer service or the mailroom. We work with you to establish the scope and bounds of the exercise, but in the end, you get a real, true and holistic look at your defenses and the ways you can improve. You also get the capability to check that compliance box with the full knowledge and confidence that you tested not just their limited scope or with blinders on approach, but against a real-world, bleeding edge group of attackers focused on getting YOUR data.
At MicroSolved, we think that if you’re going to spend money on penetration testing, you should get what you pay for. You should get a real measurement against real threats and a real idea of what needs to be improved. If all you want is a checkbox, you can find plenty of folks to “scan and forget” with prices starting at FREE and ending at hundreds of thousands of dollars. Their cookie-cutter processes should let you check the box on your next set of forms, but maybe not sleep at night while you wonder if the data is really OK. On the other hand, working with a real-world emulating, threat-centric team, might cost a little more in the short run, but just of the money you’ll be saving in fines, legal fees and forensics costs for each attack vector mitigated in the event of a compromise. Give us a call. We’ll be happy to tell you more or work with you to set up a project to help you evaluate other penetration testing teams where MSI might not be a perfect fit.
Horrible Ideas, Modeled & Profiled
Just a quick note this time about the HITME (HoneyPoint Internet Threat Monitoring Environment). One of the best uses for having the kind of global honeynet that we have deployed in the incarnation of the software is that you can create actual working models for a mistake or a horrible security idea.
Want to know what happens if you accidentally expose an internal system to the public Internet for 24 hours? We can quickly (in less than 30 mins) build an emulation for it and use a decoy dropped into place on your network to measure and model that risk over a period of time. You can get a real life set of metrics for how many probes it receives, from where and for what the attackers are looking. You can find out how long the average time is before the issue is identified by an attacker. You can even work up a profile of what sources, their locale and their capability to add to your risk assessments. These kinds of metrics, tied to a strong mathematical model (like FAIR) make for fantastic real world analysis.
You can do the same with web applications. Want to know what kind of attacks you can expect if you put in a new VPN portal at your managed hosting provider? No problem. We create an emulation and drop a decoy into their ESX(i) infrastrcuture, monitor it for 30 days and work up the data into a report for you. Now you can take that data and feed into a risk assessment, work out compensating controls and even get a budget idea for what it will take to secure such an infrastructure. We can also do this in multiple places and then work with the reporting you get from several vendors, using this mock up as a bake off data point to help you determine if your exposures and risks are higher from one hosting provider to another, what kinds of reporting you get from each, how effective their prevention and detection programs are, etc. We’ve even had a couple of organizations drop in temporary HoneyPoint decoys while being audited or undergoing penetration testing to get a third party view of how effective and capable their assessment and testing process has been.
The coolest thing to me about HoneyPoint is not the bleeding-edge attacks you can capture, nor the insights into attacker behavior it brings. Instead it’s the wide array of business problems that it can lend real world insight to inside the security world. It truly makes it easy to model and measure some of the most horrible ideas that an admin or developer can have. Wanna know more about the mistakes you make or might make in the future? Wanna measure attack interactions or generate metrics to feed a better risk assessment? Give us a call, we’ll be glad to discuss how you can take the next step in threat-centric information security with HoneyPoint!
Think You Can’t Afford Code/App Testing? Think Again!
According to this article, most companies skimp on third-party code checks.
Over the years, in our application testing services, we have found a variety of reasons why people skip code review and even application testing from a blackbox standpoint. The main objection we hear is cost. The cost of code review is often quite a bit higher than they expect. In some cases, we have seen where code review quotes from some vendors have been as much as 40% of the total development costs!
Now, that said, things are shifting. Today, you have a plethora of code review automation tools and source code scanners. These tools make an easy way to pick the low hanging (and sometimes higher, depending on language/complexity & tool variables) vulnerabilities out of your code long before it is exposed to malicious outsider/insider contact. (You do have a DEV and QA environment, now, right? Hint, Hint!) A quick list of code scanning tools is here. Even more are available.
For example our favorite PHP scanner, SandCat Hybrid is not on the list yet, but is widely available and used today. Pricing for some of these tools varies from FREE (like beer AND like speech) to hundreds of thousands of dollars per year. With a little research work, you can likely find a tool to meet your needs. Need help picking a tool? Just drop us a line, we would be happy to help.
Having a tool is one thing, using it and applying what you learn is another. You will need to create processes to make use of the tool. You will need to define where in your development and product purchasing processes the assessments should take place. You will need someone to run the tool and analyze the results. You will need someone to help work with the developers to make sure that any identified weaknesses are mitigated or that compensating controls are employed appropriately to minimize any defects not cost effectively fixed. This takes time, skill, knowledge and talent. However, if you want this skill ad-hoc or via a subscription, both are available from MicroSolved. Just drop us a line or give us a call and we can work together to design a toolset and skill set appropriate to your needs.
Using this approach, you don’t have to be one of the firms ignoring code review and application testing. You CAN afford to perform testing prior to product launch, deployment or upgrades. We can help you design a solution that fits your business needs and your risk tolerance. Rise above your competitors (who are likely in that 65% of companies NOT doing testing) and began offering software and products that have been assured to protect their privacy. We can help and together, we can make it safer for all of us online.
From the Tweetstream: What HITME Caught: Ongoing Defacement Campaign
Recently, we noticed our @HoneyPoint account, (HoneyPoint Internet Threat Monitoring Environment or HITME) was getting pinged. What we found is explained below:
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67954775886544896″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67955056300920832″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67955546187243520″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67973785218859008″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67974149250879489″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67984136337498113″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67985250583715840″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67985707125325824″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67990169353068544″]
Tales from the Tweetstream: Are You Trusting AV Software Alone to Detect Malware?
(To read more interesting discoveries, follow Brent Huston on Twitter.)
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61498319142260737″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61499509645127680″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61499751950069760″]
[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61513076557615104″]
AV software is not a “deploy and forget” solution to detect malware. More surveillance is needed, such as checking the logs to see if there are any occurrences of strange activity. Too often, attackers can drop files in the PHP servers and AV software will rarely detect it.
As I said, the moral of the story is that if you’re depending upon an AV detection mechanism for compromised PHP servers, you’re mistaken. Protect your servers by analyzing your logs. And using our HoneyPoint Wasp would help greatly by giving you more visibility and alerts when malware has entered into your system.
HoneyPoint Wasp Now Monitors Domain User and Admin Accounts
Do you:
- Need a quick and easy way to provide monitoring of when new user accounts are created in your AD forest and domains?
- Need an easy way to know when a user becomes a member of the administrator groups?
- Want a powerful, flexible and effective tool for knowing what is running on your AD servers and when new code gets executed on these critical devices?
If you answered yes to any of these questions, read on.
HoneyPoint Wasp, a bleeding edge tool for anomaly detection on Windows Desktops and Servers has just been enhanced with the current release to extend these types of coverage (and more) to Windows 2003 & 2008 servers running an AD context of Primary Domain Controller & Backup Domain Controller. Yes, our customers have been asking for it, and we listened. Now, with a simple, no signature/no tuning/0-interface deployment, you can get centralized monitoring and visibility over your critical AD identity store. You can know what is running on these essential servers all of the time and when new users are created or promoted to administrative status.
Attackers commonly infect AD components as they move through the enterprise, often adding and promoting users as they go. In most incidents we have worked over the last several years, these changes have usually gone unnoticed until it was too late. That’s exactly why we built HoneyPoint in general and Wasp in particular, to answer this dire need and to help turn the tide against malware-based compromises.
Want to discuss how Wasp fits in your organization? Simply drop us a line at: (1info2@3microsolved4.5com6) (remove the numbers/spam protection), or give us a call at 614-351-1237 to discuss it with your account rep. Wasp is powerful, yet easy to use, detection and with it in your corner, “Attackers Get Stung, Instead of YOU.”
Thanks for reading and stay safe out there!
Learning USB Lessons the Hard Way
I worked an incident recently that was a pretty interesting one.
The company involved has an application running on a set of Windows kiosks on a hardened, private network that though geographically diverse, is architected in such a way that no Internet access is possible at any machine or point. The kiosk machines are completely tied to a centralized web-based application at a central datacenter and that’s all the kiosk machines can talk to. Pretty common for such installs and generally, a pretty secure architecture.
The client had just chosen to install HoneyPoint and Wasp into this closed network the previous week to give them a new layer of detection and visibility into the kiosk systems since they are so far apart and physical access to them is quite difficult in some locations. The Wasp installs went fine and the product had reached the point where it was learning the baselines and humming along well. That’s when the trouble began. On Saturday, at around 5am Eastern time, Wasp identified a new application running on about 6 of the kiosk machines. The piece of code was flagged by Wasp and reported to the console. The path, name and MD5 hash did not match any of the applications the client had installed and only these 6 machines were running it, with all of them being within about 20 miles of each other. This piqued our curiosity as they brought us in, especially given that no Internet access is possible on these machines and users are locked into the specific web application the environment was designed for.
Our team quickly isolated the 6 hosts and began log reviews, which sure enough showed outbound attempts on port 80 to a host in China known to host malware and bots. The 6 machines were inspected and revealed a job in the scheduler, set to kick off on Saturdays at 5am. The scheduler launched this particular malware component which appeared to be designed to grab the cookies from the browser and some credentials from the system and users and throw them out to the host in China. In this case, the closed network stopped the egress, so little harm was done. Anti-virus installed on the kiosk machines showed clean, completely missing the code installed. A later scan of the components on virustotal.com also showed no detections, though the sample has now been shared with the appropriate vendors so they can work on detections.
In the end, the 6 machines were blown away and re-installed from scratch, which is the response we highly suggest against today’s malware. The big question was how did it get there? It turned out that a bit of digging uncovered a single technician that had visited all 6 sites the previous week. This technician had just had a baby and he was doing as all proud fathers do and showing off pictures of his child. He was doing so by carrying a USB key with him holding the pictures. Since he was a maintenance tech, he had access to drop out of the kiosk and perform system management, including browsing USB devices, which he did to show his pictures to his friends. This completely human, innocent act of love, though much understandable, had dire results. It exposed the business, the users, the customers and his career to potential danger. Fortunately, thanks to a secure architecture, excellent detection with Wasp, good incident planning and a very understanding boss, no harm was done. The young man got his lesson taught to him and the errors of his ways explained to him in “deep detail”. Close call, but excellent lessons and payoff on hard work done BEFORE the security issue ever happened.
Wasp brought excellent visibility to this company and let them quickly identify activity outside the norm. It did so with very little effort in deployment and management, but with HUGE payoff when things went wrong. Hopefully this story helps folks understand where Wasp can prove useful for them. After all, not all networks are closed to the Internet. Is yours? If you had infected hosts like this and AV didn’t catch it, would you know? If not, give us a call or drop us a line and let’s talk about how it might fit for your team. As always, thanks for reading!
What To Do When Your Identity Gets Stolen
OK, so it happens. A lot. Companies and people don’t always do the right things and sometimes, criminals win. They steal identity data and get the chance to commit massive fraud. We all know about it. We hear the stories and we hear people talking, but we don’t think it will happen to us, until it does.
What now? What should you do when such an event occurs in your life? Well, this great article from our friends over at Help Net Security summarizes best practices for identify theft victims and their support systems as described by the Consumer Federation of America (CFA). I thought the article was not only good content, but an excellent point of reference for folks who might be impacted by identity theft. You should check it out here. Here are some more tips:
- You should also be well aware of your legal rights and responsibilities and not be afraid to engage with your state Attorney General’s office if you suspect vendors are not playing by the rules. You can find a list of state Attorney General contacts here: http://www.consumerfraudreporting.org/stateattorneygenerallist.php
- Legal representation may also be of assistance if the fraud you face is large enough to warrant the cost of representation. Don’t be afraid to engage with an attorney if the fraud costs are large or the legal complexity you face is astounding. Contact your state bar association for information on finding reputable consumer law attorneys in your area.
- If you are considering something like one of these consumer data/life “locking” services or the like, please check out a DIY approach here.
We hope you never have to use this information, but if you do, these are a few quick tidbits to get you started while avoiding further scams, fraud and abuse. As always, thanks for reading and stay safe out there!