Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

PIPA/SOPA/Etc. Will Speed Up the Crime Stream

Posted on by
2

Today, many sites are protesting PIPA/SOPA and the like. You can read Google or Wikipedia for why those organizations and thousands of others are against the approach of these laws. But, this post ISN’T about that. In fact, censorship aside, I am personally and professionally against these laws for an entirely different reason all together.

My reason is this; they will simply speed up the crime stream. They will NOT shut down pirate sites or illicit trading of stolen data. They will simply force pirates, thieves and data traders to embrace more dynamic architectures and mechanisms for their crimes. Instead of using web sites, they will revert to IRC, bot-net peering, underground message boards and a myriad of other ways that data moves around the planet. They will move here, laws will pass to block that, they will move there, lather, rinse and repeat…

In the meantime, piracy, data theft, data trading and online crimes will continue to grow unabated, as they will without PIPA/SOPA/Etc. Nary a dent will be made in the amount or impact of these crimes. Criminals already have the technology and incentives to create more dynamic, adaptable and capable tools to defy the law than we have to marshall against them in enforcing the law.

After all that, what are we left with? A faster, more agile set of criminals who will actively endeavor to shorten the value chain of data, including intellectual property like movies, music and code. They will strive to be even faster to copy and spread their stolen information, creating even more technology that will need to be responded to with the “ban hammer”. The cycles will just continue, deepen and quicken, eventually stifling legitimate innovation and technology.

Saddest of all, once we determine that the legislative process was ineffective against the crime they sought to curtail, we still will have a loss of speech during that time, even if the laws were to ever be repealed. That’s right, censorship has a lasting effect, and we might lose powerful ideas, ideals and potentially world changing innovations during the time when people feel they are being censored. We lose all of that, even without a single long term gain against crime.

Given the impacts I foresee from these laws, I can not support them. I do believe in free speech. I do believe in free commerce on the Internet as a global enabler. But all of those reasons aside, I SIMPLY DO NOT BELIEVE that these laws will in any way affect the long term criminal viability or capability of pirates, thieves and data traders. Law is simply not capable of keeping pace with their level of innovation, adaptation and incentives. I don’t know what the answer is, I just know that this approach is not likely to be it.

So, that said, feel free to comment below on your thoughts on the impacts of these laws. If you are against the enactment of these laws, please contact your representatives in Congress and make your voice known. As always, thanks for reading and stay safe out there!

These are my opinions, as an individual – Brent Huston, and as an expert on information security and cyber-crime. They do not represent the views of any party, group or organization other than myself.

Quick Use Case for HoneyPoint Wasp

Posted on by
2

Several organizations have begun to deploy HoneyPoint Wasp as a support tool for malware “cleanup” and as a component of monitoring specific workstations and servers for suspicious activity. In many cases, where the help desk prefers “cleanup” to turn and burn/re-image approaches, this may help reduce risk and overall threat exposures by reducing the impact of compromised machines flowing back into normal use.

Here is a quick diagram that explains how the process is being used. (Click here for the PDF.)

If you would like to discuss this approach in more detail, feel free to give us a call to arrange a one on one session with an engineer. There are many ways that organizations are leveraging HoneyPoint technology as a platform for nuance detection. Most of them increase the effectiveness of the information security program and even reduce the resources needed to manage infosec across the enterprise!

Snort and SCADA Protocol Checks

Posted on by
1

Recently, ISC Diary posted this story about Snort 2.9.2 now supporting SCADA protocol checks. Why is this good news for SCADA?

Because it is a lower cost source of visibility for SCADA operators. Snort is free and a very competitive solution. There are more expensive commercial products out there, but they are more difficult to manage and have less of a public knowledge base and tools/options than Snort. Many security folks are already familiar with Snort, which should lower both the purchase and operational cost of this level of monitoring.

Those who know how to use Snort can now contribute directly to more effective SCADA monitoring. Basically, people with Snort skills are more prevalent, so it becomes less expensive to support the product, customize it to their specific solution and manage it over time. There are also a wide variety of open source add-ons, and tools that can be leveraged around Snort, making it a very reasonable cost, yet powerful approach to visibility. Having people in the industry who know how the systems work and who know how Snort works allows for better development of signatures for various nefarious issues.

It is likely to be a good detection point for SCADA focused malware and manual probes. The way these new signatures are written allows them to look for common attacks that have already been publicly documented. The tool should be capable of identifying them and can do so with ease. In terms of trending malware, (not currently) these attack patterns have been known for some time. 

The specifics of the probes are quite technical and we would refer readers to the actual Snort signatures for analysis if they desire.

By learning the signatures of various threats to the industry, people in the field can translate that into Snort scripts which can detect those signatures on the network and make the proper parties aware in a timely manner. Snort has the flexibility (in the hands of someone who knows how to use it) to be molded to fit the needs of nearly any network.

It makes an excellent companion tool to a deployment of HoneyPoint deep inside SCADA and ICS networks. In this case, Snort is usually deployed on the internal network segment of the ICS/SCADA firewall, plugged into the network switch. HPSS is as shown.  

 

 

 

 

 

 

 

 

If you’re looking for a low-cost solution and plenty of functionality for your SCADA, this recent development is a welcome one!

What the Heck Is FeeLCoMz?

Posted on by
3
FeeLCoMz is a string I often get a lot of questions about. Basically, people see it and other strings in their logs, or if they are unlucky, they run into it like this, in a file in their web directories:
 
 Basically, if this is in the file system, then the system has been compromised, usually by a PHP RFI vulnerability. Other strings to check for, if you feel you want to run some basic grep checks against web files, include: 
 
“FaTaLz”,”KinCay”,”CreWz”,”TeaM”,”CoMMunity”,”AnoNyMous”,”Music”,
“ProGraMMeR”,”CyBeRz” and “mIRC”
 
If you find those strings, they usually indicate other PHP scanners, worms or attack tools have compromised the system. Now, if you don’t find those, it does NOT mean the system is safe, the list of all of those relevant strings would be too large and dynamic to manage. 
 
Another good grep check to parse files for in web directories, especially PHP and text files, if the nearly ubiquitous, “base64_decode(“, which is an absolute favorite of PHP bot, shell and malware authors. Any files you find using that call should be carefully inspected.
 
If you want to find more information on how PHP RFI attacks and other such issues occur, check out these links 
 
 
Basically, if you find files with the FeeLCoMz tag in it in the web directories, you have some incident response and investigation work to do. Let us know if we can assist, and stay safe out there. 
 
PS – It’s a good idea to have all PHP applications, even common ones like WordPress and the like, assessed prior to deployment. It might just save you some time, hassle and money! 

Quick Use Case for HoneyPoint in ICS/SCADA Locations

Posted on by
1

 

 

 

 

 

 

 

This quick diagram shows a couple of ways that many organizations use HoneyPoint as a nuance detection platform inside ICS/SCADA deployments today.

Basically, they use HoneyPoint Agent/Decoy to pick up scans and probes, configuring it to emulate an endpoint or PLC. This is particularly useful for picking up wider area scans, probes and malware propagations.

Additionally, many organizations are finding value in HoneyPoint Wasp, using its white list detection capabilities to identify new code running on HMIs, Historian or other Windows telemetry data systems. In many cases, Wasp can quickly and easily identify malware, worms or even unauthorized updates to the ICS/SCADA components.

The Smart Grid Raises the Bar for Disaster Recovery

Posted on by
2

As we present at multiple smart grid and utility organizations, many folks seem to be focusing on the confidentiality, integrity, privacy and fraud components of smart grid systems.

Our lab is busily working with a variety of providers, component vendors and other folks doing security assessments, code review and penetration testing against a wide range of systems from the customer premise to the utility back office and everything in between. However, we consistently see many organizations under estimating the costs and impacts of disaster recovery, business continuity and other efforts involved in responding to issues when the smart grid is in play.

For example, when asked about smart meter components recently, one of our water concerns had completely ignored the susceptibility of these computer devices to water damage in a flood or high rain area. Seems simple, but even though the devices are used inside in-ground holes in neighborhoods, the idea of what happens when they are exposed to water had never been discussed. The vendor made a claim that the devices were “water resistant”, but that is much different than “water proof”. Filling a tub with water and submerging a device quickly demonstrated that the casing allowed a large volume of water into the device and that when power was applied, the device simply shorted in what we can only describe as “an interesting display”.

The problem with this is simple. Sometimes areas where this technology is eventually intended to be deployed will experience floods. When that happens, the smart meter and other computational devices may have to be replaced en masse. If that happens, there is a large cost to be considered, there are issues with labor force availability/safety/training and there are certainly potential issues with vendor supply capabilities in the event of something large scale (like Hurricane Katrina in New Orleans).

Many of the organizations we have talked to simply have not begun the process of adjusting their risk assessments, disaster plans and the like for these types of operational requirements, even as smart grid devices begin to proliferate across the US and global infrastructures.

There are a number of other examples ranging from petty theft (computer components have after market value & large scale theft of components is probable in many cases) to outright century events like hurricanes, floods, earthquakes and tornados. The bottom line is this – smart grid components introduce a whole new layer of complexity to utilities and the infrastructure. Now is the time for organizations considering or already using them to get their heads and business processes wrapped around them in today’s deployments and those likely to emerge in the tomorrows to come.

How to Choose a Security Vendor: Beware of “Free InfoSec”

Posted on by
Reply

In your search for security vendors, be aware of those who offer assessments on the “we find holes or it’s free” basis.  Below are a few points to consider when evaluating your choices.

  1. Security testing choices should not be based on price. They should be based on riskThe goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable.

    Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really bad idea. Matching vendors specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.
     

  2. The “find vulnerabilities or it’s free” mentality can backfire.It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to also tie that to price makes it doubly difficult — “Great, I pay now because Tom made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tom?

    Believe me, there can be long term side effects for Tom’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.
     

  3. It actually encourages the security assessment team to make mountains out of mole hills.Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly behooves the security team to note even small issues as serious security holes.

    In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get seriously skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.

In my opinion, let’s stick to plain old value. We can help you find and manage your risk. We focus on specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. The damages we prevent from occurring saves your company money. Look for a service vendor that provides this type of value and realize in the long run, you’ll be coming out ahead.

Want Rapid Feedback? Try a Web Application Security Scan!

Posted on by
1

A web application security scan is a great way to get rapid feedback on the security and health of your web-based applications.

You can think of the web application scan as a sort of vulnerability assessment “lite”. It leverages the power and flexibility of automated application scanning tools to do a quick and effective baseline test of your application. It is very good at finding web server configuration issues, information leakage issues and the basic SQL injection and cross-site scripting vulnerabilities so common with attackers today. 

This service fits particularly well for non-critical web applications that don’t process private information or for internal-facing applications with little access to private data. It is a quick and inexpensive way to perform due diligence on these applications that aren’t key operational focal points.

Many of our clients have been using the application scanning service for testing second-line applications to ensure that they don’t have injection or XSS issues that could impact PCI compliance or other regulatory standings. This gives them a less costly method for testing the basics than a full blown application assessment or penetration test.

While this service finds a number of issues and potential holes, we caution against using it in place of a full application assessment or penetration test if the web application in question processes critical or highly sensitive information. Certainly, these deeper offerings find a great deal more vulnerabilities and they also often reveal subtle issues that automated scans will not identify.

If you are interested in learning more about the applications scanning service, please fill out the contact form and put in the “Questions” box: Web App Scan. We can help you identify if these services are a good fit for your needs and are more than happy to provide more detail, pricing and other information about web application scans.

The Detection in Depth Focus Model & Example

Posted on by
2

Furthering the discussion on how detection in depth works, here is an example that folks have been asking me to demonstrate. This is a diagram that shows an asset, in this case PII in a database that is accessed via a PHP web application. The diagram shows the various controls around detection in place to protect the data at the various focus levels for detection. As explained in the maturity model post before, the closer the detection control is to the asset, the higher the signal to noise ratio it should be and the higher the relevance o the data should be to the asset being protected (Huston’s Postulate). 

Hopefully, this diagram helps folks see a working example of how detection in depth can be done and why it is not only important, but increasingly needed if we are going to turn the tide on cyber-crime.
 
As always, thanks for reading and feel free to engage with ideas in comments or seek me out on Twitter (@lbhuston) and let me know what you think. 

Detection in Depth Maturity Model

Posted on by
3

I have been discussing the idea of doing detection depth pretty heavily lately. One of the biggest questions I have been getting is about maturity of detection efforts and the effectiveness of various types of controls. Here is a quick diagram I have created to help discuss the various tools and where they fit into the framework of detection capability versus maturity/effectiveness.

The simple truth is this, the higher the signal to noise ratio a detection initiative has, the better the chance of catching the bad event. Detections layered together into various spots work better than single layer controls. In most cases, the closer you get to an asset, the more nuanced and focus (also higher signal to noise ratio) the detection mechanisms should become.
 
That is, for example – a tool like a script detecting new files with “base64decode()” in them on a web server is much higher signal than a generic IDS at the perimeter capturing packets and parsing them against heuristics.
 
When the close controls fire an alert, there better be a clear and present danger. When the distant controls alert, there is likely to be more and more noise as the controls gain distance from the asset. Technology, detection focus and configuration also matter A LOT. 
All of that said, detection only works if you can actually DO something with the data. Alarms that fire and nothing happens are pretty much useless tools. Response is what makes detection in depth a worthwhile, and necessary, investment.