About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

MSI Partner Syhunt Brings Source Code Scanning to ASP & JSP

Syhunt has launched a very nice and powerful new edition of their Sandcat web application security tool. Sandcat is an extremely thorough and very capable assessment engine for web servers, web applications and web application source code. MSI has been using the tool for many years and we enjoy a very close relationship with the team behind the tool.

In addition to adding new features to the PHP source code scanning, this new release gives users the capability to do white-box testing on web applications for XSS vulnerabilities beyond PHP. The new version now includes cross-site scripting checks for classic ASP, ASP.NET and JSP (JavaServer Pages) code modules. Syhunt even plans to further extend the classes of checks in those languages in the coming months. As with PHP source code assessment, this is a very powerful tool for increasing the quality and security of web applications, both new and legacy, around the enterprise.
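
As an added illustration (not Syhunt's code), here is the kind of per-line check a white-box XSS scanner performs on JSP, classic ASP and ASP.NET source: a request value reaching an HTML output sink without passing through an encoder. The sample modules and the source/sink/encoder pattern lists are constructed for this example.

```python
import re

# Constructed sample modules, one per language the new Sandcat release covers.
# They are written for this example and are not Syhunt's test cases.
SAMPLES = {
    "search.jsp": (
        '<p>Results for <%= request.getParameter("q") %></p>\n'
        '<p>Safe: ${fn:escapeXml(param.q)}</p>\n'
    ),
    "hello.asp": (
        '<% Response.Write(Request.QueryString("name")) %>\n'
        '<% Response.Write(Server.HTMLEncode(Request.Form("name"))) %>\n'
    ),
    "page.aspx": (
        '<%= Request["id"] %>\n'
        '<%= HttpUtility.HtmlEncode(Request["id"]) %>\n'
    ),
}

# Untrusted input sources, HTML output sinks, and the encoders that neutralise
# the source before it reaches the sink, for JSP, classic ASP and ASP.NET.
SOURCES = re.compile(
    r'request\.getParameter\(|\bparam\.\w+|Request\.(?:QueryString|Form)\(|Request\["',
    re.IGNORECASE,
)
SINKS = re.compile(r'<%=|Response\.Write\(|\$\{', re.IGNORECASE)
ENCODERS = re.compile(
    r'Server\.HTMLEncode\(|HttpUtility\.HtmlEncode\(|fn:escapeXml\(', re.IGNORECASE
)

def find_reflected_xss(source):
    """Return 1-based line numbers where a request value reaches an output sink
    without a known encoder on the same line. This is a per-line heuristic; a
    real scanner follows the value through assignments and across lines."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SINKS.search(line) and SOURCES.search(line) and not ENCODERS.search(line):
            findings.append(lineno)
    return findings

def scan(samples):
    """Map each module name to the lines flagged in it."""
    return {name: find_reflected_xss(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, lines in scan(SAMPLES).items():
        print(name, "unencoded request output on lines", lines)
```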

Check out the new release at http://www.syhunt.com and let them know you heard about it from MSI. The Syhunt team are nice folks and they work very hard to bring you one of the most flexible, powerful and easy to use web application tools on the planet. Give it a shot, we think you’ll become a huge fan too!

Better Detection on the Desktops is Now Available!

Gang, as we have been talking about for several months, MicroSolved is proud to announce the immediate availability of HoneyPoint Wasp. Version 1.00 of this new tool, focused on detecting compromised workstations and Windows servers, is now running full speed ahead. Clients and participants in the beta program have had some great things to say about the product, like:

“It’s a no-brainer!”, “…deeply extends visibility into the desktop world…” and “Immensely helpful!”

For more information about how Wasp can help you defend your desktops and workstations, plus play a critical role in identifying attacks against Windows servers, check out the press release, web page or give us a call at (614) 351-1237 to set up a briefing!

SAMBA Vuln Could Be Dangerous

If you are not already looking at the newest SAMBA issue, you should be paying attention. It is a stack-based buffer overflow, exploitable remotely without credentials. The Metasploit folks are already hard at work on an exploit and some versions are rumored to be floating about the underground.

The vulnerability exists in OS X, Linux and a variety of appliance platforms using the core SAMBA code. Updates are starting to roll into the primary distributions and OS images. Ubuntu, for example, already has a fixed version available.

You can read the SAMBA folks release here for more information.

Likely, wide scale exploitation is on the horizon and malware/worm development is also predicted for this particular issue.

In terms of actions, begin to understand where SAMBA is used in your environment, reduce your attack surfaces as much as possible, implement the patches where available and increase your vigilance on SAMBA utilizing systems/processes.

Keep your eyes on this one. With this also being a fairly heavy/serious Microsoft patch day, your security team and admins might be focused on other things. You don’t want this one to slip through the cracks.

HoneyPoint Wasp is Almost Ready to Leave the Nest

As many of you may know, the MSI team has been hard at work the last several months finishing the beta of our new compromised workstation detection product, HoneyPoint Wasp. It is a fully integrated component of HoneyPoint Security Server, capable of executing distributed detection and threat monitoring on Windows workstations across enterprises. The initial feedback from the beta group has been absolutely amazing. We are finding bots, malware and compromised hosts in a variety of locations, once thought to be “clean” and “safe”.

Wasp accomplishes this mission by being deployed as a service on workstations and by monitoring for the most common signs of compromise. It can watch for changes in the users, admins, port postures and such. It does white list detection of the running processes and it is even capable of detecting DNS tampering and changes to selected files on the operating system.

Even better, it does this work without the need for workstation event logs, signature updates or tuning. It “learns” about the workstation on which it is deployed and adapts its detection techniques to focus on important changes over the long run.
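
To make the learn-then-watch-for-changes approach described above concrete, here is an added example (not Wasp's code) that takes a first snapshot of a workstation as its baseline and process whitelist, then reports only deviations in the same categories the post lists. The snapshot field names and values are constructed assumptions, not Wasp's real schema.

```python
# Constructed snapshots of one Windows workstation, covering the signals the post
# lists: local admins, listening ports, DNS servers, selected file hashes and
# running processes. Field names and values are assumptions, not Wasp's schema.
BASELINE = {
    "admins": {"Administrator", "alice"},
    "listening_ports": {135, 445, 3389},
    "dns_servers": ["10.0.0.53"],
    "file_hashes": {r"C:\Windows\System32\drivers\etc\hosts": "sha256:aaaa"},
    "processes": {"explorer.exe", "svchost.exe", "outlook.exe", "chrome.exe"},
}
CURRENT = {
    "admins": {"Administrator", "alice", "svc_backup"},
    "listening_ports": {135, 445, 3389, 4444},
    "dns_servers": ["198.51.100.7"],
    "file_hashes": {r"C:\Windows\System32\drivers\etc\hosts": "sha256:bbbb"},
    "processes": {"explorer.exe", "svchost.exe", "chrome.exe", "update.exe"},
}

def learn(first_snapshot):
    """The 'learning' step: the first snapshot becomes the baseline and its
    process set becomes the whitelist, so no signatures or tuning are needed."""
    return dict(first_snapshot), set(first_snapshot["processes"])

def detect_changes(baseline, whitelist, current):
    """Return (category, detail) alerts for deviations from the learned baseline.
    Only changes are reported; a process that was already running stays silent."""
    alerts = []
    for user in sorted(current["admins"] - baseline["admins"]):
        alerts.append(("new_admin", user))
    for port in sorted(current["listening_ports"] - baseline["listening_ports"]):
        alerts.append(("new_listener", port))
    if current["dns_servers"] != baseline["dns_servers"]:
        alerts.append(("dns_changed", tuple(current["dns_servers"])))
    for path, digest in current["file_hashes"].items():
        if baseline["file_hashes"].get(path) != digest:
            alerts.append(("file_changed", path))
    for proc in sorted(current["processes"] - whitelist):
        alerts.append(("unlisted_process", proc))
    return alerts

def alerts_for(current, first_snapshot=BASELINE):
    """Convenience wrapper: learn from the first snapshot, then check `current`."""
    baseline, whitelist = learn(first_snapshot)
    return detect_changes(baseline, whitelist, current)

if __name__ == "__main__":
    for category, detail in alerts_for(CURRENT):
        print(category, detail)
```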

We designed Wasp to be easy to install, easy to manage and to be transparent to the end user. As such, it is deployed as a zero-interface piece of software. There are no pop-ups, no GUI and no interaction at all with the user. All alerts are routed to the HoneyPoint console and the security team, eliminating any chance of increased help desk calls, user push back and confusion.

In the next couple of weeks, we will be making some announcements about the general availability of the Wasp product. I hope you will join me in my excitement when we announce this launch. In the meantime, think about what you are doing today to protect against initial stage compromises and congratulate the MSI development team and our beta testers on a job well done. I think you are going to be amazed at how easy, capable and advanced Wasp is, when it is released. I know I continue to be amazed at what it is detecting and how much stuff has evaded current detection techniques.

In the meantime, while we await the full release, check out this PDF for some more information about where we are going with Wasp and our HoneyPoint product line. I think you are going to like the diagrams and the explanations. If you would like to book a special sneak preview of Wasp and the rest of HoneyPoint, give your account executive a call. We will be happy to sit down and discuss it with you. As always, thanks for reading!

Excellent Source for Metrics on PHP RFI

My friend Eric has put up some excellent statistics and metrics on PHP RFI attacks against his honeynet. This is some excellent data. If you have read other stuff we have pointed to from Eric, then you know what to expect. But, if you are interested in a real world look at trends and metrics around PHP exposures, give this a few moments of your time.

You can find the interface and metrics set here.

Check it out, I think you’ll be impressed. Thanks, as always, to Eric and other folks in the honeypot community for all of their hard work, time and attention.

If you have some honeypot metrics to share, drop a comment below! As always, thanks for reading!

Looking For More Info on SEIM Best Practices?

I know we get a lot of questions on SEIM tools, their use and the best practices around their deployment and I have talked heavily to some of the folks involved in this SANS webcast tomorrow. If you have an interest in SEIM, I urge you to tune in.

You can find the details here.

They got some excellent folks to participate and the content should be quite strong. As always, if you have questions on SEIM deployments, products or use, drop me a line. Always happy to give my 2 cents.

PS – Special thanks to Scott Gordon for putting this together. I am sorry I couldn’t personally participate, but it is a very cool thing to bring to the community!

Using Honeypots to Track Attackers: Eric Romang’s FileAve.com Report

One of MSI’s Twitter friends, Eric Romang, recently wrote a deep dive about PHP RFI attacks that used the fileave.com service. The write-up was based on a large set of honeypot data that dates back several years!

The data is interesting and compelling and goes a long way to show value derived from the use of honeypots to track attackers and reveal information and trends about their behaviors. Check out this article here.

We were quite impressed with the data visualizations and are excited to see the level of effort put forth. Thanks for the dedication and hard work! We hope that you, our readers, enjoy pointers to great data like this.

Have you seen or done other honeypot research or visualizations on your networks and threats? If you care to share tips, results or the like, drop us a line below in the comments or via Twitter (@lbhuston, @mrmaguire). We would love to hear more about them!

As always, thanks for reading!

An Explanation of Our HoneyPoint Internet Threat Monitoring Environment #HITME #security

One of the least understood parts of MicroSolved is how the HoneyPoint Internet Threat Monitoring Environment (#HITME) data is used to better protect our customers. The engineers have asked me to drop this line into the newsletter and give you a “bees knees” perspective of how it works! First, if you don’t know about the #HITME, it is a set of deployed HoneyPoints that gather real world, real time attacker data from around the Internet. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. You can even follow the real time updates of attacker IPs and target ports on Twitter by following @honeypoint or the #HITME hashtag. MSI licenses that data under a Creative Commons non-commercial license, for FREE, as a public service to the security community.

That said, how does the #HITME help MSI better protect their customers? Well, first, it allows folks to use the #HITME feed of known attacker IPs in a blacklist to block known scanners at their borders. This prevents the scanning tools and malware probes from ever reaching you to start with. Next, the data from the #HITME is analyzed daily and the newest, bleeding edge attack signatures get added to the MSI assessment platform. That means that customers with ongoing assessments and vulnerability management services from MSI get continually tested against the most current forms of attack being used on the Internet. The #HITME data also gets updated into the MSI pen-testing and risk assessment methodologies, focusing our testing on real world attack patterns much more than vendors who rely on typical scanning tools and back-dated threats from their last “yearly bootcamp”.

The #HITME data even flows back to the software vendors through a variety of means. MSI shares new attacks and possible vulnerabilities with the vendors and with the open source projects targeted by attackers. Often MSI teaches those developers about the vulnerability, the possibilities for mitigation, and how to perform secure coding techniques like proper input validation. The data from the #HITME is used to provide the attack metrics and pattern information that MSI presents in its public speaking, “State of the Threat,” the blog, and other educational efforts. Lastly, but certainly not least, MSI provides an ongoing alerting function for organizations whose machines are compromised. MSI contacts critical infrastructure organizations whose machines turn up in the #HITME data and works with them to mitigate the compromise and manage the threat. These data-centric services are provided, pro bono, in 99% of all of the cases!

If your organization would be interested in donating an Internet-facing system to the #HITME project to further these goals, please contact your account executive. Our hope is that the next time you hear about the #HITME, you’ll get a smile on your face knowing that the members of my hive are working hard day and night to protect MSI customers and the world at large. You can count on us, we’ve got your back!

A Quick Word on LiveCD’s and Bootable USB for Consumers

I gave a quick interview today for a magazine article to be printed in late July. The topic was pretty interesting; it revolved around consumer fears about online banking.

The key point of the discussion was that financial organizations are doing a ton of work on securing your data and their systems from attack. The major problem facing online banking today is really the consumer system. So many home PCs are compromised or infected today that they represent a significant issue for the banking process.

The good news is that home systems can pretty easily be removed from the equation with a simple bootable LiveCD or USB key. It is quite easy (and affordable) to create Linux distros with very limited applications and security measures that enforce using them just for banking and other high risk transactions. Solutions in this space are available in open source, community/payment supported and, of course, full blown commercial software tools complete with a variety of VPN, access control and authentication tools.

You might even consider creating your own open source distro, labeled and logo branded to distribute for free to your customers. A few of my credit unions are taking this approach. For the cost of CD duplication, they get the high trust customer contact and peace of mind of having a dedicated, trusted platform for their home banking. That, indeed, may be well worth the investment.

Review of Puppy Linux 5.0

Lucid Puppy Linux 5.0 was released back in May of 2010, but as one of my favorite distros, I have been playing with it heavily since then. I have been so impressed with the new version that I wanted to take a moment and write a quick review of this release.

You can find the official release page here, along with download information.

First, let me say that I have really come to love Puppy Linux over the last several years. I use it as a LiveCD/USB platform for secure on-the-go browsing, a Linux OS for old hardware that I donate to a variety of folks and causes, and as a platform for using HoneyPoint as a scattersensor. I like the ease of use, wide range of hardware support, and small footprint. All of these make this a very workable Linux distro.

This version especially seems to be stable, fast, and capable. I have taken to running it from a bootable USB drive and the performance has been very nice. Being able to drop these onto untrusted systems and use them as a browser, VPN client, and productivity tool has been handy. Using HoneyPoint Personal Edition, the nmap plugins and some other Puppy installs of security tools gives me a great platform for working incidents, gaining visibility and catching rogue scans, probes and malware that are in circulation when I pull in to help a client. Over and over again, the distro has proven itself to be a very powerful tool for me.

I suggest you take a look at the distro, LiveCD or USB and see how it can help you. I think you’ll find it fun, easy to use, and quite addicting. The pictures of the puppies don’t hurt either. 🙂

Check it out!