I just posted this on Twitter:

The #HITME caught 1,684 new unique probes last week. That’s about 10 unique probes per hour or one unique probe every 6 minutes on avg.

Interesting idea that some sort of entropy in attacker signatures happens that often on average. Every 6 minutes some nuance of an attack pattern changes and we see it in the HITME data. Sure, some of these are encoding changes, slight modifications, but some are new scanning targets, new payloads and entirely new strains of attack and probe activity.

With attack patterns changing so rapidly, are you really sure your heuristics-based tools and approaches are able to keep up? Remember, too, this is just server/application viewpoint data. It has nothing to do with the threat entropy that a client application like a browser encounters. Those metrics, in my opinion, are likely to be exponentially higher if we could ever find a way to measure them in a meaningful way.

I just completed the slides for my new presentation on application security. It is focused on understanding Remote File Include attacks against PHP implementations.

After much conversation with the folks who manage the ISACA.org site and quite a bit of frustration trying to reach the people responsible for the site within ISACA, I had a good discussion with them last night and they have removed my login credentials by my request. While I have been and continue to be a supporter and member of ISACA, I disagree with them over this particular issue.

The problem is that the ISACA.org password reset mechanism sends your password in clear text to your registered email address. An attacker, or anyone, only needs to know or guess a user name to cause the system to send the password. If an attacker initiates this process and can gain access to the email system or the email itself in transit, then they gain access to a live, user generated password.

The threat model for this is obvious and commonly exploited. Users, even security folks, often re-use the same passwords around the Internet for a variety of sites. If the attacker can gain the password by exploiting this mechanism, then it becomes easy to try and leverage those credentials on a myriad of sites and accounts. Similar attacks have been quite popular lately and have proven effective for high level compromises on social media, e-commerce and other popular sites.

When I explained the problem to the web manager, he did not disagree with either the risk or the attack vectors. He only explained that they had known of the problem for a year or so and that their mitigation was to launch a new web site. He assured me the new site would be ready within a few months. He explained that the new site, in accordance with current best-practices, would include a new reset mechanism for passwords that used a token URL link or the like instead of a plain text password. I suggested that they remove the current mechanism from use until then and he said they would explore that as an option.

My main point on this issue is that I expect more from ISACA. I expect that since they are teaching the world to audit systems and processes for security, that they themselves would have secure processes. I especially have a hard time accepting that they knew of this problem for a year and chose to accept the risk without any additional controls being implemented, thereby placing the residual risk squarely on the shoulders of their members. To make matters worse, they transferred this risk to the membership without so much as a reminder or disclosure statement on their site about the problem. I understand that they may have resource constraints around managing the site, as he explained,   but these are the same issues that all organizations face, including the very organizations their training teaches people not to accept this explanation from.

While the discussion was amiable and professional, I am left with my disappointment. I got no assurances that anything would be done differently until the new site is launched and I got no sense for how that new site will be peer tested, reviewed or the like. Thus, I asked them to remove my account until that time. This is also the reason I am making this post. I want all ISACA members to be aware of the risk and that their credentials could potentially be exposed. Hopefully, none of the membership reuses their password around the web, but that seems unlikely. At least now, if they read this blog post, they will be aware.

Please feel free to let me know your thoughts on this issue by leaving a comment below. You can also contact ISACA by phone. Their numbers are listed in the contact us portion of their website.

Lastly, I want to say that I continue to support ISACA and their membership. I think their mission is critical and that their training is a strong positive for the security community and the world at large. As always, thanks for reading!

We started picking up a few very low intensity scans last night. The pace of them are increasing. They appear to be aimed at cataloging users of the ANT tool. You can find a list of the scanning targets and a link to BrainWebScan here, if you would like to check for them yourself.

If you are a MicroSolved Managed Assessment (GuardDog) client, your systems will be tested during your next scheduled assessment.

If you have any questions or would like to know more about our ongoing assessment services, threat management or application security testing, feel free to email us at info [at] microsolved [dot] C O M or give us a shout at 1-877-351-1237. We would love to discuss it with you!

I don’t know about you, but I LOVE cheat sheets. I absolutely use the crap out of them.

Today, someone (I lost the email since then), sent me this page that has a boatload of cheat sheets in one locale. Thanks to whoever sent it, you know who you are. 🙂

Check them out here.

I hope you find something useful there. I know I did!

After the discussion about my last post and my omission of appsec, I wanted to make up for it not being in the list. Certainly, application security is important and as pointed out, I should have added it to the list of primary concerns for organizations.

By now, I hope everyone understands that attacks like SQL injection, cross-site scripting and the rest of the OWASP top 10 can have devastating effects. Often, when these vulnerabilities come into play, data loss soon follows. Sometimes, the attacker is able to gain direct access to the data targets they are seeking. For example, if SQL injection grants them access to a database that contains credit card information or identity data, then the initial compromise may be all that the attacker needs to obtain their goal.

But, even when the initial compromise does not directly yield them the data they seek, the initial SQL injection compromise often allows them access to and/or control over other systems and components. They then use a variety of technologies and techniques (from keylogging to sniffing and from pivot attacks to trojans) to leverage the initial problem into the compromise of the data they seek. In many cases, the attackers prove themselves to be both creative and patient as they slowly crawl towards their goals.

Even if your site does not have the targets they want, the SQL injection can be quite damaging for your organization. Not only do you have the compromise itself, but quite often, the application or web server with the vulnerability is manipulated to propagate malware that infects the visitors to your site, turning their machines into victims as well. As a client recently told me, “You don’t want to have to explain to upper management why your web site is responsible for infecting your customer’s computers with a virus. It is not really good for your career.”

These are just a few of the reasons that your organizations should take web application security seriously. If you have some more you would like to share, please leave a comment below.

Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.

How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked. 🙂

1. Malware – malware is the current serious scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees to identify when things are “not quite right” in our environment? These approaches have a proven track record for helping. Check out the SANS CAG for more tips down this line of thinking.

2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.

3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside….. Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results focused. Together, we can help you get to a comfort point where security is a manageable task.

Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t. 🙂

PS – I hope you had a wonderful holiday season!