About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

More Tales From the Tweetstream: HoneyPoint Wasp Detects Trojan Attack

A very interesting discovery!

http://twitter.com/#!/lbhuston/status/44751049545879552

http://twitter.com/#!/lbhuston/status/44751709305708544

http://twitter.com/#!/lbhuston/status/44752439404011520

We’re pretty proud of HoneyPoint Wasp, the newest addition to our HoneyPoint family, for exactly this reason. It is able to detect attacks earlier, automatically disrupt attacker activity, and give you intelligence about the source, intent and capability of attackers.

Want to learn more? Check out our HoneyPoint Wasp page!

Tales From the Tweetstream: AV Detection with Brent Huston

Recently, I had an interesting discovery regarding AV detection. Follow the tweets below, and let me know what you think!

https://twitter.com/#!/lbhuston/status/41156624727031808

https://twitter.com/#!/lbhuston/status/41158471889977345

https://twitter.com/#!/lbhuston/status/41159738955665408

https://twitter.com/#!/lbhuston/status/41160629037441025

https://twitter.com/#!/lbhuston/status/41161521144795136

Beware of Drive Erasure Problems on SSD Drives

There is a lot of interesting research going on right now with the processes and tools that may be useful in erasing the new solid state drives that many laptops and other systems are using. The traditional methods of magnetic cleansing (degaussing), and even file over-write tools that have been in use now for decades in many organizations, have little to no effect on removing sensitive data on these solid state drives.

Here is a nice article explaining some of the problems.

As described in the article, it seems that many of our current data management and cleansing techniques simply do not apply to these solid state memory-based devices. This makes drive encryption all the more urgent, as these systems are beginning to pop up in many organizations that are starting their hardware refresh processes after delaying them due to economic conditions.

If you are an information security team, or an IT team considering such purchases, please make appropriate cryptography a part of your solution. Many solutions exist by a variety of vendors today with pricing ranging from near zero to the cost of full-scale commercial enterprise implementations in the hundreds of thousands of dollars. Complexity also ranges from trivial and built into the operating system to quite high, depending on centralized management and remote assistance capabilities.

No matter how you choose to address the problem, the key factor is that you are aware that SSD systems are a different animal, with unique challenges versus traditional hard disks. Knowing that will at least put you on the right path toward investigating a solution and updating your processes.

Learn a Scripting Language to Make Security Work Easier

One of the most common complaints I hear from folks working in information security is that they are overwhelmed with data, alerts, log files and all of the other information sources they deal with on a daily basis. Often, this is a problem that can be solved with an adjustment to the level of data they are looking at and investment in some processes and tools to help gain some leverage. You may not need, or be able to afford, a full SIEM implementation, but with a couple of basic tools and a little bit of creativity, you can likely get more leverage than you have today.

The first thing I often advise folks to do is to embrace a scripting language. You don’t need to become a master coder, but to get some leverage from systematizing your work, you will have to create some tools that are specific to your work. These scripts or tools should replicate much of the repetitive work you are doing today and can be a simple front end to handle the most common issues without your personal interaction, thus saving you time and resources.

Specifically, let’s say you have to comb log entries for a specific message that is pretty routine, and then email the help desk with the relevant details when you see that message. With some basic scripting skills in python/ruby/perl, this becomes an easy task to automate. Pull the data in, parse through it with some scripting logic, segregate out the events you need, then drop them into an email and send it out. Run that quick script from a scheduler or cron, and your new virtual assistant has just taken over one of your daily tasks.
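The log-combing task described above, worked through in Python as an added example (not code from the original post). The log lines, the SMART warning pattern and the mailbox addresses are all constructed for the illustration; the email is composed and returned rather than sent, so the script runs offline.

```python
import re
from email.message import EmailMessage

# Constructed sample log lines standing in for a day's syslog (not real data).
SAMPLE_LOG = """\
Mar 07 08:12:01 fs01 sshd[2214]: Accepted publickey for alice from 10.0.0.12 port 50122 ssh2
Mar 07 08:12:44 fs01 smartd[812]: Device: /dev/sda, 2 Currently unreadable (pending) sectors
Mar 07 08:13:10 fs01 cron[901]: (root) CMD (run-parts /etc/cron.hourly)
Mar 07 09:41:02 fs01 smartd[812]: Device: /dev/sdb, 5 Currently unreadable (pending) sectors
"""

# The routine message the help desk wants to hear about (assumed for this example).
PATTERN = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) smartd\[\d+\]: "
                     r"Device: (?P<dev>\S+), (?P<count>\d+) Currently unreadable")

def find_events(log_text):
    """Pull out only the lines matching the routine message, as dicts."""
    events = []
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            events.append(d)
    return events

def build_ticket_email(events, sender="secops@example.invalid", recipient="helpdesk@example.invalid"):
    """Compose the help-desk email; returns None when there is nothing to report."""
    if not events:
        return None
    hosts = ", ".join(sorted({e["host"] for e in events}))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[auto] {len(events)} disk warning(s) on {hosts}"
    body = ["The following SMART warnings were seen in today's logs:", ""]
    for e in events:
        body.append(f"{e['ts']} {e['host']} {e['dev']}: {e['count']} pending sectors")
    msg.set_content("\n".join(body))
    return msg

if __name__ == "__main__":
    mail = build_ticket_email(find_events(SAMPLE_LOG))
    # smtplib.SMTP("mailhost").send_message(mail) would deliver it; printed here instead.
    print(mail)
```

Scheduled from cron against the real log file, the only pieces that change are the pattern and the addresses.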

Do this enough, and you knock out much of the repetitive work you face today. That frees up your cycles to dive deeper, do additional research or grow your skills.

Scripting helps in other ways too. Understanding programming logic basics is a huge plus for security folks who might have a more network/systems-centric background. It will help you understand a lot more about how applications work in your environment and how to best interact with them in ways to protect them. It also gives you some empathy when working with developers and other folks who are heads down in code. Scripting can also be a very valuable skill in just solving complex problems and the security world is full of those.

How do you get started in mastering the basics of a scripting language? Well, identify how you learn best. Are you a classroom learner? Then take a class, or use the online universities and training that are common today. Learn by reading? Then get yourself a good book from Amazon or the mall and get started. Learn by doing? This is the easiest one of all. Just do it. Choose one language. Stick with it. Learn the basics: looping, variables, basic syntax, file access, etc. Then grow your skills over time by actually scripting your tasks.

I challenge you to try this for 90 days. Give it a shot. If, after 90 days, this is not helping you free up more time at work, learn more about things you don’t know today and making your job in security easier, then write me a nasty email and stop doing it. I have made this challenge before and haven’t gotten one email in more than a decade that said it was horrible and that it didn’t help. 90 days. Give it, and yourself, a break and make it happen. The first step is committing to actually do it. Make the commitment and follow through. You won’t be sorry.

InfoSec Insights: Getting Indexed Via Twitter – Good & Bad

Earlier this week, I did a quick experiment in the MSI Threat Lab. I wanted to see what happened when someone mentioned a URL on Twitter. I took a HoneyPoint Agent, stood it up and exposed it to the Internet on port 80.

I then mapped the HoneyPoint to a URL using a dynamic IP service and tweeted the URL via a test account.

Interestingly, on the good side, within about 30 seconds the HoneyPoint had been touched by 9 different source IP addresses. The search engines, it seems, quickly picked the URL out of the stream, sent some basic traffic and, I assume, queued the site for crawling and indexing in the near future. A few actually indexed the site immediately. The HoneyPoint cataloged touches from 4 different Amazon hosts, Yahoo, Twitter itself, Google, PSINet/Cogent and NTT America. It took less than an hour for the site to be searchable in many of the engines. It seems that this might be an easier approach to getting a site indexed than the old visit-each-engine-and-register approach, or even using a basic registration tool. Simply tweet the URL and get the ball rolling for the major engines. 🙂

On the bummer side, it only took about 10 minutes for the HoneyPoint to be probed by attacker scanning tools. We can’t tie cause to the tweeting, but the probes targeted that specific URL and did not touch other HoneyPoints deployed in the range, which certainly suggests a correlation. Clearly, search engines aren’t the only types of automated applications watching the Twitter stream. My guess is that scanning engines watch it too, to some extent, and queue up hosts in a similar manner. Just like all things, there are good and bad nuances to the tweet-to-get-indexed approach.

Further research is needed in what happens when a URL is tweeted, but I thought this was an interesting enough topic to share. Perhaps you’ll find it useful, or perhaps it will explain where some of that index traffic (and scanner probes) come from. As always, your mileage and paranoia may vary. Thanks for reading!

Audio Blog with Brent Huston: SpeakerConf 2011 and Developer Awareness

I recently attended SpeakerConf 2011, which was a fantastic tech conference for developers. We had some great sessions, and I was able to connect more with developers. In this audio blog post, I cover:

    1) Observations from SpeakerConf

    2) What language developers are loving right now

    3) New attack processes

    4) Moving into the next phase of security

This and more. Check it out!

Click to access the entire audio file: DevAwarenessSpeakerCon

Mobile Application Security Podcast with Brent Huston

Are you working with mobile applications? Trying to figure out security? In this helpful informative podcast, Brent covers 3 tips that will give you the tools you need to move forward. Often a developer isn’t certain what questions to start asking. Brent shares some common areas that include foundational practices:

Here is what you’ll learn:

    1) What you should be doing to encrypt your application

    2) Almost 50% of the apps we tested missed this powerful avenue toward leveraging knowledge that is readily available

    3) How are you storing your data? And where? Brent shares insights on data storage

Click to access the entire audio file

Quick Advisory: Several new DB2 & PostgreSQL Exploits in the Wild

In the last couple of days, several new vulnerabilities, some with exploit code, have been made public in the DB2 database and PostgreSQL products. Given the core sensitivity of the data and business processes often handled by these applications, we thought we would post about them.

If you are running these applications as a part of your core business processes, now might be a good time to check with the vendor support sites, download the available updates and get them into your weekend maintenance windows as a critical update.

Given the exploit code availability and the ease of exploitation for a couple of these issues, their impact could be high if an attacker is in position to leverage them against your organization.

As with all of your applications, these should already be a part of your ongoing patching cycles, though these components are often missed or ignored as “too critical to patch”. Don’t make that mistake.

If you would like more information about the issues or would like to schedule a briefing privately with one of our engineers, please give your account executive a call or email. As always, thanks for selecting MicroSolved as your security partner!

Opinion: Warez More Dangerous Than P0rn


A couple of vendors have been talking about how prevalent malware is in online porn these days, but during our testing of HoneyPoint Wasp, we found pirated software (or “warez”) to be among the most concerning. Pornography is still a dangerous segment for infection, but it seems that grabbing so-called “cracks” and “keygens”, along with pirated programs from the web and peer-to-peer networks, is even more dangerous.

In our testing, it took us around 1/8 of the time to find infected warez that it took to find infected pornographic sites. In fact, our estimates are that less than 10% of the pornography files we tested (excluding “codecs”, which are obvious Trojan horses) were infected, while nearly 90% of the cracking and keygen tools were, in fact, malware. In many cases, the warez would appear to work, but contained a background dropper that would install one or more pieces of adware, spyware or other malicious software. Even worse, in a clear majority of our testing cases, several of these malicious programs were missed by the consumer-grade anti-virus applications we had installed on the test bed. We used the white-listing capability of HoneyPoint Wasp as the control and indeed identified a large number of malicious programs that traditional AV missed.

The key point of this topic, though, is that pirated software remains a significant threat to businesses without proper license controls. Small and mid-size businesses in particular, where piracy often runs rampant, present a very wide target for attackers. Good policies against pirated software, user awareness and the use of license enforcement/asset inventory tools are useful controls in ramping up protection against this attack vector.

How has your organization fared against pirated software? What controls do you have in place to reduce both the legal liability and the malware threat that warez represents?

Jumphosts Are a Great Place For HoneyPoint Wasp

As the idea of network segmentation, or enclaving, becomes more and more popular, many organizations are also implementing so-called “jumphosts” for their critical systems. Typically, a jumphost is a terminal server or Citrix host that users and admins connect to, then ride a terminal server or Citrix connection into the segmented critical hosts. This connection is usually filtered by a firewall, screening router or other access control method which segments the critical hosts from other parts of the infrastructure. Given the critical role these jumphosts play in operations, it is essential that they be highly protected and monitored.

This is where HoneyPoint Wasp comes in. One of the strongest use cases for Wasp in the field has been to help protect these critical jumphosts from compromise and give the security team deeper visibility into their operation. Wasp lends itself well to this task, especially given the static nature of the systems, by extending normal anti-virus to include deeper, more accurate behavior-based anomaly detection. For example, Wasp maintains a white-list of known applications on the jumphost. If a user or attacker starts a new process that Wasp has never seen before, an alert is generated for the security team to investigate.

This white-listing approach does not rely on signatures or heuristics to determine whether a process is malware or the like; it simply learns what is known on the jumphost and alerts when something new is observed. In addition, with Wasp in place, the jumphosts are continually monitored for other common signs of infection and intrusion, like newly opened listening IP ports, changes to critical files in the file system, new accounts being created locally or changes to the population of the local administrators group, etc. This new vision into changes on the jumphost can give the security team a heads up when an attack against the critical core is in process. Further, it does so without false positives or noise to degrade their performance over time.
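To make the learn-then-alert idea from the two paragraphs above concrete, here is an added Python illustration of baseline white-listing over process images, listening ports and local administrators. It is not Wasp’s code; the snapshots, process names, ports and account names are constructed, and the `accept` method is an assumed workflow step for when an analyst confirms a new item as legitimate.

```python
# Constructed snapshots of a jumphost taken during the learning period (not real data).
BASELINE_SNAPSHOTS = [
    {"processes": {"svchost.exe", "lsass.exe", "termsrv.exe", "explorer.exe"},
     "ports": {3389, 445}, "admins": {"Administrator", "jh-ops"}},
    {"processes": {"svchost.exe", "lsass.exe", "termsrv.exe", "explorer.exe", "mstsc.exe"},
     "ports": {3389, 445}, "admins": {"Administrator", "jh-ops"}},
]

class BaselineMonitor:
    """Learns what is normal from snapshots, then alerts on anything never seen before."""
    CATEGORIES = ("processes", "ports", "admins")

    def __init__(self):
        self.known = {c: set() for c in self.CATEGORIES}

    def learn(self, snapshot):
        # Learning mode: every observed item becomes part of the white-list.
        for c in self.CATEGORIES:
            self.known[c] |= set(snapshot.get(c, ()))

    def check(self, snapshot):
        # Monitoring mode: report (category, item) for anything outside the white-list.
        # Note the caveat: items that disappear are not reported, only new ones.
        alerts = []
        for c in self.CATEGORIES:
            for item in sorted(set(snapshot.get(c, ())) - self.known[c], key=str):
                alerts.append((c, item))
        return alerts

    def accept(self, category, item):
        # Assumed analyst step: a reviewed, legitimate change is folded into the baseline
        # so a static host stays quiet instead of re-alerting on every run.
        self.known[category].add(item)

def build_monitor(snapshots):
    mon = BaselineMonitor()
    for s in snapshots:
        mon.learn(s)
    return mon

if __name__ == "__main__":
    mon = build_monitor(BASELINE_SNAPSHOTS)
    later = {"processes": {"svchost.exe", "lsass.exe", "termsrv.exe", "explorer.exe", "updater.exe"},
             "ports": {3389, 445, 8081}, "admins": {"Administrator", "jh-ops", "svc-temp"}}
    for category, item in mon.check(later):
        print(f"ALERT: new {category} item on jumphost: {item}")
```

The quality of the baseline is the whole game: if the learning window already contains something unwanted, it is white-listed, so the learning period belongs on a freshly built, static host.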

Pricing for HoneyPoint Wasp is comparable to anti-virus pricing. Wasp is designed to work in conjunction with normal anti-virus and is available for Windows systems. Other components of the HoneyPoint product suite are also being used heavily in enclaved environments to bring detection to areas of the network defined as being of the highest priority. Deployments of these tools are in place in government systems, financial organizations, telecom, manufacturing and critical infrastructure, including SCADA networks. For more information about what HoneyPoint Wasp can bring to your IT environment, give us a call or drop us a line.