About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Three Tips for Banking App Dev for Mobile Devices

Lately, we have been looking at a lot of banking apps and front ends for the iPhone, Android and other mobile devices in the lab. Our testing thus far has shown some great results and it seems like a lot of banks, credit unions and other financial institutions are interested in having an “app” for their customers and members. Many of these apps are well designed, deep and rich. Many are simply canned front ends to existing web page content and functionality. A few are just plain horrible.

Here are three tips for organizations to keep in mind when coding their banking and financial apps for mobile devices.

1. The mobile devices are not PCs. The apps should be lightweight, clean and easy to use. Usability is tied to security in this case, because of errors. If your app has tiny little buttons with confusing text, no confirmation dialogs and lacks other basic usability features, then you make it easier for users to make mistakes, create bad transactions, get confused and run into other issues that could constitute a risk for your business and your users. Don’t design for a PC monitor. Make sure your designs are usable on the appropriate size screens and with appropriate space for human digits.

2. Don’t allow users to store their credentials in the app or its underlying data structures. Many mobile phones and similar devices remain woefully unsecured. Even where the vendor has provided basic security controls for the devices, many users do not use them. Plan ahead for this. The app has to be convenient, but it shouldn’t let users place undue risk on themselves. If you allow them to store a login, or even a digital certificate, make sure that at least one or two other pieces of the credential set can’t also be stored between uses. If someone just picks up the device, they should NOT have access to the user’s accounts.

3. This goes without saying, but don’t forget encryption. Just because an application uses the cell network does not mean that you don’t need SSL. (I’m looking at you two developer groups in the last 90 days, you know who you are.) No matter the network, protect your transactions and data streams with strong crypto. The mobile devices can handle it. They can do enough lifting to handle SSL or they shouldn’t be running a banking app. Like Nike says, “Just Do It!”

There you have it. Three basic ways that you can help increase the safety and capability of your financial services app on the iPhone, iPad and other mobile platforms. If you have done these three basics, then you are off to a good start. The next crucial step is to get your app and the back-end processes checked via a risk assessment and security test. Give us a call if you need assistance or want us to drop it into our testing lab process. We are seeing quite a few of them these days.

Piracy as a Crimeware Defense

So, just a quick thought on this one. What if we, as security folks, made a serious endeavor to reduce the earning capability of those who create crimeware, spyware and other malware? What if we did to them exactly what the gaming companies and MPAA have been saying is killing their business? What if every time we saw a “licensed” crimeware tool, we cracked it and published keygens and other cracks for it?

Sure, in the mid-term there would be more attackers able to use the malware. But, what if, in the longer term, less malware were actually created? What if the bar went up to the point where publishing these tools was no longer profitable? Would the numbers and evolution of malware be slowed?

I am asking, not because I have an answer in mind, but because I am curious. At what point does striking at the root of the profitability of criminals reduce their efforts and capabilities? Anyone with ideas or experience in this line of thought, please leave a comment below. Thanks for reading and I look forward to your responses.

Fox Hypes Consumers on Cyber Security

This has to be one of the worst, most FUD-filled articles I have seen yet on cyber security.

http://www.foxnews.com/scitech/2010/06/03/ways-your-home-susceptible-hackers-cybersecurity/

In the article, many vulnerabilities and threats are discussed, but the article fails to lay out any sense of real risk based on probability or likely damages. In other words, here is a bunch of over-the-top crap to scare you about using technology.

I think this kind of stuff is exactly why consumers have grown numb to security threats and to keeping their machines patched. The media loves to whip up fear and hype routinely, yet common sense tells us innately that the sky can’t always be falling, or it would have fallen by now. Humans are incapable of existing at high levels of threat sensory overload for long periods of time. We just weren’t wired for it. Our sense of risk becomes irrational when it is triggered too often, and also when it is triggered too rarely.

Please, talk to people who ask about this stuff with a well-placed sense of risk. Explain that security issues exist in a variety of platforms, but the average person needs not fear every security problem. They need to base their decisions and actions on real world probability and damage calculations and NOT on hype by vendors, the media or interested parties.

I don’t know about you, but I’m not too worried about someone HERFing my stereo. It would work, likely, but the odds of someone caring enough to do it, having access and capability, seem pretty small. I’m not planning on tempesting the house any time soon, and neither should you.

The Media Makes PCI Compliance “Best Defense”?

I have seen a lot of hype in my day, but this one is pretty much — not funny. Below is a link to a mainstream media trade magazine for the hospitality industry in which the claim is made that PCI compliance is the “best defense” hotels and the like can have against attackers and data theft.

Link: http://is.gd/cgoTz

Now, I agree that hospitality folks should be PCI compliant, since they meet the requirements by taking credit cards, but setting PCI DSS as the goal is bad enough. Making PCI out to be the “best defense” is pretty ridiculous.

PCI DSS and other standards are called security BASELINES for a reason. That is, they are the base of a good security program. They are the MINIMUM set of practices deemed to be acceptable to protect information. However, there is, in almost all cases, a severe gap between the minimum requirements for protecting data and what I would call the “best defense”. There are so many gaps between PCI DSS as a baseline and “best defense” that it would take pages and pages to enumerate them. As an initial stab, just consider these items from our 80/20 approach to infosec that are left out of PCI: formalized risk assessment (unless you count the SAQ or the work of the QSA), data flow modeling for data other than credit card information, threat modeling, egress controls, awareness, incident response team formation and even skills gap/training for your security team.

My main problem with PCI is not the DSS itself, but how it is quickly becoming the goal for organizations instead of the starting line. When you set minimums and enforce them with a hammer, they quickly come to be viewed as the be-all, end-all of the process and the point at which the pain goes away so you can focus on other things. This is a very dangerous position, indeed. Partial security is very costly and, at least in my opinion, doing the minimum is pretty far away from being the “best defense”.

Responding to a Compromised System Alert

Thanks to the data from the HITME, I interact with a lot of people and organizations that have compromised machines. Often, my email or phone call is the first they have heard of the problem. Reactions vary from shock and denial to acceptance and occasionally rage. Even worse, when they hear that their machines are attacking others or being used in active attacks, many have no idea how to handle the situation.

Should you ever get a call like this from me or someone else, here are a few tips that you might find helpful for proceeding.

1. Be polite. I am calling to help you. Even though my message may mean more work and possibly some pain for you and your staff, knowing about a compromise is MUCH better than not knowing. Usually, the more polite and nice you are, the more information I will help you understand. I can usually point you in the right direction to begin to understand the issue, but if you act like a jerk, I will likely leave you to it.

2. Begin an investigation as soon as possible. Invoke your incident response process. If you don’t have one, ask for help, or retain assistance. But, please, treat a caller who explains and demonstrates that you have a system compromise with immediate attention. I see hundreds of compromised systems a day and I don’t have time to beg and plead with you to reduce your risk and the risk your systems present to others. I am happy to substantiate my claims, but after I notify you, TAKE ACTION. The majority of compromised systems involved in notification remain under attacker control for extended periods. Often, weeks and months pass by before any apparent action (such as mitigation or clean up) takes place.

3. Do a thorough job of mitigation. I would say that more than 25% of the time (I just started formally tracking this to gather better metrics), when a site goes through “clean up”, they end up compromised again and right back where they started. Likely many of these machines are simply bot-infected and the bots just place their malware back on the system after “clean up” is done. Removing the basic tag files or malware, but not understanding how they got there in the first place and fixing that, is pretty much meaningless. For example, I am presently working with a site that has been used as a PHP RFI verification tag file host for weeks. They have “cleaned up” every day for several weeks to no avail. Every night, they get hit by another PHP RFI scanner and it exploits their system and drops a new tag or malware bot. I have tried explaining no less than 10 times how they need to identify the underlying PHP issue and harden the PHP environment (yeah, I sent them the settings), to no avail. This is an example of how to fail at risk, threat and vulnerability management. Don’t do it. Fix the real problems. If you don’t know how, ask and then follow the guidance provided. If you need more help, either retain it or get a scanner and start hardening.

4. Respect the law. Don’t beg me not to turn this over to law enforcement. I have to. I want to, if you are critical infrastructure or some other member of the high threat club. Fix your stuff and manage security appropriately if you’re a member of the club; or you deserve to explain to law enforcement why you declined. Either way, I am going to try and help you and everyone by making the report.

5. List a contact for security issues on your site. Please, when I do call, I need to know who to talk to. At the very least, let your reception folks know how to handle security calls. The last thing you want is for the attacker to continue to compromise your systems while I play in “Voicemail-Land” forever. Remember, help me help you.
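Tip 3 above describes a host that gets re-exploited nightly by PHP RFI scanners and needs its PHP environment hardened. As an added example (not MicroSolved’s code, and not the settings the author sent that site), here is a defender-side script that flags RFI probes in web server access logs and checks a php.ini fragment for the two directives that let include() pull in remote code, allow_url_include and allow_url_fopen. All log lines, addresses and hostnames are constructed.

```python
"""Spot PHP remote file inclusion (RFI) probes in web logs and audit php.ini for the
settings that make them work. Added example, not MicroSolved's code; all sample
data is constructed (TEST-NET addresses, reserved .invalid hostnames)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log entry: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# What an RFI scanner feeds to a parameter that reaches include()/require(): a URL the
# server fetches, or a PHP stream wrapper that supplies the code inline.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")
STREAM_WRAPPERS = ("php://input", "data:", "expect://")
# php.ini directives behind RFI: (default when unset, value a hardened host should carry).
RFI_DIRECTIVES = {"allow_url_include": ("off", "off"), "allow_url_fopen": ("on", "off")}

def classify_value(value):
    """Return why a decoded parameter value looks like an RFI payload, or None."""
    v = unquote(value).strip().lower()  # parse_qsl decoded once; probes are often double-encoded
    if v.startswith(REMOTE_SCHEMES):
        return "remote URL"
    if v.startswith(STREAM_WRAPPERS):
        return "stream wrapper"
    return None

def rfi_hits(log_lines):
    """Return (client_ip, path, param, value, reason) for each suspicious parameter."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append((m.group("ip"), parts.path, name, value, reason))
    return hits

def _as_bool(val):
    """Normalise the boolean spellings php.ini accepts to 'on' or 'off'."""
    return "on" if val.strip().strip('"').lower() in ("1", "on", "true", "yes") else "off"

def weak_php_ini(ini_text):
    """Return {directive: effective_value} for RFI-relevant directives that are not Off."""
    current = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" in line:
            key, _, val = line.partition("=")
            current[key.strip().lower()] = _as_bool(val)
    return {key: current.get(key, default)
            for key, (default, wanted) in RFI_DIRECTIVES.items()
            if current.get(key, default) != wanted}

# Constructed sample data: three probes (one double-encoded) and one legitimate request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2010:02:14:09 -0400] "GET /index.php?page=http://example.invalid/tag.txt? HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [12/May/2010:02:14:11 -0400] "GET /view.php?file=php://input HTTP/1.1" 200 318 "-" "-"',
    '198.51.100.2 - - [12/May/2010:02:15:40 -0400] "GET /index.php?page=about HTTP/1.1" 200 2201 "-" "-"',
    '203.0.113.9 - - [12/May/2010:02:16:02 -0400] "GET /index.php?page=%2568ttp%253A%252F%252Fexample.invalid%252Fid.txt HTTP/1.1" 200 512 "-" "-"',
]
SAMPLE_INI = "; constructed fragment\nallow_url_fopen = On\nallow_url_include = On ; never needed in production\n"

if __name__ == "__main__":
    for hit in rfi_hits(SAMPLE_LOG):
        print("RFI probe from %s on %s: %s=%s (%s)" % hit)
    print("php.ini directives to fix:", weak_php_ini(SAMPLE_INI))
```

Turning allow_url_fopen off can break applications that legitimately fetch URLs through file functions, so treat that finding as a prompt to check, not an automatic change; allow_url_include has no such excuse.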

Lastly, even if you don’t get this call, do your due diligence. Make sure that your systems are secure and that you have security processes in place. Retain someone to help you manage risk and perform validation. Work with them to create effective risk management techniques for your organization. Hopefully, you won’t be on the other end of the line tomorrow or the next day as I make my round of calls….

If you have any additional suggestions or comments on this approach, please feel free to drop a comment below. As always, thanks for reading and be careful out there.

The iPad as a VPN Client

Today was my first real chance to try out the iPad as a VPN client in a critical situation. I needed an essential file for a client in a real hurry. We were about 50 miles from the office and a physical return with the file wasn’t possible. Even worse, it was stored on an encrypted vault volume on my personal backup system, so none of my engineers could assist me, since they lack credentials for that box.

Thankfully, I had my iPad with me. I had already set up a VPN connection for my device, but hadn’t yet tested it. The good news is that it worked perfectly! I was able to quickly create a VPN tunnel back to my network and then SSH into my vault. Once there, I could effortlessly arrange for a file transfer to my client in a secure manner. I even piped a VNC connection over the tunnel using iTeleport and could interact with the GUI nearly as easily as on a laptop.

All in all, it was a great save and made an excellent real world use case for the iPad in my work flow. Have you had any other big successes with the iPad in your security work? If so, drop a comment and tell us about it. I look forward to reading about it!

Zeus-bot Gets More Power

Symantec is reporting that the mighty Zeus bot network is getting more capability and powerful new features. Read a summary of their thoughts here.

Among the new features seems to be a focus on Windows 7 and Vista systems as opposed to XP. New mechanisms for random file and folder names in an attempt to evade basic detection tools looking for static names and paths are also observed.

Even worse for web users, the manipulation and information gathering techniques of the trojan have been refined and now extend more capability to tamper with data flows when the user is using the FireFox browser in addition to Internet Explorer.

Organizations should note that this trojan has a strong history of credential theft from social networks and other popular sites on the public Internet. Users who use the same credentials on these sites with infected machines can expose their work credentials to attackers. Security teams should step up their efforts to make users more aware of how to secure their home and portable systems, what is expected from them in terms of using unique authentication and other relevant security training.

It’s quite unlikely that the threat of Zeus and other malware like it is going to go away soon. Technical controls are lagging well behind in terms of prevention and detection for these threats. That means that education and helping users practice safer computing is likely to be one of the most powerful options we have to combat these threats.

A Quick Thought on Windows Anti-Virus

I know that recently I’ve been spending a lot of time talking about Windows antivirus. Often, I am quite disappointed at the effectiveness of most antivirus tools. Many security researchers, and my own research on the subject, estimate antivirus to be effective less than half of the time. That said, I still believe that antivirus deserves a place on all systems and I wanted to take a moment to describe the way that I implement antivirus on many of the Windows machines in my life.

Let me start by saying that I have very few Windows machines left in my life. Most of those machines that I still use on a day-to-day basis are virtual machines used for very specific research and testing purposes. I use a pretty basic approach for antivirus on these systems, as they are not usually exposed to general use, uncontrolled traffic or untrusted networks.

However, there are still a few holdout machines that I either use or support for friends and family. On these devices, most of which are Windows, I have begun to use a new approach for antivirus implementation. Thus far, I have been impressed by the solution and the effectiveness of keeping the machines relatively virus free and operating smoothly. So, how do I do it? Well, for starters, I use two different antivirus products. First, I install Clam AV for Windows and configure it for real-time protection. Clam is free software and so far I have been very impressed with its performance. One of the nicest things about the clam solution is that it has a fairly light system footprint and doesn’t seem to bog down the system even while it performs real-time protection. Next, I install the Comodo firewall and antivirus solution. This solution is pretty nice. It includes, not only antivirus, but also a pretty effective and useful firewall. This software is also free for noncommercial use. On the Comodo antivirus, I remove real-time protection and instead, schedule a full antivirus scan every night while my family member is sleeping.

By combining two different antivirus products, one in real time and the other for periodic ongoing scanning, I seem to have been able to reduce my service call infection rates by about 50%. From an attacker standpoint, a piece of malware would need to be able to evade both products in order to maintain a presence on the system longer than 24 hours. While such an attack is surely plausible, it simply is not the threat pattern that my family’s home personal use machines face. By combining two different products and leveraging each of them in a slightly different way, I have been able to increase the effective defense for my users.

As always, your mileage and paranoia may vary. Certainly, I am not endorsing either of these products. You should choose whatever antivirus products you feel most comfortable with. I simply used these examples as free solutions in a way to illustrate this approach. Thanks for reading, and be careful out there.

Pain and Malicious PDFs

The ubiquitous PDF just seems to be everywhere. With all of the recent hype surrounding a variety of exploits that have come to light in the last couple of weeks, many of our customers are asking about how to defend against malicious PDF documents. This is both a simple and a complex question.

The simple answer, and of course the least realistic, is to disallow PDFs altogether. However, as you might already suspect, this is nearly impossible in any modern enterprise. A couple of recent polls in customer enterprises showed that even when staff members said they didn’t use PDFs for anything in their day-to-day work, nearly all of them realized suddenly that PDFs were an important part of some process once PDF documents started to get blocked at the perimeter. Not one single organization that is a client has reported success at blocking PDF documents as a blanket solution.

So, if we can’t block something that may be dangerous, then we are back to that age old game of defense in depth. We’re going to need more than one single control to protect our organization against this attack vector. Sure, almost everyone has antivirus on their workstations and other systems; however, in this case, most antivirus applications show little progress in detecting many malicious PDF attack vectors. But the good news is that antivirus is as effective as usual at detecting the second stage of a malicious PDF attack, which usually involves the installation of malware. Some organizations have also started to deploy PDF-specific heuristic-based solutions in their email scanners, web content scanners, firewalls and IDS/IPS systems. While these technical controls each have varying levels of strengths and weaknesses, when meshed together they do a pretty good job of giving you some detective and maybe preventative capability for specific known attack vectors using PDFs.
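The PDF-specific heuristic scanning mentioned above works roughly like this added example (written for this post, not MicroSolved’s or any vendor’s code): it counts the PDF name objects that give a document active behaviour, undoes the #xx hex escapes used to hide those names from naive scanners, and rates the file. The two sample PDFs are constructed inline; the rating is a triage signal, not proof of malice.

```python
"""Heuristic triage of a PDF for the features malicious documents abuse.

Added example, not MicroSolved's code: the kind of check a mail or web content
scanner runs before a reader ever opens the file. It flags risky features and
obfuscation; it does not prove a document is malicious. Sample PDFs are constructed."""
import re

# Name objects that give a PDF active behaviour. Triggers fire without a click;
# payloads are what gets run.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/URI", b"/SubmitForm")
TRIGGERS = (b"/OpenAction", b"/AA")
PAYLOADS = (b"/JavaScript", b"/JS", b"/Launch", b"/RichMedia")

def unescape_names(data):
    """Undo #xx hex escapes in name tokens, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_features(data):
    """Count each risky name as a whole token so /JS does not also match longer names."""
    clean = unescape_names(data)
    return {name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", clean))
            for name in RISKY_NAMES}

def assess(data):
    """Return (verdict, counts, notes); verdict is clean, low, medium or high."""
    counts = count_features(data)
    notes = []
    if not data.startswith(b"%PDF-"):
        notes.append("missing %PDF- header")
    if b"/FlateDecode" in data or b"/ASCIIHexDecode" in data:
        notes.append("encoded streams present: names inside them are not counted")
    if unescape_names(data) != data:
        notes.append("hex-escaped names (common obfuscation)")
    has_trigger = any(counts[n.decode()] for n in TRIGGERS)
    has_payload = any(counts[n.decode()] for n in PAYLOADS)
    if has_trigger and has_payload:
        verdict = "high"      # something runs as soon as the file opens
    elif has_payload or counts["/EmbeddedFile"]:
        verdict = "medium"    # code or a dropped file, but needs user interaction
    elif has_trigger or counts["/URI"] or counts["/SubmitForm"]:
        verdict = "low"       # auto-action or outbound link with no code seen
    else:
        verdict = "clean"
    return verdict, counts, notes

# Constructed samples: a bare one-page document and one that runs script on open.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
               b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
               b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        verdict, counts, notes = assess(pdf)
        print(label, verdict, {k: v for k, v in counts.items() if v}, notes)
```

The "encoded streams" note is the important caveat: real attack documents usually hide the action dictionary inside a FlateDecode stream, so a production scanner must inflate streams before counting, which this short example does not do.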

Obviously, you want to back up these technical controls with some additional human training, education and awareness. You want users to understand that a PDF can be as dangerous, if not more so, than many other common attachments. Many of the users we have talked to in the last few weeks have been surprised by the fact that PDFs could execute remote code or be harmful. It seems that many users trust PDF documents a lot more than they should. Given how many of the new PDF exploits work, it is a good idea to make your users aware that they should pay careful attention to any pop-up messages in the PDF reader and that if they are unsure about a message they should seek assistance before accepting or hitting OK/Continue.

Lastly, PDF attacks like the current ones in circulation continue to show the importance of many of the projects in our 80/20 Rule of Information Security. By leveraging projects such as anomaly detection and enclave computing, organizations can not only reduce the damage that a successful client-side attack can do, but they can give themselves a leg up on identifying them, blocking their sources and quarantining their victims. If you would like to discuss some of these approaches, please drop me a line or give us a call.

What approaches to PDF security has your organization found to be effective? If you have a winning strategy or tactic, leave us a comment below. As always, thanks for reading and be careful out there.

MicroSolved, Inc. Announces the Immediate Release of NED Alpha

That’s right! No longer do you have to spend days and nights worrying about the state of your network. No more fretting about your partners, security or other traditional concerns.

Today is the dawn of a new day for network engineers around the globe!

Want to know how your network is? ASK YOUR PACKETS!!!!!

MicroSolved’s revolutionary new product, code named, NED or Network Emotion Detector, will continually update you on the emotional health of your packets. If there’s a network problem, a security breach or if you happen to fall out of compliance with the Pennsylvania Concrete Institute’s (PCI) standards, your NED will immediately alert your team to the lack of happiness being experienced by your packets as they traverse the various public and private networks!


Even more powerful than the executive dashboard, the GUI can be operated near the data center hallway window, so passing executives can quickly identify the happiness quotient (TM) of your network. When they see NED smiling, they will know you are doing your job well. When NED is unhappy and your packets begin to show signs of sadness, they can quickly and easily purchase additional “emotional credits” through the handy interface. These emotional credits (ie: money) make your packets happy and joyous as they traverse the Intertubes.

If that were all NED did, it would still be the most powerful network emotional monitoring tool on the market, but we even take it one step further! Using NED’s soon to be copylefted capabilities, we create emotional tunnels for your packets to move back and forth with your peers. These “Virtual Private Hugs” (VPH) allow you and your business partners to mutually enjoy all the power of NED and emotional credits together. You can easily monitor the happiness of your partner’s packets and those that show emotional disparity, making VPH even more important for those folks. Lastly, NED features a peer-to-peer network monitoring mechanism that allows you to closely monitor the overall happiness level around the Cloud. That’s right, MSI is the first in the world to create Happiness as a Service (HaaS)(TM)!

Act now and you can get your own copy of NED for Windows FREE for a limited time. Download from here and start enjoying the ease and joy of NED from MSI. We hope you enjoy NED, “because packets need love too…”

Happy April Fools Day from your security partners at MicroSolved, Inc. We hope it made you smile. BTW – The download really runs. Windows only, for now…. :p