About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

PHP RFI: Old Attack, Common #FAIL

Posted on February 26, 2010 by Brent Huston

I just completed the slides for my new presentation on application security. It is focused on understanding Remote File Include attacks against PHP implementations.

The preso covers what they are, how common they are, metrics, signatures, code examples and guidance for finding and mitigating them.

The slides are available as a PDF here.

If there is interest, I will try and either record audio or video of the presentation and post that separately. If you would like to see/hear that in the near future, leave a comment below.

This research and the resulting project were made possible by two facets of MicroSolved, Inc. that we don’t talk a lot about, so here is some info on the power behind this project.

The first, is our application security assessments. We have really been focusing on these projects recently and my team has been working hard to complete assessments for clients, as well as a variety of open source/community tools. As a part of our deep lab capability here and our relationship with Syhunt, in Brazil, we have been working together to test and improve their Sandcat4PHP and Sandcat Pro products (which we distribute/resell for them in the US). Essentially, this gives us a very deep capability to “grey box” test PHP applications. For those unfamiliar with grey box testing, that means that the tools and engineers have both access to the source code (white box) and a useable testing version implementation (black box). Combined, this testing methodology creates a very robust, accurate and thorough capability to exercise and examine an application. Manual and automated assessments intertwine to achieve maximum width and depth of assessment.

The second facet that powered this project was the HoneyPoint Internet Threat Monitoring Environment (HITME). This is a rapidly-growing network* of HoneyPoint deployments donated to MSI for the purpose of gathering attack data. The HoneyPoint agents are deployed in a variety of international locations to give us a real-time, global view of attacker sources, frequency and tactics for our research projects. The HITME is a unique capability to MSI and brings us data that most other security organizations can only dream of. In turn, we take the gathered knowledge and give it back to the security community in presentations and projects like this and the @honeypoint/#HITME feeds on Twitter and use it to protect our clients against an ever-growing arsenal of threats.

Combined, these capabilities have helped us identify hundreds of new PHP RFI attack signatures (which we plan to release shortly), find privately released PERL and PHP attack code/bot-net infectors (shared with the AV & IDS/IPS vendors) and build this presentation for the security community.

It also opened our eyes to just how popular PHP has become and how large the footprint is in corporate organizations and businesses around the world. In a recent survey, about 50% of the polled population stated that they did not have PHP in their enterprise, but did indicate that they use some combination of WordPress, Drupal, Joomla, Moodle, etc. All of these technologies are written in and utilize PHP! To the MSI team, this represents another area where the underlying technology is not understood in our corporate networks. This is another “unknown” for the attacker to leverage.

I hope you enjoy the presentation slides and I look forward to presenting this in public. If you would like to discuss more about our application security capabilities or the HITME, please let me know.

* Organizations and individuals can donate the operation of an Internet facing HoneyPoint Agent to MSI. Depending on the situation, they may receive a free license for HoneyPoint or the HoneyPoint Managed Service for their organization or home network. If you think you might be interested, please let me know and we can discuss how we might be able to work together.

Why I No Longer Have a Login at ISACA.org

Posted on February 23, 2010 by Brent Huston

After much conversation with the folks who manage the ISACA.org site and quite a bit of frustration trying to reach the people responsible for the site within ISACA, I had a good discussion with them last night and they have removed my login credentials by my request. While I have been and continue to be a supporter and member of ISACA, I disagree with them over this particular issue.

The problem is that the ISACA.org password reset mechanism sends your password in clear text to your registered email address. An attacker, or anyone, only needs to know or guess a user name to cause the system to send the password. If an attacker initiates this process and can gain access to the email system or the email itself in transit, then they gain access to a live, user generated password.

The threat model for this is obvious and commonly exploited. Users, even security folks, often re-use the same passwords around the Internet for a variety of sites. If the attacker can gain the password by exploiting this mechanism, then it becomes easy to try and leverage those credentials on a myriad of sites and accounts. Similar attacks have been quite popular lately and have proven effective for high level compromises on social media, e-commerce and other popular sites.

When I explained the problem to the web manager, he did not disagree with either the risk or the attack vectors. He only explained that they had known of the problem for a year or so and that their mitigation was to launch a new web site. He assured me the new site would be ready within a few months. He explained that the new site, in accordance with current best-practices, would include a new reset mechanism for passwords that used a token URL link or the like instead of a plain text password. I suggested that they remove the current mechanism from use until then and he said they would explore that as an option.

My main point on this issue is that I expect more from ISACA. I expect that since they are teaching the world to audit systems and processes for security, that they themselves would have secure processes. I especially have a hard time accepting that they knew of this problem for a year and chose to accept the risk without any additional controls being implemented, thereby placing the residual risk squarely on the shoulders of their members. To make matters worse, they transferred this risk to the membership without so much as a reminder or disclosure statement on their site about the problem. I understand that they may have resource constraints around managing the site, as he explained, but these are the same issues that all organizations face, including the very organizations their training teaches people not to accept this explanation from.

While the discussion was amiable and professional, I am left with my disappointment. I got no assurances that anything would be done differently until the new site is launched and I got no sense for how that new site will be peer tested, reviewed or the like. Thus, I asked them to remove my account until that time. This is also the reason I am making this post. I want all ISACA members to be aware of the risk and that their credentials could potentially be exposed. Hopefully, none of the membership reuses their password around the web, but that seems unlikely. At least now, if they read this blog post, they will be aware.

Please feel free to let me know your thoughts on this issue by leaving a comment below. You can also contact ISACA by phone. Their numbers are listed in the contact us portion of their website.

Lastly, I want to say that I continue to support ISACA and their membership. I think their mission is critical and that their training is a strong positive for the security community and the world at large. As always, thanks for reading!

Interesting Bot News

Posted on February 17, 2010 by Brent Huston

In the last couple of days, there have been a couple of interesting pieces of bot-net news.

This one, discusses how a bot-net software war is brewing over control of your PC. Some bots are now including kill code for other bots. In this case, the new kid on the block is killing zeus code to make sure it has sole control over your fraud.

Then there was this one about ms10-015 where the bot authors have fixed their rootkit code to make the BSOD go away. They did this not as a favor to MS or anything, but to restore use of the PCs and their chain of fraud. They also wanted to cover up their own code to keep users from cleaning it.

Interesting stuff around the bot threat landscape….

Broken Window Economics and Being “Type B”

Posted on February 10, 2010 by Brent Huston

I am actually quite glad that this article was written. I agree with its premise and I am very glad that MicroSolved is a “type B” security vendor. I am OK with that. It fits my world view. I am OK with not being a member of the “PCI in crowd” or doing infosec “just like all of the other vendors.” In fact, I STRIVE for MSI to do it differently. I PUSH my organization to serve our clients at a higher level. I STRAIN to help them achieve leverage. I think being “type B” makes MicroSolved INVALUABLE as a security partner.

That, in my book, is worth far more than being popular, one of the crowd or getting industry trophies and certificates. Those things might be nice for some, but helping OUR CLIENTS serve their customers in a safer way is just more our focus at MSI.

New Emerging Web Scans from the HITME

Posted on February 5, 2010 by Brent Huston

We started picking up a few very low intensity scans last night. The pace of them are increasing. They appear to be aimed at cataloging users of the ANT tool. You can find a list of the scanning targets and a link to BrainWebScan here, if you would like to check for them yourself.

If you are a MicroSolved Managed Assessment (GuardDog) client, your systems will be tested during your next scheduled assessment.

If you have any questions or would like to know more about our ongoing assessment services, threat management or application security testing, feel free to email us at info [at] microsolved [dot] C O M or give us a shout at 1-877-351-1237. We would love to discuss it with you!

InfoSec Cheat Sheets, A Collection!

Posted on January 27, 2010 by Brent Huston

I don’t know about you, but I LOVE cheat sheets. I absolutely use the crap out of them.

Today, someone (I lost the email since then), sent me this page that has a boatload of cheat sheets in one locale. Thanks to whoever sent it, you know who you are. 🙂

Check them out here.

I hope you find something useful there. I know I did!

Is IE Still on the Desktop at Your Organization?

Posted on January 19, 2010 by Brent Huston

I know that the IE infection is hard to kick. The most common argument I hear, many sites just don’t work with anything but Internet Explorer.

Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed alternative browsers (OK, Firefox, in all cases), and blocked all external access to IE users. They then take the help desk calls, check the sites that the users say won’t work with anything but IE, make sure they meet a business need, and then one by one add them into the proxy to be allowed out with IE.

Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites become so infrequent as to be non-existant and handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that they say the longer term savings paid for the work of the 30 day period in less than 3 months. Thats a 90 day, 100% ROI for a 120 day project!!!! In business terms, this is a NO BRAINER.

Given the oddity of Aurora, the history of IE vulnerabilities and the ease at which new users of Firefox, Opera, Chrome, Safari, et all become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, for those internal legacy apps where code-rewrite is not feasible. Heck, in this case, maybe even allow IE 6 to live on for internal use only (pray for no internal malware or xss attacks). We all know the real attack surface for IE is overwhelmingly the Internet.

Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.

Let me know what you think!

Why Web-Application Security is Important

Posted on January 6, 2010 by Brent Huston

After the discussion about my last post and my omission of appsec, I wanted to make up for it not being in the list. Certainly, application security is important and as pointed out, I should have added it to the list of primary concerns for organizations.

By now, I hope everyone understands that attacks like SQL injection, cross-site scripting and the rest of the OWASP top 10 can have devastating effects. Often, when these vulnerabilities come into play, data loss soon follows. Sometimes, the attacker is able to gain direct access to the data targets they are seeking. For example, if SQL injection grants them access to a database that contains credit card information or identity data, then the initial compromise may be all that the attacker needs to obtain their goal.

But, even when the initial compromise does not directly yield them the data they seek, the initial SQL injection compromise often allows them access to and/or control over other systems and components. They then use a variety of technologies and techniques (from keylogging to sniffing and from pivot attacks to trojans) to leverage the initial problem into the compromise of the data they seek. In many cases, the attackers prove themselves to be both creative and patient as they slowly crawl towards their goals.

Even if your site does not have the targets they want, the SQL injection can be quite damaging for your organization. Not only do you have the compromise itself, but quite often, the application or web server with the vulnerability is manipulated to propagate malware that infects the visitors to your site, turning their machines into victims as well. As a client recently told me, “You don’t want to have to explain to upper management why your web site is responsible for infecting your customer’s computers with a virus. It is not really good for your career.”

These are just a few of the reasons that your organizations should take web application security seriously. If you have some more you would like to share, please leave a comment below.

New Year, Old Threats

Posted on January 4, 2010 by Brent Huston

Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.

How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked. 🙂

1. Malware – malware is the current serious scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees to identify when things are “not quite right” in our environment? These approaches have a proven track record for helping. Check out the SANS CAG for more tips down this line of thinking.

2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.

3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside….. Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results focused. Together, we can help you get to a comfort point where security is a manageable task.

Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t. 🙂

PS – I hope you had a wonderful holiday season!

Got Internet? Read This….

Posted on December 22, 2009 by Brent Huston

http://is.gd/5xnBP I wish all consumers could read these 5 myths about cyber-security. Well spoken, Ms. Hathaway. Got Internet? Read this….

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston