About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

HoneyPoint Appliance and Virtual Appliance Growing

Posted on July 28, 2009 by Brent Huston

I was so pleased with the news from my team yesterday that we are just about ready for the formal release of the HoneyPoint physical appliance. We are putting the final polish on the devices and they will be ready for release by the end of next week.

The virtual appliance is now going into its 2.0 architecture. The appliance has been rebuilt from scratch, hardened and reconfigured. It is also ready for shipment.

Special thanks to Adam for his work on completing these “decoy hosts” for folks that don’t want to put HoneyPoints on their production servers. His work is pushing HoneyPoint to the next stage of evolution and is much appreciated!

You can get both the virtual appliance and the physical appliance as a part of HoneyPoint Security Server and through the Managed HoneyPoint service as well. Drop us a line or give us a call to learn more about either of these programs!

Get Ready, Here Comes the MS Web Office Bot-Nets!

Posted on July 16, 2009 by Brent Huston

Just as we expected, the exploit for the Web Office 0-day has been integrated into existing bot-net spread attacks. SANS and other folks began reporting that SQL injection compromises have now been tuned to include defacements with the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of Cold Fusion defacements have been leveraged to spread malware for some time. However, this new “upgrade” to the malicious javascript the defacements leverage to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: https://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale, exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that you must reboot systems before they become immune to the exploit once the kill bits are installed in the registry.

Let us know if you have any questions or desire any assistance with the kill bit solution.

Risk Assessment and Mitigation for the MS Web Office Issue

Posted on July 14, 2009 by Brent Huston

Here is a PDF of the risk assessment and review of this emerging vulnerability. Please check it out if you are working on mitigating this issue.

While the corporate risk is identified as an overall medium, there is a high risk of workstation infection from this problem.

Check out the document here.

Vuln RA 071409 – MS Web Office 0-day

If you would like to follow the emerging threat, the SANS Internet Storm Center is the best place to get current news about the outbreaks and exploitation. You can also follow me (@lbhuston) on Twitter for more information as it comes in.

UPDATES:

7/14 – 2:17pm Eastern –

SANS has gone back to green status and is posting that they hope awareness has been raised.

Nick Brown wrote in to tell us that the exploit in MetaSploit is easy to use and very effective against most XP workstations. He also warns home users to be on the lookout as this is very likely to turn into a worm or automated bot-net attack very soon. He agreed that the MetaSploit exploit is unlikely to affect servers as we expressed in our assessment. Lastly, he wanted us to remind everyone that using the kill bits, REQUIRES A REBOOT OF THE SYSTEM BEFORE IT IS IMMUNE.

Adam Hostetler also found this site, which has some interesting ways of identifying vulnerable hosts: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

We have scheduled a FLASH Campfire chat for a threat update and discussion at 4pm Eastern today. The URL for that chat is: https://microsolved.campfirenow.com/ccf03

Thanks for reading and for all of the excellent feedback!

Update2: Here is the transcript from the public chat. Thanks to all who attended. Hopefully, it will be helpful for folks who are working on the issue.

Transcript

HoneyPoint Cracks with a Hidden Cost

Posted on July 10, 2009 by Brent Huston

OK, so we have been aware of a couple of cracked versions of HoneyPoint Personal Edition for a while now. The older version was cracked just before the 2.00 release and made its way around the torrent sites. We did not pay much attention to it, since we believe that most people are honest and deserve to be trusted. We also feel like people who value our work will pay the small cost for the software and those that just want to play with it and are willing to risk the issues of the “warez” scene would not likely buy it anyway….

However, today, someone sent me a link to a site that was offering a crack for HoneyPoint Personal Edition. The site was not one I had seen before, so I went to explore it. I fired up a virtual lab throw away machine and grabbed a copy of the crack application.

As one might expect, the result was a nice piece of malware. Just for grins, I uploaded it to Virus Total and here is the result:

http://hurl.ws/432e

Now, two things are interesting here. First, the crack is not even real and does not work. Second, once again, the performance of significant anti-virus tools are just beyond poor. 6 out of 41 products detected the malware in this file. That’s an unbelievably low 14.6% detection rate!

The bottom line on this one is that if you choose to dabble in the pirate world, it goes without saying that, sometimes you will get more than you bargained for. In this case, trying to get HoneyPoint Personal Edition for free would likely get you 0wned! Ahh, the hidden costs of things…..

If you are interested in a legitimate version of HPPE, check it out here.

In the meantime, true believers, take a deep breath the next time your management team says something along the lines of “…but, we have anti-virus, right…” and then start to educate them about how AV is just one control in defense in depth, and not a very significant one at that…

Table Top Testing Your Incident Response Process

Posted on June 25, 2009 by Brent Huston

Here is a slide deck for a presentation I gave today about a cheap, easy and effective way to test your incident response process.

It is a lot like a corporate game of Dungeons and Dragons (IT Manager needs food badly!), except that you get to actually see what your team knows and needs training on about your environment, the process itself and/or other specifics that could be useful during a real information security event.

If your interested in the topic and would like to schedule a presentation or the like, just let me know. Enjoy the slides and take a stab at role playing as a mechanism for testing business processes. Our experiences have shown it to be a worthwhile investment, and of course, let me know if you need me to be the “Dungeon Master”… 🙂

Testing your Incident Response Team

If the above link does not work, try this one.

HoneyPoint Managed Service Now Available

Posted on June 19, 2009 by Brent Huston

The initial private launch is complete, and the public launch has begun. HoneyPoint Security Server is now available as a managed service!

HoneyPoints can be deployed as software on your internal existing servers and workstations or on our VMWare virtual appliance. We manage the console and deliver real time email alerts, support and advice on security incidents. Incident response consulting and handling help is also available at a reduced hourly rate to HP Managed Service clients.

In addition to leveraging the power of HoneyPoints and HornetPoints, you also get easy, automated monthly reporting to make your life as an IT administrator or security team member easier.

As a special introductory price for readers of the blog, our newsletter and friends of the firm, you can sign up now for HoneyPoint Managed Services for as low as $99.00 (US) per month. Plus, for being a supporter of MicroSolved and our efforts, we will waive the setup fee ($195.00 normally) if you join the program before the end of July, 2009!

Interested in putting the power of the HoneyPoint Hive to work for your organization? Give us a call (614-351-1237 x206) or drop us a line (info@microsolved.com) and learn more about how to get more security with the least amount of effort. We’ll be happy to share our success stories with you. We look forward to working with your team!

Thoughts on Increasing Security in the Smart Grid

Posted on June 17, 2009 by Brent Huston

There has been a lot of attention lately on the “smart grid” and the coming evolution of the US (and global) power grid into a more robust, information and data-centric environment. Much press has been generated around the security and insecurity of these changes.

Currently, NIST and various other concerned parties, are hard at work on formalizing the standards around this particular environment and the products that will eventually make up this public spectrum of life. In the MSI lab, we have researched and reviewed much of this data and would like to offer forth some general recommendations for both the consideration of the various standards bodies and the particular vendors developing products in this area. Here they are, in no particular order:

First, we would ask that you design your products and the underlying standards with industry standard best practices for information security in mind. The security practices for IT are well established, mature and offer a large amount of protection against common security issues. Please include them in your designs.

Next, we would offer the following bullet items for your consideration:

Please take steps to minimize the attack surfaces of all products throughout the system to reduce the chances that attackers have to interact with the system components. Many of the products we have looked at offer far too wide and too many attack surfaces. This should definitely include reducing the attack surfaces available to system processes and thus, by implication, malware.
Please ensure that your system includes the ability to update the components in a meaningful way. As the smart grid system evolves, security issues are bound to arise and being able to patch, upgrade and mitigate them where possible will be a powerful feature.
Please implement end-to-end detective controls that include the ability to monitor the components for fraud, tampering, etc. Please include not just operational detective controls, but also logging, reporting and support for forensic hashing and other incident analysis capabilities.
You MUST be prepared to implement these systems with strongly authenticated, role-based access controls. Implementations that rely solely on single factor authentication are not strong enough for banking applications, so they should not be considered strong enough for the power grid either.
Please take every opportunity to prevent and restrict data leaks. Reducing the information available to the casual attacker does help prevent casual compromise. While these reductions might not prevent the determined, focused attacker, the exposure of these attack surfaces to the casual attacker is much more probable and thus should be controlled for in your security equation.
When you implement encryption into your products and systems, please choose appropriate, strongly peer-reviewed encryption. Proprietary encryption is too large of a risk for the public infrastructure. Also, please ensure effective, yet low resource requirement key management. Complicated key managed approaches do not differentiate your product in a good way, nor do they usually enhance security in any meaningful way. Proper key management technologies and encryption exist, please use them.
The same goes for protocols as encryption. We have standard protocols defined that are mature, stable, understood and effective. Please leverage these protocols and standards wherever possible and reduce or eliminate proprietary protocols. Again, the risk is just too large for the world to take a chance on unproven, non-peer reviewed math and algorithms.
Please design these systems with defense in depth in mind. You must provide multiple controls for confidentiality, integrity and availability. Failure to do this at a meaningful level creates substantial risk for you, your clients and the public.
Please ensure that your allow for rational processes for risk assessment, risk management and mitigation. If systems require high complexity or resources to perform these tasks, they simply are not likely to get done in the longer term of the smart grid when the shiny newness rubs off.
Please apply the same care and attention to consumer privacy and protection as you do to managing waste, fraud and abuse. This helps you design more secure components and protects both you and the public in a myriad of ways.
Please ensure that your product or system includes appropriate training materials, documentation and ongoing support for handling security and operational issues. Very little of the smart grid technology is likely to be “fire and forget” over the long haul. Please make sure your organization continues to create appropriate materials to educate and inform your users.

Largely, the rewards of the smart grid are incredible. Energy savings and reduced ecological impact are both key components of why the smart grid is in the public eye and is achieving so much momentum. However, like all change, the public is right to fear some facets. If done right, this will become the largest, most technological network ever created. Done wrong, it represents a significant risk for privacy, safety and national security. At MSI, we believe that the project can and will be done right! Thus, we want to contribute as much as possible to the right outcome.

Thanks for reading and please, take some time and educate yourself about the smart grid technologies. Your voice is very important and we all need to lend a hand and mind to the effort!

Interview with Syhunt CEO

Posted on June 12, 2009 by Brent Huston

This week I got a chance to ask a couple of questions about Syhunt SandCat and the future of web application security. Here is the exchange with some great insights into where the web and attackers are heading!

Quick Interview with Felipe Aragon, CEO of Syhunt.

Q: The 3.8 release represents a significant step forward in application security scanning, especially around Javascript. What are the key features that application testers should know about in the 3.8 product?

R: Browsers and the web evolved significantly over the past years. Sandcat has evolved together with the new advancements and now has a lot in common with modern web browsers. This is essential because if you want to seriously hunt security breaches in web 2.0 applications you have to emulate modern Web technologies. So, naturally Sandcat evolved to understand JavaScript, AJAX and PHP and is now what is known as a hybrid web application security scanner. We also implemented multi-thread sessions, making each host scan a different process (Google Chrome, for example, employ a similar technique, making each tab a different process). Other important features we got working in Sandcat is the ability to simulate user interaction and multi-layer defense evasion. Sometimes, after evading a WAF (web application firewall), the last layer of defense against exploitation is a regular expression filter, which can also be bypassed by using many different techniques, so we got this working in Sandcat. Unfortunately weak filters were popularized and today many websites are vulnerable to this attack.

Q: How are Javascript threats influencing the state of application security today?

R: Thanks to JavaScript, Web applications are becoming increasingly more sophisticated, so next-generation web applications must be handled like desktop applications. Browsers like Opera, Firefox, Safari, Chrome are now adding faster JavaScript VMs each release because this is where the Web is going. Increased usage of JavaScript changes everything. It changes the way web developers build web sites, and the way hackers search for vulnerabilities or take advantage of weak spots in web applications. It makes more difficult for web developers to build secure web applications and, of course, for pen-testers that are unskilled web programmers to fit in in this new world. JavaScript can be used to steal cookies, spread worms, launch XSRF attacks and many other malicious purposes. The attacks are limited only by the attacker’s imagination.

Q: Where do you see application security heading in the next 12 months? What types of attacks should we be paying attention to that are slipping below our radar right now?

R: Right now we are monitoring the emergence of new web platforms (such as the recently announced Google Wave) that will make the 3.0 version of the Web possible. I believe we are heading towards the end of an era for the Web, a Web OS is materializing. These web 3.0 platforms and extensions built for these platforms will be a major target for cybercriminals. We have a set of new vulnerability classes and combined attacks (using both old and new classes) on the horizon. It will take a lot of time for web developers to understand how certain lines of code, client-side or server-side, translate to some serious security issues and how to avoid them. It might actually never happen because the Web and attack methods will continue to evolve faster. Without innovation, there is no future for the web, but I hope organizations will do whatever they can to understand and minimize security risks within their Web systems and not allow the cyberspace to become more insecure than it is today.

Check out SandCat’s new release at http://www.syhunt.com.

PS – In fair disclosure, MSI has a business relationship with Syhunt.

New Web Scanner Patterns

Posted on June 11, 2009 by Brent Huston

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is assuming the spread and slow increase as usual with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like. (FREE) I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Lessons from an Almost Lost Laptop

Posted on June 5, 2009 by Brent Huston

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston