About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

HoneyPoint Security Server Console 3.00 Released

This is an informal notice to the readers of the blog and the Twitter feed that we have made the 3.00 console release available on the FTP site. You can get the latest version using the credentials shipped with your original purchase.

Installation and upgrade are through the normal processes. Please let us know if you have any questions. A formal announcement and press release will be forthcoming tomorrow, but we wanted to give our readers a chance to grab the code before the onslaught begins. 🙂

Thanks to everyone who participated in the 3.00 testing and we are very happy to make this available. The next release will likely be the 3.00 version of the newly consolidated HoneyPoint Agent and Configuration Utility. More on that in the near future!

ABC News Reports Shortage of H1N1 Vaccine

ABC News is reporting that a shortage of the vaccine for H1N1 is looming. This is mostly due to the virus being slower to reproduce in the chicken egg medium used to grow the viral load for the injections.

Health care workers and children will receive the bulk of the available vaccine when it is available, likely beginning in October.

Since most of the workforce is made up of neither children nor health care workers, this leaves quite a large population whose absences from work should be planned for. Many people will become ill from the virus, or be required to miss work taking care of others who are ill from the virus, if the current trends continue.

For workers who are not ill, your organization should provide a mechanism for working remotely, if possible. This not only allows you to continue your business operations, but also allows those with exposures to the virus to “work from home”, limiting their contact with the rest of your team and the public in general.

This is the basis for the pandemic planning that is required and that we have been discussing in previous blog postings.

All businesses are urged to consider pandemic planning a priority and to consider creating, testing and revising their current plans.

Pandemic Planning Coverage

Over the next few weeks, we will be presenting some blog coverage and a couple of public talks about pandemic planning. Given the current information on the H1N1 virus and the outlook from the CDC & WHO, we feel this to be prudent. I wanted to publish this post to draw your attention to the situation and to reinforce the idea that pandemic planning is the exact process to avoid PANIC.

Planning for situations is a responsible, mature act. Panic is a dangerous and often disastrous response to a problem. Our goal over the next few weeks is to get you thinking about pandemic planning. While the H1N1 threat may or may not immediately emerge as a significant issue, planning for such events is, in our opinion, a wise investment.

As we move forward in discussing pandemic plans, it will be in the flavor of disaster recovery and business continuity. Hopefully, you already have a basic plan, and this will serve more as thought points for evaluation and consideration. If you do not yet have a plan, then please use this coverage as a basis for developing one.

Our framework will be built around three primary areas: Technology, Policy and Process, and Awareness.

Here is a quick and dirty mind map of the topics we will be covering.

[Image: PandemicRough.png – mind map of the pandemic planning topics to be covered]

Keep your eyes on the blog for events around pandemic planning and related topics. As always, feel free to let us know your thoughts and comments, as well as any helpful tips you would like to share with others.

Updated Note: Thanks to WordPress for making the above graphic unusable, even when saved. You can download the png image at full (readable) size from here.

Your Next Security Threat May Not Involve Attackers

I was astounded when I read this article that includes a 2 BILLION estimate on the number of H1N1 cases that the WHO is expecting. Even worse, at 30% of the human population on the planet, many are calling that number conservative. Some members of the medical community say that 45-50% may be likely!

In either case, the good news is that SOME vaccine is likely to be available to those in the Northern Hemisphere before Autumn arrives. The bad news is that there will likely not be an abundance of it, and that means some will not have access.

This is where the DR/BC planning comes in. By now, you probably have heard a little bit about pandemic planning and hopefully have created processes for remote working, containing illness and ensuring that you can operate with reduced staff. If you haven’t done this yet, NOW IS THE TIME to get this started.

If you do already have a plan, now might be a good time to do some rudimentary testing. Maybe declare a couple of reduced staff days, test the load on the VPN and remote access servers and such. This testing effort will likely reveal a few holes in these plans, but it is much better to learn about them and mitigate them now than when the real thing is going on.

Clearly, from the evidence presented by the WHO, this is something we should be paying attention to. Those who lack the focus or resources to take it seriously may well find themselves in troubling times when the weather turns colder and folks in the office begin to sneeze….

Book About PERL for Problem Solving

One of the essential tech skills I am always on the prowl for is a way to use technology to solve a complicated problem. Of course, one of the most useful ways to do this is to learn and apply simple programming skills. PERL is one of those scripting languages that is easy to get on a basic level, but it offers so much additional capability and complexity that it would take a literal lifetime to truly “master”.

But, the wonderful thing about PERL is its amazing capability in simplicity. You can take a few basic PERL legos and really make some wonderful things to increase the ease of your life and work. This book, Wicked Cool Perl Scripts (http://www.secguru.com/books/wicked_cool_perl_scripts_useful_perl_scripts_solve_difficult_problems), is chock full of examples of just how to apply some basic PERL to real world problems. Check it out if you are a fan of PERL and want to automate things from work, to your news and RSS feeds, to your World of Warcraft gaming. PERL is not only easy and cool, but also fun!

Egress Filtering 101

Egress filtering is one of the most often underestimated defenses today. We continue to see organizations that have not yet deployed strong egress filtering, which is one of the most effective controls in defending against and detecting bot-nets. Without it, outbound connections are usually a mystery to the security team and identification and interception of malware outbound command and control channels are unlikely.

To add fuel to the fire, egress filtering is cheap (you probably already have a firewall or router that can do it) and easily managed once configured. Sure, establishing the political will to see it through can be tough, but given the threat levels and attacker techniques in play today, it is a highly critical effort. You start by examining what outbound ports you allow today, then close all ports outbound and allow only the ones that have a true business case. Once you have choked down the traffic, consider implementing application proxies where possible to further strengthen the egress traffic and rules.

Once you have appropriate proxies in place, don’t allow any outbound web traffic or the like from any host but the proxies. No outbound DNS, chat protocols or the like from the desktop world to the Internet. The more you choke this down, the easier it is to protect the desktop world from simple issues.

Egress filtering is just too easy to ignore. The level of protection and the capability to monitor outbound attempts to break the rules, once in place, are powerful tools in identifying compromised internal hosts. Best practice today truly includes this requirement, and those interested in truly securing information should embrace egress filtering as soon as possible.
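The default-deny allow-list described above, together with the "watch who keeps hitting the deny rule" idea, can be modelled in a few dozen lines. The following is an added example, not MicroSolved code or a HoneyPoint feature: it assumes a 10.0.0.0/8 internal range, two web proxies, one internal resolver and one mail relay (all constructed addresses), evaluates constructed firewall-style flow records against the allow-list, and counts denied egress attempts per internal host so that a desktop talking directly to the Internet on a forbidden port stands out.

```python
"""Default-deny egress policy evaluator (added example, not MicroSolved code)."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed network layout (constructed for this example, not from the post).
INTERNAL_NET = ip_network("10.0.0.0/8")
PROXIES = {ip_address("10.0.1.10"), ip_address("10.0.1.11")}
RESOLVERS = {ip_address("10.0.1.53")}
MAIL_RELAYS = {ip_address("10.0.1.25")}

# The allow-list: everything outbound is denied unless a rule below matches
# both the destination port AND the designated source host(s).
ALLOW_RULES = [
    ("web only from the proxies", PROXIES, "tcp", {80, 443}),
    ("DNS only from the resolver", RESOLVERS, "udp", {53}),
    ("DNS (TCP) only from the resolver", RESOLVERS, "tcp", {53}),
    ("SMTP only from the mail relay", MAIL_RELAYS, "tcp", {25}),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# Constructed log format: "<timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], ip_address(m["src"]), ip_address(m["dst"]),
                m["proto"], int(m["dport"]))


def egress_verdict(flow):
    """Return (allowed, reason). Only internal -> external flows are judged."""
    if flow.src not in INTERNAL_NET or flow.dst in INTERNAL_NET:
        return True, "not an egress flow"
    for label, sources, proto, ports in ALLOW_RULES:
        if flow.proto == proto and flow.dport in ports:
            if flow.src in sources:
                return True, label
            # Right port, wrong host: a desktop bypassing the proxy/resolver.
            return False, f"{proto}/{flow.dport} permitted only from designated hosts ({label})"
    return False, f"{flow.proto}/{flow.dport} has no business case outbound"


def suspect_hosts(lines):
    """Count denied egress attempts per internal source host.

    A workstation that repeatedly trips the deny rule (IRC, direct DNS,
    direct web) is exactly the compromise indicator the post describes.
    """
    counts = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        allowed, _ = egress_verdict(flow)
        if not allowed:
            counts[str(flow.src)] += 1
    return counts


# Constructed sample records (not real traffic); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for the Internet.
SAMPLE_LOG = """\
2009-07-14T14:17:01 src=10.0.1.10 dst=203.0.113.9 proto=tcp dport=443
2009-07-14T14:17:02 src=10.0.5.23 dst=198.51.100.7 proto=tcp dport=6667
2009-07-14T14:17:03 src=10.0.5.23 dst=198.51.100.53 proto=udp dport=53
2009-07-14T14:17:04 src=10.0.5.40 dst=203.0.113.9 proto=tcp dport=80
2009-07-14T14:17:05 src=10.0.1.53 dst=198.51.100.53 proto=udp dport=53
2009-07-14T14:17:06 src=10.0.5.40 dst=10.0.1.10 proto=tcp dport=3128
2009-07-14T14:17:07 src=10.0.5.23 dst=198.51.100.7 proto=tcp dport=6667
""".splitlines()

if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} denied egress attempt(s)")
```

Run as-is, the script reports 10.0.5.23 three times (IRC twice, direct DNS once) and 10.0.5.40 once (direct web instead of via the proxy), while the proxy and resolver traffic passes and the desktop-to-proxy connection on 3128 is ignored as internal. The same evaluator applied to your firewall's deny log is the monitoring step the post recommends.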

If you want help with such a project or want to learn more about scoping egress filtering in your network, let us know. We would be happy to help you!

HoneyPoint Appliance and Virtual Appliance Growing

I was so pleased with the news from my team yesterday that we are just about ready for the formal release of the HoneyPoint physical appliance. We are putting the final polish on the devices and they will be ready for release by the end of next week.

The virtual appliance is now going into its 2.0 architecture. The appliance has been rebuilt from scratch, hardened and reconfigured. It is also ready for shipment.

Special thanks to Adam for his work on completing these “decoy hosts” for folks that don’t want to put HoneyPoints on their production servers. His work is pushing HoneyPoint to the next stage of evolution and is much appreciated!

You can get both the virtual appliance and the physical appliance as a part of HoneyPoint Security Server and through the Managed HoneyPoint service as well. Drop us a line or give us a call to learn more about either of these programs!

Get Ready, Here Comes the MS Web Office Bot-Nets!

Just as we expected, the exploit for the Web Office 0-day has been integrated into existing bot-net spread attacks. SANS and other folks began reporting that SQL injection compromises have now been tuned to include defacements with the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of ColdFusion defacements, have been leveraged to spread malware for some time. However, this new “upgrade” to the malicious JavaScript the defacements use to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: https://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale, exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that you must reboot systems before they become immune to the exploit once the kill bits are installed in the registry.
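Before pushing a kill-bit .reg file to staff (or handing it to them for home systems), it is worth verifying that it actually sets the kill bit for every control you meant to block. The following is an added example, not MicroSolved code and not the kill-bit file from the referenced article: it parses the text of a Windows .reg export, reads the `Compatibility Flags` DWORD under the well-known `ActiveX Compatibility` key, and reports any required CLSID whose kill bit (0x400) is not set. The CLSIDs in the sample are placeholders; take the real ones for this issue from the linked article or the vendor advisory.

```python
"""Verify kill bits in a .reg export (added example, not MicroSolved code)."""
import re

# The Compatibility Flags bit that tells Internet Explorer never to load a control.
KILL_BIT = 0x400

# Real registry location of the per-CLSID kill-bit entries.
ACTIVEX_COMPAT_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_kill_bits(reg_text):
    """Map CLSID -> Compatibility Flags for every ActiveX Compatibility key
    in the decoded text of a .reg file (reg export writes UTF-16; decode first)."""
    flags = {}
    prefix = (ACTIVEX_COMPAT_KEY + "\\").upper()
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"].upper()
            # Only track keys directly under ActiveX Compatibility.
            current = key[len(prefix):] if key.startswith(prefix) else None
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            flags[current] = int(vm["hex"], 16)
    return flags


def missing_kill_bits(reg_text, required_clsids):
    """Return the required CLSIDs that the file does NOT kill-bit
    (absent key, or Compatibility Flags without the 0x400 bit)."""
    found = parse_kill_bits(reg_text)
    return sorted(
        clsid.upper()
        for clsid in required_clsids
        if not (found.get(clsid.upper(), 0) & KILL_BIT)
    )


# Constructed sample .reg text with PLACEHOLDER CLSIDs (not the real
# Office Web Components identifiers). The second entry is a deliberate
# mistake: the key exists but the kill bit is not set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000000
"""

# PLACEHOLDER list of controls that must be kill-bitted; one is missing
# from the file entirely.
REQUIRED = [
    "{11111111-2222-3333-4444-555555555555}",
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
    "{FFFFFFFF-0000-1111-2222-333333333333}",
]

if __name__ == "__main__":
    for clsid in missing_kill_bits(SAMPLE_REG, REQUIRED):
        print(f"kill bit NOT set for {clsid}")
```

This checks the file you are about to deploy, not the running system: a file that passes still only takes effect after the registry import and, as the post stresses, a reboot of the workstation.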

Let us know if you have any questions or desire any assistance with the kill bit solution.

Risk Assessment and Mitigation for the MS Web Office Issue

Here is a PDF of the risk assessment and review of this emerging vulnerability. Please check it out if you are working on mitigating this issue.

While the corporate risk is identified as an overall medium, there is a high risk of workstation infection from this problem.

Check out the document here.

Vuln RA 071409 – MS Web Office 0-day

If you would like to follow the emerging threat, the SANS Internet Storm Center is the best place to get current news about the outbreaks and exploitation. You can also follow me (@lbhuston) on Twitter for more information as it comes in.

UPDATES:

7/14 – 2:17pm Eastern –

SANS has gone back to green status and is posting that they hope awareness has been raised.

Nick Brown wrote in to tell us that the exploit in Metasploit is easy to use and very effective against most XP workstations. He also warns home users to be on the lookout, as this is very likely to turn into a worm or automated bot-net attack very soon. He agreed that the Metasploit exploit is unlikely to affect servers, as we expressed in our assessment. Lastly, he wanted us to remind everyone that using the kill bits REQUIRES A REBOOT OF THE SYSTEM BEFORE IT IS IMMUNE.

Adam Hostetler also found this site, which has some interesting ways of identifying vulnerable hosts: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

We have scheduled a FLASH Campfire chat for a threat update and discussion at 4pm Eastern today. The URL for that chat is: https://microsolved.campfirenow.com/ccf03

Thanks for reading and for all of the excellent feedback!

Update2: Here is the transcript from the public chat. Thanks to all who attended. Hopefully, it will be helpful for folks who are working on the issue.

Transcript

HoneyPoint Cracks with a Hidden Cost

OK, so we have been aware of a couple of cracked versions of HoneyPoint Personal Edition for a while now. The older version was cracked just before the 2.00 release and made its way around the torrent sites. We did not pay much attention to it, since we believe that most people are honest and deserve to be trusted. We also feel like people who value our work will pay the small cost for the software and those that just want to play with it and are willing to risk the issues of the “warez” scene would not likely buy it anyway….

However, today, someone sent me a link to a site that was offering a crack for HoneyPoint Personal Edition. The site was not one I had seen before, so I went to explore it. I fired up a virtual lab throw away machine and grabbed a copy of the crack application.

As one might expect, the result was a nice piece of malware. Just for grins, I uploaded it to Virus Total and here is the result:

http://hurl.ws/432e

Now, two things are interesting here. First, the crack is not even real and does not work. Second, once again, the performance of significant anti-virus tools is just beyond poor. 6 out of 41 products detected the malware in this file. That’s an unbelievably low 14.6% detection rate!

The bottom line on this one is that if you choose to dabble in the pirate world, it goes without saying that, sometimes you will get more than you bargained for. In this case, trying to get HoneyPoint Personal Edition for free would likely get you 0wned! Ahh, the hidden costs of things…..

If you are interested in a legitimate version of HPPE, check it out here.

In the meantime, true believers, take a deep breath the next time your management team says something along the lines of “…but, we have anti-virus, right…” and then start to educate them about how AV is just one control in defense in depth, and not a very significant one at that…