About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

3 Great Resources for Learning About SQL

My technical team has been training some new engineers and has been focusing on SQL injection for the last couple of days. They asked me to share some resources they have found, or been pointed to, that help with learning the basics of SQL syntax and related topics. They are also compiling a set of vulnerable platforms and system images to build a deep lab environment with many examples and test scenarios in which to sharpen their skills and try out new techniques and defenses.

The first site they like is SQLZoo.Net, a gentle online introduction to SQL. It is perfect for anyone who took a SQL course long ago or who simply needs the basics. It is a quick refresher on SQL syntax, query processing and the core commands. That grounding lets them understand the queries an application is running behind a form and reverse engineer them from the application's behavior as they perform SQL injection. (Thanks to @tnicholson for the pointer to this site!)

Second, they have found the book Hacking Exposed: Web Applications Second Edition to be very helpful. The explanations of, and the examples of, SQL injection really helped them “get it”. Once they walked through it, side by side, with members of our penetration testing team, they made huge strides and were able to immediately employ the examples in the lab. Thanks to the authors for their great work on this book. The entire Hacking Exposed series is simply fantastic for training up-and-coming security engineers!

Lastly, with special thanks to OWASP, the team found the WebGoat tool to be excellent. It is an interactive web application for stepping through a variety of basic attack patterns. While not sufficient, in and of itself, to prepare someone for real application penetration testing, it is a great educational tool and makes for great training examples. Our team spent a good deal of time learning to explain and demonstrate the WebGoat issues to a mock set of upper management folks who were role playing their parts. Our team members must be able to communicate technical issues clearly, concisely and expertly to non-technical people, so this makes a great platform for training.

Thanks to all who helped by suggesting resources, and thanks to the new techs for keeping their concentration so high. Our experienced engineers did a great job of bringing the new team members up to the first floor; now they are showing them how to keep climbing toward the top. Great work!

If you would like to hear more about SQL injection, application security testing or would like to hear more about creating training/labs for SQL, please drop us a line.

Thanks for reading and I hope this gives you a pointer in the right direction to learn more about the basics of SQL injections!

Insider SQL Injection

While much improvement in, and awareness of, SQL injection as an attack vector has been applied to Internet-facing applications, a large set of vulnerable applications remains on internal networks. Our technical team routinely identifies large numbers of serious, easy-to-exploit SQL injection vulnerabilities on internal assessments and penetration tests. While many organizations have begun to focus on network and OS threats to their business networks, application-layer attacks remain unattended to in many cases.

“Our success level in obtaining customer sensitive data during internal tests remains very high,” said Adam, penetration testing team leader of MSI. “Even as people have begun to patch their systems, finally, injections prove to be a critical weakness. To make matters worse, these internal web apps often hold the keys to the kingdom, so to speak, so they are a very attractive target for our testing team,” Adam added.

“If it seems like a client is patched to current levels, then we know to check for injections,” claimed Nathan, penetration tester for MSI. “Throw a simple tick into forms and the vulnerable ones ‘shine like a crazy diamond’. From there, we are a few quick steps from compromise!” Nathan exclaimed.

Adam and Nathan both agree that organizations really need to pay attention to injections and other web application vulnerabilities on their internal networks. Given the threat of insider attacks, this remains a significant risk. “Even applying the basic techniques that they have achieved success with outside on the Internet would help. They just have to teach developers that internal apps matter as much, if not more, than Internet apps,” added Adam.
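To make concrete what the SQLZoo refresher is for and what Nathan's “simple tick” actually does to a query, here is an added example of my own (not code from the posts above, the book, or WebGoat). It builds a login check the way a vulnerable internal app does, by pasting form input into the SQL text, and puts the parameterized version beside it. The users table, its two rows and the payloads are constructed for the demo; SQLite stands in for whatever database the real app uses.

```python
"""Added example, not MicroSolved's code: the 'simple tick' SQL injection
check against a string-built login query, next to the parameterized form.
The users table and its rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a tiny (constructed) users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: user input is pasted into the SQL text, so a quote
    in the input closes the string literal and the rest of the input becomes SQL."""
    sql = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders keep the query structure fixed; the driver binds
    the input as data, so a quote or a comment marker is just characters."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def tick_test(conn: sqlite3.Connection, username: str) -> str:
    """The first thing a tester tries: a lone single quote in a form field.
    A database error coming back means the input reached the SQL parser unescaped."""
    try:
        login_vulnerable(conn, username, "x")
        return "no error"
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


if __name__ == "__main__":
    db = make_db()
    print(tick_test(db, "'"))                                 # syntax error: ...
    # Comment out the password check and log in as alice without her password.
    print(login_vulnerable(db, "alice' --", "wrong"))         # [('alice', 'admin')]
    # Classic tautology: returns every user in the table.
    print(login_vulnerable(db, "' OR '1'='1' --", "x"))       # both rows
    # The same payloads against the parameterized query match nobody.
    print(login_parameterized(db, "alice' --", "wrong"))      # []
    print(login_parameterized(db, "alice", "correct horse"))  # [('alice', 'admin')]
```

The tick alone only proves the input reaches the parser; the `--` payloads show why that matters, since the trailing comment discards the password predicate. On a real engagement the error text (or its absence) is what tells you whether the app swallows database errors, which changes the technique from error-based to blind injection.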

At MSI, our teams go well beyond the “scan and report” that so many vendors call a “penetration test”. We perform active exploitation and leverage the vulnerabilities we find to establish the true depth of the security issues, in addition to the breadth that comes from vulnerability assessment. Our approach, experience and methodology create the clearest and most realistic view of your security issues available. From ordinary OS exploits to SQL injection and bleeding-edge threat vectors, our team brings unique capabilities to the table, and our award-winning reporting ensures that the clarity carries through to the board room.

To learn more about internal network assessments, or to receive some free technical training tools about SQL injections, please give us a call or drop us a line/comment. We look forward to helping your team better secure your own internal web apps and other attack targets against compromise.

25% off HoneyPoint Security Server, Plus 0% Financing For April

This is no joke, or at least if it is, then the joke is on us. 🙂

For the entire month of April, we are offering a 25% discount off the retail prices for HoneyPoint Security Server for new customers. In addition to that, you can extend our 0% financing option to pay in monthly payments over the life of your support agreement up to 3 years! Plus, as promised in earlier posts, anyone who purchases HPSS by the end of April will receive 3 free licenses for HoneyBees once they are released!

The product is now licensed per server, in anticipation of the 3.0 release which is in lab testing as I write this announcement. All licenses include one console license on the platform of your choice (Linux, Windows, OS X). Licenses include one year of our acclaimed support and HoneyPoint upgrades. Maintenance year 2 and beyond is 20% of purchase price.

Here are some pricing examples for you to consider:

The base entry point is a 5 server license pack. The retail price for this pack is $4,995.00. During April, you can purchase the pack for just $3,746.25. Additional years of maintenance (up to 2 for a total of 3 years of support and maintenance) are just $749.25 per year. That means that if you buy a 5 server license with two years of maintenance, you can purchase it in April for $5,244.75. Furthermore, you could apply our 0% financing program and spread that amount over 36 months for a monthly payment of just $145.69!

For less than $150 per month, you can achieve incredible security visibility, additional protections against malware and the insider threat and enjoy the power of HoneyPoint’s “deploy and forget” (sm) approach to reducing the workload of your security team!

Here is another example. Our most popular HPSS package is our 25 server protection pack. The pack retail price is $15,975.00 and includes the same one year of support and upgrades. During the month of April, you can purchase this pack for just $11,981.25, while additional years of support/upgrades will run $2,396.25 per year. Using the same 0% financing approach as above you could purchase protection for 25 servers along with 2 additional years of support/upgrades for a total of $16,773.75 or $465.94 per month for 36 months!

In this common case, less than $500 per month can bring you the flexibility of HoneyPoint plugins, the self-defending mechanisms of HornetPoints and the insight that can only be achieved by knowing attacker frequency, capability and motivation.

And, of course, if you are an enterprise, we have the same deal for you too. You can leverage the power that we bring to integrate into existing security architectures and see the 90% savings we have brought to clients in terms of security resources as well. Give us a call and we would be happy to discuss your specific network size, implementations and HoneyPoint needs.

So, check out HoneyPoint. Give us a call to arrange a demo, or better yet, try out our HoneyPoint Personal Edition to see the technology in action. (Take a look at the included HPPE/HPSS document for ideas on how to test the product with HPSS in mind.) Then, give us a call or drop us a line and get the power of the Hive on your side. With HoneyPoint, attackers get stung instead of you.

Note: Purchase orders must be received by April 30, 2009 to qualify for this special offer.

New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

MSI is proud to announce a new add-on tool for HoneyPoint Security Server designed to help organizations fight the threat of sniffers that may be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that look real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. Because those credentials are never used legitimately, any attempt to authenticate to the HoneyPoint with them immediately identifies the attacker, and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field.” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught.”, he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (prior to the end of April) will receive three free HoneyBees to complement their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems.”, Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conflicker Infections

MSI is proud to announce the immediate availability of a LINUX ONLY HoneyPoint GUI tool to capture Conficker scans and probes.

Conficker is a significant threat and is expected to wreak havoc on April 1, 2009. You can find a ton of information about Conficker here, from various vendors, via SANS.

The HoneyPoint Special Edition: Conficker runs on Linux, is easy to use with just about any LiveCD distro (including Puppy, DSL, gOS, etc.) and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication, and a Windows version was not possible, since the detection requires binding to port 445/TCP, which Windows itself holds for CIFS/SMB.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.

Toata Update: Smaller Target List for Now

We caught some changed patterns from the Toata botnet last night in the HITME. It appears they have dropped RoundCube from their target probes and are now focusing on Mantis.

The target list is much smaller this time around, which should increase their speed and efficiency.

Current Toata scanning pattern 03/19/09:

GET HTTP/1.1 HTTP/1.1

GET /mantis/login_page.php HTTP/1.1

GET /misc/mantis/login_page.php HTTP/1.1

GET /php/mantis/login_page.php HTTP/1.1

GET /tracker/login_page.php HTTP/1.1

GET /bug/login_page.php HTTP/1.1

GET /bugs/login_page.php HTTP/1.1

Of course, the scans also contain the string:

“Toata dragostea mea pentru diavola” (Romanian; roughly “all my love for the she-devil”)

Check your own web logs for these requests. A hit on one of these paths from a scanner is just a probe, but if you actually host Mantis at any of these locations, investigate that host as if it were potentially compromised. This is a widely appearing set of probes.
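As an added example (my own code, not the HITME tooling), here is the log check the previous paragraph asks for: a small scanner over web server access logs that flags the six Mantis probe paths and the Toata signature string, and escalates any probe that actually got a 200 on a Mantis path. The log lines are constructed sample data using documentation addresses, not HITME captures, and placing the signature string in the User-Agent field is an assumption; the check matches it anywhere on the line.

```python
"""Added example, not MicroSolved's code: scan web server access logs for the
Toata probe paths and signature string listed above. The log lines are
constructed sample data (RFC 5737 documentation addresses), not HITME captures."""
import re

# Request paths from the 03/19/09 Toata pattern.
TOATA_PATHS = frozenset({
    "/mantis/login_page.php",
    "/misc/mantis/login_page.php",
    "/php/mantis/login_page.php",
    "/tracker/login_page.php",
    "/bug/login_page.php",
    "/bugs/login_page.php",
})
TOATA_TAG = "Toata dragostea mea pentru diavola"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two probes against a host without Mantis, one probe
# that got a 200, one ordinary visitor, and the malformed "GET HTTP/1.1" line.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2009:02:14:01 -0400] "GET /mantis/login_page.php HTTP/1.1" 404 512 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [19/Mar/2009:02:14:02 -0400] "GET /bugs/login_page.php HTTP/1.1" 404 512 "-" "Toata dragostea mea pentru diavola"
198.51.100.23 - - [19/Mar/2009:02:20:44 -0400] "GET /tracker/login_page.php HTTP/1.1" 200 2048 "-" "Toata dragostea mea pentru diavola"
192.0.2.55 - - [19/Mar/2009:03:01:10 -0400] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.56 - - [19/Mar/2009:03:05:00 -0400] "GET HTTP/1.1 HTTP/1.1" 400 0 "-" "Toata dragostea mea pentru diavola"
""".splitlines()


def classify(line: str):
    """Return a finding dict for a Toata-looking request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    reasons = []
    if path in TOATA_PATHS:
        reasons.append("mantis probe path")
    if TOATA_TAG in line:
        reasons.append("toata signature")
    if not reasons:
        return None
    status = int(m.group("status"))
    # A probe answered with 200 on a Mantis path means we really host the
    # target; that host needs a look as if compromised. Anything else is a scan.
    severity = "investigate-host" if (path in TOATA_PATHS and status == 200) else "scanned"
    return {"ip": m.group("ip"), "path": path, "status": status,
            "reasons": reasons, "severity": severity}


def scan_log(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


def worst_by_ip(findings):
    """Collapse findings to the worst severity seen per source address."""
    rank = {"scanned": 0, "investigate-host": 1}
    worst = {}
    for f in findings:
        current = worst.get(f["ip"])
        if current is None or rank[f["severity"]] > rank[current]:
            worst[f["ip"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for ip, severity in worst_by_ip(scan_log(SAMPLE_LOG)).items():
        print(f"{ip:16} {severity}")
```

Point it at a real file with `scan_log(open("access.log"))`. The severity split matters for triage: a 404 on `/bugs/login_page.php` is background noise from a botnet sweep, while a 200 on the same path means the bot found what it was looking for and the next request in the log is the one to read.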

Finding Conficker with HoneyPoint

With so much press attention on the Conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks, and is updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems not yet under the attackers’ control.

The worm is capable of propagating via several methods, but the most common one is exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port, on non-Windows systems, to detect scanning and probing hosts. Linux and OS X systems can open (“dilate”) this port, which cannot be done effectively on Windows without major work and impact on the system, and record the source IP addresses of infected hosts on the network. Approaches such as “scattersensing” have proven highly effective in identifying compromised hosts around the globe. Infected hosts should be removed from use immediately and treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap way to gain security insight using older systems, laptops or desktops, a LiveCD (such as Puppy Linux or gOS) and HoneyPoints. You can quickly build one or several scatter sensors and move them around your environment trivially. This makes for a powerful solution for detecting malware and insider threats of many kinds.
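Below is an added example of my own, not HoneyPoint or any other MicroSolved code, of the mechanism this post and the free Conficker HoneyPoint above rely on: a process that opens an otherwise unused port (445/TCP in the Conficker case), accepts whatever connects, and records the source address and first bytes. Nothing legitimate should ever talk to that port on a sensor box, so every connection is a lead. It also flags any connection that replays a decoy credential, in the spirit of the HoneyBees add-on announced above. The port number, the decoy token and the loopback traffic in the demo are assumptions; binding 445 needs root on Linux and OS X and, as the post notes, is not practical on Windows.

```python
"""Added example, not HoneyPoint code: a minimal stand-in for a HoneyPoint on a
single TCP port. It accepts any connection, records the source, keeps the first
bytes sent, and flags any connection that replays a decoy credential (the
HoneyBee idea). Port, decoy tokens and the client traffic in __main__ are
assumptions for the demo."""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Event:
    src_ip: str
    src_port: int
    port: int
    first_bytes: bytes
    decoy_reuse: bool


class Sensor:
    def __init__(self, port: int, decoy_tokens=(), host: str = "0.0.0.0",
                 banner: bytes = b"", on_event=None):
        self.decoy_tokens = tuple(decoy_tokens)
        self.banner = banner
        self.on_event = on_event
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port 445 needs root on Linux/OS X
        self._sock.listen(16)
        self._sock.settimeout(0.5)          # lets serve_forever() notice stop()
        self.port = self._sock.getsockname()[1]

    def _handle(self, conn: socket.socket, addr) -> Event:
        """Record one connection: who it came from and the first KB it sent."""
        conn.settimeout(2.0)
        data = b""
        try:
            if self.banner:
                conn.sendall(self.banner)
            while len(data) < 1024:
                chunk = conn.recv(1024 - len(data))
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        event = Event(addr[0], addr[1], self.port, data,
                      any(tok in data for tok in self.decoy_tokens))
        with self._lock:
            self.events.append(event)
        if self.on_event:
            self.on_event(event)
        return event

    def serve_forever(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def start(self) -> None:
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def stop(self) -> None:
        self._stop.set()
        self._sock.close()

    def wait_for_events(self, count: int, timeout: float = 5.0) -> bool:
        """Block until at least `count` events are recorded or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.05)
        return False


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> None:
    """Client side for the demo: one connection, one send, close."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(payload)


if __name__ == "__main__":
    # Demo on loopback: a fake SMB-looking blob (the kind of noise a 445 sensor
    # sees) and a replay of a decoy credential a HoneyBee might have emitted.
    s = Sensor(0, decoy_tokens=(b"PASS hb-decoy-7731",), host="127.0.0.1",
               on_event=print)
    s.start()
    probe(s.port, b"\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00")
    probe(s.port, b"USER honeybee\r\nPASS hb-decoy-7731\r\n")
    s.wait_for_events(2)
    s.stop()
```

For a real scatter sensor, run `Sensor(445)` as root on a LiveCD box with a routable address and ship the events off-box; the sensor deliberately never parses or answers the protocol, so there is nothing for a Conficker exploit payload to hit, and every source IP it logs is a host that tried to talk SMB to a machine that does not exist.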

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

Change the Way You Use (and Pay For) Penetration Testing

For a couple of years now, we have been offering our managed service and menu-based service clients flat rate options for all kinds of penetration testing, assessments and application security. By far, though, the best received and most popular service is our focal point penetration testing service. Let me share with you a situation I had with a client we’ll call “Joe”.

Joe is a 38 year old IT manager for a financial services company. He has been with the organization for more than 6 years and is a hard worker who is known around the company as a “get things done” kind of guy. Joe, like all IT managers today, is facing a cutback in his security staff and is struggling to keep up with the ever-changing threats, vulnerabilities and regulatory landscape that his company faces. He has been a MicroSolved client for several years and we have great rapport.

Joe’s problem is that his once a year penetration testing is just not working. The huge snapshot of his environment doesn’t maintain relevance for long as his staff struggles to respond to the findings and attack the problems that are identified in an overall manner. That’s when Joe comes to me to discuss his issues.

Joe and I spend a couple of hours talking about the problems he is facing and quickly find a HUGE solution to his problem. Joe and the MSI team break his IT environment into 4 functional slices. Instead of doing one big penetration test once per year, we begin to test 1/4 of his environment every quarter. That allows his team to focus on a specific slice of his environment for improvement during a given quarter and makes it very easy for him to create measurable security improvements in those targets. This gives him the ammunition he needs to provide continual improvement metrics to his upper management. From the MSI side, it makes the task smaller and faster for our team, and while the human engineer factor is slightly higher since we have to do setup and manual parts 4x, the difference is not really large. We extend terms to Joe’s company that allow him to pay for this service in low monthly payments over the term of the agreement. This makes the security bill from MSI easy to plan for and manage.

This was a couple of years ago. Joe is now approaching the big 4-0 and has been with his company more than 8 years. When we talked last week, Joe renewed his agreement with MSI for FIVE YEARS! He could not say enough about the work that we do with them, how the subscription approach to penetration testing has helped him and how grateful his board is for us letting them create a menu of services (including subscriptions for assessments and pen-testing) and split the cost INTEREST FREE over the five year term!

Joe is one happy client and at MSI that is exactly what we are all about. I love that our team has worked with clients to “get creative” about security problems. We deliver quality reports, do a lot of the heavy lifting for our clients and are always looking for new ways to help them be more successful with our services. Joe has learned just what that can mean to an organization and how my team can even “think outside the box” when it comes to payment terms and contracts. All around, Joe and MSI both have found a win-win relationship doing business together.

Subscription-based penetration testing, focused on a line of business or a segment of the IT environment, is, in my opinion, truly the future of security assessments. If you would like to discuss just such a solution, drop me a comment, email or tweet (@lbhuston) or feel free to call 614-351-1237 and talk to one of our account managers. We would love to help you get more from your security budget and find creative ways to make security better and more affordable for your organization too!

Breaches Often Stem from Unknown Data? Wow!

While doing some work on Operation Anaconda, I have been spending some time analyzing the various known metrics and statistics around the insider threat. One of the findings I found absolutely amazing is this one from the Verizon report: 66% of the 500 breaches studied in the report involved data that the organization DID NOT EVEN KNOW THEY HAD or DID NOT KNOW WHERE IT WAS in their own IT environment!

That’s ~330 breaches where the victim either did not know they had the data in question or did not know where in the network that data was supposed to be.

This, to me, is alarming. How on Earth can an organization secure what they do not know about? How can a security team possibly be tasked with securing what they don’t know they have? The fact is, they can’t. Thus, the first condition would be for the security teams in these organizations to KNOW WHAT DATA THE ORGANIZATION HAS AND WHERE IT LIVES.

If you are still trying to build security around perimeters, architectures or anything else that is not data-centric, then this should serve as a wake-up call. You must identify all of the data in your organization that is at risk. You must know what it is, how it is created/stored/processed/used/destroyed, and YOU MUST BUILD SECURITY AROUND IT.

Let me say that again to be clear. You must focus on identifying the data and then on defining security around it!

Please, use this statistic to change your security focus from architecture and IT environment protection to protecting the data. To focus on anything other than securing the data is to fail. Attackers will find the weakest point and when they do, they will attack the confidentiality, integrity and/or availability of the DATA.

As security folks, it is easy to get caught up in the day to day. It is easy to spend way too much time focused on management goals, content filtering, “playing net cop” and all of the other stuff that goes on. BUT, it is critical that we retain the daily focus on knowing what our organization has that needs protecting and on where and how we have to protect it. Focus on that and all will be well; fail at it and you’ll eventually be one of the 66% referenced above.

MSI is Currently Seeking Resellers for Services and HoneyPoint

We are currently seeking resellers for our HoneyPoint line of products and our professional services. We are open to discussing this with any firms interested in creating a virtual security practice and helping us present our HoneyPoint products to their markets.

We have a strong interest in working with partners in South America, Europe and Asia.

If your firm is interested in joining a reseller program that has been performing well for more than a decade and has members from the Fortune 100 to regional specialists, then please read more about the program here and contact us to arrange a discussion.

Our recent expansion of technical staff has created a limited opportunity to bring on new partner relationships. Does your organization have the will and capability to be among the group that leverages our two decades of excellence?