Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Giving for the Holidays

Posted on by
Reply

Now is the time when many folks open their hearts and their wallets to help others. At MSI, I am proud to say that we do this all year. This year alone we have worked on gathering and donating old cell phones for the Central Ohio Choices program, made donations to the One Laptop Per Child organization, donated our services to a group of non-profits and charities working to make the world a better place and performed various other functions. I am so very proud to lead a team of individuals who are fully committed to the goals of many of these organizations and who routinely work to improve the lives of others, the environment and our future.

Information security and technology aside, I wanted to take a few moments and give links to some very deserving organizations in my book. Of course, there are a ton of organizations out there, many are very very dedicated and do wonderful work. Organizations like the Red Cross/Red Crescent and so many others are deserving of your support year round, but here is a quick list of special organizations I hope you will support this year and in the future.

(RED) – This organization is fighting desperately to overcome the tragedy of HIV/AIDS. You can help by buying products with their logo, which will donate an amount of the sale to the cause.

Heifer – They provide animals and other micro-farming capabilities to emerging nations. Their tradition of passing new born animals back into the program is one of the greatest ideas ever!

Of course, One Laptop Per Child, who is taking measures to educate the youth of the world. Their “give one, get one” program is simply amazing. Try this, give one to the program and take the get one to a local school or pre-school and donate it too. Or, choose a neighbor or someone with children who could benefit from the technology. It is a great way to help.

Then there is Charity:Water , who is fighting to bring clean, safe drinking water to the world. Believe me, we will all need this in the future. The world could be a very different place in the future.

There are tons more I wish I could cover: dog shelters, Animal Rights Aruba, various anti-poverty and disease research groups, etc. The nice thing about charity today is that there are so many ways to give and so many organizations to support that everyone can find the right one to fit their own moral, religious and social compass. Just picking one is the first step. Hopefully, this quick list will get you started, or at least thinking about it.

We will now resume our regularly scheduled security banter. Thanks for reading, not just today, but all year long and everyone at MSI wishes you and yours a safe, peaceful and wonderful holiday season!

New Twitter Feed of “Bad Touches” Available

Posted on by
Reply

For those of you interested in security, black listing or HoneyPoint stuff, check this out.

I used the TweetCLI tool I blogged about earlier to write a HoneyPoint Security Server plugin. The plugin fires for each event and tweets the attacker IP and source port that the deployed HoneyPoints covered by this console saw.

There are several hosts and networks reporting HoneyPoint alerts to this console. All of these HoneyPoints are Internet exposed, so you should be able to see some basic sources of scans, probes and malware attacks.

I am not presently publishing the payloads, though I may in other ways in the future or show aggregate data in some manner.

The basis for the “bad touches” is that these are hosts and ports not truly offering any services, thus any interaction with them could be considered suspicious at best and malicious at worst. An IP address will only be tweeted once per 24 hour period currently, regardless of the amount of interaction it has with HoneyPoints reporting to this console.

You can watch the stream via the web at http://www.twitter.com/honeypoint or by following @honeypoint on twitter. There could be a lot of tweets depending on attack trafffic, so know that up front.

Please let me know if you like the feed, any plans or ways you can think of that it might be helpful to you or other feedback. We are offering this up to the community and we hope that it is helpful to those interested in HoneyPoints, security trending and/or black list generation.

Let me know your thoughts and thanks for reading!

Security of Secondary Financial Service Systems

Posted on by
Reply

In the US several “secondary financial services” exist. They range from check cashing/money transfer to short-term lenders and various other financial services. Many of these organizations also offer additional services like payroll check loans, check “floats”, tax preparation and a variety of services. In many cases these organizations aim their marketing for immigrant workers, people sending money to foreign countries and the economically challenged.

Unlike traditional banks and credit unions, these organizations are loosely regulated, if at all. In many states few rules for their operation exist and certainly they do not face the security and regulatory requirements of traditional financial services organizations. Several cases have been made about the predatory, aggressive and border-line criminal activities that seem to abound in this industry.

Recently, Panda, an anti-virus vendor, completed a study of the check cashing centric businesses associated with this tier of financial services. Their study found that thousands of machines in these businesses were running out of date security software, including anti-virus trial versions. They observed more than 1500 machines running these out of date basic security tools. Of those, they found more than 60 percent to be actively infected by some form of malware. 80 percent of the machines studied were actively being used to process financial transactions.

Basically, this demonstrates a true lack of concern for information security in this sector. By not providing for even the most basic of security functions, anti-virus, they leave the identity and financial data of their clients vulnerable to theft and tampering.

To make matters worse, in many locations in our state, Ohio, the check cashing organizations require a lot of information about you to obtain their services. Normal contact information, plus social security number, driver’s license and other identity details are often maintained in their databases. In more than one case of calling around various locales near us, several of the companies asked for a “client number” and when pressed, we were told this was the same as our social security number and could be found on our “membership card”. Needless to say, this very fact that SSN is being used so carelessly, gave us more than a chill. We truly hope that those consumers choosing to use these organizations for financial services take note of the insecurity and risks to which they may be exposing themselves.

Ohio has just passed new laws to regulate the practices of these organizations and to prevent some of their more abusive tactics. Let’s hope that additional regulatory oversight and attention to information security is also coming for these businesses. Until then, they and the consumers who choose them, remain in the low hanging fruit category for cyber-criminals and identity thieves.

Be Aware: Twitter API Uses Basic Authentication and a Twitter Toy

Posted on by
3

For those of you who have embraced the web movement that has become known as Twitter, be aware that the widely used Twitter API employs only web-based Basic Authentication. The credentials (login and password) are sent to the web API with only a simple HTTP POST and are unencrypted. I could not locate a means of even using HTTPS when sending tweets to the API.

The credentials are sent over the web in the standard form of “login:email”. They are base64 encoded first, so they are not exactly in plain sight, but base64 is far from cryptography and is beyond trivial to identify. Any attacker with a sniffer or sitting at a proxy in the stream can easily capture and decode those credentials.

The moral of the story is, if you use Twitter, make sure you use a password uniquely created for that service, since it will be trivial for an attacker to expose. Be aware that most, if not all, existing clients and twitter extensions use this same mechanism.

While twitter is proving to be a popular and useful mechanism for micro-blogging, it also comes with some inherent risks that include exposure of information that could lead to social engineering attacks and password exposure issues. Use twitter with some caution and all should be well, but without common security sense, twitter (like many other things) may be sharper than expected.

You can find a ton of information about the Twitter API here.

You can follow me on twitter here.

You can download the tool, twittercli, that I was writing when I saw this from the following locations (Not endorsed by MicroSolved, Inc. — Just a personal project!):

TwitterCLI will let you send tweets from a command line, schedule them with at/cron/iCal or call them from scripts, etc. Freeware from L. Brent Huston (NOT MSI!)

Windows

Linux

OS X

Thanks for reading!

Take Time to Check Your Remote Access Tools

Posted on by
Reply

Over the last several months we have worked a ton of incidents where compromise of systems and networks was accomplished via Internet exposed terminal servers, VNC and other remote access applications. Often, these same administration-friendly tools are used in internal compromises as well. While there is certainly a value in terminal server and VNC, they can be configured and your implementations hardened to minimize the chances of attack and compromise.

Careful consideration should be given to having any form of remote desktop access Internet exposed. Attackers are very good at slow and low password grinds, social engineering and other techniques that make these exposures good targets for gateways into an environment. Unless you have a serious plan for managing the risk and you have excellent levels of controls, raw exposures of these tools to the Internet should be avoided. If you need to use them for remote access, consider some form of IP address restriction, authentication at a router for dynamic ACLs or forcing a VPN connection to gain access to them. Neither terminal server or VNC should be considered a replacement for a robust VPN and with tools like OpenVPN offering free or low cost alternatives, it is just silly to not leverage them over simple port exposures.

Even if you do not Internet expose your terminal servers, it is likely a great idea to make sure that they are hardened. Here is a great powerpoint that covers hardening both terminal servers and Citrix deployments. You can also find more guidance in the CIS baseline tools and documents. There are several good documents around the net for hardening TS in line with various baselines.

VNC can also be configured to be more secure than a “base install”. Starting with which VNC implementation you run, UltraVNC and TightVNC have some very powerful security configurations that can help you minimize your risks. Choosing stronger authentication mechanisms and implementing IP address controls, even inside, can really help you keep an attacker from running “hog wild”, even if they do gain some sort of user access or compromise a workstation with a bot-net client. Consider the use of “jump boxes” dedicated to being the terminal server or VNC gateway to all other machines. If you implement these “choke points” then you can uber-harden them and monitor them closely for bad behaviors and be assured that without accessing them, an attacker can’t easily use your remote access servers against you.

Just take a few moments and think it through. Sure these tools make it easy for admins. It makes it convenient for them to do their work and admin remote machines, but it also makes it easy for an attacker. Hardening these tools and your architecture is a great way to achieve that balance between usability and security. You can get work done, but you can do so knowing that you have enough controls in place to make sure that it really is you who is doing the work.

Hackers Hate HoneyPoint

Posted on by
Reply

HackersHateHPlogoed200.jpg

We have been getting so much great feedback and positive response to our HoneyPoint products that Mary Rose, our marketing person, crafted this logo and is putting together a small campaign based on the idea.

We are continuing to work on new capabilities and uses for HoneyPoint. We have several new tricks up our sleeve and several new ways to use our very own “security swiss army knife”. The capabilities, insights and knowledge that the product brings us is quickly and easily being integrated into our core service offerings. Our assessments and penetration testing brings this “bleeding edge” attack knowledge, threat analysis and risk insight to our work. We are routinely integrating the attack patterns and risk data from our deployed HoneyPoints back into the knowledge mix. We are adding new tools, techniques and risk rating adjustments based on the clear vision we are obtaining from HoneyPoint.

This is just one of the many ways that HoneyPoint and the experience, methodology and dedication of MSI separate us from our competitors. Clients continue to love our rapport, reporting formats, flexibility and deep knowledge – but now, thanks to HoneyPoint, they also enjoy our ability to work with them to create rational defenses to bleeding edge threats.

You can bet that you will see more about HoneyPoint in the future. After all, hackers hate HoneyPoint, and in this case, being hated is fine with us!

A Web Application Cheat Sheet & More

Posted on by
Reply

I got a lot of response from folks about my last cheat sheet post. Here is another one that many folks might find useful.

This one, from Microsoft, describes quick references for the Microsoft Web App Security Framework. This is a pretty useful sheet and one that our techs use a lot.

I also find this one for Nessus and Nmap to be pretty useful.

I found this one for you CISSP study folk.

This one for PMP study folk.

And, lastly, for all the new waxers of armchair economics, this one about sub-prime mortgages…

OK,OK, I could not resist this one, THE INTERACTIVE SIX DEGREES OF KEVIN BACON CHEAT SHEET!

Hope you enjoy these, and now back to your regularly scheduled infosec blogs… 🙂

Webcollage Agent Proxy Scans – Likely a Bot

Posted on by
2

Here is a quick example of a scan that we have been seeing a lot of lately, especially in our HoneyPoints deployed around consumer ISP networks. The example is about month old, but proxy scans are a very common occurrence.

HoneyPoint shows the following aler (some data modified for privacy)t:

XXX received an alert from 92.240.68.152 at 2008-11-08 09:57:07 on port 80
Alert Data: GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
Host: www.morgangirl.com

Now, the XXX replaces the HoneyPoint location, so it remains obscured from the public.

This is a web server emulating HoneyPoint and it is listening on port 80.

The Alert Data: field shows the request received, which appears to be a proxy attempt to get a graphic.

The source of the request was 92.240.68.152 which the whois plugin shows to be (trimmed):

% Information related to ‘92.240.68.149 – 92.240.68.159’

inetnum: 92.240.68.149 – 92.240.68.159

netname: ADDIO-LTD-20080414

descr: ADDIO Ltd.

descr: Server farm Daype.com

country: LV

admin-c: AS11278-RIPE

tech-c: AS11278-RIPE

status: ASSIGNED PA

org: ORG-IOMA1-RIPE

mnt-by: lumii-mnt

source: RIPE # Filtered

organisation: ORG-IoMa1-RIPE

org-name: Institute of Mathematics and Computer Science of University of Latvia

org-type: LIR

Interesting in that the agent is likely faked as webcollage, a screen saver type application for displaying random graphics from the web. Another possibility on this event is that a previous scanner took the bait of the 200 return code from the HoneyPoint and added it as an open proxy. If that is true, then we may be on a proxy list and get to see many requests from people attempting to use open proxies. Getting a HoneyPoint added into these lists has given us great insight to web attacks, scams and phishing attacks in the past.

Now you have a variety of actions, you could block the source IP address to kill further scans and probes from that host. You could report the suspicious activities to the ISP in question. If a review of the web site that was the target showed illicit activity, you could also analyze and proceed to take actions to alert its owners as well. Many times these quick investigations have identified compromised hosts on both ends or compromised web hosts that are spreading malware. Plugins are available or can be created to automate many, if not all of these activities.

In this case, since this is simply a quick proxy attempt, and a cursory review of the target web site does not show any overt malicious activity, we will pass on this one and just use it as an example.

HoneyPoint can be used in a variety ways. Internet exposed HoneyPoints can give you deep insights into the types of targeting and exploit activity your networks are experiencing without the need to troll through immense log files or dig through noisy NIDS event patterns. HoneyPoint is great at collecting black list hosts, scanners and bot patterns. The longer clients use HoneyPoint, the more they discover that they can do with it. It becomes like a security swiss army knife to many clients.

Check out more information about HoneyPoint here. Follow me on twitter here to learn more about HoneyPoint, the threats we capture and other security and non-security info.

3 Improvements for Financial Applications

Posted on by
Reply

Our tech lab reviews several financial applications every year from a variety of vendors that are focused on the financial institution market space. The majority of these applications perform poorly to some extent in either security and/or usability. Here are three key tips for vendors to keep in mind when they or their clients ask us to do an assessment of their application.

1. Make sure the application actually works as it would in a production environment. Make sure it is reasonable in terms of performance. The idea of performing our lab assessment is to model risks in a real world simulation. Thus, if the system is not configured and working as it would in a real deployment, then the validity of the test is poor. Many of the applications we test simply do not function as expected. Many times, their performance is so slow and horrible that it impacts the availability metric. Basically, by the time it is submitted for the complete application assessment or risk assessment, it should work and be installed in a QA environment just as it would be in production. If there are any variances, be prepared with a document that explains them and their anticipated effects. Be ready to discuss and defend your assertions with a team of deeply technical engineers.

2. Do the basics. Make sure you meet an established baseline like PCI, ISO or some other basic security measure. That means ensuring that controls are in use to provide for confidentiality, integrity and availability. That means that you are protecting the data properly during transit, storage and processing. That means that you and/or your client have an idea about how to provide preventative, detective and responsive capabilities around your product. Make sure your documentation clearly explains any security assumptions or add-on products required.

3. Be ready to handle issues. If/When we find a security issue, be it overflows, input problems, and/or best practice variances, be ready to mitigate the issue and submit a fix. Many times it takes months for vendors to handle the issues we find and this is certainly NOT good for their relationship with the client. Almost every full assessment our lab conducts involves some kind of deployment timeline and crunch from the customer. Nothing seems to go worse for vendors whose products we test as when an issue is found and they become unresponsive to us and/or their client. Seriously, JUST DON’T DO THIS. Be prepared to apply resources to fix issues when we test the application. Very few applications (less than 2%) pass through the lab process without some sort of issue. This is NOT a basic process, it is a seriously deep, complex and heavily leveraged process for finding holes and measuring impact. Be prepared.

I hope this post helps both clients and vendors be better prepared for their testing. I think it gives the basic ideas for the approaches that we know do not work. We really want your applications to be secure, thus the level of detail we apply. Let us know if you have any questions. We are also about to open the lab registration window for 1Q09, so if you have applications you would like tested, let us know and we will try and get them on the schedule.

Security Cheat Sheets

Posted on by
Reply

One of the best tools that the technicians at MSI rave about is a series of information security “cheat sheets” that they keep around the lab. These small, easy to view posters make quick visual references for common commands, tool parameters, etc. They can be an excellent source for remembering those specific commands or settings that always seem to elude techs or that are just so convoluted that you have to look them up anyway.

The MSI techs suggest checking out this site for a whole library of these tools.

If there are other sites out there that your team uses to obtain these helpful posters, please reply with a comment.

If you have made your own cheat sheets, please send us a link if they are public and we will post the ones we compile at a later date. Thanks for reading!