About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Virtual Appliances & Live CDs Make a Great Testing Lab

Pre-built appliances from the Parallels and VMware appliance stores make it very easy to set up a quick and dirty lab for practicing security assessment skills. Want to try a new tool, or test a new approach to assessing a web application? Download an old, out-of-date, unpatched appliance with an older OS and application and you have a great target.

You can even do this for next to no cost. If you have a pretty beefy workstation or an old box lying around, do a base install of Windows, then install VMware Player and you have what you need. One caveat: deliberately unpatched targets are exactly what worms go looking for, so keep the lab VMs on a host-only or otherwise isolated virtual network rather than bridging them onto your production LAN or the Internet. Our team uses these virtual appliances in on-the-fly games of capture the flag, for skills practice and testing, and for looking at new vulnerability patterns and threat vectors.

You will be amazed at just how easy setting up an effective security testing lab is when you combine virtual appliances with Live CDs. Together, they let you turn that machine graveyard behind your desk into a whole new playland. Live CDs are available for a ton of platforms, operating systems and application stacks. In most cases, you don’t even need a hard disk at all to get them up and running fully. Check them out and see just how far you can extend them into your new lab. Some of my favorites are Damn Small Linux, Puppy Linux, Knoppix, and BackTrack.

Using these two types of cheap approaches, you can build an easy testing lab for less than the cost of a new PC. Give it a shot and let me know how it goes!

Poor Visibility is a Solvable Problem

One of the big things that many organizations lack today is visibility into their information security posture. Sure, they have vulnerability management, some have “false positive generators” (otherwise known as NIDS), and some even have log analysis and event correlation engines. But, with all of that technology, they are still very likely to miss insider attacks and attacks of a subtle, low-and-slow nature.

I am continually amazed when organizations demo HoneyPoint technology and have their first real “AH HA” moment. Usually a bot-infected machine triggers a HoneyPoint during a scan (Conficker, for example) or makes a login attempt against a decoy virtual machine. Occasionally, you see full-on attacks underway that get caught by the demo. For example, one unlucky client caught a scan against a POP3 HoneyPoint that was a brute force attempt with VALID logins and passwords. The HoneyPoint alerted, they opened an incident, and the investigation led to the discovery of a compromised domain. The attackers had cracked the SAM and were using the key admin accounts to see what else they could get into. You can rest assured, that client very quickly went from demo to customer.

Until organizations understand the value of putting out bait to lure suspicious activity, it is hard for them to see that this is not just another source of noise. The key idea is simple: since a decoy resource is not real, any activity against it is, by default, suspicious at best and malicious at worst. Once they get their heads wrapped around that, the leverage HoneyPoint brings becomes obvious. The bad news for attackers is that more and more of them are getting it. More IT managers are flipping on that light switch and stepping out of the “dark ages” of infosec and into the age of the HoneyPoint.

What can I say, once security folks think differently about the problems, the game changes for the better. The time for threat-centric security has arrived. Things will never be the same again…
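To make the “anything that touches a decoy is suspect” idea concrete, here is an added example of a tiny POP3 decoy. It is not HoneyPoint code and does not reproduce HoneyPoint’s behaviour; the banner, port and alert format are assumptions for the example. The decoy holds no mailboxes and never lets anyone log in, so every connection and every USER/PASS pair it sees is an alert, including the kind of brute-force-with-valid-credentials run described above.

```python
"""A minimal POP3 decoy in the spirit of a HoneyPoint. Added example, not
HoneyPoint code: it holds no mailboxes, so every connection and every USER/PASS
pair it receives is, by definition, worth an alert."""
import socketserver
from datetime import datetime, timezone

BANNER = b"+OK POP3 server ready\r\n"   # generic banner; assumed, not what HoneyPoint sends


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class Pop3Session:
    """State machine for one client; feed() returns the bytes to send back."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.closed = False
        # The connection itself is the first alert: nothing legitimate talks to a decoy.
        self.alerts = [{"time": _now(), "src": peer, "event": "connect"}]

    def feed(self, raw: bytes) -> bytes:
        verb, _, arg = raw.strip().partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            self.user = arg.decode("latin-1", "replace")
            return b"+OK\r\n"                        # keep the client talking until PASS
        if verb == b"PASS":
            self.alerts.append({"time": _now(), "src": self.peer, "event": "login",
                                "user": self.user,
                                "password": arg.decode("latin-1", "replace")})
            self.user = None
            return b"-ERR [AUTH] Authentication failed\r\n"   # never succeeds
        if verb == b"CAPA":
            return b"+OK\r\nUSER\r\n.\r\n"
        if verb == b"QUIT":
            self.closed = True
            return b"+OK bye\r\n"
        return b"-ERR unknown command\r\n"


class DecoyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = Pop3Session(self.client_address[0])
        self.wfile.write(BANNER)
        for raw in self.rfile:                       # one line per POP3 command
            self.wfile.write(session.feed(raw))
            if session.closed:
                break
        self.server.alerts.extend(session.alerts)
        for alert in session.alerts:
            print("ALERT", alert)                    # replace with syslog/SIEM forwarding


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr):
        super().__init__(addr, DecoyHandler)
        self.alerts = []


if __name__ == "__main__":
    # High port so no root is needed; redirect 110 to it with the host firewall if desired.
    with DecoyServer(("0.0.0.0", 1110)) as srv:
        srv.serve_forever()
```

Because the decoy answers USER with +OK and only fails at PASS, a credential-stuffing bot hands over every username/password pair it tries, which is what turned the POP3 alert above into a domain-compromise investigation.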

Danger: Conficker Growing at Massive Rate **ALERT**

Just a quick word of caution: the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conficker worm scans. New hosts (not seen in the previous 24 hours) are probing the HITME every 5 minutes or so, and scanning for 445/TCP is growing HUGELY, if not EXPONENTIALLY!

This is important to you, if you are an IT or infosec person, for the following reasons:

  • The rate of spread is quite high. We will likely see Internet-wide traffic impacts over the weekend or by early Monday if it continues at the present growth rate.
  • Even when it plateaus and tapers off, this will mean a HUGE INCREASE in infected botnet machines, likely comparable to Kraken or Storm.
  • On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will bring them back into your office on Monday or whenever they return to work. Look for scanning on a large scale in many organizations.
  • You are likely to get “those calls” from a competitor or other company asking “why is your network scanning mine?” — always fun!

What can you do?

  • HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (with no Samba/CIFS service running) with a HoneyPoint listening on 445/tcp. (Note that you can’t bind to 445 on a Windows system, because Windows is already using it to host the possibly vulnerable service.) Since the decoy offers no real SMB service, any host that probes that open port is either infected or scanning: investigate it.
  • Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
  • Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
  • Prepare yourself and your team for the battle ahead.
  • If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
  • Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)

Please, pay attention to this one. It looks “slammer/code red” nasty…..
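The first and third bullets above boil down to one question for Monday morning: which internal hosts are fanning out to many different peers on 445/tcp? The following added example (not HoneyPoint or HITME code) answers it from netfilter-style firewall log lines. The log lines are constructed for the example; the field names SRC/DST/DPT are what the iptables LOG target actually writes.

```python
"""Fan-out detector for 445/TCP scanning, run over firewall log lines.
Added example, not MicroSolved code: a host that opens connections to many
distinct peers on 445 is scanning, whether the cause is Conficker or something else."""
import re
from collections import defaultdict

# Matches the SRC=/DST=/DPT= fields of an iptables LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def find_scanners(lines, port=445, min_targets=20):
    """Return {src: sorted distinct destinations} for every source that hit
    `port` on at least `min_targets` distinct hosts. A workstation that talks
    to one or two file servers never reaches the threshold; a worm sweeping a
    /24 does within seconds."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == port:
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample log, not captured traffic: one infected workstation sweeping
# 10.1.9.0/24, one workstation talking to the real file server, and one web request.
def _line(src, dst, dpt, sec):
    return (f"Jan 23 09:14:{sec:02d} fw kernel: IN=eth1 OUT=eth2 "
            f"SRC={src} DST={dst} LEN=48 PROTO=TCP SPT=1037 DPT={dpt} SYN")


SAMPLE_LOG = [_line("10.1.4.22", f"10.1.9.{n}", 445, n % 60) for n in range(1, 31)]
SAMPLE_LOG += [_line("10.1.4.50", "10.1.9.7", 445, s) for s in (5, 20, 41)]
SAMPLE_LOG.append(_line("10.1.4.50", "10.1.9.80", 80, 42))

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} hit 445/tcp on {len(dsts)} hosts, e.g. {dsts[:3]}")
```

In production, run it over a sliding window (a few minutes) rather than a whole day’s log, or a slow legitimate inventory job will eventually cross the threshold; the distinct-destination count is the signal, not the raw packet count.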

** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **

3 Links for Securing USB Drives

This project caught my eye. It includes crypto and is easy to use. It is called geek.menu and is based on the PortableApps project. Installed and configured right, it creates an encrypted file system to protect your data if you lose the drive. It also lets you easily configure some pretty powerful options around the apps you install. Check it out if you are a big thumb drive user.

This article is a great overview of the risks from thumb drives. Reading it should be a basic requirement for any user in the organization who gets provisioned one.

Lastly, for those of you who want to make the most of security through obscurity to protect your precious USB thumb drive from discovery, check out this article about hiding your drive in the wall.

If you are both a thumb drive (USB drive) user and a Windows user, you should probably read about the Conficker malware. It is currently spreading wildly and can carry itself from machine to machine on USB drives; disabling AutoRun/AutoPlay for removable media is worth doing for that reason alone. (Oooops, that was 4….)

Major Breach at Heartland Payment Systems

You’ve heard this story before. A major payment processor has experienced a massive breach. Tons and tons of data were stolen during the incident. They think they have it under control and are working with law enforcement. You should check your statements. Blah, blah, blah…

Once again, though, in this case the company had been certified as PCI compliant by its PCI assessors. If they were fully compliant and filled to the brim with “fluffy, compliant goodness”, then the attackers must have used some uber-hacking technique, right? Some bleeding edge tool or 0-day exploit that cut right through their defenses and rendered their compliant protections useless? Ummm…. NO…. The mighty technique that caused the damage? A sniffer!!!! (Some of the best technology that the late 80’s/early 90’s had to offer…)

How did I reach this conclusion? From their own press release:

“Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.” — sounds like a sniffer to me….(and a lot of other infosec folks…)

That’s right, the mighty sniffer strikes again. In the last couple of years this same attack footprint has occurred over and over, and it has been largely successful. Why? Because companies don’t encrypt credit card data in transit across their own networks. Sure, many of them encrypt the database (not all, but many), and some use various forms of endpoint protection, but far too many don’t encrypt card data while it moves between systems on the internal network, which is exactly where a sniffer on a compromised host sits.

Even worse, the PCI DSS DOES NOT REQUIRE THIS for internal networks. That is how a company can be compliant with PCI and still have this issue. What a cruel joke for consumers.

The DSS (Requirement 4) requires that organizations encrypt cardholder data when it flows across “open, public” networks. Well, guess what: when your network gets compromised, even your “internal, private LAN” becomes “public”, at least for the attackers. Misconfigure a firewall rule, get a workstation popped, or let a social engineer into the environment, and that “private network” is not so private anymore, is it?

But, that never happens, right? Except when it does.
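To show how little a sniffer actually needs, here is an added example (not code from this post, and not what was used at Heartland) that pulls card numbers out of raw packet payloads: a regex for 13-19 digit runs plus a Luhn check. The same few lines double as a check you can run against your own captures to prove whether PANs are crossing the LAN in the clear. The payloads are constructed, using the standard test card numbers.

```python
"""Find primary account numbers in raw packet payloads.
Added example, not from the original post: the handful of lines a sniffer needs to
harvest PANs from cleartext traffic can be pointed at your own captures to prove
whether card data is crossing the LAN unencrypted."""
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most random digit runs (timestamps, order ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    """Return distinct Luhn-valid candidate PANs found in one payload."""
    text = payload.decode("latin-1")        # byte-for-byte, never fails on binary data
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def scan_payloads(payloads) -> list:
    """Return [(index, pans)] for every payload that leaks at least one PAN."""
    return [(i, pans) for i, p in enumerate(payloads) if (pans := find_pans(p))]


# Constructed payloads, not captured traffic. The card numbers are the standard test numbers.
POS_POST = (b"POST /pay HTTP/1.1\r\nHost: gateway.example.internal\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"pan=4111 1111 1111 1111&exp=0311&amount=19.99&order=1234567890123456")
TRACK1 = b"%B5555555555554444^DOE/JOHN^0311101?"          # magstripe track 1 as a POS sends it
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2f, 0x01]) + bytes(range(0, 48))   # opaque bytes

if __name__ == "__main__":
    # With a pcap, feed each packet's TCP payload to find_pans(); anything it returns
    # is cardholder data an attacker with a sniffer on that segment would also get.
    for idx, pans in scan_payloads([TLS_HELLO, POS_POST, TRACK1]):
        print(f"payload {idx} leaks {pans}")
```

The order number in the POS payload is a 16-digit run that fails Luhn and is correctly ignored, while the TLS record yields nothing: the point of Requirement 4-style encryption on the internal segments is precisely that a sniffer sees only the third kind of payload.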

In my opinion, it is high time that organizations realize that compliance is not security. Compliance is a false goal set in sand. The real goal is risk management and data protection. In order to accomplish these goals, you have to make rational decisions and account for real threats, not just checklists compiled by some nebulous group of people in a “one size fits all fashion”. That is a fool’s errand.

As I have been saying for a while now, we have to start thinking differently about security. We have to forget the baselines and look at our risk from the point of view of a threat agent (a hacker, cyber-criminal, attacker, whatever!). We have to make rational choices that really do protect what needs protecting. We have to hope for the best and architect for abject failure. Anything less than that, and this is a story we will just keep on telling….

Interested in learning more about “sniffing”? Click here for a great FAQ.

I also did an interview with Secure Computing Magazine about this. You can read that here.

Application Fuzzing Can Be Fun

One of the things my mother always said I was good at was breaking things. Apparently, even as a young Evangelist, I chose to be an agent of entropy. I have always been a huge fan of how things are continually breaking down and, according to my mother at least, I did a lot to help them along the way. My mother loves to tell stories about me taking things apart (clocks, radios, TV sets, lamps, my sister….) but I will spare you those, unless you choose to have coffee with my mother some day… 🙂

Today though, breaking software applications and studying how they fail has become a huge part of my work. I study how they fail, what causes the underlying issues, how those bad decisions could be exploited and what makes applications, devices and other things, tick. I am truly a student and professor of entropy.

You too can participate in these exercises. Tons of tools are available to fuzz a variety of things, or you can write your own fuzzer (doing so was very worthwhile for me and led me to create “Defensive Fuzzing”, which is the core of the HornetPoint defensive tools (patent pending)).
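If you want to see what “write your own fuzzer” looks like at its smallest, here is an added example: a mutation fuzzer and a deliberately fragile target to point it at. It is not the author’s fuzzer and has nothing to do with HornetPoint’s Defensive Fuzzing; the target, its bug and the mutation strategies are constructed for the example. The interesting part is the distinction between a clean reject (the parser says “malformed”) and an unhandled failure (the parser falls over), which is what a fuzzer is really hunting.

```python
"""A small mutation fuzzer and a deliberately fragile target to point it at.
Added example, not the author's fuzzer or HornetPoint's Defensive Fuzzing.
The target and its bug are constructed for the example."""
import random
import re

BUF_SIZE = 16


def parse_record(data: bytes) -> bytes:
    """Toy target: 'key:len:value'. It copies `len` bytes of value into a fixed
    16-byte buffer, trusting the declared length instead of the data (the classic
    bug). A malformed record is rejected cleanly with ValueError; a bad length
    escapes as IndexError, which is the 'crash' the fuzzer should find."""
    parts = data.split(b":", 2)
    if len(parts) != 3:
        raise ValueError("malformed record")
    key, length, value = parts
    n = int(length)                  # non-numeric length -> ValueError (clean reject)
    buf = bytearray(BUF_SIZE)
    for i in range(n):               # trusts n; no check against len(value) or BUF_SIZE
        buf[i] = value[i]
    return bytes(buf[:n])


INTERESTING = [b"0", b"-1", b"255", b"65535", b"99999999999"]   # boundary values


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, insert, delete,
    or swap a run of digits for a boundary value."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif op == 3 and len(buf) > 1:
        i = rng.randrange(len(buf))
        del buf[i:i + rng.randrange(1, 4)]
    else:
        runs = list(re.finditer(rb"\d+", bytes(buf)))
        if runs:
            hit = rng.choice(runs)
            buf[hit.start():hit.end()] = rng.choice(INTERESTING)
    return bytes(buf)


def fuzz(target, seeds, iterations=500, seed=1, benign=(ValueError,)):
    """Run mutated seeds through `target`; return {exception name: first input
    that triggered it}. Exceptions listed in `benign` are the target's own clean
    rejections and are not counted as findings."""
    rng = random.Random(seed)            # fixed seed keeps a run reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except benign:
            continue
        except Exception as exc:         # anything else is an unhandled failure
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, case in fuzz(parse_record, [b"name:4:Bob!", b"id:2:42"]).items():
        print(f"{name}: {case!r}")
```

Against real software the target call becomes a subprocess or a network send and the “crash” becomes a signal, a hang or a server that stops answering, but the loop is the same; most of the value of writing one yourself is learning which inputs a program cleanly refuses and which it never expected at all.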

Here is a quick list of some books, papers and tools that you might want to explore if you are interested in playing with and learning from these techniques:

Fuzz testing – Wikipedia, the free encyclopedia

Ethical Hacking and Penetration Testing: Fuzzers – The ultimate list

Fuzzing – OWASP

Amazon.com: Fuzzing: Brute Force Vulnerability Discovery: Michael …

22C3: Fuzzing

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications | Darknet …

These links should give you plenty of materials and links to tools. I would highly encourage any security folks to set up a small lab, try the tools and just learn a bit about breaking applications. You will be surprised at how easy it is and how much insight it will give you into information security. Give it a shot and let me know how it goes!

Toata Moves On To Additional Targets

The Toata bot army has moved on to scanning for additional web applications to target/catalog. Medium levels of scanning began last night and continue today. The new request paths are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your web servers for these paths. If they exist, check with the responsible projects for updates, consider additional monitoring and/or removing the applications from service, and investigate any hits, since the exploitation timeline and goals are unknown. The paths point at Mantis Bug Tracker and TWiki as the likely targets. Exploit vectors have not been researched at this time, though Mantis has previously had known XSS in its login page.

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.

More Toata Scans for a New RoundCube File

Last night, HITME began to pick up various sources scanning for a new file in the RoundCube Webmail product. The file “list.js” is being requested by the Toata bot, and low levels of port 80 scans matching these probes are ongoing. SANS and the project owners have been informed.

No exploitation has been observed by us thus far in relationship to these scans, but cataloging is ongoing. Intent of the attacker is currently unknown, as is the vulnerability, if any, present in the file.

Following are the signatures captured from one host:

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80
Alert Data: GET /rc/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80
Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80
Alert Data: GET /roundcube/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80
Alert Data: GET /webmail/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80
Alert Data: GET /email/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

Once again, users of RoundCube Webmail are urged to ensure they are doing additional levels of monitoring, staying current on all patches/updates and taking other precautions. Consider removing RoundCube from Internet exposure until these and other ongoing issues are mitigated.
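Both this post and the Mantis/TWiki one above ask the same thing of readers: check whether these probes have hit your servers. Here is an added example (not HITME or MicroSolved code) that does that over Apache combined-format access logs, flagging a request on the Toata User-Agent string or on any of the request paths from the two posts. The path check matters because a 200 on one of those paths means the target application really is installed, which is the case that deserves a look. The sample log lines are constructed, not captured.

```python
"""Flag Toata probes in Apache combined-format access logs. Added example, not
MicroSolved/HITME code. The paths come from the two posts above; the sample
lines are constructed, not captured."""
import re
from collections import defaultdict

TOATA_UA = "Toata dragostea mea pentru diavola"
TOATA_PATHS = {
    "/mantisbt/login_page.php", "/tracker/login_page.php", "/bugtracker/login_page.php",
    "/bugtrack/login_page.php", "/support/login_page.php", "/bug/login_page.php",
    "/bugs/login_page.php", "/login_page.php",
    "/statistics", "/bin/statistics", "/twiki/bin/statistics", "/wiki/bin/statistics",
    "/wikis/bin/statistics", "/cgi-bin/twiki/bin/statistics",
    "/cgi-bin/wiki/bin/statistics", "/cgi-bin/wikis/bin/statistics",
    "/rc/program/js/list.js", "/roundcubemail/program/js/list.js",
    "/roundcube/program/js/list.js", "/webmail/program/js/list.js",
    "/email/program/js/list.js",
}

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def find_toata_hits(lines):
    """Yield one dict per suspicious request: Toata's UA, or one of its known
    paths (the path check still fires if the bot changes its User-Agent)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        reasons = []
        if m.group("ua") == TOATA_UA:
            reasons.append("ua")
        if path in TOATA_PATHS:
            reasons.append("path")
        if reasons:
            status = int(m.group("status"))
            yield {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                   "status": status, "reasons": reasons,
                   "app_present": status < 400}   # a 2xx/3xx means the target really is there


def summarize(hits):
    """{ip: {"probes": count, "present": [paths that answered below 400]}}"""
    out = defaultdict(lambda: {"probes": 0, "present": []})
    for h in hits:
        out[h["ip"]]["probes"] += 1
        if h["app_present"]:
            out[h["ip"]]["present"].append(h["path"])
    return dict(out)


# Constructed sample lines: two Toata probes (one finds a RoundCube install),
# one probe with a changed User-Agent, and one ordinary request.
SAMPLE_LOG = [
    '198.51.100.9 - - [15/Jan/2009:19:55:35 +0000] "GET /email/program/js/list.js HTTP/1.1" '
    '404 209 "-" "Toata dragostea mea pentru diavola"',
    '198.51.100.9 - - [15/Jan/2009:19:55:38 +0000] "GET /roundcube/program/js/list.js HTTP/1.1" '
    '200 8113 "-" "Toata dragostea mea pentru diavola"',
    '198.51.100.23 - - [16/Jan/2009:02:10:07 +0000] "GET /mantisbt/login_page.php HTTP/1.1" '
    '200 4312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.7 - - [16/Jan/2009:02:11:40 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in summarize(find_toata_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {info['probes']} probes, applications found: {info['present']}")
```

Run it as `python3 toata_hits.py < /var/log/apache2/access.log` after swapping SAMPLE_LOG for `sys.stdin`; a source that shows up with a non-empty “present” list has found something on your server and is the one to investigate first.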

Win7, Linux and the Future of the Desktop OS

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate, because they are not already saturated) cannot afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India and the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that cannot be derailed.

Second, I believe in open source. While the majority of users couldn’t care less about source and will never tweak their code, there is a core group of code geeks who will tweak stuff and play with things. These geeks will create improvement in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it: go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement aren’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from and advance beyond it, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.

Third, the idea that users choose a desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding (“what I use at work and already know”) are the top considerations, followed by stability and price. But even in those decisions, Linux has made a huge improvement, and at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar with it and begin to use it at home. Add to that equation the coming army of global young people who have been using Linux as their base of education and you see a rising tide. I think of Windows 7 not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows, Linux and OS X, with easier sharing, integration and cross-platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelical groups of BSD/Other/Netware+/Blah blah blah that ebb and flow. To demonstrate my point: I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I), and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long, long time.

Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the marketplace. They are kind of on a “computing land bridge” between the handheld devices that will evolve from smartphones and the real functionality and usability of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack the core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long-term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long-term bet to me. (Note, I just bought a Linux-based Eee PC to try, but have not used it yet.)

So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so only speculation and review-based opinions here.) They made significant improvements in Vista and additional improvements are likely here too. Linux continues to have security issues as well, though they too seem to be improving (without any real metrics research on my part). All operating systems, though, face high levels of additional risk from all of the add-on apps and software users run on desktops. Part of what I think will be important in the future of desktop security is how well the OS minimizes the damage that a user-level compromise can do. How does it prevent escalation? How compartmentalized does it keep data? What detective and responsive controls does it build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. Which OS platforms would seem more capable of rapid evolution here? It seems to me that the myriad mindsets of a crowd-sourced model are much more likely to create improvements here in the short term, but you decide for yourself. Bottom line, the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.

So, there you go, my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.

SANS Posts Info on Previous RoundCube Vulnerability

Looks like our work got more folks looking at RoundCube. The SANS Internet Storm Center has a posting that shows the exploit being used by attackers against the Help Net Security-announced vulnerability in “html2text”.

The RoundCube folks have already released patches and cleaned up the code to remove this and other known issues, including the msgimport.sh script from previous versions.

If you are a RoundCube user, please upgrade. Scans have slowed for this issue, but are still present and active at low levels.

Thanks to everyone who helped on this and to the RoundCube Webmail project team for their friendly, open approach to solving the problems and their rapid attention. It is refreshing to work with developers who are focused on solutions instead of wanting to fight about the source of the problems. Hats off to them!