About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

The New Version of HPPE OR Whoop, Here It Is!

Posted on February 3, 2009 by Brent Huston

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users, comes with all kinds of new power and flexibility, plus a greatly simplified and user friendly interface. Plus, it now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.

Prepping for Release of HoneyPoint Personal Edition 2.00

Posted on January 30, 2009 by Brent Huston

Great news!

We are currently prepping for the public release of HoneyPoint Personal Edition 2.00 on Monday. The product has been through two closed Beta’s and a great period of pre-release testing. Thanks to all who helped with the testing and for all who contributed to our cause with product feedback. A special thanks to “DA” from a local organization who really held my feet to the fire on changes and interface updates. Hopefully, everyone will be pleased with the interface and features! (BTW – D – we kept the “lights”…<grin>)

Here is a screen shot of the new main interface on the Mac.

Snapz Pro X001.png

New features include:

HornetPoint defensive fuzzing (patent pending)

Plugins capability from HPSS

Public support for Linux and OS X in addition to Windows

and a few other goodies….

Also, this represents the beginning of the new line for HPPE. Development will remain ongoing on it and we have few more tricks up our sleeves. We are also working on HPSS 3.00 and will begin alpha testing of that new architecture very soon.

Stay tuned for the launch and for more details as they become public!

Waiting for the Other Conflicker Shoe to Drop

Posted on January 29, 2009 by Brent Huston

OK, so by now you have probably read a 100 articles on Conflicker and the spread of the worm. I warned of impending trouble from the worm, which, thankfully did not emerge over the weekend. I really thought the traffic levels would be of importance, but indeed, there was little impact on global traffic levels. This is one of those cases where I am really glad I was wrong!

Now that the majority of the scanning and traffic spikes are over, we are waiting for the other shoe to drop on this attack. The initial worm spread and compromise was likely only the first phase of the attacker’s plans. They now have an immense network of bot-infected hosts at their command. What they will do with them and how they will focus these systems on compromise remains to be seen. Given the sophistication of Conflicker and the “intelligence” of its design and scanning code, the forthcoming use could be a pretty creative and powerful threat vector. We may well see some new form of attack or probe that we have not encountered before.

It is, of course, critical that organizations and individuals move to identify and mitigate any infected hosts. The less bot-infected hosts for the attackers to command, the better. The problem is that many of the compromised systems are in locales with limited IT knowledge resource levels. In many of the countries where infected systems are concentrated, IT admins and tech savvy users are difficult to locate and even harder to afford. This means that while some of the systems may get cleaned up, there is still likely to be a significant army of infected zombies for the bot-herder(s) to wield.

In general, in this case, other than mitigating compromised hosts, there is little you can do beyond standard security practices. You can deploy detective capabilities around logging and vision-enhancement tools like HoneyPoint, but other than the usual, there is little focused risk minimization you can do for this one.

My best advice is to remain vigilant, keep up to date and keep working to better the security across your organization. Eventually, the other shoe will drop, and when it does, we will have to do our best to turn aside whatever happens.

Virtual Appliances & Live CDs Make a Great Testing Lab

Posted on January 28, 2009 by Brent Huston

Appliances from the Parallels and VMWare appliance store make it very easy to set up a quick and dirty lab to practice security assessment skills. Want to try a new tool, or test a new approach for assessing a web application? Download an old, out of date, unpatched appliance with an older OS and app and you have a great target.

You can even do this for next to no cost. If you have a pretty beefy workstation or an old box laying around, do a base install of Windows, then install VMWare Player and you have what you need. Our team uses these virtual appliances in on-the-fly games of capture the flag, for skills practice and testing and for looking at new vulnerability patterns and threat vectors.

You will be amazed at just how easy setting up an effective security testing lab is when you combine virtual appliances with Live CDs. Together, they let you turn that machine graveyard behind your desk into a whole new playland. Live CDs are available for a ton of platforms, OS and application deployments. In most cases, you don’t even need a hard disk at all to get them up and running fully. Check them out and see just how far you can extend them into your new lab. Some of my favorites are Damn Small Linux, Puppy Linux, Knoppix, and BackTrack.

Using these two types of cheap approaches, you can build an easy testing lab for less than the cost of a new PC. Give it a shot and let me know how it goes!

Poor Visibility is a Solvable Problem

Posted on January 27, 2009 by Brent Huston

One of the big thing that many organizations lack today is visibility into their information security posture. Sure, they have vulnerability management and some have “false positive generators” (otherwise known as NIDS), some even have log analysis and event engines. But, with all of that technology, they still are very likely to miss insider attacks and attacks of a subtle nature.

I am continually amazed when organizations demo HoneyPoint technology and they have their first real “AH HA” moment. Usually a bot-infected machine triggers a HoneyPoint during a scan (like with Conflicker) or makes a login attempt against a decoy virtual machine. Occasionally, you see full on attacks underway that get caught by the demo. For example, one unlucky client caught a scan against a POP3 HoneyPoint that was a brute force attempt with VALID logins and passwords. The HoneyPoint alerted and they began an incident that lead to the discovery of a compromised domain. The attackers had cracked the SAM and were using the key admin accounts to see what else they could get into. You can rest assured, that client very quickly went from demo to customer.

Until organizations understand the value of putting forth bait to lure suspicious activity, it is hard for them to grasp that this is not just another source for noise. Once they get their head wrapped around the idea that since a resource is not real, any activity with it is, by default, suspicious at best and malicious at worst, they struggle to understand the leverage that HoneyPoint brings. But, the bad news for attackers is that more and more are getting it. More IT managers are flipping on that light switch and stepping out of the “dark ages” of infosec and into the age of the HoneyPoint.

What can I say, once security folks think differently about the problems, the game changes for the better. The time for threat-centric security has arrived. Things will never be the same again…

Danger: Conflicker Growing at Massive Rate ALERT

Posted on January 24, 2009 by Brent Huston

Just a quick word of caution, the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conflicker worm scans. New hosts (not seen in the last 24 hours) are probing the HITME every 5 mins or so! Scanning for port 445/TCP is growing HUGELY, if not EXPONENTIALLY!

This is important to you for the following reasons if you are an IT person or Infosec person:

The rate of spread is quite high. Likely, we will see Internet wide traffic impacts over the weekend or by early Monday if it continues at present growth rate.
Even when it plateaus and tapers, this will mean a HUGE INCREASE in infected bot-net machines, the likes of which will likely compare to Kraken or Storm
On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will be returning it to your office on Monday or when they come back to work. Look for scanning on a large scale in many organizations.
You are likely to get “those calls” from a competitor or other company about “why is your network scanning mine” — always fun!

What can you do?

HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (no SAMBA/CIFS) with a HoneyPoint listening on 445/tcp. (Note that you can’t bind to 445 on Windows systems as Windows is using it to host the possibly vulnerable service) Investigate any host that probes that open port.
Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
Prepare yourself and your team for the battle ahead.
If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)

Please, pay attention to this one. It looks “slammer/code red” nasty…..

** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **

3 Links for Securing USB Drives

Posted on January 23, 2009 by Brent Huston

This project caught my eye. It is includes crypto and ease of use. It is called geek.menu and is based from the portableapps project. Installed and configured right, it makes an encrypted file system to protect your data if you lose the drive. It also allows you to easily configure some pretty powerful options around the apps you install. Check it out if you are a big thumb drive user.

This article is a great overview of risks from thumb drives. It should be a basic requirement for any user in the organization that gets provisioned one.

Lastly, for those of you want to make the most of security through obscurity to protect your precious USB thumb drive from discovery, check this article out about hiding your drive in the wall.

If you are both a thumb drive (USB drive) and a Windows user, you should probably read about the Conflicker malware. It is currently spreading wildly and can transit itself on USB drives. (Oooops, that was 4….)

Major Breach at Heartland Payment Systems

Posted on January 21, 2009 by Brent Huston

You’ve heard this story before. A major credit card company has experienced a massive breach. Tons and tons of data was stolen during the incident. They think they have it under control and are working with law enforcement. You should check your statements. Blah, blah, blah…

Once again, though, in this case, the company was certified as PCI compliant by their PCI auditors. If they were all compliant and filled to the brim with “fluffy, compliant goodness” then the attackers must have used some uber-hacking technique, right? Some bleeding edge tool or 0-day exploit that cut right through their defenses and rendered their compliant protections useless? Ummm…. NO…. The mighty technique that caused the damage? A sniffer!!!! (Some of the best technology that the late 80’s/early 90’s had to offer…)

How did I reach this conclusion? From their own press release:

“Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.” — sounds like a sniffer to me….(and a lot of other infosec folks…)

That’s right, the mighty sniffer strikes again. In the last couple of years, this same attack footprint has occurred over and over again. It has been largely successful. Why? Because companies don’t encrypt credit card data in transit across networks. Sure, many of them encrypt the database (not all, but many.) and some use various forms of endpoint protection, but many (way too many apparently) don’t encrypt the credit card data in transit across their networks.

Even worse, the PCI DSS DOES NOT REQUIRE THIS. That is how they can be compliant with PCI and still have this issue. What a cruel joke for consumers.

The DSS requires that organizations encrypt credit card data when it flows across “open, public” networks. Well, guess what, when your network gets compromised, even your “internal, private LAN”, it becomes “public” at least for the attackers. Misconfigure a firewall rule, get a workstation popped, allow a social engineer into the environment and that “private network” is not so private anymore, is it?

But, that never happens, right? Except when it does.

In my opinion, it is high time that organizations realize that compliance is not security. Compliance is a false goal set in sand. The real goal is risk management and data protection. In order to accomplish these goals, you have to make rational decisions and account for real threats, not just checklists compiled by some nebulous group of people in a “one size fits all fashion”. That is a fool’s errand.

As I have been saying for a while now, we have to start thinking differently about security. We have to forget the baselines and look at our risk from the view of a threat agent (a hacker, cyber-criminal, attacker, whatever!). We have to make rational choices that really do protect that which needs to be protected. We have to hope for the best and architect for abject failure. Anything less than that, and this is a story you we will just get to keep on telling….

Interested in learning more about “sniffing”? Click here for a great FAQ.

I also did an interview with Secure Computing Magazine about this. You can read that here.

Application Fuzzing Can Be Fun

Posted on January 20, 2009 by Brent Huston

One of the things my mother always said I was good at was breaking things. Apparently, as a young Evangelist, I chose to be an agent of entropy. I guess I always have been a huge fan of how things are continually breaking down and according to my mother at least, I did a lot to help them along the way. My mother just loves to tell stories about me taking things apart (clocks, radios, tv sets, lamps, my sister….) but I will save you from those, unless you choose to have coffee with my mother some day… 🙂

Today though, breaking software applications and studying how they fail has become a huge part of my work. I study how they fail, what causes the underlying issues, how those bad decisions could be exploited and what makes applications, devices and other things, tick. I am truly a student and professor of entropy.

You too can participate in these exercises. Tons of new tools are available to fuzz a variety of things, or you could choose to write your own fuzzers (this was a very worthwhile thing for me and led me to create “Defensive Fuzzing” which is the core of the HornetPoint defensive tools). (Patent Pending)

Here is a quick list of some books, papers and tools that you might want to explore if you are interested in playing with and learning from these techniques:

Fuzz testing – Wikipedia, the free encyclopedia

Ethical Hacking and Penetration Testing: Fuzzers – The ultimate list

Fuzzing – OWASP

Amazon.com: Fuzzing: Brute Force Vulnerability Discovery: Michael …

22C3: Fuzzing

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications | Darknet …

These links should give you plenty of materials and links to tools. I would highly encourage any security folks to set up a small lab, try the tools and just learn a bit about breaking applications. You will be surprised at how easy it is and how much insight it will give you into information security. Give it a shot and let me know how it goes!

Toata Moves On To Additional Targets

Posted on January 19, 2009 by Brent Huston

The Toata bot army has moved on to scanning for additional web-applications to target/catalog. Medium levels of scanning began last night and continue today. The new targets are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your systems to see if you have these files, if so, check with the responsible projects for updates. Consider additional monitoring and/or removal from service. Investigations should be performed, exploitation timelines and goals are unknown. It appears that Mantis Bugtracker and Twiki are the likely targets. Exploit vectors have not been researched at this time, though Mantis has had known XSS in the login page previously.

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston