Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Interview with Syhunt CEO

Posted on by
Reply

This week I got a chance to ask a couple of questions about Syhunt SandCat and the future of web application security. Here is the exchange with some great insights into where the web and attackers are heading!

Quick Interview with Felipe Aragon, CEO of Syhunt.

Q: The 3.8 release represents a significant step forward in application security scanning, especially around Javascript. What are the key features that application testers should know about in the 3.8 product?

R: Browsers and the web evolved significantly over the past years. Sandcat has evolved together with the new advancements and now has a lot in common with modern web browsers. This is essential because if you want to seriously hunt security breaches in web 2.0 applications you have to emulate modern Web technologies. So, naturally Sandcat evolved to understand JavaScript, AJAX and PHP and is now what is known as a hybrid web application security scanner. We also implemented multi-thread sessions, making each host scan a different process (Google Chrome, for example, employ a similar technique, making each tab a different process). Other important features we got working in Sandcat is the ability to simulate user interaction and multi-layer defense evasion. Sometimes, after evading a WAF (web application firewall), the last layer of defense against exploitation is a regular expression filter, which can also be bypassed by using many different techniques, so we got this working in Sandcat. Unfortunately weak filters were popularized and today many websites are vulnerable to this attack.

Q: How are Javascript threats influencing the state of application security today?

R: Thanks to JavaScript, Web applications are becoming increasingly more sophisticated, so next-generation web applications must be handled like desktop applications. Browsers like Opera, Firefox, Safari, Chrome are now adding faster JavaScript VMs each release because this is where the Web is going. Increased usage of JavaScript changes everything. It changes the way web developers build web sites, and the way hackers search for vulnerabilities or take advantage of weak spots in web applications. It makes more difficult for web developers to build secure web applications and, of course, for pen-testers that are unskilled web programmers to fit in in this new world. JavaScript can be used to steal cookies, spread worms, launch XSRF attacks and many other malicious purposes. The attacks are limited only by the attacker’s imagination.

Q: Where do you see application security heading in the next 12 months? What types of attacks should we be paying attention to that are slipping below our radar right now?

R: Right now we are monitoring the emergence of new web platforms (such as the recently announced Google Wave) that will make the 3.0 version of the Web possible. I believe we are heading towards the end of an era for the Web, a Web OS is materializing. These web 3.0 platforms and extensions built for these platforms will be a major target for cybercriminals. We have a set of new vulnerability classes and combined attacks (using both old and new classes) on the horizon. It will take a lot of time for web developers to understand how certain lines of code, client-side or server-side, translate to some serious security issues and how to avoid them. It might actually never happen because the Web and attack methods will continue to evolve faster. Without innovation, there is no future for the web, but I hope organizations will do whatever they can to understand and minimize security risks within their Web systems and not allow the cyberspace to become more insecure than it is today.

Check out SandCat’s new release at http://www.syhunt.com.

PS – In fair disclosure, MSI has a business relationship with Syhunt.

New Web Scanner Patterns

Posted on by
Reply

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is assuming the spread and slow increase as usual with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like. (FREE) I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Lessons from an Almost Lost Laptop

Posted on by
Reply

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

Super Secret Squirrel Pics of the New HoneyPoint Appliance

Posted on by
Reply

Here is a super secret picture of the soon to be released HoneyPoint appliance. The worker bees are hovering all around the hive and making last minute adjustments to the initial release.

I managed to snap this quick pic with my camera before they began to sting me. I hope you enjoy the preview.

The HoneyPoint appliance will likely be available late summer. Stay tuned for more info the details settle.

Tiny isn’t it?!!!

IMG_0376.JPG

A Basket Full of Caveats – The LimeWire Safety Page

Posted on by
Reply

I was taking a look at some P2P stuff for our Reputational Risk work when I bumped into the LimeWire safety page. This is a page that is (I suppose) intended to educate users on the risks associated with P2P file sharing networks and the use of LimeWire specifically. I really thought it was interesting.

The page is: http://www.limewire.com/legal/safety

Some of the items the page covers are: copyright infringement, careful shared content selection (to avoid leaking documents, spreadsheets, etc. and entire drives/folders), adult content, spyware/malware cautions and lots of language about default behaviors. Now to be sure, the authors of LimeWire have implemented new controls in their version 5 software to make it more difficult for users to make mistakes and share the wrong contents. Even given that, I still caution everyone to do their own risk/reward assessment before using such a tool.

The bottom line is this. Check out the page, because as infosec folks, we need to be aware of what topics we need to continue to talk about with others. Educating them in how to configure this type of tool, should they choose to use it, might be a powerful way to help them (and maybe your organization) remain safer online. At the very least, it seems that LimeWire has at least done a good job of trying to caution people about the problems with using their tool. That, at the very least, is quite admirable!

Lessons From a Reputational Risk Audit

Posted on by
Reply

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online crimes.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued and much discussion with attorneys, HR, regulators and eventually the customers were required. In the end, Sheila kept her position and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious as they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Picture with a Bee Contest – Win FREE HoneyPoint!

Posted on by
Reply

That’s right! Send us your picture taken in a “security-related pose” with a stuffed, bee costume or bee-related item and we will pick the winner of a FREE license for HoneyPoint Security Server!

BuzzbyMSI.jpg

Just like in life, style counts, so get your ideas together and send us those pictures! Our judges will pick the winner on April 30th, so get your pics in before then. Imagination, security details and fun will be the key to your success. Three runners up will receive FREE licenses for HoneyPoint Personal Edition!

You can send your pictures via email to: hppics@microsolved.com

Remember, we reserve the right to publish all submissions, so make sure you are OK with that before you submit. 🙂 Contest closes and winners picked at noon on April 30th, 2009. Enter as often as you wish, odds of winning depends on number of people entering. Have fun!

3 Great Resources for Learning About SQL

Posted on by
Reply

My technical team has been training some new engineers and have been focusing on SQL injections for the last couple of days. They wanted me to share some great resources that they have found and have been told about to help with learning the basics of SQL syntax and such. They are currently working on compiling a set of vulnerable platforms and system images to create a deep lab environment with many examples and test scenarios in which to sharpen their skills and test new techniques and defenses.

The first site that they like is SQLZoo.Net which is a gentle online introduction to SQL. It is perfect for those who took a SQL course long ago, or who is in need of the basics. It is a quick refresher and instructor of SQL syntax, processes and command basics. This basic education mechanism lays the ground work for them to understand SQL queries and reverse engineer the instructions that are in place as they perform SQL injections. (Thanks to @tnicholson for the pointer to this site!)

Second, they have found the book Hacking Exposed: Web Applications Second Edition to be very helpful. The explanations about, and the examples of, SQL injections really helped them “get it”. Once they walked through this, side by side, with members of our penetration testing team, they really made huge strides and were able to immediately employ the examples in the lab. Thanks to the authors for their great work on this book. The entire Hacking Exposed series is simply fantastic for training up and coming security engineers!

Lastly, with special thanks to OWASP, the team found the use of the WebGoat tool to be amazing. This is an interactive web mechanism for stepping through a variety of basic attack patterns. While not complete, in and of itself, for real application penetration testing, it is a great educational tool and makes for great training examples. Our team spent a good deal of time learning to communicate and demonstrate the issues in WebGoat to a mock set of upper management folks who were role playing their parts. Our team members must be able to clearly, concisely and expertly communicate technical issues to non-technical folks, so this makes a great platform for training.

Thanks to all who helped by suggesting resources and thanks to the new techs for keeping their concentration so high. Our experienced engineers did a great job of bringing the new team members to the first floor, now they are showing them how to keep growing for the top. Great work!

If you would like to hear more about SQL injection, application security testing or would like to hear more about creating training/labs for SQL, please drop us a line.

Thanks for reading and I hope this gives you a pointer in the right direction to learn more about the basics of SQL injections!

Insider SQL Injection

Posted on by
Reply

While much improvement and awareness of SQL injections as an attack vector has been applied to Internet-facing applications, there remains a large set of vulnerable applications on internal networks. Our technical team often identifies large amounts of serious and easy to exploit SQL injection vulnerabilities on our internal assessments and penetration tests. While many organizations have begun to focus on network and OS threats for their business networks, application layer attacks remain unattended to in many cases.

“Our success level in obtaining customer sensitive data during internal tests remain very high.”, said Adam, penetration testing team leader of MSI. “Even as people have begun to patch their systems, finally, injections prove to be a critical weakness. To make matters worse, these internals web-apps often hold the keys to kingdom, so to speak, so they are a very attractive target for our testing team.”, Adam added.

“If it seems like a client is patched to current levels, then we know to check for injections.” claimed Nathan, penetration tester for MSI. “Throw a simple tick into forms and the vulnerable ones ‘shine like a crazy diamond’. From there, we are a few quick steps from compromise!”, Nathan exclaimed.

Adam and Nathan both agree that organizations really need to pay attention to injections and other web application vulnerabilities on their internal networks. Given the threats of insider attacks, this remains a significant risk. “Even applying the basic techniques that they have achieved success with outside on the Internet would help. They just have to teach developers that internal apps matter as much, if not more, than Internet apps.” added Adam.

At MSI, our teams go well beyond the “scan and report” that so many vendors call a “penetration test”. We perform active exploitation and leverage those vulnerabilities to identify the true depth of the security issues we find, in addition to the width that comes from vulnerability assessment. Our approach, experience and methodology create the clearest and most realistic view of your security issues available. From normal OS exploits to SQL injections and bleeding edge threat vectors, our team brings unique capabilities to the table and our award-winning reporting ensures that the clarity carries through to the board room.

To learn more about internal network assessments, or to receive some free technical training tools about SQL injections, please give us a call or drop us a line/comment. We look forward to helping your team better secure your own internal web apps and other attack targets against compromise.

25% off HoneyPoint Security Server, Plus 0% Financing For April

Posted on by
Reply

This is no joke, or at least if it is, then the joke is on us. 🙂

For the entire month of April, we are offering a 25% discount off the retail prices for HoneyPoint Security Server for new customers. In addition to that, you can extend our 0% financing option to pay in monthly payments over the life of your support agreement up to 3 years! Plus, as promised in earlier posts, anyone who purchases HPSS by the end of April will receive 3 free licenses for HoneyBees once they are released!

The product is now licensed per server, in anticipation of the 3.0 release which is in lab testing as I write this announcement. All licenses include one console license on the platform of your choice (Linux, Windows, OS X). Licenses include one year of our acclaimed support and HoneyPoint upgrades. Maintenance year 2 and beyond is 20% of purchase price.

Here are some pricing examples for you to consider:

The base entry point is a 5 server license pack. The retail price for this pack is $4,995.00. During April, you can purchase the pack for just $3,746.25. Additional years of maintenance (up to 2 for a total of 3 years of support and maintenance) are just $749.25 per year. That means that if you buy a 5 server license with two years of maintenance, you can purchase it in April for $5,244.75. Furthermore, you could apply our 0% financing program and spread that amount over 36 months for a monthly payment of just $145.69!

For less than $150 per month, you can achieve incredible security visibility, additional protections against malware and the insider threat and enjoy the power of HoneyPoint’s “deploy and forget” (sm) approach to reducing the workload of your security team!

Here is another example. Our most popular HPSS package is our 25 server protection pack. The pack retail price is $15,975.00 and includes the same one year of support and upgrades. During the month of April, you can purchase this pack for just $11,981.25, while additional years of support/upgrades will run $2,396.25 per year. Using the same 0% financing approach as above you could purchase protection for 25 servers along with 2 additional years of support/upgrades for a total of $16,773.75 or $465.94 per month for 36 months!

In this common case, less than $500 per month can bring you the flexibility of HoneyPoint plugins, the self-defending mechanisms of HornetPoints and the insight that can only be achieved by knowing attacker frequency, capability and motivation.

And, of course, if you are an enterprise, we have the same deal for you too. You can leverage the power that we bring to integrate into existing security architectures and see the 90% savings we have brought to clients in terms of security resources as well. Give us a call and we would be happy to discuss your specific network size, implementations and HoneyPoint needs.

So, check out HoneyPoint. Give us a call to arrange a demo, or better yet, try out our HoneyPoint Personal Edition to see the technology in action. (Take a look at the included HPPE/HPSS document for ideas on how to test the product with HPSS in mind.) Then, give us a call or drop us a line and get the power of the Hive on your side. With HoneyPoint, attackers get stung instead of you.

Note: Purchase orders must be received by April 30, 2009 to qualify for this special offer.