About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Finding Reputable IT Firms

Posted on November 24, 2008 by Brent Huston

How do organizations, especially SMEs, find reputable, dependable IT support help?

For example, I have a client in Cleveland that really needs a strong network and system management company that they can depend on. The problem is, that they are a small to mid-size financial institution, so trust really matters. Of course, I am aware of all the vendor management mechanisms and such, but we need to know how to find reputable vendors to even approach.

The client is reaching out to their peers for references, but I was hoping that one of our readers might know of a mechanism or an “angie’s list” style site for determining relevant capabilities and such for IT firms. If those pieces are not out there, then maybe this is a business idea for you budding entrepreneurs.

Please, let me know you thoughts and ideas!

RE: SANS Are We Doomed?

Posted on November 19, 2008 by Brent Huston

This kind of stuff is, in my opinion, exactly why management and consumers grow sick of hearing about information security and cyber-risk in general. For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, the cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.

SANS at least asks for good things too that represent hope, but the list is always small. It is always, as they point out, so much easier to create a list of threats and attack points than a list of what we have done, and are doing right. That’s human nature, to point to the short comings.

My point is that just as many real world risk pundits have said, we have to look at things through a higher level lens. We have to create RATIONAL security. Yes, we have to protect against increases in risk, black swans, 0 day exploits, huge bot-nets and all of the other examples of “bleeding edge threats”, but we have to realize that we have only so many resources to bring to bear and that risk will NEVER approach ZERO!

Here is a real world example:

I recently worked an incident where a complete network compromise was likely to have occurred. In that event, the advice of another analyst was to completely shut down and destroy the entire network, rebuild each and every device from the ground up and come back online only when a state of security was created. The problem: the business of the organization would have been decimated by such a task. Removing the IT capability of the organization as a whole was simply not tenable.

Additionally, even if all systems were “turned and burned” and the architecture rebuilt from the ground up, security “Nirvana” would likely not have been reached anyway. Any misstep, misconfigured system or device or mobile system introduced into the network would immediately raise the level of risk again. So would connecting the newly built “secure” network to the Internet. If 1 minute after the network went live a user clicked on the “dancing gnome” from a malicious email, then the network is in a risk state again. Not to mention or even dive into the idea that an internal attacker or rogue admin could exist inside the environment, even as it was being rebuilt.

Thus, the decision was made to focus not on mitigation of the risk, but on MINIMIZING it. Steps were taken to replace the known compromised systems. Scans and password changes became the order of the day and entire segments of the network were removed from operation to minimize the risk during a particularly critical 12 hour cycle where critical data was being processed and services performed. Today, this IT environment remains in a semi-trusted state, but they are quickly implementing a phased approach to restore full trust to the environment and bring it into compliance with security best practices.

Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business process pain? Of course! But the impact on their organization, business bottom line and reputation has been absolutely less than if they had taken the “turn and burn” approach. They still have risk. They still have threats. They still have vulnerabilities, BUT they are moving to deal with them in a RATIONAL fashion.

RATIONAL response to risk is what we need, NOT gloom, doom and FUD. Finding the holes in security will always be easy, but understanding what holes need to be prevented, wrapped in detection and protected by response is the key. Only when we can clearly communicate to management and consumers alike that we have RATIONAL approaches to solving the security problems are they likely to start listening again. After all, who does anything different when the Internet security level moves from “mochachino” to “dirty martini” or vice versa???

HoneyPoint Event Stats

Posted on November 17, 2008 by Brent Huston

I have gotten a few inquiries about the average number of events per day that HoneyPoint Security Server deployments catch on average networks. While this question is pretty hard to answer in a general sense, since most networks differ by size, deployment security, policies and processes, we can talk about averages across multiple client networks and our own HoneyPoint sensor networks.

On average, Internet visible HoneyPoint deployments usually experience around 4 events per HoneyPoint deployed per day. This can vary depending on services emulated, but in general, adding smtp and web (the two largest receivers by far) against those deployed on rarely scanned ports yields this average over time. Those are amazing statistics when you consider that each of those is a genuine probe/scan event or attack! Many clients use Internet facing sensors as a means of populating black hole lists, web application address filters and other prevention focused mechanisms. Less often, clients use this information as means to perform risk assessment and response, meaning that they actively track this data and the sources and take a manual action. Usually clients use Internet exposed HoneyPoints as a source of threat intelligence, trend tracking for frequency and source variations and automated blocking configurations.

Internally, most clients experience 3-4 events per month on average. These events are usually treated very seriously, since any HoneyPoint traffic internally is suspicious at best and malicious at worst. Most security teams leveraging HoneyPoint use these events as triggers for true security incidents. They launch full investigations and either mitigate or minimize the discovered issues. They are able to do this and focus on these critical events due to the low number of them they experience, the lack of false positive events they see and the placement of the HoneyPoints close to the actual assets they are tasked with protecting. Many clients have moved away from using NIDS as any type of action item at all, and refer to their NIDS deployments only as forensic and correlation data for incidents triggered from HoneyPoints and log analysis/log management solutions.

While HoneyPoint Security Server is not a panacea for information security, it is a very strong addition to a security program. Clients are continually discovering new uses, new capabilities and new ways to leverage the system to further reduce their resource requirements. HPSS has proven to be a low noise, high signal, effective, traditional approach to providing threat management, security intelligence and detective capabilities for organizations of any size.

If you are interested in hearing more about the averages and what you can expect from a HoneyPoint deployment, just let us know. Give us a call or drop us a line and we will be happy to share the metrics we have with you!

Port Mining with HoneyPoints

Posted on November 10, 2008 by Brent Huston

Myself and a client have been playing around with a new technique that we are calling port mining. In this approach, we use HoneyPoint Security Server and HoneyPoints deployed in key locations to mess with worms, scans and tools.

The process is very very basic. We basically configure a simple HoneyPoint so that instead of sending the various text files it usually sends down the connection it sends a large binary file like an MP3, ISO or other binary data. Then we deploy the HoneyPoint and have it listen on a port for incoming traffic.

When the HoneyPoint gets a completed TCP connection, it immediately shoves the binary content down the pipe. It then waits for a response and sends either the same file again or another file. Very basic, right? Yes, indeed. However, we have seen three effects from this process:

1. In many cases, the file transfer of the first huge file completes and the connection dies with a timeout. In our lab testing, this was due to the unexpected input size and content of the data sent from the HoneyPoint, which has caused multiple forms of tools and malware to simply crash.

2. In other cases, we have seen the file transfer complete and the tool or malware respond only to get the file again down the pipe. We have watched this process act like a LaBrea scenario where the tool, scan or malware is significantly slowed by the data (of course, we are also using a lot of our own bandwidth) and in some cases we were able to cause the MS08-067 scans we were seeing to wait up to 50 mins for each 8 MB MP3 we sent and do this hundreds of times! Effectively, we slowed down that system from further scans while it kept playing with our HoneyPoint.

3. In very few cases, we see the connection terminate upon partial sending of the binary data. In about half of these cases, the connection terminates properly (so likely we had no effect) but in the other half, we see odd disconnections (unknown, but possible crash of the malware). In the lab, we have seen this happen with a few tools due to unexpected inputs causing exceptions in the code.

Now, it should be said, that we are just “playing” with this approach. We are not sure how or if this will be beneficial to anyone, but it was a fun idea to mess with scanners and such in such an easy way. Give it a try and let us know what you think!

PS – Extra points (and fun) can be had for finding the worst MP3 of the most horrible songs that have the largest effective use as a port mine defensive component. So, bust out your one hit wonders MP3 collection and see how your milage varies. 🙂

MS08-067 – The Worm That Wasn’t – Wait… Might Be?

Posted on November 5, 2008 by Brent Huston

So, the worm based on MS08-067 was rumored last week and now SANS confirms that the worm is spreading from at least one host. SANS is blaming 61.218.147.66. We also have seen scans from 208.23.24.52, 66.100.224.113, 97.89.26.99, 219.158.0.96, 88.178.18.41, 91.142.209.26, 189.20.48.210, 212.122.95.217, 131.118.74.244, 84.3.125.99, 81.57.69.99 and a ton more. Those started to increase dramatically starting this morning around 9:25 am Eastern and have continued throughout the day.

HoneyPoints on consumer bandwidth networks and commercial ISP’s alike are picking up a spike in 445 scans and traffic.

Obviously, given the metasploit framework’s improvement of the exploit in the last week or so and the myriad of proof of concept tools that have been filtering around the underground, the threat of a worm is a reality. Worm code was first announced several days ago, but seemed to fail to propagate likely due to the lack of port 445 being available on most Internet connections. However, it appears that some victims have been found and have been slowly accumulating.

While we are not yet seeing the massive scans and probes associated with the worms of the past, we are beginning to see traffic levels that indicate increasing worm behaviors.

Obviously, if you have not yet ensured that port 445 is blocked at your Internet connection, you should immediately do so. HoneyPoint users can also setup TCP listeners or basic TCP HornetPoints to discover and attempt to “defensive fuzz” the worm code. Mixed results of causing termination have been shown so far, but our lab is working on a HornetPoint configuration to cause exceptions in the worm code in a stable manner.

HoneyPoint TCP listeners can be deployed on Linux boxes and other platforms where port 445 is undialated and used to identify hosts performing 445 scans and probes. This is an excellent approach to finding laptops and portable devices that might be infected on the internal network.

Prep for Election Day

Posted on November 3, 2008 by Brent Huston

With election day on tomorrow’s dawn, now might be a good time to prep yourself for the coming tasks.

1) Make sure you have your ID, driver’s license or other documentation that may be required to vote in your state.

2) Take the time to prepare and familiarize yourself with the issues. There are several sites sorted by states that cover the various issues. Use a search engine to locate your specific issues and races.

3) Be prepared for weather issues, traffic, long lines and other significant problems. Take enough time to allow for the task and any snafus that might arise. Bring a book, a bottle of water and your patience.

4) Forget “testing the security” if that is your deal. It will only cause problems for you, others and the board of elections. Play around in the voting booth and you might end up spending some time as a guest of your state. Forget the e-voting media and press and just make your voice heard with a proper vote. Let the voting officials handle the rest.

Most of all, just vote. It is the single most important duty we have as an American. So, make your choices, select your candidate and do your patriotic duty. Using your voice is the finest way to honor the memory and sacrifice of all those who made it possible!

HoneyPoint Personal Edition Key Change in Upcoming Versions

Posted on October 21, 2008 by Brent Huston

Please be aware that new versions of HPPE in the works will be using a new key mechanism. The current key mechanism appears to have fallen prey to piracy and a key has been identified in several “WAREZ” distribution sites. It appears that the current key that was leaked was made public after the software was awarded as a prize at a local public IT event. We have received several reports of web sites hosting the current version of the software with the leaked key and of several torrents floating about the Internet.

Thanks to those who reported the issue and who alerted us to the presence of the leaked key. We urge any illicit users to register their software and purchase a valid copy from our site here. Your continued support of the product will allow us to continue to improve the product.

While software piracy is regrettable, we of all people, know that essentially any type of software license can be defeated. We have and will continue to make our software licenses as convenient for our customers as possible. In our opinion, ease of use is key!

Please note that HPSS keys are unaffected as the product is licensed using an entirely different mechanism that is host specific. HPPE licenses depend solely on a custom generated numeric key sequence.

Have an Application or a Device on the Market — We Will Test Its Security Posture

Posted on October 20, 2008 by Brent Huston

Just a reminder about our lab services for those organizations that may be interested. Part of what has made MSI famous over the years is the extensive work we have done around application and device security. Our lab has tested everything from traditional software to ultra-modern web applications and all kinds of hardware from appliance firewall and server loads to bio-metric systems, check scanners and, of course, the voting systems!

In the past we have served as security testing labs for operating systems, appliance applications, consumer electronics, various financial products and a ton of consumer-facing software tools. Many vendors have chosen us as partners for application/device-based risk assessments, product testing, vulnerability management and penetration testing. We have even done some heavy testing of data destruction systems in conjunction with another lab who was testing data recovery capabilities.

Our lab has also been used by Information Security and ITWorld magazines for reviews, technology analysis and vendor evaluations. We have extensive experience in reviewing products for client companies, performing/managing vendor product bake-offs and leveraging our publicly acclaimed processes for proactive threat modeling to help companies spend their IT and infosec budget dollars as wisely as possible.

Our team loves to learn about, play with and exploit new technologies and products. They are continually involved in analysis of various products and projects. We are now accepting a few new projects for lab review and testing for the 4th quarter, so if you or your company are interested in establishing security as a differentiator for your product or having your new web-application branded with our labs SecureAssure logo, get in touch with an account executive as soon as possible. We only accept a few new products every quarter due to our schedule and the intensity of our process and those slots usually fill up very very quickly.

E-Voting Follow Up

Posted on October 17, 2008 by Brent Huston

I think the presentation at TechColumbus went well. The crowd seemed into it and their questions, comments and feedback were good. Sorry to the person I had to shutdown during the talk – but we had a time limit and such for the presentation and we had to keep from getting on a tangent.

Overall the e-voting summary was that yes, the systems are broken. Yes, they have vulnerabilities. But, we know what many of them are and we know what many of the exploits look like when performed. The Secretary of State has implemented process controls and new techniques for monitoring and detection of many of the attacks that EVEREST identified. Even though the system might be less than perfect – YOU SHOULD STILL GET OUT AND VOTE.

Thanks to Terry Dick, the Ohio Secretary of State’s Office, TechColumbus, Platform Labs, Mike Krippendorf and David Garcia for the help with the presentation. Special thanks to the rest of the EVEREST team, without everyone’s dedication to the cause, it would not have been as successful as it was. Extra special thanks to those who attended, without you guys, we are just strangers talking to ourselves in a dark room!

Here’s hoping everyone has a nice weekend.

Microsoft Patches Now Have an Exploitability Rating

Posted on October 16, 2008 by Brent Huston

Microsoft patches now include a new exploitability index. This new rating attempts to quantify when/if an exploit is likely to become available for a given vulnerability. The rating also attempts to take into consideration how stable a given exploit is likely to be.

Personally, I think this is a good idea, especially if they keep their methods for rating issues consistent and transparent. Already, a number of vendors have said that they will be adding support for the new index value in their tools and software. As might be expected, reaction has been mixed from the community, though, I have yet to see any response that included how such information could be truly harmful.

You can read Microsoft’s published information here.

I hope more vendors embrace this seemingly small detail. I think it is helpful for more than a few organizations overwhelmed by patch cycles. It may not be the “holy grail of patch risk”, but it is likely better than what we have now.

How does your organization plan to use this new information, if at all? Drop us a comment and let us know!

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston