Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

“Scattersensing” on the Cheap for Insider Threats

Posted on by
Reply

I have been working with several clients to create a new process for combating insider threats. This new approach we have been calling “scattersensing”. Using this technique (or a variation of it), you can cheaply, effectively and efficiently identify overt insider threats that may be occurring around your organization’s network.

Scattersensing, when done with this method, costs less than $130 per scattersensor! Here’s what you need to do one scattersensing point of security visibility:

One older laptop or desktop system with a CDRom and a network card:

I use an old Gateway Solo like the ones found on this EBay page. None of the laptops on this page cost $100 and many are under $50. My scattersensor laptop that I use in the lab is a Pentium II 300 MHz with a small amount of RAM. The CD drive is built into the machine. The battery is long dead, but the rest of the hardware works. I bought the 100 Mbit PCMCIA card at a garage sale for $5, but they are also available on the cheap from EBay and a lot of other places. We don’t even really care about the hard disk, since we can run the entire system from a LiveCD if we need to, or if you have a working hard drive, you can do a hard disk install and make it even easier to use as you move it from place to place. You could also do this with just about any standard desktop, workstation or old PC you have laying around anywhere or can obtain at a garage sale or thrift store.

Now that you have the hardware, you need the operating system. For our approach, we suggest Puppy Linux. It has been tested to work as desired and can be easily hardened with a password change. You can read more about it and download the ISO image from here. Download it and burn it to a CD. You can then do the optional hard disk install if you like, simply follow the directions from the Puppy Linux site and/or from the included installer. (You may need to wipe the disk first if an NTFS partition is present). Cost of the operating system: FREE

Next, we need a copy of HoneyPoint Personal Edition from MicroSolved. You can get the zip file from here for Linux. To have the application run longer than 15 minutes at a time, you need to purchase a license for $29.95 from the online store here. Digital River will send you a license key via email. Use that license key when you first start HPPE and it will unlock the application for that system. You can use the license key over and over again on the same system if you are using a LiveCD (so keep it handy) or it will be maintained by HPPE if you did a hard disk install. Now, install, start, configure and license HPPE on your scattersensor.

Here is a picture of a scattersensor I use routinely in the lab and in the field for training/exercises. It is the Gateway Solo I referred to above.

IMG_0253.JPG

OK, so now that you have a scattersensor built, what next? Next you deploy it. You place it in your network environment, using it to detect overt insider threats like scanning, malware probes, bot-net activity and anyone looking around the environment. Since the services that are being offered by the HPPE deployment aren’t real, there is absolutely NO REASON you should see any activity at all. Any activity you do see, should be treated as suspicious at best and malicious at worst. Investigate any activity you see, period. Many organizations find things like misconfigured software, holes in ACL’s or the like and of course, the variety of attacks previously described.

Using scattersensor(s), you can easily move them from network segment to network segment on a semi-random schedule. Move them to the DMZ for a week or so, then on to the server network segment, then to a partner network, then to workstation segments. Build more than one and cover a lot of areas easily. For small to mid-size organizations, a couple of scattersensors with HPPE may be more than enough to give you good security visibility and coverage. Many organizations have used the scattersensing approach for a while and then moved up to use the full blown HoneyPoint Security Server enterprise product.

There you go, a first light touch on the subject from Operation Anaconda. A way to easily (and incredibly cheaply!) get security visibility in a powerful and evolutionary way. Give it a try and let us know how you fair. You can report your updates and progress in the comments or via the #anaconda hash tag on Twitter. Good luck out there!

Operation Anaconda: Putting the Squeeze on the Insider Threat

Posted on by
Reply

Organizations today are facing increased pressure to combat the “insider threat”. More and more compromises are occurring from “inside the secure perimeter”. The financial crisis, exploding use of mobile technologies, surges in bot-net infections and capabilities plus a myriad of other conditions are only making the problem more urgent. This condition exists across market verticals and it doesn’t matter whether you are charged with protecting national secrets, bank account information, credit card data or whatever, the insider is still the most dangerous threat of all.

At MicroSolved, we know that this is the most serious issue facing organizations today. We know that the threat is real, that budgets are tightening and that all of us will have to do more with less. We also know that as the economy worsens, data thieves, bot-herders and industrial espionage attacks will become more common.

Today, we have begun a special project – called Operation Anaconda. The purpose of this project is to study the problem of insider threats, identify rational approaches to reducing the risk of insider attacks and develop additional products, services, knowledge-based documents, methodologies and public information to help all of us better protect our businesses, data and assets from threats that originate inside our organizations. We don’t claim to have all of the answers, and we know that the risk can never reach zero, but we dedicate ourselves to finding better solutions to the problem than those that are common today.

“Normally, these kinds of press releases and articles are done in conjunction with new products or service offerings,” said Brent Huston, Security Evangelist (and CEO) of MicroSolved, Inc. “but we wanted to let customers and organizations know that we have heard them when they told us what was hurting them. We heard them and we are committed to doing our part to making that pain go away!”

“Over the next several months, you will see a plethora of articles, tools, techniques, products, services and approaches targeted at solving this problem. Our company will lead the way in identifying what works, what doesn’t and how to reduce the insider risk AND the security budget at the same time. Solutions have to be out there, and together, we will find them.” vowed Huston.

MicroSolved is currently building a project plan and forming study groups around facets of the problem. If you or your team would like to participate in one of the public study groups or discussions, please feel free to contact us. We will make more logistics known as the groups firm up their agendas. Stay tuned to http://www.stateofsecurity.com for more information and please feel free to comment on Operation Anaconda or responses to the insider threat. Thanks for reading and feel free to spread the word!

The New Version of HPPE OR Whoop, Here It Is!

Posted on by
Reply

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users, comes with all kinds of new power and flexibility, plus a greatly simplified and user friendly interface. Plus, it now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.

Prepping for Release of HoneyPoint Personal Edition 2.00

Posted on by
Reply

Great news!

We are currently prepping for the public release of HoneyPoint Personal Edition 2.00 on Monday. The product has been through two closed Beta’s and a great period of pre-release testing. Thanks to all who helped with the testing and for all who contributed to our cause with product feedback. A special thanks to “DA” from a local organization who really held my feet to the fire on changes and interface updates. Hopefully, everyone will be pleased with the interface and features! (BTW – D – we kept the “lights”…<grin>)

Here is a screen shot of the new main interface on the Mac.

Snapz Pro X001.png

New features include:

HornetPoint defensive fuzzing (patent pending)

Plugins capability from HPSS

Public support for Linux and OS X in addition to Windows

and a few other goodies….

Also, this represents the beginning of the new line for HPPE. Development will remain ongoing on it and we have few more tricks up our sleeves. We are also working on HPSS 3.00 and will begin alpha testing of that new architecture very soon.

Stay tuned for the launch and for more details as they become public!

Waiting for the Other Conflicker Shoe to Drop

Posted on by
Reply

OK, so by now you have probably read a 100 articles on Conflicker and the spread of the worm. I warned of impending trouble from the worm, which, thankfully did not emerge over the weekend. I really thought the traffic levels would be of importance, but indeed, there was little impact on global traffic levels. This is one of those cases where I am really glad I was wrong!

Now that the majority of the scanning and traffic spikes are over, we are waiting for the other shoe to drop on this attack. The initial worm spread and compromise was likely only the first phase of the attacker’s plans. They now have an immense network of bot-infected hosts at their command. What they will do with them and how they will focus these systems on compromise remains to be seen. Given the sophistication of Conflicker and the “intelligence” of its design and scanning code, the forthcoming use could be a pretty creative and powerful threat vector. We may well see some new form of attack or probe that we have not encountered before.

It is, of course, critical that organizations and individuals move to identify and mitigate any infected hosts. The less bot-infected hosts for the attackers to command, the better. The problem is that many of the compromised systems are in locales with limited IT knowledge resource levels. In many of the countries where infected systems are concentrated, IT admins and tech savvy users are difficult to locate and even harder to afford. This means that while some of the systems may get cleaned up, there is still likely to be a significant army of infected zombies for the bot-herder(s) to wield.

In general, in this case, other than mitigating compromised hosts, there is little you can do beyond standard security practices. You can deploy detective capabilities around logging and vision-enhancement tools like HoneyPoint, but other than the usual, there is little focused risk minimization you can do for this one.

My best advice is to remain vigilant, keep up to date and keep working to better the security across your organization. Eventually, the other shoe will drop, and when it does, we will have to do our best to turn aside whatever happens.

Virtual Appliances & Live CDs Make a Great Testing Lab

Posted on by
Reply

Appliances from the Parallels and VMWare appliance store make it very easy to set up a quick and dirty lab to practice security assessment skills. Want to try a new tool, or test a new approach for assessing a web application? Download an old, out of date, unpatched appliance with an older OS and app and you have a great target.

You can even do this for next to no cost. If you have a pretty beefy workstation or an old box laying around, do a base install of Windows, then install VMWare Player and you have what you need. Our team uses these virtual appliances in on-the-fly games of capture the flag, for skills practice and testing and for looking at new vulnerability patterns and threat vectors.

You will be amazed at just how easy setting up an effective security testing lab is when you combine virtual appliances with Live CDs. Together, they let you turn that machine graveyard behind your desk into a whole new playland. Live CDs are available for a ton of platforms, OS and application deployments. In most cases, you don’t even need a hard disk at all to get them up and running fully. Check them out and see just how far you can extend them into your new lab. Some of my favorites are Damn Small Linux, Puppy Linux, Knoppix, and BackTrack.

Using these two types of cheap approaches, you can build an easy testing lab for less than the cost of a new PC. Give it a shot and let me know how it goes!

Poor Visibility is a Solvable Problem

Posted on by
Reply

One of the big thing that many organizations lack today is visibility into their information security posture. Sure, they have vulnerability management and some have “false positive generators” (otherwise known as NIDS), some even have log analysis and event engines. But, with all of that technology, they still are very likely to miss insider attacks and attacks of a subtle nature.

I am continually amazed when organizations demo HoneyPoint technology and they have their first real “AH HA” moment. Usually a bot-infected machine triggers a HoneyPoint during a scan (like with Conflicker) or makes a login attempt against a decoy virtual machine. Occasionally, you see full on attacks underway that get caught by the demo. For example, one unlucky client caught a scan against a POP3 HoneyPoint that was a brute force attempt with VALID logins and passwords. The HoneyPoint alerted and they began an incident that lead to the discovery of a compromised domain. The attackers had cracked the SAM and were using the key admin accounts to see what else they could get into. You can rest assured, that client very quickly went from demo to customer.

Until organizations understand the value of putting forth bait to lure suspicious activity, it is hard for them to grasp that this is not just another source for noise. Once they get their head wrapped around the idea that since a resource is not real, any activity with it is, by default, suspicious at best and malicious at worst, they struggle to understand the leverage that HoneyPoint brings. But, the bad news for attackers is that more and more are getting it. More IT managers are flipping on that light switch and stepping out of the “dark ages” of infosec and into the age of the HoneyPoint.

What can I say, once security folks think differently about the problems, the game changes for the better. The time for threat-centric security has arrived. Things will never be the same again…

Danger: Conflicker Growing at Massive Rate **ALERT**

Posted on by
1

Just a quick word of caution, the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conflicker worm scans. New hosts (not seen in the last 24 hours) are probing the HITME every 5 mins or so! Scanning for port 445/TCP is growing HUGELY, if not EXPONENTIALLY!

This is important to you for the following reasons if you are an IT person or Infosec person:

  • The rate of spread is quite high. Likely, we will see Internet wide traffic impacts over the weekend or by early Monday if it continues at present growth rate.
  • Even when it plateaus and tapers, this will mean a HUGE INCREASE in infected bot-net machines, the likes of which will likely compare to Kraken or Storm
  • On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will be returning it to your office on Monday or when they come back to work. Look for scanning on a large scale in many organizations.
  • You are likely to get “those calls” from a competitor or other company about “why is your network scanning mine” — always fun!

What can you do?

  • HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (no SAMBA/CIFS) with a HoneyPoint listening on 445/tcp. (Note that you can’t bind to 445 on Windows systems as Windows is using it to host the possibly vulnerable service) Investigate any host that probes that open port.
  • Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
  • Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
  • Prepare yourself and your team for the battle ahead.
  • If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
  • Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)

Please, pay attention to this one. It looks “slammer/code red” nasty…..

** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **

3 Links for Securing USB Drives

Posted on by
Reply

This project caught my eye. It is includes crypto and ease of use. It is called geek.menu and is based from the portableapps project. Installed and configured right, it makes an encrypted file system to protect your data if you lose the drive. It also allows you to easily configure some pretty powerful options around the apps you install. Check it out if you are a big thumb drive user.

This article is a great overview of risks from thumb drives. It should be a basic requirement for any user in the organization that gets provisioned one.

Lastly, for those of you want to make the most of security through obscurity to protect your precious USB thumb drive from discovery, check this article out about hiding your drive in the wall.

If you are both a thumb drive (USB drive) and a Windows user, you should probably read about the Conflicker malware. It is currently spreading wildly and can transit itself on USB drives. (Oooops, that was 4….)

Major Breach at Heartland Payment Systems

Posted on by
Reply

You’ve heard this story before. A major credit card company has experienced a massive breach. Tons and tons of data was stolen during the incident. They think they have it under control and are working with law enforcement. You should check your statements. Blah, blah, blah…

Once again, though, in this case, the company was certified as PCI compliant by their PCI auditors. If they were all compliant and filled to the brim with “fluffy, compliant goodness” then the attackers must have used some uber-hacking technique, right? Some bleeding edge tool or 0-day exploit that cut right through their defenses and rendered their compliant protections useless? Ummm…. NO…. The mighty technique that caused the damage? A sniffer!!!! (Some of the best technology that the late 80’s/early 90’s had to offer…)

How did I reach this conclusion? From their own press release:

“Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.” — sounds like a sniffer to me….(and a lot of other infosec folks…)

That’s right, the mighty sniffer strikes again. In the last couple of years, this same attack footprint has occurred over and over again. It has been largely successful. Why? Because companies don’t encrypt credit card data in transit across networks. Sure, many of them encrypt the database (not all, but many.) and some use various forms of endpoint protection, but many (way too many apparently) don’t encrypt the credit card data in transit across their networks.

Even worse, the PCI DSS DOES NOT REQUIRE THIS. That is how they can be compliant with PCI and still have this issue. What a cruel joke for consumers.

The DSS requires that organizations encrypt credit card data when it flows across “open, public” networks. Well, guess what, when your network gets compromised, even your “internal, private LAN”, it becomes “public” at least for the attackers. Misconfigure a firewall rule, get a workstation popped, allow a social engineer into the environment and that “private network” is not so private anymore, is it?

But, that never happens, right? Except when it does.

In my opinion, it is high time that organizations realize that compliance is not security. Compliance is a false goal set in sand. The real goal is risk management and data protection. In order to accomplish these goals, you have to make rational decisions and account for real threats, not just checklists compiled by some nebulous group of people in a “one size fits all fashion”. That is a fool’s errand.

As I have been saying for a while now, we have to start thinking differently about security. We have to forget the baselines and look at our risk from the view of a threat agent (a hacker, cyber-criminal, attacker, whatever!). We have to make rational choices that really do protect that which needs to be protected. We have to hope for the best and architect for abject failure. Anything less than that, and this is a story you we will just get to keep on telling….

Interested in learning more about “sniffing”? Click here for a great FAQ.

I also did an interview with Secure Computing Magazine about this. You can read that here.