About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Forget Solutions for a While, Let’s Think Differently About Security

As many of you may know, this has been my mantra for the last couple of years. It was the perspective that gave birth to HoneyPoint and many of our service offerings that we have launched in the last couple of years.

I was very pleased when SANS ran this article a few days ago and when they made their initial call for ideas.

Many of the ideas that they uncovered were excellent! I especially think that there might be a future in organized education of young people around cyber-ethics, security behaviors and deeper understandings of privacy in the physical and online world. I am an obvious believer in new technical frameworks and thought processes that dynamically change the nature of the game from responsive to proactive. Further, I am a stronger and stronger believer in Honey-based technologies and in adapting attacker techniques and strategies for use against attackers. The last two years have incredibly strengthened my belief that a true key to future security is to manipulate the ability for threat agents to tell the real assets from the pseudo-assets and the true exposures from the ones that only lead to capture. I am a true evangelist of the idea that active manipulation of threat agents is both a productive mechanism for defense and an effective control for differentiating between real, dangerous risks and non-persistent “noise” risks. While these solutions do not apply to every situation, their leverage and power do apply to a number of them and provide both excellent feedback and education as well as an intense level of engagement.

The ideas of adopting principles of genetic engineering are excellent and should be a basis for research in the future. I think the cyber world could learn a lot about data analysis, correlation and visualization by looking at the physical and medical worlds as a baseline for exploration. The data sets of the cyber world are large, but not nearly as large, complex or dynamic as some human and physiological systems that scientists are tackling.

I think that if we step back from the day to day security problems we face and spend some time considering and researching “game changing” ideas, we might just find some amazing ways to change the very essence of what we do. I know attackers will always have a say in how the game is played. I know how history shines and enumerates the role of the defender. But, I also know that true evolutionary leaps are possible. True change is powerful, violent and often obvious once it has been discovered, branded and explained to us. Maybe what we need now is more discovery, more exploration and more application of free flowing thought.

As always, let me know what you think about it. You can send email responses to me or comment through the blog. The more brains thinking about the problem – the better!

Web Proxy Scanning – Attack or Desperate Search for Free Information Flow

I remember when I was coming up in the infosec world, there used to be a rallying cry among “hackers” that “information wants to be free”. Certainly, we know from history and the present that information freedom has a high value to democratic society. The fact that unrestrained communications can be used to cause social, economic and political change is a given.

I often encounter hundreds of web proxy probes against our HoneyPoints every day. As I look through the logs, research the various traffic and analyze any new events, I am in the habit of largely ignoring these simple probes. Today, however, it occurred to me that many, likely not all (but many), of these probes were folks in less open countries trying to find access mechanisms to get unrestricted access to the web. They may well be searching for an SSL wrapped pipe to retrieve current news, conversations, applications and other data from sources that the “powers that be” in their country would rather not have them see.

Of course, I know that not all proxy scans are for the purpose of escaping political oppression. I know that there are attackers, cyber-stalkers, pr0n fanatics and criminals all looking for proxies too. I also know, first hand, from our HoneyPoints that when they think they find them, many of these probes turn out to be less “CNN” and more attempts to break into the organization offering the proxy. I have seen more than my share of proxied, “internal” probes when attackers believe that their new “proxy” is real and useful.

But, even with the idea that some folks use these tools for illicit purpose, I think some folks must be dependent on them for free access to uncensored information. Of course, the big question is, how can we help the folks that would like to use the proxy for legitimate public access to free information while refusing illicit access through our system? This is very, very difficult without resorting to blacklisting, if we want to offer access to the net as a whole.

However, one of my engineer friends chimed in that perhaps access to the entire web is not really needed. What if you somehow created a system that had proper controls in place to prevent most attacks, but had a white list of sites that traffic could be proxied to? You would still be acting as a sort of “information moderator” in that you could control the sources, but what if the default page listed the sites that were allowed, and you allowed the most common news sites or other commonly sought sources for information that somehow had been vetted beforehand? Not a totally optimal situation, I understand, but better than the current scenario for some folks.

The question is, how could such a solution be created? How could it be established and managed? How would sites get vetted and could existing software be used to create these mechanisms or would new tools require development cycles?
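One concrete piece of such a system is the decision a white-listing proxy has to make for every request it receives. The following is an added example, not code from the blog or from MicroSolved: a request-filtering function that relays only to vetted sites and serves the default page listing them. The site names (`news.example`, `encyclopedia.example`) and the policy values are constructed placeholders. It deliberately covers the cases where a naive hostname comparison goes wrong: mixed case and trailing dots, Unicode lookalike names, raw IP literals, user-info tricks in the URL, non-standard ports and CONNECT tunnels.

```python
"""Allow-list decision logic for an 'information moderator' forward proxy.

Added example; not part of the original post. The allow-list below is
constructed for illustration only.
"""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed policy: exact hosts, whole domains (any subdomain), and ports.
ALLOWED_HOSTS = {"news.example", "www.news.example"}
ALLOWED_DOMAINS = {"encyclopedia.example"}
ALLOWED_PORTS = {80, 443}


def normalise_host(host: str) -> str:
    """Lower-case, strip the trailing dot, and convert Unicode names to punycode
    so lookalike characters cannot slip past a plain string comparison."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""


def host_allowed(host: str) -> bool:
    """True only for vetted names; raw IP literals are never relayed because they
    bypass name-based vetting entirely."""
    host = normalise_host(host)
    if not host:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False  # an IP literal, not a vetted name
    except ValueError:
        pass
    if host in ALLOWED_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(method: str, target: str) -> Tuple[bool, str]:
    """Decide on one proxy request line; returns (allowed, reason)."""
    if method.upper() == "CONNECT":
        # CONNECT host:port - the tunnel endpoint is the only thing we can vet.
        host, sep, port_text = target.rpartition(":")
        if not sep or not port_text.isdigit():
            return False, "malformed CONNECT target"
        port = int(port_text)
    else:
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "only absolute http(s) URLs are relayed"
        if parts.username or parts.password:
            # e.g. http://news.example@evil.example/ - reject rather than guess
            return False, "userinfo in URL rejected"
        host = parts.hostname
        try:
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:
            return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    if not host_allowed(host):
        return False, f"host {host!r} not on allow-list"
    return True, "ok"


def landing_page() -> str:
    """The default page the post suggests: a plain listing of what is reachable."""
    lines = ["Sites reachable through this proxy:"]
    lines += sorted(f"  {h}" for h in ALLOWED_HOSTS)
    lines += sorted(f"  *.{d}" for d in ALLOWED_DOMAINS)
    return "\n".join(lines)


if __name__ == "__main__":
    print(landing_page())
    for req in [("GET", "http://news.example/world"),
                ("CONNECT", "www.news.example:443"),
                ("GET", "http://news.example@evil.example/"),
                ("GET", "http://203.0.113.7/")]:
        print(req, "->", decide(*req))
```

The vetting and management questions the post raises are not solved by this code; it only shows that once a list exists, enforcing it safely is a matter of normalising the request before comparing, and of refusing anything (IP literals, odd ports, credentials in the URL) that the list cannot speak to.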

If you have thoughts on this idea, please drop us a line. I would be very interested in your feedback!

Changes to the State Of Security Blog

I just wanted to take a moment and update folks on some changes that we are making beginning next week on this blog.

We have decided, after much consideration, to discontinue the routine process of vulnerability announcements on the blog. This was changed over to the blog platform when we shifted from WatchDog, our vulnerability intelligence product. The time for those announcement services has passed. Today, thousands of sites give up-to-the-moment vulnerability announcements and RSS feeds make this an all too easy source of information. As such, we feel that other folks do a fine job of that work and we can focus on other things.

Beginning Monday, the blog will transition to a more thoughtful platform and be used by our team of Security Mentors to add to the security conversation and education, instead of the flat process of announcing new significant vulnerabilities. Our team will blog several times per week, with each member contributing content – but the content will be more open, deeper in context and much more opinion based than just parroting simple announcements of XSS in XYZ product.

Thanks to all of the readers who enjoy the blog and we hope you will continue to read and even learn to love it more. We look forward to less noise and much more content with context in the coming months. Please, feel free to join in the conversation. We love hearing from you.

Changes to the look and feel of the blog are coming soon and the entire blog process is in flux. Let us know what you like and what you want us to scrap. Spread the word about us and we look forward to a whole new set of eyes!

See you next week and have a GREAT weekend!

Broadband Caps Could Mean Consumers Pay for Bot-Net Traffic

The broadband caps proposed by Comcast and other home ISPs would mean that consumers would now be paying for excessive traffic from their networks, even when malware or bot-nets caused the traffic. Much media attention has been paid to the effect of traffic from spam and video ads used in normal web pages, but little has been said about the effect on consumers that malware infection could now have.

Imagine a simple malware infection that sends email. That infected machine could send millions of emails a month, easily breaching the modest bandwidth limits that some are proposing. How will the average consumer respond when they get warnings and then large bills from their network ISP for traffic that they did not cause? Imagine the help desk calls, irate customers and the increased costs of handling such incidents. How will the average help desk technician handle claims that infected systems caused the excess traffic? How will courts handle the cases when the consumer refuses to pay these charges and the ISP pursues their clients for the money?

Attackers are the real winners here, at least those interested in causing chaos. Effective attacks to cause financial damages and ISP cutoff against a known/focused target become all that much easier to perform. If you hate your neighbor and her barking dog, then you get her machine infected with malware and cause her to get a huge bill from her cable company. Do this enough and you can damage her credit, get her cut off from the Internet and maybe even interfere with her ability to earn a living (especially if she is a web worker). Heck, malware isn’t the only way – break into her wireless network or find it open to start with – and you have the perfect entry point for making her “iLife” a true nightmare.

Sure, some folks say these risks already exist without the added pressures of ISP bandwidth caps. They are right, they do. Some folks also say that these threats may make average consumers pay more attention to security. I think they are wrong; this will be just another item on a long list of ignored and forgotten “bad things” that happen to “other people”. However, I do think that these attacks should be a serious concern for the ISPs implementing the caps. The ISPs seem to be sharing a primary claim that they are adding these caps due to bandwidth issues and the costs required to handle the current and future traffic. Yet, I would suggest that bandwidth caps are very likely to raise their support and account management costs exponentially – which could mean that they are shooting themselves in the foot.

Bandwidth caps are a bad idea for a variety of reasons (including stifling innovation), but they play directly into attacker hands and lend attackers a new spin on how to cause damage and chaos. In the last few weeks, much has been made of the recent growth in bot-net infected systems. Experts point to a nearly 400% increase over the summer months alone. Imagine the chaos and issues that could stem from calculated campaigns that wrangle those bot-net infected machines into breaking the boundaries of their ISP. Maybe bot herders would even change from holding end users hostage to targeting ISPs with bandwidth cap breaking storms that would trigger massive client notifications, calls to technical support and account management systems. Maybe attackers could figure out a way to use bot-net infected systems to cause “human customer denial-of-service” attacks against cable companies. I am certainly not rooting for such a thing, but it seems plausible given the current state of infected systems.

I just don’t see a positive for anyone coming from these ideas. I don’t see how they aid the consumer. I see how they could be used to harm both the consumer and the ISP. I see how attackers could leverage the change in multiple ways – given that many are extensions of existing issues. Generally, I just fail to see an upside. I find it hard to believe that consumers will be thrilled about paying for illicit traffic that they will argue they did not create and I can’t see the courts doing much to force them to pay for that traffic. I guess only time will tell – but it seems to me that in this game – everyone loses…

Ignuma 0.0.9.1 Overview

I spent a few minutes this morning looking at the newest release of Ignuma. If you aren’t familiar with it, it is another penetration testing framework, mostly focused on Oracle servers, but it has plenty of other capabilities and front-ends a number of fuzzing and host discovery tools.

The tool is written in Python and has both command line and GUI interfaces, including a QT-based GUI and a more traditional “curses-based” GUI. The tool is pretty easy to get working and adapts itself pretty well to some easy scans, probes and fuzzing. In the hands of someone with skills in vuln dev, this could be a capable tool for finding some new vulnerabilities.

The tool is written to be extendable and the Python code is easy to read. It is not overly well documented, but enough so that a proficient programmer could add in new modules and extend the capabilities of it pretty easily.

The tool is still in heavy development and it looks like it could be interesting over the next few months as it matures. Keep your eyes on it if you are interested in such things. You can find the latest version of Ignuma here.

Patched DNS Servers Still Not Safe!?!

OK, now we have some more bad news on the DNS front. There have been new developments along the exploit front that raise the bar for protecting DNS servers against the cache poisoning attacks that became all the focus a few weeks ago.

A new set of exploits has emerged that allows successful cache poisoning attacks against BIND servers, even with the source port randomization patches applied!

The new exploits make the attack around 60% likely to succeed in a 12 hour time period and the attack is roughly equivalent in scope to a typical brute force attack against passwords, sessions or other credentials. The same techniques are likely to get applied to other DNS servers in the coming days and could reopen the entire DNS system to further security issues and exploitation. While the only published exploits we have seen so far are against BIND, we feel it is likely that additional targets will follow in the future.

It should be noted that attackers need high speed access and adequate systems to perform the current exploit, but a distributed version of the attack that could be performed via a coordinated mechanism such as a bot-net could dramatically change that model.

BTW – according to the exploit code, the target testing system used fully randomized source ports, using roughly 64,000 ports, and the attack was still successful. That means that if your server only implemented smaller port windows (as a few did), then the attack will be even easier against those systems.

Please note that this is NOT a new exploit, but a faster, more powerful way to exploit the attack that DK discovered. You can read about Dan’s view of the issue here (**Spoiler** He is all about risk acceptance in business. Alex Hutton, do you care to weigh in on this one?)

This brings to mind the reminder that ATTACKERS HAVE THE FINAL SAY IN THE EVOLUTION OF ATTACKS and that when they change the paradigm of the attack vector, bad things can and do happen.

PS – DNS Doberman, the tool we released a couple of days ago, will detect the cache poisoning if/when it occurs! You can get more info about our tool here.

MSI Releases DNS Doberman to the Public

Now your organization can have a 24/7 guard dog to monitor key DNS resolutions and protect against the effects of DNS cache poisoning, DNS tampering and other resolution attacks. Our tool is an easy to use, yet quite flexible and powerful solution to monitoring for attacks that have modified your (or your upstream ISPs’) resolutions for sites such as search engines, software updates, key business partners, etc.

DNS Doberman is configured with a set of trusted host names and IP address combinations (yes, you can have more than one IP per host…) which are then checked on a timed basis. If any of your monitored hosts returns an IP that the DNS Doberman doesn’t trust – then it alerts you and your security team. It supports a variety of alerting methods to support every environment from home users to enterprises.
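The mechanism just described is simple enough to sketch. What follows is an added example, not DNS Doberman’s code and not a description of how it is built internally: a small monitor in the same spirit, configured with trusted host-to-IP mappings (more than one IP per host is allowed), checked on a timer, and raising an alert whenever a resolution returns an address outside the trusted set. The host names and addresses are constructed placeholders (the IPs are from the RFC 5737 documentation ranges). The resolver is passed in as a function so that the checks can be exercised offline against canned answers; by default it uses the system resolver, which is exactly what a poisoned cache would affect.

```python
"""Minimal trusted-resolution DNS monitor.

Added example; not DNS Doberman. Configuration values are constructed.
"""
import ipaddress
import socket
import time
from typing import Callable, Dict, Iterable, List, Set

# Constructed configuration: host -> set of trusted IPs (RFC 5737 placeholders).
TRUSTED: Dict[str, Set[str]] = {
    "search.example": {"192.0.2.10", "192.0.2.11"},  # more than one IP per host
    "updates.example": {"198.51.100.5"},
    "partner.example": {"203.0.113.7"},
}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> List[str]:
    """Ask the host's configured resolver for every A/AAAA answer."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_host(name: str, trusted_ips: Set[str], resolve: Resolver) -> List[str]:
    """Return the answers for `name` that are NOT trusted (empty list = clean).

    Resolution failures and empty answers are reported as findings too, so a
    silent outage or NXDOMAIN is never mistaken for 'nothing changed'.
    """
    trusted = {ipaddress.ip_address(ip) for ip in trusted_ips}
    try:
        answers = list(resolve(name))
    except (socket.gaierror, OSError) as exc:
        return [f"resolution failed: {exc}"]
    if not answers:
        return ["resolution returned no addresses"]
    untrusted: List[str] = []
    for ip in answers:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            untrusted.append(f"malformed answer {ip!r}")
            continue
        if addr not in trusted:
            untrusted.append(str(addr))
    return untrusted


def run_checks(config: Dict[str, Set[str]],
               resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Check every configured host once; return only hosts with findings."""
    findings: Dict[str, List[str]] = {}
    for name, ips in config.items():
        bad = check_host(name, ips, resolve)
        if bad:
            findings[name] = bad
    return findings


def alert(findings: Dict[str, List[str]]) -> None:
    """Stand-in for the alerting channel (email, syslog, pager, ...)."""
    for name, bad in findings.items():
        print(f"ALERT: {name} resolved to untrusted: {', '.join(bad)}")


def monitor(config: Dict[str, Set[str]], interval_seconds: int = 3600,
            cycles: int = 0, resolve: Resolver = system_resolver) -> int:
    """Timed loop; `cycles=0` runs forever. Returns the number of alerting cycles."""
    alerting = 0
    done = 0
    while cycles == 0 or done < cycles:
        findings = run_checks(config, resolve)
        if findings:
            alert(findings)
            alerting += 1
        done += 1
        if cycles == 0 or done < cycles:
            time.sleep(interval_seconds)
    return alerting


if __name__ == "__main__":
    # One pass with the real resolver; the placeholder names will not resolve,
    # which is reported as a finding rather than silently passing.
    alert(run_checks(TRUSTED))
```

Two design points matter more than the loop itself: the comparison is done on parsed addresses rather than strings (so `192.0.2.010`-style variants and IPv6 text forms cannot fool it), and a failed or empty lookup is a finding, because a tampered resolver can hide a redirect just as easily as it can return a wrong answer.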

You can learn more about the tool and download the FREE version from the link below. The FREE version is completely usable and if it suits your needs, you are welcome to continue to use it indefinitely. The FREE version is restricted to 5 hosts and only checks each host once per hour. Registered users ($99.95) will receive support, minor version upgrades and the ability to check an unlimited number of hosts every 15 minutes!

To learn more or get your copy today, please visit the MSI main web site, here.

[Tangent] Can infosec VARs Really Make an Evangelical Sale?

We have been having quite a struggle finding infosec VARs to resell our HoneyPoint products. The problem seems to be that HoneyPoint and the idea of a Next Generation Distributed Honeypot product are such a radical concept to most organizations that they require evangelism and education for the customers to understand the value of the product and why it is a better solution than the one they are using now. It usually takes a while for them to understand that they can free themselves from false positives and the overhead of many of the detective tools they are using today if they simply embrace the idea of thinking differently about the problem.

VARs today seem to be focused solely on the products that are demand driven. They want to sell the Cisco products, the copies of anti-virus and the stuff that clients are already used to asking for. The days of VARs looking for ways to shake up the markets, establish value with fresh approaches and build their businesses by leveraging rapport with their customers by solving their deeper problems seem to be all but gone. Sure, you can find VARs to resell your widget or appliance if you have a model that requires little work, even if it has a small margin. But, it seems like finding evangelical VARs is nearly impossible in today’s market. If they are out there, we don’t seem to be able to find them.

I really feel like that is a bad thing for the market and for the clients. In the early days of MSI and the security industry, there was a lot to be gained by being a VAR that was able to bring bleeding edge solutions to customers. I can remember working with clients to help them understand new protective technologies like the Sidewinder firewall from Secure Computing, Real Secure from ISS and spending a lot of time traveling, talking to clients and listening to them explain the things that hurt them – then digging into the net and our brains for REAL, DEEP solutions that addressed the root problems that they were experiencing. For me, at least, that was the exciting thing about being a VAR – finding that next breakthrough that could really empower some of my clients in a way that they may not even have known that they needed until we showed them that a better way was available. That was exciting, fun and really gained us the trust of organizations who have been clients for nearly two decades now.

If there are any VARs out there that you think fit this model, I would like to hear about them. I would love to find a few folks who are willing to help evangelize what is clearly a better solution to the insider threat and to securing virtual environments. I would like to work with someone who shares that energy, passion and willingness to help solve deeper problems than traditional “network gear” resellers will ever be able to uncover. If you’re out there, give me a call – I think we have something to talk about…

Wait a Minute, You’re Using the Wrong DNS Exploit!

Attackers are apparently zigging when we thought they would be zagging again. An article posted yesterday talks about how attackers have passed on using the exploits published by the common frameworks and instead, have been pretty widely using a more advanced, capable and less known tool to exploit the DNS vulnerabilities that have been in the news for the last few weeks.

In the article, HD Moore, a well known security professional (and author of Metasploit), discusses how the attackers seem to be bypassing the exploit that he and his team published and instead have been using another exploit to perform illicit attacks. In fact, the attackers used their own private exploit to attack the Breakingpoint company that Moore works for during the day. I was very interested in this approach by the attackers, and it seems almost ironic somehow, that they have bypassed the popular Metasploit tool exploits for one of their own choosing.

This is interesting to me because when an exploit appears in Metasploit, one would assume that it will be widely used by attackers. Metasploit, after all, makes advanced attacks and compromise techniques pretty much “click and drool” for even basic attackers. Thus, when an exploit appears there, many in the security community see that as a turning point in the exploitability of an attack – meaning that it becomes widely available for mischief. However, in this case, the availability of the Metasploit exploit was not a major factor in the attacks. Widespread attacks are still not common, even as targeted attacks using a different exploit have begun. Does this mean that the attacker community has turned its back on Metasploit?

The answer is probably no. A significant number of attackers are likely to continue to use Metasploit to target their victims. Our HoneyPoint deployments see plenty of activity that can be traced back to the popular exploit engine. Maybe, in this case, the attackers who were seriously interested had a better mechanism available to them. Among our team there is speculation that some of the private, “black market” exploit frameworks may be stepping up their quality and effectiveness. These “exploits for sale” authors may be increasing their skills and abilities in order to ensure that their work retains value as more and more open source or FREE exploit frameworks emerge into the market place. After all, they face the same issues as any other software company – they have to have high value in order to compete effectively with low cost. For exploit sellers this means more zero-day exploits, more types of evasion, more options for post-exploitation and higher quality of the code they generate.

In some ways, tools like Metasploit help the security community by giving security teams exploitation capabilities on par with basic attackers. In other ways, perhaps they also hurt the security effort by enabling more basic attackers to do complex work and by driving up the quality and speed of exploit availability on the black market. It is hard to argue that such black market efforts would not be present anyway as the attackers strive to compete amongst themselves, but you have to wonder if Metasploit and tools like it serve to speed up the pace.

There will always be tools available to attackers. If they aren’t widely available, then they will be available to a specific few. The skills to create attack tools are no longer the arcane knowledge known to a small circle of security mystics that they were a decade ago. Vendors and training companies have sliced and diced the skills into a myriad of books, classes, training sessions, conventions and other mechanisms in order to “monetize” their dissemination. As such, there are many many many more folks with the skills needed to develop attack tools, code exploits and create malware that has ever increasing capability.

This all comes back to the idea that in today’s environment, keeping anything secret, is nearly impossible. The details of the DNS vulnerability were doomed to be known even as they were being initially discovered. There are just too many smart people with skills to keep security issues private when there is any sort of disclosure to the public. There are too many parties interested in making a name, gaining some fame or turning a buck to have any chance at keeping vulnerabilities secret. I am certainly not a fan of total non-disclosure, but we have to assume that even some level of basic public knowledge will eventually equal full disclosure. We also have to remember, in the future, that the attacker pool is wider and deeper than ever before and that given those capabilities, they may well find mechanisms and tools that are beyond what we expect. They may reject the popular wisdom of “security pundits from the blogosphere” and surprise us all. After all, that is what they do – surf the edges and perform in unexpected ways – it just seems that some of us security folks may have forgotten it….

Awareness Forum Launched for MSI Customers

We are proud to announce the immediate availability of a complimentary site that is dedicated to offering clients of MSI a source for quality information security materials.

The site is located at http://awareness.microsolved.com and requires a login and password for access. The accounts, which are free of charge, are available to those organizations who have been customers of MSI in the last 12 months and will remain valid as long as the organization has been a client within the past 12 months. Simply sign up at the site for an account and you should be validated shortly.

Once you have activated your login, the site offers an online forum for the discussion of information security awareness topics and the relevant strategies that can be used to build security awareness. The account also allows you to download PDF posters, articles, podcasts and other materials produced by MSI for use in supporting your security awareness efforts.

The materials, which may be reproduced and used at no charge, are branded with the MSI logo and such, but can also be customized and branded to your organization for a small additional fee.

New content will be added to the site regularly. The content is already divided into end user, consumer, developer, executive and technical audience targets. A variety of formats, designs and materials are planned for the coming months on the site.

Brent Huston, our CEO had this to say about the new site: “I truly believe that security awareness is a critical part of any security program. The general user populace must be educated about making better decisions concerning online risk and even IT practitioners can benefit from ongoing security education. I really think this is a way that MSI can give back to our clients for all of their trust and belief in our firm over the years!”

Constance Matthews, Account Executive with MSI added “Clients have been asking me about awareness solutions for their company for a long time, but we were really committed to finding a strong solution for our customers and to finding an inventive approach that really increased the value of our work. I’m confident that these multi-media tools will help our clients achieve meaningful growth in their security awareness initiatives.”

Sign up today for an account on the site and we look forward to hearing from you on the forum. Please give us any feedback and as always, thanks for choosing MSI as your information security partner!