About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Ignuma 0.0.9.1 Overview

Posted on August 15, 2008 by Brent Huston

I spent a few minutes this morning looking at the newest release of Ignuma. If you aren’t familiar with it, it is another penetration testing framework, mostly focused on Oracle servers, but has plenty of other capabilities and front ends a number of fuzzing and host discovery tools.

The tool is written in Python and has both command line and GUI interfaces, including a QT-based GUI and a more traditional “curses-based” GUI. The tool is pretty easy to get working and adapts itself pretty well to some easy scans, probes and fuzzing. In the hands of someone with skills in vuln dev, this could be a capable tool for finding some new vulnerabilities.

The tools is written to be extendable and the Python code is easy to read. It is not overly well documented, but enough so that a proficient programmer could add in new modules and extend the capabilities of it pretty easily.

The tool is still in heavy development and it looks like it could be interesting over the next few months as it matures. Keep you eyes on it if you are interested in such things. You can find the latest version of Ignuma here.

Patched DNS Servers Still Not Safe!?!

Posted on August 13, 2008 by Brent Huston

OK, now we have some more bad news on the DNS front. There have been new developments along the exploit front that raise the bar for protecting DNS servers against the cache poisoning attacks that became all the focus a few weeks ago.

A new set of exploits have emerged that allow successful cache poisoning attacks against BIND servers, even with the source port randomization patches applied!

The new exploits make the attack around 60% likely to succeed in a 12 hour time period and the attack is roughly equivalent in scope to a typical brute force attack against passwords, sessions or other credentials. The same techniques are likely to get applied to other DNS servers in the coming days and could reopen the entire DNS system to further security issues and exploitation. While the only published exploits we have seen so far are against BIND, we feel it is likely that additional targets will follow in the future.

It should be noted that attackers need high speed access and adequate systems to perform the current exploit, but a distributed version of the attack that could be performed via a coordinated mechanism such as a bot-net could dramatically change that model.

BTW – according to the exploit code, the target testing system used fully randomized source ports, using roughly 64,000 ports, and the attack was still successful. That means that if your server only implemented smaller port windows (as a few did), then the attack will be even easier against those systems.

Please note that this is NOT a new exploit, but a faster, more powerful way to exploit the attack that DK discovered. You can read about Dan’s view of the issue here (**Spoiler** He is all about risk acceptance in business. Alex Hutton, do you care to weigh in on this one?)

This brings to mind the reminder that ATTACKERS HAVE THE FINAL SAY IN THE EVOLUTION OF ATTACKS and that when they change the paradigm of the attack vector, bad things can and do happen.

PS – DNS Doberman, the tool we released a couple of days ago, will detect the cache poisoning if/when it occurs! You can get more info about our tool here.

MSI Releases DNS Doberman to the Public

Posted on August 11, 2008 by Brent Huston

Now your organization can have a 24/7 guard dog to monitor key DNS resolutions and protect against the effects of DNS cache poisoning, DNS tampering and other resolution attacks. Our tool is an easy to use, yet quite flexible and powerful solution to monitoring for attacks that have modified your (or your upstream ISPs’) resolutions for sites such as search engines, software updates, key business partners, etc.

DNS Doberman is configured with a set of trusted host names and IP address combinations (yes, you can have more than one IP per host…) which are then checked on a timed basis. If any of your monitored hosts returns an IP that the DNS Doberman doesn’t trust – then it alerts you and your security team. It supports a variety of alerting methods to support every environment from home users to enterprises.

You can learn more about the tool and download the FREE version from the link below. The FREE version is completely useable and if it suits your needs, you are welcome to continue to use it indefinitely. The FREE version is restricted to 5 hosts and only checks each host once per hour. Registered users ($99.95) will receive support, minor version upgrades and the ability to check an unlimited number of hosts every 15 minutes!

To learn more or get your copy today, please visit the MSI main web site, here.

[Tangent] Can infosec VARs Really Make an Evangelical Sale?

Posted on August 1, 2008 by Brent Huston

We have been having quite a struggle finding infosec VARs to resell our HoneyPoint products. The problem seems to be that HoneyPoint and the idea of a Next Generation Distributed Honeypot product are such a radical concept to most organizations that they require evangelism and education for the customers to understand the value of the product and why it is a better solution that they are using now. It usually takes a while for them to understand that they can free themselves from false positives and the overhead of many of the detective tools they are using today if they simply embrace the idea of thinking differently about the problem.

VARs today seem to be focused solely on the products that are demand driven. They want to sell the Cisco products, the copies of anti-virus and the stuff that clients are already used to asking for. The days of VARs looking for ways to shake up the markets, establish value with fresh approaches and build their businesses by leveraging rapport with their customers by solving their deeper problems seem to be all but gone. Sure, you can find VARs to resell your widget or appliance if you have a model that requires little work, even if it has a small margin. But, it seems like finding evangelical VARs is nearly impossible in today’s market. If they are out there, we don’t seem to be able to find them.

I really feel like that is a bad thing for the market and for the clients. In the early days of MSI and the security industry, there was a lot to be gained by being a VAR that was able to bring bleeding edge solutions to customers. I can remember working with clients to help them understand new protective technologies like the Sidewinder firewall from Secure Computing, Real Secure from ISS and spending a lot of time traveling, talking to clients and listening to them explain the things that hurt them – then digging into the net and our brains for REAL, DEEP solutions that addressed the root problems that they were experiencing. For me, at least, that was the exciting thing about being a VAR – finding that next breakthrough that could really empower some of my clients in a way that they may not even have known that they needed until we showed them that a better way was available. That was exciting, fun and really gained us the trust of organizations who have been clients for nearly two decades now.

If there are any VARs out there that you think fit this model, I would like to hear about them. I would love to find a few folks who are willing to help evangelize what is clearly a better solution to the insider threat and to securing virtual environments. I would like to work with someone who shares that energy, passion and willingness to help solve deeper problems than traditional “network gear” resellers will ever be able to uncover. If you’re out there, give me a call – I think we have something to talk about…

Wait a Minute, You’re Using the Wrong DNS Exploit!

Posted on July 31, 2008 by Brent Huston

Attackers are apparently zigging when we thought they would be zagging again. An article posted yesterday talks about how attackers have passed on using the exploits published by the common frameworks and instead, have been pretty widely using a more advanced, capable and less known tool to exploit the DNS vulnerabilities that have been in the news for the last few weeks.

In the article, HD Moore, a well known security professional (and author of Metasploit), discusses how the attackers seem to be bypassing the exploit that he and his team published and instead have been using another exploit to perform illicit attacks. In fact, the attackers used their own private exploit to attack the Breakingpoint company that Moore works for during the day. I was very interested in this approach by the attackers, and it seems almost ironic somehow, that they have bypassed the popular Metasploit tool exploits for one of their own choosing.

This is interesting to me because when an exploit appears in Metasploit, one would assume that it will be widely used by attackers. Metasploit, after all, makes advanced attacks and compromise techniques pretty much “click and drool” for even basic attackers. Thus, when an exploit appears there, many in the security community see that as a turning point in the exploitability of an attack – meaning that it becomes widely available for mischief. However, in this case, the availability of the Metasploit exploit was not a major factor in the attacks. Widespread attacks are still not common, even as targeted attacks using a different exploit has begun. Does this mean that the attacker community has turned its back on Metasploit?

The answer is probably no. A significant number of attackers are likely to continue to use Metasploit to target their victims. Our HoneyPoint deployments see plenty of activity that can be traced back to the popular exploit engine. Maybe, in this case, the attackers who were seriously interested had a better mechanism available to them. Among our team there is speculation that some of the private, “black market” exploit frameworks may be stepping up their quality and effectiveness. These “exploits for sale” authors may be increasing their skills and abilities in order to ensure that their work retains value as more and more open source or FREE exploit frameworks emerge into the market place. After all, they face the same issues as any other software company – they have to have high value in order to compete effectively with low cost. For exploit sellers this means more zero-day exploits, more types of evasion, more options for post-exploitation and higher quality of the code they generate.

In some ways, tools like Metasploit help the security community by giving security teams exploitation capabilities on par with basic attackers. In other ways, perhaps they also hurt the security effort by enabling more basic attackers to do complex work and by driving up the quality and speed of exploit availability on the black market. It is hard to argue that such black market efforts would not be present anyway as the attackers strive to compete amongst themselves, but you have to wonder if Metasploit and tools like it serve to speed up the pace.

There will always be tools available to attackers. If they aren’t widely available, then they will be available to a specific few. The skills to create attack tools are no longer the arcane knowledge known to a small circle of security mystics that they were a decade ago. Vendors and training companies have sliced and diced the skills into a myriad of books, classes, training sessions, conventions and other mechanisms in order to “monetize” their dissemination. As such, there are many many many more folks with the skills needed to develop attack tools, code exploits and create malware that has ever increasing capability.

This all comes back to the idea that in today’s environment, keeping anything secret, is nearly impossible. The details of the DNS vulnerability were doomed to be known even as they were being initially discovered. There are just too many smart people with skills to keep security issues private when there is any sort of disclosure to the public. There are too many parties interested in making a name, gaining some fame or turning a buck to have any chance at keeping vulnerabilities secret. I am certainly not a fan of total non-disclosure, but we have to assume that even some level of basic public knowledge will eventually equal full disclosure. We also have to remember, in the future, that the attacker pool is wider and deeper than ever before and that given those capabilities, they may well find mechanisms and tools that are beyond what we expect. They may reject the popular wisdom of “security pundits from the blogosphere” and surprise us all. After all, that is what they do – surf the edges and perform in unexpected ways – it just seems that some of us security folks may have forgotten it….

Awareness Forum Launched for MSI Customers

Posted on July 30, 2008 by Brent Huston

We are proud to announce the immediate availability of a complimentary site that is dedicated to the offering clients of MSI a source for quality information security materials.

The site is located at http://awareness.microsolved.com and requires a login and password for access. The accounts, which are free or charge, are available to those organizations who have been customers of MSI in the last 12 months and will remain valid as long as the organization is a client within 12 months. Simply sign up at the site for an account and you should be validated shortly.

Once you have activated your login, the site offers an online forum for the discussion of information security awareness topics and the relevant strategies that can be used to build security awareness. The account also allows you to download PDF posters, articles, podcasts and other materials produced by MSI for use in supporting your security awareness efforts.

The materials, which may be reproduced and used at no charge, are branded with the MSI logo and such, but can also be customized and branded to your organization for a small additional fee.

New content will be added to the site regularly. The content is already divided into end user, consumer, developer, executive and technical audience targets. A variety of formats, designs and materials are planned for the coming months on the site.

Brent Huston, our CEO had this to say about the new site: “I truly believe that security awareness is a critical part of any security program. The general user populace must be educated about making better decisions concerning online risk and even IT practitioners can benefit from ongoing security education. I really think this is a way that MSI can give back to our clients for all of their trust and belief in our firm over the years! ”

Constance Matthews, Account Executive with MSI added “Clients have been asking me about awareness solutions for their company for a long time, but we were really committed to finding a strong solution for our customers and to finding an inventive approach that really increased the value of our work. I’m confident that these multi-media tools will help our clients achieve meaningful growth in their security awareness initiatives.”

Sign up today for an account on the site and we look forward to hearing from you on the forum. Please give us any feedback and as always, thanks for choosing MSI as your information security partner!

Some Potential DNS Poisoning Scenarios

Posted on July 24, 2008 by Brent Huston

We have kind of been breaking down the DNS cache poisoning exploit scenarios and have been dropping them into 3 different “piles”.

1) Massive poisoning attacks that would be used a denial of service style attack to attempt to “cut an organization off from the Internet” or at least key sites – the damage from this one could be low to medium and is obviously likely to be discovered fairly quickly, though tracking down the issue could be difficult for organizations without adequate technical support or on-site IT teams

2) Large scale attacks with malware intent – these would also be largely executed in an attempt to introduce malware into the organization, browser exploits, client-side exploits or forms of social engineering could be used to trick users into activating malware, likely these attempts would introduce bot-net agents into the organization giving attackers remote control of part or all of the environment

3) Surgical poisoning attacks – these attacks would be more focused and much more difficult to identify, in this case, the attackers would poison the cache of sites that they knew could be critical- this could be as obvious as the windows update sites or as focused as the banking sites or stock trade sites of executives, this attack platform is likely to be focused on specific effects and will likely be combined with social engineering to get insight into the specifics of the target

There certainly may be a myriad of additional scenarios or specific focus points for the attacks, but we wanted to give some examples so that folks can be aware of where attackers may go with their new toys and techniques.

Doing incident response and forensics on these attacks could be difficult depending on the levels of the cache time to live and logging that is done on the DNS systems. Now might be a good time to review both of these variables to make sure they will be adequate to examine any attack patterns should they be discovered now, or in the future from this or any other poisoning attack vector.

As we stated earlier, please do not rely on the idea that recursion is only available from internal systems as a defense. That might help protect you from the “click and drool” exploits, but WILL NOT PROTECT YOU from determined, capable attackers!

Myriad of Ways to Trigger Internal DNS Recursion – Please Patch Now!

Posted on July 24, 2008 by Brent Huston

For those organizations who have decided not to patch their DNS servers because they feel protected by implemented controls that only allow recursion from internal systems, we just wanted to point out that there a number of ways that an attacker can cause a recursive query to be performed by an “internal” host.

Here is just a short list of things that an attacker could do to cause internal DNS recursion to occur:

Send an email with an embedded graphic from the site that they want to poison your cache for, which will cause your DNS to do a lookup for that domain if it is not already known by your DNS

Send an email to a mail server that does reverse lookups on the sender domain (would moving your reverse lookup rule down in the rule stack of email filters help minimize this possibility???)

Embed web content on pages that your users visit that would trigger a lookup

Trick users through social engineering into visiting a web site or the like

Use a bot-net (or other malware) controlled system in your environment to do the lookup themselves (they could also use this mechanism to perform “internal” cache poisoning attacks)

The key point here is that many organizations believe that the fact that they don’t allow recursion from external hosts makes them invulnerable to the exploits now circulating in the wild for the DNS issue at hand. While they may be resilient to the “click and drool” hacks, they are far more vulnerable than they believe to a knowledgeable, focused, resourced attacker who might be focused on their environment.

The bottom line solution, in case you are not aware, is to PATCH YOUR DNS SYSTEMS NOW IF THEY ARE NOT PATCHED ALREADY.

Please, do not wait, active and wide scale exploitation is very likely in the very near future, if it is not underway right now!

DNS Exploit is in the Wild – Patch NOW!!!

Posted on July 22, 2008 by Brent Huston

Unfortunately, the blackout period for the DNS issues has been broken. The exploit details have been made public and have been in the wild for a number of hours. While the security researchers involved have tried to remove the details and analysis, Google had already cached the site and the details are now widely known.

Please patch IMMEDIATELY if you have not already done so!

If you can not patch your existing DNS product, please switch to a patched public DNS (for Internet resolution) or deploy OPENDNS as soon as possible.

Here is a quick and dirty plan of action:

1. Catalog the DHCP Servers you use on the Internet and internally. Be sure you check all branch locations, firewalls and DHCP servers to ensure that you have a complete picture. If you find any Internet facing DNS with recursive enabled, disable it ASAP!

2. Verify that each of these DNS implementations are patched or not vulnerable. You can check vulnerability by using the “Check DNS” tool at Mr. Kaminski’s page, here.

3. Test the patch and get it implemented as quickly as possible.

4. Note that you may have to upgrade firmware and software for firewalls, packet filters and other security controls to enable them to understand the new DNS operations and keep them from interfering with the new way that DNS “acts”.

Please note that the exploit for this cache poisoning attack in now public and exploitation on a wide scale could already be underway. PATCH AS SOON AS POSSIBLE!

Symptoms to look for include:

Vulnerability: unpatched and non-random source ports for DNS query responses.

Exploit: check for a large number of non-existent subdomains in your DNS records (or subdomain requests in your logs) if you are an authoritative DNS for a domain, attackers will be poisoning the cache with subdomain records at least according to some researchers.

If you have questions or concerns, please contact MSI for more information or assistance.
Updates to our DNS paper and other details will be released soon, so check back with stateofsecurity.com for updates.

MicroSolved is Hiring!

Posted on July 17, 2008 by Brent Huston

We are seeking a new member for our team of security analysts, engineers and consultants. This is a junior level, full time, salary position. We are seeking technicians with the following skills and interests. You do NOT need security experience, as we will teach the successful applicant our award-winning methodologies and approaches to information security.

What you bring:

Technical Skills:

Knowledge of Perl, PHP and/or Python or other programming language(s)

Knowledge of Windows and/or Linux/OS X/BSD

Understanding of basic IP networking, TCP protocols and network troubleshooting, etc.

Personal Skills:

Ability to work as a member of an elite team

Personal diligence, attention to detail and a dedication to learning and exploring infosec topics

Self reliance, initiative and the ability to pass a full background check

An already existing capability to work in the United States

Flexibility and great customer service skills

This position is located in Columbus, Ohio and physical presence is required. Some occasional business travel will be required, usually in 3-5 day increments.

What we bring:

A unique business casual atmosphere with the most dedicated, enthusiastic and technically capable team that you can find.

A full benefits package including health, life and disability insurance, 401(K) with match, performance-based bonuses, paid vacations and personal time and much more.

Ongoing training programs and involvement in the information security community.

How to apply:

To apply to join our team, please send your resume, a technical writing sample and salary requirements to “jobs [at] microsolved [dot] com”.

Be sure to include the writing sample and salary requirements as incomplete submissions will not be reviewed.

Please, no phone calls, headhunters or third parties.

We are only interested in talking directly to folks who want to join our team and are willing to make the personal commitment to be the best at what they do. If this does not describe you, then please, ignore this posting. 😉

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston