Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

0wned By a Picture Frame & Other Digital Errata

Posted on by
Reply

First it was Trojan firmware on network routers, firewalls and other network appliances. That was followed by attackers installing trojans and malware on USB keys and then dumping them back into those sale bins by the registers. Now, SANS is reporting that a number of digital picture frames sold by retailers were pre-infected with malware, just waiting to be mounted on a PC during the picture loading process.

As we have been predicting in the State of the Threat presentations for more than a year, the attackers have found new and insidious ways to turn the newest and seemingly most benign technologies into platforms of attack. Now that just about everything from refrigerators to washing machines and from toasters to picture frames have memory, CPU and connectivity – the vectors for malware introduction and propagation are becoming logarithmically more available. As computers, mesh networks and home automation continue to merge, we have to think differently about risk, threats and vulnerabilities.

Until we as security folks can get our head around overall strategies for securing the personal networks and tools we become more dependent upon each day, we have to rely on point tactics like wiping drives when we get them, reloading firmware on all devices – even new ones – from trusted vendor sources and doing the basics to secure home and business networks and systems. Hopefully, one day soon, we can build better, more proactive solutions like integrated hashing, malware identification and other mechanisms for alerting users to basic tampering with our devices. While we geeks are getting the wired world we always dreamed of, we are learning all too quickly that it comes with some unexpected risk…

Commentary on Security Assessment/PCI Scanning RFP Processes

Posted on by
Reply

Since MSI is a PCI scanning vendor, we are often included in various RFP/RFQ processes for the purchase of network scanning and assessment services. Over the last couple of years, one problem continually seems to raise its ugly head in RFP after RFP.

That issue is the lack of clarity in the RFP. Usually, the RFP issuer does not want to clarify the number of systems, applications, IP addresses or other relevant materials to the vendors. They want to keep that information private until after they award a contract. Below is a response I wrote this morning to a particular RFP issuer who is following this same pattern. Please read it and feel free to comment on the process, my response or any other items. I truly believe that only through communication, debate and eventual education can we find ways to take the customer and vendor pain out of these processes. Here is what I wrote in response to their posting about not wanting to reveal the number of IP addresses, except to the winner after the contract is awarded:

*Paste*

While I appreciate your process, I would suggest to you that your approach is not likely to achieve the best value for your organization.

Since you are choosing not to disclose the number of IP addresses to be assessed until after the winner is chosen, you essentially remove the very metric that the majority of scanning vendors use to create pricing models.

Thus, you force vendors to either respond with an hourly rate, or you force them to estimate the work and resources required. There is a risk to them and you in this estimation process. Their risk is that they could under estimate, thus causing themselves undue financial burdens. Your risk is that they will consistently overestimate, thus raising the prices that you get for a comparison and increasing the overall cost of the services you receive.

Of course, another possibility exists – that some vendors with ethical issues might respond to your lack of information by attempting to footprint your network and IP spaces to gather the relevant information themselves. Depending on their skills, tools and moral compass could cause a myriad of problems ranging from network congestion to denial of service attacks (inadvertent) as the various vendors who fit this model identify and map your visible Internet presence.

In our experience, the more information and clarity you can achieve in your requests for pricing information, the better. The clearer the scope of work, the more focused and relevant the responses will be and the more “real world” the costs. In every situation where we have seen prospects use the RFP process as a veil, the resulting engagements are damaged by scope creep, misunderstandings, miscommunications and higher than average costs in money AND relevant resources.

The most often quoted reason for RFP ambiguity that we have heard over the last 15 years is that the issuer did not want to “expose details to attackers”. After more than a decade and a half in this business, I have learned from experience that attackers already have exposure information. If they want it, they will simply map the network and gather it. They will also do so in ways that have little to no respect for your business processes, customer uptime commitments, maintenance schedules and other potential impacts to your business.

All of this said, again I respect your process and your right to proceed however you choose. Perhaps your intentions or requirements are not as presented above – which is fine. I simply wanted to address RFP/RFQ processes at large and I hope this information sparks discussion and comment among vendors and end-customers of security services alike.

*End Paste*

I went on to thank them for their inclusion in the process and to invite them to comment on this blog about the content. I hope they, and others do so. Please let me know your thoughts on this and other issues around RFP ambiguity. I would love to create a discussion between both vendors and customers about their ideas and feelings on the process!

** Reminder ** – New Systems Should Be Patched Before Use

Posted on by
Reply

Please remind teens, kids and adults who might receive computers for the holidays this year to patch them before general use. They should ensure that software and network firewalls are in place before connecting them to ANY network.

They should also ensure that they have anti-malware software that is up to date for any and all operating systems (even Linux and OS X) and that they follow other general guidelines of safe computing.

Remember, fight the urge to save the safety speech for another time. If the system gets compromised while they are using it for a test drive – being safe later will likely not help them be protected against bots, identity theft and other illicit computing dangers. It only takes one moment of exposure to compromise the system on an irreparable scale.

Happy and safe holidays to everyone. Have a joyous, peaceful and wonderful holiday season!

Storm Worm Goes Active Again and Odd Port 56893/TCP Probes

Posted on by
Reply

Two fairly interesting items tonight:

1) SANS is getting reports that the Storm worm is active again. This time sending messages attempting to draw victims to the “merry christmasdude.com” <take out the space> domain. As of 10:30 PM Eastern tonight, the domain is being flooded with traffic, but appears to be functional. SANS is suggesting applying domain blocks to the domain, and it would probably be good to add mail and other content filtering rules as well, if you are still using the blacklist approach. Here is the whois for the domain:

Domain name: MERRYCHRISTMASDUDE.COM
Creation Date: 2007.11.27
Updated Date: 2007.12.17
Expiration Date: 2008.11.27
Status: DELEGATED
Registrant ID: P4DHBN0-RU
Registrant Name: John A Cortas
Registrant Organization: John A Cortas
Registrant Street1: Green st 322, fl.10
Registrant City: Toronto
Registrant Postal Code: 12345
Registrant Country: CA
Administrative, Technical Contact
Contact ID: P4DHBN0-RU
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008@yahoo.com
Registrar: ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.24 06:17:35 MSK/MSD

2) Also, on a secondary note, we are getting a rapid increase in probes to TCP 56893. This port has been a known port for an SSH trojan and botnet deployment in the past. This may be related to the Storm worm activity or may be another bot group gearing up for activity.

It looks like the holiday is likely to bring a high level of increase in bot activity and as always, attackers will be looking for new machines received as gifts that will suddenly appear online and may be missing a patch or two. Make sure you give some advice to new techies and computer owners this holiday – patch early, patch often and make sure you build layers of defense against today’s emerging threats!

Ohio Voting Systems Review (EVEREST)

Posted on by
Reply

MicroSolved, Inc. announced today that it has completed its assessment of the security of Ohio’s electronic voting systems. The testing, a part of project EVEREST, was lead by the Ohio Secretary of State’s office and was designed to seek a comprehensive, independent and objective assessment of the risks to elections integrity associated with Ohio’s voting systems. The project leveraged MicroSolved’s advanced methodologies and in-depth experience to perform “red team” penetration testing of the voting systems. MicroSolved emulated various attacks against the voting systems and analyzed the impact of these attacks on the confidentiality, integrity and availability of the voting systems and their elections data.

While the study revealed several critical security issues in the various elections systems, MicroSolved also identified specific strategies for mitigating or managing these risks. “By applying the identified mitigation strategies, all of the administrative stakeholders in the elections process have an opportunity to demonstrate their commitment to the integrity of Ohio’s elections.”, said Brent Huston, CEO of MicroSolved. “While these strategies require hard work, significant investment in resources and continued vigilance, they represent the best approach to creating truly secure mechanisms for electronic voting in Ohio.”

“We appreciate the opportunity to participate in the EVEREST project and to help the Secretary of State further her goal of restoring trust in Ohio’s elections.”, Huston added.

For information about the specifics of the project, MicroSolved’s role and findings, please see http://www.microsolved.com/everest/.

Bad News in Trends of 2007

Posted on by
Reply

The infosec community got some bad news today in the first release of trends for 2007. Overall, things are not going as well as we would like. Attacks continue to rise and successful compromises that end in data compromise are up.

Attackers seems to have fully embraced client-side attacks and bot-nets for performing illicit activity and laptop theft is also seen as rising. As expected, identity theft is rapidly becoming a huge criminal enterprise with an entire underground economy emerging to support it.

Reports came out today that showed that malware attacks have doubled in 2007 and that data theft rates have TRIPLED!

From our standpoint, this validates that existing traditional security controls based around the perimeter simply are NOT WORKING. We must establish defense in depth. We must embrace enclaving, encryption of sensitive data and portable systems and establish proactive security mechanisms that can raise the bar of compromise out of the reach of the common attacker. Until we begin to think differently about security, data protection and privacy – these trends remain likely to increase even further.

A Plethora of New Issues for Today

Posted on by
Reply

It’s been a busy morning for vulnerabilities so far. We are tracking new vulnerabilities in the following applications:

Squid Proxy – a DoS problem has been identified in the ICAP implementation that could allow attackers to spike the CPU of the server, a patch is available and should be applied on your next maintenance process

Samba – A buffer overflow in Samba version 3.0.27a allows remote execution of code if the “domain logons” option is enabled, patches are available on the Samba site for the problem.

WordPress – A SQL injection has been found in the charset implementation. Dumping the database is possible and when combined with other exploits already available can allow remote compromise of the WordPress Admin password. There is a workaround, but it is very specific to each WordPress deployment, so check the WordPress site carefully for info on this issue.

We are also tracking a few new tools of interest, that might increase some of the scan and probe traffic over the next few weeks while attackers play with their new toys. They are:

HttpRecon – a tool for advanced web server fingerprinting, likely to increase web server probes as the tool is examined and included into other tools

BurpSuite – a new revision of this tool for testing websites for things like SQL injection and XSS is now available, likely to cause scans for web application problems

EchoVNC – a firewall, proxy and network access control avoidance enabled version of the VNC server has been released, this is likely to be a useful tool for attackers and bot-masters as they compromise networks

Lastly, Microsoft is releasing a large load of patches today. Amongst them are 3 remotely exploitable “critical” patches. Look for exploits and such to follow very quickly if they are not already available. Wide scale exploit distribution and inclusion into bot-net clients is likely to follow in the next few days. As always, patches should be tested and applied as soon as possible.

Evolution, Maturity and Rethinking the Problems…

Posted on by
Reply

I have been following a number of attacker trends and I see a potential point of convergence just over the horizon.

Most especially, I think that an intersection is likely to occur between bot development/virtual machines/rootkits and man-in-the-browser. My guess is that a hybrid juggernaut of these technologies is likely to emerge as an eventual all-in-one attack platform.

The use of these technologies alone are already present in many attack platforms. There are already a ton of examples of bot/rootkit integration. We know that man-in-the-browser has already been combined with rootkit technologies to make it more insidious and more powerful. If we add things like installation of illicit virtual machines, evil hypervisors and other emerging threats to the mix, the outcome is a pretty interesting crime/cyber-war tool.

If all of these problems would come together and get united into a super tool, many organizations would quickly learn that their existing defenses and detection mechanisms are not up to the challenge. Rootkit detection, egress traffic analysis, honeypot deployments and a high level of awareness are just beginning to be adopted in many organizations whose infosec teams lack the budgets, maturity and technical skills needed to get beyond the reactive patch/scan/patch cycle.

Vendors are already picking up on these new hybrid threats, much like they did with worms – by offering their products wrapped with new marketing buzzwords and hype. We have heard everything from IPS to NAC and hardened browsers (that mysteriously resemble Lynx) to special network crypto widgets that provide mysterious checksums of web transactions with other users of the special widgets… I don’t think any of these thigs are going to really solve the problems that are coming, though some might be interesting as point solutions or defense in depth components. My guess is that more than a few of the currently hyped vendor solutions are likely to be practically useless in the near future.

The real problem is this – security team maturity needs to be quickly addressed. Attackers are nearing another evolutionary leap in their capabilities (just as worms were a leap, bots were a leap, etc…) and we are still having issues dealing with the current levels of threats. It is becoming increasingly clear that we need to have infosec folks start to think differently about the problems, learn more about their adversaries and embrace a new pragmatic approach to defending data, systems and networks.

Maybe we need less whiz bang technology and more Sun Tzu?

Buffer Overflow Ouchies for Skype and HP OpenView

Posted on by
Reply

Two traditional buffer overflow vulnerabilities have emerged today. The first is in the Skype product. It suffers from a heap overflow in the skype4com module. Attackers can exploit this by getting users to visit a malicious page, triggering the overflow. Obviously, Skype users should beware of any links, files or other items sent to them through the Skype network. User awareness of issues with trusting Skype content is the best solution, if your organization allows Skype at all.

Skype users should ensure that they are running the most current version, which is protected from this attack.

The second buffer overflow, this one in HP OpenView’s Network Node Manager, only impacts the following versions:

HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000, Windows XP, and Linux

Attackers can leverage this issue to execute arbitrary code on the vulnerable system. Patches are available through the OpenView support site. Patches should be applied as soon as possible!

Cisco’s PCI Ultimatum Movie was a Big Hit!

Posted on by
Reply

The movie premiered in Columbus yesterday and seemed to be a great way to learn about PCI requirements.

It was hilarious to see people you know on the big screen.

Check it out when it comes to a city near you. You can check out the trailers and such at http://www.businessofsecurity.com.

We have put up a separate blog site to follow the movie as it tours and to give follow up info. You can check it out at http://pcimovie.blogspot.com!

Respond in comments and let us know what you thought of it!

Added Note: It is our CEO who gets killed in the opening scene, persistent isn’t he…  😉

Also, the movie premier followed our State of the Threat presentation yesterday morning, adding even more info to what has quickly become one of the leading edge security presentations around!