Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Ohio Votes Today

Posted on by
Reply

The day for the Ohio primary is here. With a ton of media attention focused on our state, a new voting process in place and the removal of the touch-screen systems our primary is certain to have its ups and downs today.

When we reviewed the security of the Ohio voting system, we did find some serious issues. However, the optical scanning systems from our review were less prone to problems under normal voting use than the touch screens. Therefore, we agree that the optical scanners are a more secure choice, especially in the way that our Secretary of State has outlined their use.

Voters in Ohio today should expect some lines and a small amount of confusion and hype. But, careful review of your ballot, care marking of your selections and following the published procedures should make the process easy, reliable and interesting. Our only words of caution are to ask for another ballot if you make a mistake and refrain from marking anywhere except in the square of your chosen candidate. Again, take a few moments and review the ballot before you turn it in.

The Secretary of State has taken great measures to ensure oversight and accountability for all votes and voters around our state. The various boards of election and other officials have also taken great steps toward improving the security of the process. They are all to be commended for achieving the progress we have made thus far, in such a short amount of time.

While there is still quite a bit of work to be done around electronic voting and elections security; today is a good day to look at the work we have done so far. Together, citizens, politicians and government can work to find a useful, reliable and secure way to continue the wonderful democracy that we, as Americans, enjoy.

Do your part. Vote. Stay engaged in the debate about electronic voting and don’t be afraid to let others know what you think…

Increase in European “Options” HTTP Scans from Linux Systems

Posted on by
Reply

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues. 

More Chinese Scans for Web Bugs

Posted on by
Reply

This morning I was checking through my usual HoneyPoint deployments and it was a normal day. As usual, the last 24 hours brought a large number of web application bug scans from hosts in China. They are the normal PHP discovery probes, some basic malware dropper probes against known web vulnerabilities and a ton of web server fingerprinting probes from various Chinese hosts.

China has now surpassed the US as the source of most global probes and attacks, a least according to Arbor. Check out the China profile here.

One of my close friends, JK, claims that there is a massive initiative underway in China to map the Internet on a global scale and to have a fairly up to date global vulnerability matrix for the world’s systems. While this could be true, and is certainly possible, with a large enough set of bot-infected hosts that dropped data back to a centralized database, it is an interesting thought.

For sure, these probes and scans exist on a global basis. Our international HoneyPoints pick up much of the same Chinese traffic as our US ones. Perhaps a quick check of some of your logs will show the same. Much discussion of pro-active blocks against Chinese address space is underway in several organizations. Perhaps this is something we should all think about?

Hardware Security Testing Presentation & MP3 Available

Posted on by
Reply

The pdf of the slides and the audio from yesterday’s presentation on Hardware Security Testing is now available.

You can get the files from this page on the main MicroSolved site.

Thanks to the many who attended and who sent me the great feedback this morning. I am really glad everyone liked the content so much!

Check out the next virtual event scheduled for March 25th at 4 PM Eastern. The topic will be 3 Application Security “Must-Do’s”.

Here is the abstract:

This presentation will cover three specific examples of application security best practices. Developers, security team members and technical management will discover how these three key processes will help them mitigate, manage and eliminate risks at the application layer. The presenter will cover the importance of application security, detail the three key components to success and provide strategic insight into how organizations can maximize their application security while minimizing the resources required.

We look forward to your attendance. Email info@microsolved.com to sign up!

Underground Cyber-Crime Economy Continues to Grow

Posted on by
Reply

I read two interesting articles today that reinforced how the underground economy associated with cyber-crime is still growing. The first, an article from Breech Security, talked about their analysis of web-hacking from 2007. Not surprisingly,  they found that the majority of web hacking incidents they worked last year were geared towards theft of confidential information.

This has been true for the majority of incident response cases MSI has worked for a number of years now. The majority are aimed at gaining access to the underlying database structures and other corporate data stores of the organization. Clearly, the target is usually client identity information, credit card info or the like.

Then, I also read on darknet this morning that Finjin is saying they have been observing a group that has released a small P2P application for trading/sale of compromised FTP accounts and other credentials. Often, MSI has observed trading and sale of such information on IRC and underground mailing lists/web sites. Prices for the information are pretty affordable, but attackers with a mass amount of the data can make very good incomes from the sale. Often, the information is sold to multiple buyers – making the attacker even more money from their efforts.

Underground economies have been around since the dawn of capitalism. They exist for almost every type of contraband and law enforcement is usually quite unsuccessful at stamping them out. Obviously, they have now become more common around cyber-crime and these events that have “bubbled to the surface” are only glimpses of the real markets.

It is critical that information security teams understand these motivations and the way attackers think, target victims and operate. Without this understanding, they are not likely to succeed in defending their organizations from the modern attacker. If your organization still spends a great deal of time worrying about web page defacements and malware infections or if your security team is primarily focused around being “net cops”, it is pretty likely that they will miss the real threat from today’s cyber-criminals and tomorrow’s versions of organized crime.

Laying the Trap with HoneyPoint Personal Edition & Puppy Linux Live CD

Posted on by
Reply

Recently, I have been capturing quite a bit of attacker probes and malware signatures using a very simple (and cheap) combination of HoneyPoint Personal Edition (HPPE) and a Puppy Linux Live CD. My current setup is using an old Gateway 333MHz Pentium Laptop from the late 90’s!

The beauty of this installation is that it lets me leverage all of the ease of a Live CD with the power and flexibility of HPPE. It also breathes new usefulness into old machines from our grave yard.

So, here is how it works. I first boot the machine from the Puppy Live CD and configure the network card. From my FTP server (or a USB key) I download the binary for HPPE Linux (available to licensed HPPE users by request), the license and my existing config file. That’s it – run the binary and click Start. Now I am set to trap attack probes and malware to my heart’s content!

It really is pretty easy and the new email alerting now built into HPPE allows me to remotely monitor them as well from my iPhone email. This makes a nice, easy, quick way to throw up HoneyPoints without needing a separate console or a centralized monitoring point.

This setup is very useful to me and has even got me thinking about adding a plugin interface to HPPE in future releases. That would essentially give you the power to write custom alerting mechanisms and even fingerprinting tools for attacking systems.

Give this setup a try and be sure to let me know your thoughts on HPPE. As always, MSI really wants to hear your ideas, input and feedback on our work.

Thanks for reading and have fun capturing attack data. Some of this stuff is pretty darn cool! 😉

Incident Reporting & Handling WorkFlows

Posted on by
Reply

I had an interesting conversation with a client today and they are planning to implement a web site that would give their internal employees a centralized resource for looking up how to report security incidents, building/facilities issues, HR problems, policy violations, etc.

They picture this as a web page with a list of phone numbers, intranet applications and other contact mechanisms for their staff to use to report issues. The conversation was around attempting to create a workflow or flowchart for decision making about how to report an issue and how to decide which contact method to use.

I know a few other organizations have created formal incident reporting and such for their employees. Would anyone care to share their decision trees or the like for incident handling and user training around this topic (sanitized, of course!)?

Thanks, in advance, for any insight on this. The client will be monitoring the thread and it may help others as well.

Risk Increase in Laptop Loss with Encryption?

Posted on by
Reply

There has been a bunch of buzz in the last few days about researchers who figured out how to retrieve crypto keys from RAM on stolen laptops. Several analysts have talked about this raising the risk for data loss from laptop theft and some are even questioning the effectiveness of crypto as a control. I think that much of this is hype and will prove to be overblown in the coming months.

First, the attack has some difficulty and knowledge requirements. This essentially makes it equivalent to a forensic technique and as such is well beyond the capabilities of basic attackers. It requires knowledge deeper than an average computer user or power user would possess. While this does not eliminate the risk, it does significantly reduce the pool of attackers capable of exploiting the vulnerability. Further risk reductions could be gained by understanding that the attackers must gain access to the device (what controls are in place for this?, what training have you done on laptop loss control?)  and the device must be in a sleep state or recently powered down (have you taught users to power down laptops completely when removing them from the office or other controlled areas?). Each step in training and additional controls further serves to reduce the risks from this vulnerability.

Vendors are also reacting to the problem. Many are identifying the key management processes in their products and moving to change them in such a way as to make them more effective with this attack in mind. Their results and effectiveness are likely to vary, but at least many of them are trying.

So, while laptop loss remains a potential data theft risk, even with crypto in place, it is likely to remain a manageable and acceptable risk if proper awareness controls are in place. So before you put too much stock in some of the “near panic” FUD levels some security analysts are shouting, step back, take a look at it from a rational risk standpoint and then identify what you can do about it.

This issue again reinforces that there aren’t any silver bullets in security. Nothing is “absolute protection”, even high level math. The only real way to do security is through proper, rational risk management…

Security Team Leadership Matters

Posted on by
Reply

Leading a team of security technicians can be a tough job, but in most corporations the manager of the team must also be an evangelist. The task of leading a security team often requires that the leader have a vision of the goals of the team and is capable of “selling” that vision both to upper management and the user base of the entire organization. Since many teams are led by technicians who have ascended through the ranks, they often have limited understanding of management needs and marketing approaches.

If you are such a security manager, here are a few tips to help you get started. The first one is a quick list of required reading. Leading the team means being a management consultant and an evangelist. To help strengthen or develop these skills, check out a couple of these titles:

The Macintosh Way by Guy Kawasaki – this is the Bible of evangelism from one of the greatest evangelists of the silicon age

The Idea Virus by Seth Godin – this book’s insight is the basis for viral marketing and can be a powerful tool for selling ideas inside of an organization, all of Seth’s work is great and could be helpful

A book about corporate structure and management goals – these are easy to come by and can vary by industry and organization type but a quick Amazon.com search is likely to reveal several that fit the needs

It is essential and critical that security team managers and leaders come up to speed on the needs and goals of management. It should be an immediate goal to learn the style and language of your management team. Only when you can act as a liaison and converse with them on their own terms can you begin the process of “selling” them on the security plan and process. Only when you understand them and have earned their trust can you begin to align security operations with the various lines of business and move further towards adding perceived value to their bottom line.

SQL Worms Continue to Raise Their Ugly Heads

Posted on by
Reply

For the last few weeks I have been watching old versions of SQL attacks, worms and probes continue to circulate around the Internet. For a year or so now, I have continued to be fascinated by the life span of old attacks and worms. I have written a couple of articles about how our HoneyPoints continue to capture both NIMDA and Code Red worm traffic.

The thing about these SQL worms is that their traffic is so large, even today. According to popular sources like ATLAS, they represent nearly 70% of all malicious traffic on the Internet today. 70% is a large number, especially for vulnerabilities that date back to 2002. Here we are more than 5 years later and these threats are still propagating!

Port UDP/1434 is still the most commonly threatened port according to ATLAS, which I find hard to believe. Our HoneyPoint experience shows that ports 25 and 80 are the most frequently attacked, unless you add in the myriad of Windows RPC noise you get on the Windows SMB and RPC ports. Maybe ATLAS does not include spam or PHP probes in their attack statistics?

While I am unsure of the frequency of global 1434 attacks, it is very true that the traffic is still around. Our HoneyPoints often detect Slammer worm activity and illicit SQL probes from the Internet. These probes originate from all around the world and no particular region seems to emerge as the most common, though we should study these frequency statistics more deeply when time allows.

But what of targets? How many SQL server instances are still exposed to the raw Internet? Our assessment technicians say they almost never run into one in corporate environments today. I suppose that they still exist in more than a few cable modem or other systems without proper firewalls, but certainly the availability of SQL services to the raw Internet has to have dwindled to almost none. If that is true, then why all the scanning activity?

I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common bot-net infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank “sa” passwords and other age old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive.

In either case, significant efforts should be made to reduce or eliminate these older vulnerabilities and to remove them from our current threats that we face today. So long as we have this noisy attack traffic from the past circulating, it makes it even harder for us to focus on emerging threats and risks that affect our Internet facing systems today. It is simply one more set of alerts, log entries and intrusion deception emails to sort through…