Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

A Couple of Interesting Developments

Posted on by
Reply

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some short cuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive!  — Just a reminder!

Noel Brings Reminder to Review DR/BC Plans

Posted on by
Reply

For those folks on the east coast, Hurricane Noel should probably figure into your weekend plans. The storm is looking like a near miss for much of the eastern seaboard, but should be a strong reminder for folks to review their Disaster Recovery and Business Continuity plans for currency.

If you look in your policies folders and don’t see a DR/BC plan, now might be a good time to form a task group for making them. Given the wacky weather patterns lately, they might prove to be handy in the future. At the very least, you can rest a little easier just knowing they are there.

For those folks wondering what I am talking about, click here for more info on the storm.

If you want to do more reading on DR/BC policies, check out this wikipedia article.

Slight Increases in SSH Probes

Posted on by
Reply

Our HoneyPoints have been picking up slight increases in the probes and brute force attacks against port 22 – SSH. We are seeing increases in wide scale SSH scans and attacks against common login/password combinations.

Now might be a good time for folks to take a look at their perimeter and make sure no one has poked an SSH exposure through. If you have some, they should be immediatly audited for common account use. Treat any system with these issues as likely compromised and initiate an investigation.

Most of these compromised systems are used for further scanning and many have bot-net clients installed. Keep an extra eye on your logs for obvious forms of bot-net traffic, such as IRC connections, odd ports and outbound half-open TCP connections.

Things You Need to Know about Bot Net Attacks

Posted on by
Reply

Bot nets are one of the most common forms of compromise on the Internet today. Bot networks grew out of the explosion of home and user systems and the common availability of high speed Internet connections. Basically, they are little more than systems that attackers have compromised and put under their control that use some type of mechanism to get new tasks or commands and report their results.

Mostly, bot infected computers are home systems that attackers often use for scanning other systems, sending spam or performing other illicit activities. Often, the controller of the bot systems will rent or sell the bot services to others. No matter if they use the systems themselves, or sell their services – usually the master is after one thing, MONEY.

That’s right. They make money from the illicit use of YOUR system, if it belongs to a bot network. They use your hardware and your bandwidth, and they receive the returns. Even worse, if your system would be used in a serious crime, there may be criminal and civil penalties for YOU. While case law continues to grow on this, it appears there may be some capability for some victims of the bot net to come back at you for failing to adequately protect your system – which ultimately caused them damage.

So, the big question is – how do home users protect themselves from bot infections and the other issues associated with them? Primarily, they do by following this advice:

  1. Ensure that your computer has a firewall and anti-virus at all times. Make sure the firewall is engaged and that the anti-virus software is up to date.
  2. Keep your computer current on patches. Turn on the auto-update capabilities of the operating system and make sure you patch your applications if they have available update mechanisms as well. This is a lot like safe sex in that failure to be safe even once can have long term implications on your security.
  3. Consider using a browser that is somewhat hardened or hardening your browser. There are a ton of browsers out there, and a ton of tools for hardening the common ones. Check them out and make sure your browsing tools are protecting you against attack. Don’t use default installs of IE or FireFox – configure them for higher protections, if at all possible.
  4. Consider other security tools and mechanisms. You need spyware tools and other security mechanisms if you travel. Spend some time reading about mobile security and apply what you can to your life.
  5. If in doubt, rebuild your system. THIS IS CRITICAL – there are simply some things that can be done to a computer that impact the long term security of it. If you have doubts about your system’s security – rebuild it and protect it from the start. If you know you have an infection or problem – backup your critical data and rebuild. It is much easier than most other solutions.

Take these steps and some basic vigilance and apply them to your computing experience. Bot nets will continue to be a primary threat to Internet users, but being smart about them and aware of the defenses makes you less likely to be a victim.

WatchDog Content Moving to StateOfSecurity.com

Posted on by
Reply

If you are a regular WatchDog product user, then you may already know this, but on November 1, 2007 MSI will move all WatchDog content to this blog and begin to phase out the WatchDog client program.

This is being done to simplify the use and access to the information and to enable users to easily leverage our threat intelligence offerings via RSS and other popular mechanisms without using our locked-in client.

The same information that WatchDog has brought to you for years will continue, but hosted here instead of through the WatchDog client. It will also be stored in the emerging threats category – thus making it easy to subscribe or filter on.

We hope you continue to benefit from our work and insights, and please, let us know how you like the WatchDog content and if we can do something better or more helpful with the data.

Do It Yourself Identity Theft Protection

Posted on by
3

By now you have probably heard the commercials. The CEO of the company gives you their social security number to prove that they have his identity locked down. He is so confident in their process that he is willing to give the world his name, information and SSN.

I probably get asked twice a week about this service, so I decided to take a look at it a bit closer. What I found was a pretty easy manipulation of the credit management system in the US combined with some customer service and consumer offloading of tedious work. What does that mean? It means that you can outsource your identity theft protection to them or you could save $10 a month and do it yourself – IF YOU REMAIN VIGILANT.

How does it work? It works like this. Inside the US credit reporting system, there exists a  mechanism called “fraud alert”. This mechanism can be placed on any account, at any time, by the consumer. The purpose of the mechanism was originally to give people who have already been a victim of identity theft a tool for ensuring that no further damage would occur. The mechanism works like this:

  1. The consumer, or someone with their power of attorney, contacts the major credit reporting agencies and requests a “fraud alert” be placed on their account.
  2. The credit agency places the “fraud alert” on the appropriate credit file. There is no charge for this, it is required by law.
  3. The credit agency MUST contact the consumer prior to approving any change, addition or new activity on the consumer’s account. Failure to do so is a violation by the credit agency of federal lending laws.
  4. The consumer must either approve or disapprove the addition or change. If they disapprove, the creditor should refuse the account activity – THUS STOPPING THE FRAUD.
  5. ** PAY ATTENTION TO THIS ONE ** The credit reporting agency removes the “fraud alert” after 90 days from the date of placement. The consumer, or their legal agent, may renew the “fraud alert” at any time after that 90 day period.

So, that said, you could save the $10 per month and contact the credit reporting agencies yourself. You simply call them and ask that the “fraud alert” be placed upon your own file. If you do that every 90 days, you will have protection from credit attacks caused by identity theft. The key is, you HAVE to do it every 90 days. Miss a day, and you have exposure…

Before you run to the phones, you should also know that having the “fraud alert” on your accounts can be a bit frustrating if you actually want to use your credit or open new loans, accounts, etc. Sometimes, creditors will simply refuse the accounts until the “fraud alert” is removed – regardless of your consent to open the account. Other than that, it is a pretty tight mechanism for protecting your information.

There has been a lot of media attention to the company in question that has made this service popular. They seem to be everywhere. Their marketing is certainly working – though I would estimate, mostly due to consumer fear. My guess is that it won’t be too long until the fears they seem to be playing to will lead to saturation and slower growth, but my friend Alex always told me “You can sell just about anything for $10 a month.”

So, at the end of the day, is this a service you buy or a task you manage yourself? Is it worth worrying about, or is it something you deal with if you have a problem? Only you can decide if you are capable of managing the work or if you would rather have someone do it for you. No matter what you decide, at least you know the facts. As with most security things, it is less magic and mystery and more of a common thing.

Should you decide to do it yourself, here are the contact numbers for the three primary credit reporting agencies and for the primary checking account verification house in the US (same thing applies)….

Equifax – 1-800-525-6285
Experian – 1-800-422-4879
Trans Union – 1-800-916-8800
Chex Systems (check fraud management) – 1-800-428-9623

VMWare Virtual HoneyPoint Host Appliance

Posted on by
Reply

MSI is proud to announce a VMWare appliance based on Damn Small Linux (DSL) for HoneyPoint hosting.

The VM appliance is available free from the HoneyPoint FTP site provided in your license documents. The appliance currently has all available HoneyPoints installed and configured to autostart with the installation.

Root and “dsl” account passwords are “hpss”. Obviously, please change the passwords when you configure the system!

All HoneyPoints have basic configurations provided, and will need to be edited for the location of your console. Currently, they point to 127.0.0.1.

The appliance is capable of being used in any of the VMWare products from Player to ESX and includes use in the OS X Fusion environment.

You can use the VM to emulate entire workstation(s) on the network using Player and such, or use ESX to sprinkle them around your virtual environments en masse. The image is smaller than 60Meg and needs less than 128 Meg of RAM at full utilization. In testing, we easily ran 10 of them on older machines still waiting in the lab for death or recycle….  😉

Let us know if you have any questions, or comments. We really dig this idea and folks seem to really want it.

Book Review: IT Auditing by Davis, Schiller & Wheeler

Posted on by
Reply

This book is an interesting read, especially if your organization is concerned with SOX, GLBA or other regulations. It is written in the Hacking Exposed series style and features excellent examples and a user friendly layout.

Detailed examples of how to audit systems, applications and policies lie inside. From the basics of the audit process and function to command-line details, it’s all here. All the layers of the IT department are covered, in deep enough detail to be useful.

If you are new to IT auditing, this could become your handbook. If you have been around the block a few times, it is still likely you will find something new inside. Published by McGraw Hill and Osborne, the book is well worth the $59.99 cover price. It should do fine for a fireside read.

A Month in the Life of a HoneyPoint Deployment

Posted on by
Reply

Hello. I am a HoneyPoint deployment. My administrator has deployed me on a small business network of a financial institution. I have around 25 HoneyPoints deployed throughout their network, all reporting back to my console. It has been an interesting first 30 days of my life, indeed.

It all started when I was initially deployed. The admin started my listeners on a small group of servers and a couple of virtual workstations. Almost immediately, there was trouble! In my first few hours, I picked up scans of my web server psedo-service HoneyPoints. I was getting continually bombarded by four workstations from the sales group that were probing my pseudo-web services for a whole bunch of PHP files! I alerted the admin, and she found that those four laptops had been infected with an evil bot-net that was systematically scanning our networks for vulnerable PHP applications that the human controllers would later exploit. Good thing I came online when I did, because those four sales folks had just returned from a conference in Las Vegas, and it looks like their systems should have been running my younger cousin HoneyPoint:Network Trust Agent, because they had really been compromised. Ah well, what happens in Vegas, stays in Vegas I always heard. I guess not this time.

All went well for a couple of weeks, but then I had to alert the admin again. This time I had some joker consultant who was poking at my SMTP HoneyPoints. From the looks of it, that guy was trying to send email to the Internet and was looking for an open mail relay inside our network that would let him get through our firewall. The admin had a stern conversation with him and he behaved from then on.

Then, things got really exciting!  Yesterday, a new event came into my proxy from our DMZ segment. My admin had stealthily added some HoneyPoints into the DMZ that listened for SQL database traffic on the appropriate ports. Sure enough, I suddenly caught wind of some odd packets that were hitting my listeners out there. Nothing sets me off like SQL traffic to systems that are not running SQL. I hated to have to bother the admin again, but she told me afterward that her old IDS used to send her thousands of alerts a day (and many of those were false positives!!!) – so I didn’t feel so bad after all when I sent an email to her cell phone with the news.

She came running and through some quick analysis found that an attacker had compromised one of the web-applications in the DMZ and had gained control of the web server! Of course, not knowing that I was on guard, they began to use SQL tools to search for database servers that might hold valuable data – like human credit card numbers or something called Social Security Numbers. Either way, their plan was foiled and my admin took the web server offline and rebuilt it – this time with the missing patch for the web-application hole.

So, that’s my story so far. Not too bad for my first 30 days, huh? Who would have thought that I would have such an interesting story to tell. I always feared I might not see much action, but it looks like I have found my home. I have a good admin, a cool server rack and enough security work to keep me busy. Heck, since I don’t have any signatures to update and don’t require my admin to do more than “deploy and forget” about me, I wonder what she will do with all of her new found time? Maybe she will take up a new hobby, or get to learn about something called vacation. No matter, I will be here, ever vigilant, just waiting for the next security issue to arise. Yes, sir, who could ask for more?

Blast(s) From the Past

Posted on by
Reply

A few of my HoneyPoints delivered an interesting blast from the past to me this morning. Around 2pm Eastern yesterday, one of our IP ranges got hit by a scan with this signature on port 80:

GET /level/16/exec/-///pwd HTTP/1.0

The web connection was then followed by a series of connections on port 23, though the tool did not do anything more than banner grabbing on the telnet port.

While the scan was obviously an attempt to exploit the old Cisco HTTP vulnerability (circa 2001), I had not seen probes for those issues in quite some time. I also had not seen a tool that also connected on port 23 of the same host and did banner grabbing, so thus why this stood out above the usual noise.

This brought about a very interesting point that many of these old vulnerabilities are making comebacks. Scans for old web vulnerabilities like Unicode issues, Double Decode, Code Red and the ASN.1 worm continue to be among the most seen probes on the Internet. Other folks have talked about the idea that perhaps as more third world countries become more Internet connected, that technology may not be updated there as rapidly – which could cause the lifecycle of older vulnerabilities to either be reborn or at least, eek out a longer existence. Could ancient vulnerabilities like RDS and .HTR buffer overflows still be leveraged for Internet compromise? The possibility is high that some small percentage of systems is likely available as a vulnerable target.

Does this mean that vulnerabilities will have a lifecycle that approaches infinity? If there are still systems out there that are vulnerable, why would some attacker without general worries of discovery not just keep building a super-worm that continually crawls the net looking for every known web vulnerability to date? If incorporated and distributed through bot-net style approaches, this is likely pretty feasible – particularly if you can make the attack smart enough to adapt its vulnerability testing to the specifics of a target – much like a modern scanning tool.

How will some of these older vulnerabilities fair? It remains to be seen, but my bet is that blasts from the past are likely to keep on rolling in some diminutive way. Let’s just say that I think it will be a long time before we live in a Code Red free world.