As an exercise last week, 5 members of the MSI penetration testing team got together for a lunch hour exercise. The results were well worth noting.

In just under 1 hour, the team set forth to find out how many web-based application security issues they could identify in public sites. The rules were that they could not use any search engines, scanning or tools except the browser. Obviously, they could only footprint for the vulnerabilities and not verify or exploit them. However, since foot printing the presence of application issues is usually quite accurate, the data should be viewed as serious.

The sites they could target were also focused to common sites, and the list was adaptive – for example, several times they would find that several types of sites would be vulnerable, after they had identified a few of those types of sites, then further counting those types of sites would be off the table, so to speak. This ensured that the gathering did not get focused on specific types or trends of sites.

The team had decided beforehand that they would focus on three specific types of web-application issues: SQL injection, bad error pages that leaked too much information and cross-site scripting. All three of these issues are contained in the OWASP top 10 vulnerabilities.

Here is what they found:
•    12 bad error pages – we were surprised there were not more of these, but a dozen was bad enough and we were pretty stringent on what qualified, the leaking data had to be pretty egregious.
•    2 SQL injections – one revealed an underlying MySQL database in the error message, the other showed an ODBC error and revealed some source code for a connection to Microsoft SQL Server.
•    28 cross-site scripting issues – these were found so often that they kept us hopping to keep count of them, it seems that many many common sites suffer from XSS vulnerabilities. It is no wonder attacks leveraging them have become so common.

There you have it – 42 vulnerabilities in under an hour! Some of the sites identified were government sites, popular retailers and all kinds of other sites. I guess it just goes to show that we still have some to work to do…

If you have not seen this yet, it is a pretty funny piece about just how stupid some of the TSA travel rules are. I have been railing against the security through theater of the TSA routines and the seeming madness of some of their decisions, bad moves and general practices for some time now. I truly believe that much of their efforts have been in vain, and that very few of their moves have truly significantly lowered any overall risks.

But, so I don’t get off on a rant here, take a just under 5 minutes and enjoy the humor!

SNL Video from YouTube!

Please feel free to comment and give feedback on the blog. The comment and feedback system was repaired yesterday. Sorry for the issues.

I have been paying attention to the way the US Government has been managing their cyber-security lately. I guess, since they have such a large responsibility to maintain security that I continue to be amazed at the poor examples that they set for others. How in the world can they expect organizations and businesses to maintain security when they cannot seem to do it themselves, even in the most critical of circumstances?

As an example, here is a recent article in the news about the TSA (a division of Department of Homeland Security) losing a hard disk full of employee private data. The identity of TSA employees, given their mission critical role in the War on Terror, I would assume is a fairly important piece of data for TSA to protect. How can government staffers and Congress rail against organizations losing back-up tapes and databases of information when the very people who are supposed to protect us show an example so egregious as this one?

I was reminded of this topic yesterday when on a visit to a website that is managed by the US Secret Service, I cut and pasted the URL between virtual machines in one of my virtual labs. In the cut and paste mechanisms, unbeknown to me, some character encoding was performed and the URL I was attempting to view got munged. Much to my shock, the web site in question spits out an incredibly in-depth application error page! The error page was a default .NET error page that revealed code, specific version information about the server, the applications and the environment. Now many of you might say “So what?!?”. Well, my answer to that is that bad error pages that display too much information are a basic component of the OWASP Top Ten issues that define the most common security baseline for web-based applications and web servers. Why in the world would an organization with the security requirements of the US Secret Service be missing such a simple issue? I can only hope (though I seriously doubt) that it is because they have performed an adequate risk assessment and identified this specific server as being of such a low risk that simply configuring it to spit back a standard error page is not worth the effort. How likely do you think that might be?

If you do some simple Google searches around US Government security, you will find all kinds of bad examples. I know that their attack surface is immense, their threat models are severe and that their resources are limited, but I truly hope they begin to address some of these basic issues. I really think they should be in a position to set an example of proper security and data protection and be more of a role model for how it is done. I would much prefer that to the way it is now. What do you think?

A security researcher has revealed the details and mechanisms for a technique to circumvent multi-factor authentication on some banking and other web-applications. The attack depends on the fallback to a secret question type of authentication when no cookie or token is available for the user. The researcher has demonstrated using the technique to perform successful phishing attacks against some systems.

The attack heavily leans on the fallback mechanism that many organizations have put in place to allow customers to skip multi-factor mechanisms and resort to a single secret question – though it could also be used against sites that fallback to passwords or other single factor mechanisms. If your organization uses fallback access tools that are only single factor – this could be a serious risk to you.

The fact that the attack technique was made public means that copycat and attack evolutions are very likely. Certainly, we will see probes of authentication fallback mechanisms and web-applications go through yet another rise in probes and scans. The resources required to perform the attack vary little from traditional phishing, and any development required to code the proxy mechanisms is likely to happen fairly quickly.

Organizations should carefully inspect their authentication mechanisms and configurations and should consider eliminating single factor fallback if that is an option.

You can read more about the researcher, the attack and the mechanisms used here.

ISS and TippingPoint seem to be battling it out publicly over the ethics of hacking contests, buying exploits and responsible disclosure.

This is a discussion that has been a long time coming. Companies like TippingPoint and others who buy zero-day exploits and sponsor hacking for money contests and the like seem to be very shortly distanced from people or companies who release exploit code and tools that make attackers better at what they do.

I think that it is high time that someone holds the ethics of these firms and individuals feet to the fire, so to speak. How companies or people can create attack tools, sponsor the creation of zero-day attack code and teach attack techniques to the public while still saying to customers – “trust and pay us to protect you” seems pretty odd to me. It certainly makes me think of movies where small business owners pay large men with baseball bats for “protection”.

While the bat may have changed to computer code, I just don’t see how making attackers more effective, funding underground research and encouraging attacker behaviors are responsible, ethical and proper for those persons and organizations that claim to be out to protect businesses from such attacks.

I have been hearing a lot of questions lately about how to create effective awareness programs inside your organization. To most companies, this is a very difficult task. Here are three strategies to make this easier for everyone and a whole lot more effective than what you are likely using now:

1) Ask your employees. Hold a few round table sessions with various randomly selected employees. Stress to them the importance of information security awareness and ask them what they think would be effective to reach into their peers. You might just be surprised by what they have to say. Incorporate some or all of their ideas into your program, of course, with appropriate metrics and monitoring. Don’t be afraid to embrace these new mechanisms, they are often hidden gems.

2) Think like marketing. Stop thinking of security awareness as a security function. Only the message/content is security, the rest is plain old marketing. Include your marketing department in the process. Actively engage them in the process of selling security to your employees. It makes a world of difference. Also, on this note, make sure you support their efforts to tune and refine the message and profile the employee audience. Those traditional marketing approaches may seem fuzzy to security folks, but they are what clearly separate the wheat from the seed in this undertaking.

3) Embrace new technologies and multi-media. Face it, if posters and such worked so well, the problem would be solved already. The fact of the matter is, you need multiple forms of contact with the employees to cause change and sell them security concepts. The more mixed media and content with common themes, the better. This simply works. Think about it, again from marketing terms – does Coke just use posters to sell sugar water? No, they use a variety of media and messages with a common theme to get people to drink their products. Do what works; don’t be afraid to move beyond posters and meetings to really make awareness work for you and your organization!

For more than a year and a half now we have been traveling the world, talking about HoneyPoints and the fundamental change that this technology represents to providing internal network security and threat detection. What a long road it has been…

Over the last 18 months, we have had an incredible amount of success in capturing emerging theats, helping companies spot compromises and evaluate their attackers. We have learned a lot about internal attack motivations and mechanisms and we have seen first-hand the power of HoneyPoints to really free organizations from the overhead and false-positive nightmares that signature-based Intrusion Detection has come to represent.

Today, we take another step forward. Today, we are proud to announce the availability of the newest version of HoneyPoint Security Server. Based on client feedback and expert security insight, we have evolved the basic HoneyPoint premise to a new level. Today’s release includes a complete re-write of the console and further expands our ability to integrate into existing monitoring and SIM infrastructures as well as offering organizations without SIM a robust and full lifecycle HoneyPoint event management system!

The new console features a back-end database with roles and event management plus it also includes integrated trending and reporting. The new plugin interface, included with the release, allows users and MSI to design new and exciting features for event management, automated responses and alerting without changes to the core code – or the need for upgrades. Centralized ignore host configuration, HoneyPoint inventory and enhanced event clarity are also key points of refinement in the new version.

But, among the most exciting news about this new HoneyPoint release, is the availability of new, deeper HoneyPoints for emulating additional services and applications. New HoneyPoints, console plugins and configurations are planned over the next few weeks as MSI continues to increase the power and flexibility of the product.

Stay tuned for some new information about online resources, newly available tools and other supporting materials as they emerge over time. Our plan is to continue to spread the word, evangelize this change in tactics and to keep telling the world that there is a better way to secure your internal networks – without management overhead and without the false postives that keep you from focusing on your real threats.

To find out more about version 2 of HPSS or more about why we truly believe that we ARE going to “change the world”, simply give us a call or drop us line. We would be happy to share the message with you!

Over the last few weeks we have measured a fairly slow, but steady increase in the amount of general web site scanning. More and more often, our HoneyPoint systems are identifying PHP scans, scans for older vulnerabilities dating back to Nimda and Code red and a slew of newer scans for specific bulletin board, blog management and other web-based application code.

These scans are appearing from a number of locales and appear to be mostly automated. Their sources appear to be from mostly compromised systems on small to mid-sized company networks.

As these scans increase in frequency and capability, it is essential that organizations ensure that they have secured their web servers against common known vulnerabilities. There are a number of tools such as nikto, Sandcat and others or available services to scan sites for little or no charge. Organizations should utilize these tools or their existing managed vulnerability assessment services to ensure they are protected against these common worm-style attacks.

We have been getting large numbers of requests to try our HPPE and HP:NTA products, but up until no demo versions have been available. This is no longer true, effective today!

Users who would like to try out either or both of these leading edge products can download fully functional versions from our website. Both products will run for fifteen minutes at a time, then pop up a message advising you about how to obtain a key and quit. The products can be restarted as many times as you wish, with each execution running 15 minutes!

We hope this new capability really gives everyone a chance to explore, analyze and play with these amazing tools. The feedback from other users has been so strong that we have been very hard at work to find a way to offer them to everyone.

To check them out and begin securing your workstation with the power of HoneyPoints, click below, then click on the time limited demo link at the bottom of the page (no registration required):

HoneyPoint Personal Edition

HoneyPoint:Network Trust Agent