Yesterday I followed up on some HoneyPoint traffic signatures that have been floating around for a while. I have been seeing a pretty steady increase in various scans for several types of PHP vulnerabilities over the last few months, so I started looking around at some of the script kiddie PHP scanners that were out there.

Interestingly, I found a couple of scanners on a forum that were pretty advanced. They each include 250 – 300 signatures for PHP vulnerabilities, several modes of “IDS evasion” that are minimally successful, at best, but do have options to adjust scanning speeds, manage scan target lists and other useful stuff. Overall, I was actually impressed with the depth, stability and capabilities that these script kiddy style tools possessed.

I will continue to troll through some more lower end tools and check them out for how their coding has improved. I think it is likely that compared with the many of the script kiddy tools of yesteryear, I will find that even the basic development and coding skills in the lower end of the attacker pool has improved. The attackers who develop basic tools and feed the script kiddy crowd seem to be becoming more and more capable of in-depth coding and development. While far from a shock to infosec folks, it does represent a phase shift that we should be aware of. Likely, their tools will continue to grow in stability and sophistication – all of which makes for more formidable opponents.

Just something to think about….

So, here I am working on a vulnerability I discovered in OS X. I am deep into doing the final work of making sure it is exploitable and writing proof of concept code. My fuzzers had identified the issue a week or so ago, but with my busy schedule I just had not had time to pursue what was looking to be a local exploit with a little capability for malicious activity – like perhaps exposing the contents of file vault or other things that are based on user context.

But, low and behold, along comes an update from Apple that patches the vulnerability. Upon deeper research, it appears that they also discovered the issue (or blindly mitigated the hole) while they were repairing another problem included in this patch cycle! Congrats to Apple for fixing what appears to have been an unrelated issue and for seeming to actually be doing the right thing of performing additional testing or mitigation on code they are working on. To me it looks like they may actually have implemented a process where as one issue is found with a piece of code and addressed, the whole piece of code is more deeply inspected, tested and assessed. That’s FANTASTIC news!

So, while I am doing the “poor me” shuffle for spending cycles on an issue that has become NOT AN ISSUE, I am also bouncing around with joy that the right approach to securing code seems to be spreading. That alone, is worth a smile. I really like it when the right thing happens and some part of the world gets a little more secure!

That’s just another part of life as a security researcher. Things continue to break in new and exciting ways, but sometimes, even while you are working on the rabbit hole, someone comes along and fills it in….

CNet reviewers gave HPPE four out of five stars!

They loved the useability of the product, the interface and the idea surrounding it.

You can read more about it here.

Apparently, it would have gotten 5 stars, but they did not like the fact that connections from 127.0.0.1 (localhost) are ignored and that this feature is not in the documentation. We will add it into the docs in the future, but 4 out 5 stars is a wonderful response. Thanks CNet!

One of the unexpected side effects of HoneyPoint deployments has been the discovery of misconfigured applications and hardware in the network. Many customers have identified several applications and devices that were either not configured properly or were acting in unexpected and undocumented ways. HoneyPoint clients have been giving us great feedback that this has helped them reign in this wrongful behavior and that they would likely have never known about it if they had not deployed HoneyPoint.

Some of the items they have discovered have included web-applications that open return sessions to port 80 or 443 on the host – often for no apparent reason, illicit web-requests to domain servers due to misconfigured SQL and LDAP controls and even a couple of applications that performed simplistic host port scans in odd attempts to identify the originating host or use as a “host fingerprint” – neither of which are effective mechanisms for access control.

Clients have also told us that HoneyPoint has helped them find hosts that are not obeying the standard rules of their environment. For example, one client moved their DNS server from the DNS location assigned by DHCP and then changed the DHCP server. A few days later, he stood up a port 53 HoneyPoint to capture hosts that had set their DNS as static instead of using the established DHCP method. Doing so helped him clean up some hosts that remained in older configurations and even identify a help desk technician that was not configuring systems accordance with their standards. They claim that HoneyPoint was an incredible tool in helping them find the hosts that were just not up to par.

As the product matures, we continually get more and more feedback from clients about innovative uses for the tools. If your organization has leveraged HoneyPoint in new ways, please let us know so we can share them with others who may be able to benefit from the idea. As always, thanks for the attention to the product, we truly love the feedback and the incredibly warm response it continues to receive from people and organizations around the world!

MicroSolved, Inc. is pleased to announce that its SecureAssure vulnerability assessment solution has successfully completed the PCI Scanning Vendor Compliance Testing. This process allows MicroSolved to serve as an ASV for organizations concerned with PCI compliance.

“More organizations can now benefit from working with MicroSolved as their information security partner. Companies with compliance needs centering on payment cards can now leverage our exceptional methodologies and world class reporting. In addition, our process of manual vulner- ability verification eliminates much of the overhead and complexity of compliance by removing false positives and keeping your resources focused on the real problems.” stated Brent Huston, CEO of MicroSolved.

For more information, or to schedule assessments of your organization, please contact your account executive via phone or click here for email.

MSI attended the latest CUISPA event in Boston last week and it was a fantastic show. Credit union security folks were in attendance from all around the US and the speakers did a fine job of knowledge transfer.

Many thanks to all who stopped by the booth and showed their appreciation for our State of the Threat updates to CUISPA members. We have made arrangements with CUISPA to keep them coming each quarter!

I am not allowed to “spill the beans”, but in appreciation of our warm reception, we will soon be making a very special offer to all CUISPA members. Stay tuned to both CUISPA and our site to learn about this special offer that just might make your future workload quite a bit lighter!    😉

Thanks again for the warm welcome in Boston. Special thanks to Kelly at CUISPA for the awesome event!

Code Craft

By: Pete Goodliffe

Publisher: No Starch Press

Price: $44.95

Rating (out of 5): *****

This is an excellent book about moving from average software development to professional-grade software development. The book basically covers the topics needed to teach developers how to make better software in a more effective manner than may be happening in many organizations today. Topics covered include: effective commenting and documentation, industry standards for software testing (including security), interface design standards, group development practices, mechanisms for spec development and code review and even insights into managing programmers more effectively.

If you are a developer or manage a group of developers, this book will teach you the softer skills to complement the technical skills you have already mastered. Given the complexity of today’s software, it is these softer skills that often make all the difference between career success and remaining “one of the code jockeys”.

My favorite thing about this book is the insightful tone it uses to get its point across. It truly reflects wisdom and experience from the author without getting the “preachy tone” some technical books seem to take on. Be prepared though, the book is big, some 500+ pages of actual content – so if you just finished that huge Harry Potter book everyone is reading, this may seem a little longer than you like for reading in your easy chair. But, unlike Harry Potter, this book’s payoff is long term career growth and skills improvement!

Practical Packet Analysis

By: Chris Sanders

Publisher: No Starch Press

Price: $39.95

Rating (out of 5): ****

This book is an excellent introduction to the basics of packet analysis. It gives good introductions to the basics of protocols, use of Wireshark, sniffer deployment and the other skills needed to perform packet capture and inspection.

Packet analysis is a vital skill for network technicians and security folks. This book takes users through a variety of scenarios including wireless network sniffing, protocol debugging and even attack inspection. In addition to Wireshark, it also covers getting dumps from Cain and other common sources.

The book is easy to read, easy to follow and the graphics are very readable. The scenarios are very detailed and reality based. All in all, if you need to get the basics of packet analysis down pat, this is a very good place to start.

Scripting and an understanding of scripting languages are critical skills for infosec folks. Not only do they lend themselves to understanding threats and attacker tools, but in many cases they make it possible for automation to assist the infosec practitioner in performing many of their duties and can help them be more effective in environments where large quantities of data must be analyzed against common issues or have similar functions performed repeatedly.

In my opinion, here is a quick summary of the top 5 scripting skills infosec folks should have or pursue.

1. Shell scripting or batch file programming – These skills are essential for the day to day work of an infosec technician. Such programming often increases the effectiveness of work tasks and brings greater quality to things like data analysis, basic reporting and other essential functions.

2. PERL – Perl is just plain critical. It is THE language of performing complex analysis of data, automating many security focused tasks and even doing socket-based network and application work. Perl is easy to learn, simple enough to manage and powerful enough to automate complex tasks. If you need a swiss army knife programming language, Perl will rise to the challenge.

3. Javascript – This language is essential to understanding modern web mechanisms and attacks. Basic knowledge of Javascript will take practitioners far into the web-application realm and can be leveraged to gain knowledge of AJAX, SOAP and deeper web architectures. While it can also be used for some simple forms of web-based assistance or aggregation, it may not be an overwhelming aid to your productivity like other languages, but in order to have even basic web-application skills, it is simply a must.

4. Python – Python is the quick hack choice for doing network and socket-based tool prototyping. Its rich and simple socket controls make it a clear choice for pen-testers and other developers of “quick and dirty” code. It makes a fantastic alternate choice for Perl folks, and can be used to do some effective data parsing as well. The syntax seems to be even easier than Perl and many folks become proficient in it more quickly than Perl.

5. Ruby – Ruby is the Perl of the future. It is a fantastic prototyping language and of course, it powers Rails, which makes it a growing giant in Web 2.0. Ruby and Ruby on Rails (RoR) can be leveraged by security folks to quickly create demonstration sites, to establish honeypot sites and even to create web-based tools quickly to share with others in their organization. In addition, Ruby alone can be used to automate large amounts of data processing, create custom reports and can be just as useful and powerful as Perl. Depending on how the future of Ruby shakes out, it might even surpass Perl in the future as the critical language for doing real work, so it makes sense to add it to your repertoire.

There you have it. Take the time to learn the basics of these scripting languages and then look for places in your daily work to apply automation. As your skills grow, likely your capabilities to automate much of the manual work you do will grow as well. Who knows, you might just automate yourself back into having free time again. Not to worry though, that would just give you even more time to concentrate on your scripting skills!

Is this what it has come to in Homeland Security now?

Chertoff Claims “Gut Feeling” About Summer Attacks

I normally try and stay away from public commentary on DHS goings on, but this seems so devoid of reason that I just had to talk about it. So, here we go…

First off, I would like to see the true risk assessment behind the idea that terrorists prefer summer for attacks. I simply do not believe this and in my opinion, it smacks of a lack of reason. Do we really believe that if our enemies discovered a soft target that they could exploit that they would even consider waiting for a specific season to attack us? I mean, everything we know about terrorism shows patterns of exploiting identified weaknesses with haste. Even the attacks sited as references to the summer attack pattern talked about in the articles were performed with minimal planning and tactical processes. They certainly were not part of campaigns designed to be sustained over long periods like multiple seasons. What from these events and other recent attacks around the world do we leverage to gain the insight that terrorists attacks are more likely in the warm summer sun?

Secondly, the idea that we are now making public announcements about potential threats using the DHS leader’s “gut feelings” as a barometer makes me pretty crazy. Now, I understand that he might have intelligence that is not open to the public, or he may be privy to some other form of insight that can’t yet (or ever) be shared, but the idea that we as Americans should take any action based on his own described “gut feeling” is preposterous. With all of the money we are budgeting for DHS and the war on terror, is “gut feelings” seriously the best they can offer in terms of threat prediction? I mean, honestly, wouldn’t we all feel better if they even tried to make something sound more plausible – like increased chatter, new emerging patterns in a chaotic stream or even some super computer somewhere that raised the theoretical attack threshold versus the overall security against terror inverse logarithmic curve or something. Anything. What’s next, war strategies by crystals, cards and dice? We are supposedly the most advanced culture in the history of this planet, I really really want something more reasonable from someone who is in charge of protecting our way of life…

Again, sorry for the rant, but I just couldn’t let this one pass by without raising my hand and asking “Huh?”…