About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

4899/TCP Probes Still on the Increase

MSI continues to see increasing scans for vulnerabilities associated with port 4899/TCP. These scans are attempting to identify a particular product and gain access to the system through a known exploit.

Please verify that you have eliminated all traffic from the public Internet destined for this port. The original vulnerability has been around a while, but increasing blocks of IP addresses in EMEA are propagating the malicious traffic.
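One way to confirm the advice above on your own perimeter, as an added example that is not code from MicroSolved or this post: parse firewall log lines for inbound 4899/TCP connection attempts, count hits and distinct sources per day, and flag whether the probing is growing. The log lines are constructed in iptables LOG format, and the helper names, field layout and the day-over-day comparison are assumptions for illustration; pair a check like this with an inbound deny rule for 4899/TCP at the border.

```python
"""Count inbound 4899/TCP probes in firewall logs and report day-over-day growth.

Added example, not code from MicroSolved or the original post. The log lines
below are constructed in iptables LOG format; the helper names and the
comparison logic are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample of iptables LOG output (syslog prefix included). Two days
# are mixed so the day-over-day comparison has something to work with; the
# port-80 line is there to show that unrelated traffic is ignored.
SAMPLE_LOG = """\
Jan 10 02:14:07 fw kernel: FW-IN: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=4899 SYN
Jan 10 03:22:41 fw kernel: FW-IN: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=4899 SYN
Jan 10 09:40:12 fw kernel: FW-IN: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 11 01:05:33 fw kernel: FW-IN: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51300 DPT=4899 SYN
Jan 11 01:06:02 fw kernel: FW-IN: IN=eth0 SRC=192.0.2.44 DST=203.0.113.12 PROTO=TCP SPT=40010 DPT=4899 SYN
Jan 11 04:18:59 fw kernel: FW-IN: IN=eth0 SRC=203.0.113.200 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=4899 SYN
Jan 11 11:59:00 fw kernel: FW-IN: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40011 DPT=4899 SYN
"""

# Syslog timestamp, host, "kernel:", then the SRC/PROTO/DPT fields we care about.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\s?\d{1,2}) \S+ \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (day, src, proto, dport) for a matching line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    day = f"{m['month']} {int(m['day']):02d}"
    return day, m["src"], m["proto"], int(m["dpt"])


def probes_by_day(log_text, port=4899, proto="TCP"):
    """Map day -> Counter(src -> hits) for inbound attempts to the given port."""
    days = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, src, p, dport = parsed
        if p == proto and dport == port:
            days.setdefault(day, Counter())[src] += 1
    return days


def increase_report(days, prev_day, cur_day):
    """Compare two days: total hits, distinct sources and sources not seen before."""
    prev = days.get(prev_day, Counter())
    cur = days.get(cur_day, Counter())
    return {
        "prev_hits": sum(prev.values()),
        "cur_hits": sum(cur.values()),
        "prev_sources": len(prev),
        "cur_sources": len(cur),
        "new_sources": sorted(set(cur) - set(prev)),
        "increasing": sum(cur.values()) > sum(prev.values()),
    }


if __name__ == "__main__":
    report = increase_report(probes_by_day(SAMPLE_LOG), "Jan 10", "Jan 11")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows hits doubling and two sources that were not present the day before, which is the kind of trend the post describes; on a real firewall, feed it the LOG output for the rule that drops 4899/TCP so the count reflects attempts that were blocked rather than accepted.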

File Cabinet (In)Security

I have been toying with lock bumping since it became a national hot item a few months back. If you have not heard about it yet, check out the basics here.

OK, so a lot of this is overblown and the hype is pretty high to cause Mom and Pop to panic and buy some new locksmith services and products. I get it. I really do.

I also realize that the actual threat has been around a long time, and that criminals have known the technique for a while. I too have read that there has been little significant increase in break-ins since the lock bumping technique made headlines…

That said, I have been focusing on the long beloved friend of accounting folks everywhere – the venerable locking file cabinet. Best-practices for securing offices and accounting departments have long held that locking a file cabinet or desk drawer was a pretty decent layer of protection for the contents. Unfortunately, lock bumping very much changes that perspective.

I have attempted to bump quite a few file cabinets and desk drawers over the last few months. I am averaging in the 90th percentile in terms of gaining access. In many cases, it takes just about the same time as using the real key and I easily gain access to the contents to do with as I may.

How serious is this? Well, it makes much of the physical security associated with open cubicle environments suspect. Public access to receptionist desks and the like has proven pretty fruitful – including the usual suspects of phone lists, password lists and other generally attacker friendly items. Not to mention the items available for outright theft – often including just plain money…

The old rules of physical access trumping many security mechanisms still exist. Lock bumping techniques are just the newest way to reinforce the lesson. If you have not taken a good look at your file cabinets, desk drawers and the availability they might have to an intruder with a simple bump key – it might be time to at least think about it. Especially sensitive materials like regulatory data, personnel data and the like may have to be given some other special protections if you're relying on rows of locked filing cabinets to secure them.

Ouch! 42 Web Vulnerabilities in an Hour!

As an exercise last week, 5 members of the MSI penetration testing team got together for a lunch hour exercise. The results were well worth noting.

In just under 1 hour, the team set forth to find out how many web-based application security issues they could identify in public sites. The rules were that they could not use any search engines, scanners or tools except the browser. Obviously, they could only footprint the vulnerabilities and not verify or exploit them. However, since footprinting the presence of application issues is usually quite accurate, the data should be viewed as serious.

The sites they could target were also limited to common sites, and the list was adaptive – for example, once they had identified a few vulnerable sites of one type, further sites of that type were no longer counted, so to speak. This ensured that the gathering did not become focused on specific types or trends of sites.

The team had decided beforehand that they would focus on three specific types of web-application issues: SQL injection, bad error pages that leaked too much information and cross-site scripting. All three of these issues are contained in the OWASP top 10 vulnerabilities.

Here is what they found:
•    12 bad error pages – we were surprised there were not more of these, but a dozen was bad enough, and we were pretty stringent on what qualified: the leaked data had to be pretty egregious.
•    2 SQL injections – one revealed an underlying MySQL database in the error message, the other showed an ODBC error and revealed some source code for a connection to Microsoft SQL Server.
•    28 cross-site scripting issues – these were found so often that they kept us hopping to keep count of them; it seems that many, many common sites suffer from XSS vulnerabilities. It is no wonder attacks leveraging them have become so common.

There you have it – 42 vulnerabilities in under an hour! Some of the sites identified were government sites, popular retailers and all kinds of other sites. I guess it just goes to show that we still have some work to do…

TSA on Saturday Night Live

If you have not seen this yet, it is a pretty funny piece about just how stupid some of the TSA travel rules are. I have been railing against the security through theater of the TSA routines and the seeming madness of some of their decisions, bad moves and general practices for some time now. I truly believe that much of their efforts have been in vain, and that very few of their moves have truly significantly lowered any overall risks.

But, so I don’t get off on a rant here, take just under 5 minutes and enjoy the humor!

SNL Video from YouTube!

US Government Lacks Security By Example

I have been paying attention to the way the US Government has been managing their cyber-security lately. I guess, since they have such a large responsibility to maintain security that I continue to be amazed at the poor examples that they set for others. How in the world can they expect organizations and businesses to maintain security when they cannot seem to do it themselves, even in the most critical of circumstances?

As an example, here is a recent article in the news about the TSA (a division of the Department of Homeland Security) losing a hard disk full of employee private data. The identity of TSA employees, given their mission-critical role in the War on Terror, I would assume is a fairly important piece of data for TSA to protect. How can government staffers and Congress rail against organizations losing back-up tapes and databases of information when the very people who are supposed to protect us show an example so egregious as this one?

I was reminded of this topic yesterday when, on a visit to a website that is managed by the US Secret Service, I cut and pasted the URL between virtual machines in one of my virtual labs. In the cut and paste mechanisms, unbeknownst to me, some character encoding was performed and the URL I was attempting to view got munged. Much to my shock, the web site in question spat out an incredibly in-depth application error page! The error page was a default .NET error page that revealed code, specific version information about the server, the applications and the environment. Now many of you might say “So what?!?”. Well, my answer to that is that bad error pages that display too much information are a basic component of the OWASP Top Ten issues that define the most common security baseline for web-based applications and web servers. Why in the world would an organization with the security requirements of the US Secret Service be missing such a simple issue? I can only hope (though I seriously doubt) that it is because they have performed an adequate risk assessment and identified this specific server as being of such a low risk that simply configuring it to spit back a standard error page is not worth the effort. How likely do you think that might be?

If you do some simple Google searches around US Government security, you will find all kinds of bad examples. I know that their attack surface is immense, their threat models are severe and that their resources are limited, but I truly hope they begin to address some of these basic issues. I really think they should be in a position to set an example of proper security and data protection and be more of a role model for how it is done. I would much prefer that to the way it is now. What do you think?
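The three issue classes counted in the lunch-hour exercise above (SQL injection, error pages that leak too much, cross-site scripting) and the default .NET error page described in this post all come down to the same handful of coding decisions. The following is an added example, not code from MicroSolved or from any of the sites mentioned: each weakness is shown as a small handler beside its hardened form, using an in-memory SQLite table with constructed rows. The function names, the fake server banner string and the request simulation are assumptions for illustration.

```python
"""SQL injection, leaky error pages and XSS: weak handlers beside hardened ones.

Added example, not code from the original posts. Uses an in-memory SQLite
table with constructed rows; SERVER_BANNER and all function names are
assumptions for illustration.
"""
import html
import sqlite3

SERVER_BANNER = "ExampleApp/1.0 (framework 2.3; db sqlite)"  # constructed value


def make_db():
    """Constructed user table; the apostrophe in O'Brien is a legitimate input."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "O'Brien", "obrien@example.com")],
    )
    return db


# --- 1. SQL injection: string-built statement vs bound parameter -------------
def find_user_vulnerable(db, name):
    # User-controlled text becomes part of the SQL statement itself, so an
    # apostrophe (or anything else) changes the statement's structure.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def find_user_hardened(db, name):
    # The value is bound by the driver and can never alter the statement.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- 2. Cross-site scripting: reflecting input raw vs HTML-escaping it -------
def greeting_vulnerable(name):
    return f"<p>Hello {name}</p>"


def greeting_hardened(name):
    # Escape at the point of output so markup in the value stays inert text.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- 3. Error pages: leaking internals vs a fixed generic page ---------------
def render_error_vulnerable(exc):
    # Debug-style page: exception text plus version banner sent to anyone.
    return (f"<h1>Server Error</h1><pre>{type(exc).__name__}: {exc}</pre>"
            f"<p>{SERVER_BANNER}</p>")


def render_error_hardened(exc, log):
    # Details go to the server log for operators; the client gets a fixed page.
    log.append(f"{type(exc).__name__}: {exc}")
    return "<h1>Something went wrong</h1><p>The error has been logged.</p>"


def lookup_page(db, name, hardened, log):
    """Simulate one request: run the lookup, render data or an error page."""
    try:
        rows = find_user_hardened(db, name) if hardened else find_user_vulnerable(db, name)
    except sqlite3.Error as exc:
        return render_error_hardened(exc, log) if hardened else render_error_vulnerable(exc)
    render = greeting_hardened if hardened else greeting_vulnerable
    return "".join(render(n) for n, _ in rows)


if __name__ == "__main__":
    db = make_db()
    print("weak:    ", lookup_page(db, "O'Brien", hardened=False, log=[]))
    print("hardened:", lookup_page(db, "O'Brien", hardened=True, log=[]))
    print(greeting_vulnerable("<b>bob</b>"), "->", greeting_hardened("<b>bob</b>"))
```

Running it with the name O'Brien shows the chain the team was footprinting: the string-built query breaks on the apostrophe, and the weak error page then hands the database engine's error text and the version banner to the client, which is exactly how the MySQL and ODBC findings above surfaced. The hardened path returns the row, escapes it on output, and keeps any failure details in the log.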

Phishing Attack Circumvents Some Multi-Factor Authentication

A security researcher has revealed the details and mechanisms for a technique to circumvent multi-factor authentication on some banking and other web-applications. The attack depends on the fallback to a secret question type of authentication when no cookie or token is available for the user. The researcher has demonstrated using the technique to perform successful phishing attacks against some systems.

The attack heavily leans on the fallback mechanism that many organizations have put in place to allow customers to skip multi-factor mechanisms and resort to a single secret question – though it could also be used against sites that fall back to passwords or other single factor mechanisms. If your organization uses fallback access tools that are only single factor – this could be a serious risk to you.

The fact that the attack technique was made public means that copycat attacks and evolutions of the technique are very likely. Certainly, probes and scans of authentication fallback mechanisms and web-applications will go through yet another rise. The resources required to perform the attack vary little from traditional phishing, and any development required to code the proxy mechanisms is likely to happen fairly quickly.

Organizations should carefully inspect their authentication mechanisms and configurations and should consider eliminating single factor fallback if that is an option.
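To make the recommendation concrete, here is an added example (not code from the original post or from the researcher's write-up) of the login decision in two forms: the weak policy, where a missing device cookie drops the user to a secret question, and the same policy with that fallback removed. The account record, the device token, the one-time code and all function names are constructed assumptions for illustration.

```python
"""Login policy with a single-factor fallback beside the same policy without it.

Added example, not code from the original post. The account record, device
token and one-time code are constructed values; the function names are
assumptions for illustration.
"""
import hmac

# Constructed account. The secret-question answer is exactly the kind of value
# a phishing page collects alongside the password in a single session.
ACCOUNTS = {
    "alice": {
        "password": "correct horse battery",
        "secret_answer": "fluffy",
        "device_tokens": {"tok-alice-laptop"},   # set on recognised browsers
        "otp_code": "482913",  # would come from a TOTP/HOTP generator or delivery
    }
}


def _eq(a, b):
    """Constant-time comparison so secret checks do not leak through timing."""
    return hmac.compare_digest(a.encode(), b.encode())


def login_with_fallback(user, password, device_token=None, secret_answer=None):
    """Weak policy: a recognised device OR a secret answer replaces the 2nd factor."""
    acct = ACCOUNTS.get(user)
    if acct is None or not _eq(acct["password"], password):
        return "denied"
    if device_token in acct["device_tokens"]:
        return "ok"
    # Fallback branch: with no device token, one knowledge factor is accepted.
    # Everything this branch needs can be collected by a phishing page.
    if secret_answer is not None and _eq(acct["secret_answer"], secret_answer):
        return "ok"
    return "denied"


def login_no_fallback(user, password, device_token=None, otp=None):
    """Hardened policy: an unrecognised device always needs the second factor."""
    acct = ACCOUNTS.get(user)
    if acct is None or not _eq(acct["password"], password):
        return "denied"
    if device_token in acct["device_tokens"]:
        return "ok"
    if otp is None:
        return "second-factor-required"   # challenge, never a weaker substitute
    return "ok" if _eq(acct["otp_code"], otp) else "denied"


def compare_policies(captured):
    """Feed the same captured credentials (no device token) to both policies."""
    return {
        "with_fallback": login_with_fallback(
            captured["user"], captured["password"],
            secret_answer=captured.get("secret_answer")),
        "no_fallback": login_no_fallback(
            captured["user"], captured["password"]),
    }


if __name__ == "__main__":
    # Constructed: what a phishing page for this site would have gathered.
    captured = {"user": "alice", "password": "correct horse battery",
                "secret_answer": "fluffy"}
    print(compare_policies(captured))
```

The comparison shows the two policies diverging on the same input: with the fallback in place, a password plus secret answer logs in from an unrecognised device; without it, the session stops at the second-factor challenge. Note that the hardened form only closes the fallback the post describes: a one-time code is still a phishable secret if an attacker relays it in real time through the kind of proxy the post mentions, so it reduces rather than removes phishing risk.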

You can read more about the researcher, the attack and the mechanisms used here.

ISS & TippingPoint Spar Over – Shock! – Vulnerability Disclosure!

ISS and TippingPoint seem to be battling it out publicly over the ethics of hacking contests, buying exploits and responsible disclosure.

This is a discussion that has been a long time coming. Companies like TippingPoint and others who buy zero-day exploits and sponsor hacking-for-money contests and the like seem to be only a short distance from people or companies who release exploit code and tools that make attackers better at what they do.

I think that it is high time that someone holds these firms’ and individuals’ feet to the fire over their ethics, so to speak. How companies or people can create attack tools, sponsor the creation of zero-day attack code and teach attack techniques to the public while still saying to customers – “trust and pay us to protect you” seems pretty odd to me. It certainly makes me think of movies where small business owners pay large men with baseball bats for “protection”.

While the bat may have changed to computer code, I just don’t see how making attackers more effective, funding underground research and encouraging attacker behaviors are responsible, ethical and proper for those persons and organizations that claim to be out to protect businesses from such attacks.

Want to Know How to Improve Security Awareness – Just Ask!

I have been hearing a lot of questions lately about how to create effective awareness programs inside your organization. To most companies, this is a very difficult task. Here are three strategies to make this easier for everyone and a whole lot more effective than what you are likely using now:

1) Ask your employees. Hold a few round table sessions with various randomly selected employees. Stress to them the importance of information security awareness and ask them what they think would be effective in reaching their peers. You might just be surprised by what they have to say. Incorporate some or all of their ideas into your program, of course, with appropriate metrics and monitoring. Don’t be afraid to embrace these new mechanisms; they are often hidden gems.

2) Think like marketing. Stop thinking of security awareness as a security function. Only the message/content is security; the rest is plain old marketing. Include your marketing department in the process. Actively engage them in the process of selling security to your employees. It makes a world of difference. Also, on this note, make sure you support their efforts to tune and refine the message and profile the employee audience. Those traditional marketing approaches may seem fuzzy to security folks, but they are what clearly separate the wheat from the chaff in this undertaking.

3) Embrace new technologies and multi-media. Face it, if posters and such worked so well, the problem would be solved already. The fact of the matter is, you need multiple forms of contact with the employees to cause change and sell them security concepts. The more mixed media and content with common themes, the better. This simply works. Think about it, again from marketing terms – does Coke just use posters to sell sugar water? No, they use a variety of media and messages with a common theme to get people to drink their products. Do what works; don’t be afraid to move beyond posters and meetings to really make awareness work for you and your organization!

HoneyPoint Security Server Gets Easier & More Powerful

For more than a year and a half now we have been traveling the world, talking about HoneyPoints and the fundamental change that this technology represents to providing internal network security and threat detection. What a long road it has been…

Over the last 18 months, we have had an incredible amount of success in capturing emerging threats, helping companies spot compromises and evaluate their attackers. We have learned a lot about internal attack motivations and mechanisms and we have seen first-hand the power of HoneyPoints to really free organizations from the overhead and false-positive nightmares that signature-based Intrusion Detection has come to represent.

Today, we take another step forward. Today, we are proud to announce the availability of the newest version of HoneyPoint Security Server. Based on client feedback and expert security insight, we have evolved the basic HoneyPoint premise to a new level. Today’s release includes a complete re-write of the console and further expands our ability to integrate into existing monitoring and SIM infrastructures as well as offering organizations without SIM a robust and full lifecycle HoneyPoint event management system!

The new console features a back-end database with roles and event management plus it also includes integrated trending and reporting. The new plugin interface, included with the release, allows users and MSI to design new and exciting features for event management, automated responses and alerting without changes to the core code – or the need for upgrades. Centralized ignore host configuration, HoneyPoint inventory and enhanced event clarity are also key points of refinement in the new version.

But, among the most exciting news about this new HoneyPoint release, is the availability of new, deeper HoneyPoints for emulating additional services and applications. New HoneyPoints, console plugins and configurations are planned over the next few weeks as MSI continues to increase the power and flexibility of the product.

Stay tuned for some new information about online resources, newly available tools and other supporting materials as they emerge over time. Our plan is to continue to spread the word, evangelize this change in tactics and to keep telling the world that there is a better way to secure your internal networks – without management overhead and without the false positives that keep you from focusing on your real threats.

To find out more about version 2 of HPSS or more about why we truly believe that we ARE going to “change the world”, simply give us a call or drop us a line. We would be happy to share the message with you!