About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Web Scans on the Increase

Over the last few weeks we have measured a fairly slow, but steady increase in the amount of general web site scanning. More and more often, our HoneyPoint systems are identifying PHP scans, scans for older vulnerabilities dating back to Nimda and Code Red and a slew of newer scans for specific bulletin board, blog management and other web-based application code.

These scans are appearing from a number of locales and appear to be mostly automated. Their sources appear to be mostly compromised systems on small to mid-sized company networks.

As these scans increase in frequency and capability, it is essential that organizations ensure that they have secured their web servers against common known vulnerabilities. There are a number of tools such as nikto, Sandcat and others, as well as services that will scan sites for little or no charge. Organizations should utilize these tools or their existing managed vulnerability assessment services to ensure they are protected against these common worm-style attacks.
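The scans described above leave a recognizable trail in ordinary web server logs, and checking for that trail is a cheap complement to the scanners mentioned. The following is an added example, not code from MicroSolved or from HoneyPoint: it classifies Apache combined-format log lines by a few well-known probe patterns (the Nimda and Code Red request paths, and requests for PHP applications such as phpMyAdmin and phpBB) and groups the hits by source address. The sample log lines are constructed for the example, and the signature list and the `min_hits` threshold are assumptions to be tuned for your own site; a request for `/phpmyadmin/` is only suspicious if you do not actually host it, which is why the 404 status in the sample lines matters.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2007:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
203.0.113.10 - - [12/Mar/2007:10:01:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [12/Mar/2007:10:02:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 312 "-" "-"
198.51.100.7 - - [12/Mar/2007:10:02:12 -0500] "GET /phpmyadmin/main.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.55 - - [12/Mar/2007:10:05:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2007:10:05:41 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2007:10:02:13 -0500] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 404 289 "-" "Mozilla/4.0"
"""

# Source IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed signature set: worm-era IIS paths plus common PHP application probes.
SIGNATURES = {
    "nimda/codered": re.compile(r"/(?:scripts|msadc)/root\.exe|/winnt/system32/cmd\.exe|/default\.ida", re.I),
    "php-webapp-probe": re.compile(r"/phpmyadmin|/phpbb|/xmlrpc\.php|/awstats", re.I),
}


def classify_request(path):
    """Return the signature category a request path matches, or None for ordinary traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def scan_log(lines, min_hits=1):
    """Group signature hits by source IP.

    Returns {ip: {"hits": n, "categories": set, "paths": set, "not_found": n}}
    for every source with at least min_hits matching requests.
    """
    sources = defaultdict(lambda: {"hits": 0, "categories": set(), "paths": set(), "not_found": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        category = classify_request(m.group("path"))
        if category is None:
            continue
        rec = sources[m.group("ip")]
        rec["hits"] += 1
        rec["categories"].add(category)
        rec["paths"].add(m.group("path"))
        if m.group("status") == "404":
            rec["not_found"] += 1  # probing for code we do not host
    return {ip: rec for ip, rec in sources.items() if rec["hits"] >= min_hits}


def report(results):
    """Render the scan summary as one line per source, most active first."""
    lines = []
    for ip, rec in sorted(results.items(), key=lambda kv: -kv[1]["hits"]):
        cats = ", ".join(sorted(rec["categories"]))
        lines.append(f"{ip}: {rec['hits']} probe(s), {rec['not_found']} returned 404 [{cats}]")
    return lines


if __name__ == "__main__":
    for line in report(scan_log(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against `access_log` with `scan_log(open("access_log"))` to get the same grouping over real data; sources that hit several categories in a few seconds are the automated scanners the post describes, and the `not_found` count separates probes for software you do not run from legitimate users of an application you do.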

HoneyPoint Personal Edition and Network Trust Agent 1.10 Released

We have been getting large numbers of requests to try our HPPE and HP:NTA products, but up until now no demo versions have been available. This is no longer true, effective today!

Users who would like to try out either or both of these leading edge products can download fully functional versions from our website. Both products will run for fifteen minutes at a time, then pop up a message advising you about how to obtain a key and quit. The products can be restarted as many times as you wish, with each execution running 15 minutes!

We hope this new capability really gives everyone a chance to explore, analyze and play with these amazing tools. The feedback from other users has been so strong that we have been very hard at work to find a way to offer them to everyone.

To check them out and begin securing your workstation with the power of HoneyPoints, click below, then click on the time limited demo link at the bottom of the page (no registration required):

HoneyPoint Personal Edition

HoneyPoint:Network Trust Agent

**CENSORED** Worm Continues to Grow

Our HoneyPoints are still seeing an increase in the overall numbers of attacking systems exploiting the newest **CENSORED** vulnerability. The traffic has a destination port of TCP/4899.

Most sites should be filtering this port by now, but it seems some smaller organizations have not yet gotten the word about the problem.
Eastern Europe seems to be the home of more than a few systems scanning for this issue.

If you have not yet begun blocking this port, and are a **CENSORED** user who has not upgraded to date, then now would likely be a good time to implement blocks and inspect your exposed systems.

PS – I HAVE UPDATED THIS POSTING AS A RESULT OF A LETTER FROM THE VENDOR INVOLVED WHO REQUESTS THAT WE STOP USING THE TRADEMARKED NAME OF THEIR PRODUCT.

Increases in Attack and Probe Traffic Likely

With the official release of MetaSploit 3 occurring today, look for a likely increase in scans and probes associated with the tool and its 117 exploits. To date, MetaSploit accounts for a large percentage (some 75-80%, we believe) of manual attack traffic to our HoneyPoints. It is widely adopted and easily used to compromise systems.

If you have not had a vulnerability assessment recently, now might be the time to get one underway and get some mitigations in place. The more publicity this tool gets, the more attack traffic that everyone will likely encounter in the coming few weeks.

This version of MetaSploit looks to be a very powerful upgrade, and there are a lot of tools built in for professional security testers, researchers and others. Modules for host identification, Denial of Service testing and all kinds of goodies are here. How those get used in the future, and whether or not they lead current script kiddies down the path of enlightenment and knowledge, remains to be seen.

In the meantime, get ready for some packet, network stream, log and IDS analysis. As the underground learns the new version, some of us are likely to be caught in the crossfire…

What is Your Favorite Application Security Tool?

Application security is all the rage these days. As such, vendors, open source projects and individual developers are flooding the market with tools for scanning, pen testing, application firewalls and all kinds of other stuff.

With so much “stuff” available, we thought we should ask you, the users, about what your favorite application security tools are. So, drop us a line or a comment and let us know about your coolest appsec toy. We will aggregate and post the best in an upcoming blog post.

Please share the name, the basic functionality and the reasons you like the tool so well.

Thanks for contributing!

More Facts About the Insider Threat

The US military and CERT have released some interesting data on the insider threat to organizations. You can find a media write up of it here.

Of most interest were some of the numbers. I was pretty amazed by the fact that 86% of the insider threat originates in IT and that some 90% of incidents involved people who already had Administrator/root privileges on the network!

It makes sense that IT would be a large source of cyber threats, but I really had always thought that we were doing a better job of teaching ethics to IT staff. The percentages seem to disagree with that and I think it makes a clear statement that we need to improve on developing not just technical skills in our teams, but also ethical behaviors and insight.

That 64% of incidents involved remote access systems like terminal servers, VPN and such combined with non-terminated password accounts or known accounts that did not change their passwords is NOT amazing to me. This remains one of the most serious threats that organizations face today – especially if they are larger than a small company.

Quite simply, password management has become a nightmare, and passwords remain the largest threat to the security of any organization. Password changes are too difficult in most environments, too many applications require administrative access to operate and there are few true technical solutions to the problem. Hopefully in the future, some real and functional technology will arrive to replace passwords – but most of the current solutions seem to fall far short in terms of cost, reliability and ease of management. (Bonus to vendors and developers: Make something to fill this niche that meets those three requirements and get rich!)

I don’t think anything in the article is rocket science, but it is nice to get firm numbers that confirm what security pundits (myself included) have been saying for close to a decade. Insiders matter. Ethics matter. Passwords just have to go.

In the meantime, while we wait for maturity of technical solutions on the password front, we can certainly begin to identify ways to increase cyber ethics and to help educate people and companies about the insider threat. Truly, as with most cases, education seems to be the key to effecting change. Maybe, if we begin to strengthen the ethical training of tomorrow’s network and system admins, we can lower those percentages and the risks for future generations.
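The 64% figure above (remote access combined with accounts that were never terminated or never had their passwords changed) is something an organization can measure for itself from an account export. The following is an added example and not code from the article or from MicroSolved: it audits a constructed list of account records for the three conditions the article names, namely an enabled account belonging to someone who has separated, a password older than a maximum age, and a remote-access entitlement on an account nobody has logged into for a while. The record fields (`enabled`, `admin`, `remote`, `separated`, `pw_changed`, `last_login`), the 90-day and 60-day thresholds and the severity labels are assumptions; map them to whatever your directory or VPN concentrator actually exports.

```python
from datetime import date

# Constructed sample account export; names and dates are invented for the example.
TODAY = date(2007, 3, 15)
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "admin": False, "remote": True, "separated": True,
     "pw_changed": date(2006, 6, 1), "last_login": date(2006, 9, 30)},
    {"user": "asmith", "enabled": True, "admin": True, "remote": True, "separated": False,
     "pw_changed": date(2006, 1, 10), "last_login": date(2007, 3, 14)},
    {"user": "svc_backup", "enabled": True, "admin": True, "remote": False, "separated": False,
     "pw_changed": date(2005, 4, 2), "last_login": date(2007, 3, 15)},
    {"user": "bwong", "enabled": True, "admin": False, "remote": True, "separated": False,
     "pw_changed": date(2007, 2, 20), "last_login": date(2006, 11, 1)},
    {"user": "clee", "enabled": True, "admin": False, "remote": False, "separated": False,
     "pw_changed": date(2007, 1, 5), "last_login": date(2007, 3, 10)},
    {"user": "oldtemp", "enabled": False, "admin": False, "remote": True, "separated": True,
     "pw_changed": date(2005, 1, 1), "last_login": date(2005, 2, 1)},
]


def audit_accounts(accounts, today, max_pw_age=90, dormant_after=60):
    """Return (user, severity, reason) findings for enabled accounts.

    Thresholds (assumed defaults): passwords older than max_pw_age days and
    remote-access accounts idle longer than dormant_after days are flagged.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account cannot be used; out of scope
        pw_age = (today - a["pw_changed"]).days
        idle = (today - a["last_login"]).days
        # An old password on an admin or remote-capable account is the worse case.
        pw_severity = "high" if a["admin"] or a["remote"] else "medium"
        if a["separated"]:
            findings.append((a["user"], "high", "still enabled after separation"))
        if pw_age > max_pw_age:
            findings.append((a["user"], pw_severity, f"password unchanged for {pw_age} days"))
        if a["remote"] and idle > dormant_after:
            findings.append((a["user"], "high", f"remote-access account idle for {idle} days"))
    return findings


def flagged_users(findings):
    """Distinct users that appear in the findings, sorted for reporting."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for user, severity, reason in audit_accounts(ACCOUNTS, TODAY):
        print(f"[{severity:6}] {user}: {reason}")
```

The point of the `enabled` check is that termination is the fix for most of these findings, so accounts already disabled are excluded rather than flagged again; the separated-but-enabled case and the dormant remote-access case are exactly the "non-terminated" and "known accounts that did not change their passwords" categories from the CERT data.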

Completed: The MSI Promise of “Finding a Better Way to Do Intrusion Detection”

With the release of our HoneyPoint:Network Trust Agent (HP:NTA) product this week, we have completed our promise to develop HoneyPoint technologies that are deployable throughout the entire organization. For more than two years, our clients and other security folks have been telling us that Intrusion Detection technologies were just not cutting it when it came to defending the internal network and the systems that you depend on to run your businesses. I personally and publicly promised, last year, that I would find a better way forward and I now feel that we have lived up to that promise.

HP:NTA, along with the rest of the HoneyPoint product family, gives organizations a platform to deploy host-based intrusion detection built on an entirely new paradigm. The products require no signature updates, have no false positives to contend with, run on existing hardware and are based on the idea of “deploy and forget”. When you combine these factors, you get the highest ROI in the market today, the easiest solution to deploy and manage AND what I believe to be the best security mechanism you can buy.

One of the leading factors in HoneyPoint’s importance is that the technology detects intrusion earlier than most other technologies. By that, I mean that HoneyPoints tend to capture attackers, focused attackers, when they are still in their targeting mode. If you look at other detective technologies like signature based tools, NIDS and such – they detect the attacker in the act of EXPLOITING a target. One of the key reasons that HoneyPoint has been so successful at capturing intruders and allowing their threats to be mitigated, is that HoneyPoints key in on the attacker methodology. They capture attackers while the attacker is performing their initial probes – even as they attempt to identify potentially vulnerable services and systems to exploit.
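The detection principle described above is that a decoy service has no legitimate clients, so any connection to it is a targeting event worth recording, with no signature needed. As an added illustration of that principle (this is not HoneyPoint code, and MicroSolved's implementation is not described on the page), the following listener binds a TCP port, answers every connection with a generic banner, records who connected and the first bytes they sent, and hands that record to whatever alerting you have. The banner, the port choice and the `probe` helper used for the self-test are assumptions made for the example.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class HoneyListener:
    """Decoy TCP service: it serves nothing, so every connection is an event."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 service ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 lets the OS pick one (handy for tests)
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # so the accept loop can notice a stop request
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()
        self._thread.join(timeout=2)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break  # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        """Send the decoy banner, capture a sample of what the peer sends, record it."""
        conn.settimeout(1.0)
        data = b""
        try:
            conn.sendall(self.banner)
            try:
                data = conn.recv(256)
            except socket.timeout:
                pass  # a bare connect with no payload is still an event
        finally:
            conn.close()
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "dst_port": self.port,
            "sample": data[:64],
        }
        with self._lock:
            self.events.append(event)

    def snapshot(self):
        with self._lock:
            return list(self.events)


def probe(host, port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Self-test helper (assumed): connect to the decoy the way a scanner would."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.recv(64)  # banner
        s.sendall(payload)


def demo():
    """Run the decoy on loopback, touch it twice, and return the recorded events."""
    h = HoneyListener().start()
    try:
        probe("127.0.0.1", h.port)
        probe("127.0.0.1", h.port, b"\x00\x01\x02")
        deadline = time.time() + 3
        while len(h.snapshot()) < 2 and time.time() < deadline:
            time.sleep(0.05)
        return h.snapshot()
    finally:
        h.stop()


if __name__ == "__main__":
    for e in demo():
        print(e["time"], e["src_ip"], "->", e["dst_port"], e["sample"])
```

In production you would bind a port the host never legitimately offers, run it under an unprivileged account, and feed each event to syslog or your console; the payload sample is kept short on purpose, because the value of the event is the source address and the fact that it connected, not a full capture.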

That simple difference, of capturing the attacker earlier in their approach, may well allow organizations to save themselves immense amounts of financial damages, regulatory exposures and loss of confidence. That alone makes all of our work developing the HoneyPoint product family worth the effort. If we can help one organization better protect one consumer, then all of our work was worth it!

Now, with the release of HP:NTA, HoneyPoint Personal Edition and the flagship, revolutionary HoneyPoint Security Server we have created the tools that organizations deploy on their servers, their administrative workstations and even the systems of everyday users and road warriors. Each product is geared to the appropriate skill level of the user, and in each case – we made every attempt to keep the interfaces easy to use, easy to manage and easy to understand. The tools are all deployable en masse, upgradable with little more than file exchanges and include personalized support from our simply amazing staff of security engineers. In short, these products represent the completion and embodiment of our promise to our clients and the world. We said we would find a better way, and we did. We said we would make it possible for you to better protect yourselves, more easily than ever before. We have lived up to our word.

Looking forward, as we complete the development of HoneyPoint Security Server 2.00, we are about to again revolutionize the industry. The 2.00 release promises to bring more power, more flexibility and even more customization to enable our clients and the world to achieve yet another security plateau. Our commitment to you is to listen to your needs, continue to develop HoneyPoint technologies and work together to find new solutions.

As the 2.00 release draws near, stay tuned for more information, sneak peeks and discussions about what other changes to the product line are being planned. As always, please feel free to send us your thoughts, questions or input.

Thanks for making MSI your security partner. We appreciate working with each and every one of you!

Some Quick Ideas Around Virtualization

I was doing some research recently on the various platforms available for hosting virtual machines. I found this great comparison matrix at Wikipedia.

There are now a ton of platforms available for just about every OS out there. Some are certainly friendlier than others, but this is a great place to narrow things down to a short list.

Combining VM capabilities, the availability of LiveCDs and the low cost of memory and hard disk space these days, there is little reason that just about anyone could not easily and cheaply make their own very functional virtual lab for research, training and/or development. Security teams should rush to embrace this technology, as they could really use VM labs for experimentation, application analysis, tool evaluation, forensics and ongoing training.

VM technology has come a long way, and with solutions starting at FREE, they make economical sense for a ton of situations ranging from disaster recovery to prototyping. Maybe there will even be a new line of consulting services on the horizon where experts at virtualization will make small fortunes helping organizations port their complex apps and environments over to VM platforms for reduction of hardware footprints and ease of management.

The bottom line is this – if you haven’t played with VMs in a while, now might be a good time to look at them again. Things in this space are maturing nicely…