About Phil Grimes

Phil Grimes was a Security Analyst for MicroSolved, Inc.

MSI Says: Know Yourself – Unlock a DoS by Asking: Who Has Access?

Recently, a client was experiencing interesting issues during a scheduled assessment of their internal networks around the world. The assessment appeared to be causing a denial of service at one specific location, where it was affecting the automation controllers in that environment. That was an interesting anomaly, since the same controllers are deployed at other locations that showed no problems. The DoS was even more interesting from our perspective because it was literally locking the doors to the facility in question! We weren’t testing for this vulnerability; it turned up as a side effect of an internal assessment we completed to provide metrics and action plans according to our 80/20 guidelines. These are exactly the type of issues that help our clients understand the value of ongoing assessments.

So what’s the big deal? Let’s say an employee just got nagged about taking three 15-minute smoke breaks every hour. Let’s also say he knows the environment and/or has experience with a vulnerability scanner. He could lock the facility down while searching out ways to retaliate, and his employer wouldn’t even know it. Worse yet, anyone who knows this flaw exists could exploit it at will with a few keystrokes from their workstation. Not a good thing!

Controllers and sensors of similar types are used in businesses around the globe. This case study provides another argument for enclaving in any environment. The overall threat could have been reduced significantly simply by segregating traffic: there are few reasons these specific hosts should be reachable from most workstations. Fortunately, the issues didn’t last long. After some communication with the manufacturer, a firmware update was released that appears to have resolved the issues previously experienced. The firmware fix addresses this one failure mode; keeping the controllers off the general workstation network addresses the next one as well.

So the bottom line is: know your environment. It is the foundation of our 80/20 Rule for Security and lays the groundwork for discovering where vulnerabilities may lurk. Forewarned is forearmed.

Mobile Directory scanning efforts

The HITME has been abuzz with alerts from around the globe about scans attempting to find various mobile directories on HoneyPoint hosts. Here is the list of paths being probed:

/iphone
/m
/mobi
/mobile

While no scanner signatures or identifiers are being sent with the probes, the recent surge in interest in these directories is still cause for concern. Web admins should check their servers for requests to these paths. You can do so using our BrainWebScan tool if you would like (FREE). Copy and paste the paths from this page into the brain file and scan your environments for these targets.
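As an added example (not part of the original post, and not the BrainWebScan tool), the Python below does the matching check from the server side: it parses combined-format access logs, normalizes request paths, flags hits on the four directories listed above, and singles out sources that swept more than one of them, which separates a scanner from a legitimate phone user who happens to load /m. The log lines are constructed for the demo.

```python
"""Find probes for the mobile directories listed above in web server access logs.

Added example, not from the original post. Sample log lines are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# The paths reported by the HITME; matching is done on the normalized request path.
MOBILE_PROBE_PATHS = {"/iphone", "/m", "/mobi", "/mobile"}

# Apache/nginx "combined" log format (referer and user-agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def normalize_path(target):
    """Strip the query string and any trailing slash, lower-case the result.

    '/m/', '/M' and '/m?x=1' all become '/m'; '/mobile/login' is left distinct.
    """
    path = urlsplit(target).path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return path.lower()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_probes(lines):
    """Map each source IP to a Counter of the probe paths it requested."""
    hits = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = normalize_path(entry["target"])
        if path in MOBILE_PROBE_PATHS:
            hits[entry["ip"]][path] += 1
    return dict(hits)


def likely_scanners(summary, min_paths=2):
    """Sources that swept at least `min_paths` distinct probe paths.

    One request for /m may be a real phone user; a sweep across several of the
    directories is the scanner behaviour the HITME is seeing.
    """
    return sorted(ip for ip, paths in summary.items() if len(paths) >= min_paths)


# Constructed sample: one sweeping scanner, one real mobile visitor, one unrelated 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2009:10:01:01 -0400] "GET /iphone HTTP/1.1" 404 212 "-" "-"',
    '203.0.113.7 - - [12/Jun/2009:10:01:02 -0400] "GET /m HTTP/1.1" 404 212 "-" "-"',
    '203.0.113.7 - - [12/Jun/2009:10:01:02 -0400] "GET /mobi/ HTTP/1.1" 404 212 "-" "-"',
    '203.0.113.7 - - [12/Jun/2009:10:01:03 -0400] "GET /mobile?id=1 HTTP/1.1" 404 212 "-" "-"',
    '198.51.100.22 - - [12/Jun/2009:10:05:44 -0400] "GET /m HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone)"',
    '198.51.100.22 - - [12/Jun/2009:10:05:45 -0400] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (iPhone)"',
    '192.0.2.99 - - [12/Jun/2009:10:07:00 -0400] "GET /Mobile/login HTTP/1.1" 404 212 "-" "-"',
]

if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for ip, paths in summary.items():
        print(ip, dict(paths))
    print("likely scanners:", likely_scanners(summary))
```

Pipe a real log into `summarize_probes` (for example `summarize_probes(open("access.log"))`) and raise `min_paths` if a single directory gets legitimate traffic on your site; a 404 for every path in the sweep is the expected pattern when none of these directories actually exist.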

How Default Credentials and Remote Administration Panels Can Expose Security

A recent article described a project led by a computer science professor at Columbia University that conducted preliminary scans of some of the largest Internet Service Providers (ISPs) in North America, Europe, and Asia. He and his team uncovered thousands of embedded devices susceptible to attack, thanks to default credentials and remote administration panels being reachable from the Internet. It is amazing to us that there are still many people (and possibly organizations) who don’t take into account the security implications of leaving default credentials on outward-facing devices! This goes beyond patching systems and having strong password policies. It’s highly unlikely you’re developing strong passwords internally if you’re not even changing what attackers know is true externally.

The fact that these devices are reachable from the Internet is quite scary. It becomes trivial for an attacker to take over what is likely the only gateway in a residential network. The average user has little need to access these devices on a regular basis, so setting a strong administrative password and recording it on paper, or in a password manager like KeePass (or inside an encrypted TrueCrypt container), is a good option for reducing the threat level. More importantly, how many home users need outside access to their gateway? If the answer is none, disable remote (WAN-side) administration entirely; a strong password on a panel that is not exposed in the first place is a much smaller target.
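The check that follows is an added example, not code from the original post or from the Columbia project. It exercises the weakness described above from the owner’s side: it tries a short list of factory credential pairs against an admin panel that uses HTTP Basic authentication and reports the first pair the device accepts. The credential list is a placeholder (substitute your vendor’s documented defaults), the HTTP opener is injectable so the logic can be exercised offline, and the stub panel in the block is constructed for the demo. Run it only against devices you own or are authorized to test.

```python
"""Check whether an HTTP Basic-auth admin panel still accepts factory credentials.

Added example, not from the original post. Run it only against devices you own
or are authorized to test. DEFAULT_CREDENTIALS is a placeholder list, not a
vendor list. StubAdminPanel is a constructed stand-in so the logic runs offline.
"""
import base64
import urllib.error
import urllib.request

# Placeholder factory defaults for the demo; substitute your vendor's documented ones.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
]


def basic_auth_header(username, password):
    """HTTP Basic credentials: 'Basic ' + base64('user:pass')."""
    raw = f"{username}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def try_login(url, username, password, opener=None, timeout=5):
    """True if the panel answers 2xx to these credentials, False on 401/403.

    Other HTTP errors (e.g. 500) and network failures propagate, so a flaky
    device is reported rather than silently counted as 'secure'.
    """
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def find_default_credentials(url, candidates=DEFAULT_CREDENTIALS, opener=None):
    """Return the first (user, password) pair the panel accepts, or None."""
    for username, password in candidates:
        if try_login(url, username, password, opener=opener):
            return (username, password)
    return None


class _StubResponse:
    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class StubAdminPanel:
    """Constructed stand-in for a gateway whose panel still accepts one factory pair."""

    def __init__(self, accepted):
        self.accepted = accepted
        self.attempts = 0

    def open(self, req, timeout=None):
        self.attempts += 1
        if req.get_header("Authorization") == basic_auth_header(*self.accepted):
            return _StubResponse(200)
        raise urllib.error.HTTPError(
            req.full_url, 401, "Unauthorized",
            {"WWW-Authenticate": 'Basic realm="router"'}, None)


if __name__ == "__main__":
    panel = StubAdminPanel(("admin", "password"))
    print(find_default_credentials("http://192.0.2.1/", opener=panel))  # ('admin', 'password')
```

Against a real device, call `find_default_credentials("http://<gateway>/")` with no opener; a non-`None` result means the password was never changed. Panels that use a login form instead of Basic auth need a different request, but the decision logic (a 2xx for a factory pair is a finding) is the same.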

This all goes back to the common theme of being an easy target. If you let attackers see you as the low-hanging fruit, you’re just asking to become a statistic. This is the digital equivalent of walking down a dangerous street at night with your head down, shoulders slumped, avoiding eye contact, and with hundred dollar bills popping out of your pockets! We can’t make it easy for them. It’s important that we make them think twice about attacking us, and simple things like changing default passwords or patching our machines (automatic updates, anyone?) let us take advantage of that 80% result with only 20% effort!

Encryption: 3 solutions to fit your budget

When your worst fears become a reality and you notice there has been some breach of your data (a stolen laptop, an unlocked or unattended computer) and someone has either access to your machine or a copy of it for themselves, is there any hope left? Although most don’t think it’s necessary, encrypting data is another link in the chainmail that is our security policy. While this link is not substantial on its own, the entire suit of armor is where the true strength lies.

Data encryption sounds scary. People think of lines of binary crossing the screen at lightning speed like a scene from The Matrix or Hackers, but it’s become something so simple that everyone should be doing it! In this post, we’ll review some free and open source solutions that offer protection and peace of mind that what’s yours stays yours!

Encrypted Password Manager: KeePass

KeePass is a powerful password manager that supports the Advanced Encryption Standard (AES) and Twofish algorithms to encrypt your passwords and account information. In addition, SHA-256 is used as the password hash: the master password is hashed with this algorithm and the output is used to derive the key for the encryption. One master key unlocks the entire database, and that key can be composite: in addition to (or in lieu of) a password, you can keep a key file on CD, USB or floppy (floppy disk, really?), so that the database opens only when everything you chose is present. KeePass is small and portable, which means it runs just as smoothly from a USB disk as it does installed on a hard drive. KeePass doesn’t store anything elsewhere on your system: no registry keys are created or modified and no INI files are added to the Windows directory, so deleting the KeePass directory or running the uninstaller leaves no trace of the program. This tool has too many features to list completely if we intend to discuss others, but the built-in random password generator lets you create a password within KeePass and paste it into the necessary forms using secure clipboard handling that clears the clipboard again after a short timeout. One final feature that can’t be left out is the ease of database transfer. When passwords need to be available on multiple machines or in a multi-user setting, copying a single database file is all it takes.

“The sun will go nova before you can decrypt the database” – www.KeePass.info

Encrypted Volume Manager: TrueCrypt

TrueCrypt is an open source disk encryption program that creates a virtual encrypted disk within a file and mounts it as a real disk. Encryption is automatic, real-time, and transparent. Thanks to parallelization and pipelining, the virtual partition can be read and written nearly as fast as if it were not encrypted. The tool allows multiple encrypted volumes to be created and relies on the AES-256, Twofish, and Serpent algorithms (alone or in cascade) to protect your sensitive data. TrueCrypt can be downloaded and installed quite easily and includes a setup wizard that guides the creation of the encrypted volume. Once created, the interface lets you mount one or multiple volumes, which can then be treated as local drives to store data at will. Very smooth in use, very user friendly, and something any user should employ to protect personal and/or private data of any kind. (TrueCrypt development was discontinued in 2014; VeraCrypt carries the code base forward.) – www.truecrypt.org

Email Encryption: X.509 Certificates

X.509 email encryption assumes a strict hierarchical system of certificate authorities, unlike the “web of trust” model used by PGP. X.509 is an ITU-T standard for public key infrastructure (PKI) and Privilege Management Infrastructure (PMI) that also underpins many single sign-on schemes. Specified within X.509 are standard formats for public key certificates, certificate revocation lists, attribute certificates, and certification path validation, among other things. While X.509 certificates signed with MD5 were shown to be forgeable as recently as 2008, certificates signed with SHA-1 were deemed secure when this was written (SHA-1 has since been deprecated for certificate signatures in favor of SHA-256, so check which hash your certificate’s signature algorithm uses). While it is prudent for companies to use enterprise-level encryption solutions, individuals can protect themselves with the help of a free X.509 personal email certificate from www.thawte.com.
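The signature hash the paragraph above worries about is recorded in the certificate itself, in the signatureAlgorithm field of the outer Certificate SEQUENCE. The Python below is an added example (not from the original post, and not Thawte’s or any library’s code) that reads that field with a minimal DER parser and reports whether the hash is MD5, SHA-1, or something stronger; it goes a little beyond the text by decoding any OID, so an algorithm outside the small table is reported by its dotted number rather than misclassified. The certificate fed to it is constructed by the small encoder at the bottom of the block, not a real certificate.

```python
"""Report the hash behind an X.509 certificate's signature algorithm.

Added example, not from the original post. A minimal DER reader walks
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and decodes the signatureAlgorithm OID. The certificate used in the demo is
constructed by the small encoder at the bottom; it is not a real certificate.
"""
import base64

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
}
WEAK_HASHES = {"MD5", "SHA-1"}
SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = size of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string; first byte packs two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def der_from_pem(pem_text):
    """Drop the -----BEGIN/END----- lines and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

def signature_algorithm(cert_der):
    """Return the signature OID, its name, the hash it uses and whether that hash is weak."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)               # tbsCertificate, not needed here
    tag, alg_id, _ = read_tlv(cert, pos)        # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not an AlgorithmIdentifier")
    tag, oid_bytes, _ = read_tlv(alg_id)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    name, hash_name = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"oid": oid, "name": name, "hash": hash_name, "weak": hash_name in WEAK_HASHES}

# --- encoder used only to construct the demo certificate -------------------------
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(OID, bytes(out))

def build_demo_certificate(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate and a dummy 1024-bit signature."""
    alg_id = der(SEQUENCE, encode_oid(sig_oid) + der(NULL, b""))
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + alg_id)      # serialNumber + signature field
    sig = der(BIT_STRING, b"\x00" + b"\xAA" * 128)           # 0 unused bits, dummy value
    return der(SEQUENCE, tbs + alg_id + sig)

def pem_from_der(cert_der):
    b64 = base64.b64encode(cert_der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"])

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(der_from_pem(pem_from_der(build_demo_certificate(oid)))))
```

For a real certificate, `signature_algorithm(der_from_pem(open("cert.pem").read()))` is all that is needed; a `weak` result on a CA or personal certificate is the condition the 2008 MD5 forgeries exploited. The tbsCertificate carries a second copy of the algorithm identifier, and a full validator checks that the two agree.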

More often than not, people see encryption, passwords, and monitoring policies as more of an annoyance than anything else. Few would argue that it isn’t a pain to have to input a password to do anything at the system level, to have to remember to mount, unlock, and unmount an encrypted volume, or to have to allow access through a firewall, until you need it. When someone steals your data, you’ll be happy to know your passwords are locked up safe and your data is encrypted well enough that you have time to change anything sensitive before the bad guys can get to it! Keep your armor strong and polished and most foes will seek alternative victims. Don’t be an easy target!

Conficker: A serious threat or the world’s biggest Rick Roll?

The Conficker worm was touted with nearly as much danger and fear as Y2K… I remember that New Year’s better than any other in my lifetime simply because we were all standing around the day after, realizing “hey, that wasn’t so bad… my computer really could count to 2000!”

With the media’s sensationalism of Conficker/Downadup/Kido, people started to panic once again. Our machines would rise up against us and humankind would become slaves to the technology we’ve become so dependent upon. The best part was that this was all supposed to happen on April Fool’s Day, 2009. Really?

So our team sat back and watched the story unfold. We infected a machine in our lab to monitor the traffic, or lack thereof, and waited and watched. After days of inactivity, the P2P functionality of the worm kicked in. Conficker began what appeared to be an update process, as well as dropping an unidentified payload on infected machines. These updates are prime vehicles for changing the modus operandi of the infection as well as for extending the worm’s already long list of methods for killing the nearly two dozen security applications and update programs it is reported to disable.

When the P2P traffic trailed off, there was some speculation of a “cease fire” on or around 3 May, 2009, but this may not necessarily be the case. Reports have come from India this week where systems have been observed to have installed a second infection, Waledac, which is known to send spam without the user’s knowledge. Shantanu Ghosh, VP, India Product Operations, Symantec India, has been quoted as saying that research shows widespread use of peer-to-peer file-sharing programs, low awareness of the need to update anti-virus software regularly, and rampant use of pirated software have contributed to India’s high rank among countries affected by Conficker.

Well, we may not be out of the woods yet, but this takes me to the moral of our story. Updates are not optional. They are necessary to ensure proper functionality and security within a network. This infection is certainly containable and should not be the end of the Internet as we know it, but if something as simple as an update could stop this thing in its tracks, why doesn’t everyone do it?

Domestic Defense: 3 Steps to Hardening Home PCs

As we wander the information superhighway, it’s no secret there is an abundance of thieves, pirates, and stalkers out there looking for low-hanging fruit to make a quick buck before moving on to the next mark. We’ve all heard horror stories of good people falling prey to the black hats out there. This post is encouragement for those who’d like to take as much power back into their own hands as possible: to make thyself a harder target.

Microsoft’s Windows operating system is the market leader among home computer users, and there is an entire subculture of people out there who work to break it by any means, for fun and profit! Taking the following countermeasures makes you a little less susceptible to the threats on the Internet.

Windows Automatic Updates

This is a necessary evil of using the Windows operating system. Microsoft releases updates on a monthly cycle, as well as periodic urgent out-of-band updates, designed to keep your computer patched against the latest threats. While some prefer to control when these updates are applied, it is strongly encouraged to take advantage of the automatic feature, a sort of “set it and forget it” tool that lets you stop worrying about whether you’re up to date. Enable or modify your update settings as follows:

Click on Start, open the Control Panel and select Security Center. At the bottom, open Automatic Updates.

[Screenshot: Automatic Updates settings]

By selecting the automatic option, Windows will phone home at the time you specify. Some prefer to set this for a time when the machine is not in use, such as overnight, to prevent the updates from interfering with normal use. Once the desired settings are chosen, click “Apply”, then “OK” and close up shop.

Anti Virus Solutions

Anti-virus and firewall programs are essential to the protection of any Windows computer that is connected to a network. These programs work together to monitor the flow of data through your machine and to give warnings or indications of what might not be “quite right”. While there are premium options on the market, there is also a set of free tools that do a fine job of protecting the average user.

AVG Anti Virus offers a free solution with extensive virus protection, live updates, and a nice user interface that allows at-a-glance confirmation that the program is functioning. While there are more features in the subscription version of this product, the Free Edition is a very comprehensive program:

[Screenshot: AVG Free Edition main window]

The update menu also has an automatic feature that allows for “set it and forget it” freedom. Updating immediately lets AVG “phone home” and get the latest virus definitions before the first scan of your system. Once these updates are complete (a restart may be required), you’re ready to spend time in the Computer scanner menu setting up preferences and then scanning your system to ensure it’s clean.

[Screenshot: AVG Computer scanner menu]

It’s important to first set a scan schedule. Once you’ve done that, scan the whole computer. This will take some time. Grab a cup of coffee (or my preference, a Monster drink) and find something to kill some time with. If your Windows partition has any chance of being infected (i.e., this is NOT a fresh install), you’ll want to check in periodically to ensure you’re not being prompted to address any juicy discoveries. After the initial scan of your machine, you’ll have FREE, real-time protection against a good portion of the software threats facing home users today.

Comodo Firewall

Yes, it’s true Comodo offers an “all in one” solution that is a firewall AND an anti-virus in one package, but I’ve always been of the mind that my proctologist shouldn’t be doing my mechanic’s work and vice versa. AVG has been my go-to anti-virus for some time and it outperforms the other freebies while still being very easy to use, and Comodo makes for a great firewall, so I recommend exactly that: Comodo’s Personal Firewall Free Edition. This means it is important NOT to install the anti-virus that comes with the Comodo package:

[Screenshot: Comodo installer with the anti-virus component unchecked]

This is VERY important because having more than one anti-virus program running at once can cause them to conflict with each other, so that neither protects you to its full potential.

Once installed, spend some time learning the interface. Again, you’ll want to allow it to update (an option under the MISCELLANEOUS menu). When the update is complete, the firewall will want to scan your system. This sets a baseline against which Comodo can assess future changes, alerting you and getting permission before they take place.

After the initial scan, you’ll want to spend some time doing typical tasks to let the firewall learn from you. Comodo pops up alerts from the system tray with an outline of the detected action. When you’re teaching it something new, you’ll want to allow the action and usually to “Remember my answer”. It’s a good idea to read these alerts and thoroughly understand this interface to ensure your firewall is functioning properly. This learning period tends to be tedious, but it is necessary to get the full benefit of “educating” the firewall. Notice the “Treat this application as” option. This puts the firewall into an “installation mode” that lets software be updated or installed without asking permission for every single change; use it while you are actually installing something, not as a permanent setting.

[Screenshot: Comodo firewall alert]

Once Comodo learns your typical activities, you’ll rarely hear from it. The updater will ask permission to phone home and it will alert you of any odd-looking traffic, but in reading the alert you should get a good understanding of whether you want to allow it or not. I actually use the Firefox add-on “Malware Search”, which adds right-click menus that link you to Process Library, System Lookup, and Google, where I’ll search down anything I don’t recognize. If it’s unidentifiable, it doesn’t get through.

Secunia Personal Software Inspector

Secunia PSI is an invaluable tool for the home user. In a nutshell, this program monitors your system for available updates and lets you know about them. It’s like a central command and control center for all your software. PSI will advise you of new updates and re-evaluate to ensure you’re fully covered.

[Screenshot: Secunia PSI scan in progress]

After scanning the computer, PSI reports which programs are up to date and sets the process in motion to address any that are not.

[Screenshot: Secunia PSI scan complete]

These free tools will set a solid security foundation on any home computer. They are necessary today in a cyber world where identity theft, spam, and botnets are rampant. It’s us against them, and we shouldn’t allow ourselves to be easier targets than absolutely necessary. The MSI team will continue to search out ways of protecting and educating the good guys while thwarting the bad guys.