About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, VA, where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintenance of the 34 Points-of-Presence that made up the Marine Corps' 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.

~'>{[\|/.:";,]}<`?

Say what?? Some special characters are better than others for passwords.

When an attacker gets a password hash, they need to pick which charset to use to crack it. Some people say there are only 4 categories: lower alpha, upper alpha, numbers, and special characters. However, brute-force password crackers like Cain, and more advanced cracking tools like rainbow tables, distinguish between types of special characters. They ask whether you'd like to include only the weaker special characters, which are more commonly used: !@#$%^&*()-_+=

…or would you like to include the far less likely to be chosen set of extended special characters? ~'>{[\|/.:";,]}<`?

Since cracking tools distinguish between these sets, you should too, and you should use characters from all 5 groupings. Even a password like Abc123 is more secure as "A,b,c,1.2.3?", and how much harder is that to remember? It's easier than you think to bulletproof your password against advanced cracking technologies. You could surround your password in "quotes", or with [square brackets]. You could make it something easily memorable like {$19.95!}Ca||-n0\/\/ or "C:\WinNT\$Y5T3M\" or `Ta~0!!' The possibilities are, of course, endless. But the key is to use all 5 sets.

Set 1: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Set 2: abcdefghijklmnopqrstuvwxyz
Set 3: 0123456789
Set 4: !@#$%^&*()-_+=
Set 5: ~'>{[\|/.:";,]}<`?

To further throw attackers off the trail, you could refuse to use commonly used characters, such as !, 1, e, 3, E, o, O, 0, 5, S, s, and some others. Then every time a cracker tries a password with those characters in it, they will fail, and you can take comfort in their wasted CPU cycles.
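To make the "all 5 sets" advice concrete, here is an added example (not code from the original post) of the check a password-policy tool could run: it reports which of the five groupings a password draws from, flags the commonly used characters the post suggests avoiding, and estimates the brute-force keyspace an attacker who has guessed the right groupings would have to cover. The set names (`upper`, `lower`, `digits`, `common`, `extended`) and the `audit` function are this example's own; the character sets are the five from the post.

```python
import math

# The five character groupings the post describes. Set 5 is the "extended"
# special-character set that cracking tools treat as a separate option.
CHARSETS = {
    "upper":    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lower":    "abcdefghijklmnopqrstuvwxyz",
    "digits":   "0123456789",
    "common":   "!@#$%^&*()-_+=",
    "extended": "~'>{[\\|/.:\";,]}<`?",
}

# Characters the post suggests avoiding because they are so frequently chosen.
COMMONLY_USED = set("!1e3EoO05Ss")


def sets_used(password):
    """Names of the groupings that actually appear in the password."""
    return [name for name, chars in CHARSETS.items()
            if any(c in chars for c in password)]


def keyspace_bits(password):
    """Brute-force keyspace in bits, assuming the attacker has guessed the
    groupings correctly and tries every string of this length over them:
    log2((sum of set sizes) ** length)."""
    alphabet = sum(len(CHARSETS[name]) for name in sets_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def audit(password):
    """Summary a password-policy checker could report back to the user."""
    used = sets_used(password)
    return {
        "sets_used": used,
        "all_five": len(used) == len(CHARSETS),
        "keyspace_bits": round(keyspace_bits(password), 1),
        "common_chars": sorted(c for c in set(password) if c in COMMONLY_USED),
    }


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the post.
    for pw in ("Abc123", "A,b,c,1.2.3?", "{$19.95!}Ca||-n0\\/\\/"):
        print(pw, audit(pw))
```

Running it shows the gap the post describes: `Abc123` sits in a 62-character alphabet (about 35.7 bits at length 6), while `A,b,c,1.2.3?` pulls in the extended set and lands near 75.9 bits. The estimate is a brute-force bound only; it says nothing about dictionary or pattern attacks, so a long password built from a dictionary word still deserves scepticism even when it scores well here.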

Handling Unknown Binaries: A Quick How-To

You check your email, receive a suspicious file, and your antivirus scanner didn't throw any flags, so you wonder: is it safe to open? There are some things you can do when you get a possible virus that not only help you, but the entire security community as well.

1. Surf to http://www.virustotal.com and upload the possible virus. VirusTotal then scans the file using numerous antivirus programs to determine which ones detect the file as a virus and which do not.

Now if none of them detect it as a virus, this doesn't necessarily mean it's safe to open, but at least you'll know for sure if VirusTotal does detect it. Another site that offers a similar service is http://virusscan.jotti.org

2. Review the binary with your favorite "strings" type program, which grabs any text out of a binary for you to view. You might use strings from Unix/Linux or BinText for Windows, or even some editors. Be very careful not to execute the file, but examine it for strings. Keep on the lookout for things like registry keys that execute commands, networking calls, URLs, etc. This isn't 100% effective, since some information could be encoded or encrypted inside the binary code. Note that you might also need to use an unpacker on the binary to do this. Try this beforehand with known good tools and get some practice with both unpackers and strings-type utilities.

3. Lastly, if both of the previous steps show nothing, you might also consider setting up a test machine or a virtual machine image and running the possible virus in that test environment, but this is not recommended for the faint of heart or the technically unsavvy. For the average user, uploading it to VirusTotal and then deleting it would be enough. Tools like Wireshark that capture incoming and outgoing packets would provide valuable insight in an investigation of this sort. Some malware is smart and won't immediately begin sending data as soon as it starts, but will delay its actions to fool investigators into thinking it is benign, so be aware.

4. For those of you who are more advanced with code and development, or those looking to become more advanced, you could also investigate the use of a debugger or other reverse engineering tools. If so, it is beyond the scope of this article, but check around the Net – there are many articles dedicated to these tools and techniques.
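As an added example of step 2 (not a tool from the original post), the script below does what a strings-type utility does, pulls the printable runs out of a file without ever executing it, and then sorts those runs into the indicator buckets the post tells you to watch for: autorun registry keys, URLs, and networking API names. It also computes the file's SHA-256, which is worth having before step 1 as well, since a hash lookup tells you whether a scanning service has already seen the file. The byte string is a constructed stand-in for a suspicious attachment (the `example.invalid` URL is a reserved placeholder domain), and the indicator list is this example's own starting point, not an exhaustive one.

```python
import hashlib
import re

# Constructed sample "binary": junk bytes with a few embedded strings, standing
# in for a suspicious e-mail attachment. It is not real malware.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"This program cannot be run in DOS mode.\r\n"
    b"\x00\x00\x00\x01\x02"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x07\x08"
    b"http://example.invalid/update.php\x00"
    b"\x00WSAStartup\x00connect\x00\x10\x11"
    b"ab\x00"   # too short to count as a string
)

MIN_LENGTH = 4  # same default minimum run length as strings(1)


def extract_strings(data, min_length=MIN_LENGTH):
    """Return runs of printable ASCII of at least min_length bytes, the way
    strings(1) or BinText would, without interpreting the file in any way."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_length
    return [m.decode("ascii") for m in re.findall(pattern, data)]


# Indicator buckets from the post: registry keys that execute commands,
# networking calls, URLs. Extend these as your own triage experience grows.
INDICATORS = {
    "autorun_registry_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "url": re.compile(r"https?://[^\s\x00]+", re.IGNORECASE),
    "network_api": re.compile(
        r"^(WSAStartup|connect|send|recv|InternetOpen\w*|URLDownloadToFile\w*)$"),
}


def classify_strings(strings):
    """Map each indicator category to the extracted strings that match it."""
    hits = {name: [] for name in INDICATORS}
    for s in strings:
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits[name].append(s)
    return hits


def sha256_hex(data):
    """Hash to look up on a scanning service before uploading anything."""
    return hashlib.sha256(data).hexdigest()


def triage(data):
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "strings": strings,
        "indicators": classify_strings(strings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    print("sha256:", result["sha256"])
    for name, matched in result["indicators"].items():
        print(f"{name}: {matched}")
```

A packed or encrypted sample will yield almost nothing here, which is exactly the post's caveat: an empty indicator list is not a clean bill of health, it only means this pass found nothing readable. Treat a populated `autorun_registry_key` or `url` bucket as a reason to stop and escalate, not as a reason to open the file.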

These are merely basic steps and ideas. Each step requires skills and additional practice that new users or less advanced users may not have. When in doubt, simply delete. If the file was sent to you by someone you know personally, play it safe and call them.

So, try these at your own risk. Your mileage and paranoia may vary…

“Retreat, hell! We’re just attacking in a different direction”

The CEO of my company (MicroSolved, Inc.) recently returned from a trip to Aruba, in which he was forced to endure the ban on liquids and gels on airlines. While patiently complying with the wishes of the TSA inspectors, he began to wonder if the additional inconvenience was worth the minimal decrease in security risk that the average airline customer would experience. Upon his return, he did a little research about the current rates of injury or death when performing everyday tasks, such as flying, driving, swimming in your backyard pool, and walking in the rain.

While the research revealed some very interesting facts regarding the risk involved with performing these everyday tasks, it prompted me to ask a different question. Our CEO was interested in knowing if the inconvenience was worth the reduction in risk. I asked whether the inconvenience was worth it at all. Did it even work?

I immediately began to think about how we got to the point we currently find ourselves, in regards to Anti-Terrorism and Information Security. Can we find a way to tie Anti-Terrorism measures and Information Security measures together to get an idea of whether the Anti-Terrorism measures can ever be effective?

When thinking of Information Security, the first thing that comes to mind is one despicable word: Signatures. Nearly every school of thought that has been bought into by security professionals involves the use of signatures to detect an attack. Your Anti-Virus relies on signatures to identify malware. Your Intrusion Detection/Protection devices rely on signatures to identify attacks. Your spyware/adware detection devices rely on…you guessed it…signatures.

Signatures have proven to be quite effective…AFTER THE INITIAL ATTACK. The problem is that someone or something would have to have already seen the attack, in order to create an accurate signature. This holds true with today’s current Anti-Terrorism strategy. Think about just about every strategy that has been put into place to identify (or protect you from) a terrorist attack. We don’t implement bans on “liquids” until AFTER someone has already seen that particular method. We don’t restrict the use of metal silverware on a plane until AFTER someone has used a butter knife to hijack a plane.

There is a portion of the Information Security community (me included) who believe that we have already lost the war against malicious attackers. Of that portion of the community, several of us firmly believe that we are at a crossroads in what Information Security is now and will be in the future. A couple of us believe that it is now time to recognize that the good guys have lost the war and it is now time to pull back and focus our efforts on securing the critical data and leaving the users to their own devices.

There is a term floating around out there that speaks directly to this school of thought: Enclave Computing. Whereby, we would attempt to begin to identify the critical information that needs to be protected. Once we have identified the critical information, we move it to a secluded part of the network, or "enclave", and wrap controls around it that dictate who and what has access to the information. We give the user base everything that we can give them for protection, but we don't care about what happens to their boxes. We don't care if they get compromised, because no critical information is stored on the machine. If one of their machines gets compromised, it becomes a turn-and-burn situation. That machine gets imaged and is back in operation in less than an hour. The information, being secluded from the compromised host, remains secure.

Now, I’m not condoning the thought that the government needs to consider leaving the citizenry to their own devices. I, a former US Marine, am absolutely certain that the War on Terrorism is something we can and will win, not to mention that we HAVE to win it. What I am afraid of is that we don’t know HOW to win. If we keep following the path of relying on signatures to protect our citizens and their information, as the War of Information Security has shown, we will lose.

As a country and an industry, we need to get back to our roots. We need to rely on that ingenuity that Americans so proudly brag about. We need to find pre-emptive solutions to defending our country and her information. I don’t know what the answer is to waging the War on Terrorism. I do know that MSI is using that “American Ingenuity” right now to create solutions to help us defend our information. What forward thinking organization will be the one to break new ground in providing a realistic method of waging the War on Terrorism?

One final, albeit scary, thought that remains just as true for National Security as it does for Information Security is something the President has been quoted as saying: our enemies "only have to be right once; we have to be right 100 percent of the time."

RFID: Recipe For International Disaster?

RFID is the crest of an approaching wave of ubiquitous computing, a trend where small computing devices will be everywhere in your daily life. Manufacturers rushing to be first to market designed them to be cheap and to consume very little power. In the process, they sacrificed good security practices like strong encryption and proper privacy protection. Researchers at RSA and Johns Hopkins Information Security Institute are calling the RFID security protections "inadequate" and have demonstrated several ways to crack the devices. Another group at Vrije Universiteit Amsterdam has created proof-of-concept viruses that would spread from one RFID tag to another effortlessly. How can something so high-tech be so fraught with security holes? RFID as implemented now in the lower-priced tags is a Pandora's box which has already been opened.

One of the more interesting uses of hacked RFID technology is when a man copied his hotel key’s RFID signature into the electronic price tag on a tub of cream cheese and opened his hotel door with the food container. Anyone with the right hardware and software could alter the price of every RFID tag in a warehouse or store to scramble them or swap them, due to poor encryption and other design flaws. As these devices grow in popularity, they will increasingly become a hot target for thieves and organized crime. RFID will soon be integrated into everyone’s passport which is sure to draw the attention of terror organizations in search of low-hanging fruit. These RFID tags aren’t just being used in experimental labs, no, they are in production in cars, hotels, toll lanes, and more. If a society is going to rely this heavily on a technology, shouldn’t it be secure?

Sacrificing security for cost in this case will cost the world more than the few cents they saved per chip. The short-sightedness of some RFID designers has set the stage for what could be one of the biggest disasters to hit ubiquitous computing. The problem is that the public knows nothing about the subtle nuances of what is needed for secure RFID, and manufacturers don’t feel any pressure to make their chips secure if their competitor doesn’t have to. Governmental standards should be enacted requiring strong encryption for these tags because the industry has failed to regulate itself in this regard. Consumers need to educate themselves about the power of and problems with RFID and how it can affect their own life. Ultimately, good security always comes back to user education.

Dodge phishing attacks and spam

ANTI-SPAM

– Run a consolidated email filtering solution at your email gateway, and use a good AV product.
– If you don’t know who sent it, especially if you are not in the TO: or CC: part, delete it.
– If the subject looks mangled so it could get by perimeter spam sensors, delete it.
– Have a good email policy in your business or organization, and also for your family at home.
– Don’t open email attachments unless you are prepared to infect your computer with a virus.
– Never ever open unsolicited MS Word or MS Excel or any other MS Office document.
– Never make a purchase from an unsolicited email, or give out your credit card numbers.
– Use a disposable email address when signing up for websites to avoid unsolicited email.
– Don’t click the unsubscribe link, which can add your email address to more spam lists.
– Avoid using the preview functionality of your email client software to avoid inadvertent infection.
– Don’t post your email address on every single message board you visit like some people do.
– When mass mailing, use BCC (blind carbon copy) to conceal recipients from one another.

ANTI-PHISHING

– Phishers make a fake site that looks like the real website to collect private information.
– Never respond to emails that request personal financial information or identity information.
– Banks or e-commerce companies generally personalize emails, while phishers do not.
– Visit bank sites by typing https://www.bank.com to have a securely encrypted connection.
– No matter how well you think you know someone from the internet, you don’t know them at all.
– Vigilantly keep good track of your finances and credit report to check for suspicious activity.
– If you’re unsure of a link, search for the URL in a search engine to check its legitimacy.
– Use the latest version of your favorite Internet browser and allow script only on sites you trust.
– Keep your computer patched with all of the latest updates from your operating system vendor.
– If you think your bank has emailed you, call, don't click, especially if it seems very urgent. Ask a customer service representative for help on the phone.
– If your financial institution calls you: hang up, call them back. Always initiate the call.
– Phishers often send false but sensational messages to socially engineer you:
      (“urgent – your account details may have been stolen”)

Following these steps cannot keep you 100% safe but it will reduce your risk against attack.
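Several of the tips above can be checked mechanically before a person ever reads the message: whether you are actually in the To: or Cc: line, whether the subject or body leans on the "urgent" wording phishers use, whether a link's visible text names one site while its target goes somewhere else, and whether an unsolicited Office document or executable is attached. The script below is an added example of such a pre-screen, written for this post rather than taken from it; it uses only Python's standard `email` parser. The two messages are constructed samples, the recipient address `troy@example.com` is an assumed placeholder, and the phrase and extension lists are a starting point you would tune to your own mail.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumed: the addresses the reader receives mail at.
MY_ADDRESSES = {"troy@example.com"}

# Sensational wording from the post's last bullet, plus a few common variants.
URGENT_PHRASES = ("urgent", "account details may have been stolen",
                  "verify your account", "suspended")
# Unsolicited Office documents and executables the post says never to open.
RISKY_EXTENSIONS = (".doc", ".xls", ".ppt", ".exe", ".scr", ".pif")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})",
                               re.IGNORECASE)


def body_text(msg):
    """Concatenate the text/plain and text/html bodies (not attachments)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") \
                and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(
                    part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def same_site(shown, actual):
    """True if the host named in the link text and the real host agree."""
    shown, actual = shown.lower().strip("."), actual.lower()
    return (actual == shown or actual.endswith("." + shown)
            or shown.endswith("." + actual))


def flag_message(raw, my_addresses=MY_ADDRESSES):
    """Return the list of rule names the message trips, in a fixed order."""
    msg = message_from_string(raw)
    flags = []

    # Rule: if you are not in the To: or Cc: part, be suspicious.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if not recipients & {a.lower() for a in my_addresses}:
        flags.append("not_addressed_to_me")

    # Rule: sensational / urgent wording used for social engineering.
    text = body_text(msg)
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if any(p in haystack for p in URGENT_PHRASES):
        flags.append("urgent_language")

    # Rule: link text shows one domain, href points at another.
    for href, anchor_text in ANCHOR_RE.findall(text):
        host = urlparse(href).hostname or ""
        m = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", anchor_text))
        if m and not same_site(m.group(1), host):
            flags.append("link_text_mismatch")
            break

    # Rule: never open unsolicited Office documents or executables.
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append("risky_attachment")
            break
    return flags


# Constructed sample: BCC-style blast with urgent wording and a disguised link.
# The .invalid domains are reserved placeholders, not real sites.
PHISHING_SAMPLE = """\
From: "Security Team" <alerts@bank-example.invalid>
Subject: URGENT - your account details may have been stolen
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm your identity within 24 hours at
<a href="http://www.bank.example.login-verify.invalid/">https://www.bank.example/login</a>.</p>
</body></html>
"""

# Constructed sample: properly addressed, calm, but carries a spreadsheet.
ATTACHMENT_SAMPLE = """\
From: "Payroll" <payroll@example.com>
To: "Troy" <troy@example.com>
Subject: Updated timesheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Fill this in and send it back.
--b1
Content-Type: application/vnd.ms-excel; name="timesheet.xls"
Content-Disposition: attachment; filename="timesheet.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print("phish:", flag_message(PHISHING_SAMPLE))
    print("xls:  ", flag_message(ATTACHMENT_SAMPLE))
```

The checks are deliberately cheap heuristics rather than a spam filter: a hit is a reason to follow the post's advice (call, don't click; delete unsolicited documents), and a clean result is not proof of legitimacy, so the human rules above still apply.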

Users: Greatest Asset or Weakest Link?

Recent events at very large and very important institutions, such as the Veterans Administration, have highlighted the importance of having an informed, security-minded user base. Many, if not all, organizations that electronically process client or customer information have begun to recognize the importance of having a comprehensive Information Security Policy in place. While every well-prepared Information Security Policy includes provisions that speak directly to the roles and responsibilities of the common user base, it is becoming apparent that few organizations actually provide the training and awareness programs which have proven effective in creating that sought-after, informed user base.

As cyber-criminals realize that organizations' perimeter defenses have become increasingly difficult to circumvent, attackers have begun focusing their attention on the individual user as a means of compromise, instead of the organization as a whole. Cyber attacks such as phishing attacks and e-mail scams attempt to trick a user into providing some sort of personal or confidential information to an attacker, without the user knowing. With the advent of the slew of different removable "Destructive Technology" devices (laptops, USB thumb drives, smart phones, PDAs, etc.) that are available to the layperson, it is quite possible for a common user to contract some sort of malware while outside of the organization, only to inadvertently introduce the malware to the organization's "squishy underbelly" that is the internal network.

It is incredibly important, and often mandated by law, for an organization to have a comprehensive Information Security Policy in place. Even more important is the requirement that the Information Security Policy include provisions that explicitly detail the roles and responsibilities of the user base in the organization's overall security posture. Every organization should include a comprehensive Information Security Awareness Program that speaks directly to how a user should handle the onslaught of cyber attacks that they are certainly going to encounter. It should be the ultimate responsibility of the user base to ensure that they are doing their part in defending their organization's client/customer information. It should be the responsibility of the organization to ensure that the policies that detail the responsibilities of the user base are in place. But it ultimately comes down to the user to make sure that they are practicing due diligence and adhering to those guidelines.

Does your organization have a Security Awareness Program?  Better yet…do you follow it?

Hat trick of Excel vulnerabilities

Three vulnerabilities were identified in Microsoft Excel recently. The worst of them, in which a specially-crafted flash video can be inserted into a spreadsheet to remotely compromise a computer, doesn’t even require that the user click on anything. All they have to do is open the Excel file from an email attachment and their system is compromised. Excel spreadsheets can even be embedded into web pages, which allows for yet another attack vector.

The other two Excel vulnerabilities were found less than a week earlier. One exploited Excel's apparent inability to successfully handle long URLs, and the other was a targeted attack that Microsoft has barely commented on. We expect all of these holes will be patched by Microsoft in their upcoming monthly security update. Until then you should handle unknown Excel documents as if they could very well be infected with a virus.

Veteran’s Administration loses 26.5 million records

A recent report from the Veteran's Administration (VA) indicates that a data analyst illegally removed the personal records of over 26.5 million former service members from the VA, which were subsequently stolen from the analyst's residence. Fortunately, the records did not contain any medical or financial information on every service member that has served this country's armed forces since 1975. However, the names, dates of birth, and Social Security Numbers were among the information that has been stolen. The authorities do not believe that the information was specifically targeted, as there has been a string of burglaries in the analyst's area of residence. They also believe that the thief(s) may not even know that they have this particular information. How the data analyst got the data out of the building is unclear, whether it was on a laptop, USB drive, CD/DVD or some other type of destructive, transportable media. However, the incident does pose several questions, for me, about the organization's Information Security policies and procedures. Especially if you consider that my name, date of birth, and Social Security Number are included with those of the 26.5 million other veterans that have been affected.

My first question about this incident is, naturally, what were the motivating factors that allowed this series of events to take place? If you recall from my previous blog entry, my research for the State of the Threat presentation indicated that there is a growing market for our personal information to be used in identity theft schemes. With organized crime groups doing all they can to get the SSNs of innocent people to be used to steal their identities for monetary gain, I have to wonder (pure speculation!) if there was some sort of cooperation between the data analyst and an external entity to have this information removed from the Veteran's Administration. With all the talk about the illegal immigration issue, we all know that many of those immigrants are using stolen identities in order to be able to work. There is a debate going on in the Senate that may end up allowing those same illegal immigrants to keep the Social Security benefits that they paid into by using the stolen identities. Could the underground market for names and SSNs (and the finder's fees for those numbers) be a motivating factor?

More important than the motivators is what security policies were in place that were supposed to safeguard against this type of thing occurring? By now, most companies or agencies are being regulated by some sort of legislation, whether it be GLBA, HIPAA, SOX, or NCUA 748, that mandates certain controls be implemented to prevent just this very thing from happening. Were these safeguards implemented at the Veteran's Administration? If they were implemented, were they being followed? Was there an awareness program in place to inform the employees of their roles and responsibilities in the organization's Information Security posture? Has a third party ever performed a risk assessment of the VA's security posture, to include security policies and business processes? What was the VA's policy about USB drives or other transportable media? Is there unmitigated access to this type of data, once access is gained to the internal network?

For years, security professionals have been screaming, at the top of their lungs, that the user will always be the weakest link in an organization’s security posture.  Could this incident have been avoided with a comprehensive, standards based Risk Assessment and follow on Awareness Program?  Or, will the theoretical disgruntled employee (I don’t know if that’s the case in this incident) always be the worst fear of any organization?

This incident, or one of the dozen or so incidents that have been reported from some of the largest companies in the world, should put the need for a comprehensive, repeatable, and standards-based third party risk assessment at the top of the list on every security professional's mind. If the thought of being the company or organization that is responsible for the identity theft and ruined credit of anywhere from 1 person to millions of people doesn't get the job done, maybe the fines and lawsuits that could ensue if an incident of this nature occurs at your organization will be the motivator that enables your organization to realize that information security is not just a new buzzword. It's a reality… and a necessity.

As for me, I can be found at the nearest credit bureau trying to order my credit report.  OUT OF MY POCKET….NO LESS!!!

Recent State of the Threat Presentation

We, here at MicroSolved, dedicate our lives (yes we work at home, too) to the goal of helping to ensure a safer and more secure Internet for every user that may be inclined to partake in the wonder that is the Internet community. Ideally, we would love to work ourselves out of a job. Fortunately, we know that will never be possible. To that end, we have been providing a service that we like to call the State of the Threat, by which we take a look at the current state of the Internet and report on major events that have affected the community. Additionally, we attempt to make some forward looking guesses about where we think security professionals should expect to see upcoming issues or problems. In doing so, we have been performing quarterly presentations that address the threats that we saw to be of major concern over that 3 month period. During these presentations, we also attempt to guess where we think the hacker community may be investing more and more time toward research for newer attack vectors.

Our most recent State of the Threat presentation was performed this past Friday, May 12, 2006, in Fairmont, West Virginia. I delivered the presentation to the local chapter of InfraGard, which is an initiative by the FBI to share and gather information with security professionals in the commercial sector. During my research I noticed a trend that appears to be the changing of the playing field that we have all been engaged in. Our presentation usually starts out with some astronomical numbers that represent the increase (or decrease, if that would ever happen) of cyber attacks that were noted during the past quarter. However, I had to depart from that normal format to talk about something that seems considerably more important, and definitely more dangerous, if not expensive. After quite a bit of research done by myself and various other security gurus in the business, it is definitely obvious that the profile of the most prolific attackers has changed from your everyday hobbyist with a desire to crack boxes and break applications, to attackers with a more devious intent. That's right… criminals. We are starting to see more and more attacks that are financially driven. Unless you have some very good mail filters in place on your mail servers and in your inboxes, you have probably noticed an increase in phishing attempts and everyday spam. Everyone has heard at least one large company report that several thousand credit card numbers or customers' personal information have been stolen. It's worth noting that one major university here in Ohio experienced its third major compromise and data theft event in a couple of months. Try to imagine how important the Social Security Numbers of a couple thousand students might be in the next couple of years. While their credit may not be the best now… imagine 10 years down the road when they are in the workforce heading up departments or entire firms. That information could be very lucrative to the organized crime rings around the world. If I were you, I would expect to continue seeing these types of attacks in the future.

The State of the Threat presentation talks about some of the more fun things going on out on the Internet, such as the threat that is MySpace.com. I talk about where to look for the problems your cell phones, PDAs, Bluetooth devices, and smart phones are going to bring into your organizations and homes. I even go into the theoretical threat that RFID tags are going to bring. Anyone get one of those neat chips installed under their skin? It might be infected with a virus. How about the fact that there has been almost a 1700% increase in Instant Messenger attacks over the past year? Do you have bots or botnets? I'd bet my next paycheck that you do, or you will in the near future!!! Any takers?

I can't forget my favorite fun fact. The Windows System Time To Live is down to 18 minutes. The Windows System TTL is simply the amount of time it takes for an unpatched, unfirewalled Windows box that is placed on the wild Internet to become compromised or infected with some sort of malware. That time is 18 minutes. The fun fact: it actually takes longer for a brand new, out of the box, Windows XP Home Edition machine to connect to Windows Update and download all of the hot fixes than it would for it to become compromised.

We will be posting the full presentation on our website at www.microsolved.com in the next couple of hours. Please check back for the direct link to the presentation.