Just a little Holiday reminder. As we get nearer to popular Holiday’s we normally see an increase in malware attacks. Remember not to open any “e-cards” or other assorted potentially malicious email from random addresses, and closely examine any that appear to come from a trusted source, such as a co-worker.
Category Archives: Emerging Threats
New Twitter Feed of “Bad Touches” Available
For those of you interested in security, black listing or HoneyPoint stuff, check this out.
I used the TweetCLI tool I blogged about earlier to write a HoneyPoint Security Server plugin. The plugin fires for each event and tweets the attacker IP and source port that the deployed HoneyPoints covered by this console saw.
There are several hosts and networks reporting HoneyPoint alerts to this console. All of these HoneyPoints are Internet exposed, so you should be able to see some basic sources of scans, probes and malware attacks.
I am not presently publishing the payloads, though I may in other ways in the future or show aggregate data in some manner.
The basis for the “bad touches” is that these are hosts and ports not truly offering any services, thus any interaction with them could be considered suspicious at best and malicious at worst. An IP address will only be tweeted once per 24 hour period currently, regardless of the amount of interaction it has with HoneyPoints reporting to this console.
You can watch the stream via the web at http://www.twitter.com/honeypoint or by following @honeypoint on twitter. There could be a lot of tweets depending on attack trafffic, so know that up front.
Please let me know if you like the feed, any plans or ways you can think of that it might be helpful to you or other feedback. We are offering this up to the community and we hope that it is helpful to those interested in HoneyPoints, security trending and/or black list generation.
Let me know your thoughts and thanks for reading!
Be Aware: Twitter API Uses Basic Authentication and a Twitter Toy
For those of you who have embraced the web movement that has become known as Twitter, be aware that the widely used Twitter API employs only web-based Basic Authentication. The credentials (login and password) are sent to the web API with only a simple HTTP POST and are unencrypted. I could not locate a means of even using HTTPS when sending tweets to the API.
The credentials are sent over the web in the standard form of “login:email”. They are base64 encoded first, so they are not exactly in plain sight, but base64 is far from cryptography and is beyond trivial to identify. Any attacker with a sniffer or sitting at a proxy in the stream can easily capture and decode those credentials.
The moral of the story is, if you use Twitter, make sure you use a password uniquely created for that service, since it will be trivial for an attacker to expose. Be aware that most, if not all, existing clients and twitter extensions use this same mechanism.
While twitter is proving to be a popular and useful mechanism for micro-blogging, it also comes with some inherent risks that include exposure of information that could lead to social engineering attacks and password exposure issues. Use twitter with some caution and all should be well, but without common security sense, twitter (like many other things) may be sharper than expected.
You can find a ton of information about the Twitter API here.
You can follow me on twitter here.
You can download the tool, twittercli, that I was writing when I saw this from the following locations (Not endorsed by MicroSolved, Inc. — Just a personal project!):
TwitterCLI will let you send tweets from a command line, schedule them with at/cron/iCal or call them from scripts, etc. Freeware from L. Brent Huston (NOT MSI!)
Thanks for reading!
Hackers Hate HoneyPoint
We have been getting so much great feedback and positive response to our HoneyPoint products that Mary Rose, our marketing person, crafted this logo and is putting together a small campaign based on the idea.
We are continuing to work on new capabilities and uses for HoneyPoint. We have several new tricks up our sleeve and several new ways to use our very own “security swiss army knife”. The capabilities, insights and knowledge that the product brings us is quickly and easily being integrated into our core service offerings. Our assessments and penetration testing brings this “bleeding edge” attack knowledge, threat analysis and risk insight to our work. We are routinely integrating the attack patterns and risk data from our deployed HoneyPoints back into the knowledge mix. We are adding new tools, techniques and risk rating adjustments based on the clear vision we are obtaining from HoneyPoint.
This is just one of the many ways that HoneyPoint and the experience, methodology and dedication of MSI separate us from our competitors. Clients continue to love our rapport, reporting formats, flexibility and deep knowledge – but now, thanks to HoneyPoint, they also enjoy our ability to work with them to create rational defenses to bleeding edge threats.
You can bet that you will see more about HoneyPoint in the future. After all, hackers hate HoneyPoint, and in this case, being hated is fine with us!
Spam Bots
We are continuing to see more and more spam bots. Spammers are not letting up and are still actively researching and breaking “captchas”. We have seen several of them broken within the past few weeks. It seems it’s about time to adopt a new system of anti-bot measures for registration forms, or increase the complexity of the captcha (while also increasing user frustration).
That reminds me of a study I was reading about spam though. The researchers in this study found that only about 1 in 12.5 million spams result in a sale of whatever was being spammed about. However, even with this atrocious rate, the spammers are estimated to be generating around $7,000 a day!
MicroSolved Studio Chat: Podcast Interview With Gary Moser
Welcome to the MSI Podcast Studio! In this edition, we interview Gary Moser, MicroSolved’s Project Manager. We chat about the current threats and trends facing businesses today, and what a business can do to protect itself.
MS08-067 – The Worm That Wasn’t – Wait… Might Be?
So, the worm based on MS08-067 was rumored last week and now SANS confirms that the worm is spreading from at least one host. SANS is blaming 61.218.147.66. We also have seen scans from 208.23.24.52, 66.100.224.113, 97.89.26.99, 219.158.0.96, 88.178.18.41, 91.142.209.26, 189.20.48.210, 212.122.95.217, 131.118.74.244, 84.3.125.99, 81.57.69.99 and a ton more. Those started to increase dramatically starting this morning around 9:25 am Eastern and have continued throughout the day.
HoneyPoints on consumer bandwidth networks and commercial ISP’s alike are picking up a spike in 445 scans and traffic.
Obviously, given the metasploit framework’s improvement of the exploit in the last week or so and the myriad of proof of concept tools that have been filtering around the underground, the threat of a worm is a reality. Worm code was first announced several days ago, but seemed to fail to propagate likely due to the lack of port 445 being available on most Internet connections. However, it appears that some victims have been found and have been slowly accumulating.
While we are not yet seeing the massive scans and probes associated with the worms of the past, we are beginning to see traffic levels that indicate increasing worm behaviors.
Obviously, if you have not yet ensured that port 445 is blocked at your Internet connection, you should immediately do so. HoneyPoint users can also setup TCP listeners or basic TCP HornetPoints to discover and attempt to “defensive fuzz” the worm code. Mixed results of causing termination have been shown so far, but our lab is working on a HornetPoint configuration to cause exceptions in the worm code in a stable manner.
HoneyPoint TCP listeners can be deployed on Linux boxes and other platforms where port 445 is undialated and used to identify hosts performing 445 scans and probes. This is an excellent approach to finding laptops and portable devices that might be infected on the internal network.
The Flu Season is Upon Us Again!
Officially, the flu season begins on the first of October and runs until spring. Even though the CDC says that this year’s flu is starting out a little bit milder than the two previous years, I know several people that are suffering through a nasty type of flu already this year. This stuff starts out with the usual fever and aches, and then turns into “cold” symptoms that hang on for weeks! We all know how nasty this is on a personal level, but a virulent long lasting flu like this can also really stress your business as well. So, let’s take a look at how the flu really works and what we can do about it.
First off, there are few real defenses against the flu if you are going to interact with other people. “Flu’s” are viruses that can infect you in several different ways and that mutate often and rapidly. The flu vaccine that is produced every year is really only devised to have some effect on the top three dominant flu strains of the year. The amount of effect they really have also depends on just how and how much each virus strain has mutated by the time you get the flu shot. So, although it is liable to help, don’t put too much faith in the flu vaccine.
So how can flu infect you? The most insidious way for the flu virus to spread is through the air in the form of “droplets”. When persons with the flu cough or sneeze into the air, large and very small droplets of liquid filled with virus travel through the air and can easily make their way into lungs or onto hands. Large droplets generally do not travel more than six feet but small “micro-droplets” can float through the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or eyes. If there is flu virus on your hands or food and you put them in your mouth, you can get the flu. If you have flu virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?
The best thing you can do, even though it is a pain, is wash your hands. I mean wash your hands each time before you touch anything and put it in your mouth, or before you rub your eyes. Also, I wouldn’t eat food that has been sitting uncovered around where people have been coughing or sneezing.
There are also a number of different things that can kill microorganisms like flu viruses. Ultra violet radiation, such as direct sunlight, kills microorganisms almost instantly. Also, Microorganisms die quickly when they come in contact with hard, smooth, dry surfaces. And, microorganisms can be killed or removed by the use of soaps and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.
So how do you protect your business from the flu? When the flu is rampant in the community, protect yourself when you are in close public areas such as grocery stores, automobiles, airplanes or malls. Have your workers do any work remotely that they can. If they can VPN into the network securely and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible via the drive up windows. Insist that employees that have the flu stay home. And finally, make sure that your business has good written operating procedures in place, and that your employees cross train with each other on a regular basis. This will be a real help in times of great absenteeism. Expect the best, but plan for the worst – the height of the flu season is just two or three months away!
MS08-067 Gone To Worm
A worm has been spotted in the wild that is exploiting the MS08-067 vulnerability for which Microsoft released an out-of-band update for yesterday. We urge you to update as soon as possible as there is now working code in the wild. All servers should be patched, especially external ones. If for some reason you have RPC exposed to the world, a very close look should be given to those systems as they may have already been compromised. Internal systems should be patched as soon as possible since this is now a worm, a worm that could be brought in through laptops or other means of access.
A little info on the worm itself, it has been dubbed Gimmiv.A. When the worm executes it will drop three files, winbase.dll, basesvc.dll and syicon.dll into the %System%\Wbem\basesvc.dll. It will then install a service named BaseSvc which will then force svchost.exe to load the trojan dlls. The trojan will collect data from the machine, including passwords, and send them to a remote machine.
Critical Windows Update
Today Microsoft is rolling out an unscheduled update. This vulnerability is critical and there are reports that it has been exploited by malware for the last few weeks. The most vulnerable systems are Windows 2000, Windows XP and Windows 2003. On these systems it is possible exploit the system without authentication. On Windows Vista and Windows Server 2008, the exploit requires authentiation to run, it would likely also lead to a Denial of Service condition due to the use of DEP and ASLR in these versions of Windows.
This is the first vulnerability that can be easily wormable in the past few years. It is very important that this update be tested and rolled out by your organization as soon as possible to prevent exploitation. The Security Bulletin can be found here.