Malware Can Hide in a LOT of Places

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CD’s, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so called, Internet of Things (IoT), continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission), more than 30 different computers, phones, tablets, smart TV’s and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

Podcast Episode 2 is Now Available

In this episode we sit down with Mark Tomallo, from Panopticon Labs, and RSA’s Kevin Flanagan. We discuss mentoring, online crime, choosing infosec as a career and even dig out some tidbits from Mark about online gaming fraud and some of the criminal underground around the gaming industry. I think this is a very interesting and fun episode, so check it out and let us know what you think on Twitter (@microsolved, or @lbhuston). Thanks for listening! 

Listen Here:

Keep Your Hands Off My SSL Traffic

Hey, you, get off my digital lawn and put down my binary flamingos!!!!! 

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…) 

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter! 

Podcast Episode 1 is Now Available

This episode is about 45 minutes in length and features an interview with Dave Rose (@drose0120) and Helen Patton (@OSUCISOHelen) about ethics in security, women in STEM roles and career advice for young folks considering Infosec as a career. Have feedback, let me know via Twitter (@lbhuston).

 
As always, thanks for listening and reading stateofsecurity.com!
 
Listen here: 
 
PS – We decided to restart the episode numbers, move to pod bean.com as a hosting company and make the podcast available through iTunes. We felt all of those changes, plus the informal date-based episode titles we were using before made the change a good idea.

Recently Observed Attacks By Compromised QNAP Devices

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit.  For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices.  If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system.  If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices.  The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system.  These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems.  If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

Screen Shot 2015-01-27 at 1.41.31 PM

How to Avoid Getting Phished

It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
 
This blog post by Adam Luck.

Young IT Professionals, Cybercrime, Script Kiddies & CyberWarriors, OH MY!

Recently I came across a couple of articles that both centered on the potential roles that young people entering into the IT Security field may face. Some of them, for example, may be lured away from legitimate IT security jobs and into the world of cybercrime. Others may follow the entrepreneurial role and fight cybercrime alongside myself and other professionals.

I suppose such dichotomies have existed in other professions for quite some time. Chemists could enter the commercial or academic world or become underground drug cartel members, ala Breaking Bad. Accountants could build CPA tax practices or help bad guys launder money. Doctors could work in emergency rooms or perform illegal operations to help war lords recover from battle. I suppose it is an age old balancing act.

I am reminded of Gladwell’s Outliers though, in that we are experiencing a certain time window when IT security skills are valuable to both good and bad efforts, and a war for talent may well be waging just beyond the common boundary of society. Gladwell’s position that someone like Steve Jobs and Bill Gates could only emerge within a specific time line of conditions seems to apply here. Have we seen our IT security Bill Gates yet? Maybe, maybe not….

It is certainly an interesting and pivotal time isn’t it? These articles further solidified my resolve to close a set of podcast interviews that I have been working on. In the next couple of months I will be posting podcast interviews with teams of IT and Infosec leaders to discuss their advice to young people just entering our profession. I hope you will join me for them. More importantly, I hope you will help me by sharing them with young people you know who are considering IT security as a career. Together, maybe we can help keep more of the talent on the non-criminal side. Maybe… I can always hope, can’t I? 🙂

Until next time, thanks for reading, and stay safe out there! If you have questions or insights about advice for young security professionals, hit me up on Twitter (@lbhuston). I’ll add them to the questions for the podcast guests or do some email interviews if there is enough interest from the community.

Benefits of using TigerTrax to Monitor Your Industry

Have you ever wanted to know what is being said in regards to your business or product line on social media? How about getting the scoop on a company prior to your big merger or acquisition? Perhaps you have a need for continual code of conduct monitoring for your business or franchise. These are but a few of the things that we at MicroSolved, Inc can provide for you and your company! MicroSolved has a whole host of proprietary software including TigerTrax, that will give your company an edge over your competition!

With our TigerTrax platform we can help provide you with a competitive advantage by receiving actionable intelligence about your product line from the social media hemisphere. Imagine scouring the entire population of Twitter, which boasts some 645 million registered users with over 115 million active users monthly. That is an enormous market that you can tap into with our help. A market where you can see where you think that your product line may be heading versus what people are actually talking about in regards to your product line. Imagine being able to fine-tune your marketing campaign based on our intelligence gathering ability!

In every business there are times whether for a short duration or a long term one where you may want us to provide you with code of conduct information about your employees. Perhaps their contracts clearly state what sort of things they may or may not post on social media and the internet; but also and more importantly you may want to know what everyone else is posting about them. We can help provide you that information. Our TigerTrax platform does in minutes what takes a roomful of employees days or weeks to do and in a very short time you can have actionable information that may be used to help protect your companies brand!

As you can see TigerTrax is a wonderful tool in your arsenal for providing actionable data that will enable you to adjust your marketing campaign or perform ongoing code of conduct monitoring. We can also perform threat intelligence, assess whether your intellectual property has been leaked online, and of course perform brand intelligence. As you can imagine we are only scratching the surface of what we at MicroSolved, Inc and the TigerTrax platform can do for you. So please if you need any assistance for your company feel free to contact us by sending an email to: info@microsolved.com.

This post by Preston Kershner.

My Time as a HoneyPoint Client

Prior to joining MicroSolved as an Intelligence Engineer, I was the Information Security Officer and Infrastructure Manager for a medical management company.  My company provided medical care and disease management services to over 2 million individuals.  Throughout my tenure at the medical management organization, I kept a piece of paper on my bulletin board that said “$100,000,000”.

 

Why “$100,000,000”?  At the time, several studies demonstrated that the average “street value” of a stolen medical identity was $50.  If each record was worth $50, that meant I was responsible for protecting $100,000,000 worth of information from attackers.  Clearly, this wasn’t a task I could accomplish alone.

 

Enter: MicroSolved & HoneyPoint

 

Through my membership with the Central Ohio Information Systems Security Association, I met several members of the MicroSolved team.  I engaged them to see if they could help me protect my organization from the aforementioned attackers.  They guided me through HIPPA/HITECH laws and helped me gain a further understanding of how I could protect our customers.  We worked together to come up with innovative solutions that helped my team mitigate a lot of the risks associated with handling/processing 2 million health care records.

 

A core part of our solution was to leverage the use of HoneyPoint Security Server.  By using HoneyPoint, I was able to quickly gain visibility into areas of our network that I was often logically and physically separated from.  I couldn’t possibly defend our company against every 0-day attack.  However, with HoneyPoint, I knew I could quickly identify any attackers that had penetrated our network.

 

Working for a SMB, I wore many hats.  This meant that I didn’t have time to manage another appliance that required signature updates.  I quickly found out that HoneyPoint didn’t require much upkeep at all.  A majority of my administrative tasks surrounding HoneyPoint were completed when I deployed agents throughout our LAN segments that mimicked existing applications and services.  I quickly gained the real-time threat analysis that I was looking for.

 

If you need any assistance securing your environment or if you have any questions about HoneyPoint Security Server, feel free to contact us by sending an email to: info@microsolved.com.

 

This post contributed by Adam Luck.

Using TigerTrax to Analyze Device Configurations & Discover Networks

One of the biggest challenges that our M&A clients face is discovering what networks look like, how they are interconnected and what assets are priorities in their newly acquired environments. Sure, you bought the company and the ink is drying on the contracts — but now you have to fold their network into yours, make sure they meet your security standards and double check to make sure you know what’s out there.

That’s where the trouble begins. Because, in many cases, the result is “ask the IT folks”. You know, the already overworked, newly acquired, untrusted and now very nervous IT staff of the company you just bought. Even if they are honest and expedient, they often forget some parts of the environment or don’t know themselves that parts exist…

Thus, we get brought in, as a part of our Information Security Mergers & Acquisitions practice. Our job is usually to discover assets, map the networks and perform security assessments to identify gaps that don’t meet the acquiring company’s policies. Given that we have had to do this so often, we have designed a great new technique for performing these type of mapping and asset identification engagements. For us, instead of asking the humans, we simply ask the machines. We accumulate the router, switch, firewall and other device configurations and then leverage TigerTrax’s unique analytics capabilities to quickly establish network instances, interconnections, prioritized network hosts & segments, common configuration mistakes, etc. “en masse”. TigerTrax  then outputs that data for the MSI analysts, who can quickly perform their assessments, device reviews and inventories — armed with real-world data about the environment!

This approach has been winning us client kudos again and again!

Want to discuss our M&A practice and the unique ways that TigerTrax and MSI can help you before, during and after a merger or acquisition? Give us a call at (614) 351-1237 or drop us a line at info (at) microsolved /dot/ com. We’d be happy to schedule a FREE, no commitment & no pressure call with our Customer Champions & our security engineers.