Category Archives: End-user Focused

Malware in Many Places

Posted on by
Reply

 

GlobalDisplay Orig

Just a quick reminder that malware can come in many forms and from many places. These days, it isn’t just phishing, drive-by downloads and stray email attachments that you have to worry about. USB drives, digital picture frames, wireless devices, watches with USB plugs, exercise equipment with public “charge and data monitoring ports” and whole variety of other things.

Basically, today, if it can plug into your systems or talk to your network and has any kind of processing, memory or storage – it can likely carry malware. That’s certainly something to keep in mind as the “Internet of Things” becomes more and more a part of our daily lives. 

All of the usual defenses still apply, but today we need more than just anti-virus to keep us safe. We have to be using a variety of security controls from throughout the spectrum of prevention, detection and response. Since malware can be everywhere, so too must our vigilance against it. 

PS – Those of you with teens and older parents who use/depend on electronics and computers should discuss malware and safer computing with them. They likely have an entirely different risk profile than you do, and they may not be paying as much attention to the impacts that these attacks can have or where they can come from. They may be doing risky things without even knowing it. Talk to them about malware and help keep them safer in the online world.

Tool Review: Synalyze It! Pro for OS X

Posted on by
Reply

Rounding out this week with another tool review for the Mac under OS X. Earlier this week, we reviewed our favorite disassembler, Hopper for OS X. Synalyze It! Pro is another invaluable tool that we depend on. This tool is a hex editor with some very very useful features in the GUI. Namely, it lets you “lasso” different bits of text and highlight them in different colors. While this might sound basic, it is amazingly useful for performing reverse engineering of protocols and other deep-level analysis tasks of textual data.

Recently, we have been doing quite a bit of protocol testing in the lab and this tool has proven itself again and again as invaluable. My favorite feature of the tool is available by highlighting some piece of data and right clicking to bring up a menu, then selecting “compare code pages”. This brings up a window in which the highlighted data is run through a bunch of encoding/decoding schemes and presented to you both as ASCII and as hex. This makes reversing simple encoding on text as easy pie and as quick as swatting a fly. In my recent protocol work, this was a feature I used over and over again to identify various components of the data stream and figure out how each was encoded as a part of a bigger puzzle.

Another feature we have come to love is the “Show Checksums” feature. This feature displays a wide variety of checksums for the data that is highlighted and updates the checksums in realtime. This makes it pretty easy to figure out if different fields are included in the protocol’s checksum activities and leads to faster, cleaner reversing. However, I do have a couple of things I would like to see as future features for this capability. For one, I would like to see additional checksum mechanisms added and perhaps even an interface for creating your checksum scripts or equations. Additionally, I would really like it if you could get realtime updates, but with a mechanism for selecting multiple data elements and not just single strings. I really thought this would work, but could not seem to selections to “stick” so that I could add multiples. 

The real power of the tool is in the creation of the “grammar files”. This is an easy to use, intuitive and powerful mechanism for reversing. I still need to practice a bit more with the grammar definition mechanisms, but I can see where this will grow the product’s usefulness rapidly. The grammar definition could lend itself to a better toolbox in the GUI. It might be easier for beginners to learn to master this capability if an set of quick and easy tools were easily available without a bunch of menu navigation. However, the feature is still excellent and the tool remains a very powerful addition to our toolbox. 

The link to the App Store has a variety of screenshots of the product if you want to check it out. The product retails for $25 in the App Store and a non-Pro version is available for $5 – however, note that it lacks many features of the Pro version that make it such a useful tool. 

PS – MSI has no affiliation or relationship with the product and/or the developers. 

Tool Review: Hopper Disassembler for OS X

Posted on by
7

 

J0289552

I have recently been playing with Hopper, a disassembler for Mac OS X, quite a bit. The tool is essentially a mid-line tool for working to reverse engineer code. It is more accessible on the mac than firing up a VM and using the venerable OllyDbg and the interface is quite a bit more elegant and user friendly. It is even mid-line in price, coming in between Olly, which is free, and IDA Pro which can run over a thousand dollars per license. If you hack stuff, reverse stuff or study malware on the Mac, the $60 price point is likely to make this a big winner for your budget. The app store link for the tool, in case you want to check it out, is here

In terms of use, the tool does exactly what you expect from the description – it disassembles binaries into assembler and makes exploration of the deeper nuances of the code accessible. The newest release supports ARM, 32 & 64 bit ELF and iOS Mach-O. These add to the existing support for the standard Intel platforms of Mac OS X and Windows binaries, making this an all around useful tool for doing the basics. The flow control graphing, colorized interface and intuitive controls make the tool use less complex than Olly and IDA Pro. 

One of things I would like to see in future versions of the tool would be a detector for encoded binaries and support for some of the basic decoding tools to make analysis of obfuscated applications a bit quicker, easier and more intuitive. This a common issue among disassemblers and shows that we have a way to go to improve these products as the reverse engineering and malware study tool sets improve and mature over time. Overall though, that’s about the ONLY complaint I have about Hopper. It’s an amazingly versatile and useful tool at an incredible price. Truly, it is a worthwhile investment if you want to learn more about assembler, the inner workings of code and beginning malware analysis. You can’t go wrong with this one.

Lastly, I would like to thank the author of Hopper, Vincent Benony for his work on this tool and for his engagement with the infosec community on Twitter. Seriously, he is great. He responds quickly to questions and requests, plus provides great insights into where he is taking the product next. 

PS – If you want to see what the GUI looks like, there are a wide variety of screenshots in the App Store at the link above.

PSS – MSI has no affiliation or relationship with the product and/or the developers. 

CMHSecLunch Announcement

Posted on by
Reply

We wanted to take a moment and send out a special announcement to our Columbus, Ohio area readers. Brent Huston is pulling together a monthly casual event for IT and InfoSec focused folks in our area. He posted this a few days ago to Twitter (@lbhuston):

#CMHSecLunch 1st attempt – Monday, Nov 12, 11:30 -1pm at Tuttle Mall food court. Informal lunch gathering of infosec geeks. Be There!

We invite all of our local readers to attend. Just have a casual lunch with infosec friends and great conversations. No sign up, no membership fees, no hassle, no fuss. If you can make it, cool, if not, also cool. So, if you have time, drop in and break bread. We hope to see you there.

Let us know on Twitter or in the comments if you have feedback. 

Ask The Security Experts: Mobile Policy

Posted on by
1

This time around, the experts offer insights on this question:

Q: “Dear Experts, what are the key things I need to keep in mind when I write my company’s mobile security policy?” — MK

John Davis starts us off with:

I would say the most important thing is to actually write your own policy; don’t just copy a generic mobile security policy from the Internet and adopt it as your own. For a mobile security policy to be effective, it needs to be tailored to meet your organizations particular information security requirements and also needs to reflect the reality of mobile device use at your organization. It won’t do you much good to forbid using mobile devices for business purposes if you have no mechanisms in place to prevent or detect such uses. Effective information security policy, like effective statute law, is both practical and enforceable.

Adam Hostetler added:

Keep in mind what kind of current security policies you have, and try to apply that to the mobile sphere. Users need to understand that they are connecting an additional computer to the network, and not just a “phone”. Keep in mind also what kind of deployment you are using. Is it bring your own device, or is it company provided? There will be different policies and procedures for each method and possible user backlash depending on how you are doing this.

As always, thanks to the experts for weighing in, and to the readers for the questions. Keep them coming!

Recovering Data from Dead Hard Drives

Posted on by
Reply

We caught this post on Lifehacker a few days ago and thought they did a pretty good job of handling a pretty frequent question. How many times have you been asked about data recovery? For us, we always ask “You have that backed up, right?”, in return. 

Sadly, few people seem to backup their data, even though that is one of the basic foundations of protecting information. 

If you are or know someone who gets into this predicament, we hope this approach helps.

In the meantime, where did you put your backup disk? You have one, right??? 🙂

Ask The Experts: Insights on Facebook Friends

Posted on by
4

This time around, the experts tackle this question:

Q: “Hey Security Experts, should I be friends with everyone that asks on Facebook? What’s the risk of friending people I don’t really know? Can we be friends on Facebook?” –Scott918

Adam Hostetler weighed in with:

I wouldn’t recommend accepting friends request for anyone on Facebook, unless you actually know them. This especially goes for somebody that claims they work at the same company as you, as it really could be somebody building a network of targets to social engineer.

Take advantage of Facebook privacy settings also. Don’t make your information public, and only make it viewable by friends. I would even recommend against putting too much personal information on there, even if it is only among friends. There have been security issues in the past that allow people to get around privacy controls, and Facebook really doesn’t need a lot of information from you anyway.

John Davis added:

The short answer is NO! I’m a big believer in the tenet the you DON’T want the whole world to know everything about you. Posting lots of personal facts, even to your known friends on Facebook, is akin to the ripples you get from tossing a pebble into still water – tidbits of info about you radiate out from your friends like waves. You never know who may access it and you can never get it back! There are lots of different people out there that you really don’t want as your friend – I’m talking about everything from annoying marketers to thieves to child molesters. People like that are trying to find out information about you all the time. Why make it easy for them?

Finally, Phil Grimes chimed in:

Facebook is a ripe playground for attackers. This is something I speak about regularly and the short answer is NO, absolutely not. If you don’t know someone, what is the benefit of “friending” them? There is no benefit. On the contrary, this opens a can of worms few of us are prepared to handle. By having friends who aren’t really friends one risks being attacked directly, in the case of the unknown friend sending malicious links or the like. There is also the risk of indirect attack. If an attacker is stalking Facebook pages, there is a lot of information that can be viewed, even if you think your privacy settings are properly set. Stranger danger applies even more on the Internet.

So, while they may not be your friends on Facebook, you can follow the Experts on Twitter (@microsolved) or keep an eye on the blog at http://www.stateofsecurity.com. Until next time, stay safe out there! 

MicroSolved Lab Services: A Secret from Behind the Locked Doors

Posted on by
1

One of the oddest, most fun and most secretive parts of MSI is our testing lab services. You don’t hear a lot about what happens back there, behind the locked doors, but that is because of our responsible disclosure commitments. We don’t often talk publicly about the testing we do in the lab, but it varies from testing unreleased operating systems, applications, hardware devices, voting mechanisms, ICS/SCADA equipment, etc. We also do a small amount of custom controls and application development for specific niche solutions. 

Mostly though, the lab breaks things. We break things using a variety of electronic tools, custom hardware, bus/interface tampering, software hacking, and even some more fun (think fire, water & electric shock) kinds of scenarios. Basically, whatever the threat model your devices or systems face, most of them can be modeled, examined, tested, simulated or otherwise tampered into place in the MSI labs.

Our labs have several segments, with a wide array of emulated environments. Some of the lab segments are virtualized environments, some are filled with discreet equipment, including many historical devices for cross testing and regression assessments, etc. Our electronics equipment also brings a set of capabilities for tampering with devices beyond the usual network focus. We often tamper with and find security issues, well below the network stack of a device. We can test a wide range of inputs, outputs and attack surfaces using state of the art techniques and creatively devious approaches.

Our labs also include the ability to leverage HoneyPoint technology to project lab tested equipment and software into parts of the Internet in very controlled simulations. Our models and HoneyPoint tools can be used to put forth fake attack surfaces into the crimestream on a global basis and identify novel attacks, model attack sources and truly provide deep threat metrics for entire systems, specific attack surfaces or components of systems. This data and the capabilities and techniques they are based upon are entirely proprietary and unique to MicroSolved.

If you would like to discuss how our lab services could assist your organization or if you have some stuff you want tested, get in touch. We would love to talk with you about some of the things we are doing, can do and some of the more creatively devious ideas we have for the future. 🙂

Drop us a line or give us a call today.  We look forward to engaging with you and as always, thanks for reading! 

Ask The Experts: Advice to New InfoSec Folks

Posted on by
Reply

This time our question came from a follow up on our last advice article to new infosec folks (here). Readers might also want to roll back the clock and check out our historic post “So You Wanna Be in InfoSec” from a few years ago. 

Question: “I really want to know what advice the Experts would give to someone looking to get into the information security business. What should they do to get up to speed and what should they do to participate in the infosec community?”

Adam Hostetler replied:

To get up to speed, I think you should start with a good foundation of knowledge. Already working in IT will help, you should then already have a good idea of networking knowledge, protocols, and architecture, as well as good OS administrative skills. Having this knowledge already helped me a lot at the beginning. Then I would move into the infosec world, read and listen to everything you can related to infosec.  There’s much much more security related knowledge online than ever before, so use it to your advantage. You also now have the opportunity to take info sec programs in colleges, which weren’t really available 10 years ago. Social Networking is very important too, and how you would likely land a job in infosec. Go to events, conferences or local infosec meetings. Some of the local infosec meetings here in Columbus are ISSA, OWASP, and Security MBA. Find some in your area, and attend something like Security B-Sides, if you can. Get to know people at these places, let them know you’re interested, and you might just end up with your dream job.

John Davis chimed in:

If you want to get into the risk management side of the information security business, first and above all I recommend that you read, read, read! Read the NIST 800 series,  ISO 27001 & 27002, the PCI DSS, CobiT, the CAG, information security books, magazine articles, and anything else you can find about information security. Risk assessment, ERM, business continuity planning, incident response and other risk management functions are the milieu of the generalist; the broader your knowledge base, the more effective you are going to be. To participate in the infosec community, there are several things you can do. Probably the best and quickest way to get started is to attend (and participate in) meetings of information security professional organizations such as ISSA, ISACA and OWASP. Talk to the attendees, ask questions, see if they know of any entry level positions or internships you might be able to get into. There are also infosec webinars, summits and conferences that you can participate in. Once you get your foot in the door someplace, stick with it! It takes time to get ahead in this business. For example, you need four years of professional infosec experience or three years experience and a pertinent college degree before you can even test for your CISSP certification.

As always, thanks for reading! Drop us line in the comments or tweet us (@lbhuston or @microsolved) with other questions for the Security Experts.

Three Ways to Engage with the InfoSec Community

Posted on by
7

J0289893

Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here a few quick words of advice that I give them for making that happen.

1) Join Twitter and engage with people who are also interested in infosec. Talk directly to researchers, security visionaries and leadership. Engage with them personally and professionally to build relationships. Add value to the discussions by researching topics or presenting material that you are familiar with.

2) Join an open source software project. Even if you aren’t a coder, join the project and help with testing, documentation or reviews of some kind. Open source projects (they don’t have to be security projects) can benefit from the help, an extra set of eyes and the energy of new folks contributing to their work. You’ll learn new stuff and build great relationships in the development and likely infosec communities along the way. 

3) The way that most folks go about it works as well. Go to events. Network. Meet infosec people and engage them in discussions about technical and non-technical subjects. Groups like ISSA, ISACA, ISC2, OWASP and other regional security events are good places to meet people, learn stuff and develop relationships with folks working on hard problems. Cons can be good for this too, but often have less chances for building rapport due to the inherent sensory overload of most con environments. Cons are a good place to grow relationships, but may not be the best events for starting them.

That’s my advice. All 3 items are hard work. They offer a chance for you to learn and engage. BUT, you have to work to earn respect and rapport in this community. You have to contribute. You must add value. 

As always, thanks for reading and until next time, stay safe out there!