Category Archives: End-user Focused

President of Colombia Has Swine Flu and So Might Other Leaders

Posted on by
3

This article pointed out the recent diagnosis of President Alvaro Uribe, of Colombia, with swine flu. Even worse, the leaders of Colombia have alerted the other leaders that were involved in a regional South American summit last week. While President Uribe is not considered high risk for death from the disease, this is a new turn in the pandemic and public awareness. To date, Colombia has reported 621 cases with 34 deaths, making the mortality rate .05%.

Meanwhile, in the US and UK, school has just resumed and health officials are closely monitoring schools. Plans for handling outbreaks in the schools vary by district, but several are known to be testing plans for tele-education and remote teaching.

Once again, organizations are urged to undertake some form of pandemic planning and testing, as a “just in case” measure for H1N1 and the possibility of a strong flu season this year. SANS has just launched a site dedicated to pandemic planning and news. Check it out for more information, or give us a call and arrange a time to chat.

Your Next Security Threat May Not Involve Attackers

Posted on by
Reply

I was astounded when I read this article that includes a 2 BILLION estimate on the number of H1N1 cases that the WHO is expecting. Even worse, at 30% of human population on the planet, many are calling that number conservative. Some members of the medical community say that 45-50% may be likely!

In either case, the good news is that SOME vaccine is likely to be available to those in the Northern Hemisphere before Autumn arrives. The bad news is that there will likely not be an abundance of it, and that means some will not have access.

This is where the DR/BC planning comes in. By now, you probably have heard a little bit about pandemic planning and hopefully have created processes for remote working, containing illness and ensuring that you can operate with reduced staff. If you haven’t done this yet, NOW IS THE TIME to get this started.

If you do already have a plan, now might be a good time to do some rudimentary testing. Maybe declare a couple of reduced staff days, test the load on the VPN and remote access servers and such. This testing effort will likely reveal a few holes in these plans, but it is much better to learn about them and mitigate them now than when the real thing is going on.

Clearly, from the evidence presented by the WHO, this is something we should be paying attention to. Those who lack the focus or resources to take it seriously may well find themselves in troubling times when the weather turns colder and folks in the office begin to sneeze….

Book About PERL for Problem Solving

Posted on by
Reply

One of the essential tech skills I am always on the prowl for is a way to use technology to solve a complicated problem. Of course, one of the most useful ways to do this is to learn and apply simple programming skills. PERL is one of those scripting languages that is easy to get on a basic level, but it offers so much additional capability and complexity that it would take a literal lifetime to truly “master”.

But, the wonderful thing about PERL is its amazing capability in simplicity. You can take a few basic PERL legos and really make some wonderful things to increase the ease of your life and work. This book, <a href=”http://www.secguru.com/books/wicked_cool_perl_scripts_useful_perl_scripts_solve_difficult_problems” target=”_blank”>Wicked Cool Perl Scripts</a>, is chocked full of examples of just how to apply some basic PERL to real world problems. Check it out if you are a fan of PERL and want to automate things from work, to your news and RSS feeds to your World of Warcraft gaming. PERL is not only easy and cool, but also fun!

HoneyPoint Cracks with a Hidden Cost

Posted on by
Reply

OK, so we have been aware of a couple of cracked versions of HoneyPoint Personal Edition for a while now. The older version was cracked just before the 2.00 release and made its way around the torrent sites. We did not pay much attention to it, since we believe that most people are honest and deserve to be trusted. We also feel like people who value our work will pay the small cost for the software and those that just want to play with it and are willing to risk the issues of the “warez” scene would not likely buy it anyway….

However, today, someone sent me a link to a site that was offering a crack for HoneyPoint Personal Edition. The site was not one I had seen before, so I went to explore it. I fired up a virtual lab throw away machine and grabbed a copy of the crack application.

As one might expect, the result was a nice piece of malware. Just for grins, I uploaded it to Virus Total and here is the result:

http://hurl.ws/432e

Now, two things are interesting here. First, the crack is not even real and does not work. Second, once again, the performance of significant anti-virus tools are just beyond poor. 6 out of 41 products detected the malware in this file. That’s an unbelievably low 14.6% detection rate!

The bottom line on this one is that if you choose to dabble in the pirate world, it goes without saying that, sometimes you will get more than you bargained for. In this case, trying to get HoneyPoint Personal Edition for free would likely get you 0wned! Ahh, the hidden costs of things…..

If you are interested in a legitimate version of HPPE, check it out here.

In the meantime, true believers, take a deep breath the next time your management team says something along the lines of “…but, we have anti-virus, right…” and then start to educate them about how AV is just one control in defense in depth, and not a very significant one at that…

Lessons from an Almost Lost Laptop

Posted on by
Reply

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

A Basket Full of Caveats – The LimeWire Safety Page

Posted on by
Reply

I was taking a look at some P2P stuff for our Reputational Risk work when I bumped into the LimeWire safety page. This is a page that is (I suppose) intended to educate users on the risks associated with P2P file sharing networks and the use of LimeWire specifically. I really thought it was interesting.

The page is: http://www.limewire.com/legal/safety

Some of the items the page covers are: copyright infringement, careful shared content selection (to avoid leaking documents, spreadsheets, etc. and entire drives/folders), adult content, spyware/malware cautions and lots of language about default behaviors. Now to be sure, the authors of LimeWire have implemented new controls in their version 5 software to make it more difficult for users to make mistakes and share the wrong contents. Even given that, I still caution everyone to do their own risk/reward assessment before using such a tool.

The bottom line is this. Check out the page, because as infosec folks, we need to be aware of what topics we need to continue to talk about with others. Educating them in how to configure this type of tool, should they choose to use it, might be a powerful way to help them (and maybe your organization) remain safer online. At the very least, it seems that LimeWire has at least done a good job of trying to caution people about the problems with using their tool. That, at the very least, is quite admirable!

Lessons From a Reputational Risk Audit

Posted on by
Reply

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online crimes.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued and much discussion with attorneys, HR, regulators and eventually the customers were required. In the end, Sheila kept her position and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious as they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

Posted on by
Reply

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.

Picture with a Bee Contest – Win FREE HoneyPoint!

Posted on by
Reply

That’s right! Send us your picture taken in a “security-related pose” with a stuffed, bee costume or bee-related item and we will pick the winner of a FREE license for HoneyPoint Security Server!

BuzzbyMSI.jpg

Just like in life, style counts, so get your ideas together and send us those pictures! Our judges will pick the winner on April 30th, so get your pics in before then. Imagination, security details and fun will be the key to your success. Three runners up will receive FREE licenses for HoneyPoint Personal Edition!

You can send your pictures via email to: hppics@microsolved.com

Remember, we reserve the right to publish all submissions, so make sure you are OK with that before you submit. 🙂 Contest closes and winners picked at noon on April 30th, 2009. Enter as often as you wish, odds of winning depends on number of people entering. Have fun!

Insider SQL Injection

Posted on by
Reply

While much improvement and awareness of SQL injections as an attack vector has been applied to Internet-facing applications, there remains a large set of vulnerable applications on internal networks. Our technical team often identifies large amounts of serious and easy to exploit SQL injection vulnerabilities on our internal assessments and penetration tests. While many organizations have begun to focus on network and OS threats for their business networks, application layer attacks remain unattended to in many cases.

“Our success level in obtaining customer sensitive data during internal tests remain very high.”, said Adam, penetration testing team leader of MSI. “Even as people have begun to patch their systems, finally, injections prove to be a critical weakness. To make matters worse, these internals web-apps often hold the keys to kingdom, so to speak, so they are a very attractive target for our testing team.”, Adam added.

“If it seems like a client is patched to current levels, then we know to check for injections.” claimed Nathan, penetration tester for MSI. “Throw a simple tick into forms and the vulnerable ones ‘shine like a crazy diamond’. From there, we are a few quick steps from compromise!”, Nathan exclaimed.

Adam and Nathan both agree that organizations really need to pay attention to injections and other web application vulnerabilities on their internal networks. Given the threats of insider attacks, this remains a significant risk. “Even applying the basic techniques that they have achieved success with outside on the Internet would help. They just have to teach developers that internal apps matter as much, if not more, than Internet apps.” added Adam.

At MSI, our teams go well beyond the “scan and report” that so many vendors call a “penetration test”. We perform active exploitation and leverage those vulnerabilities to identify the true depth of the security issues we find, in addition to the width that comes from vulnerability assessment. Our approach, experience and methodology create the clearest and most realistic view of your security issues available. From normal OS exploits to SQL injections and bleeding edge threat vectors, our team brings unique capabilities to the table and our award-winning reporting ensures that the clarity carries through to the board room.

To learn more about internal network assessments, or to receive some free technical training tools about SQL injections, please give us a call or drop us a line/comment. We look forward to helping your team better secure your own internal web apps and other attack targets against compromise.