Category Archives: End-user Focused

25% off HoneyPoint Security Server, Plus 0% Financing For April

Posted on by
Reply

This is no joke, or at least if it is, then the joke is on us. 🙂

For the entire month of April, we are offering a 25% discount off the retail prices for HoneyPoint Security Server for new customers. In addition to that, you can extend our 0% financing option to pay in monthly payments over the life of your support agreement up to 3 years! Plus, as promised in earlier posts, anyone who purchases HPSS by the end of April will receive 3 free licenses for HoneyBees once they are released!

The product is now licensed per server, in anticipation of the 3.0 release which is in lab testing as I write this announcement. All licenses include one console license on the platform of your choice (Linux, Windows, OS X). Licenses include one year of our acclaimed support and HoneyPoint upgrades. Maintenance year 2 and beyond is 20% of purchase price.

Here are some pricing examples for you to consider:

The base entry point is a 5 server license pack. The retail price for this pack is $4,995.00. During April, you can purchase the pack for just $3,746.25. Additional years of maintenance (up to 2 for a total of 3 years of support and maintenance) are just $749.25 per year. That means that if you buy a 5 server license with two years of maintenance, you can purchase it in April for $5,244.75. Furthermore, you could apply our 0% financing program and spread that amount over 36 months for a monthly payment of just $145.69!

For less than $150 per month, you can achieve incredible security visibility, additional protections against malware and the insider threat and enjoy the power of HoneyPoint’s “deploy and forget” (sm) approach to reducing the workload of your security team!

Here is another example. Our most popular HPSS package is our 25 server protection pack. The pack retail price is $15,975.00 and includes the same one year of support and upgrades. During the month of April, you can purchase this pack for just $11,981.25, while additional years of support/upgrades will run $2,396.25 per year. Using the same 0% financing approach as above you could purchase protection for 25 servers along with 2 additional years of support/upgrades for a total of $16,773.75 or $465.94 per month for 36 months!

In this common case, less than $500 per month can bring you the flexibility of HoneyPoint plugins, the self-defending mechanisms of HornetPoints and the insight that can only be achieved by knowing attacker frequency, capability and motivation.

And, of course, if you are an enterprise, we have the same deal for you too. You can leverage the power that we bring to integrate into existing security architectures and see the 90% savings we have brought to clients in terms of security resources as well. Give us a call and we would be happy to discuss your specific network size, implementations and HoneyPoint needs.

So, check out HoneyPoint. Give us a call to arrange a demo, or better yet, try out our HoneyPoint Personal Edition to see the technology in action. (Take a look at the included HPPE/HPSS document for ideas on how to test the product with HPSS in mind.) Then, give us a call or drop us a line and get the power of the Hive on your side. With HoneyPoint, attackers get stung instead of you.

Note: Purchase orders must be received by April 30, 2009 to qualify for this special offer.

Finding Conficker with HoneyPoint

Posted on by
Reply

With so much press attention to the conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is via exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port to detect scanning/probing hosts using non-Windows systems. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to detect the source IP addresses of infected hosts on the network. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build a scatter sensor or several and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of a myriad of natures.

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

On Vendors Offering Discounts on VA/PT Services “Due to Financial Crisis”

Posted on by
1

I have a bone to pick with the idea of vendors suddenly offering price drops on their assessments and such “in response to the financial crisis.” In my opinion, this is nothing more than a gimmick. A cheap come-on to win more business while the times are tough and the chips are down. If you can offer these discounts today without it impacting your margins at a serious level or making it tough on you to do business, then why couldn’t you do it last week, last month or last year? I’ll tell you why, because you were caught up in that extra margin and extra charge to your clients and in making that extra profit.

At MicroSolved, I have refused to play these games with our customers for 20 years. I strive every day to keep our prices as low as possible for the work we do, to pay our team fairly and to keep us in business. We contribute to the community, support the Credit Union movement, engage with companies and organizations all around the world that are dedicated to “doing the right thing.” We continually strive to focus on increasing our value to clients and keeping our costs as low as possible. Here are a few examples of some of the steps we have taken and are taking to do so:

Consultant presence. Years ago, our onsite presence for assessments and pen-testing was a high cost item for clients. Travel, lodging and per diem were and are high ticket items. Several years ago, in an effort to lessen the financial impact on our clients and staff, we began using VPN connectivity and shipping appliance computers instead of people. The cost of shipping this hardware remains expensive today, but nothing like airfare and hotels for a security team. In 2009, our team is moving to create and deploy stable, trustworthy virtual machine images that we can move over the Internet to bring these costs to near zero. Developing these tools and testing them takes time, resources and money, but we are dedicated to continuing to bring the most value to our clients for the least amount of dollars possible. This is just one more way we can work with clients to improve their security and reduce their cost to minimize risk.

Simplified reporting for VA/PT. Our clients tell us all of the time that our reports are the best they have seen and are provided in the most useable format they can imagine. We long ago (several years) stopped shipping HTML reports and the like. Today, our typical reporting is an easy to read executive summary with a one page dashboard for the engagement findings, a technical manager report that identifies and ranks root causes of the security issues we identify and a technical details report that is provided as a detailed Excel spreadsheet so you can change, sort, import or manage the data as you see fit. Our reports have received positive comments from auditors, regulators and clients from around the world. This year, we will again be undertaking a special project to continue to refine our reporting structures. For us, leading the industry is not enough, we want to establish even more value for our clients and help them manage the reporting data in ways that reduce their heavy lifting. As always, if you have ideas on this, let us know.

Real humans to talk to. We don’t have a web portal for your reports. We don’t have an automated system for requesting assessments or the like. We do have a technical project manager that is assigned to your account. They have access to the actual engineers doing your assessments and pen-testing, and so do you. We don’t believe that dealing with some complicated web application that also might have exposures to vulnerabilities and other issues makes our clients more productive OR more secure. MSI clients talk to real humans. We talk to clients routinely during their engagements and keep them up to date as they desire on the testing and work as it moves forward. You can communicate with your technical project manager on the phone, via email or via SMS if you like. You can have a call with the engineers to clarify issues or to get answers to technical questions about the engagement. We even support our engagements for one year, allowing you to ask questions, interact with the security team and get answers up to 12 months after the engagement!

Approaches like HoneyPoint. HoneyPoint is our leading-edge software for managing the insider threat. It was designed from the ground up with the idea of “deploy and forget” (SM) in mind. We created it so you could have security visibility around your environment in a powerful way that eliminates false positives, signature updates and tuning. Long before the current “financial crisis” we wanted to help organizations get better security with less resources, and we have. Today, organizations are using HoneyPoint along with tools like OSSEC to replace IDS/IPS systems and finding the total cost of ownership to be 1/2 and the total resource costs to manage the solutions to be 1/10 of their older, less evolved solutions. In fact, many small and home-based organizations have begun using our “scattersensing” approach with HoneyPoint Personal Edition to identify bot-net infections and malware breakouts, as well as suspicious insider activities for a total software cost of ~$30.00 US!

There you have it. I have “put my money where my mouth is”. At MSI, we know the financial stress is real. We know you have significant security AND budget challenges. We are striving to help you with both, BUT, NOT JUST TODAY and NOT JUST FOR A WIN FOR US. We can’t just knock arbitrary costs out of our prices because we spend EVERY DAY focused on keeping those prices low and our value high for our clients. That has been our focus for 20 years and as long as I am the CEO, it will continue to be our focus. We believe that our engineers, sales and marketing teams and other employees support our efforts. They have shown time and time again to be committed to VALUE for our clients. We may not always be the cheapest security vendor. I know our services cost more in some cases than the “scan and forget” vendors out there. I am OK with that. For 20 years I have enjoyed doing business with clients who appreciate honesty, trust, better communication and the MSI work ethic. Our clients love the work we do for them and many tell me repeatedly how much value we bring. That, in the end, I believe, is the measure of true success.

So, if you are looking for a security vendor to help you find the most value for your security budget, give us a call. We will be happy to talk to you about your needs and how MSI may be able to help. We will put together flexible payment plans, menus of services and subscriptions for engagements if you desire. We hope to talk to you soon about how we can help you be more secure with less time and money. That’s our commitment today and long after the current “financial crisis” has passed.

MicroSolved, Inc. (614) 351-1237 x206

info < at > microsolved <dot> com for more information via email

So, You Wanna Be in InfoSec?

Posted on by
3

One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CD’s, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic, both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price. The good, the bad and the security career. Paying that price is a part of the reward, you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”, it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable, it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need less inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…. 🙂


Twitter Smurfing or Amplified Twitter Spamming

Posted on by
2

Last night, @mubix pointed out a certain phrase that would result in a re-tweet of the attached content on Twitter. The interesting thing that got me going on this was that the folks in question had established an application to watch the Twitter stream and forward any content that mentioned the phrase to their followers.

Tweet-bots are not new, and I have written about code that could be adapted for this purpose in the past. Bots exist on Twitter for a variety of actions, but thus far, seem to have been relegated to auto-following folks or sending simple data streams to the service.

However, this new type of bot (which there may be others, some even older, of which I was unaware) opens Twitter and its users to a new type of spam. The obvious issue is that you could bait spam content with bot-friendly phrases and get your message sent to a MUCH BROADER coverage of followers than your own. Malicious and rowdy behavior could follow and lot of harassment and criminal activity could be shared by all. Sure, as @mubix said, “this is the open relay of Web 2.0”. I agree, it is just a matter of moments before this is a widely used abuse pattern made all the more powerful by the underlying architecture of trust that is Twitter.

But, while new forms of spam mildly interesting to me, what was interesting was that as I toyed with the bot, I would get MULTIPLE COPIES OF MY MESSAGE RETWEETED. That’s right, sometimes it would take my single message and retweet it multiple times. I could not determine if this was a bug in their implementation or a desired behavior, but it happened. That led me to the idea that you could use these bots as amplifiers. You could, essentially, identify a list of retweeting bots and cascade them to create the modern day version of the smurf attack!

Scanning the Twitter stream for these bots could be pretty easy. You could quickly script and API-enabled tool to tweet dictionary terms or brute force character groups into you found a catalog of retweet terms, then cascade them to cause a “retweet storm” of some sort. Some controls over the process are implicit due to the 140 character max for tweets, but it is likely an interesting experiment. Properly tuned, it might also be a denial of service style attack or a way to spread very small spam messages far and wide.

It should be noted that much of this is theoretical. I did not, nor do I intend, to engage in this type behavior. But, to me, it certainly seems possible. I can see it being used as a platform for spam and social engineering. I also don’t see a lot of controls that could be put in place to stop it.

Let me know your thoughts on this possibility and feel free to leave a comment and disagree or explain why I am wrong. I think there will be some interesting and dangerous times ahead for all social networks and I don’t think Twitter will be an exception.

Thanks to @mubix of Hak5 for the pointer and discussion!

Operation Anaconda: Putting the Squeeze on the Insider Threat

Posted on by
Reply

Organizations today are facing increased pressure to combat the “insider threat”. More and more compromises are occurring from “inside the secure perimeter”. The financial crisis, exploding use of mobile technologies, surges in bot-net infections and capabilities plus a myriad of other conditions are only making the problem more urgent. This condition exists across market verticals and it doesn’t matter whether you are charged with protecting national secrets, bank account information, credit card data or whatever, the insider is still the most dangerous threat of all.

At MicroSolved, we know that this is the most serious issue facing organizations today. We know that the threat is real, that budgets are tightening and that all of us will have to do more with less. We also know that as the economy worsens, data thieves, bot-herders and industrial espionage attacks will become more common.

Today, we have begun a special project – called Operation Anaconda. The purpose of this project is to study the problem of insider threats, identify rational approaches to reducing the risk of insider attacks and develop additional products, services, knowledge-based documents, methodologies and public information to help all of us better protect our businesses, data and assets from threats that originate inside our organizations. We don’t claim to have all of the answers, and we know that the risk can never reach zero, but we dedicate ourselves to finding better solutions to the problem than those that are common today.

“Normally, these kinds of press releases and articles are done in conjunction with new products or service offerings,” said Brent Huston, Security Evangelist (and CEO) of MicroSolved, Inc. “but we wanted to let customers and organizations know that we have heard them when they told us what was hurting them. We heard them and we are committed to doing our part to making that pain go away!”

“Over the next several months, you will see a plethora of articles, tools, techniques, products, services and approaches targeted at solving this problem. Our company will lead the way in identifying what works, what doesn’t and how to reduce the insider risk AND the security budget at the same time. Solutions have to be out there, and together, we will find them.” vowed Huston.

MicroSolved is currently building a project plan and forming study groups around facets of the problem. If you or your team would like to participate in one of the public study groups or discussions, please feel free to contact us. We will make more logistics known as the groups firm up their agendas. Stay tuned to http://www.stateofsecurity.com for more information and please feel free to comment on Operation Anaconda or responses to the insider threat. Thanks for reading and feel free to spread the word!

The New Version of HPPE OR Whoop, Here It Is!

Posted on by
Reply

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users, comes with all kinds of new power and flexibility, plus a greatly simplified and user friendly interface. Plus, it now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.

Prepping for Release of HoneyPoint Personal Edition 2.00

Posted on by
Reply

Great news!

We are currently prepping for the public release of HoneyPoint Personal Edition 2.00 on Monday. The product has been through two closed Beta’s and a great period of pre-release testing. Thanks to all who helped with the testing and for all who contributed to our cause with product feedback. A special thanks to “DA” from a local organization who really held my feet to the fire on changes and interface updates. Hopefully, everyone will be pleased with the interface and features! (BTW – D – we kept the “lights”…<grin>)

Here is a screen shot of the new main interface on the Mac.

Snapz Pro X001.png

New features include:

HornetPoint defensive fuzzing (patent pending)

Plugins capability from HPSS

Public support for Linux and OS X in addition to Windows

and a few other goodies….

Also, this represents the beginning of the new line for HPPE. Development will remain ongoing on it and we have few more tricks up our sleeves. We are also working on HPSS 3.00 and will begin alpha testing of that new architecture very soon.

Stay tuned for the launch and for more details as they become public!

3 Links for Securing USB Drives

Posted on by
Reply

This project caught my eye. It is includes crypto and ease of use. It is called geek.menu and is based from the portableapps project. Installed and configured right, it makes an encrypted file system to protect your data if you lose the drive. It also allows you to easily configure some pretty powerful options around the apps you install. Check it out if you are a big thumb drive user.

This article is a great overview of risks from thumb drives. It should be a basic requirement for any user in the organization that gets provisioned one.

Lastly, for those of you want to make the most of security through obscurity to protect your precious USB thumb drive from discovery, check this article out about hiding your drive in the wall.

If you are both a thumb drive (USB drive) and a Windows user, you should probably read about the Conflicker malware. It is currently spreading wildly and can transit itself on USB drives. (Oooops, that was 4….)

Application Fuzzing Can Be Fun

Posted on by
1

One of the things my mother always said I was good at was breaking things. Apparently, as a young Evangelist, I chose to be an agent of entropy. I guess I always have been a huge fan of how things are continually breaking down and according to my mother at least, I did a lot to help them along the way. My mother just loves to tell stories about me taking things apart (clocks, radios, tv sets, lamps, my sister….) but I will save you from those, unless you choose to have coffee with my mother some day… 🙂

Today though, breaking software applications and studying how they fail has become a huge part of my work. I study how they fail, what causes the underlying issues, how those bad decisions could be exploited and what makes applications, devices and other things, tick. I am truly a student and professor of entropy.

You too can participate in these exercises. Tons of new tools are available to fuzz a variety of things, or you could choose to write your own fuzzers (this was a very worthwhile thing for me and led me to create “Defensive Fuzzing” which is the core of the HornetPoint defensive tools). (Patent Pending)

Here is a quick list of some books, papers and tools that you might want to explore if you are interested in playing with and learning from these techniques:

Fuzz testing – Wikipedia, the free encyclopedia

Ethical Hacking and Penetration Testing: Fuzzers – The ultimate list

Fuzzing – OWASP

Amazon.com: Fuzzing: Brute Force Vulnerability Discovery: Michael …

22C3: Fuzzing

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications | Darknet …

These links should give you plenty of materials and links to tools. I would highly encourage any security folks to set up a small lab, try the tools and just learn a bit about breaking applications. You will be surprised at how easy it is and how much insight it will give you into information security. Give it a shot and let me know how it goes!