Toata Moves On To Additional Targets

The Toata bot army has moved on to scanning for additional web applications to target and catalog. Moderate levels of scanning began last night and continue today. The new target paths are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your systems to see if you have these files. If you do, check with the responsible projects for updates and consider additional monitoring and/or removal from service. Investigate any hits, since the exploitation timeline and goals are unknown. Mantis Bugtracker and TWiki appear to be the likely targets. Exploit vectors have not been researched at this time, though Mantis has had known XSS issues in its login page previously.
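As an added example (not part of the original advisory), the Python below runs the path list above over web server access logs in the common Apache/nginx “combined” format, groups hits by source address and flags any source whose probe got a 2xx/3xx answer, which means the scanned file is probably present and needs the follow-up described above. The log lines embedded in it are constructed for illustration, not real captures.

```python
"""Find Toata bot probes in web server access logs.

Added example, not part of the original advisory. Runs the advisory's path
list over Apache/nginx "combined" format log lines, groups hits by source
address and flags sources whose probe received a 2xx/3xx, meaning the
application is probably present on this server. The lines in SAMPLE_LOG are
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Request paths listed in the advisory.
TOATA_PATHS = frozenset({
    "/mantisbt/login_page.php", "/tracker/login_page.php",
    "/bugtracker/login_page.php", "/bugtrack/login_page.php",
    "/support/login_page.php", "/bug/login_page.php",
    "/bugs/login_page.php", "/login_page.php",
    "/statistics", "/bin/statistics", "/twiki/bin/statistics",
    "/wiki/bin/statistics", "/wikis/bin/statistics",
    "/cgi-bin/twiki/bin/statistics", "/cgi-bin/wiki/bin/statistics",
    "/cgi-bin/wikis/bin/statistics",
})

# Leading fields of the "combined" format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def normalize_path(target):
    """Canonical form of the request target, so case, percent-encoding, a
    query string or a trailing slash cannot hide a probe from the match."""
    path = unquote(urlsplit(target).path).lower()
    return path.rstrip("/") if len(path) > 1 else path


def parse_line(line):
    """Return a dict with ip, ts, method, path and status, or None if the line
    does not look like a combined-format request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec.pop("target"))
    rec["status"] = int(rec["status"])
    return rec


def find_toata_probes(lines):
    """Map source ip -> {"hits": [(path, status), ...], "found": bool}.

    "found" is True when any probe from that source received a 2xx/3xx,
    i.e. the scanned file is probably present and should be investigated.
    """
    report = defaultdict(lambda: {"hits": [], "found": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in TOATA_PATHS:
            continue
        entry = report[rec["ip"]]
        entry["hits"].append((rec["path"], rec["status"]))
        if 200 <= rec["status"] < 400:
            entry["found"] = True
    return dict(report)


# Constructed sample log lines (RFC 5737 documentation addresses), not real captures.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Nov/2008:02:14:07 -0500] "GET /mantisbt/login_page.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Nov/2008:02:14:08 -0500] "GET /twiki/bin/statistics HTTP/1.1" 200 2048 "-" "-"
203.0.113.7 - - [10/Nov/2008:02:15:11 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2008:02:16:40 -0500] "GET /cgi-bin/TWiki/bin/statistics/?x=1 HTTP/1.0" 403 0 "-" "-"
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for ip, entry in sorted(find_toata_probes(lines).items()):
        flag = "APPLICATION PRESENT, investigate" if entry["found"] else "probed only"
        print(f"{ip}: {len(entry['hits'])} probe(s), {flag}")
        for path, status in entry["hits"]:
            print(f"    {status} {path}")
```

Run it with an access log path as the only argument; with no argument it reports on the constructed sample. A 404 for every listed path from a source is a scan you can simply note; a 200 tells you the application is actually installed and is the case the advisory asks you to chase.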

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.

Win7, Linux and the Future of the Desktop OS

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate, because they are not already saturated) cannot afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India and the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that cannot be derailed.

Second, I believe in open source. While the majority of users couldn’t care less about source and will never tweak their code, there is a core group of code geeks who will tweak stuff and play with things. These geeks will create improvements in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it; go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement aren’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from it and advance beyond it, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.

Third, the idea that users choose a desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding (“what I use at work and already know”) are the top considerations, followed by stability and price. But even in those decisions, Linux has made a huge improvement at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar with it and begin to use it at home. Add to that equation the coming army of global young people who have been using Linux as the base of their education and you see a rising tide. I think of Windows 7 not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows, Linux and OS X, with easier sharing, integration and cross-platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelical groups of BSD/Other/Netware+/blah blah blah that ebb and flow. To demonstrate my point: I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I), and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long, long time.

Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the marketplace. They are kind of on a “computing land bridge” between the handheld devices that will evolve from smartphones and the real functionality and usability of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack the core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long-term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long-term bet to me. (Note: I just bought a Linux-based Eee PC to try, but have not used it yet.)

So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so this is speculation and review-based opinion only.) They made significant improvements in Vista, and additional improvements are likely here too. Linux continues to have security issues as well, though they too seem to be improving (without any real metrics research on my part). All operating systems, though, face high levels of additional risk from the add-on applications users run on their desktops. Part of what I think will be important in the future of desktop security is how well the OS limits the damage a user-level compromise can do. How does it prevent privilege escalation? How compartmentalized does it keep data? What detective and responsive controls does it build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. Which OS platforms would seem more capable of rapid evolution here? It seems to me that the myriad mindsets and crowd-sourcing of open source are much more likely to create improvements here in the short term, but you decide for yourself. Bottom line: the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.

So, there you go: my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.

Three Things You Can Do To Improve Home PC Security “Beyond the Basics”

Just about everyone knows that home networks and machines need a firewall. Most home PC users also know they need to run anti-virus and anti-spyware tools. Heck, most systems come with these things pre-installed these days. Savvy users even know how to enable the Windows or Linux auto-update feature and go a long way toward making their machines more resistant to attack.

But I wanted to remind home users of three “Beyond the Basics” steps they can take to really improve home system security. Ready? Here is the list:

1. Install a software update tool like Personal Software Inspector from Secunia. This tool checks your system for the various software packages you may have installed. Have an old version of the Java runtime or an out-of-date version of Flash Player? If so, this tool will not only find it and alert you to it, but in most cases give you a direct download link to the update. Since many of today’s exploits are against ancillary software packages rather than the operating system itself, this step will take you well beyond the basic security of most users!

2. Make sure that your home wireless network is secure. If you can, use WPA2 (or at least WPA) rather than WEP for wireless encryption; WEP keys can be recovered by anyone in radio range with freely available tools. If your router or access point doesn’t support anything stronger than WEP, or worse yet, doesn’t have any wireless security enabled at all, then you have a serious problem. Take a few minutes and check out this site for more steps on securing your home wireless network.

3. Change from IE to a different browser. Internet Explorer (IE) is a MAJOR TARGET and the source of a myriad of compromises. You can help protect yourself by switching to Chrome, Opera, Firefox, Safari or some other alternative browser. While each of these browsers has its own share of security issues, none of them presents as wide a target as IE. Google “alternative browser” for a plethora of browsers for your operating system.

There you have it. 3 fairly easy ways for home users to go “Beyond the Basics” to increase the security of their computing environments. There are a ton more ways to tune the user experience and reduce risk. A bit of Google searching and staying current on various security topics is a great way to start. Be safe out there!

Correction: Twitter API Does Have SSL Support!

Previously, I wrote about the supposed lack of SSL/HTTPS support in the Twitter API. However, thanks to Tony pointing me in the right direction, I DID find support for HTTPS in the API and have since updated my own tool (released by me as freeware and not associated with MSI) to use it.

For those of you who are interested, you can find the new release of TweetCLI 1.10 that supports updates via HTTPS here:

Windows, Linux, OS X versions.

Thanks to everyone that uses it and feel free to let me know your thoughts and feelings on twitter @lbhuston.

The new version should work as a simple replacement in the previously released HPSS plugin.

You can also subscribe to a “bad touches” feed from some of our Internet-exposed HoneyPoints around the world. We are currently publishing source IP and destination port only, while we work on ways to publish the payloads we receive in some manner as well. More on that in the future. The current “bad touches” feed is @honeypoint.

Apologies to twitter for the SSL issue. Additions to the API documentation to show HTTPS examples as the default would be much appreciated.

Hope everyone is having a wonderful holiday season. Thanks for reading and we look forward to more infosec news and research in the future.

Giving for the Holidays

Now is the time when many folks open their hearts and their wallets to help others. At MSI, I am proud to say that we do this all year. This year alone we have worked on gathering and donating old cell phones for the Central Ohio Choices program, made donations to the One Laptop Per Child organization, donated our services to a group of non-profits and charities working to make the world a better place and performed various other functions. I am so very proud to lead a team of individuals who are fully committed to the goals of many of these organizations and who routinely work to improve the lives of others, the environment and our future.

Information security and technology aside, I wanted to take a few moments and give links to some very deserving organizations in my book. Of course, there are a ton of organizations out there, many are very very dedicated and do wonderful work. Organizations like the Red Cross/Red Crescent and so many others are deserving of your support year round, but here is a quick list of special organizations I hope you will support this year and in the future.

(RED) – This organization is fighting desperately to overcome the tragedy of HIV/AIDS. You can help by buying products with their logo, which will donate an amount of the sale to the cause.

Heifer – They provide animals and other micro-farming capabilities to emerging nations. Their tradition of passing new born animals back into the program is one of the greatest ideas ever!

Of course, One Laptop Per Child, who is taking measures to educate the youth of the world. Their “give one, get one” program is simply amazing. Try this, give one to the program and take the get one to a local school or pre-school and donate it too. Or, choose a neighbor or someone with children who could benefit from the technology. It is a great way to help.

Then there is Charity:Water, which is fighting to bring clean, safe drinking water to the world. Believe me, we will all need this in the future. The world could be a very different place in the future.

There are tons more I wish I could cover: dog shelters, Animal Rights Aruba, various anti-poverty and disease research groups, etc. The nice thing about charity today is that there are so many ways to give and so many organizations to support that everyone can find the right one to fit their own moral, religious and social compass. Just picking one is the first step. Hopefully, this quick list will get you started, or at least thinking about it.

We will now resume our regularly scheduled security banter. Thanks for reading, not just today, but all year long and everyone at MSI wishes you and yours a safe, peaceful and wonderful holiday season!

Security of Secondary Financial Service Systems

In the US several “secondary financial services” exist. They range from check cashing and money transfer to short-term lending and various other financial services. Many of these organizations also offer additional services like payroll check loans, check “floats”, tax preparation and a variety of others. In many cases these organizations aim their marketing at immigrant workers, people sending money to foreign countries and the economically challenged.

Unlike traditional banks and credit unions, these organizations are loosely regulated, if at all. In many states few rules for their operation exist, and they certainly do not face the security and regulatory requirements of traditional financial services organizations. Numerous cases have been made against the predatory, aggressive and borderline criminal practices that seem to abound in this industry.

Recently, Panda, an anti-virus vendor, completed a study of the check-cashing-centric businesses in this tier of financial services. Their study found thousands of machines in these businesses running out-of-date security software, including expired anti-virus trial versions. They observed more than 1500 machines running these out-of-date basic security tools. Of those, they found more than 60 percent to be actively infected by some form of malware, and 80 percent of the machines studied were actively being used to process financial transactions.

Basically, this demonstrates a true lack of concern for information security in this sector. By not providing for even the most basic of security functions, anti-virus, they leave the identity and financial data of their clients vulnerable to theft and tampering.

To make matters worse, in many locations in our state, Ohio, the check cashing organizations require a lot of information about you to obtain their services. Normal contact information, plus social security number, driver’s license and other identity details are often maintained in their databases. In more than one case of calling around various locales near us, several of the companies asked for a “client number” and when pressed, we were told this was the same as our social security number and could be found on our “membership card”. Needless to say, this very fact that SSN is being used so carelessly, gave us more than a chill. We truly hope that those consumers choosing to use these organizations for financial services take note of the insecurity and risks to which they may be exposing themselves.

Ohio has just passed new laws to regulate the practices of these organizations and to prevent some of their more abusive tactics. Let’s hope that additional regulatory oversight and attention to information security is also coming for these businesses. Until then, they and the consumers who choose them, remain in the low hanging fruit category for cyber-criminals and identity thieves.

Be Aware: Twitter API Uses Basic Authentication and a Twitter Toy

For those of you who have embraced the web movement that has become known as Twitter, be aware that the widely used Twitter API employs only HTTP Basic Authentication. The credentials (login and password) are sent to the web API with only a simple HTTP POST and are unencrypted. I could not locate a means of even using HTTPS when sending tweets to the API.

The credentials are sent over the web in the standard Basic Authentication form of “login:password”. They are base64 encoded first, so they are not exactly in plain sight, but base64 is an encoding, not cryptography, and is beyond trivial to identify and decode. Any attacker with a sniffer, or sitting at a proxy in the stream, can easily capture and decode those credentials.

The moral of the story is, if you use Twitter, make sure you use a password uniquely created for that service, since it will be trivial for an attacker to expose. Be aware that most, if not all, existing clients and twitter extensions use this same mechanism.

While twitter is proving to be a popular and useful mechanism for micro-blogging, it also comes with some inherent risks that include exposure of information that could lead to social engineering attacks and password exposure issues. Use twitter with some caution and all should be well, but without common security sense, twitter (like many other things) may be sharper than expected.
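The Python below is an added example, not code from the original post or from TwitterCLI. It shows the Authorization header a Basic Authentication client emits, how trivially a sniffer or in-path proxy recovers the login and password from a cleartext capture, and a simple client-side guard that only lets the header travel over HTTPS, which is the fix the correction posted above describes. The host, path and captured request are constructed placeholders, not Twitter’s actual endpoints.

```python
"""HTTP Basic Authentication as it appears on the wire.

Added example. Shows the Authorization header a client such as a command-line
Twitter tool emits, how an attacker on the path recovers the credentials from
a cleartext capture, and a client-side guard that only allows the header over
HTTPS. The host, path and captured request below are constructed placeholders.
"""
import base64
import re
from urllib.parse import urlsplit


def basic_auth_value(user, password):
    """Header value a client sends: 'Basic ' + base64('user:password')."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(value):
    """Recover (user, password) from an Authorization header value, or None.

    base64 is an encoding, not encryption, so this is the whole 'attack'.
    The split is on the first colon because RFC 2617 forbids ':' in the
    user-id but allows it in the password.
    """
    m = re.fullmatch(r"\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*", value)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# Matches the Authorization header line inside a raw HTTP request.
AUTH_LINE = re.compile(rb"^Authorization:[ \t]*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def credentials_from_capture(raw_request):
    """What a sniffer or in-path proxy does with a cleartext request:
    locate the Authorization header and decode it."""
    m = AUTH_LINE.search(raw_request)
    if not m:
        return None
    return decode_basic_auth(m.group(1).decode("ascii", "replace"))


def safe_to_send_basic_auth(url):
    """Client-side guard: Basic credentials must only travel inside TLS."""
    return urlsplit(url).scheme.lower() == "https"


# Constructed sample of a client posting a status update over plain HTTP.
# 'YWxpY2U6czNjcmV0' is base64 for 'alice:s3cret'.
CAPTURED_REQUEST = (
    b"POST /update HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"status=hello!"
)


if __name__ == "__main__":
    print("client sends:  Authorization:", basic_auth_value("alice", "s3cret"))
    print("sniffer reads:", credentials_from_capture(CAPTURED_REQUEST))
    for url in ("http://api.example.com/update", "https://api.example.com/update"):
        print(url, "->", "ok" if safe_to_send_basic_auth(url) else "refuse: cleartext")
```

The guard is the practical takeaway: a client that hard-codes an `http://` endpoint hands its credentials to every network hop, and the same bytes sent over `https://` are only readable by the endpoint that terminates the TLS session. The unique-password advice above still stands for the case where the service itself is compromised.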

You can find a ton of information about the Twitter API here.

You can follow me on twitter here.

You can download the tool, twittercli, that I was writing when I saw this from the following locations (Not endorsed by MicroSolved, Inc. — Just a personal project!):

TwitterCLI will let you send tweets from a command line, schedule them with at/cron/iCal or call them from scripts, etc. Freeware from L. Brent Huston (NOT MSI!)

Windows

Linux

OS X

Thanks for reading!

Hackers Hate HoneyPoint


We have been getting so much great feedback and positive response to our HoneyPoint products that Mary Rose, our marketing person, crafted this logo and is putting together a small campaign based on the idea.

We are continuing to work on new capabilities and uses for HoneyPoint. We have several new tricks up our sleeve and several new ways to use our very own “security Swiss army knife”. The capabilities, insights and knowledge that the product brings us are quickly and easily being integrated into our core service offerings. Our assessments and penetration tests bring this “bleeding edge” attack knowledge, threat analysis and risk insight to our work. We are routinely integrating the attack patterns and risk data from our deployed HoneyPoints back into the knowledge mix, adding new tools, techniques and risk rating adjustments based on the clear vision we are obtaining from HoneyPoint.

This is just one of the many ways that HoneyPoint and the experience, methodology and dedication of MSI separate us from our competitors. Clients continue to love our rapport, reporting formats, flexibility and deep knowledge – but now, thanks to HoneyPoint, they also enjoy our ability to work with them to create rational defenses to bleeding edge threats.

You can bet that you will see more about HoneyPoint in the future. After all, hackers hate HoneyPoint, and in this case, being hated is fine with us!

A Web Application Cheat Sheet & More

I got a lot of response from folks about my last cheat sheet post. Here is another one that many folks might find useful.

This one, from Microsoft, describes quick references for the Microsoft Web App Security Framework. This is a pretty useful sheet and one that our techs use a lot.

I also find this one for Nessus and Nmap to be pretty useful.

I found this one for you CISSP study folk.

This one for PMP study folk.

And, lastly, for all the new waxers of armchair economics, this one about sub-prime mortgages…

OK,OK, I could not resist this one, THE INTERACTIVE SIX DEGREES OF KEVIN BACON CHEAT SHEET!

Hope you enjoy these, and now back to your regularly scheduled infosec blogs… 🙂

3 Improvements for Financial Applications

Our tech lab reviews several financial applications every year from a variety of vendors focused on the financial institution market space. The majority of these applications perform poorly to some extent in security, usability or both. Here are three key tips for vendors to keep in mind when they or their clients ask us to assess their application.

1. Make sure the application actually works as it would in a production environment. Make sure it is reasonable in terms of performance. The idea of performing our lab assessment is to model risks in a real world simulation. Thus, if the system is not configured and working as it would in a real deployment, then the validity of the test is poor. Many of the applications we test simply do not function as expected. Many times, their performance is so slow and horrible that it impacts the availability metric. Basically, by the time it is submitted for the complete application assessment or risk assessment, it should work and be installed in a QA environment just as it would be in production. If there are any variances, be prepared with a document that explains them and their anticipated effects. Be ready to discuss and defend your assertions with a team of deeply technical engineers.

2. Do the basics. Make sure you meet an established baseline like PCI, ISO or some other basic security measure. That means ensuring that controls are in use to provide for confidentiality, integrity and availability. That means that you are protecting the data properly during transit, storage and processing. That means that you and/or your client have an idea about how to provide preventative, detective and responsive capabilities around your product. Make sure your documentation clearly explains any security assumptions or add-on products required.

3. Be ready to handle issues. If/when we find a security issue, be it an overflow, an input validation problem or a best-practice variance, be ready to mitigate the issue and submit a fix. Many times it takes months for vendors to handle the issues we find, and this is certainly NOT good for their relationship with the client. Almost every full assessment our lab conducts involves some kind of deployment timeline and crunch from the customer. Nothing seems to go worse for vendors whose products we test than when an issue is found and they become unresponsive to us and/or their client. Seriously, JUST DON’T DO THIS. Be prepared to apply resources to fix issues when we test the application. Very few applications (less than 2%) pass through the lab process without some sort of issue. This is NOT a basic process; it is a seriously deep, complex and heavily leveraged process for finding holes and measuring impact. Be prepared.

I hope this post helps both clients and vendors be better prepared for their testing. I think it gives the basic ideas for the approaches that we know do not work. We really want your applications to be secure, thus the level of detail we apply. Let us know if you have any questions. We are also about to open the lab registration window for 1Q09, so if you have applications you would like tested, let us know and we will try and get them on the schedule.