Picture with a Bee Contest – Win FREE HoneyPoint!

That’s right! Send us your picture taken in a “security-related pose” with a stuffed bee, a bee costume or a bee-related item and we will pick the winner of a FREE license for HoneyPoint Security Server!

BuzzbyMSI.jpg

Just like in life, style counts, so get your ideas together and send us those pictures! Our judges will pick the winner on April 30th, so get your pics in before then. Imagination, security details and fun will be the key to your success. Three runners up will receive FREE licenses for HoneyPoint Personal Edition!

You can send your pictures via email to: hppics@microsolved.com

Remember, we reserve the right to publish all submissions, so make sure you are OK with that before you submit. 🙂 The contest closes and winners are picked at noon on April 30th, 2009. Enter as often as you wish; the odds of winning depend on the number of people entering. Have fun!

25% off HoneyPoint Security Server, Plus 0% Financing For April

This is no joke, or at least if it is, then the joke is on us. 🙂

For the entire month of April, we are offering a 25% discount off the retail prices for HoneyPoint Security Server for new customers. In addition to that, you can extend our 0% financing option to pay in monthly payments over the life of your support agreement up to 3 years! Plus, as promised in earlier posts, anyone who purchases HPSS by the end of April will receive 3 free licenses for HoneyBees once they are released!

The product is now licensed per server, in anticipation of the 3.0 release which is in lab testing as I write this announcement. All licenses include one console license on the platform of your choice (Linux, Windows, OS X). Licenses include one year of our acclaimed support and HoneyPoint upgrades. Maintenance year 2 and beyond is 20% of purchase price.

Here are some pricing examples for you to consider:

The base entry point is a 5 server license pack. The retail price for this pack is $4,995.00. During April, you can purchase the pack for just $3,746.25. Additional years of maintenance (up to 2 for a total of 3 years of support and maintenance) are just $749.25 per year. That means that if you buy a 5 server license with two years of maintenance, you can purchase it in April for $5,244.75. Furthermore, you could apply our 0% financing program and spread that amount over 36 months for a monthly payment of just $145.69!

For less than $150 per month, you can achieve incredible security visibility, additional protections against malware and the insider threat and enjoy the power of HoneyPoint’s “deploy and forget” (sm) approach to reducing the workload of your security team!

Here is another example. Our most popular HPSS package is our 25 server protection pack. The pack retail price is $15,975.00 and includes the same one year of support and upgrades. During the month of April, you can purchase this pack for just $11,981.25, while additional years of support/upgrades will run $2,396.25 per year. Using the same 0% financing approach as above you could purchase protection for 25 servers along with 2 additional years of support/upgrades for a total of $16,773.75 or $465.94 per month for 36 months!

In this common case, less than $500 per month can bring you the flexibility of HoneyPoint plugins, the self-defending mechanisms of HornetPoints and the insight that can only be achieved by knowing attacker frequency, capability and motivation.

And, of course, if you are an enterprise, we have the same deal for you too. You can leverage the power that we bring to integrate into existing security architectures and see the 90% savings we have brought to clients in terms of security resources as well. Give us a call and we would be happy to discuss your specific network size, implementations and HoneyPoint needs.

So, check out HoneyPoint. Give us a call to arrange a demo, or better yet, try out our HoneyPoint Personal Edition to see the technology in action. (Take a look at the included HPPE/HPSS document for ideas on how to test the product with HPSS in mind.) Then, give us a call or drop us a line and get the power of the Hive on your side. With HoneyPoint, attackers get stung instead of you.

Note: Purchase orders must be received by April 30, 2009 to qualify for this special offer.

New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

MSI is proud to announce a new add-on tool for HoneyPoint Security Server that is designed to help organizations fight the threat of sniffers that might be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that appear to be real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. When attackers try to use these captured credentials to authenticate to the HoneyPoint, they are immediately identified and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field,” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught,” he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (prior to the end of April) will receive three free HoneyBees to complement their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems,” Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conficker Infections

MSI is proud to announce the immediate availability of a LINUX ONLY HoneyPoint GUI tool to capture Conficker scans and probes.

Conficker is a significant threat and is expected to wreak havoc on April 1, 2009. You can find a great deal of information about Conficker here from various vendors via SANS.

The HoneyPoint Special Edition: Conficker runs on Linux and is easy to use with just about any LiveCD distro (including Puppy, DSL, gOS, etc.), and it should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication, and a Windows version was not possible, since the detection requires binding to port 445/TCP, which Windows uses for CIFS.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.

Toata Update: Smaller Target List for Now

We caught some changed patterns from the Toata bot-net last night in the HITME. It appears that they have dropped RoundCube from their target probes and are now focusing on Mantis.

The scanning targets list is much smaller this time around, which should increase their speed and efficiency.

Current Toata scanning pattern 03/19/09:

GET HTTP/1.1 HTTP/1.1

GET /mantis/login_page.php HTTP/1.1

GET /misc/mantis/login_page.php HTTP/1.1

GET /php/mantis/login_page.php HTTP/1.1

GET /tracker/login_page.php HTTP/1.1

GET /bug/login_page.php HTTP/1.1

GET /bugs/login_page.php HTTP/1.1

Of course, the scans also contain the string:

“Toata dragostea mea pentru diavola”

You should check your own sites for these issues and investigate any findings as if they were potentially compromised hosts. This is a widely appearing set of probes.
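As an added example (not code from this post or from MicroSolved), here is a small Python checker that runs the probe pattern above over web server access log lines in combined format. The log lines and IP addresses are constructed for the example; the request paths and the marker string are the ones listed in the post. Besides flagging sources that carry the marker, it reports which of the probed paths your server actually answered with a 2xx status, since those are the hosts the post says to investigate as potentially compromised.

```python
import re
from collections import defaultdict

# Request paths from the Toata probe pattern of 03/19/09 (as listed in the post).
TOATA_PATHS = {
    "/mantis/login_page.php",
    "/misc/mantis/login_page.php",
    "/php/mantis/login_page.php",
    "/tracker/login_page.php",
    "/bug/login_page.php",
    "/bugs/login_page.php",
}
# The string the post says also appears in the scans.
TOATA_MARKER = "Toata dragostea mea pentru diavola"
# The malformed first request line seen in the pattern.
TOATA_BAD_REQUEST = "GET HTTP/1.1 HTTP/1.1"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one probing source carrying the marker, one ordinary
# user who happens to hit a Mantis login page that really exists on this host.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2009:02:14:11 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [19/Mar/2009:02:14:12 -0400] "GET /mantis/login_page.php HTTP/1.1" 404 208 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [19/Mar/2009:02:14:12 -0400] "GET /bugs/login_page.php HTTP/1.1" 200 5120 "-" "Toata dragostea mea pentru diavola"
198.51.100.23 - - [19/Mar/2009:02:15:01 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Mar/2009:02:15:03 -0400] "GET /bugs/login_page.php HTTP/1.1" 200 5120 "http://intranet.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["req"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def classify(entry):
    """Return the reasons (possibly none) that an entry matches the Toata pattern."""
    reasons = []
    if entry["path"] in TOATA_PATHS:
        reasons.append("mantis login_page probe path")
    if entry["req"] == TOATA_BAD_REQUEST:
        reasons.append("malformed request line seen in the Toata pattern")
    if any(TOATA_MARKER in entry[f] for f in ("req", "ref", "ua")):
        reasons.append("Toata marker string present")
    return reasons


def scan_log(lines):
    """Group every flagged request by its source IP."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits[entry["ip"]].append(
                {"path": entry["path"], "status": entry["status"], "reasons": reasons}
            )
    return dict(hits)


def summarize(hits):
    """Sources that carried the marker, and probed paths the server really serves (2xx)."""
    probing = sorted(
        ip for ip, entries in hits.items()
        if any("Toata marker string present" in e["reasons"] for e in entries)
    )
    exposed = sorted({
        e["path"] for entries in hits.values() for e in entries
        if e["path"] in TOATA_PATHS and e["status"].startswith("2")
    })
    return {"probing_sources": probing, "exposed_paths": exposed}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, entries in found.items():
        for e in entries:
            print(ip, e["status"], e["path"], "; ".join(e["reasons"]))
    print(summarize(found))
```

A path match on its own (the second source above) is only a weak signal, because a legitimate Mantis user produces the same line; the marker string, or the malformed first request, is what ties a source to the scanner. The `exposed_paths` list is the part worth acting on: a 2xx answer means the probed application is actually present and the host should be reviewed as the post recommends.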

Finding Conficker with HoneyPoint

With so much press attention on the Conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks, and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is via exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port to detect scanning/probing hosts using non-Windows systems. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to detect the source IP addresses of infected hosts on the network. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build a scatter sensor or several and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of a myriad of natures.

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

HoneyPoint Helps You Do More With Less


We all know the economy is struggling right now. Budgets are tighter than ever and many companies are forced to find ways to do more with less. Even though cybercrime is on the rise, it doesn’t mean your organization has to suffer. Here are two ways HoneyPoint Products can help you increase efficiency in an economical way.

1) Avoid heavy customization tools – HoneyPoint comes “ready-to-go.” It can be customized but it isn’t necessary for it to work. It’s a great “plug-and-play” product. Once the HoneyPoint Security Server is deployed, attacks are tracked. The HoneyPoint strategy is simple, yet powerfully effective. HoneyPoints are flexible pseudo-server applications that are able to emulate thousands of real services such as web, email, database systems and others. Since these pseudo-services are not real applications, there is no reason for anyone to interact with them in any way. Thus, once deployed, any activity to a HoneyPoint is, by default, suspicious. Since attackers do their work by scanning for and examining services looking for vulnerabilities, the HoneyPoints lie in wait, trapping the attacker in the act of doing the exact thing that attackers seek to do – find vulnerable services!

2) Allow others to do the heavy lifting – Certain security tasks can be outsourced or automated. Sometimes an organization can decrease the total cost of ownership by having someone else do it. Why not let MicroSolved, Inc. handle some of these security functions, such as vulnerability assessment and penetration testing? Our experts can assess your policies, processes and network infrastructure against a variety of baselines including PCI DSS, FFIEC/NCUA/FDIC, NIST, ISO and other industry standard best practices. We routinely provide deep level penetration testing for clients who wish to get a real world view of their IT, network and physical security mechanisms. From blue team assessments to red team testing leveraging the latest techniques in social engineering and simulated attack, MSI’s experience and capabilities clearly separate us from our competition.

With a little creativity, we can all work smarter to not just survive, but thrive during these challenging days!

MSI is Currently Seeking Resellers for Services and HoneyPoint

We are currently seeking resellers for our HoneyPoint line of products and our professional services. We are open to discussing this with any firms interested in creating a virtual security practice and helping us present our HoneyPoint products to their markets.

We have a strong interest in working with partners in South America, Europe and Asia.

If your firm is interested in joining a reseller program that has been performing well for more than a decade and has members from the Fortune 100 to regional specialists, then please read more about the program here and contact us to arrange a discussion.

Our recent expansion of technical staff has created a limited opportunity to bring on new partner relationships. Does your organization have the will and capability to be among the group that leverages our two decades of excellence?

DShield Launches Web Honeypot to Gather Attack Pattern Data

SANS and Dshield today announced the public availability of a new honeypot project for gathering web application attack patterns and trends. The tool is available at no charge and will feed into the ongoing DShield project data stream.

This is a great project and I am very happy to hear that more public attention will be on the use of honeypots to gather real metrics for attacks. This is something I have long stressed as a strength of our HoneyPoint products. I love the fact that they are doing it on a widely distributed basis. I know what kind of data we get from our HITME and I really hope they have much success in gathering that level of insight from a global view. I think the community as a whole will benefit.

Have we entered the age of the honeypot? Are we finally ready to accept the idea that “fake stuff can make us more secure”? I am not sure the public is there yet, but I think this is another step closer. What do you think?

“Scattersensing” on the Cheap for Insider Threats

I have been working with several clients to create a new process for combating insider threats. We have been calling this new approach “scattersensing”. Using this technique (or a variation of it), you can cheaply, effectively and efficiently identify overt insider threats that may be occurring around your organization’s network.

Scattersensing, when done with this method, costs less than $130 per scattersensor! Here’s what you need to do one scattersensing point of security visibility:

One older laptop or desktop system with a CDRom and a network card:

I use an old Gateway Solo like the ones found on this EBay page. None of the laptops on this page costs as much as $100 and many are under $50. My scattersensor laptop that I use in the lab is a Pentium II 300 MHz with a small amount of RAM. The CD drive is built into the machine. The battery is long dead, but the rest of the hardware works. I bought the 100 Mbit PCMCIA card at a garage sale for $5, but they are also available on the cheap from EBay and a lot of other places. We don’t even really care about the hard disk, since we can run the entire system from a LiveCD if we need to; or, if you have a working hard drive, you can do a hard disk install and make it even easier to use as you move it from place to place. You could also do this with just about any standard desktop, workstation or old PC you have lying around anywhere or can obtain at a garage sale or thrift store.

Now that you have the hardware, you need the operating system. For our approach, we suggest Puppy Linux. It has been tested to work as desired and can be easily hardened with a password change. You can read more about it and download the ISO image from here. Download it and burn it to a CD. You can then do the optional hard disk install if you like, simply follow the directions from the Puppy Linux site and/or from the included installer. (You may need to wipe the disk first if an NTFS partition is present). Cost of the operating system: FREE

Next, we need a copy of HoneyPoint Personal Edition from MicroSolved. You can get the zip file from here for Linux. To have the application run longer than 15 minutes at a time, you need to purchase a license for $29.95 from the online store here. Digital River will send you a license key via email. Use that license key when you first start HPPE and it will unlock the application for that system. You can use the license key over and over again on the same system if you are using a LiveCD (so keep it handy) or it will be maintained by HPPE if you did a hard disk install. Now, install, start, configure and license HPPE on your scattersensor.

Here is a picture of a scattersensor I use routinely in the lab and in the field for training/exercises. It is the Gateway Solo I referred to above.

IMG_0253.JPG

OK, so now that you have a scattersensor built, what next? Next you deploy it. You place it in your network environment, using it to detect overt insider threats like scanning, malware probes, bot-net activity and anyone looking around the environment. Since the services that are being offered by the HPPE deployment aren’t real, there is absolutely NO REASON you should see any activity at all. Any activity you do see should be treated as suspicious at best and malicious at worst. Investigate any activity you see, period. Many organizations find things like misconfigured software, holes in ACLs or the like and, of course, the variety of attacks previously described.

Using scattersensor(s), you can easily move them from network segment to network segment on a semi-random schedule. Move them to the DMZ for a week or so, then on to the server network segment, then to a partner network, then to workstation segments. Build more than one and cover a lot of areas easily. For small to mid-size organizations, a couple of scattersensors with HPPE may be more than enough to give you good security visibility and coverage. Many organizations have used the scattersensing approach for a while and then moved up to use the full blown HoneyPoint Security Server enterprise product.
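To make the mechanism concrete for both the Conficker post above (a pseudo-service on 445/TCP that records the source IPs of probing hosts) and the scattersensor deployment described here (any touch of a fake service is suspicious by definition), here is an added Python example. It is not HoneyPoint code and is not from MicroSolved; it is a minimal stand-in that shows the principle: bind a port nothing legitimate should ever talk to, never answer, and log who connected and what they sent first. The class name, its method names and the loopback demo are assumptions made for the example; binding 445 on Linux requires root, and as the post notes the same port cannot be freed on Windows.

```python
import socket
import threading
import time


class ScatterSensor:
    """Pseudo-service (assumed design, not HoneyPoint's own code): accept every
    connection on a port that offers nothing real, record the source and the
    first bytes sent, and never respond."""

    def __init__(self, bind_addr="0.0.0.0", port=445, peek_bytes=64, timeout=1.0):
        self.bind_addr = bind_addr
        self.port = port
        self.peek_bytes = peek_bytes      # how much of the client's first send to keep
        self.timeout = timeout            # how long to wait for that first send
        self.events = []                  # one dict per connection
        self._lock = threading.Lock()
        self._sock = None
        self._thread = None
        self._stop = threading.Event()

    def start(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((self.bind_addr, self.port))
        s.listen(16)
        s.settimeout(0.2)                 # lets the accept loop notice stop()
        self._sock = s
        self.port = s.getsockname()[1]    # port 0 becomes the real ephemeral port
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:               # listening socket closed by stop()
                break
            with conn:
                conn.settimeout(self.timeout)
                try:
                    first = conn.recv(self.peek_bytes)
                except (socket.timeout, OSError):
                    first = b""
            # Nothing was sent back: a real client would now be confused, which
            # is fine, because no real client should have connected at all.
            event = {"ts": time.time(), "src_ip": src_ip, "src_port": src_port,
                     "dst_port": self.port, "first_bytes": first}
            with self._lock:
                self.events.append(event)

    def stop(self):
        self._stop.set()
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(timeout=2)

    def sources(self):
        """Distinct source IPs and how many times each touched the sensor."""
        with self._lock:
            counts = {}
            for e in self.events:
                counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
        return counts


def loopback_demo(payload=b"\x00\x00\x00\x2fconstructed SMB-looking probe"):
    """Run the sensor on an ephemeral loopback port, touch it once from this
    process, and return the sensor so its recorded events can be inspected.
    The payload is a constructed byte string, not real Conficker traffic."""
    sensor = ScatterSensor(bind_addr="127.0.0.1", port=0).start()
    try:
        with socket.create_connection(("127.0.0.1", sensor.port)) as c:
            c.sendall(payload)
        deadline = time.time() + 3
        while time.time() < deadline and not sensor.events:
            time.sleep(0.05)
    finally:
        sensor.stop()
    return sensor


if __name__ == "__main__":
    # Real deployment: bind 445/TCP (needs root on Linux) and print each touch.
    sensor = ScatterSensor(port=445).start()
    seen = 0
    try:
        while True:
            time.sleep(1)
            for e in sensor.events[seen:]:
                stamp = time.strftime("%H:%M:%S", time.localtime(e["ts"]))
                print(stamp, e["src_ip"], e["src_port"], e["first_bytes"][:16])
            seen = len(sensor.events)
    except KeyboardInterrupt:
        sensor.stop()
```

Every entry in `events` is an investigation lead, exactly as the post says: there is no legitimate reason for a host to connect to a port that serves nothing. Running the same listener on a LiveCD box and moving it between segments is the scattersensing approach described above; in practice you would also write the events to a file or syslog so they survive a reboot of the LiveCD system.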

There you go, a first light touch on the subject from Operation Anaconda. A way to easily (and incredibly cheaply!) get security visibility in a powerful and evolutionary way. Give it a try and let us know how you fare. You can report your updates and progress in the comments or via the #anaconda hash tag on Twitter. Good luck out there!