What’s On Your Key?

Posted on March 6, 2008 by Brent Huston

As a follow up to yesterday’s post about the Windows management tool, several people have asked me about what Windows tools I use most often. I, like many technical folks, carry a simple USB key in my pocket and it is packed with the core critical tools I use whenever I run into a support-type issue.

This led me to ask – what’s on your key?

USBKey graphic

Mine has some pretty interesting stuff. Here is a sample of the contents focused on Windows tools.

I keep an installs directory with some of the basic tools that I need, like to use and would want people to use. It has stuff like:

Cain and Able – you never know when you may need to recover or crack a basic password

Comodo Firewall – I try to never leave a home system without a firewall installed and configured, this one is free, easy to manage and with a quick 5 minute lesson – even basic Windows users can keep it going safely…

Filezilla – a pretty great Win32 FTP GUI

FoxitReader – a quick replacement for the bloated Adobe PDF reader

Genius – an old swiss army knife tool for Win32 that has a ton of Internet and network clients, plus some basic power tools for users

and of course the ubiquitous FireFox, WinZip, freeware Anti-virus and SpyBot Search & Destroy installers!

I also keep some basic tools for troubleshooting, security and analysis:

BinText – a GUI “strings” for Win32

Filealyze – a file analyzer, great for looking at unknown pieces of software and doing potential malware analysis on the fly

FPipe – Foundstone’s port redirector

Scanline – a quick and dirty command line port scanner for Win32 from Foundstone

Various Windows resource kit elements – kill, netdom, sysinternals tools, shutdown, etc.

Of course, netcat, the do it all with sockets tool 😉

winvi – easy to use text editor

whosip and whoiscl – two whois emulators for Windows

a tools simply called Startup – a really easy to use GUI for managing what is starting up each time the system starts and the various users login

Those are really the essentials… I carry a bunch of normal stuff around too, but the basics are here for those quick fix scenarios that invariably start with something like “My computer is acting kinda funny ever since I …”

So, I have shown you some of mine. Now you do the same, let us know what’s on your key that you carry in your own pocket. Use the comment system to tell us all about your own set of indispensable tools!

A Great Windows Maintenance Find for FREE

Posted on March 5, 2008 by Brent Huston

A few days ago I stumbled onto a pretty decent Windows maintenance tool I wanted to share. It is called Advanced WindowsCare Personal and is available from snapfiles.com here.

Overall, this is a pretty great tool. It is very easy to use and does a lot of tuning and preventative maintenance for Windows systems – especially home and end-user systems that might not have a corporate IT person to take care of them. It does a good bit of clean up around the system, helps to protect it against spyware and some malware. While not a full anti-malware solution, it does make some basic registry changes to help prevent installation of the most common spyware and other bad stuff.

It did a very nice job of helping me tune a Windows system that I was messing with and in running basic management functions and maintenance tasks. I am not sure I would upgrade to the “Pro” version, but for a free utility, this one is pretty good.

If you still have Windows systems to manage, especially for family members and the like, this may be worth the time to install for them and spend 15 minutes teaching them to use it. Likely, they can repair most of their own problems using the tool, instead of calling you over to Aunt Millie’s for tech support. 😉

Ohio Votes Today

Posted on March 4, 2008 by Brent Huston

The day for the Ohio primary is here. With a ton of media attention focused on our state, a new voting process in place and the removal of the touch-screen systems our primary is certain to have its ups and downs today.

When we reviewed the security of the Ohio voting system, we did find some serious issues. However, the optical scanning systems from our review were less prone to problems under normal voting use than the touch screens. Therefore, we agree that the optical scanners are a more secure choice, especially in the way that our Secretary of State has outlined their use.

Voters in Ohio today should expect some lines and a small amount of confusion and hype. But, careful review of your ballot, care marking of your selections and following the published procedures should make the process easy, reliable and interesting. Our only words of caution are to ask for another ballot if you make a mistake and refrain from marking anywhere except in the square of your chosen candidate. Again, take a few moments and review the ballot before you turn it in.

The Secretary of State has taken great measures to ensure oversight and accountability for all votes and voters around our state. The various boards of election and other officials have also taken great steps toward improving the security of the process. They are all to be commended for achieving the progress we have made thus far, in such a short amount of time.

While there is still quite a bit of work to be done around electronic voting and elections security; today is a good day to look at the work we have done so far. Together, citizens, politicians and government can work to find a useful, reliable and secure way to continue the wonderful democracy that we, as Americans, enjoy.

Do your part. Vote. Stay engaged in the debate about electronic voting and don’t be afraid to let others know what you think…

More Chinese Scans for Web Bugs

Posted on February 29, 2008 by Brent Huston

This morning I was checking through my usual HoneyPoint deployments and it was a normal day. As usual, the last 24 hours brought a large number of web application bug scans from hosts in China. They are the normal PHP discovery probes, some basic malware dropper probes against known web vulnerabilities and a ton of web server fingerprinting probes from various Chinese hosts.

China has now surpassed the US as the source of most global probes and attacks, a least according to Arbor. Check out the China profile here.

One of my close friends, JK, claims that there is a massive initiative underway in China to map the Internet on a global scale and to have a fairly up to date global vulnerability matrix for the world’s systems. While this could be true, and is certainly possible, with a large enough set of bot-infected hosts that dropped data back to a centralized database, it is an interesting thought.

For sure, these probes and scans exist on a global basis. Our international HoneyPoints pick up much of the same Chinese traffic as our US ones. Perhaps a quick check of some of your logs will show the same. Much discussion of pro-active blocks against Chinese address space is underway in several organizations. Perhaps this is something we should all think about?

Hardware Security Testing Presentation & MP3 Available

Posted on February 28, 2008 by Brent Huston

The pdf of the slides and the audio from yesterday’s presentation on Hardware Security Testing is now available.

You can get the files from this page on the main MicroSolved site.

Thanks to the many who attended and who sent me the great feedback this morning. I am really glad everyone liked the content so much!

Check out the next virtual event scheduled for March 25th at 4 PM Eastern. The topic will be 3 Application Security “Must-Do’s”.

Here is the abstract:

This presentation will cover three specific examples of application security best practices. Developers, security team members and technical management will discover how these three key processes will help them mitigate, manage and eliminate risks at the application layer. The presenter will cover the importance of application security, detail the three key components to success and provide strategic insight into how organizations can maximize their application security while minimizing the resources required.

We look forward to your attendance. Email info@microsolved.com to sign up!

Underground Cyber-Crime Economy Continues to Grow

Posted on February 28, 2008 by Brent Huston

I read two interesting articles today that reinforced how the underground economy associated with cyber-crime is still growing. The first, an article from Breech Security, talked about their analysis of web-hacking from 2007. Not surprisingly, they found that the majority of web hacking incidents they worked last year were geared towards theft of confidential information.

This has been true for the majority of incident response cases MSI has worked for a number of years now. The majority are aimed at gaining access to the underlying database structures and other corporate data stores of the organization. Clearly, the target is usually client identity information, credit card info or the like.

Then, I also read on darknet this morning that Finjin is saying they have been observing a group that has released a small P2P application for trading/sale of compromised FTP accounts and other credentials. Often, MSI has observed trading and sale of such information on IRC and underground mailing lists/web sites. Prices for the information are pretty affordable, but attackers with a mass amount of the data can make very good incomes from the sale. Often, the information is sold to multiple buyers – making the attacker even more money from their efforts.

Underground economies have been around since the dawn of capitalism. They exist for almost every type of contraband and law enforcement is usually quite unsuccessful at stamping them out. Obviously, they have now become more common around cyber-crime and these events that have “bubbled to the surface” are only glimpses of the real markets.

It is critical that information security teams understand these motivations and the way attackers think, target victims and operate. Without this understanding, they are not likely to succeed in defending their organizations from the modern attacker. If your organization still spends a great deal of time worrying about web page defacements and malware infections or if your security team is primarily focused around being “net cops”, it is pretty likely that they will miss the real threat from today’s cyber-criminals and tomorrow’s versions of organized crime.

Laying the Trap with HoneyPoint Personal Edition & Puppy Linux Live CD

Posted on February 27, 2008 by Brent Huston

Recently, I have been capturing quite a bit of attacker probes and malware signatures using a very simple (and cheap) combination of HoneyPoint Personal Edition (HPPE) and a Puppy Linux Live CD. My current setup is using an old Gateway 333MHz Pentium Laptop from the late 90’s!

The beauty of this installation is that it lets me leverage all of the ease of a Live CD with the power and flexibility of HPPE. It also breathes new usefulness into old machines from our grave yard.

So, here is how it works. I first boot the machine from the Puppy Live CD and configure the network card. From my FTP server (or a USB key) I download the binary for HPPE Linux (available to licensed HPPE users by request), the license and my existing config file. That’s it – run the binary and click Start. Now I am set to trap attack probes and malware to my heart’s content!

It really is pretty easy and the new email alerting now built into HPPE allows me to remotely monitor them as well from my iPhone email. This makes a nice, easy, quick way to throw up HoneyPoints without needing a separate console or a centralized monitoring point.

This setup is very useful to me and has even got me thinking about adding a plugin interface to HPPE in future releases. That would essentially give you the power to write custom alerting mechanisms and even fingerprinting tools for attacking systems.

Give this setup a try and be sure to let me know your thoughts on HPPE. As always, MSI really wants to hear your ideas, input and feedback on our work.

Thanks for reading and have fun capturing attack data. Some of this stuff is pretty darn cool! 😉

Incident Reporting & Handling WorkFlows

Posted on February 26, 2008 by Brent Huston

I had an interesting conversation with a client today and they are planning to implement a web site that would give their internal employees a centralized resource for looking up how to report security incidents, building/facilities issues, HR problems, policy violations, etc.

They picture this as a web page with a list of phone numbers, intranet applications and other contact mechanisms for their staff to use to report issues. The conversation was around attempting to create a workflow or flowchart for decision making about how to report an issue and how to decide which contact method to use.

I know a few other organizations have created formal incident reporting and such for their employees. Would anyone care to share their decision trees or the like for incident handling and user training around this topic (sanitized, of course!)?

Thanks, in advance, for any insight on this. The client will be monitoring the thread and it may help others as well.

Risk Increase in Laptop Loss with Encryption?

Posted on February 26, 2008 by Brent Huston

There has been a bunch of buzz in the last few days about researchers who figured out how to retrieve crypto keys from RAM on stolen laptops. Several analysts have talked about this raising the risk for data loss from laptop theft and some are even questioning the effectiveness of crypto as a control. I think that much of this is hype and will prove to be overblown in the coming months.

First, the attack has some difficulty and knowledge requirements. This essentially makes it equivalent to a forensic technique and as such is well beyond the capabilities of basic attackers. It requires knowledge deeper than an average computer user or power user would possess. While this does not eliminate the risk, it does significantly reduce the pool of attackers capable of exploiting the vulnerability. Further risk reductions could be gained by understanding that the attackers must gain access to the device (what controls are in place for this?, what training have you done on laptop loss control?) and the device must be in a sleep state or recently powered down (have you taught users to power down laptops completely when removing them from the office or other controlled areas?). Each step in training and additional controls further serves to reduce the risks from this vulnerability.

Vendors are also reacting to the problem. Many are identifying the key management processes in their products and moving to change them in such a way as to make them more effective with this attack in mind. Their results and effectiveness are likely to vary, but at least many of them are trying.

So, while laptop loss remains a potential data theft risk, even with crypto in place, it is likely to remain a manageable and acceptable risk if proper awareness controls are in place. So before you put too much stock in some of the “near panic” FUD levels some security analysts are shouting, step back, take a look at it from a rational risk standpoint and then identify what you can do about it.

This issue again reinforces that there aren’t any silver bullets in security. Nothing is “absolute protection”, even high level math. The only real way to do security is through proper, rational risk management…

Security Team Leadership Matters

Posted on February 21, 2008 by Brent Huston

Leading a team of security technicians can be a tough job, but in most corporations the manager of the team must also be an evangelist. The task of leading a security team often requires that the leader have a vision of the goals of the team and is capable of “selling” that vision both to upper management and the user base of the entire organization. Since many teams are led by technicians who have ascended through the ranks, they often have limited understanding of management needs and marketing approaches.

If you are such a security manager, here are a few tips to help you get started. The first one is a quick list of required reading. Leading the team means being a management consultant and an evangelist. To help strengthen or develop these skills, check out a couple of these titles:

The Macintosh Way by Guy Kawasaki – this is the Bible of evangelism from one of the greatest evangelists of the silicon age

The Idea Virus by Seth Godin – this book’s insight is the basis for viral marketing and can be a powerful tool for selling ideas inside of an organization, all of Seth’s work is great and could be helpful

A book about corporate structure and management goals – these are easy to come by and can vary by industry and organization type but a quick Amazon.com search is likely to reveal several that fit the needs

It is essential and critical that security team managers and leaders come up to speed on the needs and goals of management. It should be an immediate goal to learn the style and language of your management team. Only when you can act as a liaison and converse with them on their own terms can you begin the process of “selling” them on the security plan and process. Only when you understand them and have earned their trust can you begin to align security operations with the various lines of business and move further towards adding perceived value to their bottom line.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: General InfoSec