Ohio Voting Systems Review (EVEREST)

Posted on December 14, 2007 by Brent Huston

MicroSolved, Inc. announced today that it has completed its assessment of the security of Ohio’s electronic voting systems. The testing, a part of project EVEREST, was lead by the Ohio Secretary of State’s office and was designed to seek a comprehensive, independent and objective assessment of the risks to elections integrity associated with Ohio’s voting systems. The project leveraged MicroSolved’s advanced methodologies and in-depth experience to perform “red team” penetration testing of the voting systems. MicroSolved emulated various attacks against the voting systems and analyzed the impact of these attacks on the confidentiality, integrity and availability of the voting systems and their elections data.

While the study revealed several critical security issues in the various elections systems, MicroSolved also identified specific strategies for mitigating or managing these risks. “By applying the identified mitigation strategies, all of the administrative stakeholders in the elections process have an opportunity to demonstrate their commitment to the integrity of Ohio’s elections.”, said Brent Huston, CEO of MicroSolved. “While these strategies require hard work, significant investment in resources and continued vigilance, they represent the best approach to creating truly secure mechanisms for electronic voting in Ohio.”

“We appreciate the opportunity to participate in the EVEREST project and to help the Secretary of State further her goal of restoring trust in Ohio’s elections.”, Huston added.

For information about the specifics of the project, MicroSolved’s role and findings, please see http://www.microsolved.com/everest/.

Bad News in Trends of 2007

Posted on December 11, 2007 by Brent Huston

The infosec community got some bad news today in the first release of trends for 2007. Overall, things are not going as well as we would like. Attacks continue to rise and successful compromises that end in data compromise are up.

Attackers seems to have fully embraced client-side attacks and bot-nets for performing illicit activity and laptop theft is also seen as rising. As expected, identity theft is rapidly becoming a huge criminal enterprise with an entire underground economy emerging to support it.

Reports came out today that showed that malware attacks have doubled in 2007 and that data theft rates have TRIPLED!

From our standpoint, this validates that existing traditional security controls based around the perimeter simply are NOT WORKING. We must establish defense in depth. We must embrace enclaving, encryption of sensitive data and portable systems and establish proactive security mechanisms that can raise the bar of compromise out of the reach of the common attacker. Until we begin to think differently about security, data protection and privacy – these trends remain likely to increase even further.

Evolution, Maturity and Rethinking the Problems…

Posted on December 7, 2007 by Brent Huston

I have been following a number of attacker trends and I see a potential point of convergence just over the horizon.

Most especially, I think that an intersection is likely to occur between bot development/virtual machines/rootkits and man-in-the-browser. My guess is that a hybrid juggernaut of these technologies is likely to emerge as an eventual all-in-one attack platform.

The use of these technologies alone are already present in many attack platforms. There are already a ton of examples of bot/rootkit integration. We know that man-in-the-browser has already been combined with rootkit technologies to make it more insidious and more powerful. If we add things like installation of illicit virtual machines, evil hypervisors and other emerging threats to the mix, the outcome is a pretty interesting crime/cyber-war tool.

If all of these problems would come together and get united into a super tool, many organizations would quickly learn that their existing defenses and detection mechanisms are not up to the challenge. Rootkit detection, egress traffic analysis, honeypot deployments and a high level of awareness are just beginning to be adopted in many organizations whose infosec teams lack the budgets, maturity and technical skills needed to get beyond the reactive patch/scan/patch cycle.

Vendors are already picking up on these new hybrid threats, much like they did with worms – by offering their products wrapped with new marketing buzzwords and hype. We have heard everything from IPS to NAC and hardened browsers (that mysteriously resemble Lynx) to special network crypto widgets that provide mysterious checksums of web transactions with other users of the special widgets… I don’t think any of these thigs are going to really solve the problems that are coming, though some might be interesting as point solutions or defense in depth components. My guess is that more than a few of the currently hyped vendor solutions are likely to be practically useless in the near future.

The real problem is this – security team maturity needs to be quickly addressed. Attackers are nearing another evolutionary leap in their capabilities (just as worms were a leap, bots were a leap, etc…) and we are still having issues dealing with the current levels of threats. It is becoming increasingly clear that we need to have infosec folks start to think differently about the problems, learn more about their adversaries and embrace a new pragmatic approach to defending data, systems and networks.

Maybe we need less whiz bang technology and more Sun Tzu?

Cisco’s PCI Ultimatum Movie was a Big Hit!

Posted on December 5, 2007 by Brent Huston

The movie premiered in Columbus yesterday and seemed to be a great way to learn about PCI requirements.

It was hilarious to see people you know on the big screen.

Check it out when it comes to a city near you. You can check out the trailers and such at http://www.businessofsecurity.com.

We have put up a separate blog site to follow the movie as it tours and to give follow up info. You can check it out at http://pcimovie.blogspot.com!

Respond in comments and let us know what you thought of it!

Added Note: It is our CEO who gets killed in the opening scene, persistent isn’t he… 😉

Also, the movie premier followed our State of the Threat presentation yesterday morning, adding even more info to what has quickly become one of the leading edge security presentations around!

More QuickTime Exploits

Posted on November 30, 2007 by Adam Hostetler

It seems the recent QuickTime vulnerabilities are receiving a lot of attention. Exploits are popping up fast, and there are now working exploit frameworks to attack both Windows and OSX. Since the exploit can be embedded in websites, it’s harder to avoid it. Even the practice of avoiding untrusted websites may not be 100% effective. Other things that may be tried include blocking the rstp:// protocol at the firewall if you have the capability, or better yet uninstall the QuickTime browser controls, or disable file associations for QuickTime files. Apple is still working on an patch for this issue.

Inside an Average PHP Scan

Posted on November 20, 2007 by Brent Huston

I have been talking about PHP scans for a while now. They are so common that we get them on our HoneyPoint deployments all the time, often several times per day, depending on our location.

These scans follow traditional scanner patterns in that they grind through a list of specific urls that are known to have issues looking for a 200 response from the server.

Here is a quick list of a recent scan against one of our HoneyPoints:

/+webvpn+/index.html: 1 Time(s)
/PMA/main.php: 1 Time(s)
/admin/database/main.php: 1 Time(s)
/admin/datenbank/main.php: 1 Time(s)
/admin/db/main.php: 1 Time(s)
/admin/main.php: 2 Time(s)
/admin/myadmin/main.php: 1 Time(s)
/admin/mysql-admin/main.php: 1 Time(s)
/admin/mysql/main.php: 1 Time(s)
/admin/mysqladmin/main.php: 1 Time(s)
/admin/pMA/main.php: 1 Time(s)
/admin/padmin/main.php: 1 Time(s)
/admin/php-my-admin/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/admin/phpMyAdmin/main.php: 1 Time(s)
/admin/phpmyadmin/main.php: 1 Time(s)
/admin/phpmyadmin2/main.php: 1 Time(s)
/admin/sqladmin/main.php: 1 Time(s)
/admin/sqlweb/main.php: 1 Time(s)
/admin/sysadmin/main.php: 1 Time(s)
/admin/web/main.php: 1 Time(s)
/admin/webadmin/main.php: 1 Time(s)
/admin/webdb/main.php: 1 Time(s)
/admin/websql/main.php: 1 Time(s)
/board/index.php: 4 Time(s)
/database/main.php: 1 Time(s)
/datenbank/main.php: 1 Time(s)
/db/main.php: 1 Time(s)
/favicon.ico: 1 Time(s)
/forum/index.php: 4 Time(s)
/forums/index.php: 4 Time(s)
/myadmin/main.php: 1 Time(s)
/mysql-admin/main.php: 1 Time(s)
/mysql/main.php: 1 Time(s)
/mysqladmin/main.php: 1 Time(s)
/padmin/main.php: 1 Time(s)
/php-my-admin/main.php: 1 Time(s)
/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/phpMyAdmin/main.php: 1 Time(s)
/phpbb/index.php: 4 Time(s)
/phpbb2/index.php: 4 Time(s)
/phpmyadmin/main.php: 1 Time(s)
/phpmyadmin2/main.php: 1 Time(s)
/robots.txt: 15 Time(s)
/sqlweb/main.php: 1 Time(s)
/web/main.php: 1 Time(s)
/webadmin/main.php: 1 Time(s)
/webdb/main.php: 1 Time(s)
/websql/main.php: 1 Time(s)
As you can see, the scanner requests some of the pages many times, usually with subtle differences in the method or url termination scheme. When we have faked the 200 responses for these pages, it simply catalogs the success and continues. Thus far, we have been unable to identify when/if the real human attacker returns to test and play with the finds, since there are just so many scans for these issues going on all the time. But, we continue to monitor and analyze, so hopefully soon we can identify a pattern of scans followed by verification and exploit.

Note that some/many of these scans will immediately exploit the vulnerability in PHP and use it to drop a bot-net client onto the machine. Of course, this immediately compromises the system and adds it to the scanning army. In those cases, the waiting for the return of the human attacker would not apply.

So, what does all of this mean? We wanted to give you some more insight into the wide scale PHP scans and what they look like. If you have not checked your own web site for these known vulnerabilities, it would likely be very wise to do so. It can be done quite easily by hand, using a simple Perl script or any of the publicly available web scanner tools.

Cisco Movie!!!

Posted on November 9, 2007 by Brent Huston

I also got to work with the folks at Cisco, Trend and RSA on a movie this week! I got to shoot a quick info session about Man in the Browser (MitB) attacks and then got to do a little play acting. The trailer should be available soon here.

If you want to see the whole thing come out to this event. I think you will dig it!

Hats off to Radigan, Flanagan and the others who hooked me up with this. It was very cool to be involved and I look forward to our big premier! 😉

Data Visualization Tools in Security

Posted on November 9, 2007 by Brent Huston

I have been playing with a few data visualization tools and doing some on the fly firewall log analysis. Mostly just basic plots and stuff so far.

These tools make analysis a pretty cool process. I can see where it would be useful with a very large data set.

I have been reading a new book about it, stay tuned for a review. In the meantime, there are a lot of data visualization tools out there, but I have been playing with the InspireData from Inspiration Software. Check them out if you want to see what I am talking about.

Have you tried using visualization tools for log analysis? If so, leave me a comment about your experiences and the tools you use.

Book Review: Security Power Tools

Posted on November 5, 2007 by Brent Huston

Authors: Burns, Granick, Manzuik, Guersch, Killion, Beauchesne, Moret, Sobrier, Lynn, Markham, Iezzoni, Biondi

Publisher: O’Reilly

$59.99

Rating: 4 out of 5 stars (****)

If you are tired of reading some Harry Potter or some such thing, and decide to devour 780+ pages of information security how-to, this is a pretty good candidate.

The book covers everything from legal and ethical issues to pretty deep knowledge of the tools and techniques used to do infosec work. It won’t make you an expert, but it is a much friendlier manual than the included docs for a whole lot of tools.

My favorite section is chapter 10, which covers the art and science of shell code, custom exploits and some great tools for making this often tough job a whole lot easier. The diagrams and code examples in this chapter alone make the book worth the money for the reference shelf, and you would get all of the rest too!

All in all, the book is easy to read, the examples are clear and easily understood. The graphics are clean and crisp, which makes it much simpler to follow along on your own systems. Basically, as with most O’Reilly books, the layout and design is excellent.

Check it out if you are getting tired of wizards and such. The ROI is likely higher and you might even learn a new skill or two to help you in the day. In the end, that should be the measure of a good security book – right?

Noel Brings Reminder to Review DR/BC Plans

Posted on November 2, 2007 by Brent Huston

For those folks on the east coast, Hurricane Noel should probably figure into your weekend plans. The storm is looking like a near miss for much of the eastern seaboard, but should be a strong reminder for folks to review their Disaster Recovery and Business Continuity plans for currency.

If you look in your policies folders and don’t see a DR/BC plan, now might be a good time to form a task group for making them. Given the wacky weather patterns lately, they might prove to be handy in the future. At the very least, you can rest a little easier just knowing they are there.

For those folks wondering what I am talking about, click here for more info on the storm.

If you want to do more reading on DR/BC policies, check out this wikipedia article.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: General InfoSec