The job of the venerable TSA agent seems to be nearly impossible to me. I am just back in the office from a couple of weeks of travel and man, there are just so many issues with airport security I am just amazed that there have been no repeat airline attacks.

In Charlotte, a man made it through the security screening a couple of weeks ago and got on board an aircraft! To make matters worse, the TSA response was to create a process of “Reverse Screening” where the passengers would be screened as they came OFF of the aircraft. Huh? What? Off of the aircraft? Isn’t it likely to be a little too late by then?

Meanwhile, it also came to light while I was traveling that another US airport shut down their security posts at night and that anyone with an official badge was allowed through unscreened. Apparently this had been going on for years, but had only become an issue when a local newsperson penetrated the area in this manner on video. I guess this security team had never heard of social engineering or counterfeiting of badges. Hey, it’s only airline security, right?

The problem is just so large, and the variables so very complex. Add to that the pressure from the American public to get it right – but without inconvenience or delays and you have a patented recipe for failure. I truly believe that the TSA issues are so bad and that the system is so broken that we may need to step back and rethink the entire approach to the solution. What we have now clearly is not working and it seems to me that we have been very “lucky” that there have been no further incidents. The problem with luck though, is that it often runs out…

What do you think about airline security? How much are you willing to tolerate in the name of safety? What do you think we should do to make it better? Drop us a line and let us know your thoughts!

Are spammers getting desperate? Recently we’ve seen spammers switch from text based spam, with random paragraphs to images, and then to pdf, which seemed like the new hot spam format. But this morning I had a couple interesting spams get through the spam filter.

One of them looked like this:

H,E_R’E WE GO AGAIN.!

T.H_E B*I-G O.N+E BE_FORE T*H+E SEPTEMBER.R ALLY’!

T*H-E MAR KET IS ABO,UT TO P*O_P’, A’N+D SO IS E X,M’T+!

T ick: —-

5-d+ay po.tentia.l: 0.. 4’0

Firm : EXCHA*NG,E ——- (Ot+her O.T-C*: —–.P K)

A+s+k_: 0..+1+0 (+.25.0.0%) UP TO 2*5.% in 1 day

N*o.t o,n,l*y d’o e+s t,h,i_s f i*r’m h-a v’e gr*eat fu-ndamen’tals,

b u t getti*ng t-h.i s opp+ortunit,y at t,h e righ,t t-i.m e-,

righ_t bef.ore t_h e ra*lly is w+h-a-t m,akes t.h i s d.e a l so sw*eet!

T+h-i.s a gr eat o.,pportunity to at leas,t do’uble up!

I can barely make out what that says, it’s harder to read than 1337 5p34k mxd w/ AOL spk. The PDF spam, while effective at getting through, required the end user to actually open the pdf and read it, but it was actually, you know, readable. I would really like to know who is still making sending out spam like this worthwhile. Do people sit around and decipher it because they think they’re going to get some secret thing nobody else does? Is it still cost effective for spammers to buy email lists from the black market? Ah, If only I had the time to do research on spam. Maybe somebody already did it for me.

So, if you watch any of the vulnerability lists that are out there, you may have noticed a recent spike in vulnerabilities that have been identified in various VoIP implementations from various vendors. If you’re not sure what I’m talking about, you might think about heading on over to http://www.microsolved.com and downloading our free threat intelligence tool, Watchdog.

If you’re already a Watchdog user, you may have noticed that MSI decided to go from green to yellow earlier this week. That decision was based upon the release of several vulnerabilities that have been identified in Cisco’s implementation of various VoIP protocols (oh yeah, and it’s patch Tuesday). Those issues ranged in vulnerabilities that could allow remote code execution to denial of service. We’ve also seen several problems arise in Avaya’s implementation of VoIP protocols over the past couple of months as well.

MSI has been saying that VoIP vulnerabilities were going to start popping up, for some time now. If I remember correctly, we started addressing this in our State of the Threat presentations about a year and a half ago. Over that time we’ve seen significant progress in the tools that have been developed to assist in managing VoIP deployments. While those tools have helped a lot of companies with their VoIP implementations, we’ve also seen them introduce unintended risks into their environments. We’ve also seen many more much more nefarious tools that are allowing attackers to gain access to the VoIP system. And if you consider how useful fuzzing has become at identifying unknown problems in network traffic and applications, the sky is the limit when trying to determine where VoIP vulnerability research is going to end up. That is why MSI is ecstatic to have been approached by several different entities to perform VoIP Risk Assessments on their VoIP systems.

While a VoIP specific Risk Assessment may be a fairly new thing, the premise is not. It’s simply a way of applying a proven methodology to assess whether the new (or old) VoIP system hasn’t introduced unknown risks into the environment. The methodology that we use is very similar to our normal Risk Assessment of an Information Security Program, though there are some minor steps that had to be added and tweaked. The primary goal of these responsible organizations is to ensure that they are performing their due diligence by having a third party assess their VoIP implementations, and we applaud them for their initiative.

Yesterday I followed up on some HoneyPoint traffic signatures that have been floating around for a while. I have been seeing a pretty steady increase in various scans for several types of PHP vulnerabilities over the last few months, so I started looking around at some of the script kiddie PHP scanners that were out there.

Interestingly, I found a couple of scanners on a forum that were pretty advanced. They each include 250 – 300 signatures for PHP vulnerabilities, several modes of “IDS evasion” that are minimally successful, at best, but do have options to adjust scanning speeds, manage scan target lists and other useful stuff. Overall, I was actually impressed with the depth, stability and capabilities that these script kiddy style tools possessed.

I will continue to troll through some more lower end tools and check them out for how their coding has improved. I think it is likely that compared with the many of the script kiddy tools of yesteryear, I will find that even the basic development and coding skills in the lower end of the attacker pool has improved. The attackers who develop basic tools and feed the script kiddy crowd seem to be becoming more and more capable of in-depth coding and development. While far from a shock to infosec folks, it does represent a phase shift that we should be aware of. Likely, their tools will continue to grow in stability and sophistication – all of which makes for more formidable opponents.

Just something to think about….

So, here I am working on a vulnerability I discovered in OS X. I am deep into doing the final work of making sure it is exploitable and writing proof of concept code. My fuzzers had identified the issue a week or so ago, but with my busy schedule I just had not had time to pursue what was looking to be a local exploit with a little capability for malicious activity – like perhaps exposing the contents of file vault or other things that are based on user context.

But, low and behold, along comes an update from Apple that patches the vulnerability. Upon deeper research, it appears that they also discovered the issue (or blindly mitigated the hole) while they were repairing another problem included in this patch cycle! Congrats to Apple for fixing what appears to have been an unrelated issue and for seeming to actually be doing the right thing of performing additional testing or mitigation on code they are working on. To me it looks like they may actually have implemented a process where as one issue is found with a piece of code and addressed, the whole piece of code is more deeply inspected, tested and assessed. That’s FANTASTIC news!

So, while I am doing the “poor me” shuffle for spending cycles on an issue that has become NOT AN ISSUE, I am also bouncing around with joy that the right approach to securing code seems to be spreading. That alone, is worth a smile. I really like it when the right thing happens and some part of the world gets a little more secure!

That’s just another part of life as a security researcher. Things continue to break in new and exciting ways, but sometimes, even while you are working on the rabbit hole, someone comes along and fills it in….

CNet reviewers gave HPPE four out of five stars!

They loved the useability of the product, the interface and the idea surrounding it.

You can read more about it here.

Apparently, it would have gotten 5 stars, but they did not like the fact that connections from 127.0.0.1 (localhost) are ignored and that this feature is not in the documentation. We will add it into the docs in the future, but 4 out 5 stars is a wonderful response. Thanks CNet!

Recently, at a local coffee house meeting with one of my clients, I quickly realized I was under attack. As we were going through a power point presentation, all of a sudden my HP:NTA alerted me by a simple traffic light. First going to yellow, letting me know someone was probing my machine with a message to me…..make sure your firewall is running and that your anti-virus is up-to-date. Then seconds later turning to red, letting me know that I needed to unplug immediately and to notify my security team. The alerting system gave me real time alerting capability to let me know someone was doing something they shouldn’t be.

A few things that I think are important to point out.

1. If I didn’t have NTA on my lap top I would have never known someone had launched a web browser attack on my computer.

2. More important they could have taken control of my computer without having any knowledge of the occurrence.

3. Neither my firewall nor antivirus caught the probe/attack

4. Forensics – I took the incident back to my security team and they were able to see what type of attack occurred, where did the attack originate, and etc.

5. Continues to show the importance of how layering security is vital to protecting our assets. Layering is crucial in safe computing both personally and professionally.

6. How easy NTA is to comprehend and understand what my next immediate steps needed to be.

With all that being said an incident where someone could have easily hacked into my computer was stopped by installing NTA. At $10 per license doesn’t it makes sense that everyone should have this installed on their computer?

One of the unexpected side effects of HoneyPoint deployments has been the discovery of misconfigured applications and hardware in the network. Many customers have identified several applications and devices that were either not configured properly or were acting in unexpected and undocumented ways. HoneyPoint clients have been giving us great feedback that this has helped them reign in this wrongful behavior and that they would likely have never known about it if they had not deployed HoneyPoint.

Some of the items they have discovered have included web-applications that open return sessions to port 80 or 443 on the host – often for no apparent reason, illicit web-requests to domain servers due to misconfigured SQL and LDAP controls and even a couple of applications that performed simplistic host port scans in odd attempts to identify the originating host or use as a “host fingerprint” – neither of which are effective mechanisms for access control.

Clients have also told us that HoneyPoint has helped them find hosts that are not obeying the standard rules of their environment. For example, one client moved their DNS server from the DNS location assigned by DHCP and then changed the DHCP server. A few days later, he stood up a port 53 HoneyPoint to capture hosts that had set their DNS as static instead of using the established DHCP method. Doing so helped him clean up some hosts that remained in older configurations and even identify a help desk technician that was not configuring systems accordance with their standards. They claim that HoneyPoint was an incredible tool in helping them find the hosts that were just not up to par.

As the product matures, we continually get more and more feedback from clients about innovative uses for the tools. If your organization has leveraged HoneyPoint in new ways, please let us know so we can share them with others who may be able to benefit from the idea. As always, thanks for the attention to the product, we truly love the feedback and the incredibly warm response it continues to receive from people and organizations around the world!

MicroSolved, Inc. is pleased to announce that its SecureAssure vulnerability assessment solution has successfully completed the PCI Scanning Vendor Compliance Testing. This process allows MicroSolved to serve as an ASV for organizations concerned with PCI compliance.

“More organizations can now benefit from working with MicroSolved as their information security partner. Companies with compliance needs centering on payment cards can now leverage our exceptional methodologies and world class reporting. In addition, our process of manual vulner- ability verification eliminates much of the overhead and complexity of compliance by removing false positives and keeping your resources focused on the real problems.” stated Brent Huston, CEO of MicroSolved.

For more information, or to schedule assessments of your organization, please contact your account executive via phone or click here for email.

MSI attended the latest CUISPA event in Boston last week and it was a fantastic show. Credit union security folks were in attendance from all around the US and the speakers did a fine job of knowledge transfer.

Many thanks to all who stopped by the booth and showed their appreciation for our State of the Threat updates to CUISPA members. We have made arrangements with CUISPA to keep them coming each quarter!

I am not allowed to “spill the beans”, but in appreciation of our warm reception, we will soon be making a very special offer to all CUISPA members. Stay tuned to both CUISPA and our site to learn about this special offer that just might make your future workload quite a bit lighter!    😉

Thanks again for the warm welcome in Boston. Special thanks to Kelly at CUISPA for the awesome event!