Category Archives: General InfoSec

HoneyPoint Used to Confirm Skype URL Indexing

Posted on by
4

Last week, several sources were talking about the indexing of URLs that happen inside supposedly secure and private Skype sessions. There was a bit of press about it and we thought it would be fun to test it out and easy to do with HoneyPoint Personal Edition. Here’s how we did it:

  • First, we stood up a HoneyPoint Personal Edition and dilated port 80 with a web listener. We configured it to look like a default under construction page on an IIS box. We then exposed it to the Internet.
  • In order to cut down on noise from scanning while we were testing, we decided we would use a target page in our test URL of vixennixie.htm, since scanners aren’t generally looking for that page, if we get scanned while we are testing, it won’t interfere with our data gathering and analysis.
  • Next, we created a Skype chat between to members of the team and made sure each of us was configured for full security.
  • Once this was confirmed, we passed the URL: http://target_ip/vixennixe.htm between us. The time was 1:13pm Eastern.
  • Then, we waited.
  • Lo and behold, we got this nearly 12 hours later:

                     2013-05-22 01:09:45 – HoneyPoint received a probe from 65.52.100.214 on port 80 Input: HEAD /vixennixie.htm HTTP/1.1 Host: target_ip Connection: Keep-Alive

A whois of 65.52.100.214 shows:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# Query terms are ambiguous. The query is assumed to be:
# “n 65.52.100.214”
#
# Use “?” to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=65.52.100.214?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 65.52.0.0 – 65.55.255.255
CIDR: 65.52.0.0/14
OriginAS:
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
RegDate: 2001-02-14
Updated: 2012-03-20
Ref: http://whois.arin.net/rest/net/NET-65-52-0-0-1

OrgName: Microsoft Corp
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2011-04-26
Ref: http://whois.arin.net/rest/org/MSFT

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc@microsoft.com
OrgNOCRef: http://whois.arin.net/rest/poc/ZM23-ARIN

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com
OrgTechRef: http://whois.arin.net/rest/poc/MSFTP-ARIN

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@hotmail.com
OrgAbuseRef: http://whois.arin.net/rest/poc/HOTMA-ARIN

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@hotmail.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@msn.com
OrgAbuseRef: http://whois.arin.net/rest/poc/MSNAB-ARIN

RTechHandle: ZM23-ARIN
RTechName: Microsoft Corporation
RTechPhone: +1-425-882-8080
RTechEmail: noc@microsoft.com
RTechRef: http://whois.arin.net/rest/poc/ZM23-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

I’ll leave it to the reader to decide what they think about the data. You can draw your own conclusions. We just appreciated yet another use for HoneyPoint and a quick and dirty project to play with. Thanks for reading!

Save The Date: June 10 is CMHSecLunch

Posted on by
8

Save the date of June 10th for the next CMHSecLunch. This month’s event is at the Polaris Mall food court. It’s 11:30 to 1pm.

As usual, you can sign up here. You can also talk to @cahnee about it on Twitter if you would prefer. She can help you find folks wherever we meet.

The event is FREE, open to anyone interested in IT and InfoSec. You can brown bag it, or get food from the vendors. But, the conversations are amazing. You get to see old friends and make some new ones. Check it out! 

Cyber News Today from Homeland Security Middle East – Abu Dhabi, UAE

Posted on by
3

Happy Memorial Day Readers;

The Red Dragon and MicroSolved are at the Homeland Security Summit- Middle East taking place in Abu Dhabi, United Arab Emirates…

Latest World Cyber News you should be maintaining cyber situational awareness on comes to you today after 6 different flights across 4 different continents and a total of 30,000 airmiles…oh yes 5 hours of sleep –

Nonetheless – here are some developing stories out of the International Cyber World….

General Alexander – Four-star general in eye of U.S. cyber storm… Read more @ http://newsle.com/article/0/76523525/

The covert battle over Beijing’s defence policy heats up…People’s Republic of China gets into the business of making friends

Read more @ http://www.smh.com.au/world/china-gets-into-the-business-of-making-friends-20130524-2k6q3.html#ixzz2UTeO2Fht

People’s Republic of China’s Huawei a victim of its success

Read more @: http://www.chinadaily.com.cn/cndy/2013-05/25/content_16530834.htm &
http://wanderingchina.org/2013/05/26/huawei-a-victim-of-its-success-china-daily-risingchina-trade/

All for now from the Middle East…more to come as the world wakes to a new day…

Semper Fi,

謝謝

紅龍

What YOU Can Do About International Threats

Posted on by
4

Binary eye

With the addition of RedDragon Rising (@RedDragon1949) to the blog, we are now pushing forth a new stream of threat data and insights about the growing problem of international threats. Since we added that content to the site, many of you have written in or asked me on Twitter, what is it that YOU can do about these threats? I wanted to take a few minutes and expand on my responses.

First of all, you can remain aware and vigilant. Much of the information we post here isn’t directly actionable. It isn’t designed to be a roadmap of actions for you to take. It’s designed to be a continual source of data that slowly helps you see a clearer picture of the threat, the actors and their capability. It’s designed to keep you AWAKE. It’s custom made to help you understand your adversary. Knowledge is power and insight is key. We make this content to give you both!

Second, you can communicate the threat and knowledge to your management. This helps them remain aware. It also presents to them that you are monitoring the threats and keeping your eye on the rising tides, even as you help them steer the ship through safe waters. You can use this information to build rapport with them, to give them new insights into your decisions when you explain to them various risks and to help them understand the changing nature of the interconnected world.

You can use the information here as an impetus to get the basics of information security right. While there aren’t any panaceas to fight off the threat and there isn’t a single thing you can buy to make it better ~ we do know that focusing on the basics of infosec and getting them done efficiently, effectively and well is the best defense against a variety of threats. That said, consider doing a quick and dirty review of your security initiatives against our 80/20 Rule for Information Security. This is a set of simple projects that represent the basics of information security and map easily to other standards and baselines. Simply judging your maturity in these areas and following the roadmap to improvement will go a long way to getting the basics done right in your organization. 

Invest in detection and response. If your organization is doing the basics of prevention, that is you have hardening in place and are performing ongoing assessment and mitigation of your attack surfaces, then the next thing to do is invest in detection and response capabilities. Today, one of the largest advantages that attackers enjoy is the lack of visibility and effective response capabilities in our organizations. You should have some visibility into every segment and at every layer of your environment. You should be able to identify compromises in a timely manner and move to isolate, investigate and recover from any breaches LONG BEFORE they have become widespread and heavily leveraged against you. If you can’t do that today, make it your next major infosec goal. Need help?Ask us about it.

Lastly, share information with your peers. The bad guys are good at information sharing. They have excellent metrics. They openly share their experiences, successes, failures and new techniques. Much of crime and espionage (not all, but MUCH) is “open source” in nature. The cells of attackers free float in conglomerations of opportunity.  They barter with experience, tools, data and money. They share. The more we begin to share and emulate their “open source” approaches, the better off we can be at defending. If knowledge is power, more brains with more knowledge and experience equals MORE POWER. Be a part of the solution.

That’s it for now. Just remain calm, get better at the basics, improve your visibility and stay vigilant. As always, thanks  for reading State of Security and for choosing MicroSolved as your information security partner. We are striving to dig deeper, to think differently and to give you truly actionable intelligence and threat data that is personalized, relevant to your organization and meaningful. If you’d like to hear more about our approach and what it can mean for your organization, get in touch via Twitter (@lbhuston), email (info(at)microsolved/dot/com) or phone (614-351-1237 ext 250). 

Latests News from AusCERT 2013 & the People’s Republic of Hacking…

Posted on by
2

G’day from Gold Coast, Australia and AusCERT 2013!

The persistent nature about the People’s Republic of Hacking, er, umm, sorry, China, is ceaseless…

People’s Republic of China’s Huawei Vows Revenge On U.S. Competitors Who Drag Its Name Through The Mud

http://au.businessinsider.com/huawei-fighting-back-against-cisco-hp-and-dell-2013-5?

Hackers Find People’s Republic of China Is Land of Opportunity ** AWESOME ARTICLE **

http://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html?&pagewanted=all

Google hackers wanted intel on People’s Republic of Chinese spook monitoring

http://www.scmagazine.com.au/News/344069,google-hackers-wanted-intel-on-chinese-spook-monitoring.aspx?

Chinese hackers said to have accessed law enforcement targets
Cyber marauders sought more than just information on activists — they wanted access to FBI, DOJ investigations on spies in the U.S.

http://www.computerworld.com/s/article/9239440/Chinese_hackers_said_to_have_accessed_law_enforcement_targets?

3 N.Y.U. Scientists Accepted Bribes From People’s Republic of China, U.S. Says

http://www.nytimes.com/2013/05/21/nyregion/us-says-3-nyu-scientists-took-bribes-to-reveal-work-to-china.html?

All for now from Down Under…

Semper Fi,

紅龍

May’s Touchdown Task: Egress Audit

Posted on by
4

The touchdown task for May is a quick and dirty egress filtering audit. Take a look at your firewalls and make sure they are performing egress filtering (you do this, right? If not, make it happen now ~ it’s the single most effective defense against bot-nets). Once you know egress is in place, give a once over to the firewall rules that enforce it. Make sure they are effective at blocking arbitrary ports, outbound SSH, outbound VPN connections, etc. Verify that any exposed egress ports are to specific IPs or ranges. If you find any short comings, fix them.

Also take a look and make sure that violations of the firewall rules are being alerted on, so your team can investigate those alerts as potential infection sites. 

Lastly, check to make sure that you have egress controls for outbound web traffic. You should be using an egress proxy for all HTTP and HTTPS traffic. Yes, you should be terminating SSL and watching that traffic for signs of infection or exfiltration of sensitive data. Take a few moments and make sure you have visibility into the web traffic of your users. If not, take that as an immediate project. 

That’s it. This review should take a couple of hours or so to complete. But, the insights and security enhancements it can bring are HUGE. 

Until next month, thanks for reading and run for the goal line!

Most Recent Cyber Conflict Information ~ People’s Republic of China

Posted on by
3

Good day from AusCERT –

Here are some of the Most Recent Cyber Conflict Information ~ People’s Republic of China:

The People’s Republic of China’s culture of hacking cost the United States $873 million in 2011

http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/20/chinas-culture-of-hacking-cost-the-country-873-billion-in-2011/?

How The Great Firewall of China Shapes Chinese Surfing Habits

http://www.technologyreview.com/view/515056/how-the-great-firewall-of-china-shapes-chinese-surfing-habits/

Goldman exits China’s ICBC, seven years and billions later

http://uk.reuters.com/article/2013/05/21/uk-goldman-icbc-idUKBRE94K07120130521

Semper Fi,

Bill

Aaron Bedra on Building Security Culture

Posted on by
9

Our good friend, Aaron Bedra, posted a fantastic piece at the Braintree Blog this morning about building a security culture. I thought the piece was so well done that I wanted to share it with you.

Click here to go to the post.

The best part of the article, for me, was the content about finding creative ways to say yes. IMHO, all too often, infosec folks get caught up in saying no. We are the nay sayers, the paranoid brethren and the net cops. But, it doesn’t have to be that way. It might take a little (or even a LOT) of extra work, but in many cases ~ a yes is possible ~ IF you can work on it and negotiate to a win/win point with the stakeholders.

Take a few minutes and think about that. Think about how you might be able to get creative with controls, dig deeper into detection, build better isolation for risky processes or even make entirely new architectures to contain risk ~ even as you enable business in new ways.

In the future, this had better be the way we think about working with and protecting businesses. If not, we could find ourselves on the sideline, well outside of the mainstream (if you aren’t there already in some orgs). 

Great work Aaron and thanks for the insights.

Cyberattacks on Rise Against U.S. Corporations

Posted on by
2

See on Scoop.itChinese Cyber Code Conflict

Officials said the aim in a new wave of attacks was not espionage but sabotage, and that the source seemed to be in the Middle East.

Red-DragonRising‘s insight:

ICS-CERT issued this alert that cyber attacks are now trending towards sabaotage instead of cyber espionage…combine cyber jihaist activity, e.g.; Shamoon, with cyber criminality and you have a very potent and violatile mix   directly impacting and affecting both commercial enterprises and the United States critical infrastructure…

 

Standby to standby…

 

Semper Fi,

 

謝謝您

紅龍

See on www.nytimes.com

Top U.S. admiral, Chief of Naval Optimism (CNO), puts cyber security on the Navy’s radar | Reuters

Posted on by
1

See on Scoop.itChinese Cyber Code Conflict

SINGAPORE (Reuters) – Cyber security and warfare are on par with a credible nuclear deterrent in the defense priorities of the United States, the U.S.

Red-DragonRising‘s insight:

Wait a second…didn’t the US Navy CNO say the People’s Republic of China (中華人民共和國) was not a threat according to the defensetech report just a few days ago… "Chief of Naval Operations (CNO) Admiral Jonathan Greenert told the House Appropriations Defense Subcommittee yesterday that the Asia Pivot Policy is working and China’s Military is NOT a threat…" and that the United States shuodl send in the Marines…albeit on US Navy Amphibs…

 

Today, 13 MAY, the same US Navy General Officer and Chief of Naval Optimism (CNO)….say Chinese cyber espionage is a THREAT…can we please make up our minds…Admiral Greenert, hello?? LOL…

Semper Fi;

謝謝您

紅龍

See on uk.reuters.com