Gameframe Follow Up

This is a follow up to the original Gameframe scan post here. (Note: I have defanged the URLs; edit them manually if you copy and paste.)

Throughout the end of December, we saw just a few more probes in the public HITME that contained the Gameframe pattern. The ports shifted between port 80 and port 3128. The initial bursts of probes we observed were on port 3131, but they seem to now be occurring across the port spectrum.

The only host the public HITME caught these probes from was: 96.254.171.2 – WHOIS – US, Verizon

A Twitter user, (@benediktkr), also pointed out probes on port 8080 from a small batch of source IPs. He also observed the same source IP, which means the scanning is likely pretty wide, given that we have seen it from several of the HITME end points. 

Here is a quick dump of the log for the few we saw at the end of December (Output from a HoneyPoint plugin): 

2012-12-19 08:12:57|96.254.171.2|80|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n
2012-12-19 12:30:38|96.254.171.2|3128|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n
2012-12-28 12:46:42|96.254.171.2|3128|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n

We also picked up this probe, which is quite different from the others and interesting in its own right. Note that the source host is also different – this time 92.240.68.153 – WHOIS – Latvia

2012-12-27 10:29:27|92.240.68.153|80|GET hxxp://thumbs.ifood.tv/files/Salmonella_in_Vegetables.jpg HTTP/1.1 User-Agent: webcollage/1.135a Host: thumbs.ifood.tv headers HTTP/1.1\nUser-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.10\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n

It is likely that others are simply using the headers output of this page for other types of probes and scans, most likely to identify open proxies and alternate paths to avoid censorship, or to use in proxy chains to help hide their origins for other purposes.

If you run a black list of IPs as a part of your defense, or redirect bad IPs to a HoneyPoint, you should likely add these two sources to the list if you aren’t using the automated approach.
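To make the blocklist decision above repeatable, here is an added example (not part of the original post or of the HoneyPoint product) that parses records in the pipe-delimited layout the plugin output above uses, flags requests that treated the HoneyPoint as an HTTP proxy, singles out the gameframe.net/headers pattern, and tolerates the record that is missing its port separator. The record layout and the shortened sample lines are assumptions based on the dump above.

```python
"""Flag Gameframe-style open-proxy probes in HoneyPoint plugin log output.

Added example, not part of the original post or of the HoneyPoint product.
Record layout assumed from the dump above:
    YYYY-MM-DD HH:MM:SS|source_ip|port|payload
where the payload is the raw request with each newline written out as the
two characters backslash-n.
"""
import re
from collections import defaultdict

# Constructed sample records in the post's defanged (hxxp://) form, shortened to
# the headers that matter.  The third record deliberately lacks the '|' before
# GET, as one record in the post did, to show a tolerant parse.
SAMPLE_LOG = r"""
2012-12-19 08:12:57|96.254.171.2|80|GET hxxp://gameframe.net/headers HTTP/1.1\nHost: gameframe.net\nProxy-Connection: Keep-Alive\n\n
2012-12-19 12:30:38|96.254.171.2|3128|GET hxxp://gameframe.net/headers HTTP/1.1\nHost: gameframe.net\nProxy-Connection: Keep-Alive\n\n
2012-12-28 12:46:42|96.254.171.2|3128GET hxxp://gameframe.net/headers HTTP/1.1\nHost: gameframe.net\nProxy-Connection: Keep-Alive\n\n
2012-12-27 10:29:27|92.240.68.153|80|GET hxxp://thumbs.ifood.tv/files/Salmonella_in_Vegetables.jpg HTTP/1.1\nHost: thumbs.ifood.tv\nProxy-Connection: Keep-Alive\n\n
2012-12-27 11:02:13|10.20.30.40|80|GET /index.html HTTP/1.1\nHost: honeypoint.example\n\n
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\|"
    r"(?P<port>\d{1,5})\|?"                     # '|' optional: tolerate the malformed record
    r"(?P<payload>(?:GET|HEAD|POST|CONNECT) .*)$")


def parse_record(line):
    """Return a dict for one plugin record, or None if it does not match the layout."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["lines"] = rec["payload"].split(r"\n")   # literal backslash-n separators
    return rec


def is_open_proxy_probe(rec):
    """True when the client treated the HoneyPoint as an HTTP proxy: an absolute URI in
    the request line (http:// or the defanged hxxp://) or a Proxy-Connection header."""
    request_line = rec["lines"][0]
    absolute_uri = re.match(r"^[A-Z]+ h(?:tt|xx)ps?://", request_line) is not None
    proxy_header = any(h.lower().startswith("proxy-connection:") for h in rec["lines"])
    return absolute_uri or proxy_header


def is_gameframe_probe(rec):
    """The specific pattern seen above: a proxied GET for gameframe.net/headers."""
    return is_open_proxy_probe(rec) and "gameframe.net/headers" in rec["lines"][0]


def summarize(log_text):
    """Group proxy probes by source IP.  Returns (hits, malformed_count) where hits maps
    src -> {"ports": set, "gameframe": count, "other_proxy": count}."""
    hits = defaultdict(lambda: {"ports": set(), "gameframe": 0, "other_proxy": 0})
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            malformed += 1
            continue
        if is_gameframe_probe(rec):
            hits[rec["src"]]["gameframe"] += 1
        elif is_open_proxy_probe(rec):
            hits[rec["src"]]["other_proxy"] += 1
        else:
            continue                             # ordinary hit, not a proxy probe
        hits[rec["src"]]["ports"].add(rec["port"])
    return dict(hits), malformed


def blocklist_candidates(log_text):
    """Sources that used the HoneyPoint as an open proxy, as a sorted list."""
    hits, _ = summarize(log_text)
    return sorted(hits)
```

Running `summarize(SAMPLE_LOG)` groups the three gameframe.net hits under one source across ports 80 and 3128, files the Latvian request as a generic proxy probe, and leaves the plain GET / hit out of the blocklist.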

We will continue to observe these probes and let you know what else we see. Thanks for reading.

Watching the Watchers…

“Who watches the watchers?” is an often overheard question when we assess the information security program of clients. Way too often, the answer is either, “Huh?” or “No one, really.”. That’s a LOT of trust for an organization to place in an individual or small team.

At least in a small team, you hopefully have peers checking each other’s work. You do that right? You either rotate duties, have a peer review process or otherwise make sure that a second set of eyes from the team double checks critical work in a peer review methodology. That’s what mature teams do, and they do it both often and formally. This is a great control and an effective means to build cooperation between team members.

The problem gets harder when your security team (and/or IT team) is one person. Then it absolutely REQUIRES that someone, be it a manager, another department peer, an auditor or even a consultant checks their work periodically. After all, if they manage the servers, the firewall, the network, the intrusion detection and the logging, they essentially have complete control over the data and can do as they please without fear of getting caught. Now, that is not to say that folks in this role aren’t trustworthy. They usually are. The problem is that some are not and to further complicate the matter – it is often quite difficult to tell the difference between the honest and the dishonest humans. So, as we always say, “Trust, but verify…”. Implement an ongoing process for peer review, even if that peer is an auditor or consultant. Have them come in and double check the progress for this quarter. Ask them to spot check reports, logs and configurations. It’s not comprehensive, but it at least sends a message that someone is checking and just having someone checking different items often leads to interesting discoveries, usually not of a malicious nature, but often times something missed in the day to day.

How does your organization use peer review? What works and what hasn’t worked for you? Leave us a comment or drop us a line on Twitter (@lbhuston) and let us know.

Ensuring Security Team Coverage During the Holidays

Just a quick note to remind you that now is a good time to double check the on-call, vacation and coverage schedules for your infosec team members, all of the key members of your incident response team and the critical managers and department liaisons. It’s a good time to review and update your contact lists for these folks, to identify anyone who might be unavailable during the holidays, and to double check that you have a secondary contact for them.

While we certainly hope that your team doesn’t have to respond to an incident during the holidays, it is not unheard of. So, a few moments of careful attention now may save you some stress during an already stressful period.

Thanks for reading, have a great holiday season and stay safe out there!

What is HPSS? :: The Console

This article builds on the What is HPSS? series. The original overview article is here.

The HoneyPoint Security Server Console is the “brain” of the HoneyPoint product platform. It is the central component responsible for getting alert data from the sensors, tracking and maintaining the alert data, presenting it to the user and safely passing the essential alert data on to the automated plugins or other systems in the security event chain.


The Console is a GUI application that includes a built-in database engine for tracking Alert Data state and to empower reporting and analysis over time. Alert Data from the sensors is sent to the Console over TCP, and the data is encrypted. The Console application runs on Windows, Linux and OS X.


Once the Console receives Alert Data from the sensors, it parses it to validate that the data is good and checks to see what actions it should take based on the alerting configuration, assigned admins list, ignored hosts lists, and other trust rules in place. 

It then presents the alert data to the appropriate mechanisms: alerting users and passing the desired elements of the alert data to syslog/event log on the Console system for upstream processing by SIEMs or other event tools. The Console also passes certain event data, as determined by the configuration, into the “plugins mechanism”.


The plugins then execute the desired operations on the data, easily allowing the security team to further extend reporting to custom event handlers or perform automated responses. This flexible solution empowers the security team to integrate HoneyPoint Security Server fully into whatever technology platform/response process they desire or have in place.


Reporting from the Console is very simple. The included reporting engine can create a wide variety of canned reports in either CSV or HTML format, ensuring that the data in the HoneyPoint system is easy to use. Additionally, other reporting tools like Crystal Reports or the like, or even languages like Perl, Python or Ruby, can easily attach to the Console database to create whatever types of custom reports you desire.


All in all, HoneyPoint Security Server was designed to make it easy to use and yet flexible enough for the most demanding and mature infosec teams. The console interface is friendly, functional and easily understandable. Most teams require less than a 30 minute walk through before they are off and running with the basic detection power HoneyPoint provides. When they get comfortable with the system, they quickly master the plugins meta-language and are soon automating large groups of detection and response tasks.


To learn more about HoneyPoint Security Server or to get a demo, please contact us. We would be happy to walk you through the product and discuss how it might fit into your environment. There is even a free for personal use “Community Edition” available to get you started or to let you experience the power, ease and flexibility of the platform yourself. Just give us a call to learn more about HoneyPoint Security Server Console. You’ll be glad you did! 


What is this HoneyPoint Thing Anyway?

Launched in 2006, initially as a distributed honey pot product, HoneyPoint Security Server (HPSS) has grown well beyond the initial concept. Today HPSS is a platform of components woven into a tightly integrated, fully capable, extremely flexible threat detection product. Organizations around the world are using it as a means of early detection of internal and external attackers, malware outbreaks and signs of users poking around where they shouldn’t be. Mature organizations have leveraged the product as a means of deterring attacks through automated black holing of scanning hosts on their perimeter, embedding detective controls inside their web applications to cut off users violating their terms of service, and gathering real world threat metrics to feed back into their mature risk management initiatives.


In the world of ICS/SCADA, HoneyPoint has found a quickly growing set of fans. HPSS can be deployed in a completely passive way that has no chance of interfering with critical operations, yet still brings incredible detection capability and vision into even the most sensitive of networks. ICS/SCADA environments have traditionally embraced the honeypot ideal, coining the term “canary” for these tools, but never before have they had such an easy to use, distributable, centrally monitored honeypot capability like HoneyPoint brings to the table.


Over the next few months, we will be deep diving into each of the HPSS components, but for now, as a high-level overview, here is a quick and dirty explanation of each of them:


  • HPSS Console – This is the central “brain” of the product. Designed as an easy to use GUI application, it receives the alerts detected by the sensor components and presents them to the user for analysis. It includes the “plugin” capability which allows for additional reporting and security automation based on the event data detected. The Console provides for “point and click” easy integration with SIEM products for clients who have deeper back-end data aggregation systems in place.
  • HoneyPoint Agent – This is the original HoneyPoint detection capability. Agent creates “fake services” on the network that have no real use other than detection. Since the services aren’t real, any interaction with them is “suspicious at best and malicious at worst”. Agent is capable of emulating a great variety of services and is completely user configurable. Agent runs on Windows, Linux and OS X. 
  • Wasp – Wasp is HoneyPoint’s hybrid client for Windows systems. It offers many of the port dilation features of Agent, but layers on top of that a whitelisting detection mechanism, file change detection for key files and some simple heuristics to identify the most common signs of intrusion. Tiny footprint, immense flexibility, self tuning whitelisting and no interference with operations make it an excellent choice for critical infrastructure use.
  • HoneyPoint Web – This is a completely emulated web environment with a mock up of applications that the organization uses. The entire environment is “fake” and studded with detection mechanisms that capture and measure attacker behavior, intent and capability. It might seem to be a new version of a banking application “accidentally” exposed to the Internet, or a replica of an HMI or maybe a login portal for Sharepoint/VPN or some other mechanism. What it really is is a detection mechanism for the good guys. Completely customized, able to detect the difference between a human attacker and most malware, it offers organizations a deeper, sneakier way to detect illicit behavior and measure the attacker attention various attack surfaces receive.
  • HoneyElements – Embeddable HTML and Javascript objects that can be added to new or existing real web applications, these HoneyPoints extend detection into the layers of the application itself. Integrates well with automated response and attacker black holing defenses to stop attackers and those engaging in undesired behaviors in real time.
  • HoneyBees – These work with Agent to simulate users authenticating to emulated services with plain text credentials. Organizations use this combination of tools to detect sniffing attacks and other attempts to harvest credentials off the wire or from network monitoring systems. 
  • HoneyPoint Trojans – Trojans are “fake” documents, applications or archives that appear to be real, but are actually detection mechanisms. For example, they might appear to be a PDF of some acquisition plans, while in reality they are armed with code to alert the security team when they have been opened or tampered with. Trojans use many of the same tactics as attackers, but instead of infection as a goal, they provide for detection and alerting.
  • HoneyPoint Handler – The Handler is a mechanism for getting external events into the HoneyPoint data ecosystem. Organizations often use the handler to receive events generated by custom nuance detection scripts. For example, a script might routinely check for new files in a directory or new files that contain the call base64decode(). When the script identifies a new file, the script can send an alert to the Handler, which will create a standard HoneyPoint alert from the script’s data and send it to the Console for easy and standardized security event management.
  • HoneyPoint Decoy Appliances – This is a set of hardened Linux powered devices that serve as an appliance for other components, usually Agent and Web. The appliances are available in three physical form factors (a rack mountable server, a mini-desktop, and a field deployable power substation solid state system) and/or a set of virtual appliances for most common virtualization platforms.
  • HoneyPoint Proxy – Lastly, this component is designed to act as an alerting data aggregator to simplify firewall ACLs that might be deployed between DMZ segments, enclaves or other network segments. The proxy can receive events from HoneyPoints and send them on to the Console without the need to expose the Console to each individual HoneyPoint. This makes managing global and highly distributed deployments significantly easier.


To learn more about these components and how they can be leveraged to give your organization new, flexible and deep detection capabilities, give us a call. Our engineers would be glad to discuss the technical capabilities and an account executive would be happy to work with you to create a HoneyPoint deployment that meets your needs AND your budget. At MicroSolved, we are passionate about information security and HoneyPoint Security Server is just another way that it shows!

Ask The Experts: Getting Started with Web App Security

Question from a  reader: What should I be paying attention to the most with regards to web applications? My organization has a number of Internet facing web applications, but I don’t even know where to start to understand what the risks and exposures might be.

Adam Hostetler responds:

The first thing I would do is to identify what the applications are. Are they in house developed applications, or are they something like WordPress or another framework? What kind of information do they store (email addresses, PII, etc)? If they are in house or vendor applications, have they been assessed before? With a little knowledge of the applications, you can start building an understanding of what the risks might be. A great resource for web application risks is the OWASP project. https://www.owasp.org

Phil Grimes adds:

When it comes to web applications, I always promote a philosophy that I was raised on and continue to pound into my kids’ heads today: Trust but verify. When an organization launches an internet facing application there is an immediate loss of control on some level. The organization doesn’t know that the users accessing the application are who they say they are, or that their intentions are “normal”. Sure, most people who encounter the app will either use it as intended or, if they access the app inadvertently, they may just mosey on about their merry way. But when a user starts poking around the application, we have to rely on the development team to have secured the application. Making sure identity management is handled properly will help us ensure our users are who they say they are, and validating all data that a user might pass to the application becomes an integral part of security to ensure possible attacks are recognized and thwarted.

John Davis comments:

I would say that the most important thing is to ensure that your Internet facing web applications are coded securely. For some time now, exploiting coding weaknesses in web applications has been one of the leading attack vectors exploited by cyber criminals to compromise computer networks. For example, poor coding can allow attackers to perform code injection and cross site scripting attacks against your applications. The Open Web Application Security Project (OWASP), which is accessible on the Internet, is a good place to learn more about secure web application coding techniques. Their website contains lots of free tools and information that will help your organization in this process. There are also professional information security organizations (such as MicroSolved) that can provide your organization with comprehensive application security assessments.

As always, thanks for reading and let us know if you have questions for the experts.

HoneyPoint HoneyBees Help Catch Sniffers


HoneyPoint has a component called a HoneyBee that can help organizations detect sniffing on their networks. The tool works like this:

  • HoneyBees are configured to talk to HoneyPoint Agents with a set of known credentials for an Agent emulated service
  • HoneyPoint Agent knows where the HoneyBees will be connecting from and those hosts are added to the local ignore list for that Agent
  • HoneyBees randomly create emulated “conversations” with HoneyPoint Agent in plain text, transmitting their credentials across the network for sniffers to pick up
  • The attacker or sniffing malware grabs the credentials through their sniffed traffic
  • The attacker or malware attempts to use those same credentials to authenticate to the HoneyPoint Agent
  • HoneyPoint Agent flags the authentication attempt as tampered traffic and alerts the security team to take action
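The six steps above, worked through as an added simulation (not MicroSolved’s code; the decoy credentials, addresses and alert fields are constructed): an Agent that knows its HoneyBee hosts and the plain-text credentials they send stays quiet for the scripted conversation, raises a generic alert for any other authentication attempt against the fake service, and raises a critical "tampered traffic" alert when the decoy pair is replayed from a host that could only have learned it off the wire.

```python
"""Simulate HoneyBee / HoneyPoint Agent sniffer detection.

Added example, not MicroSolved's code.  All hosts, credentials and alert
fields are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    src_ip: str
    username: str
    password: str


@dataclass
class HoneyPointAgent:
    """An emulated service with no real users.  It knows which hosts run HoneyBees
    (the ignore list) and which decoy credentials those HoneyBees transmit."""
    decoy_creds: dict                    # username -> password sent in clear text
    ignore_list: set                     # source IPs of the HoneyBees themselves
    alerts: list = field(default_factory=list)

    def handle(self, attempt):
        """Return the alert raised for this attempt, or None for HoneyBee traffic."""
        if attempt.src_ip in self.ignore_list:
            return None                  # the scripted HoneyBee conversation itself
        if self.decoy_creds.get(attempt.username) == attempt.password:
            # Only a HoneyBee should know this pair: it was captured off the wire.
            alert = {"severity": "critical", "src": attempt.src_ip,
                     "user": attempt.username,
                     "reason": "replay of sniffed HoneyBee credentials (tampered traffic)"}
        else:
            # Any other interaction with a fake service is still worth an alert.
            alert = {"severity": "high", "src": attempt.src_ip,
                     "user": attempt.username,
                     "reason": "authentication attempt against emulated service"}
        self.alerts.append(alert)
        return alert


def run_scenario():
    """Constructed scenario: a HoneyBee talks to the Agent, a sniffer on the same
    segment captures the pair, then a different host replays it and also guesses."""
    agent = HoneyPointAgent(decoy_creds={"svc_backup": "Winter2012!"},
                            ignore_list={"10.1.1.50"})
    wire = []                                       # what a sniffer on the segment sees

    def honeybee_conversation():
        bee = LoginAttempt("10.1.1.50", "svc_backup", "Winter2012!")
        wire.append((bee.username, bee.password))   # plain text on the wire
        return agent.handle(bee)

    bee_result = honeybee_conversation()            # ignored host: no alert
    sniffed_user, sniffed_pass = wire[-1]
    replay = agent.handle(LoginAttempt("10.1.1.99", sniffed_user, sniffed_pass))
    guess = agent.handle(LoginAttempt("10.1.1.99", "admin", "admin"))
    return bee_result, replay, guess, agent.alerts


if __name__ == "__main__":
    for alert in run_scenario()[3]:
        print(alert["severity"], alert["src"], alert["reason"])
```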

By properly configuring the setup, this approach makes for a very effective tool to catch sniffing malware and attackers. Backing the credentials up with other detection mechanisms, such as in web applications and on AD forests can extend the approach even further. Our team has helped organizations stand up these kinds of nuance detection schemes across a variety of platforms. 

Even though the approach seems quite simple, it has proven to be quite adept at catching a variety of attacks. Customers continue to tell us that HoneyBees working with HoneyPoint Agent have been key indicators of compromise that have led them to otherwise undetected compromises.

HoneyBees are just another example of some of the ways that people are using the incredible flexibility of HoneyPoint to do nuance detection more easily than ever before. Gaining vision where they never had it has paid off, and HoneyPoint’s ability to turn vision into intelligence has proven itself over and over again.

To discuss HoneyPoint, HoneyBees or other forms of nuance detection, get in touch with MicroSolved. We would be happy to discuss how we can help your organization get more vision all around your enterprise.

Reminder: Today is #CMHSecLunch

Reminder – It’s TODAY 11:30 to 1pm.

We wanted to take a moment and send out a special announcement to our Columbus, Ohio area readers. Brent Huston is pulling together a monthly casual event for IT and InfoSec focused folks in our area. He posted this a few days ago to Twitter (@lbhuston):

#CMHSecLunch 1st attempt – Monday, Nov 12, 11:30 -1pm at Tuttle Mall food court. Informal lunch gathering of infosec geeks. Be There!

We invite all of our local readers to attend. Just have a casual lunch with infosec friends and great conversations. No sign up, no membership fees, no hassle, no fuss. If you can make it, cool, if not, also cool. So, if you have time, drop in and break bread. We hope to see you there.

Let us know on Twitter or in the comments if you have feedback. 

Tool Review: Synalyze It! Pro for OS X

Rounding out this week with another tool review for the Mac under OS X. Earlier this week, we reviewed our favorite disassembler, Hopper for OS X. Synalyze It! Pro is another invaluable tool that we depend on. This tool is a hex editor with some very useful features in the GUI. Namely, it lets you “lasso” different bits of text and highlight them in different colors. While this might sound basic, it is amazingly useful for performing reverse engineering of protocols and other deep-level analysis tasks of textual data.

Recently, we have been doing quite a bit of protocol testing in the lab and this tool has proven itself again and again as invaluable. My favorite feature of the tool is available by highlighting some piece of data and right clicking to bring up a menu, then selecting “compare code pages”. This brings up a window in which the highlighted data is run through a bunch of encoding/decoding schemes and presented to you both as ASCII and as hex. This makes reversing simple encoding on text as easy as pie and as quick as swatting a fly. In my recent protocol work, this was a feature I used over and over again to identify various components of the data stream and figure out how each was encoded as a part of a bigger puzzle.

Another feature we have come to love is the “Show Checksums” feature. This feature displays a wide variety of checksums for the data that is highlighted and updates the checksums in realtime. This makes it pretty easy to figure out if different fields are included in the protocol’s checksum activities and leads to faster, cleaner reversing. However, I do have a couple of things I would like to see as future features for this capability. For one, I would like to see additional checksum mechanisms added and perhaps even an interface for creating your own checksum scripts or equations. Additionally, I would really like it if you could get realtime updates, but with a mechanism for selecting multiple data elements and not just single strings. I really thought this would work, but could not seem to get selections to “stick” so that I could add multiples.
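The question “Show Checksums” helps answer, which bytes the protocol’s checksum actually covers, can also be brute-forced from a capture. This added example (not part of the review or of Synalyze It!) tries several checksum algorithms over every contiguous byte range of a constructed frame and reports the ranges that reproduce the observed checksum field; the frame layout, its CRC-16/CCITT choice and the uncovered end-of-frame byte are assumptions made for the illustration.

```python
"""Find which bytes of a captured message a protocol checksum covers.

Added example, not part of the review or of Synalyze It!; the message layout
and values are constructed for illustration.
"""
import zlib


def sum8(b):
    return sum(b) & 0xFF


def xor8(b):
    x = 0
    for v in b:
        x ^= v
    return x


def sum16(b):
    return sum(b) & 0xFFFF


def crc16_ccitt(b):
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no xorout."""
    crc = 0xFFFF
    for v in b:
        crc ^= v << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def crc32(b):
    return zlib.crc32(b) & 0xFFFFFFFF


# name -> (function, field width in bytes)
ALGORITHMS = {"sum8": (sum8, 1), "xor8": (xor8, 1), "sum16": (sum16, 2),
              "crc16-ccitt": (crc16_ccitt, 2), "crc32": (crc32, 4)}


def find_checksum_coverage(msg, field_offset, field_len, endian="big"):
    """Try every algorithm of the field's width over every contiguous byte range
    that does not overlap the checksum field.  Returns (name, start, end) tuples,
    end exclusive; a real protocol usually yields one long, plausible range."""
    observed = int.from_bytes(msg[field_offset:field_offset + field_len], endian)
    matches = []
    for name, (fn, width) in ALGORITHMS.items():
        if width != field_len:
            continue
        for start in range(len(msg)):
            for end in range(start + 1, len(msg) + 1):
                if start < field_offset + field_len and end > field_offset:
                    continue             # range would include the checksum itself
                if fn(msg[start:end]) == observed:
                    matches.append((name, start, end))
    return matches


def build_sample():
    """Constructed frame: type, length, 16-bit sequence, 'HELLO', CRC-16 over all
    preceding bytes, then an end-of-frame byte that is NOT covered."""
    body = bytes([0x02, 0x0C, 0x00, 0x07]) + b"HELLO"
    return body + crc16_ccitt(body).to_bytes(2, "big") + b"\x03"


if __name__ == "__main__":
    frame = build_sample()
    print(frame.hex())
    for name, start, end in find_checksum_coverage(frame, 9, 2):
        print(f"{name} over bytes [{start}:{end}) reproduces the field")
```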

The real power of the tool is in the creation of the “grammar files”. This is an easy to use, intuitive and powerful mechanism for reversing. I still need to practice a bit more with the grammar definition mechanisms, but I can see where this will grow the product’s usefulness rapidly. The grammar definition could lend itself to a better toolbox in the GUI. It might be easier for beginners to learn to master this capability if a set of quick and easy tools were easily available without a bunch of menu navigation. However, the feature is still excellent and the tool remains a very powerful addition to our toolbox.

The link to the App Store has a variety of screenshots of the product if you want to check it out. The product retails for $25 in the App Store and a non-Pro version is available for $5 – however, note that it lacks many features of the Pro version that make it such a useful tool. 

PS – MSI has no affiliation or relationship with the product and/or the developers. 

CMHSecLunch Announcement

We wanted to take a moment and send out a special announcement to our Columbus, Ohio area readers. Brent Huston is pulling together a monthly casual event for IT and InfoSec focused folks in our area. He posted this a few days ago to Twitter (@lbhuston):

#CMHSecLunch 1st attempt – Monday, Nov 12, 11:30 -1pm at Tuttle Mall food court. Informal lunch gathering of infosec geeks. Be There!

We invite all of our local readers to attend. Just have a casual lunch with infosec friends and great conversations. No sign up, no membership fees, no hassle, no fuss. If you can make it, cool, if not, also cool. So, if you have time, drop in and break bread. We hope to see you there.

Let us know on Twitter or in the comments if you have feedback.