Category Archives: General InfoSec

Ask The Experts: Favorite Tools

Posted on by
4

This question came in via Twitter:
“Hey Security Experts, what are your favorite 3 information security tools?” –@614techteam

John Davis responds:

I’m in the risk management area of information security; I don’t know enough about technical information security tools to give an informed opinion about them. However, my favorite information security ‘tool’ is the Consensus Audit Group’s Twenty Critical Security Controls for Effective Cyber Defense (which is very similar to MicroSolved’s own 80/20 Rule of Information Security). The ‘CAG’ as I call it gives me as a risk manager clearer, more proactive, and detailed information security guidance than any of the other standards such as the ISO or NIST. If you’re not familiar with it, you can find it on the SANS website. I highly recommend it, even (and especially) to technical IT personnel. It’s not terribly long and you’ll be surprised how much you get out of it.

Adam Hostetler adds:

I’ll do some that aren’t focused on “hacking”

OSSEC – Monitor all the logs. Use it as a SIEM, or use it as an IPS (or
any other number of ways). Easy to write rules for, very scalable and
it’s free.
Truecrypt – Encrypt your entire hard drive, partition, or just make an
encrypted “container” to hold files. Again, it’s free, but don’t be
afraid to donate.
OCLhashcat-plus – Chews through password hashes, cracking with GPU
accelerated speed. Dictionary based attacks, and also has a powerful
rule set to go after non-dictionary based passwords.

And Phil Grimes wrote:

NMap is probably one of my favorite tools of all time. It’s veristile and very good at what it does. Using some of the available scripts have also proven to be more than useful in the field.

NetCat – This tool is extremely well rounded. Some of my favorite features include tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel. While NMap is my go to port scanner, there is built-in port-scanning capabilities, with randomizer, and dvanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data. 

Wireshark – Sharking the wires is one of my favorite things to do. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need.

What’s your favorite tool? Let us know in the comments or via Twitter (@lbhuston). Thanks for reading! 

OWASP Talk Scheduled for Sept 13 in Columbus

Posted on by
2

I have finally announced my Columbus OWASP topic for the 13th of September (Thursday). I hope it turns out to be one of the most fun talks I have given in a long while. I am really excited about the chance to discuss some of this in public. Here’s the abstract:

Hey, You Broke My Web Thingee! :: Adventures in Tampering with Production

Abstract:
The speaker will tell a few real world stories about practical uses of his defensive fuzzing techniques in production web applications. Examples of fighting with things that go bump in the web to lower deployment costs, unexpected application errors and illicit behavior will be explained in some detail. Not for the “play by the book” web team, these techniques touch on unconventional approaches to defending web applications against common (and not so common) forms of waste, fraud and abuse. If the “new Web” is a thinking admin’s game, unconventional wisdom from the trenches might just be the game changer you need.

You can find out more about attending here. Hope to see you in the crowd!

PS – I’ll be sharing the stage with Jim Manico from White Hat Security, who is always completely awesome. So, come out and engage with us!

See you at the Central Ohio BBB Torch Awards

Posted on by
1

Today, our team will be pleased to accept the BBB Center for Character Ethics’ Torch Award! We first announced our selection by the committee back in June, and today we are thrilled to spend an afternoon with the fellow winners, our customers, our families and the Central Ohio Community. We are greatly humbled and excited by our selection for the award and we look forward to continuing to live by the same organizational ethics and dedication to customer service in the coming years.

Special thanks today to our families and mentors who taught us to “do the right thing, even when no one is looking” and to all of the customers and clients that have placed their faith in us over the last (soon to be) 20 years. Without all of you, none of this would be possible.

If you can join us for the luncheon today, we look forward to seeing you. If you can’t, we understand, and we’ll be back to work later today, once again laser focused on protecting you and our critical infrastructure. (We’re still leaving the ISOC in capable hands while we gather for the ceremony… :))

As always, thanks so much for reading and for supporting MicroSolved. We love helping you keep your business, your business… 🙂

[UPDATE] – Much love and thanks to those who attended. What a great event! The best part was meeting the young students who wrote essays about ethics, leadership and engagement. Congrats to all of the winners!

20120906-141351.jpg

20120906-141441.jpg

Quick & Dirty Plan for Critical Infrastructure Security Improvement

Posted on by
5

J0202190

I was recently engaged with some critical infrastructure experts on Twitter. We were discussing a quick and dirty set of basic tasks that could be used an approach methodology for helping better secure the power grid and other utilities.

There was a significant discussion and many views were exchanged. A lot of good points were made over the course of the next day or so.

Later, I was asked by a couple of folks in the power industry to share my top 10 list in a more concise and easy to use manner. So, per their request, here it is:

@LBHuston’s Top 10 Project List to Help Increase Critical Infrastructure “Cyber” Security

1. Identify the assets that critical infrastructure organizations have in play and map them for architecture, data flow and attack surfaces

2. Undertake an initiative to eliminate “low hanging fruit” vulnerabilities in these assets (fix out of date software/firmware, default configurations, default credentials, turn on crypto if available, etc.)

3. Identify attack surfaces that require more than basic hardening to minimize or mitigate vulnerabilities

4. Undertake a deeper hardening initiative against these surfaces where feasible

5. Catalog the surfaces that can’t be hardened effectively and perform fail state analysis and threat modeling for those surfaces

6. Implement detective controls to identify fail state conditions and threat actor campaigns against those surfaces

7. Train an incident investigation and response team to act when anomalous behaviors are detected

8. Socialize the changes in your organization and into the industry (including regulators)

9. Implement an ongoing lessons learned feedback loop that includes peer and regulator knowledge sharing

10. Improve entire process organically through iteration

The outcome would be a significant organic improvement of the safety, security and trust of our critical infrastructures. I know some of the steps are hard. I know some of them are expensive. I know we need to work on them, and we better do it SOON. You know all of that too. The question is – when will WE (as in society) demand that it be done? That’s the 7 billion people question, isn’t it?

Got additional items? Wanna discuss some of the projects? Drop me a line in the comments, give me a call at (614) 351-1237 or tweet with me (@lbhuston). Thanks for reading and until next time, stay safe out there!

PS – Special thanks to @chrisjager for supporting me in the discussion and for helping me get to a coherent top 10 list. Follow him on Twitter, because he rocks!

Terminal Services Attack Reductions Redux

Posted on by
3

Last week, we published a post about the high frequency of probes, scans and attacks against exposed Windows Terminal Services from the Internet. Many folks commented on Twitter to me about some of the things that can be done to minimize the risk of these exposures. As we indicated in the previous post, the best suggestions are to eliminate them altogether by placing Terminal Services exposures behind VPN connections or through the implementation of tokens/multi-factor authentication. 

Another idea is to implement specific firewall rules that block access to all but a specific set of IP addresses (such as the home IP address range of your admins or that of a specific jump host, etc.) This can go a long way to minimizing the frequency of interaction with the attack surfaces by random attacker tools, probes and scans. It also raises the bar slightly for more focused attackers by forcing them to target specific systems (where you can deploy increased monitoring).

In addition, a new tool for auditing the configuration of Terminal Services implementations came to our attention. This tool, called “rdp-sec-check”, was written by Portcullis Security and is available to the public. Our testing of the tool showed it to be quite useful in determining the configuration of exposed Terminal Services and in creating a path for hardening them wherever deployed. (Keep in mind, it is likely useful to harden the Terminal Services implementations internally to critical systems as well…)

Note that we particularly loved that the tool could be used REMOTELY. This makes it useful to audit multiple customer implementations, as well as to check RDP exposures during penetration testing engagements. 

Thanks to Portcullis for making this tool available. Hopefully between this tool to harden your deployments and our advice to minimize the exposures, we can all drive down some of the compromises and breaches that result from poor RDP implementations.

If you would like to create some threat metrics for what port 3389 Terminal Services exposures might look like for your organization, get in touch and we can discuss either metrics from the HITME or how to use HoneyPoint to gather such metrics for yourself

PS – Special thanks to @SecRunner for pointing out that many cloud hosting providers make Terminal Server available with default configurations when provisioning cloud systems in an ad-hoc manner. This is likely a HUGE cause for concern and may be what is keeping scans and probes for 3389/TCP so active, particularly amongst cloud-hosted HITME end points.

PSS – We also thought you might enjoy seeing a sample of the videos that show entry level attackers exactly how to crack weak passwords via Terminal Services using tools easily available on the Internet. These kinds of videos are common for low hanging fruit attack vectors. This video was randomly pulled from the Twitter stream with a search. We did not make it and are not responsible for its content. It may not be safe for work (NSFW), depending on your organization’s policies. 

 

Yandex.ru Indexing Crawler Issues

Posted on by
3

The yandex.ru crawler is an indexing application that spiders hosts and puts the results into the yandex.ru search engine. Like Google, Bing and other search engines, the system searches out new contents on the web continually and adds the content to the search engine database. Usually, these types of activities cause little issues for those whose sites are being indexed, and in fact, over the years an etiquette system based on rules placed in the robots.txt file of a web site has emerged.

Robots.txt files provide a rule set for search engine behaviors. They indicate what areas of a site a crawler may index and what sections of the site are to be avoided. Usually this is used to protect overly dynamic areas of the site where a crawler could encounter a variety of problems or inputs that can have either bandwidth or application issues for either the crawler, the web host or both. 

Sadly, many web crawlers and index bots do not honor the rules of robots.txt. Nor do attackers who are indexing your site for a variety of attack reasons. Given the impacts that some of these indexing tools can have on bandwidth, CPU use or database connectivity, other options for blocking them are sometimes sought. In particular, there are a lot of complaints about yandex.ru and their aggressive parsing, application interaction and deep site inspection techniques. They clearly have been identified as a search engine that does not seem to respect the honor system of robots.txt. A Google search for “yandex.ru ignores robots.txt” will show you a wide variety of complaints.

In our monitoring of the HITME traffic, we have observed many deep crawls by yandex.ru from a variety of IP ranges. In the majority of them, they either never requested the robots.txt file at all, or they simply ignored the contents of the file altogether. In fact, some of our HITME web applications have experienced the same high traffic cost concerns that other parts of the web community have been complaining about. In a couple of cases, the cost for supporting the scans of yandex.ru represent some 30+% of the total web traffic observed by the HITME end point. From our standpoint, that’s a pain in the pocketbook and in our attention span, to continually parse their alert traffic out of our metrics.

Techniques for blocking yandex.ru more forcibly than robots.txt have emerged. You can learn about some of them by searching “blocking yandex.ru”. The easiest and what has proven to be an effective way, is to use .htaccess rules. We’ve also had some more modest success with forcibly returning redirects to requests with known url parameters associated with yandex.ru, along with some level of success by blocking specific IPs associated with them via an ignore rule in HoneyPoint.

If you are battling yandex.ru crawling and want to get some additional help, drop us a comment or get in touch via Twitter (@lbhuston, @microsolved). You can also give an account representative a call to arrange for a more technical discussion. We hope this post helps some folks who are suffering increased bandwidth use or problems with their sites/apps due to this and other indexing crawler issues. Until next time, stay safe out there!

Exposed Terminal Services Remains High Frequency Threat

Posted on by
4

GlobalDisplay Orig

Quickly reviewing the HITME data gathered from our global deployment of HoneyPoint continues to show that exposed Terminal Services (RDP) on port 3389 remains a high frequency threat. In terms of general contact with the attack surface of an exposed Terminal Server connection, direct probes and attacker interaction is seen on an average approximately two times per hour. Given that metric, an organization who is using exposed Terminal Services for remote access or management/support, may be experiencing upwards of 48 attacks per day against their exposed remote access tool. In many cases, when we conduct penetration testing of organizations using Terminal Services in this manner, remote compromise of that service is found to lead to high levels of access to the organization’s data, if not complete control of their systems.

Many organizations continue to use Terminal Services without tokens or VPN technologies in play. These organizations are usually solely dependent on the security of login/password combinations (which history shows to be a critical mistake) and the overall security of the Terminal Services code (which despite a few critical issues, has a pretty fair record given its wide usage and intense scrutiny over the last decade). Clearly, deploying remote access and remote management tools is greatly preferred behind VPN implementations or other forms of access control. Additionally, upping Terminal Services authentication controls by requiring tokens or certificates is also highly suggested. Removing port 3389 exposures to the Internet will go a long way to increasing the security of organizations dependent on RDP technology.

If you would like to discuss the metrics around port 3389 attacks in more detail, drop us a line or reach out on Twitter (@microsolved). You can also see some real time metrics gathered from the HITME by following @honeypoint on Twitter. You’ll see lots of 3389 scan and probe sources in the data stream.

Thanks for reading and until next time, stay safe out there!

Raising Your Security Vision

Posted on by
4

 

 

 

 

 

 

If your security program is still focused on patching, responding to vulnerability scans and mitigating the monthly churn of product updates/hotfixes and the like, then you need to change.

Sure, patching is important, but that should truly NOT be the focus of your information security initiative.

Today, organizations need to raise their vision. They need to be moving to automate as much of prevention and baseline processes of detection, as possible. They need to be focused on doing the basics better. Hardening, nuance detection, incident investigation/isolation/mitigation — these are the things they should be getting better at. 
 
Their increased vision and maturity should let them move away from vulnerability-focused security and instead, concentrate their efforts on managing risk. They need to know where their assets are, what controls are in place and what can be done to mitigate issues quickly. They also should gain detection capability where needed and know how to respond when something bad happens. 
 
Check out tools like our 80/20 Rule for Information Security for tips on how to get there. Feel free to reach out and engage us in discussion as well. (@lbhuston) We would be happy to set up a call with our security experts to discuss your particular needs and how we can help you get farther faster.
 
As always, thanks for reading and stay safe out there!

Don’t Freak Out, It’s Only Defcon

Posted on by
4

It’s that time of year again. The time of year when the hype cycle gets its yearly injection of fear and hysteria from overheated, overstimulated, dehydrated journalists baking in the Las Vegas summer heat. It happens every year around this time, the journalists and bloggers flock to the desert to hear stories of emerging hacks, security researcher data, marketing spin and a ton of first person encounters with party goers and the followers of the chaos that has become Defcon.

It is, after all, one of the largest, oldest and most attended events in the hacker community. It mixes technology, business, hacking, marketing, drinking, oddity and a sprinkle of carnival into an extreme-flavored cocktail fed to the public in a biggie-sized martini glass that could only be made in the playground that is Las Vegas.

There are a ton of legitimate researchers there, to be sure. There are an army of folks who represent a large part of the core of the infosec hacker world brain trust. They will be consistently demonstrating their points throughout the events of BlackHat and Defcon. You can tell them apart from the crowd and scene mongers by the rational approaches they take. You can find them throughout the year, presenting, writing, coding and educating the world on information security, risk and other relevant topics. Extending from them, you can also find all of the extremes that such events attract. These are the “hackers” with green hair, destroying casino equipment, throwing dye and shampoo into the fountains, breaking glass in the pool and otherwise acting as if they have never been to outside of the jungle before. These are the ones that the journalists LOVE to talk about. Extreme views within the community, the irrational party goer who offers a single tech tidbit along with a smorgasbord of rhetoric. These interviews spin up the hype cycle. These interviews sell subscriptions, papers and advertising. Sadly, they also represent a tiny percentage of the truth and value of the gatherings in Vegas.
 
Over the next week or so, you’ll see many stories aimed at telling you how weak the security is on everything from hotel door locks to the power grid. The press will spin up a bunch of hype about the latest hacks, zero day exploits and other fearsome “cyber stuff”. Then, when the conference is over and the journalists and circus leave Las Vegas, everyone will come back and have to continue to make the same rational, risk based decisions about what to do about this issue and that issue. 
 
I mention this, not to disparage the events in Vegas or the participants. I think the world of them and call many my personal friends and partners. However, I do want to prep folks for the press cycle ahead. Take the over the top stories and breathless zero-day announcements in the coming weeks with a grain of salt. Disregard the tales of drunken hackers menacing Vegas hotels, changing signs and doing social engineering attacks in front of audiences as human interest stories. They are good for amusement and awareness, maybe even at piquing the interest of line management folks to get a first hand view, but they are NOT really useful as a lens for viewing your organization’s risk or the steps you should be taking to protect your data. Instead, stick to the basics. Do them well. Stay aware, but rational when the hype cycle spins up and hacks of all sorts are on the front page of papers and running as headlines at the bottom of TV screen news channels. Rational responses and analysis are your best defense against whatever comes out of the hacker gathering in the desert, or wherever they happen to meet up in the future.
 
Until next time, stay safe out there, and if you happen to be in Vegas, stay hydrated. The desert winds are like a furnace and they will bake you in no time!

3 Things Security Vendors Wished CIOs Knew

Posted on by
1

Brent Huston, CEO and Founder of MicroSolved, answered a few questions regarding CIO’s and information security. If Brent could speak to a room full of CIO’s, these are a few things he’d share:

1)  CIOs are often unaware of what assets their organization have and how are they protected.

One problem we continually run into is the CIO folks know what the assets are they have, what’s critical and what isn’t. Often, they don’t have a good feel for the lifecycle of that critical data. Knowing what they have and how they currently protect it is a huge step forward for a CIO.

Does that have to be the ability to whip out a map? In a perfect world, yes. It just means the CIO needs to be able to reiterate to the vendor particularly when we’re talking about nuanced protection. And if we’re talking about penetration testing, why not consider this: instead of talking about penetration testing the whole environment, let’s test the stuff that matters. CIOs need to effectively and clearly communicate where that stuff is that matters. The systems it interacts with and what controls are in place today is what we need to focus on for testing or leverage them to do detection.

2)  A lot of CIOs don’t have any idea of what their real threat profile looks like.

When you talk to a CIO about the threat, their image of a threat is either script kiddies sitting in the basement of their mom’s house, or they’re so deeply entrenched in the cyber-crime thing that they think of it as credit card theft. They haven’t reached the level where they have any measurement or understanding of the different levels of threats that are focused on them — and how their responses would vary. The problem is they then treat all threats as the same. 

You expend the resources at a continual burn rate, so you’re probably using more resources than what you need, and then, when something really bad happens (because they’re used to treating it like a minor thing), they don’t feel like they need to pay attention. I’d love to see a CIO grow their attention to the threat profile and be able to communicate that upwards and to us as a vendor. 

3)  Some CIOs don’t understand the organization’s appetite for risk.

This is probably the hardest one. I love to meet with CIOs who already know their organization’s appetite for risk.  It seems like many organizations, even those who should be far enough along and mature and understand an appetite for risk (I’m talking about critical infrastructures, here), don’t understand it.  They have no way to quantify or qualify risk and decide what is acceptable and what isn’t. There may be complex policies in place and there are exceptions, but many CIO’s don’t have a clear “line in the sand” to help them determine what to respond to.

These kinds of initiatives are growing, but that’s one of those things that separates a mature, security-focused organization, and a risk-focused organization from folks who haven’t moved into more of a risk and threat management interface. Many folks still are managing at a vulnerability layer, i.e. “If X vendor releases a Y patch, and I need the Z team to apply it, then I’ll do it.” They think that’s the extent of their security effort. 

 

To consider your security posture, why not take a look at our “80/20 Rule for Information Security” page? Did you know that 80% of an organizations’ real information security comes from only 20% of the assets and effort put into the program? These 13 security projects will give your organization the most effective information security coverage for the least expenditure of time and resources.

Contact us if you have questions! We’ve seen how these projects have helped our clients and would love to help you!