MSI Strategy & Tactics Talk Ep. 11: Managing Mobile Security

“We’re not seeing good reporting processes yet. Many organizations… do not know who has these mobile devices or where they are located and what they’re being used for.”  – Brent Huston, CEO, MicroSolved, Inc.

Samsung Galaxy, Google Android, Apple iPad — mobile devices are a hot item and consumers are bringing them to their workplaces. With that popularity come malware developers who would like nothing better than to steal sensitive information from them. How can you protect your organization’s data from mobile device usage? Discussion questions include:

  • Who is managing mobile devices?
  • There needs to be some reporting – who does this and who should be involved?
  • Who are the groups that should be included when talking about mobile security? How should an organization start their strategy?
  • Regarding the data layer: what controls can we wrap around the data itself?

Panelists:
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Yet Another Lesson on the Basics from DigiNotar

This time it was a Certificate Authority (again). Not just any CA, either, but an official CA that manages the “PKIOverheid” for the government of the Netherlands. In other words, a really important CA, even in a league where most, if not all, CAs are important.

What happened? They got breached. They got breached in a way that allowed attackers to create at least 531 rogue certificates with their trust models. How did they get breached? It seems to stem from a combination of attackers exploiting basic issues to gain access, then leveraging more advanced custom skills to get the certificates generated and exfiltrate them. I am basing that opinion on the Fox-IT report located here. (The report itself is well worth a read.)

The critical issues identified?

  • Lack of a secure architecture for CA servers (1 Windows domain, connectivity from management network)
  • Missing patches
  • Lack of basic controls (AV, in this case) which allowed exploitation by basic attacker tools such as Cain/Abel
  • Poor password policies, logging and management of detective controls

If you follow our blog, attend our talks or listen to our podcasts, you should be seeing this as another reminder of just how critical it is to do the basics. Having powerful tools that no one watches, engaging vendors to do assessments that you ignore and spending money on controls that don’t matter won’t create an effective information security program. Getting the basic controls and processes in place might not completely protect you from breaches by resourced, skilled attackers, either, but it will go a long way toward giving you some protection from the most common threat models. In this case, it might have helped a CA know when they were under attack and take action against their threat sources to mitigate the breach before the attackers got to the crown jewels or, in this case, the crown certificates.

Someone, presumably the attacker, has been posting to Pastebin that they have access to other CA providers. If you are a CA or run a certificate system, now might be a good time to have someone take an independent third-party look around. It might be a good time to spend a few extra cycles on “just checking things out”.

If your organization is still stuck chasing vulnerabilities and hasn’t done a holistic review of its overall program, this would be a good impetus to do so. It should become an action item to look at your program through the lens of something like the SANS CAG or our 80/20 of Information Security lens and ensure that you have the basics covered in an effective manner. If you have questions or want to discuss the impacts or issues some of these recent breaches have against your organization, give us a call. As always, thanks for reading and stay safe out there.

MSI Strategy & Tactics Talk Ep. 10: Security For Windows Consumers & Their Home System

“You can be doing all the right things and still get your home machine compromised. It becomes less about prevention and more about what we do when our machines become compromised.”  – Brent Huston, CEO, MicroSolved, Inc.

Are you “the computer guy” for your family? Listen in as our tech team discusses common problems of Windows users and steps they can take to help protect their data. Discussion questions include:

  • How do Windows users stay safe in a world of modern malware and online crime?
  • What do Windows users do when their box gets infected?
  • What do you do to secure the Windows boxes of your family members?
  • What tools does every Windows box need and how should Windows security settings be configured?
  • What about the browser?

Panelists:
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MicroSolved Releases HoneyPoint Special Edition: Morto

We are pleased to announce the immediate availability of a special edition of HoneyPoint that is designed to help organizations identify hosts infected with the Morto worm that is currently circulating.

HPMorto works like this: It opens a TCP listener HoneyPoint on port 3389/TCP (check to make sure that port is NOT in use before running HPMorto). Once in place, the tool will report the source IP of any systems that attempt to connect to it. Identified sources should be investigated as possible infected hosts.

This version will only listen for 3389 connections and will only function through February 28, 2012.
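The listener behaviour described above, sketched as an added example (this is not HPMorto or MicroSolved code): a decoy TCP listener that refuses to start if the port is already taken and records the source IP of every connection attempt. The `ConnectionTrap` class and its method names are hypothetical.

```python
import socket
import threading
import time
from collections import Counter

class ConnectionTrap:
    """Decoy TCP listener: offers no service, only records who connects."""

    def __init__(self, host="0.0.0.0", port=3389):
        self.sources = Counter()   # source IP -> number of attempts
        self.events = []           # (unix time, source IP, source port)
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # No SO_REUSEADDR: bind must fail if the port is in use (e.g. real RDP).
            self._sock.bind((host, port))
        except OSError as exc:
            self._sock.close()
            raise RuntimeError(f"cannot bind {host}:{port}: {exc}") from exc
        self._sock.listen(16)
        self._sock.settimeout(0.5)  # lets serve() notice stop() promptly
        self.port = self._sock.getsockname()[1]

    def serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self._sock.accept()
            except socket.timeout:
                continue
            conn.close()  # nothing legitimate connects here; the attempt is the signal
            self.sources[ip] += 1
            self.events.append((time.time(), ip, sport))
            print(f"ALERT connection attempt from {ip}:{sport}")

    def start(self):
        self._thread = threading.Thread(target=self.serve, daemon=True)
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def suspects(self):
        return [ip for ip, _ in self.sources.most_common()]  # most active first

if __name__ == "__main__":
    trap = ConnectionTrap()        # 3389/TCP, the port named in the post
    try:
        trap.serve()
    except KeyboardInterrupt:
        print("Investigate:", trap.suspects())
```
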

Versions of HPMorto are available for FREE download for:
Windows 
Linux 
Mac OSX

Give it a try and we hope that this tool helps folks manage the problems being caused by Morto around the world.

McAfee: 65 Million Malware Samples — And That’s Just the Tip of the Iceberg

I was fascinated by this article that came across my newsfeed earlier this week. In it, McAfee says that they have hit 65 million malware samples in the 2nd quarter of 2011. I have heard similar stories in my frequent conversations with other AV vendors this year. It seems that the malware cat truly is out of the bag. I don’t know about you, but it seems like someone forgot to warn the crimeware world about opening Pandora’s box.

One of the things that I think is still interesting about the number of signatures that AV vendors are creating is that they are still hitting only a small portion of the overall mountain of malware. For example, many of the AV vendors do not cover very much of the current PHP and ASP malware that is making the rounds. If you follow me on Twitter (@LBHuston), then you have likely seen some of the examples I have been posting for the last year or so about this missing coverage. In addition, in many of the public talks I have been giving, many folks have had wide discussions about whether or not AV vendors should be including such coverage. Many people continue to be amazed at just how difficult the role of the AV vendor has become. With so much malware available, and so many kits on the market, the problem just continues to get worse and worse. Additionally, many vendors are still dealing with even the most simple evasion techniques. With all of that in mind, the role and work of AV vendors is truly becoming a nightmare.

Hopefully, this report will give some folks insight into the challenges that the AV teams are facing. AV is a good baseline solution. However, it is critical that administrators and network security teams understand the limitations of this solution. Simple heuristics will not do in a malware world where code entropy, encoding and new evasion techniques are running wild. AV vendors and the rest of us must begin to embrace the idea of anomaly detection. We must find new ways to identify code, and its behavior mechanisms that are potentially damaging. In our case, we have tried to take such steps forward in our HoneyPoint line of products and our WASP product in particular. While not a panacea, it is a new way of looking at the problem and it brings new visibility and new capability to security teams.

I enjoyed this article and I really hope it creates a new level of discussion around the complexities of malware and the controls that are required by most organizations to manage malware threats. If you still believe that simple AV or no malware controls at all are any kind of a solution, quite frankly, you’re simply doing it wrong. As always, thanks for reading and stay safe out there.

Press Release: MSI Launches HoneyPoint Console 3.50

MicroSolved, Inc. continues to make HoneyPoint Security Server more efficient. The new HoneyPoint Console 3.5 gives more capability to the security team to easily drill down for more data and export that data to a CSV file. A more powerful report functionality now means security teams get the results they need more quickly to secure their environment against intrusion.

HoneyPoint Console 3.5 software helps organizations detect true attacks on their system and has been upgraded with several new features. New interface enhancements have been added, making it easier to manage HoneyPoint data. A new data filtering engine has also been added, allowing the user to export data to a CSV file. Hash trusting for HoneyPoint Wasps has been added, bringing a new capability for Enterprise users to more easily manage accepted and trusted executables around their system populations. Wasp is now quieter and easier to use, further reducing data load. A round of general bug fixes and visual enhancements is also included.

“We’re proud of HoneyPoint’s ability to identify compromised systems that other tools and techniques would have shown to be OK, leaving systems online and under attacker control for a longer period than needed,” said Brent Huston, CEO and Security Evangelist for MicroSolved. “With HoneyPoint Console 3.5, you can more quickly and easily take compromised machines away from the attacker and significantly raise the bar in what they have to do to compromise your environment, avoid detection and steal your data.”

To learn more about HoneyPoint Console 3.5 and how it can help an organization protect their network, please visit our website.

7 Security Areas of Concern With Cloud Computing

One of the government’s major initiatives is to promote the efficient use of information technology, including the federal use of cloud computing. So good, bad or indifferent, the government is now moving into the wild world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.

At the Cloud Computing Summit on April 29, 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.

All businesses, both large and small, are now investing resources in cloud computing. Here are seven problematic areas for which solutions need to be found:

  1. Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
  2. Lack of standards – The National Institute of Standards and Technology (NIST) is getting involved, but standards are still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect on security!
  3. Security and compliance – Security offerings for data at rest and in motion are limited, and there are no agreed compliance methods for provider certification (i.e., FISMA) or common criteria. Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
  4. Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
  5. Service Level Agreements – Enterprise class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
  6. Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
  7. Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and making them work together.

Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking for a straightforward conversation in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.

MSI Security & Tactics Talk Ep. 8: Hacker & Security Conventions

“I spoke to some folks who are attending Blackhat and they’re all talking about Android and iPhone. iOS platform attacks. There’s a huge focus on insecurity and developing an attack tool for that model. Not just malware, but actual attack tools.” – Brent Huston, CEO, MicroSolved, Inc.

Listen in as our tech team discusses Blackhat 2011, DefCon, and B-Sides conferences. Discussion questions include:

  • DEFCON, B-Sides and Blackhat are this week in Vegas. With so many hacker and security conventions around now, what do organizations need to know about them?
  • What are you expecting to come from Blackhat and DEFCON this year? What do you find interesting?
  • What does the future of security conventions hold and where are things likely to go from here?
  • Is the training at these shows worth it for the average IT admin, network engineer or security analyst?
  • Do you have any tips for getting the most out of these shows or for those interested in attending?

Panelists:
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Chris Lay, Account Executive

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Columbus OWASP Quarterly Meeting August 18 – We’ll See You There!

We’ve been involved with the Columbus, Ohio Chapter of OWASP and have met some great folks. If you’re involved with information security and haven’t visited yet, you’ll want to be at this meeting! Below are the details with a link to register. We look forward to seeing you there!

When? August 18, 2011, from 1PM to 4PM

Where? The Conference Center of BMW Financial

The Columbus OWASP chapter will be presenting its Third Quarter Meeting, specifically on the subject of Web Application Security Analysis. We are pleased to present two local speakers leading discussions on malware, and the OWASP Enterprise security framework.

Speaker: Brent Huston CEO & Security Evangelist of MicroSolved, Inc. (MSI)

This presentation will discuss PHP and ASP malware, discovery techniques, how the attackers are staging and processing malware-based attacks, as well as the relevance of anti-virus against these forms of malware. Drawn from real world attacks and compromises, examples will be displayed and discussed. Takeaways will include the architecture of attacker cells, their targeting and use of compromised hosts and insight into how simple, basic controls can assist us in fighting these forms of assault.

Speaker: Kevin Wall – ESAPI Committer / Owner at OWASP & Staff Security Engineer at CenturyLink

OWASP Enterprise Security API (ESAPI) is one of the flagship projects at OWASP, but as of yet, not many application development teams have adopted it. This presentation will provide a brief history and overview of ESAPI, including its goals and all its language implementations, before taking a deeper dive into ESAPI for Java.

The ESAPI for Java portion will discuss major changes from ESAPI 1.4 to ESAPI 2.0 and how the various ESAPI 2.0 security controls map as mitigations for the OWASP Top Ten. We will also examine the relative maturity of each security control.

This will be followed by a few examples of how to use ESAPI, including an in-depth one of using ESAPI’s symmetric encryption. Finally, we will briefly describe how the OWASP AppSensor project has the ESAPI’s Intrusion Detection mechanism to provide a powerful intrusion detection system at the application layer and describe some of the advantages of this versus a more traditional IDS.

Register today!

Methodology For System Trust State Management

A lot of folks have written in asking for a simple methodology overview of how to use the spreadsheet we published in a previous post. Here is a quick and dirty overview of the methodology we use to manage the security trust state of systems in our work. Check out the diagram and let us know if you have any questions or feedback.

Thanks for reading and we hope this helps your team in a meaningful way! Click here to download the PDF.