Mobile Application Security Podcast with Brent Huston

Posted on February 7, 2011 by Brent Huston

Are you working with mobile applications? Trying to figure out security? In this helpful informative podcast, Brent covers 3 tips that will give you the tools you need to move forward. Often a developer isn’t certain what questions to start asking. Brent shares some common areas that include foundational practices:

Here is what you’ll learn:

1) What you should be doing to encrypt your application

2) Almost 50% of the apps we tested missed this powerful avenue toward leveraging knowledge that is readily available

3) How are you storing your data? And where? Brent shares insights on data storage

Click to access the entire audio file

Opinion: Warez More Dangerous Than P0rn

Posted on January 28, 2011 by Brent Huston

A couple of vendors have been talking about how prevalent malware is in online porn these days, but during our testing of HoneyPoint Wasp, we found pirated software (or “warez”) to be among the most concerning. Pornography is still a dangerous segment for infection, but it seems that grabbing so called “cracks” and “keygens”, along with pirated programs from the web and peer to peer networks is even more dangerous.

In our testing, it took us around 1/8 of the time to find infected warez that it took to find infected pornographic sites. In fact, our estimates are that less than 10% of the pornography files we tested (excluding “codecs”, obvious Trojan Horses) were infected, while nearly 90% of the cracking and keygen tools were, in fact, malware. In many cases, the warez would appear to work, but contained a background dropper that would install one or more pieces of adware, spyware or other malicious software. Even worse, in a clear majority of our testing cases, several of these malicious programs were missed by the consumer-grade anti-virus applications we had installed on the test bed. We used the white listing capability of HoneyPoint Wasp as the control and indeed identified a large number of malicious programs that traditional AV missed.

The key point of this topic though, is that pirated software remains a significant threat to businesses without proper license controls. Particularly, small and mid-size businesses where piracy often runs rampant, present a very wide target for attackers. Good policies against pirated software, user awareness and the use of license enforcement/asset inventory tools are useful controls in ramping up protection against this attack vector.

How has your organization fared against pirated software? What controls do you have in place to reduce both the legal liability and the malware threat that warez represents?

Touchdown Task #2: Detection: How Much Malware Do You Have? #security

Posted on December 6, 2010 by John Davis

Our last Touchdown task was “Identify and Remove All Network, System and Application Access that does not Require Secure Authentication Credentials or Mechanisms”. This time, it is “Detection”.

When we say “detection” we are talking about detecting attackers and malware on your network.

The best and least expensive method for detecting attackers on your network is system monitoring. This is also the most labor intensive method of detection. If you are a home user or just have a small network to manage, then this is not much of a problem. However, if your network has even a dozen servers and is complex at all, monitoring can become a daunting task. There are tools and techniques available to help in this task, though. There are log aggregators and parsers, for example. These tools take logging information from all of the entities on your system and combine them and/or perform primary analysis of system logs. But they do cost money, so on a large network some expense does creep in.

And then there are signature-based intruder detection, intruder prevention and anti-virus systems. Signature-based means that these systems work by recognizing the code patterns or “signatures” of malware types that have been seen before and are included in their databases. But there are problems with these systems. First, they have to be constantly updated with new malware patterns that emerge literally every day. Secondly, a truly new or “zero day” bit of Malware code goes unrecognized by these systems. Finally, with intruder detection and prevention systems, there are always lots of “false positives”. These systems typically produce so many “hits” that people get tired of monitoring them. And if you don’t go through their results and winnow out the grain from the chaff, they are pretty much useless.

Finally there are anomaly detection systems. Some of these are SEIM or security event and incident management systems. These systems can work very well, but they must be tuned to your network and can be difficult to implement. Another type of anomaly detection system uses “honey pots”. A honey pot is a fake system that sits on your network and appears to be real. An attacker “foot printing” your system or running an exploit cannot tell them from the real thing. Honey pots can emulate file servers, web servers, desk tops or any other system on your network. These are particularly effective because there are virtually no false positives associated with these systems. If someone is messing with a honey pot, you know you have an attacker! Which is exactly what our HoneyPoint Security Server does: identify real threats!

Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack. Give us a call if you’d like us to partner with you for intrusion detection!

3 Changes in Crimeware You Can Count On

Posted on November 22, 2010 by Brent Huston

Crimeware is becoming a significant threat to most organizations. The capability and dependence on crimeware as an attack model is growing. With that in mind, here are 3 things that the folks at MSI think you will see in the next year or two with crimeware:

1. Cross platform crimeware will grow. Attackers will continue to embrace the model of malware that runs everywhere. They will focus on developing tools capable of attacking systems regardless of operating system and will likely include mobile device platform capability as well. They have embraced modern development capabilities and will extend their performance even further in the coming years.

2. Specialized crimeware will continue to evolve. Organized criminals will continue to develop malware capable of focusing in on specific business processes, keying on specific types of data and attacking specific hardware that they know are used in areas they wish to compromise. Whether their targets are general data, ATM hardware, check scanners or the smart grid, the days of crimeware being confined to desktop user PCs are over. The new breed knows how ACH works, can alter firmware and is capable of deeper comprise of specific processes.

3. Crimeware will get better at displacing the attack timeline. Many folks consider malware to be symetric with time. That is, they see it as being operational continually across the event horizon of a security incident. However, this is not always true and attackers are likely to grow their capability in this area in the coming years. Modern malware will be very capable of making its initial compromise, then sitting and waiting to avoid detection or waiting for the right vulnerability/exploit to be discovered, etc. The attacks from the next generations will have a much longer tail and will come in a series of waves and lulls, making detection more difficult and extending the time window of control for the attackers.

MSI believes that organizations need to be aware of these threats and ideas. They must get better at detecting initial stage compromises and begin to focus on closing the window of opportunity attackers now have, once they get a foothold (in most cases days-months). Prevention is becoming increasingly difficult, and while it should not be abandoned, more resources should be shifted into developing the capability to detect incidents and respond to them.

InfoWorld Reviews Honey Pots and HoneyPoint

Posted on November 19, 2010 by Brent Huston

MicroSolved, Inc. was recently featured in InfoWorld’s article, “Intrusion detection honeypots simplify network security,” by Roger A. Grimes.

It’s a great review of MSI’s HoneyPoint technology, along with two other honey pot software solutions. The article is very thorough, testing everything from features and logging capability to ease-of-use and value. As Roger stated, intrusion detection is a complicated business, which is why we continue to strive to increase the visibility of the security team within an ever-increasingly insecure world. His use cases are very specific and the article presents a powerful argument for honey pots and their role in modern information security. We commend the author for his work and very much appreciate HoneyPoint’s inclusion in the solution set.

Some of HoneyPoint’s features, namely defensive fuzzing (HornetPoint behavior) and port mining appear to have been misunderstood by the reviewer. He mistakenly compares it to “tarpitting”, which is a technique used to slow down scans by tampering with the TCP packets in the 3 way handshake to delay connections. HornetPoints do not perform any actions at the packet layer, but instead, apply fuzzing routines within the specific emulated protocol (HTTP, SMTP, etc.) to attempt to cause the scanner or worm to fault on the attacking system, a form of self-defense. Port mining simply shoves a large binary file at attacker tools, again with the intent of crashing them, not simply slowing them down. These differences did not seem to be communicated well in the review when we read it.

We completely agree with the author that HoneyPoint has a large feature set and that our reporting and event tracking make it a powerful enterprise tool. We also appreciate his coverage of the plugin capability that allows users to extend and automate their alerting and response capabilities with HoneyPoint. We designed the product to be easy to use and most customers learn to install, configure and manage the product in a simple 2-4 hour virtual session included in every purchase. Our customer’s experience and rating for ease of use varies from what is presented in the review. Customers continually praise HoneyPoint as being one of the easiest enterprise products they have deployed and used.

Lastly, the author’s review makes the point that honey pot tools cannot bind to ports already in use, making them essentially blind to attack traffic on those services already installed on the hosts on which the tool is running. This is a valid truth and represents one of the core reasons why we felt it was important to design HoneyPoint to run across platforms. If a honey pot product can only run in Windows, it cannot bind to ports like 135-139 and 445, which are the common ports used for Windows CIFS. It also cannot bind to ports, and thus provide detection on Windows RPC ports that are in use. As such, a low interaction honey pot deployed only on a stock Windows workstation cannot perform detection of threats like Conficker and other traditional Windows-centric attacks. This leaves an organization using a Windows-constrained detection tool unable to emulate these services and detect these attacks. HoneyPoint, on the other hand, can just as easily be deployed on Linux as on Windows. Using a simple liveCD install (such as Puppy, DSL or the Ubuntu, etc.) you can deploy HoneyPoint on these ports, emulating Windows and thus gaining detection and visibility not available with a Windows-constrained product. We feel, as do many of our clients, that this is a powerful difference between our product and others and that it gives our clients the ability to stud their environment with detection decoys, even at the Windows protocol level, where others are blind.

We designed HoneyPoint not as an academic tool for laboratory use or for those folks wishing to capture packets of the attack tools and write papers about them, but as a real-life, deploy and forget, enterprise threat management system for businesses interested in breaking the attacker life cycle. We are quite proud that the tool is functional, flexible and simplistic. That was the goal from the beginning. We are as proud of the things that our product DOESN’T do to maintain that core focus as we are of the things it DOES do and how it accomplishes them.

Overall, we are in full agreement with InfoWorld: the impact of honey pots in the corporate environment is best understood by serving as an early-warning system. When honey pots are utilized in this way, they are economical and efficient, yet meet the need to identify threats in the network environment. We extend kudos to Roger for his review and for the hard and complex work he did reviewing and comparing the three products.

MSI welcomes this type of review, because our quest to make you safer is what drives us. Clients tell us that we’re good listeners and we love to hear feedback from the community. We will not stop improving our efforts to protect our clients because frankly, the attackers will not stop searching for vulnerabilities. As always, thanks for reading and stay safe out there!

OpenSSL Vulnerability

Posted on November 17, 2010 by Brent Huston

A new security issue in OpenSSL should be on the radar of your security team. While Stunnel and Apache are NOT affected, many many other packages appear to be. The issue allows denial of service and possibly remote code execution.

Patches for OpenSSL and many packages that use it are starting to roll in. Check with your favorite vendor on the issue for more information. The CVE is: CVE-2010-3864

HoneyPoint users who leverage black hole defenses should ensure that they have exposed port 443/tcp honeypoints and have dilated other common ports for their applications that might be vulnerable. Internal HoneyPoint users should already have these ports deployed, but if not, now is a good time to ensure that you have HoneyPoint coverage for any internal applications that might be using OpenSSL. Detecting scans and probes across the environment for this issue is highly suggested given the high number of impacted applications and platforms.

If you have any questions about this issue or the proper HoneyPoint deployment to detect probes and scans for it, please give us a call or drop us a line. We will be happy to discuss it and assist you.

Using ProFTPd for Core Processing Anywhere?

Posted on November 2, 2010 by Brent Huston

If so, you might want to pay attention to this announcement of a critical remote vulnerability in the daemon. You can read the alert here. A patch is now available and should be applied quickly if you have core processes using this application.

No authentication is required and it is a pretty straight forward buffer overflow, so exploit code should be easy to design and use. Common framework exploits are expected shortly.

Usually ProFTPd is used as a part of core processing, data warehousing and other heavy data processing solutions across a variety of platforms and industries. You can find installations remotely using nmap -sV scans on your network. Nmap is pretty good at identifying ProFTPd installs.

HoneyPoint users might want to consider deploying port 21/tcp (ftp) listeners to watch for scans for vulnerable servers by attackers. Detected scanning IPs should be investigated on internal networks and black holed on Internet facing segments.

Great article on File Crypto Tools

Posted on November 1, 2010 by Brent Huston

I saw this excellent article this morning that covers 5 basic tools for doing file cryptography across platforms. Many of these tools are great solutions and we use them frequently with clients. In particular, we find True Crypt to be a very powerful and useful tool. Many client have embraced this solution for laptop encryption, leveraging the free price and benefit for compliance.

You can read more about these tools here.

Check them out and use the ones that fit your needs in your organization. They are great tools for keeping your business, your business.

MSI Partner Syhunt Brings Source Code Scanning to ASP & JSP

Posted on October 14, 2010 by Brent Huston

Syhunt has launched a very nice and powerful new edition of their Sandcat web application security tool. Sandcat is an extremely thorough and very capable assessment engine for web servers, web applications and web application source code. MSI has been using the tool for many years and we enjoy a very close relationship with the team behind the tool.

In addition to adding new features to the PHP source code scanning, this new release gives users the new capability to do white box testing on web applications for XSS vulnerabilities beyond PHP. The new version now includes cross site scripting checks for classic ASP, ASP.NET and JSP (JavaServer Pages) code modules. Syhunt even plans to further extend the classes of checks in those languages in the coming months. As with PHP source code assessment, this is a very powerful tool for increasing the quality and security of web applications, both new and legacy, around the enterprise.

Check out the new release at http://www.syhunt.com and let them know you heard it about from MSI. The Syhunt team are nice folks and they work very hard to bring you one of the most flexible, powerful and easy to use web application tools on the planet. Give it a shot, we think you’ll become a huge fan too!

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: General InfoSec