Category Archives: General InfoSec

Thoughts on Increasing Security in the Smart Grid

Posted on by
Reply

There has been a lot of attention lately on the “smart grid” and the coming evolution of the US (and global) power grid into a more robust, information and data-centric environment. Much press has been generated around the security and insecurity of these changes.

Currently, NIST and various other concerned parties, are hard at work on formalizing the standards around this particular environment and the products that will eventually make up this public spectrum of life. In the MSI lab, we have researched and reviewed much of this data and would like to offer forth some general recommendations for both the consideration of the various standards bodies and the particular vendors developing products in this area. Here they are, in no particular order:

First, we would ask that you design your products and the underlying standards with industry standard best practices for information security in mind. The security practices for IT are well established, mature and offer a large amount of protection against common security issues. Please include them in your designs.

Next, we would offer the following bullet items for your consideration:

  • Please take steps to minimize the attack surfaces of all products throughout the system to reduce the chances that attackers have to interact with the system components. Many of the products we have looked at offer far too wide and too many attack surfaces. This should definitely include reducing the attack surfaces available to system processes and thus, by implication, malware.
  • Please ensure that your system includes the ability to update the components in a meaningful way. As the smart grid system evolves, security issues are bound to arise and being able to patch, upgrade and mitigate them where possible will be a powerful feature.
  • Please implement end-to-end detective controls that include the ability to monitor the components for fraud, tampering, etc. Please include not just operational detective controls, but also logging, reporting and support for forensic hashing and other incident analysis capabilities.
  • You MUST be prepared to implement these systems with strongly authenticated, role-based access controls. Implementations that rely solely on single factor authentication are not strong enough for banking applications, so they should not be considered strong enough for the power grid either.
  • Please take every opportunity to prevent and restrict data leaks. Reducing the information available to the casual attacker does help prevent casual compromise. While these reductions might not prevent the determined, focused attacker, the exposure of these attack surfaces to the casual attacker is much more probable and thus should be controlled for in your security equation.
  • When you implement encryption into your products and systems, please choose appropriate, strongly peer-reviewed encryption. Proprietary encryption is too large of a risk for the public infrastructure. Also, please ensure effective, yet low resource requirement key management. Complicated key managed approaches do not differentiate your product in a good way, nor do they usually enhance security in any meaningful way. Proper key management technologies and encryption exist, please use them.
  • The same goes for protocols as encryption. We have standard protocols defined that are mature, stable, understood and effective. Please leverage these protocols and standards wherever possible and reduce or eliminate proprietary protocols. Again, the risk is just too large for the world to take a chance on unproven, non-peer reviewed math and algorithms.
  • Please design these systems with defense in depth in mind. You must provide multiple controls for confidentiality, integrity and availability. Failure to do this at a meaningful level creates substantial risk for you, your clients and the public.
  • Please ensure that your allow for rational processes for risk assessment, risk management and mitigation. If systems require high complexity or resources to perform these tasks, they simply are not likely to get done in the longer term of the smart grid when the shiny newness rubs off.
  • Please apply the same care and attention to consumer privacy and protection as you do to managing waste, fraud and abuse. This helps you design more secure components and protects both you and the public in a myriad of ways.
  • Please ensure that your product or system includes appropriate training materials, documentation and ongoing support for handling security and operational issues. Very little of the smart grid technology is likely to be “fire and forget” over the long haul. Please make sure your organization continues to create appropriate materials to educate and inform your users.

Largely, the rewards of the smart grid are incredible. Energy savings and reduced ecological impact are both key components of why the smart grid is in the public eye and is achieving so much momentum. However, like all change, the public is right to fear some facets. If done right, this will become the largest, most technological network ever created. Done wrong, it represents a significant risk for privacy, safety and national security. At MSI, we believe that the project can and will be done right! Thus, we want to contribute as much as possible to the right outcome.

Thanks for reading and please, take some time and educate yourself about the smart grid technologies. Your voice is very important and we all need to lend a hand and mind to the effort!

MicroSolved’s CEO and Security Evangelist Interview With [IN]SECURE Magazine

Posted on by
Reply

issue-main-21

[IN]SECURE Magazine, the fresh and innovative online magazine from Help Net Security (HNS), interviewed Brent for their June issue. Mirko Zorz, Editor-In-Chief, caught up with Brent to pose some great questions that allow the readers a glimpse into a “different kind” of CEO. Brent shares his insights about his role within MSI, future security threats, and developments within the information security field.

You may download the interview here.

Help Net Security is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters a large number of Information Technology readers specifically interested in computer security. For the entire June issue of [IN]SECURE Magazine, you can download it here. Great reading!

Interview with Syhunt CEO

Posted on by
Reply

This week I got a chance to ask a couple of questions about Syhunt SandCat and the future of web application security. Here is the exchange with some great insights into where the web and attackers are heading!

Quick Interview with Felipe Aragon, CEO of Syhunt.

Q: The 3.8 release represents a significant step forward in application security scanning, especially around Javascript. What are the key features that application testers should know about in the 3.8 product?

R: Browsers and the web evolved significantly over the past years. Sandcat has evolved together with the new advancements and now has a lot in common with modern web browsers. This is essential because if you want to seriously hunt security breaches in web 2.0 applications you have to emulate modern Web technologies. So, naturally Sandcat evolved to understand JavaScript, AJAX and PHP and is now what is known as a hybrid web application security scanner. We also implemented multi-thread sessions, making each host scan a different process (Google Chrome, for example, employ a similar technique, making each tab a different process). Other important features we got working in Sandcat is the ability to simulate user interaction and multi-layer defense evasion. Sometimes, after evading a WAF (web application firewall), the last layer of defense against exploitation is a regular expression filter, which can also be bypassed by using many different techniques, so we got this working in Sandcat. Unfortunately weak filters were popularized and today many websites are vulnerable to this attack.

Q: How are Javascript threats influencing the state of application security today?

R: Thanks to JavaScript, Web applications are becoming increasingly more sophisticated, so next-generation web applications must be handled like desktop applications. Browsers like Opera, Firefox, Safari, Chrome are now adding faster JavaScript VMs each release because this is where the Web is going. Increased usage of JavaScript changes everything. It changes the way web developers build web sites, and the way hackers search for vulnerabilities or take advantage of weak spots in web applications. It makes more difficult for web developers to build secure web applications and, of course, for pen-testers that are unskilled web programmers to fit in in this new world. JavaScript can be used to steal cookies, spread worms, launch XSRF attacks and many other malicious purposes. The attacks are limited only by the attacker’s imagination.

Q: Where do you see application security heading in the next 12 months? What types of attacks should we be paying attention to that are slipping below our radar right now?

R: Right now we are monitoring the emergence of new web platforms (such as the recently announced Google Wave) that will make the 3.0 version of the Web possible. I believe we are heading towards the end of an era for the Web, a Web OS is materializing. These web 3.0 platforms and extensions built for these platforms will be a major target for cybercriminals. We have a set of new vulnerability classes and combined attacks (using both old and new classes) on the horizon. It will take a lot of time for web developers to understand how certain lines of code, client-side or server-side, translate to some serious security issues and how to avoid them. It might actually never happen because the Web and attack methods will continue to evolve faster. Without innovation, there is no future for the web, but I hope organizations will do whatever they can to understand and minimize security risks within their Web systems and not allow the cyberspace to become more insecure than it is today.

Check out SandCat’s new release at http://www.syhunt.com.

PS – In fair disclosure, MSI has a business relationship with Syhunt.

New Web Scanner Patterns

Posted on by
Reply

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is assuming the spread and slow increase as usual with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like. (FREE) I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Lessons from an Almost Lost Laptop

Posted on by
Reply

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

A Basket Full of Caveats – The LimeWire Safety Page

Posted on by
Reply

I was taking a look at some P2P stuff for our Reputational Risk work when I bumped into the LimeWire safety page. This is a page that is (I suppose) intended to educate users on the risks associated with P2P file sharing networks and the use of LimeWire specifically. I really thought it was interesting.

The page is: http://www.limewire.com/legal/safety

Some of the items the page covers are: copyright infringement, careful shared content selection (to avoid leaking documents, spreadsheets, etc. and entire drives/folders), adult content, spyware/malware cautions and lots of language about default behaviors. Now to be sure, the authors of LimeWire have implemented new controls in their version 5 software to make it more difficult for users to make mistakes and share the wrong contents. Even given that, I still caution everyone to do their own risk/reward assessment before using such a tool.

The bottom line is this. Check out the page, because as infosec folks, we need to be aware of what topics we need to continue to talk about with others. Educating them in how to configure this type of tool, should they choose to use it, might be a powerful way to help them (and maybe your organization) remain safer online. At the very least, it seems that LimeWire has at least done a good job of trying to caution people about the problems with using their tool. That, at the very least, is quite admirable!

Lessons From a Reputational Risk Audit

Posted on by
Reply

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online crimes.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued and much discussion with attorneys, HR, regulators and eventually the customers were required. In the end, Sheila kept her position and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious as they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Conficker: A serious threat or the world’s biggest Rick Roll?

Posted on by
Reply

The Conficker worm was touted with nearly as much danger and fear as was Y2K… I remember that New Year’s better than any other in my lifetime simply because we were all standing around the day after to realize “hey, that wasn’t so bad… my computer really could count to 2000!”

With the media’s sensationalism of Conficker/Downadup/Kido, people started to panic once again. Our machines would rise up against us and human kind would become slaves to the technology we’ve become so dependent upon. The best part was that this was all supposed to happen on April Fool’s Day, 2009. Really?

So our team sat back and watched the story unfurl. We infected a machine in our lab to monitor the traffic, or lack thereof. We waited and studied and watched the story unfold- or not. After days of non-activity, the P2P functionality of the worm kicked into effect. Conficker began what appeared to be an update process, as well as dropping an unidentified payload on infected machines. These updates are prime vehicles for changing the modus operandi of the infection as well as adding to the near endless list of methods for killing nearly two dozen security applications and update programs reportedly affected by the infection.

When the P2P traffic trailed off, there was some speculation of a “cease fire” on or around 3 May, 2009 but this may not necessarily be the case. Reports have come from India this week where systems have been observed to have installed a second infection referred to as Waladec, which is known to send spam without the user’s knowledge. Shantanu Ghosh, VP, India Product Operations, Symantec India has been cited to say research has shown that widespread use of peer-to-peer file-sharing programs, low awareness of the need to update anti-virus software regularly and rampant use of pirated software have contributed to India’s high rank among countries affected by Conficker.

Well we may not be out of the woods yet, but this takes me to the moral of our story. Updates are not optional. These things are necessary in order to ensure proper functionality and security within a network. This infection is certainly containable and should not be the end of the Internet as we know it, but if something as simple as an update could stop this thing in it’s tracks, why doesn’t everyone do it?

Domestic Defense: 3 Steps to Hardening Home PCs

Posted on by
Reply

As we wander the information superhighway it’s no secret there is an abundance of thieves, pirates, and stalkers out there just looking for low hanging fruit to make a quick buck and move on to the next mark. We’ve all heard horror stories of hacker-ish ways good people have fallen prey to the black hats out there, this is encouragement for those who’d like to take as much power back into their own hands as possible; to make thyself a harder target.

Microsoft’s Windows operating system is the market leader in terms of home computer users  and there is an entire subculture of people out there who pretty much work to break it by any means for fun and profit! Taking the following countermeasures makes you a little less susceptible to the threats on the Internet.

Windows Automatic Updates

This is a necessary evil of using the Windows operating system. Microsoft launches updates weekly as well as periodic urgent updates that are designed to keep your computer patched against the latest threats. While some prefer to have control over when these updates are applied, it is strongly encouraged to take advantage of the automatic feature- a sort of “set it and forget it” tool that allows one to not continually worry whether they’re up to date or not. Enable or modify your update settings as follows:

Click on Start, open the Control Panel and select Security Center. At the bottom, open Automatic Updates.

automatic-updates

By selecting the automatic option, windows will phone home at the time specified by you. Some prefer to set this for a time when the machine is not in use to prevent the updates from interfering with normal use, such as overnight. Once the desired settings are chosen, click “Apply”, then “OK” and close up shop.

Anti Virus Solutions

Anti Virus and Firewall programs are essential to the protection of any windows computer that is connected to a network. These programs work together to monitor the flow of data through your machine and to give warnings or indications of what might not be “quite right”. While there are premium options available on the market, there is also a set of free tools that do a fine job of protecting the average user.

AVG Anti Virus offers a free solution that offers extensive virus protection with live updates and a nice user interface that allows at-a-glance confirmation that the program is functioning. While there are more features in the subscription version of this product, there is a very comprehensive program in the Free Edition:

avg-free-edition_1

The update menu also has an automatic feature that allows for the “set it and forget it” freedom. Updating immediately will allow AVG to “phone home” and get the latest virus definitions before the first scan of your system. Once these updates are complete (a restart may be required), you’re ready to spend time in the Computer scanner menu setting up preferences and then scanning your system to ensure it’s clean.

avg_free_com_scanner

It’s important to first set a scan schedule. Once you’ve got that done, scan the whole computer. This will take some time. Grab a cup of coffee (or my preference, a Monster Drink) and find something to kill some time with. If your Windows partition has any chance of infection (ie, this is NOT a fresh install) then you’ll want to check in periodically to ensure you’re not prompted to address any juicy discoveries. After the initial scan of your machine, you’ll have FREE, real time protection against a good portion of the software threats facing home users today.

Comodo Firewall

Yes, it’s true Comodo offers an “all in one” solution which is a firewall AND an anti virus in one package, but I’ve always been of the mind that my proctologist shouldn’t be doing my mechanic’s work and vice versa. AVG has been my go-to anti virus for some time and it out performs the other freebies while still offering a very easy to use program, and Comodo makes for a great firewall- so I recommend exactly that in Comodo’s Personal Firewall Free Edition. This means it will be important NOT to install the anti virus that comes with the Comodo package:

comodo_uncheck_install_antivirus

This is VERY important because having more than one anti virus program running at once can cause them to conflict each other and might not protect you to their fullest potential.

Once installed, spend some time learning the interface. Again you’ll want to allow it to update (which is an option under the MISCELLENEOUS menu). When the update is complete, the firewall will want to scan your system. This again sets a baseline by which Comodo can assess future changes to alert you and get permission before taking place.

After the initial scan, you’ll want to spend some time doing typical tasks to let the firewall learn from you. Comodo pops up alerts from the system tray with an outline of a detected action. When you’re teaching it something new, you’ll want to allow the action and usually to “Remember my answer”. It’s a good idea to read these alerts and thoroughly understand this interface to ensure your firewall is functioning properly. This learning period tends to be tedious, but is necessary for the full benefit of “educating” the firewall. Notice the “Treat this application as” option. This puts the firewall into an “installation mode” which will let software be updated or installed without asking permission for every single change.

comodo_alert

Once Comodo learns your typical activities, you’ll rarely hear from it. The updater will ask permission to phone home and it will alert you of any odd looking traffic, but in reading the alert you should get a good understanding of whether you want to allow it or not. I actually use the Firefox addon “Malware Search”; which adds right click menus that link you to Process Library, &System Lookup, and Google where I’ll search down anything I don’t recognize. If it’s unidentifiable, it doesn’t get through.

Secunia Personal Software Inspector

Secunia PSI is an invaluable tool to the home user. In a nutshell, this program will monitor your system for any available updates and let you know. It’s like a central command and control center for all your software. PSI will advise you of new updates, and re-evaluate to ensure you’re fully covered.

secunia_scan

After scanning the computer, PSI will ensure all programs are up to date and will set the process in motion to address any that might not be.

psi_scan_complete

These free tools will set a solid security foundation on any home computer. These things are necessary today in a cyber world where identity theft, spam, and botnets are rampant. It’s us against them and we shouldn’t allow ourselves to be easier targets than absolutely necessary. The MSI team will continue to search out ways of protecting and educating the good guys while thwarting the bad guys.