Microsoft IIS 6.0 WebDav Vulnerability – Urgent

Posted on May 18, 2009 by Nathan Grandbois

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.

Flu: Facts and Advice

Posted on April 27, 2009 by John Davis

The 2009 version of the Swine Flu has already hit the U.S., and it looks like it could be a bad outbreak. There have already been more than 300 deaths among the 1,600 reported cases in Mexico, and cases of the Flu will undoubtedly turn up in more U.S. States over the next several days. Here are some facts about the Flu, pandemics and contagious diseases in general that may help you and your business better prepare for a serious outbreak:

Pandemics are defined as epidemics or outbreaks in humans of infectious diseases that have the ability to spread rapidly over large areas, possibly worldwide. Several pandemics have occurred throughout history and experts predict that we will experience at least one pandemic outbreak in this century. Although avian flu viruses are currently the most likely disease vector to cause a pandemic, in reality any highly infectious drug resistant disease could lead to a pandemic outbreak.

So how can Flu viruses spread? The most insidious way for the flu virus to spread is through the air in the form of “droplets”. When persons with the flu cough or sneeze into the air, large and very small droplets of liquid filled with virus travel through the air and can easily make their way into lungs or onto hands. Large droplets generally do not travel more than six feet but small “micro-droplets” can float through the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or eyes. If there is flu virus on your hands or food and you put them in your mouth, you can get the flu. If you have flu virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?

The best thing you can do, even though it is a pain, is wash your hands. I mean wash your hands each time before you touch anything and put it in your mouth, or before you rub your eyes. Also, I wouldn’t eat food that has been sitting uncovered around where people have been coughing or sneezing.

Another thing you can do that really helps is wear a face mask. Even though individual viruses are small enough to go right through the pores in a normal face mask, it is not true that you get the flu from individual viruses; you get the flu from droplets of moisture that contain and protect thousands of virus cells. So if you want to keep from getting the flu, wear a mask. If you have the flu and don’t want to give it to others, wear a mask and cover your face when you cough or sneeze.

There are also a number of different things that can kill microorganisms like flu viruses. Ultra violet radiation, such as direct sunlight, kills microorganisms almost instantly. Also, Microorganisms die quickly when they come in contact with hard, smooth, dry surfaces. For example, counter tops or glass surfaces or plastic objects won’t support microorganisms as long as there is no moisture or grease on the surfaces to protect the cells. Microorganisms also cannot exist in freely flowing water. And finally, microorganisms can be killed or removed by the use of soaps and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.

So how do you protect your business from the flu? One way is to implement the advice above. When the flu is rampant in the community, protect yourself when you are in close public areas such as grocery stores, automobiles, airplanes or malls. You should also remember that you can be infectious 24 hours before symptoms appear and you will continue to be contagious for about seven days after symptoms do appear. So if you know you have been in contact with someone with the Flu, or if you are feeling ill yourself, stay away from other people as much as you possibly can. Have your employees do any work remotely that they can. If they can VPN into the network securely or use the telephone and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible via the drive up windows. Insist that employees that have the flu stay home. No matter how important an employee is to the business, find some way to work around them or use their services remotely. And finally, make sure that your business has good written operating procedures in place, and that your employees cross train with each other on a regular basis. This will be a real help in times of great absenteeism.

Change the Way You Use (and Pay For) Penetration Testing

Posted on March 10, 2009 by Brent Huston

For a couple of years now, we have been offering our managed service and menu-based service clients flat rate options for all kinds of penetration testing, assessments and application security. By far, though, the best received and most popular service is our focal point penetration testing service. Let me share with you a situation I had with a client we’ll call “Joe”.

Joe is a 38 year old IT manager for a financial services company. He has been with the organization for more than 6 years and is a hard worker who is known around the company as a “get things done” kind of guy. Joe, like all IT managers today, is facing a cutback in his security staff and is struggling to keep up with the ever-changing threats, vulnerabilities and regulatory landscape that his company faces. He has been a MicroSolved client for several years and we have great rapport.

Joe’s problem is that his once a year penetration testing is just not working. The huge snapshot of his environment doesn’t maintain relevance for long as his staff struggles to respond to the findings and attack the problems that are identified in an overall manner. That’s when Joe comes to me to discuss his issues.

Joe and I spend a couple of hours talking about the problems he is facing and we quickly find a HUGE solution to his problem. Joe and the MSI team break up his IT environment into 4 functional slices. Instead of doing one big penetration test, once per year, we begin to test 1/4 of his environment every quarter. That allows his team to focus on a specific set of his environment for improvement during a given quarter and makes it very easy for him to create measurable security improvements in those targets. This gives him the ammunition he needs to provide continual improvement metrics to his upper management. From the MSI side, it makes the task smaller and faster for our team, and while the human engineer factor is slightly higher since we have to do setup and manual parts 4x, the difference is not really large. We extend terms to Joe’s company that allows him to pay for this service in low monthly payments over the term of the agreement. This makes the security bill from MSI easy to plan for and manage.

This was a couple of years ago. Joe is now approaching the big 4-0 and has been with his company more than 8 years. When we talked last week, Joe renewed his agreement with MSI for FIVE YEARS! He could not say enough about the work that we do with them, how the subscription approach to penetration testing has helped him and how grateful his board is for us letting them create a menu of services (including subscriptions for assessments and pen-testing) and split the cost INTEREST FREE over the five year term!

Joe is one happy client and at MSI that is exactly what we are all about. I love that our team has worked with clients to “get creative” about security problems. We deliver quality reports, do a lot of the heavy lifting for our clients and are always looking for new ways to help them be more successful with our services. Joe has learned just what that can mean to an organization and how my team can even “think outside the box” when it comes to payment terms and contracts. All around, Joe and MSI both have found a win-win relationship doing business together.

Subscription-based, line of business or segment of IT environment, focused penetration testing. It truly, in my opinion, is the future of security assessments. If you would like to discuss just such a solution, drop me a comment, email or tweet (@lbhuston) or feel free to call 614-351-1237 and talk to one of our account managers. We would love to help you get more from your security budget and find creative ways to make security better and more affordable for your organization too!

MSI is Currently Seeking Resellers for Services and HoneyPoint

Posted on February 23, 2009 by Brent Huston

We are currently seeking resellers for our HoneyPoint line of products and our professional services. We are open to discussing this with any firms interested in creating a virtual security practice and helping us present our HoneyPoint products to their markets.

We have a strong interest in working with partners in South America, Europe and Asia.

If your firm is interested in joining a reseller program that has been performing well for more than a decade and has members from the Fortune 100 to regional specialists, then please read more about the program here and contact us to arrange a discussion.

Our recent expansion of technical staff has created a limited opportunity to bring on new partner relationships. Does your organization have the will and capability to be among the group that leverages our two decades of excellence?

The Economics of Insecurity

Posted on February 16, 2009 by Brent Huston

Wanna be bad at information security? Can you afford it?

Various sources, metrics and industry studies put a variety of numbers to data loss, but the general range is around $200-$250 per compromised customer/client/credit card, etc.

How many pieces of identity data does you company protect? How many clients do you have? How many employees are in your payroll and HR systems?

Information security is expensive. Software, services, assessments, policies, awareness and a myriad of other things all cost money. But, the next time you are asking yourself or upper management about your security budget, remember that $250 number. It may just give you, or someone else, some perspective on just what it all means.

Major Breach at Heartland Payment Systems

Posted on January 21, 2009 by Brent Huston

You’ve heard this story before. A major credit card company has experienced a massive breach. Tons and tons of data was stolen during the incident. They think they have it under control and are working with law enforcement. You should check your statements. Blah, blah, blah…

Once again, though, in this case, the company was certified as PCI compliant by their PCI auditors. If they were all compliant and filled to the brim with “fluffy, compliant goodness” then the attackers must have used some uber-hacking technique, right? Some bleeding edge tool or 0-day exploit that cut right through their defenses and rendered their compliant protections useless? Ummm…. NO…. The mighty technique that caused the damage? A sniffer!!!! (Some of the best technology that the late 80’s/early 90’s had to offer…)

How did I reach this conclusion? From their own press release:

“Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.” — sounds like a sniffer to me….(and a lot of other infosec folks…)

That’s right, the mighty sniffer strikes again. In the last couple of years, this same attack footprint has occurred over and over again. It has been largely successful. Why? Because companies don’t encrypt credit card data in transit across networks. Sure, many of them encrypt the database (not all, but many.) and some use various forms of endpoint protection, but many (way too many apparently) don’t encrypt the credit card data in transit across their networks.

Even worse, the PCI DSS DOES NOT REQUIRE THIS. That is how they can be compliant with PCI and still have this issue. What a cruel joke for consumers.

The DSS requires that organizations encrypt credit card data when it flows across “open, public” networks. Well, guess what, when your network gets compromised, even your “internal, private LAN”, it becomes “public” at least for the attackers. Misconfigure a firewall rule, get a workstation popped, allow a social engineer into the environment and that “private network” is not so private anymore, is it?

But, that never happens, right? Except when it does.

In my opinion, it is high time that organizations realize that compliance is not security. Compliance is a false goal set in sand. The real goal is risk management and data protection. In order to accomplish these goals, you have to make rational decisions and account for real threats, not just checklists compiled by some nebulous group of people in a “one size fits all fashion”. That is a fool’s errand.

As I have been saying for a while now, we have to start thinking differently about security. We have to forget the baselines and look at our risk from the view of a threat agent (a hacker, cyber-criminal, attacker, whatever!). We have to make rational choices that really do protect that which needs to be protected. We have to hope for the best and architect for abject failure. Anything less than that, and this is a story you we will just get to keep on telling….

Interested in learning more about “sniffing”? Click here for a great FAQ.

I also did an interview with Secure Computing Magazine about this. You can read that here.

PHP Threats Continue to Rise But More Work & Education Could Help

Posted on January 13, 2009 by Brent Huston

Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allows our vulnerability management and professional services clients to know that they are better protected, even against bleeding edge threats.

PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so called, “safe mode”, PHP applications can still present a high level of risk. Until, at least, the release and wide scale adoption of PHP 6, issues are likely to continue to abound, maybe even beyond that if the attacker underground has anything to say about it.

PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner and partner to MSI, has even created Sandcat4PHP, a special source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created these images that show the impact that PHP vulnerabilities are having on their work. PHP security issues represent an overwhelming margin of their work for the year.

All of this is not to say that PHP development is a bad thing. In fact, PHP developed applications have empowered many new cutting edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity that they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY, they just require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even those budding developers among us learn the basics of creating secure code. Techniques like input validation, proper sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.

In the meantime, while education is being worked on, it might be a wise idea to take a check around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you desire additional insight into PHP security problems. Keep your eyes on PHP, though, its powerful, flexible capabilities make it a big player in the future of the web!

** Have feedback on this post? Please feel free to leave a comment, drop me a line via email or send me a tweet to @lbhuston on twitter. Thanks for reading! **

Hackers Hate HoneyPoint

Posted on December 4, 2008 by Brent Huston

We have been getting so much great feedback and positive response to our HoneyPoint products that Mary Rose, our marketing person, crafted this logo and is putting together a small campaign based on the idea.

We are continuing to work on new capabilities and uses for HoneyPoint. We have several new tricks up our sleeve and several new ways to use our very own “security swiss army knife”. The capabilities, insights and knowledge that the product brings us is quickly and easily being integrated into our core service offerings. Our assessments and penetration testing brings this “bleeding edge” attack knowledge, threat analysis and risk insight to our work. We are routinely integrating the attack patterns and risk data from our deployed HoneyPoints back into the knowledge mix. We are adding new tools, techniques and risk rating adjustments based on the clear vision we are obtaining from HoneyPoint.

This is just one of the many ways that HoneyPoint and the experience, methodology and dedication of MSI separate us from our competitors. Clients continue to love our rapport, reporting formats, flexibility and deep knowledge – but now, thanks to HoneyPoint, they also enjoy our ability to work with them to create rational defenses to bleeding edge threats.

You can bet that you will see more about HoneyPoint in the future. After all, hackers hate HoneyPoint, and in this case, being hated is fine with us!

Why Replacing Internal NIDS with HoneyPoint is Critical to Your Organization

Posted on October 14, 2008 by Brent Huston

We are in a new age of information security. The primary threats to our critical data assets are well within the firewalls and layered architectures of the degenerative “perimeter”. Attackers can and will leap your firewalls, tunnel through your DMZs and trick your users into being the gateway to attack. The idea of the walled castle as a form of defense is destroyed and no longer serves anyone well.

With 55% of all attacks that cause financial damages to organizations originating internally, it makes sense that organizations change their focus to internal prevention, detection and response. But using a “false positive generator” like Snort!, Proventia or other NIDS approach is just madness. These mechanisms are so fraught with bad data when focused on the typical internal network that applying any attention to them at all is a huge waste of resources. Of course, the vendors will respond with their magic phrases – “tuning” and “managed service” both of which are just marketing speak for “spend more time and resources that you already don’t have on making our tool actually useful”. Don’t believe me, just ask them about applying their tool to a complex internal environment. Our polls, interviews and questions to users of these technology showed immense amounts of time, money and human resources being applied to keeping signatures up to date, tweaking filters and rules to eliminate false positives and spending HUGE amounts of security team time to chase ghosts and sort out useful events from the noise.

Our initial metrics, as we discussed previously showed that we could cut those resource requirements by 60-90% using a different approach. By leveraging the power of HoneyPoints, their deploy and forget architecture and their lack of false positives your organization can reap the reward of better security with less time, money and work. By combining HoneyPoint Security Server and an appropriate log monitoring tool (like OSSEC), organizations have been able to greatly simplify their deployments, reduce their costs and increase their abilities to focus on the security events that matter. Many have relegated their NIDS deployments at the perimeters to being another source of forensic data to be used along with syslog server data, file system analysis and other data sources compiled to provide evidence when a true incident occurs. NIDS at the perimeters have their value here and being a part of solution as a forensic tool makes them effective when needed, but prevents the “attention overload” that they require when used as a data source on a daily basis.

Detection of attackers in your environment IS CRITICAL. But the way you go about it has to make sense from both a security and manageability standpoint. NIDS has proven to be an ineffective solution in terms of allowing organizations with average resources to succeed. There is a way forward. That way is to change the way we think about information security. HoneyPoint Security Server and MicroSolved can help your organization do just that!

Check out http://www.microsolved.com/honeypoint/ for more information, or give us a call and we will be happy to explain how it works!

Please note: Snort! and Proventia are trademarks of their respective companies. They are great tools when applied to appropriate problems, but in the case of internal network security – we just have a better way! 🙂

Myriad of Ways to Trigger Internal DNS Recursion – Please Patch Now!

Posted on July 24, 2008 by Brent Huston

For those organizations who have decided not to patch their DNS servers because they feel protected by implemented controls that only allow recursion from internal systems, we just wanted to point out that there a number of ways that an attacker can cause a recursive query to be performed by an “internal” host.

Here is just a short list of things that an attacker could do to cause internal DNS recursion to occur:

Send an email with an embedded graphic from the site that they want to poison your cache for, which will cause your DNS to do a lookup for that domain if it is not already known by your DNS

Send an email to a mail server that does reverse lookups on the sender domain (would moving your reverse lookup rule down in the rule stack of email filters help minimize this possibility???)

Embed web content on pages that your users visit that would trigger a lookup

Trick users through social engineering into visiting a web site or the like

Use a bot-net (or other malware) controlled system in your environment to do the lookup themselves (they could also use this mechanism to perform “internal” cache poisoning attacks)

The key point here is that many organizations believe that the fact that they don’t allow recursion from external hosts makes them invulnerable to the exploits now circulating in the wild for the DNS issue at hand. While they may be resilient to the “click and drool” hacks, they are far more vulnerable than they believe to a knowledgeable, focused, resourced attacker who might be focused on their environment.

The bottom line solution, in case you are not aware, is to PATCH YOUR DNS SYSTEMS NOW IF THEY ARE NOT PATCHED ALREADY.

Please, do not wait, active and wide scale exploitation is very likely in the very near future, if it is not underway right now!

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Risk Management