OpenSSL Problem is HUGE – PAY ATTENTION

Posted on April 9, 2014 by Brent Huston

If you use OpenSSL anywhere, or use a product that does (and that’s a LOT of products), you need to understand that a critical vulnerability has been released, along with a variety of tools and exploit code to take advantage of the issue.

The attack allows an attacker to remotely tamper with OpenSSL implementations to dump PLAIN TEXT secrets, passwords, encryption keys, certificates, etc. They can then use this information against you.

THIS IS A SERIOUS ISSUE. Literally, and without exaggeration, the early estimates on this issue are that 90%+ of major web sites and software packages using OpenSSL as a base are vulnerable. This includes HTTPS implementations, many mail server implementations, chat systems, ICS/SCADA devices, SSL VPNs, many embedded devices, etc. The lifetime of this issue is likely to be long and miserable.

Those things that can be patched and upgraded should be done as quickly as possible. Vendors are working on patching their implementations and products, so a lot of updates and patches will be forthcoming in the next few days to weeks. For many sites, patching has already begun, and you might notice a lot of new certificates for sites around the web.

Our best advice at this point is to patch your stuff as quickly as possible. It is also advisable to change any passwords, certificates or credentials that may have been impacted – including on personal sites like banking, forums, Twitter, Facebook, etc. If you aren’t using unique passwords for every site along with a password vault, now is the time to step up. Additionally, this is a good time to implement or enable multi-factor authentication for all accounts where it is possible. These steps will help minimize future attacks and compromises, including fall out from this vulnerability.

Please, socialize this message. All Internet users need to be aware of the problem and the mitigations needed, even for personal safety online.

As always, thanks for reading, and if you have any questions about the issues, please let us know. We are here to help!

Podcast Release: Threats From the Net Feb 2014

Posted on March 11, 2014 by Brent Huston

The Kluniac is back! This month, the ElderGeek covers more emerging issues in infosec that came calling in February.

Give it a listen, and touch base with him on Twitter (@pophop) to tell him what you’d like to hear on upcoming episodes. He loves the chatter and really digs listener feedback.

You can get this month’s episode by clicking here.

Learn More About TigerTrax Services in Our Webinar

Posted on March 5, 2014 by Brent Huston

After the powerful launch of TigerTrax last week, we have put together a webinar for those folks looking to learn more about our TigerTrax™ services and offerings. If you want to hear more about social media code of conduct monitoring, passive analysis and assessments, investigation/forensics and threat intelligence enabled by the new platform, please RSVP.

Our webinar will cover why we built TigerTrax, what it does and how it can help you organization. We will discuss real life engagements using the TigerTrax platform across a variety of verticals and looking at social, technological and trust issues. From data mining threat actors to researching supply chain business partners and from helping pro-sports players defend themselves against accusations to monitoring social media content of key executives, the capabilities and examples are wide ranging and deeply compelling.

Register for the webinar by clicking here. Our team will get you registered and on the way to leveraging a new, exciting, powerful tool in understanding and managing reputational risk on a global scale.

The webinar will be held Wednesday, March 12, 2014 at 3 PM Eastern time. Please RSVP for an invitation. Spots are limited, so please RSVP early.

As always, thanks for reading. And, if you would prefer a private briefing or discussion about TigerTrax, give us a call at (614) 351-1237 x206 and we will get a specialist together with you to help identify how MSI can help your organization.

MSI Announces TigerTrax Reputational Threat Services

Posted on February 24, 2014 by Brent Huston

TigerTrax™ is MSI’s proprietary platform for gathering and analyzing data from the social media sphere and the overall web. This sophisticated platform, originally developed for threat intelligence purposes, provides the team with a unique capability to rapidly and effectively monitor the world’s data streams for potential points of interest.

The uses of the capability include social media code of conduct monitoring, rapid “deep dive” content gathering and analysis, social media investigations & forensics, organizational monitoring/research/profiling and, of course, threat intelligence.

The system is modular in nature, which allows MSI to create a number of “on demand” and managed services around the platform. Today the platform is in use in some of the following ways:

Sports teams are using the services to monitor professional athletes for potential code of conduct and brand damaging behaviors
Sports teams are also using the forensics aspects of the service to help defend their athletes against false behavior-related claims
Additionally, sports teams have begun to use the service for reputational analysis around trades/drafts, etc.
Financial organizations are using the service to monitor social media content for signs of illicit behavior or potential legal/regulatory violations
Talent agencies are monitoring their talent pools for content that could impact their public brands
Law firms are leveraging the service to identify potential issues with a given case and for investigation/forensics
Companies have begun to depend on the service for content monitoring during mergers and acquisitions activities, including quiet period monitoring and pre-offer intelligence
Many, many more uses of the platform are emerging every day

If your organization has a need to understand or monitor the social media sphere and deep web content around an issue, a reputational concern or a code of conduct, discuss how TigerTrax from MSI can help meet your needs with an account executive today.

At a glance call outs:

Social media investigation/forensics and monitoring services
Customized to your specific concerns or code of conduct
Can provide deep dive background information or ongoing monitoring
Actionable reporting with direct support from MSI Analysts
Several pricing plans available

Key Differentiators:

Powerful, customizable, proprietary platform
Automated engines, bleeding edge analytics & human analysts to provide valuable insights
No web portal to learn or analytics software to configure and maintain
No heavy lifting on customers, MSI does the hard work, you get the results
Flexible reporting to meet your business needs

HoneyPoint IP Protection Methodology

Posted on February 13, 2014 by Brent Huston

Here’s another use case scenario for HoneyPoint Security Server. This time, we show the methodology we use to scope a HoneyPoint implementation around protecting a specific set of Intellectual Property (IP).

If you would like an in-depth discussion of our process or our capability, please feel free to reach out to us and schedule a call with our team. No commitment and no hard sale, guaranteed.

If the graphic below is blurry on your device, you can download a PDF version here.

HoneyPoint Trojans Overview

Posted on February 11, 2014 by Brent Huston

Here’s another quick overview graphic of how HoneyPoint Trojans work. We have been using these techniques since around 2008 and they are very powerful.

We have incorporated them into phishing exercises, piracy studies, incident response, intrusion detection, intelligence gathering, marketing analysis and even privacy research. To hear more about HoneyPoint Trojans, give us a call.

If the graphic below is blurry on your device, you can download a PDF version here.

HPTrojanOverview

HoneyPoint in a Point of Sale Network

Posted on February 6, 2014 by Brent Huston

We have been getting a LOT of questions lately about how HoneyPoint Security Server (HPSS) fits into a Point of Sale (POS) network.

To make it pretty easy and as a high level overview, below is a use case diagram we use to discuss the solution. If you would like a walkthrough of our technology, or to discuss how it might fit into your specific use cases, please let us know.

As always, thanks for reading and for partnering with MicroSolved, Inc.

PS – If the graphic below is difficult to read on your device, you can grab a PDF version here.

HP POSNetworks

Touchdown Task for January: Audit Your News Feeds

Posted on January 20, 2014 by Brent Huston

This month, our suggested Touchdown Task is for the security team to do an “audit” of their news/RSS feeds and the other mechanisms by which you get advisories, patch and upgrade alerts, breakout information and details about emerging threats.

Since RSS feeds and account names and such can change, it’s a good idea to review these sources occasionally. Are the feeds you depend on timely and accurate? Have you added new technology to your organization since you last reviewed your advisory feeds? Maybe you might need to add a vendor or regulator feed.

Have a discussion with all of your team members and understand who monitors what. Make sure you have good cross communication, but aren’t struggling with a lot of duplicated efforts.

Once you get your news and threat feeds in order, trace how the information is shared and make sure it is getting to the system and network admins who might need it. Do you have the right people getting the right information? If not, adjust.

Most teams can do this review in less than an hour. So focus, communicate and create a robust way to handle the flow of information.

As always, thanks for reading and stay safe out there!

How Risky is the Endpoint?

Posted on December 26, 2013 by Brent Huston

I found this article quite interesting, as it gives you a heads up about the state of endpoint security, at least according to Ponemon. For those who want to skim, here is a quick summary:

“Maintaining endpoint security is tougher than ever, security professionals say, thanks largely to the huge influx of mobile devices.

According to the annual State of the Endpoint study, conducted by the Ponemon Institute and sponsored by Lumension, 71 percent of security professionals believe that endpoint security threats have become more difficult to stop or mitigate over the past two years.

…More than 75 percent said mobile devices pose the biggest threat in 2014, up from just 9 percent in 2010, according to Ponemon. Some 68 percent say their mobile devices have been targeted by malware in the past 12 months, yet 46 percent of respondents say they do not manage employee-owned mobile devices.

…And unfortunately, 46 percent of our respondents report no efforts are in place to secure them.”

…While 40 percent report they were a victim of a targeted attack in the past year, another 25 percent say they aren’t sure if they have been, which suggests that many organizations don’t have security mechanisms in place to detect such an attack, the study says. For those that have experienced such an attack, spear-phishing emails sent to employees were identified as the No. 1 attack entry point.

…The survey found that 41 percent say they experience more than 50 malware attacks a month, up 15 percent from those that reported that amount three years ago. And malware attacks are costly, with 50 percent saying their operating expenses are increasing and 67 percent saying malware attacks significantly contributed to that rising expense.

…While 65 percent say they prioritize endpoint security, just 29 percent say their budgets have increased in the past 24 months.” — Dark Reading

There are a couple of things I take away from this:

Organizations are still struggling with secure architectures and enclaving, and since that is true, BYOD and visiblility/prevention efforts on end-points are a growing area of frustration.

Organizations that focus on secure architectures and enclaving will have quicker wins
Organizations with the ability to do nuance detection for enclaved systems will have quicker wins

Organizations are still focusing on prevention as a primary control, many of them are seriously neglecting detection and response as control families

Organizations that embrace a balance of prevention/detection/response control families will have quicker wins

Organizations are still struggling in communicating to management and the user population why end-point security is critical to long term success

Many organizations continue to struggle with creating marketing-based messaging for socialization of their security mission

If you would like to discuss some or all of these ideas, feel free to ping me on Twitter (@lbhuston) or drop me an email. MSI is working with a variety of companies on solutions to these problems and we can certainly share what we have learned with your organization as well.

Blast From the Past: D-Link Probes in the HITME

Posted on October 9, 2013 by Brent Huston

We got a few scans for an old D-Link router vulnerability that dates back to 2009. It’s interesting to me how long scanning signatures live in online malware and scanning tools. This has lived for quite a while.

Here are the catches from a HoneyPoint Personal Edition I have deployed at home and exposed to the Internet. Mostly, this is just to give folks looking at the scans in their logs an idea of what is going on. (xxx) replaces the IP address…

2013-10-02 02:46:13 – HoneyPoint received a probe from 71.103.222.99 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46dWA+NXhZQlU1d2VR Connection: keep-alive

2013-10-02 03:22:13 – HoneyPoint received a probe from 71.224.194.47 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Opera/6.x (Linux 2.4.8-26mdk i686; U) [en] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46InkwYi4qMF5wL05G Connection: keep-alive

This probe is often associated with vulnerable D-Link routers, usually older ones, those made between 2006 and mid-2010. The original release and proof of concept exploit tool is here. The scan has also been embedded into several scanning tools and a couple of pieces of malware, so it continues to thrive.

Obviously, if you are using these older D-Link routers at home or in a business, make sure they are updated to the latest firmware, and they may still be vulnerable, depending on their age. You should replace older routers with this vulnerability if they can not be upgraded.

The proof of concept exploit also contains an excellent doc that explains the HNAP protocol in detail. Give it a read. It’s dated, but remains very interesting.

PS – As an aside, I also ran the exploit through VirusTotal to see what kind of detection rate it gets. 0% was the answer, at least for that basic exploit PoC.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Threat-Centric