InfoWorld Reviews Honey Pots and HoneyPoint

MicroSolved, Inc. was recently featured in InfoWorld’s article, “Intrusion detection honeypots simplify network security,” by Roger A. Grimes.

It’s a great review of MSI’s HoneyPoint technology, along with two other honey pot software solutions. The article is very thorough, testing everything from features and logging capability to ease-of-use and value. As Roger stated, intrusion detection is a complicated business, which is why we continue to strive to increase the visibility of the security team within an ever-increasingly insecure world. His use cases are very specific and the article presents a powerful argument for honey pots and their role in modern information security. We commend the author for his work and very much appreciate HoneyPoint’s inclusion in the solution set.

Some of HoneyPoint’s features, namely defensive fuzzing (HornetPoint behavior) and port mining appear to have been misunderstood by the reviewer. He mistakenly compares it to “tarpitting”, which is a technique used to slow down scans by tampering with the TCP packets in the 3 way handshake to delay connections. HornetPoints do not perform any actions at the packet layer, but instead, apply fuzzing routines within the specific emulated protocol (HTTP, SMTP, etc.) to attempt to cause the scanner or worm to fault on the attacking system, a form of self-defense. Port mining simply shoves a large binary file at attacker tools, again with the intent of crashing them, not simply slowing them down. These differences did not seem to be communicated well in the review when we read it.

We completely agree with the author that HoneyPoint has a large feature set and that our reporting and event tracking make it a powerful enterprise tool. We also appreciate his coverage of the plugin capability that allows users to extend and automate their alerting and response capabilities with HoneyPoint. We designed the product to be easy to use and most customers learn to install, configure and manage the product in a simple 2-4 hour virtual session included in every purchase. Our customer’s experience and rating for ease of use varies from what is presented in the review. Customers continually praise HoneyPoint as being one of the easiest enterprise products they have deployed and used.

Lastly, the author’s review makes the point that honey pot tools cannot bind to ports already in use, making them essentially blind to attack traffic on those services already installed on the hosts on which the tool is running. This is a valid truth and represents one of the core reasons why we felt it was important to design HoneyPoint to run across platforms. If a honey pot product can only run in Windows, it cannot bind to ports like 135-139 and 445, which are the common ports used for Windows CIFS. It also cannot bind to ports, and thus provide detection on Windows RPC ports that are in use. As such, a low interaction honey pot deployed only on a stock Windows workstation cannot perform detection of threats like Conficker and other traditional Windows-centric attacks. This leaves an organization using a Windows-constrained detection tool unable to emulate these services and detect these attacks. HoneyPoint, on the other hand, can just as easily be deployed on Linux as on Windows. Using a simple liveCD install (such as Puppy, DSL or the Ubuntu, etc.) you can deploy HoneyPoint on these ports, emulating Windows and thus gaining detection and visibility not available with a Windows-constrained product. We feel, as do many of our clients, that this is a powerful difference between our product and others and that it gives our clients the ability to stud their environment with detection decoys, even at the Windows protocol level, where others are blind.

We designed HoneyPoint not as an academic tool for laboratory use or for those folks wishing to capture packets of the attack tools and write papers about them, but as a real-life, deploy and forget, enterprise threat management system for businesses interested in breaking the attacker life cycle. We are quite proud that the tool is functional, flexible and simplistic. That was the goal from the beginning. We are as proud of the things that our product DOESN’T do to maintain that core focus as we are of the things it DOES do and how it accomplishes them.

Overall, we are in full agreement with InfoWorld: the impact of honey pots in the corporate environment is best understood by serving as an early-warning system. When honey pots are utilized in this way, they are economical and efficient, yet meet the need to identify threats in the network environment. We extend kudos to Roger for his review and for the hard and complex work he did reviewing and comparing the three products.

MSI welcomes this type of review, because our quest to make you safer is what drives us. Clients tell us that we’re good listeners and we love to hear feedback from the community. We will not stop improving our efforts to protect our clients because frankly, the attackers will not stop searching for vulnerabilities. As always, thanks for reading and stay safe out there!

MSI Partner Syhunt Brings Source Code Scanning to ASP & JSP

Syhunt has launched a very nice and powerful new edition of their Sandcat web application security tool. Sandcat is an extremely thorough and very capable assessment engine for web servers, web applications and web application source code. MSI has been using the tool for many years and we enjoy a very close relationship with the team behind the tool.

In addition to adding new features to the PHP source code scanning, this new release gives users the new capability to do white box testing on web applications for XSS vulnerabilities beyond PHP. The new version now includes cross site scripting checks for classic ASP, ASP.NET and JSP (JavaServer Pages) code modules. Syhunt even plans to further extend the classes of checks in those languages in the coming months. As with PHP source code assessment, this is a very powerful tool for increasing the quality and security of web applications, both new and legacy, around the enterprise.

Check out the new release at http://www.syhunt.com and let them know you heard it about from MSI. The Syhunt team are nice folks and they work very hard to bring you one of the most flexible, powerful and easy to use web application tools on the planet. Give it a shot, we think you’ll become a huge fan too!

HoneyPoint Wasp is Almost Ready to Leave the Nest

As many of you may know, the MSI team has been hard at work the last several months finishing the beta of our new compromised workstation detection product, HoneyPoint Wasp. It is a fully integrated component of HoneyPoint Security Server, capable of executing distributed detection and threat monitoring on Windows workstations across enterprises. The initial feedback by the beta group have been absolutely amazing. We are finding bots, malware and compromised hosts in a variety of locations, once thought to be “clean” and “safe”.

Wasp accomplishes this mission by being deployed as a service on workstations and by monitoring for the most common signs of compromise. It can watch for changes in the users, admins, port postures and such. It does white list detection of the running processes and it is even capable of detecting DNS tampering and changes to selected files on the operating system.

Even better, it does this work without the need for workstation event logs, signature updates or tuning. It “learns” about the workstation on which it is deployed and adapts its detection techniques to focus on important changes over the long run.

We designed Wasp to be easy to install, easy to manage and to be transparent to the end – user. As such, it is deployed as a 0-interface piece of software. There are no pop-ups, no GUI and no interaction at all with the user. All alerts are routed to the HoneyPoint console and the security team, eliminating any chance of increased help desk calls, user push back and confusion.

In the next couple of weeks, we will be making some announcements about the general availability of the Wasp product. I hope you will join me in my excitement when we announce this launch. In the meantime, think about what you are doing today to protect against initial stage compromises and congratulate the MSI development team and our beta testers on a job well done. I think you are going to be amazed at how easy, capable and advanced Wasp is, when it is released. I know I continue to be amazed at what it is detecting and how much stuff has evaded current detection techniques.

In the meantime, while we await the full release, check out this PDF for some more information about where we are going with Wasp and our HoneyPoint product line. I think you are going to like the diagrams and the explanations. If you would like to book a special sneak preview of Wasp and the rest of HoneyPoint, give your account executive a call. We will be happy to sit down and discuss it with you. As always, thanks for reading!

Splunk 4 Review

For this weeks tool review, we’re looking at Splunk. Splunk is a log collection engine at heart, but it’s really more than that. Think of it as search engine for your IT infrastructure. Splunk will actually collect and index anything you can throw at it, and this is what made me want to explore it.

Setting up your Splunk server is easy, there’s installers for every major OS. Run the installer and visit the web front end, and you are in business. Set up any collection sources you need, I started off with syslog. I started a listener in Splunk, and then forwarded my sources to Splunk (I used syslog-ng for this). Splunk will also easily do WMI polling, monitoring local files, change monitoring, or run scripts to generate any data you want. Some data sources require running Splunk as an agent, but it goes easy on system resources as the GUI is turned off. Installing agents is exactly the same process — you just disable the GUI when you’re finished setting up; however you can still control Splunk through the command line.

Splunk can also run addons, in the form of apps. These are plugins that are designed to take and display certain information. There are quite a few, provided both by the Splunk team and also some created by third parties. I found the system monitoring tools to be very helpful. There are scripts for both Windows and Unix. In this instance, it does require running clients on the system. There are also apps designed for Blue Coat, Cisco Security and more.

In my time using Splunk, I’ve found it to be a great tool for watching logs for security issues (brute forcing ssh accounts for example), it was also useful in fine tuning my egress filtering, as I could instantly see what was being blocked by the firewall, and of course the system monitoring aspects are useful. It could find a home in any organization, and it plays nice with other tools or could happily be your main log aggregation system.

Splunk comes in two flavors, free and professional. There’s not a great difference between them. The biggest difference is that with the free version Splunk is limited to 500MB of indexing per day, which proves to be more than enough for most small businesses, and testing for larger environments. Stepping up to the professional version is a lot easier on the pockets than might be expected, only about $3,000.

Review of darkjumper v5.7

In continuing our research and experimentation with PHP and the threat of Remote File Inclusion (RFI), our team has been seeking out and testing various tools that have been made available to help identify web sites that are vulnerable to RFI during our penetration tests. Because we’re constantly finding more tools to add to the list, we’ve started the evaluation this week with the release of darkjumper v5.7. This python tool prides itself on being cross platform, and at first glance, seems rather easy to use. After downloading the tarball and extracting the files, simply calling the script from the command line brings it to life.

Running again with the –help or -h switches will print the options to the menu. This tool has several helpful options that could help expedite the discovery of various attack vectors against the web site. The injection switch incorporates a full barrage of SQLi and blind SQLi attempts against every web site identified on the target server. We did not use this option for this evaluation but intend to thoroughly test it in the future.

Using the inclusion switch will test for both local file inclusion (LFI) and RFI, again on every website identified on the target. This is our main focus for the evaluation since we’ve seen an incredible number of RFI attacks in the recent HITME data from around the globe. Selection of the full switch will attack the target server with the previously mentioned checks, in addition to scanning cgi directories, user enumeration, port scanning, header snatching, and several other possibly useful options. While a full review of this tool will be written eventually, we’re focusing on the RFI capabilities this time, so we’re using this test only against our test target. The test appears quite comprehensive. Another seemingly useful function of this tool is its ability to discover virtual hosts the live on the target server. After a short wait, darkjumper works it’s magic and spits out several files with various information for us to review. After pouring through these files, our team was disappointed to realize that there were URLs that pointed to this server which seem to have been missed by the tools scans. Even more disappointing is the fact that of the 12 target sites identified by the tool, none were the target that we had suspected of being vulnerable to RFI.

File inclusion is a real threat in the wild today. We are seeing newly vulnerable and compromised hosts on a regular basis from the HITME data, and seeing that Apache ships with a default configuration that is vulnerable to these attacks and the fact that PHP is inherently insecure, makes the battle even more intense. It is absolutely critical in this environment that we are hardening our servers before bringing them online. Those of us developing our web applications are validating every bit of information that is submitted to us by our users! Allowing our servers to execute code from an unknown source is one of the most popular attack vectors today from SQL injection, to XSS and XSRF, to RFI. The Internet continues to be a digital equivalent to the wild, wild west, where outlaws abound. There is no guarantee that the users who interface with our sites are who they say they are or that they have the best of intentions. It is up to us to control how our applications and servers are handling this data.

SQL Injection Tools in the Field

As the Internet continues to morph, common attack vectors change. Info Sec professionals once had the ease of scanning a network and leveraging available vulnerabilities to gain a foothold; but now we’re seeing a paradigm shift toward web applications and the security that protects them. I’m sure this is nothing new to our readers! We all see the application as an emerging favorite to gain access to the network; just as we’re seeing the web browser gaining popularity in targeting the end user and workstation.

As our Team continues to provide top notch application assessment services, we’re seeing SQL Injection (SQLi) as one major vector of which to take advantage. Unfortunately, this attack is quite time-consuming, considering the various ways developers code their queries, utilize the architecture involved, and evaluate how the application handles interactions with the database. In an effort to be more efficient in the quest for vulnerable query strings, we have aggressively tested the plethora of SQLi tools that have been publicly released. Initially, the Team hoped to evaluate these tools and provide an extensive review on the performance of each. This tech is sad to report that from the three tools tested recently, not one was successful in the endeavor.

After some discussion, the Team concluded there are simply too many variables in play for one tool to serve as “the silver bullet.” The language and structure of the queries are just a few of the challenges these tools face when sniffing out vulnerable SQL strings. With so many variables for attackers and penetration testers to overcome, SQL injection testing has become extremely difficult to automate reliably! That being said, it appears as if these tools are created for use in such specific circumstances that they’re rendered useless for anything but that one, specialized scenario. So we’re continuing to find this to be a long, drawn out, manual process. This is not a complaint. Our Team loves the challenge! It’s just difficult to find a SQLi tool that can adapt to uses other than that for which the tool was specifically created – commonly a source of frustration when trying to expedite the process and finding little success.