Horrible Ideas, Modeled & Profiled

Posted on by
Reply

Just a quick note this time about the HITME (HoneyPoint Internet Threat Monitoring Environment). One of the best uses for having the kind of global honeynet that we have deployed in the incarnation of the software is that you can create actual working models for a mistake or a horrible security idea.

Want to know what happens if you accidentally expose an internal system to the public Internet for 24 hours? We can quickly (in less than 30 mins) build an emulation for it and use a decoy dropped into place on your network to measure and model that risk over a period of time. You can get a real life set of metrics for how many probes it receives, from where and for what the attackers are looking. You can find out how long the average time is before the issue is identified by an attacker. You can even work up a profile of what sources, their locale and their capability to add to your risk assessments. These kinds of metrics, tied to a strong mathematical model (like FAIR) make for fantastic real world analysis.

You can do the same with web applications. Want to know what kind of attacks you can expect if you put in a new VPN portal at your managed hosting provider? No problem. We create an emulation and drop a decoy into their ESX(i) infrastrcuture, monitor it for 30 days and work up the data into a report for you. Now you can take that data and feed into a risk assessment, work out compensating controls and even get a budget idea for what it will take to secure such an infrastructure. We can also do this in multiple places and then work with the reporting you get from several vendors, using this mock up as a bake off data point to help you determine if your exposures and risks are higher from one hosting provider to another, what kinds of reporting you get from each, how effective their prevention and detection programs are, etc. We’ve even had a couple of organizations drop in temporary HoneyPoint decoys while being audited or undergoing penetration testing to get a third party view of how effective and capable their assessment and testing process has been.

The coolest thing to me about HoneyPoint is not the bleeding-edge attacks you can capture, nor the insights into attacker behavior it brings. Instead it’s the wide array of business problems that it can lend real world insight to inside the security world. It truly makes it easy to model and measure some of the most horrible ideas that an admin or developer can have. Wanna know more about the mistakes you make or might make in the future? Wanna measure attack interactions or generate metrics to feed a better risk assessment? Give us a call, we’ll be glad to discuss how you can take the next step in threat-centric information security with HoneyPoint!

Think You Can’t Afford Code/App Testing? Think Again!

Posted on by
Reply

According to this article, most companies skimp on third-party code checks.

Over the years, in our application testing services, we have found a variety of reasons why people skip code review and even application testing from a blackbox standpoint. The main objection we hear is cost. The cost of code review is often quite a bit higher than they expect. In some cases, we have seen where code review quotes from some vendors have been as much as 40% of the total development costs!

Now, that said, things are shifting. Today, you have a plethora of code review automation tools and source code scanners. These tools make an easy way to pick the low hanging (and sometimes higher, depending on language/complexity & tool variables) vulnerabilities out of your code long before it is exposed to malicious outsider/insider contact. (You do have a DEV and QA environment, now, right? Hint, Hint!) A quick list of code scanning tools is here.  Even more are available.

For example our favorite PHP scanner, SandCat Hybrid is not on the list yet, but is widely available and used today. Pricing for some of these tools varies from FREE (like beer AND like speech) to hundreds of thousands of dollars per year. With a little research work, you can likely find a tool to meet your needs. Need help picking a tool? Just drop us a line, we would be happy to help.

Having a tool is one thing, using it and applying what you learn is another. You will need to create processes to make use of the tool. You will need to define where in your development and product purchasing processes the assessments should take place. You will need someone to run the tool and analyze the results. You will need someone to help work with the developers to make sure that any identified weaknesses are mitigated or that compensating controls are employed appropriately to minimize any defects not cost effectively fixed. This takes time, skill, knowledge and talent. However, if you want this skill ad-hoc or via a subscription, both are available from MicroSolved. Just drop us a line or give us a call and we can work together to design a toolset and skill set appropriate to your needs.

Using this approach, you don’t have to be one of the firms ignoring code review and application testing. You CAN afford to perform testing prior to product launch, deployment or upgrades. We can help you design a solution that fits your business needs and your risk tolerance. Rise above your competitors (who are likely in that 65% of companies NOT doing testing) and began offering software and products that have been assured to protect their privacy. We can help and together, we can make it safer for all of us online.

From the Tweetstream: What HITME Caught: Ongoing Defacement Campaign

Posted on by
Reply

Recently, we noticed our @HoneyPoint account, (HoneyPoint Internet Threat Monitoring Environment or HITME) was getting pinged. What we found is explained below:

 

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67954775886544896″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67955056300920832″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67955546187243520″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67973785218859008″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67974149250879489″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67984136337498113″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67985250583715840″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67985707125325824″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/67990169353068544″]

 

Calling Central Ohio CIOs, CTOs, and IT Warriors: InfoSec Summit Next Week!

Posted on by
Reply

We’re getting excited about the upcoming Central Ohio InfoSec Summit, held at the Hyatt Regency in Columbus next week on Thursday, May 12 and Friday, May 13.

Our CEO, Brent Huston will be speaking and also Phil Grimes, Security Analyst.

I’ll be floating around, helping Constance Matthews, our Account Executive, with registration and other fun activities, which you’ll learn about during Brent’s presentation, so don’t miss out!

If you’re not registered yet, here’s the link. Each year this summit gets better and better. The speakers are top notch, and incredibly generous with their expertise. And the food is fabulous, as well as the reception Thursday evening.

We hope to see you there!

Tales from the Tweetstream: Are You Trusting AV Software Alone to Detect Malware?

Posted on by
Reply

(To read more interesting discoveries, follow Brent Huston on Twitter.)

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61498319142260737″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61499509645127680″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61499751950069760″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61513076557615104″]

AV software is not a “deploy and forget” solution to detect malware. More surveillance is needed, such as checking the logs to see if there are any occurrences of strange activity. Too often, attackers can drop files in the PHP servers and AV software will rarely detect it.

As I said, the moral of the story is that if you’re depending upon an AV detection mechanism for compromised PHP servers, you’re mistaken. Protect your servers by analyzing your logs. And using our HoneyPoint Wasp would help greatly by giving you more visibility and alerts when malware has entered into your system.

The Holy Grail of Information Security

Posted on by
1

Have you ever heard of the list of most needed inventions?

These are the sorts of inventions that, if realized, would overcome technological hurdles that are preventing mankind from reaching our most cherished dreams. Room temperature super conductors, advanced nanotechnology and practical fusion power are just a few. There are a number of inventions like this that are needed to make information security a reliable, efficient and low cost process. And chief among them is the Holy Grail of information security: an un-spoofable identity authentication mechanism.

Just think of it! A way for people and machines to know with a certainty that it is you and only you that they are communicating with. No more worries that someone will steal your identity and empty your bank accounts. No problems with cyber criminals impersonating IT personnel and stealing information or crashing systems. Think of the money and time you could save on complex intrusion detection and prevention systems and complicated processes. It is fun to contemplate. But, unfortunately, it is all just wishful thinking. Despite years of concentrated thought and effort, nobody has a clue how to make it work!

There are just three ways known to authenticate identity:

  • Using something you know
  • Using something you have or
  • Using something you are

When talking about authenticating yourself to a computer system, something you know is typically a user name, a password or an encryption key. I think all of us know that despite all efforts to keep these mechanisms secret and secure, it doesn’t prevent intruders from getting them. The problem is that people have to know them, they need to store them and they need to use them, and that makes them vulnerable. So something you know isn’t the answer.

Let’s go to the second mechanism: something you have. In the computer world this is usually a smart card, token or the like. Combined with a user name and password, this mechanism provides another layer of security that can be very effective. But it is far from perfect. Smart cards and tokens can be stolen or misplaced. Perhaps a certificate authority or token provider’s servers are compromised. Some mechanisms can be reverse engineered. So, the upshot is, you can add something you have, to something you know and get better, albeit far from perfect, identity authentication. But the cost you pay in dollars and personnel hours has just gone way up.

So let’s go to the final possible authentication mechanism: something you are. For computer systems this is presently typically finger prints or retinal scans, although other possible mechanisms include facial recognition, voice recognition, heuristics (behavior matching) and DNA matching. This mechanism, once again, provides added security to the identity authentication process, but still is not perfect. For one thing, this kind of authentication mechanism works best in person. If a fingerprint, for example, is transmitted it really travels as a series of electromagnetic signals and these can be spoofed. But even in person, this type of mechanism can possibly be spoofed. So adding something you are to something you have and something you know once again makes it much more difficult to spoof identity, but still doesn’t render it impossible. And imagine the added burden in money and inconvenience using all three mechanisms would mean to your organization! Seems like way too much just to protect some financial data or health information, huh?

So, please, let’s all of us spend some thought trying to find the perfect identity authentication mechanism. It may be like trying to come up with perpetual motion, but if you do manage it, I guarantee you the rewards will keep you and yours in clover for the rest of your lives!

HoneyPoint Wasp Now Monitors Domain User and Admin Accounts

Posted on by
Reply


Do you:

  • Need a quick and easy way to provide monitoring of when new user accounts are created in your AD forest and domains?

    •  

  • Need an easy way to know when a user becomes a member of the administrator groups?

    •  

  • Want a powerful, flexible and effective tool for knowing what is running on your AD servers and when new code gets executed on these critical devices?

    •  

If you answered yes to any of these questions, read on.

HoneyPoint Wasp, a bleeding edge tool for anomaly detection on Windows Desktops and Servers has just been enhanced with the current release to extend these types of coverage (and more) to Windows 2003 & 2008 servers running an AD context of Primary Domain Controller & Backup Domain Controller. Yes, our customers have been asking for it, and we listened. Now, with a simple, no signature/no tuning/0-interface deployment, you can get centralized monitoring and visibility over your critical AD identity store. You can know what is running on these essential servers all of the time and when new users are created or promoted to administrative status.

Attackers commonly infect AD components as they move through the enterprise, often adding and promoting users as they go. In most incidents we have worked over the last several years, these changes have usually gone unnoticed until it was too late. That’s exactly why we built HoneyPoint in general and Wasp in particular, to answer this dire need and to help turn the tide against malware-based compromises.

Want to discuss how Wasp fits in your organization? Simply drop us a line at: (1info2@3microsolved4.5com6) (remove the numbers/spam protection), or give us a call at 614-351-1237 to discuss it with your account rep. Wasp is powerful, yet easy to use, detection and with it in your corner, “Attackers Get Stung, Instead of YOU.”

Thanks for reading and stay safe out there!

All Your Creds Are Belong To Us? How To Harden Your Passwords and Protect Your ‘Base.’

Posted on by
Reply

In an article published some time ago, a project led by a computer science professor at Columbia University had done some preliminary scanning of some of the largest Internet Service Providers (ISPs) in North America, Europe, and Asia and uncovered thousands of embedded devices susceptible to attack, thanks to default credentials and remote administration panels being available to the Internet.

This is amazing to us here at MSI. It is astounding that such a number of people (and possibly organizations) who don’t take into account the security implications of not changing these credentials on outward facing devices, exists! This goes beyond patching systems and having strong password policies. It’s highly unlikely you’re developing strong passwords internally if you’re not even changing what attackers know is true externally.

The fact that these devices are available is quite scary. It becomes trivial for an attacker to take over control of what is likely the only gateway in a residential network. The average user has little need to access these devices on a regular basis, so hardening the password and recording it on paper or even using a password vault like TrueCrypt is a good option for reducing the threat level. More importantly, how many home users need outside access to their gateway?

This all goes back to the common theme of being an easy target. If you let attackers see you as the low hanging fruit, you’re just asking to become a statistic. This is the digital equivalent to walking down a dangerous street at night with your head down, shoulders slumped, avoiding eye contact, and having hundred dollar bills popping out of your pockets! We can’t make it easy for them. It’s important that we make them think twice about attacking us- and simple things like changing default passwords or patching our machines (automatic updates, anyone?) allow us to take advantage of that 80% result with only 20% effort!

Martin McKeay Interview: Verizon Data Breach Investigations Report

Posted on by
Reply

I just listened to Martin McKeay’s interview with Alex Hutton and Chris Porter on the latest Verizon Data Breach Investigations Report.

It’s a good interview, with Hutton and Porter both outlining how the report compared with last year’s and what surprised them. Here’s a link to the report.

Check out the podcast, which is about 30 minutes in length. And if you can figure out what the “secret code” is on the report’s cover, let us know. We like mysteries!

Massachusetts Getting Tough On Data Breach Law

Posted on by
Reply

From Slashdot:

“A Massachusetts restaurant chain was the first company fined under the state’s toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons’ personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley.”

Full Story

This is exactly why we developed our latest addition to our HoneyPoint family of products: HoneyPoint Wasp. It is a great way to monitor Windows-based desktops with minimal fuss, decreasing help desk calls while allowing the IT department to quickly take action when malware is detected. Learn more about HoneyPoint Wasp.