How to Safely Use a PC and the Internet: Fear Them No More!

Posted on December 16, 2010 by Phil Grimes

As the MicroSolved team strives to bring quality service to our clients, we also make every effort to educate the masses and try to contribute not only to the Info Sec community, but to the “average Joe” out there trying to bank online, check email, or use Facebook without sacrificing their digital security or personal identity.

It’s human nature to fear the unknown. We don’t like to deal with things we don’t understand. Once upon a time, it might have been ok to just avoid what we didn’t know. But today’s world is becoming more and more reliant on machines, computers, and the Internet. Before, a person used be able to go through life without knowing how to work with technology. Today this is becoming more difficult. People use computers at work, at home, and at the store. Children are required to do papers, reports, and projects on a computer- it’s not something that can be easily circumvented any longer.

This being said, it is time to STOP fearing these things. The only way to do is it to face the fear. Realize the machines only do what they’re told- you just need to know how to give the proper orders. Computers are dumb. They’re basically a digital filing cabinet which holds files with digital instructions on them. They can be manipulated to the will of the user, and can be helpful tools once the apprehension subsides. Take a basic course on how to use a PC and the Internet- they’re not costly and should be readily available. If you have trouble finding one, ask around. Many libraries and community centers offer basic introduction courses either for free or at low cost. You don’t need to be a Windows Jedi or a Linux Guru to operate these machines.

The Internet is a staggering creation of man. Nearly everything in the world can be accessed in some form online. Learn what a web browser is, what it does, how to operate it, and how it should behave. Learn to pay attention to how your browser acts when surfing and how commonly visited pages act. When something changes don’t dismiss it! These changes can indicate unsafe conditions and should not be ignored. Using the Internet is a responsibility and users need to be aware when they’re online.

Over the coming weeks, the MicroSolved team will be working to create blog and video content focused on educating end users to keep them safe while surfing the web. If you have a topic you’d like to see covered, contact us! We’re always excited to hear from you.

Touchdown Task #2: Detection: How Much Malware Do You Have? #security

Posted on December 6, 2010 by John Davis

Our last Touchdown task was “Identify and Remove All Network, System and Application Access that does not Require Secure Authentication Credentials or Mechanisms”. This time, it is “Detection”.

When we say “detection” we are talking about detecting attackers and malware on your network.

The best and least expensive method for detecting attackers on your network is system monitoring. This is also the most labor intensive method of detection. If you are a home user or just have a small network to manage, then this is not much of a problem. However, if your network has even a dozen servers and is complex at all, monitoring can become a daunting task. There are tools and techniques available to help in this task, though. There are log aggregators and parsers, for example. These tools take logging information from all of the entities on your system and combine them and/or perform primary analysis of system logs. But they do cost money, so on a large network some expense does creep in.

And then there are signature-based intruder detection, intruder prevention and anti-virus systems. Signature-based means that these systems work by recognizing the code patterns or “signatures” of malware types that have been seen before and are included in their databases. But there are problems with these systems. First, they have to be constantly updated with new malware patterns that emerge literally every day. Secondly, a truly new or “zero day” bit of Malware code goes unrecognized by these systems. Finally, with intruder detection and prevention systems, there are always lots of “false positives”. These systems typically produce so many “hits” that people get tired of monitoring them. And if you don’t go through their results and winnow out the grain from the chaff, they are pretty much useless.

Finally there are anomaly detection systems. Some of these are SEIM or security event and incident management systems. These systems can work very well, but they must be tuned to your network and can be difficult to implement. Another type of anomaly detection system uses “honey pots”. A honey pot is a fake system that sits on your network and appears to be real. An attacker “foot printing” your system or running an exploit cannot tell them from the real thing. Honey pots can emulate file servers, web servers, desk tops or any other system on your network. These are particularly effective because there are virtually no false positives associated with these systems. If someone is messing with a honey pot, you know you have an attacker! Which is exactly what our HoneyPoint Security Server does: identify real threats!

Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack. Give us a call if you’d like us to partner with you for intrusion detection!

3 Changes in Crimeware You Can Count On

Posted on November 22, 2010 by Brent Huston

Crimeware is becoming a significant threat to most organizations. The capability and dependence on crimeware as an attack model is growing. With that in mind, here are 3 things that the folks at MSI think you will see in the next year or two with crimeware:

1. Cross platform crimeware will grow. Attackers will continue to embrace the model of malware that runs everywhere. They will focus on developing tools capable of attacking systems regardless of operating system and will likely include mobile device platform capability as well. They have embraced modern development capabilities and will extend their performance even further in the coming years.

2. Specialized crimeware will continue to evolve. Organized criminals will continue to develop malware capable of focusing in on specific business processes, keying on specific types of data and attacking specific hardware that they know are used in areas they wish to compromise. Whether their targets are general data, ATM hardware, check scanners or the smart grid, the days of crimeware being confined to desktop user PCs are over. The new breed knows how ACH works, can alter firmware and is capable of deeper comprise of specific processes.

3. Crimeware will get better at displacing the attack timeline. Many folks consider malware to be symetric with time. That is, they see it as being operational continually across the event horizon of a security incident. However, this is not always true and attackers are likely to grow their capability in this area in the coming years. Modern malware will be very capable of making its initial compromise, then sitting and waiting to avoid detection or waiting for the right vulnerability/exploit to be discovered, etc. The attacks from the next generations will have a much longer tail and will come in a series of waves and lulls, making detection more difficult and extending the time window of control for the attackers.

MSI believes that organizations need to be aware of these threats and ideas. They must get better at detecting initial stage compromises and begin to focus on closing the window of opportunity attackers now have, once they get a foothold (in most cases days-months). Prevention is becoming increasingly difficult, and while it should not be abandoned, more resources should be shifted into developing the capability to detect incidents and respond to them.

InfoWorld Reviews Honey Pots and HoneyPoint

Posted on November 19, 2010 by Brent Huston

MicroSolved, Inc. was recently featured in InfoWorld’s article, “Intrusion detection honeypots simplify network security,” by Roger A. Grimes.

It’s a great review of MSI’s HoneyPoint technology, along with two other honey pot software solutions. The article is very thorough, testing everything from features and logging capability to ease-of-use and value. As Roger stated, intrusion detection is a complicated business, which is why we continue to strive to increase the visibility of the security team within an ever-increasingly insecure world. His use cases are very specific and the article presents a powerful argument for honey pots and their role in modern information security. We commend the author for his work and very much appreciate HoneyPoint’s inclusion in the solution set.

Some of HoneyPoint’s features, namely defensive fuzzing (HornetPoint behavior) and port mining appear to have been misunderstood by the reviewer. He mistakenly compares it to “tarpitting”, which is a technique used to slow down scans by tampering with the TCP packets in the 3 way handshake to delay connections. HornetPoints do not perform any actions at the packet layer, but instead, apply fuzzing routines within the specific emulated protocol (HTTP, SMTP, etc.) to attempt to cause the scanner or worm to fault on the attacking system, a form of self-defense. Port mining simply shoves a large binary file at attacker tools, again with the intent of crashing them, not simply slowing them down. These differences did not seem to be communicated well in the review when we read it.

We completely agree with the author that HoneyPoint has a large feature set and that our reporting and event tracking make it a powerful enterprise tool. We also appreciate his coverage of the plugin capability that allows users to extend and automate their alerting and response capabilities with HoneyPoint. We designed the product to be easy to use and most customers learn to install, configure and manage the product in a simple 2-4 hour virtual session included in every purchase. Our customer’s experience and rating for ease of use varies from what is presented in the review. Customers continually praise HoneyPoint as being one of the easiest enterprise products they have deployed and used.

Lastly, the author’s review makes the point that honey pot tools cannot bind to ports already in use, making them essentially blind to attack traffic on those services already installed on the hosts on which the tool is running. This is a valid truth and represents one of the core reasons why we felt it was important to design HoneyPoint to run across platforms. If a honey pot product can only run in Windows, it cannot bind to ports like 135-139 and 445, which are the common ports used for Windows CIFS. It also cannot bind to ports, and thus provide detection on Windows RPC ports that are in use. As such, a low interaction honey pot deployed only on a stock Windows workstation cannot perform detection of threats like Conficker and other traditional Windows-centric attacks. This leaves an organization using a Windows-constrained detection tool unable to emulate these services and detect these attacks. HoneyPoint, on the other hand, can just as easily be deployed on Linux as on Windows. Using a simple liveCD install (such as Puppy, DSL or the Ubuntu, etc.) you can deploy HoneyPoint on these ports, emulating Windows and thus gaining detection and visibility not available with a Windows-constrained product. We feel, as do many of our clients, that this is a powerful difference between our product and others and that it gives our clients the ability to stud their environment with detection decoys, even at the Windows protocol level, where others are blind.

We designed HoneyPoint not as an academic tool for laboratory use or for those folks wishing to capture packets of the attack tools and write papers about them, but as a real-life, deploy and forget, enterprise threat management system for businesses interested in breaking the attacker life cycle. We are quite proud that the tool is functional, flexible and simplistic. That was the goal from the beginning. We are as proud of the things that our product DOESN’T do to maintain that core focus as we are of the things it DOES do and how it accomplishes them.

Overall, we are in full agreement with InfoWorld: the impact of honey pots in the corporate environment is best understood by serving as an early-warning system. When honey pots are utilized in this way, they are economical and efficient, yet meet the need to identify threats in the network environment. We extend kudos to Roger for his review and for the hard and complex work he did reviewing and comparing the three products.

MSI welcomes this type of review, because our quest to make you safer is what drives us. Clients tell us that we’re good listeners and we love to hear feedback from the community. We will not stop improving our efforts to protect our clients because frankly, the attackers will not stop searching for vulnerabilities. As always, thanks for reading and stay safe out there!

OpenSSL Vulnerability

Posted on November 17, 2010 by Brent Huston

A new security issue in OpenSSL should be on the radar of your security team. While Stunnel and Apache are NOT affected, many many other packages appear to be. The issue allows denial of service and possibly remote code execution.

Patches for OpenSSL and many packages that use it are starting to roll in. Check with your favorite vendor on the issue for more information. The CVE is: CVE-2010-3864

HoneyPoint users who leverage black hole defenses should ensure that they have exposed port 443/tcp honeypoints and have dilated other common ports for their applications that might be vulnerable. Internal HoneyPoint users should already have these ports deployed, but if not, now is a good time to ensure that you have HoneyPoint coverage for any internal applications that might be using OpenSSL. Detecting scans and probes across the environment for this issue is highly suggested given the high number of impacted applications and platforms.

If you have any questions about this issue or the proper HoneyPoint deployment to detect probes and scans for it, please give us a call or drop us a line. We will be happy to discuss it and assist you.

Tip: Pre-loading Wasp Configuration Databases

Posted on November 8, 2010 by Brent Huston

Thanks to a couple of users who have provided this excellent tip for reducing the initial number of alerts that come in when you first deploy HoneyPoint Wasp as it learns it’s environment.

The tip is to load an initial copy of Wasp on a trusted, fresh desktop workstation image and then execute all of the applications your organization generally supports. Then, let the Wasp run for about 48 hours and populate its database with the accepted applications and the like from the default image.

Once complete, use copies of this database in your installation across the enterprise. You will then get delta alerts instead of the base alerts for things you already know and trust. This eliminates the initial set of alerts from each Wasp workstation you deploy and greatly reduces the management load of the initial roll out.

Thanks to the two folks who really worked out this method, tested it and wrote up notes for us to share the idea with you. Much appreciated!

To learn more about using Wasp to extend your malware protection, gain security visibility easily to the workstation layer and create anomaly detection techniques for your security program, give us a call or drop us a line. We look forward to sharing tips like these and success stories with you as they come in from users.

Using ProFTPd for Core Processing Anywhere?

Posted on November 2, 2010 by Brent Huston

If so, you might want to pay attention to this announcement of a critical remote vulnerability in the daemon. You can read the alert here. A patch is now available and should be applied quickly if you have core processes using this application.

No authentication is required and it is a pretty straight forward buffer overflow, so exploit code should be easy to design and use. Common framework exploits are expected shortly.

Usually ProFTPd is used as a part of core processing, data warehousing and other heavy data processing solutions across a variety of platforms and industries. You can find installations remotely using nmap -sV scans on your network. Nmap is pretty good at identifying ProFTPd installs.

HoneyPoint users might want to consider deploying port 21/tcp (ftp) listeners to watch for scans for vulnerable servers by attackers. Detected scanning IPs should be investigated on internal networks and black holed on Internet facing segments.

Great article on File Crypto Tools

Posted on November 1, 2010 by Brent Huston

I saw this excellent article this morning that covers 5 basic tools for doing file cryptography across platforms. Many of these tools are great solutions and we use them frequently with clients. In particular, we find True Crypt to be a very powerful and useful tool. Many client have embraced this solution for laptop encryption, leveraging the free price and benefit for compliance.

You can read more about these tools here.

Check them out and use the ones that fit your needs in your organization. They are great tools for keeping your business, your business.

Keep Your Eyes on This Adobe 0-Day

Posted on October 29, 2010 by Brent Huston

A new Adobe exploit is circulating via Flash movies in the last day or so. Looks like the vulnerability is present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures and evolves and gets patched, it is a good time to double check your patching process for workstation and server 3rd party software. That should now be a regular patching process like your ongoing operating system patches at this point. If not, then it is time to make it so.

Users of HoneyPoint Wasp should be able to easily any systems compromised via this attack vector using the white listing detection mechanism. Keep a closer than usual eye out for suspicious new processes running on workstations until the organization has applied the patch across the workstation environment.

MSI :: State of Security

Insight from the Information Security Experts