Tales From a Non-Security Professional, An End-User’s View

Posted on by
Reply

I’ve been working in the information security business for two years and have been amazed by what I’ve learned during this time. I remember when I thought, “Information security? Sure. A bunch of geeks patrolling their networks.” I had seen the movie Hackers, after all.

But I had no idea of the breadth and depth of information security. Basically, if you’re using technology, your data is at risk. Any piece of technology that you use that has sensitive data stored can be stolen. It is up to an individual to be proactive when it comes to information security instead of assuming “The IT Team” will take care of it.

Case in point: This morning I read an article from Dark Reading about Intel’s workers thwarting a malicious email virus. Pretty cool. Those workers took the initiative. They didn’t say to themselves, “Hmm. this email looks a little dicey, but I’m sure IT has it covered..”

Instead, each worker who recognized the malicious email immediately contacted the IT department. Because of such quick action, the IT department was able to contain the potential risk and take care of it. This type of response doesn’t happen overnight (And hopefully won’t take two years, either.) but was the result of consistent education.

For me, I’ve tightened up my own personal security posture as a result of hearing what happens when you don’t pay attention. Here are a few precautions I’ve taken:

1) Never leave a laptop in the front seat of your car.

      This may seem basic, but many workers who have a company-owned laptop will often put it on the passenger’s side of the car, or on the floor. It is easy to assume that when you stop to get gas and take a quick detour into the convenience store to grab a drink, that no one will bother your car. Don’t bet on it.

According to a CSI/FBI Computer Crime and Security Survey

      , data loss from laptop theft came in third and fourth behind virus attacks and unauthorized access. Make a habit of placing your laptop in your trunk, away from prying eyes. And if you really want to protect it, carry it around with you. I’ve been known to carry my laptop inside a CVS, and restaurants. I usually say to myself, “How inconvenient/annoying/scary would it be if this laptop was stolen?” Yep. It’s going with me.

2) Passwords, smashwords! We all belong to probably way too many websites that require a password to access it. That’s not even counting the passwords we need to remember for our work email, database, or access to the intranet. We’re also told by our friendly IT team that we need to change those passwords on a regular basis. If you have trouble remembering what you had to eat for breakfast yesterday, much less trying to remember a password you created three months ago, I have the solution: a password vault. I can’t tell you how much this has alleviated the stress of remembering and revising passwords. I use KeePassX, an open-source password vault application.

Whenever I change my password, I immediately open the app and update my entry. Whenever I join a new site that requires a password, I’ll add a new entry. It’s simple and quick, and will protect me from some joker trying to hack into my sites. Once you get into a habit of changing your passwords, it becomes easier. Believe me, this is a heckuva lot easier than scratching out various passwords and usernames on a scrap piece of paper, throwing it into your desk drawer and then trying to find it three months later.

3) Delete stupid emails. This goes back to the “Here You Have” virus that the Intel employees avoided opening. They immediately saw the risk and reported it. Don’t open emails from people or groups that you don’t recognize. In fact, I created a spam folder and just move those types of emails into it if the regular spam filter doesn’t catch them. I empty the folder on a regular basis. No matter how enticing an email header is, if you don’t recognize the sender, trash it. For those who are detail-oriented, you really don’t have to open every email you receive. Really. You probably didn’t win that lottery, anyway.

4) Be suspicious. This one is probably the most difficult for me. I’m a friendly person. I like people. I was raised by two very outgoing parents and hence, I have a soft spot for striking up conversations with perfect strangers. I find I’m a magnet for some of them, too. When you’re in your office, this can be used against you by a clever attacker. If you’re an IT staff person, you may get a call from someone who is in some type of a bad spot and needs access to “their” data at work and gosh, could we just skip the authentication process? Because most of us are wired to help others (thank you very much, customer service training), we obviously try to be of assistance. Meanwhile, the attacker is counting on this and will press an employee to give them information without checking their credentials. If anyone calls me and starts asking a bunch of nosy questions, I’ll start asking mine right back: “What company do you represent? What is your name? What is your phone number? Why do you need to know this information?”

Sometimes asking such questions may feel awkward, but remember, we’re protecting our company’s data. We’re on the front line and a little discomfort can go a long way in winning the battle of security.

These are a few things I’ve learned over time. Information security isn’t only the IT department’s job or the CISO/CTO/CIO’s. It’s a job that belongs to everyone. If I could sum it up, I’d say this: Be aware. Be aware of your surroundings, aware of your technology, aware of access points. Keeping your eyes and ears open will not only save you a bunch of headaches (and perhaps your job) but will save your company money. And in today’s economy, that is a very, very good thing.

SAMBA Vuln Could Be Dangerous

Posted on by
Reply

If you are not already looking at the newest SAMBA issue, you should be paying attention. It is a stack-based buffer overflow, exploitable remotely without credentials. The MetaSploit folks are already hard at work on an exploit and some versions are rumored to be floating about the underground.

The vulnerability exists in OS X, Linux and a variety of appliance platforms using the core SAMBA code. Updates are starting to roll into the primary distributions and OS images. Ubuntu, for example, already has a fixed version available.

You can read the SAMBA folks release here for more information.

Likely, wide scale exploitation is on the horizon and malware/worm development is also predicted for this particular issue.

In terms of actions, begin to understand where SAMBA is used in your environment, reduce your attack surfaces as much as possible, implement the patches where available and increase your vigilance on SAMBA utilizing systems/processes.

Keep your eyes on this one. With this also being a fairly heavy/serious Microsoft patch day, your security team and admins might be focused on other things. You don’t want this one to slip through the cracks.

HoneyPoint Wasp is Almost Ready to Leave the Nest

Posted on by
Reply

As many of you may know, the MSI team has been hard at work the last several months finishing the beta of our new compromised workstation detection product, HoneyPoint Wasp. It is a fully integrated component of HoneyPoint Security Server, capable of executing distributed detection and threat monitoring on Windows workstations across enterprises. The initial feedback by the beta group have been absolutely amazing. We are finding bots, malware and compromised hosts in a variety of locations, once thought to be “clean” and “safe”.

Wasp accomplishes this mission by being deployed as a service on workstations and by monitoring for the most common signs of compromise. It can watch for changes in the users, admins, port postures and such. It does white list detection of the running processes and it is even capable of detecting DNS tampering and changes to selected files on the operating system.

Even better, it does this work without the need for workstation event logs, signature updates or tuning. It “learns” about the workstation on which it is deployed and adapts its detection techniques to focus on important changes over the long run.

We designed Wasp to be easy to install, easy to manage and to be transparent to the end – user. As such, it is deployed as a 0-interface piece of software. There are no pop-ups, no GUI and no interaction at all with the user. All alerts are routed to the HoneyPoint console and the security team, eliminating any chance of increased help desk calls, user push back and confusion.

In the next couple of weeks, we will be making some announcements about the general availability of the Wasp product. I hope you will join me in my excitement when we announce this launch. In the meantime, think about what you are doing today to protect against initial stage compromises and congratulate the MSI development team and our beta testers on a job well done. I think you are going to be amazed at how easy, capable and advanced Wasp is, when it is released. I know I continue to be amazed at what it is detecting and how much stuff has evaded current detection techniques.

In the meantime, while we await the full release, check out this PDF for some more information about where we are going with Wasp and our HoneyPoint product line. I think you are going to like the diagrams and the explanations. If you would like to book a special sneak preview of Wasp and the rest of HoneyPoint, give your account executive a call. We will be happy to sit down and discuss it with you. As always, thanks for reading!

Excellent Source for Metrics on PHP RFI

Posted on by
1

My friend Eric has put up some excellent statistics and metrics on PHP RFI attacks against his honeynet. This is some excellent data. If you have read other stuff we have pointed to from Eric, then you know what to expect. But, if you are interested in a real world look at trends and metrics around PHP exposures, give this a few moments of your time.

You can find the interface and metrics set here.

Check it out, I think you’ll be impressed. Thanks, as always, to Eric and other folks in the honeypot community for all of their hard work, time and attention.

If you have some honeypot metrics to share, drop a comment below! As always, thanks for reading!

Stories of Hacking the Human #security

Posted on by
1

He stood before the receptionist, patiently waiting until she was finished with the phone call. He fiddled around with his fake badge while glancing at the security door that led into the main office area, waiting to see if someone would exit or enter soon.

Finally, two employees engaged in conversation exited the door while a small group headed toward it. He darted to join the group while the receptionist continued to look down at her list of R.S.V.P.’s, searching for the business’ name.

As the group entering the office area quickly glanced his way, he shot them an easy grin. “Phone lines,” he quipped as he showed them the badge. “Just upgraded on our end and we want to make sure you don’t miss your phone calls!”

As the group laughed and joked about not really missing calls if they had the opportunity, he scanned the cubicle areas to make a note of which ones were empty. In a few minutes, he’d double-back , slip into one, hack into the network and start snooping around.

In larger corporations, that is how social engineering can happen. Employees are trusting and often distracted by their own sense of security. They see the same people in the office but realize every once in awhile, there is “the new girl” or “new guy.” They trust this person has gone through the proper channels that authorized their presence. And that’s their mistake. Very few ask questions.

Many times, employees find that their desire to be helpful is exploited. What is usually portrayed as good customer service (“Is there anything else you need?”), can be cleverly manipulated by attackers. Often a hacker will appear to be IT staff who needs to verify an employee’s password. When the unsuspecting victim is presented with a plausible reason for taking shortcuts (“I’m so sorry, but it could really help me if you just gave me the password instead of having to bother my supervisor…”), they often comply.

How can employers prevent social engineering attacks? The quick answer is, they can’t. Hackers are becoming more resourceful as organizations initiate more complex security measures. But employers can still take precautions that will help employees recognize that a potential threat exists. Here are some tips:

  • Be aware of your surroundings. Know who is in charge of vetting outside service people so when a strange face appears, they know who to call. Tell employees that entering a secured area means using their badges to gain entry and to make sure everyone follows procedure.

  • Be suspicious. When callers ask for personal information, ask if there is a number you could return their call and then verify their credentials with an internal source.
  • Pay attention to the URL of a website. The page may look the same but the URL will expose it as a fake. Contact the company when in doubt.

    • Using these tips will help your organization avoid becoming a victim. Be alert and you’ll keep your data safe!

    Looking For More Info on SEIM Best Practices?

    Posted on by
    Reply

    I know we get a lot of questions on SEIM tools, their use and the best practices around their deployment and I have talked heavily to some of the folks involved in this SANS webcast tomorrow. If you have an interest in SEIM, I urge you to tune in.

    You can find the details here.

    They got some excellent folks to participate and the content should be quite strong. As always, if you have questions on SEIM deployments, products or use, drop me a line. Always happy to give my 2 cents.

    PS – Special thanks to Scott Gordon for putting this together. I am sorry I could’t personally participate, but it is a very cool thing to bring to the community!

    Passwords, Dinosaurs, and 8-Track Tapes

    Posted on by
    Reply

    What do passwords dinosaurs and 8 track tapes all have in common? Pretty soon they will all be in the same category: things of the past! It’s not just a matter of people using short, simple, “stupid” passwords any more. With advances in easily available and cheap computing power such as advanced graphics processors and solid state drives (SSDs), even long and complex passwords can be cracked in seconds! Not to mention the fact that if you get hacked and someone installs a keylogging Trojan on your machine, it doesn’t matter how long and complex a password you use; it’s game over!

    There are always big concerns about the “exploit du jour” in the information security field. SQL injection, application hacks, XSS, Bots – you name it! But ever since the start the number one way computers get hacked is because of password problems. It’s still going on today! No matter what system one tests, it seems someone has a password of “password” or “admin” or something dumb like that. Or someone forgets to change a blank SA password or forgets to change the default password in some application. Then, of course, there are the system admins who use the same passwords for their user and admin accounts. Instant privilege elevation is given to domain admin and, once again, game over! This is really just a problem of human nature. We all have ambitions to follow the password policies exactly, to use strong passwords all the time, use different passwords for every account, change them on a regular basis, and never reuse the same ones twice, etc. But we all get lazy, or complacent or busy or forget or just screw up! Like I say – human nature.

    What is the upshot of all this? Passwords alone as a security measure are hopelessly inadequate. And they always have been! So what is the answer? Well, obviously, we need to use something in addition to passwords. Ideally it would be preferable to use all three of the possible authentication techniques: something we know, something we have and something we are. But it’s hard enough to get people and organizations to consider even two of the three. There is TREMENDOUS resistance against insisting that everyone use tokens for example. And I can understand that. They cost money, you always have to remember to have them with you, they might break at the most awkward of moments, they can be stolen or they can be lost. Same thing with biometrics. They are expensive, they are not always reliable, they can be often be circumvented and they may leave you open to personal attack or even kidnapping! These are all real issues that need to be addressed and, what’s more, gotten used to. People are just going to eventually come to the realization that one or more of these techniques MUST be used. Until now, though, people have been willing to accept the consequences rather than bite the bullet and put up with the hassles and expense. The tipping point has yet to be reached. But, with identity theft, cyber crime and the increasing ease with which passwords can be stolen or broken that point is now very close indeed!

    In the mean time, we all should REALLY do a much better job in using strong passwords. The new MINIMUM standard for passwords should be 12 characters and they should use at least three of the four possible character types. And that’s just for normal folks. For system admins and other high value access passwords alone should never be enough. These folks should surely be using multi-part authentication techniques no matter what the expense or hassle. After all, they DO hold the keys to the kingdom for all of us!

    Another Good Reason to Increase Internal Security

    Posted on by
    Reply

    Well, the much anticipated 2010 Verizon Data Breach Investigations Report is out, and once again it is an eye-opener! Let me say what a boon these reports are to the infosec community! Verizon and their team are to be praised and congratulated for all their hard work. These reports really help us keep current so we can protect our information from the right threats in the right ways. I know it’s not a large scale study, but I do feel it gives us good indications of trends and threats in the industry.

    This particular threat report mainly gives us the data breach picture for 2009. It was compiled from nearly 900 actual incidents and includes a lot of input from the U. S. Secret Service this year. One of the surprising results of this particular report was the 26% increase in data breaches from insiders. It seems that organized cybercriminals are promising money to insiders with access to administrator level credentials. Unfortunately for these naïve inside individuals, it is proving very easy for the authorities to catch them. Also, it seems, the cybercriminals are usually not even paying them as promised! Despite these facts, it is evidently fairly easy to find plenty of insiders that are willing to sell their credentials. Go figure!

    There are several ways to help counter the insider threat. The easiest thing you can do right off the bat is to ensure that those with high level access to the system don’t use the same credentials for their administrator and user accounts. You’d be amazed at what a common practice this is! All cybercriminals have to do is bust a few user level accounts and there is a VERY good chance that they will then be able to gain administrator level access. Administrator level passwords should be long, strong and ONLY used for administration purposes.

    Another very effective method to counter the insider threat is to use true multi-part authentication mechanisms for administrative level access to the system; especially with very effective mechanisms such as tokens. Employing this practice means that cyber criminals not only have to steal credentials, they also have to get their hands on a token. And even if they do, it only gives them a short time to act; admin tokens are usually missed very quickly. There is also the option to employ biometrics. These can be problematic, but are improving all the time. And effective and reliable biometrics are even harder to overcome than token use.

    You might say that good passwords, biometrics, and tokens won’t keep actual system and database administrators from selling out to the bad guys, which is true. However, there are other mechanisms available that can prevent lone bad-actors from compromising the system. One effective practice is management monitoring of high level access. If, every day, managers are looking at who accesses what and when, then the difficulty of stealing or corrupting data goes WAY up! Also, there are applications out there that can send out alerts when high level access is underway.

    Another method, and a tried and true one, is the use of dual controls. If it takes two individuals to access systems, then cybercriminals have to corrupt two individuals and it becomes even easier for the authorities to figure out who the rats are. I don’t recommend this control except for very high value assets. The downside is that it’s a hassle to implement. There ALWAYS has to be at least two individuals available at all times or access becomes impossible. There are vacations, lunches and breaks to consider, and what happens in true emergencies such as floods, snow storms and the like? But this is a control that has been in use since long before computer systems were in place and it has proven to be very reliable.

    These certainly aren’t all of the controls available to help counter the inside threat. I’m sure that you can come up with some others if you give it a little thought. But used individually, or even better, in combinations, should go a long way in protecting your data from the bad guys within!

    Tips for Input Validation

    Posted on by
    2

    Input validation is the single best defense against injection and XSS vulnerabilities. Done right, proper input validation techniques can make web-applications invulnerable to such attacks. Done incorrectly, they end up bringing little more than a false sense of security. The bad news is that input validation is difficult. “White listing,” or identifying all possible strings accepted as input, is nearly impossible for all but the simplest of applications. “Black listing,” that is parsing the input for bad characters (such as ‘, ;,–, etc.) and dangerous strings, can be challenging as well. Though this is the most common method, it is often the subject of a great deal of challenges as attackers work through various encoding mechanisms, translations and other avoidance tricks to bypass such filters.

    Over the last few years, a single source has emerged for best practices around input validation and other web security issues. The working group OWASP has some great techniques for various languages and server environments. Further, vendors such as Sun, Microsoft and others have created best practice articles and sample code for doing input validation for their servers and products. Check with their knowledge base or support teams for specific information about their platform and the security controls they recommend.

    While application frameworks and web application firewalls are evolving as tools to help with these security problems, proper developer education and ongoing training of your development team about input validation remains the best solution.