Tip: Pre-loading Wasp Configuration Databases

Thanks to a couple of users who have provided this excellent tip for reducing the initial number of alerts that come in when you first deploy HoneyPoint Wasp as it learns its environment.

The tip is to load an initial copy of Wasp on a trusted, fresh desktop workstation image and then execute all of the applications your organization generally supports. Then let Wasp run for about 48 hours and populate its database with the accepted applications and the like from the default image.

Once complete, use copies of this database in your installation across the enterprise. You will then get delta alerts instead of the base alerts for things you already know and trust. This eliminates the initial set of alerts from each Wasp workstation you deploy and greatly reduces the management load of the initial roll out.

Thanks to the two folks who really worked out this method, tested it and wrote up notes for us to share the idea with you. Much appreciated!

To learn more about using Wasp to extend your malware protection, gain security visibility easily to the workstation layer and create anomaly detection techniques for your security program, give us a call or drop us a line. We look forward to sharing tips like these and success stories with you as they come in from users.

Using ProFTPd for Core Processing Anywhere?

If so, you might want to pay attention to this announcement of a critical remote vulnerability in the daemon. You can read the alert here. A patch is now available and should be applied quickly if you have core processes using this application.

No authentication is required and it is a pretty straightforward buffer overflow, so exploit code should be easy to design and use. Exploits for the common frameworks are expected shortly.

ProFTPd is commonly used as part of core processing, data warehousing and other heavy data processing solutions across a variety of platforms and industries. You can find installations remotely using nmap -sV scans on your network; nmap is pretty good at identifying ProFTPd installs from the service banner.
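If you run the scan with greppable output (nmap -sV -p 21 --open -oG), the banner lands in the version field of each port entry and is easy to pull out. The script below is an added example, not part of the original post or of nmap; the scan output embedded in it is constructed for illustration, and the host addresses are made up.

```python
import re

# Added example (not from the original post): pick ProFTPD servers out of the
# greppable output of "nmap -sV -p 21 --open -oG - <targets>".
# The scan text below is constructed for illustration. For a real run:
#   nmap -sV -p 21 --open -oG proftpd.gnmap 10.0.0.0/24
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated as: nmap -sV -p 21 --open -oG - 10.0.0.0/24
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3a/
Host: 10.0.0.9 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/
Host: 10.0.0.12 (fileserver.example.internal)\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.2e/
Host: 10.0.0.20 ()\tPorts: 21/open/tcp//ftp///
# Nmap done at ...: 4 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_gnmap(text):
    """Yield (ip, hostname, port, state, service, version) for every port entry.

    Greppable port entries are slash-separated:
    port/state/proto/owner/service/rpcinfo/version/ and comma-separated per host.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, _proto, _owner, service, _rpc, version = fields[:7]
            yield ip, hostname, int(port), state, service, version


def find_proftpd(text):
    """Return [(ip, version_banner)] for hosts whose open port 21 names ProFTPD."""
    hits = []
    for ip, _host, port, state, _svc, version in parse_gnmap(text):
        if port == 21 and state == "open" and "proftpd" in version.lower():
            hits.append((ip, version))
    return hits


if __name__ == "__main__":
    for ip, version in find_proftpd(SAMPLE_GNMAP):
        print(f"{ip:<16} {version}")
```

Treat the version string as a lead, not proof: -sV reads the banner, and a patched build can keep the old banner, so confirm the package version on the host before closing the finding.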

HoneyPoint users might want to consider deploying port 21/tcp (ftp) listeners to watch for attackers scanning for vulnerable servers. Detected scanning IPs should be investigated on internal networks and black-holed on Internet-facing segments.

Great article on File Crypto Tools

I saw this excellent article this morning that covers 5 basic tools for doing file cryptography across platforms. Many of these tools are great solutions and we use them frequently with clients. In particular, we find TrueCrypt to be a very powerful and useful tool. Many clients have embraced this solution for laptop encryption, taking advantage of its zero cost and the benefit it brings for compliance.

You can read more about these tools here.

Check them out and use the ones that fit your needs in your organization. They are great tools for keeping your business, your business.

Keep Your Eyes on This Adobe 0-Day

A new Adobe exploit is circulating via Flash movies in the last day or so. Looks like the vulnerability is present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures and evolves and gets patched, it is a good time to double check your patching process for workstation and server 3rd party software. By now that should be a regular patching process, just like your ongoing operating system patches. If it is not, then it is time to make it so.

Users of HoneyPoint Wasp should be able to easily detect any systems compromised via this attack vector using the whitelisting detection mechanism. Keep a closer than usual eye out for suspicious new processes running on workstations until the organization has applied the patch across the workstation environment.
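Both the pre-loading tip at the top of this page and the whitelisting point above come down to the same mechanism: hash what runs on a trusted image, then alert only on what differs on a deployed workstation. The script below is an added example of that delta logic and is not HoneyPoint code; the two inventories it compares are constructed, with made-up paths and contents standing in for real executables.

```python
import hashlib

# Added example, not HoneyPoint code: the logic behind pre-loading a baseline
# database from a trusted image and alerting only on the delta. The two
# inventories below are constructed (path -> executable bytes); a real
# collector would hash the files on disk and read the running process list.


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def build_baseline(image_inventory):
    """Hash every executable on the golden image: {path: sha256}."""
    return {path: sha256_hex(blob) for path, blob in image_inventory.items()}


def delta_alerts(baseline, observed):
    """Compare one workstation's executables with the baseline.

    Returns a sorted list of (alert_type, path, detail):
      'changed' - known path, different contents (patched or trojaned binary)
      'moved'   - contents match a trusted binary but it runs from a new path
      'new'     - neither path nor contents were ever seen on the golden image
    Anything matching the baseline exactly produces no alert at all.
    """
    trusted_hashes = {digest: path for path, digest in baseline.items()}
    alerts = []
    for path, blob in observed.items():
        digest = sha256_hex(blob)
        if path in baseline:
            if baseline[path] != digest:
                alerts.append(("changed", path, f"{baseline[path][:12]} -> {digest[:12]}"))
        elif digest in trusted_hashes:
            alerts.append(("moved", path, f"same bytes as {trusted_hashes[digest]}"))
        else:
            alerts.append(("new", path, digest[:12]))
    return sorted(alerts)


# Constructed golden image: the apps the organization supports, run for 48h.
TRUSTED_IMAGE = {
    r"C:\Windows\System32\svchost.exe": b"svchost build 7600",
    r"C:\Program Files\Office\winword.exe": b"winword 14.0",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe": b"acrord32 9.4",
}

# Constructed workstation snapshot taken after deployment.
WORKSTATION = {
    r"C:\Windows\System32\svchost.exe": b"svchost build 7600",                # unchanged
    r"C:\Program Files\Office\winword.exe": b"winword 14.0",                   # unchanged
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe": b"acrord32 9.4 +patch",     # contents differ
    r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe": b"svchost build 7600",    # known binary, odd place
    r"C:\Users\jdoe\AppData\Local\Temp\update.exe": b"dropper",               # never seen before
}

if __name__ == "__main__":
    for kind, path, detail in delta_alerts(build_baseline(TRUSTED_IMAGE), WORKSTATION):
        print(f"{kind:<8} {path}  ({detail})")
```

Keying on both path and hash is what makes a pre-loaded baseline useful after a patch cycle: a legitimately updated Reader shows up once as "changed" and can be accepted into the database, while a known-good binary copied into a user's Temp directory still stands out as "moved".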

MSI Partner Syhunt Brings Source Code Scanning to ASP & JSP

Syhunt has launched a very nice and powerful new edition of their Sandcat web application security tool. Sandcat is an extremely thorough and very capable assessment engine for web servers, web applications and web application source code. MSI has been using the tool for many years and we enjoy a very close relationship with the team behind the tool.

In addition to adding new features to the PHP source code scanning, this new release gives users the new capability to do white box testing on web applications for XSS vulnerabilities beyond PHP. The new version now includes cross site scripting checks for classic ASP, ASP.NET and JSP (JavaServer Pages) code modules. Syhunt even plans to further extend the classes of checks in those languages in the coming months. As with PHP source code assessment, this is a very powerful tool for increasing the quality and security of web applications, both new and legacy, around the enterprise.
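To make the idea of a white-box XSS check concrete, here is an added example that is not Syhunt's code and does not describe how Sandcat's checks actually work: a deliberately small, heuristic scanner that flags output expressions in JSP, classic ASP and ASP.NET source which echo request data without passing it through a known HTML encoder. The page fragments it scans are constructed, and the source/encoder lists are assumptions you would extend for your own code base.

```python
import re

# Added example, not Syhunt's code: a heuristic white-box XSS check for JSP,
# classic ASP and ASP.NET. It flags a sink that emits request data without a
# recognised HTML encoder. The page snippets are constructed for illustration.

# Where untrusted input comes from in each dialect (assumed, extend as needed).
SOURCES = (
    "request.getParameter(", "request.getHeader(", "request.getQueryString(",  # JSP
    "Request.QueryString", "Request.Form", "Request.Cookies", "Request(",      # ASP / ASP.NET
    "Request.Params", "Request.Headers",
)
# Encoders that neutralise output into an HTML body or attribute context.
ENCODERS = (
    "fn:escapeXml(", "escapeHtml(", "StringEscapeUtils.escapeHtml",   # JSP
    "Server.HTMLEncode(", "HttpUtility.HtmlEncode(", "HtmlEncode(",   # ASP / ASP.NET
    "AntiXss.", "Encoder.HtmlEncode(",
)

# Sinks: <%= expr %> (all three dialects), Response.Write(...) (ASP), and raw
# JSP EL ${param.x}. <%: expr %> (ASP.NET 4) and <c:out> encode by default.
SINK_RES = [
    re.compile(r"<%=\s*(.*?)\s*%>", re.S),
    re.compile(r"Response\.Write\s*\((.*)\)"),
    re.compile(r"\$\{\s*(param\.\w+)\s*\}"),
]
C_OUT_RE = re.compile(r"<c:out\b[^>]*>", re.I)


def _uses_source(expr):
    e = expr.lower()
    return e.startswith("param.") or any(s.lower() in e for s in SOURCES)


def _is_encoded(expr):
    e = expr.lower()
    return any(enc.lower() in e for enc in ENCODERS)


def find_xss(source_text):
    """Return sorted [(line_no, expression)] for sinks emitting request data unencoded."""
    text = C_OUT_RE.sub("", source_text)  # <c:out value="${...}"/> escapes by default
    findings = []
    for sink_re in SINK_RES:
        for m in sink_re.finditer(text):
            expr = m.group(1).strip()
            if _uses_source(expr) and not _is_encoded(expr):
                line_no = text.count("\n", 0, m.start()) + 1
                findings.append((line_no, expr))
    return sorted(findings)


# Constructed sample pages: lines 2 and 4 of each are the vulnerable ones.
JSP_SAMPLE = """\
<%@ page import="java.util.*" %>
<p>Hello <%= request.getParameter("name") %></p>
<p>Hello <%= fn:escapeXml(request.getParameter("name")) %></p>
<p>Query: ${param.q}</p>
<p>Query: <c:out value="${param.q}"/></p>
"""

ASP_SAMPLE = """\
<% Option Explicit %>
<p>Hi <%= Request.QueryString("user") %></p>
<p>Hi <%= Server.HTMLEncode(Request.Form("user")) %></p>
<% Response.Write(Request("comment")) %>
<p>Search: <%= HttpUtility.HtmlEncode(Request.QueryString["q"]) %></p>
<p>Search: <%: Request.QueryString["q"] %></p>
"""

if __name__ == "__main__":
    for name, page in (("sample.jsp", JSP_SAMPLE), ("sample.asp", ASP_SAMPLE)):
        for line_no, expr in find_xss(page):
            print(f"{name}:{line_no}: unencoded request data in output: {expr}")
```

A real source scanner follows the data through variables and method calls rather than matching one expression at a time, and it has to know the output context (HTML body, attribute, JavaScript, URL) because HTML encoding alone does not cover all of them; this example only shows the shape of the check.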

Check out the new release at http://www.syhunt.com and let them know you heard about it from MSI. The Syhunt team are nice folks and they work very hard to bring you one of the most flexible, powerful and easy to use web application tools on the planet. Give it a shot, we think you’ll become a huge fan too!

Wasp’s 0-Interface Design

A few people have asked me to elaborate on HoneyPoint Wasp’s (and HoneyPoint Agent’s) zero interface design. I’ll take a moment to explain what it is and how it works. Both Wasp and Agent are designed to be run on Windows systems as a “service”. Windows services run in the background on the system and usually do not have a graphical user interface.

With Wasp and Agent, we extended that concept to make them further transparent to the user by ensuring that no communication with the user of the system takes place. Unlike personal firewalls and most other information security tools, HoneyPoint does not have pop-up windows, user alerts or the like that occur on the Windows system. Instead, all alerts, security events and data are sent from the monitored system to the centralized Console. The Console then alerts the security team to incidents and security threats, without bothering the user at all.

The nicest thing about this design is that end users are never bothered with alerts and pop-ups that impact their work, cause help desk calls or interfere with their use of the system. In our experience, users usually don’t read the alerts or respond to the pop-ups anyway, so we spare them the noise. Instead, the security team can centrally monitor the Console and make decisions about when to act, contact the user or remove the computer from service based on what they see. This leads to better security choices overall, higher user productivity and vastly improved visibility for the security team.

The 0-interface design is a fantastic strength of HoneyPoint. It allows for the easy installation of a security tool that is all but invisible to the end-users of the system. It has no impact on user productivity, causes no spikes in help desk calls and requires no end-user training to deploy. Security teams get all of the positives of stronger visibility into the workstation world without any of these negatives, long associated with more traditional approaches.

Give HoneyPoint Wasp a try on your workstations and we think you’ll agree that 0-interface is the best way to go. Give us a call to discuss demo, schedule a pilot or to schedule a technical briefing. We look forward to showing you how HoneyPoint can help your organization have better security with far less hassle!

Better Detection on the Desktops is Now Available!

Gang, as we have been talking about for several months, MicroSolved is proud to announce the immediate availability of HoneyPoint Wasp. Version 1.00 of this new tool focused on detecting compromised workstations and Windows servers is now running full speed ahead. Clients and participants in the beta program have had some great things to say about the product, like:

“It’s a no-brainer!”, “…deeply extends visibility into the desktop world…” and “Immensely helpful!”

For more information about how Wasp can help you defend your desktops and workstations, plus play a critical role in identifying attacks against Windows servers, check out the press release, web page or give us a call at (614) 351-1237 to set up a briefing!

New Feature, Just In Time for Fall! Introducing Touchdown Tasks! #security

We started a new feature in our newsletter called “Touchdown Task.” Each month, we focus on a specific, measurable task you can use to firm up your own security strategy. This “Touchdown Task” focuses on authentication credentials. Here we go!

Goal: To identify and remove all network, system and application access that does not require secure authentication credentials or mechanisms.

This task means finding every system and application on your network that can be accessed without entering a user name or password, or that can be entered using a widely known default password. This is a very important task indeed! Our techs are often able to compromise the systems we test because of blank or poor passwords. This is especially dangerous since attackers of any skill level, or even just the curious, can take advantage of these blank or poor credentials to poke around, access private information or even elevate their privileges and take control of the system!

There are a number of very common services and applications that ship from the vendor with blank or well-known default passwords. One of the most dangerous, and one we see all the time, is the database server: older Microsoft SQL Server installations, for example, could be set up with a blank password on the sa administrator account, and it is very easy to forget to change it once the software is installed.

How do you find the blank and common vendor default passwords that may be present on your network? The best way is to perform an internal network vulnerability assessment (or have your security partner perform one for you). There are a number of assessment tools available for this task, and your organization most likely already has one in place. Configure it to run these checks and isolate the credential findings from the rest of the assessment output. Also make sure to check your FTP sites and file shares to ensure that they cannot be accessed anonymously.

To remedy the situation once suspicious access credentials have been found, simply change or install passwords that comply with your site’s information security password policy. Generally speaking, passwords should never be blank, widely known (default) or easily guessable. For example, your password should never be “password”, “admin”, “1234567”, “qwerty”, etc.

Passwords should also never be the same as the account name, the name of the organization, the name of the software package or other easily guessable possibilities. Good passwords should contain at least three of the four possible character types (upper and lower case letters, numbers, and special characters).

Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack! Give us a call if you’d like us to partner with you for security assessments.
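Once the assessment has produced a list of accounts, the rules above are easy to apply mechanically. The script below is an added example, not part of the newsletter item: it checks each discovered credential against the blank, default, name-derived and character-class rules stated here. The default-password list, the 8-character minimum (the item does not state one) and the sample accounts are all constructed assumptions.

```python
import re

# Added example, not part of the original newsletter item: a checker for the
# password rules stated above. COMMON_DEFAULTS, the 8-character minimum and
# SAMPLE_ACCOUNTS are constructed assumptions; extend the default list from
# your own vendor documentation.

COMMON_DEFAULTS = {
    "password", "admin", "administrator", "1234567", "12345678", "qwerty",
    "letmein", "welcome", "changeme", "root", "guest",
}

CHARACTER_CLASSES = (
    ("upper", re.compile(r"[A-Z]")),
    ("lower", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
)


def _name_tokens(name):
    """Lower-cased whole name (spaces removed) plus each word, keeping only
    tokens of 4+ characters so short names do not cause false positives."""
    name = name.lower()
    tokens = {name.replace(" ", "")} | set(re.findall(r"[a-z0-9]+", name))
    return {t for t in tokens if len(t) >= 4}


def password_problems(password, username, org_name, product_name, min_length=8):
    """Return the list of policy violations for one credential ([] = compliant)."""
    if password == "":
        return ["blank"]
    problems = []
    p = password.lower()
    if p in COMMON_DEFAULTS:
        problems.append("widely known default or trivial value")
    for label, name in (("account name", username),
                        ("organization name", org_name),
                        ("product name", product_name)):
        if p == name.lower().replace(" ", "") or any(t in p for t in _name_tokens(name)):
            problems.append(f"matches or contains the {label}")
    classes = sum(1 for _, rx in CHARACTER_CLASSES if rx.search(password))
    if classes < 3:
        problems.append(f"only {classes} of 4 character classes (need 3)")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


def audit(accounts, org_name):
    """accounts: [(product, username, password)] as found by the assessment.
    Returns {(product, username): [problems]} for non-compliant accounts only."""
    report = {}
    for product, username, password in accounts:
        problems = password_problems(password, username, org_name, product)
        if problems:
            report[(product, username)] = problems
    return report


# Constructed findings from an internal assessment of "Acme Corp".
SAMPLE_ACCOUNTS = [
    ("Microsoft SQL Server", "sa", ""),            # blank sa password
    ("ProFTPD", "ftp", "ftp"),                     # password equals account name
    ("Router", "admin", "admin"),                  # vendor default
    ("Intranet", "jdoe", "Acme2010!"),             # built from the company name
    ("Intranet", "asmith", "Tr0ub4dor&3"),         # compliant
]

if __name__ == "__main__":
    for (product, user), problems in audit(SAMPLE_ACCOUNTS, "Acme Corp").items():
        print(f"{product} / {user}: " + "; ".join(problems))
```

Run this against the credential findings your assessment tool exports rather than against live systems; the point is to turn a pile of findings into a remediation list, and the compliant accounts simply drop out of the report.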

Tales From a Non-Security Professional, An End-User’s View

I’ve been working in the information security business for two years and have been amazed by what I’ve learned during this time. I remember when I thought, “Information security? Sure. A bunch of geeks patrolling their networks.” I had seen the movie Hackers, after all.

But I had no idea of the breadth and depth of information security. Basically, if you’re using technology, your data is at risk. Any piece of technology that you use that has sensitive data stored can be stolen. It is up to an individual to be proactive when it comes to information security instead of assuming “The IT Team” will take care of it.

Case in point: This morning I read an article from Dark Reading about Intel’s workers thwarting a malicious email virus. Pretty cool. Those workers took the initiative. They didn’t say to themselves, “Hmm, this email looks a little dicey, but I’m sure IT has it covered.”

Instead, each worker who recognized the malicious email immediately contacted the IT department. Because of such quick action, the IT department was able to contain the potential risk and take care of it. This type of response doesn’t happen overnight (And hopefully won’t take two years, either.) but was the result of consistent education.

For me, I’ve tightened up my own personal security posture as a result of hearing what happens when you don’t pay attention. Here are a few precautions I’ve taken:

1) Never leave a laptop in the front seat of your car. This may seem basic, but many workers who have a company-owned laptop will often put it on the passenger’s side of the car, or on the floor. It is easy to assume that when you stop to get gas and take a quick detour into the convenience store to grab a drink, no one will bother your car. Don’t bet on it.

According to a CSI/FBI Computer Crime and Security Survey, data loss from laptop theft came in third and fourth behind virus attacks and unauthorized access. Make a habit of placing your laptop in your trunk, away from prying eyes. And if you really want to protect it, carry it around with you. I’ve been known to carry my laptop into a CVS and into restaurants. I usually say to myself, “How inconvenient/annoying/scary would it be if this laptop was stolen?” Yep. It’s going with me.

2) Passwords, smashwords! We all belong to probably way too many websites that require a password to access it. That’s not even counting the passwords we need to remember for our work email, database, or access to the intranet. We’re also told by our friendly IT team that we need to change those passwords on a regular basis. If you have trouble remembering what you had to eat for breakfast yesterday, much less trying to remember a password you created three months ago, I have the solution: a password vault. I can’t tell you how much this has alleviated the stress of remembering and revising passwords. I use KeePassX, an open-source password vault application.

Whenever I change my password, I immediately open the app and update my entry. Whenever I join a new site that requires a password, I’ll add a new entry. It’s simple and quick, and will protect me from some joker trying to hack into my sites. Once you get into a habit of changing your passwords, it becomes easier. Believe me, this is a heckuva lot easier than scratching out various passwords and usernames on a scrap piece of paper, throwing it into your desk drawer and then trying to find it three months later.

3) Delete stupid emails. This goes back to the “Here You Have” virus that the Intel employees avoided opening. They immediately saw the risk and reported it. Don’t open emails from people or groups that you don’t recognize. In fact, I created a spam folder and just move those types of emails into it if the regular spam filter doesn’t catch them. I empty the folder on a regular basis. No matter how enticing an email header is, if you don’t recognize the sender, trash it. For those who are detail-oriented, you really don’t have to open every email you receive. Really. You probably didn’t win that lottery, anyway.

4) Be suspicious. This one is probably the most difficult for me. I’m a friendly person. I like people. I was raised by two very outgoing parents and hence, I have a soft spot for striking up conversations with perfect strangers. I find I’m a magnet for some of them, too. When you’re in your office, this can be used against you by a clever attacker. If you’re an IT staff person, you may get a call from someone who is in some type of a bad spot and needs access to “their” data at work and gosh, could we just skip the authentication process? Because most of us are wired to help others (thank you very much, customer service training), we obviously try to be of assistance. Meanwhile, the attacker is counting on this and will press an employee to give them information without checking their credentials. If anyone calls me and starts asking a bunch of nosy questions, I’ll start asking mine right back: “What company do you represent? What is your name? What is your phone number? Why do you need to know this information?”

Sometimes asking such questions may feel awkward, but remember, we’re protecting our company’s data. We’re on the front line and a little discomfort can go a long way in winning the battle of security.

These are a few things I’ve learned over time. Information security isn’t only the IT department’s job or the CISO/CTO/CIO’s. It’s a job that belongs to everyone. If I could sum it up, I’d say this: Be aware. Be aware of your surroundings, aware of your technology, aware of access points. Keeping your eyes and ears open will not only save you a bunch of headaches (and perhaps your job) but will save your company money. And in today’s economy, that is a very, very good thing.