RE: SANS Are We Doomed?

Posted on by
Reply

This kind of stuff is, in my opinion, exactly why management and consumers grow sick of hearing about information security and cyber-risk in general. For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, the cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.

SANS at least asks for good things too that represent hope, but the list is always small. It is always, as they point out, so much easier to create a list of threats and attack points than a list of what we have done, and are doing right. That’s human nature, to point to the short comings.

My point is that just as many real world risk pundits have said, we have to look at things through a higher level lens. We have to create RATIONAL security. Yes, we have to protect against increases in risk, black swans, 0 day exploits, huge bot-nets and all of the other examples of “bleeding edge threats”, but we have to realize that we have only so many resources to bring to bear and that risk will NEVER approach ZERO!

Here is a real world example:

I recently worked an incident where a complete network compromise was likely to have occurred. In that event, the advice of another analyst was to completely shut down and destroy the entire network, rebuild each and every device from the ground up and come back online only when a state of security was created. The problem: the business of the organization would have been decimated by such a task. Removing the IT capability of the organization as a whole was simply not tenable.

Additionally, even if all systems were “turned and burned” and the architecture rebuilt from the ground up, security “Nirvana” would likely not have been reached anyway. Any misstep, misconfigured system or device or mobile system introduced into the network would immediately raise the level of risk again. So would connecting the newly built “secure” network to the Internet. If 1 minute after the network went live a user clicked on the “dancing gnome” from a malicious email, then the network is in a risk state again. Not to mention or even dive into the idea that an internal attacker or rogue admin could exist inside the environment, even as it was being rebuilt.

Thus, the decision was made to focus not on mitigation of the risk, but on MINIMIZING it. Steps were taken to replace the known compromised systems. Scans and password changes became the order of the day and entire segments of the network were removed from operation to minimize the risk during a particularly critical 12 hour cycle where critical data was being processed and services performed. Today, this IT environment remains in a semi-trusted state, but they are quickly implementing a phased approach to restore full trust to the environment and bring it into compliance with security best practices.

Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business process pain? Of course! But the impact on their organization, business bottom line and reputation has been absolutely less than if they had taken the “turn and burn” approach. They still have risk. They still have threats. They still have vulnerabilities, BUT they are moving to deal with them in a RATIONAL fashion.

RATIONAL response to risk is what we need, NOT gloom, doom and FUD. Finding the holes in security will always be easy, but understanding what holes need to be prevented, wrapped in detection and protected by response is the key. Only when we can clearly communicate to management and consumers alike that we have RATIONAL approaches to solving the security problems are they likely to start listening again. After all, who does anything different when the Internet security level moves from “mochachino” to “dirty martini” or vice versa???

HoneyPoint Event Stats

Posted on by
Reply

I have gotten a few inquiries about the average number of events per day that HoneyPoint Security Server deployments catch on average networks. While this question is pretty hard to answer in a general sense, since most networks differ by size, deployment security, policies and processes, we can talk about averages across multiple client networks and our own HoneyPoint sensor networks.

On average, Internet visible HoneyPoint deployments usually experience around 4 events per HoneyPoint deployed per day. This can vary depending on services emulated, but in general, adding smtp and web (the two largest receivers by far) against those deployed on rarely scanned ports yields this average over time. Those are amazing statistics when you consider that each of those is a genuine probe/scan event or attack! Many clients use Internet facing sensors as a means of populating black hole lists, web application address filters and other prevention focused mechanisms. Less often, clients use this information as means to perform risk assessment and response, meaning that they actively track this data and the sources and take a manual action. Usually clients use Internet exposed HoneyPoints as a source of threat intelligence, trend tracking for frequency and source variations and automated blocking configurations.

Internally, most clients experience 3-4 events per month on average. These events are usually treated very seriously, since any HoneyPoint traffic internally is suspicious at best and malicious at worst. Most security teams leveraging HoneyPoint use these events as triggers for true security incidents. They launch full investigations and either mitigate or minimize the discovered issues. They are able to do this and focus on these critical events due to the low number of them they experience, the lack of false positive events they see and the placement of the HoneyPoints close to the actual assets they are tasked with protecting. Many clients have moved away from using NIDS as any type of action item at all, and refer to their NIDS deployments only as forensic and correlation data for incidents triggered from HoneyPoints and log analysis/log management solutions.

While HoneyPoint Security Server is not a panacea for information security, it is a very strong addition to a security program. Clients are continually discovering new uses, new capabilities and new ways to leverage the system to further reduce their resource requirements. HPSS has proven to be a low noise, high signal, effective, traditional approach to providing threat management, security intelligence and detective capabilities for organizations of any size.

If you are interested in hearing more about the averages and what you can expect from a HoneyPoint deployment, just let us know. Give us a call or drop us a line and we will be happy to share the metrics we have with you!

Spam Bots

Posted on by
Reply

We are continuing to see more and more spam bots. Spammers are not letting up and are still actively researching and breaking “captchas”. We have seen several of them broken within the past few weeks. It seems it’s about time to adopt a new system of anti-bot measures for registration forms, or increase the complexity of the captcha (while also increasing user frustration).

That reminds me of a study I was reading about spam though. The researchers in this study found that only about 1 in 12.5 million spams result in a sale of whatever was being spammed about. However, even with this atrocious rate, the spammers are estimated to be generating around $7,000 a day!

Port Mining with HoneyPoints

Posted on by
Reply

Myself and a client have been playing around with a new technique that we are calling port mining. In this approach, we use HoneyPoint Security Server and HoneyPoints deployed in key locations to mess with worms, scans and tools.

The process is very very basic. We basically configure a simple HoneyPoint so that instead of sending the various text files it usually sends down the connection it sends a large binary file like an MP3, ISO or other binary data. Then we deploy the HoneyPoint and have it listen on a port for incoming traffic.

When the HoneyPoint gets a completed TCP connection, it immediately shoves the binary content down the pipe. It then waits for a response and sends either the same file again or another file. Very basic, right? Yes, indeed. However, we have seen three effects from this process:

1. In many cases, the file transfer of the first huge file completes and the connection dies with a timeout. In our lab testing, this was due to the unexpected input size and content of the data sent from the HoneyPoint, which has caused multiple forms of tools and malware to simply crash.

2. In other cases, we have seen the file transfer complete and the tool or malware respond only to get the file again down the pipe. We have watched this process act like a LaBrea scenario where the tool, scan or malware is significantly slowed by the data (of course, we are also using a lot of our own bandwidth) and in some cases we were able to cause the MS08-067 scans we were seeing to wait up to 50 mins for each 8 MB MP3 we sent and do this hundreds of times! Effectively, we slowed down that system from further scans while it kept playing with our HoneyPoint.

3. In very few cases, we see the connection terminate upon partial sending of the binary data. In about half of these cases, the connection terminates properly (so likely we had no effect) but in the other half, we see odd disconnections (unknown, but possible crash of the malware). In the lab, we have seen this happen with a few tools due to unexpected inputs causing exceptions in the code.

Now, it should be said, that we are just “playing” with this approach. We are not sure how or if this will be beneficial to anyone, but it was a fun idea to mess with scanners and such in such an easy way. Give it a try and let us know what you think!

PS – Extra points (and fun) can be had for finding the worst MP3 of the most horrible songs that have the largest effective use as a port mine defensive component. So, bust out your one hit wonders MP3 collection and see how your milage varies. 🙂

Book Review: Hacking Exposed: Linux Third Edition

Posted on by
Reply

ISECOM, the renowned research organization for security, has again “made sense” of securing a Linux network against attacks. The book is a thorough guide to understanding how to “separate the asset from the threat” and block hackers from playing in the ultimate playground of Linux.  The authors take you from the elements of security, to hacking the system, to hacking the users. 

What is particularly helpful are the case studies. If you or your company’s employees need to travel and access your company’s website via wireless connection, you’ll be especially interested in the case study in Chapter Eight, where a hacker tracks a signal to a hotel’s access point and creates legit-looking error pages in order to obtain the account information of the user. Also helpful are their usual attack and countermeasure icons, which further define how to pinpoint areas of risk.

Security teams looking to evaluate their areas of vulnerability within Linux will be forearmed with the powerful arsenal of preventative approaches covered in this edition. All of the material is new, based upon the most recent and thorough security research. The hacking and countermeasure are based on the OSSTMM, the security testing standard, and cover all known attacks on Linux as well as how to prepare the system to repel unknown attacks. A pretty good buy for the $49.95 cost.

MS08-067 – The Worm That Wasn’t – Wait… Might Be?

Posted on by
Reply

So, the worm based on MS08-067 was rumored last week and now SANS confirms that the worm is spreading from at least one host. SANS is blaming 61.218.147.66. We also have seen scans from 208.23.24.52, 66.100.224.113, 97.89.26.99, 219.158.0.96, 88.178.18.41, 91.142.209.26, 189.20.48.210, 212.122.95.217, 131.118.74.244, 84.3.125.99, 81.57.69.99 and a ton more. Those started to increase dramatically starting this morning around 9:25 am Eastern and have continued throughout the day.

HoneyPoints on consumer bandwidth networks and commercial ISP’s alike are picking up a spike in 445 scans and traffic.

Obviously, given the metasploit framework’s improvement of the exploit in the last week or so and the myriad of proof of concept tools that have been filtering around the underground, the threat of a worm is a reality. Worm code was first announced several days ago, but seemed to fail to propagate likely due to the lack of port 445 being available on most Internet connections. However, it appears that some victims have been found and have been slowly accumulating.

While we are not yet seeing the massive scans and probes associated with the worms of the past, we are beginning to see traffic levels that indicate increasing worm behaviors.

Obviously, if you have not yet ensured that port 445 is blocked at your Internet connection, you should immediately do so. HoneyPoint users can also setup TCP listeners or basic TCP HornetPoints to discover and attempt to “defensive fuzz” the worm code. Mixed results of causing termination have been shown so far, but our lab is working on a HornetPoint configuration to cause exceptions in the worm code in a stable manner.

HoneyPoint TCP listeners can be deployed on Linux boxes and other platforms where port 445 is undialated and used to identify hosts performing 445 scans and probes. This is an excellent approach to finding laptops and portable devices that might be infected on the internal network.

Prep for Election Day

Posted on by
Reply

With election day on tomorrow’s dawn, now might be a good time to prep yourself for the coming tasks.

1) Make sure you have your ID, driver’s license or other documentation that may be required to vote in your state.

2) Take the time to prepare and familiarize yourself with the issues. There are several sites sorted by states that cover the various issues. Use a search engine to locate your specific issues and races.

3) Be prepared for weather issues, traffic, long lines and other significant problems. Take enough time to allow for the task and any snafus that might arise. Bring a book, a bottle of water and your patience.

4) Forget “testing the security” if that is your deal. It will only cause problems for you, others and the board of elections. Play around in the voting booth and you might end up spending some time as a guest of your state. Forget the e-voting media and press and just make your voice heard with a proper vote. Let the voting officials handle the rest.

Most of all, just vote. It is the single most important duty we have as an American. So, make your choices, select your candidate and do your patriotic duty. Using your voice is the finest way to honor the memory and sacrifice of all those who made it possible!

The Flu Season is Upon Us Again!

Posted on by
Reply

Officially, the flu season begins on the first of October and runs until spring. Even though the CDC says that this year’s flu is starting out a little bit milder than the two previous years, I know several people that are suffering through a nasty type of flu already this year. This stuff starts out with the usual fever and aches, and then turns into “cold” symptoms that hang on for weeks! We all know how nasty this is on a personal level, but a virulent long lasting flu like this can also really stress your business as well. So, let’s take a look at how the flu really works and what we can do about it.

First off, there are few real defenses against the flu if you are going to interact with other people. “Flu’s” are viruses that can infect you in several different ways and that mutate often and rapidly. The flu vaccine that is produced every year is really only devised to have some effect on the top three dominant flu strains of the year. The amount of effect they really have also depends on just how and how much each virus strain has mutated by the time you get the flu shot. So, although it is liable to help, don’t put too much faith in the flu vaccine.

So how can flu infect you? The most insidious way for the flu virus to spread is through the air in the form of “droplets”. When persons with the flu cough or sneeze into the air, large and very small droplets of liquid filled with virus travel through the air and can easily make their way into lungs or onto hands. Large droplets generally do not travel more than six feet but small “micro-droplets” can float through the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or eyes. If there is flu virus on your hands or food and you put them in your mouth, you can get the flu. If you have flu virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?

The best thing you can do, even though it is a pain, is wash your hands. I mean wash your hands each time before you touch anything and put it in your mouth, or before you rub your eyes. Also, I wouldn’t eat food that has been sitting uncovered around where people have been coughing or sneezing.

There are also a number of different things that can kill microorganisms like flu viruses. Ultra violet radiation, such as direct sunlight, kills microorganisms almost instantly. Also, Microorganisms die quickly when they come in contact with hard, smooth, dry surfaces. And, microorganisms can be killed or removed by the use of soaps and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.

So how do you protect your business from the flu? When the flu is rampant in the community, protect yourself when you are in close public areas such as grocery stores, automobiles, airplanes or malls. Have your workers do any work remotely that they can. If they can VPN into the network securely and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible via the drive up windows. Insist that employees that have the flu stay home. And finally, make sure that your business has good written operating procedures in place, and that your employees cross train with each other on a regular basis. This will be a real help in times of great absenteeism. Expect the best, but plan for the worst – the height of the flu season is just two or three months away!

Web Application Targeting on the Rise

Posted on by
Reply

Recently, attacks on web applications have been on the rise, and there is good evidence that exploitation through SQL injection of web applications has brought about the tremendous surge in botnet infected machines. The focus of such attacks should result in us asking ourselves if we are at risk. If you have a web application it is quite possible that you are, and could likely be a target.

One of the fundamental best practices for being sure you don’t get compromised through a web application is to have strict input validation. What do I mean by “strict input validation?” Essentially, this means filtering the input to ensure the data presented by the user to the page does not contain characters that the application could mistake for code to be executed. Using input validation protects your site from executing arbitrary and malicious code that compromises your system.

Another big thing to consider is error control, often times SQL errors are displayed out in the open, or a directory listing is shown. A simple Google search for these error codes represent low-hanging fruit for a malicious attacker, allowing them to identify your website as a target. I would encourage everyone to take a close look at your web applications and make sure you are protected against this increased attacker focus.