It’s that time of the month again, it’s release day for the Microsoft patch cycle. This month there were 11 new updates. Six of those eleven carry ratings of “critical”. The updates patch several things, and finally include an update for IE that corrects six vulnerabilities. Some of the other critical updates fix vulernabilities in Microsoft Office. As usual, test these updates and roll them out as soon as possible.
Now your organization can have a 24/7 guard dog to monitor key DNS resolutions and protect against the effects of DNS cache poisoning, DNS tampering and other resolution attacks. Our tool is an easy to use, yet quite flexible and powerful solution to monitoring for attacks that have modified your (or your upstream ISPs’) resolutions for sites such as search engines, software updates, key business partners, etc.
DNS Doberman is configured with a set of trusted host names and IP address combinations (yes, you can have more than one IP per host…) which are then checked on a timed basis. If any of your monitored hosts returns an IP that the DNS Doberman doesn’t trust – then it alerts you and your security team. It supports a variety of alerting methods to support every environment from home users to enterprises.
You can learn more about the tool and download the FREE version from the link below. The FREE version is completely useable and if it suits your needs, you are welcome to continue to use it indefinitely. The FREE version is restricted to 5 hosts and only checks each host once per hour. Registered users ($99.95) will receive support, minor version upgrades and the ability to check an unlimited number of hosts every 15 minutes!
To learn more or get your copy today, please visit the MSI main web site, here.
Another company gets a laptop stolen with customer data on it. Fortunately this time it appears that all of the sensitive data was encrypted. They’re not sure of the number of customers but affected, but said it was “a very small number”. This is just another incident in a long list of stolen and lost customer information. This time they were prepared, and it’s probably going to save people some grief. If one of your company’s laptops get stolen, will you be just as prepared?
Several vulnerabilities have been identified and subsequently patched in the newest version of Ruby. If you are a Ruby developer, make sure you download this as it contains an important update. A fix for the DNS logic within the resolv.rb script. The update implements randomized source ports, in order to help protect from spoofing attacks. Upgrade to 1.8.6-p286, or 1.8.7-p71, to mitigate this and other issues identified.
Researchers at this years DEFCON event have demonstrated an attack that causes access points to turn against legitimate users. The attack works by utilizing the built in DDoS protection mechanisms and turning it against the users. By sending a specially crafted packet to the AP, an attacker could cause the AP to assume that the legitimate clients are the ones performing the DoS attack, and cause them to be locked out. Eight examples were demonstrated at DEFCON 16.
There’s a couple malware emails making the rounds right now. One claims to be from the UPS, and the other said to come from CNN.com. The UPS email claims that they tried to deliver a package but the recipient address was wrong. The email contains an attachment invoice which it explains you need to print out and take it to their office. The CNN email contains a subject of “CNN.com Daily Top 10” and includes links that attempt to entice a user to click on them. If you follow the link, you’re redirected to a site and prompted to install an updated flash player. In both cases, of course, the executables are not what they say they are. Usually these emails are fairly easy to pick out due to grammatical and spelling errors. It’s also a good idea to not open any unexpected attachments, even if you believe they’re from a reputable source.
We have been having quite a struggle finding infosec VARs to resell our HoneyPoint products. The problem seems to be that HoneyPoint and the idea of a Next Generation Distributed Honeypot product are such a radical concept to most organizations that they require evangelism and education for the customers to understand the value of the product and why it is a better solution that they are using now. It usually takes a while for them to understand that they can free themselves from false positives and the overhead of many of the detective tools they are using today if they simply embrace the idea of thinking differently about the problem.
VARs today seem to be focused solely on the products that are demand driven. They want to sell the Cisco products, the copies of anti-virus and the stuff that clients are already used to asking for. The days of VARs looking for ways to shake up the markets, establish value with fresh approaches and build their businesses by leveraging rapport with their customers by solving their deeper problems seem to be all but gone. Sure, you can find VARs to resell your widget or appliance if you have a model that requires little work, even if it has a small margin. But, it seems like finding evangelical VARs is nearly impossible in today’s market. If they are out there, we don’t seem to be able to find them.
I really feel like that is a bad thing for the market and for the clients. In the early days of MSI and the security industry, there was a lot to be gained by being a VAR that was able to bring bleeding edge solutions to customers. I can remember working with clients to help them understand new protective technologies like the Sidewinder firewall from Secure Computing, Real Secure from ISS and spending a lot of time traveling, talking to clients and listening to them explain the things that hurt them – then digging into the net and our brains for REAL, DEEP solutions that addressed the root problems that they were experiencing. For me, at least, that was the exciting thing about being a VAR – finding that next breakthrough that could really empower some of my clients in a way that they may not even have known that they needed until we showed them that a better way was available. That was exciting, fun and really gained us the trust of organizations who have been clients for nearly two decades now.
If there are any VARs out there that you think fit this model, I would like to hear about them. I would love to find a few folks who are willing to help evangelize what is clearly a better solution to the insider threat and to securing virtual environments. I would like to work with someone who shares that energy, passion and willingness to help solve deeper problems than traditional “network gear” resellers will ever be able to uncover. If you’re out there, give me a call – I think we have something to talk about…
Attackers are apparently zigging when we thought they would be zagging again. An article posted yesterday talks about how attackers have passed on using the exploits published by the common frameworks and instead, have been pretty widely using a more advanced, capable and less known tool to exploit the DNS vulnerabilities that have been in the news for the last few weeks.
In the article, HD Moore, a well known security professional (and author of Metasploit), discusses how the attackers seem to be bypassing the exploit that he and his team published and instead have been using another exploit to perform illicit attacks. In fact, the attackers used their own private exploit to attack the Breakingpoint company that Moore works for during the day. I was very interested in this approach by the attackers, and it seems almost ironic somehow, that they have bypassed the popular Metasploit tool exploits for one of their own choosing.
This is interesting to me because when an exploit appears in Metasploit, one would assume that it will be widely used by attackers. Metasploit, after all, makes advanced attacks and compromise techniques pretty much “click and drool” for even basic attackers. Thus, when an exploit appears there, many in the security community see that as a turning point in the exploitability of an attack – meaning that it becomes widely available for mischief. However, in this case, the availability of the Metasploit exploit was not a major factor in the attacks. Widespread attacks are still not common, even as targeted attacks using a different exploit has begun. Does this mean that the attacker community has turned its back on Metasploit?
The answer is probably no. A significant number of attackers are likely to continue to use Metasploit to target their victims. Our HoneyPoint deployments see plenty of activity that can be traced back to the popular exploit engine. Maybe, in this case, the attackers who were seriously interested had a better mechanism available to them. Among our team there is speculation that some of the private, “black market” exploit frameworks may be stepping up their quality and effectiveness. These “exploits for sale” authors may be increasing their skills and abilities in order to ensure that their work retains value as more and more open source or FREE exploit frameworks emerge into the market place. After all, they face the same issues as any other software company – they have to have high value in order to compete effectively with low cost. For exploit sellers this means more zero-day exploits, more types of evasion, more options for post-exploitation and higher quality of the code they generate.
In some ways, tools like Metasploit help the security community by giving security teams exploitation capabilities on par with basic attackers. In other ways, perhaps they also hurt the security effort by enabling more basic attackers to do complex work and by driving up the quality and speed of exploit availability on the black market. It is hard to argue that such black market efforts would not be present anyway as the attackers strive to compete amongst themselves, but you have to wonder if Metasploit and tools like it serve to speed up the pace.
There will always be tools available to attackers. If they aren’t widely available, then they will be available to a specific few. The skills to create attack tools are no longer the arcane knowledge known to a small circle of security mystics that they were a decade ago. Vendors and training companies have sliced and diced the skills into a myriad of books, classes, training sessions, conventions and other mechanisms in order to “monetize” their dissemination. As such, there are many many many more folks with the skills needed to develop attack tools, code exploits and create malware that has ever increasing capability.
This all comes back to the idea that in today’s environment, keeping anything secret, is nearly impossible. The details of the DNS vulnerability were doomed to be known even as they were being initially discovered. There are just too many smart people with skills to keep security issues private when there is any sort of disclosure to the public. There are too many parties interested in making a name, gaining some fame or turning a buck to have any chance at keeping vulnerabilities secret. I am certainly not a fan of total non-disclosure, but we have to assume that even some level of basic public knowledge will eventually equal full disclosure. We also have to remember, in the future, that the attacker pool is wider and deeper than ever before and that given those capabilities, they may well find mechanisms and tools that are beyond what we expect. They may reject the popular wisdom of “security pundits from the blogosphere” and surprise us all. After all, that is what they do – surf the edges and perform in unexpected ways – it just seems that some of us security folks may have forgotten it….
We are proud to announce the immediate availability of a complimentary site that is dedicated to the offering clients of MSI a source for quality information security materials.
The site is located at http://awareness.microsolved.com and requires a login and password for access. The accounts, which are free or charge, are available to those organizations who have been customers of MSI in the last 12 months and will remain valid as long as the organization is a client within 12 months. Simply sign up at the site for an account and you should be validated shortly.
Once you have activated your login, the site offers an online forum for the discussion of information security awareness topics and the relevant strategies that can be used to build security awareness. The account also allows you to download PDF posters, articles, podcasts and other materials produced by MSI for use in supporting your security awareness efforts.
The materials, which may be reproduced and used at no charge, are branded with the MSI logo and such, but can also be customized and branded to your organization for a small additional fee.
New content will be added to the site regularly. The content is already divided into end user, consumer, developer, executive and technical audience targets. A variety of formats, designs and materials are planned for the coming months on the site.
Brent Huston, our CEO had this to say about the new site: “I truly believe that security awareness is a critical part of any security program. The general user populace must be educated about making better decisions concerning online risk and even IT practitioners can benefit from ongoing security education. I really think this is a way that MSI can give back to our clients for all of their trust and belief in our firm over the years! ”
Constance Matthews, Account Executive with MSI added “Clients have been asking me about awareness solutions for their company for a long time, but we were really committed to finding a strong solution for our customers and to finding an inventive approach that really increased the value of our work. I’m confident that these multi-media tools will help our clients achieve meaningful growth in their security awareness initiatives.”
Sign up today for an account on the site and we look forward to hearing from you on the forum. Please give us any feedback and as always, thanks for choosing MSI as your information security partner!
Oracle has released a patch out of cycle in response to an exploit going public yesterday. The flaw allows remote code execution without being authenticated in WebLogic Server and WebLogic Express. Every version of WebLogic from version 6.1 to 10 are vulnerable. This is a critical vulnerability and the patch needs to be rolled out immediately. If for some reason that is not possible, Oracle believes there are two workarounds. The first is using the Apache LimitRequestLine Parameter, or you man also use the Apache mod_security module. Full details of the vulnerability and the workarounds are available here.