The Ups and Downs of Security Research

So, here I am working on a vulnerability I discovered in OS X. I am deep into the final work of making sure it is exploitable and writing proof-of-concept code. My fuzzers had identified the issue a week or so ago, but with my busy schedule I just had not had time to pursue what was looking to be a local exploit with a little capability for malicious activity, like perhaps exposing the contents of FileVault or other things that are based on user context.

But, lo and behold, along comes an update from Apple that patches the vulnerability. Upon deeper research, it appears that they also discovered the issue (or blindly mitigated the hole) while they were repairing another problem included in this patch cycle! Congrats to Apple for fixing what appears to have been an unrelated issue and for seemingly doing the right thing of performing additional testing or mitigation on code they are working on. To me it looks like they may actually have implemented a process whereby, as one issue is found with a piece of code and addressed, the whole piece of code is more deeply inspected, tested and assessed. That’s FANTASTIC news!

So, while I am doing the “poor me” shuffle for spending cycles on an issue that has become NOT AN ISSUE, I am also bouncing around with joy that the right approach to securing code seems to be spreading. That alone is worth a smile. I really like it when the right thing happens and some part of the world gets a little more secure!

That’s just another part of life as a security researcher. Things continue to break in new and exciting ways, but sometimes, even while you are working on the rabbit hole, someone comes along and fills it in…

CNet Gives HoneyPoint Personal Edition 4 Stars!

CNet reviewers gave HPPE four out of five stars!

They loved the usability of the product, the interface and the idea behind it.

You can read more about it here.

Apparently, it would have gotten 5 stars, but they did not like the fact that connections from 127.0.0.1 (localhost) are ignored and that this behavior is not in the documentation. We will add it to the docs in the future, but 4 out of 5 stars is a wonderful response. Thanks CNet!

How HoneyPoint Network Trust Agent (HP:NTA) Helped Protect My Computer!

Recently, at a local coffee house meeting with one of my clients, I quickly realized I was under attack. As we were going through a PowerPoint presentation, all of a sudden my HP:NTA alerted me by a simple traffic light. First it went to yellow, letting me know someone was probing my machine, with a message to me: make sure your firewall is running and that your anti-virus is up to date. Then, seconds later, it turned to red, letting me know that I needed to unplug immediately and notify my security team. The alerting system gave me real-time alerting capability to let me know someone was doing something they shouldn’t be.

A few things that I think are important to point out:

1. If I didn’t have NTA on my laptop I would never have known someone had launched a web browser attack on my computer.

2. More importantly, they could have taken control of my computer without my having any knowledge of the occurrence.

3. Neither my firewall nor my antivirus caught the probe/attack.

4. Forensics: I took the incident back to my security team and they were able to see what type of attack occurred, where the attack originated, etc.

5. It continues to show how vital layering security is to protecting our assets. Layering is crucial in safe computing, both personally and professionally.

6. How easy NTA made it to comprehend what had happened and what my next immediate steps needed to be.

With all that being said, an incident where someone could easily have hacked into my computer was stopped by installing NTA. At $10 per license, doesn’t it make sense that everyone should have this installed on their computer?

HoneyPoint Helps Identify Misconfigurations

One of the unexpected side effects of HoneyPoint deployments has been the discovery of misconfigured applications and hardware on the network. Many customers have identified applications and devices that were either not configured properly or were acting in unexpected and undocumented ways. HoneyPoint clients have told us that this has helped them rein in that behavior, and that they would likely never have known about it had they not deployed HoneyPoint.

Some of the items they have discovered include web applications that open return sessions to port 80 or 443 on the originating host, often for no apparent reason; illicit web requests to domain servers caused by misconfigured SQL and LDAP controls; and even a couple of applications that performed simplistic port scans of the originating host in odd attempts to identify it or to use the result as a “host fingerprint”, neither of which is an effective access control mechanism.

Clients have also told us that HoneyPoint has helped them find hosts that are not obeying the standard rules of their environment. For example, one client moved their DNS server away from the address that DHCP had been handing out, then updated the DHCP configuration to point at the new address. A few days later, they stood up a port 53 HoneyPoint on the old address to capture hosts that had been given a static DNS setting instead of using the established DHCP method. Doing so helped them clean up hosts that were still carrying the old configuration and even identify a help desk technician who was not configuring systems in accordance with their standards. They say HoneyPoint was an incredible tool for finding the hosts that were just not up to par.
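The port 53 trick in the paragraph above is easy to reproduce with a few dozen lines of Python. The listener below is an added example written for this page; it is not HoneyPoint code and not the client's own tooling. Run it on the old resolver's address after the real DNS server has moved: it decodes the question name from every query it receives, so the report shows not only which hosts still carry a stale static DNS setting but what they were trying to resolve. It deliberately never answers, so a stale host simply falls through to its secondary resolver rather than learning that something is alive at the old address. The packets its offline demo uses are constructed with the build_query helper, and binding UDP port 53 requires root or administrator rights.

```python
"""Decommissioned-resolver canary, in the spirit of the port-53 HoneyPoint
described above. Added example for this page; not HoneyPoint code.
Run it on the OLD DNS server address once the real resolver has moved:
anything that still queries it has a stale static DNS setting."""
import socket
import struct
import sys
import time
from collections import defaultdict


def parse_dns_question(payload):
    """Return (qname, qtype) from a raw DNS query, or None if it is not one.
    Only the first question is decoded; compression pointers are rejected
    because a well-formed query never uses them in the question section."""
    if len(payload) < 12:
        return None
    _tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:          # QR=1 means a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                       # pointer / unsupported label type
            return None
        label = payload[pos:pos + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels) or ".", qtype


def build_query(name, qtype=1, tid=0x1234):
    """Constructed sample query (for the demo/tests); real clients send the same shape."""
    body = b"".join(bytes([len(part)]) + part.encode("ascii")
                    for part in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)    # RD=1, one question
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


class DnsCanary:
    """Counts queries per source host; the report is the stale-host list."""

    def __init__(self):
        self.hits = defaultdict(list)            # src_ip -> [(ts, qname, qtype), ...]

    def record(self, src_ip, payload, ts=None):
        """Log one datagram; returns False for anything that is not a DNS query."""
        question = parse_dns_question(payload)
        if question is None:
            return False
        self.hits[src_ip].append((time.time() if ts is None else ts, *question))
        return True

    def report(self, min_hits=1):
        """[(src_ip, query_count, up to five distinct names)], busiest host first."""
        rows = []
        for ip, events in self.hits.items():
            if len(events) >= min_hits:
                names = sorted({qname for _, qname, _ in events})
                rows.append((ip, len(events), names[:5]))
        return sorted(rows, key=lambda r: (-r[1], r[0]))


def serve(bind_ip="0.0.0.0", port=53, seconds=600):
    """Listen (port 53 needs root/admin), never answer, print the report at the end.
    Not answering lets a stale host fall through to its secondary resolver
    instead of learning that something is alive at the old address."""
    canary = DnsCanary()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    sock.settimeout(1.0)
    deadline = time.time() + seconds
    while time.time() < deadline:
        try:
            payload, (src, _port) = sock.recvfrom(512)
        except socket.timeout:
            continue
        canary.record(src, payload)
    for ip, count, names in canary.report():
        print(f"{ip}\t{count} queries\t{', '.join(names)}")
    return canary


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "serve":
        serve(port=int(sys.argv[2]) if len(sys.argv) > 2 else 53)
    else:                                        # offline demo on constructed traffic
        demo = DnsCanary()
        demo.record("10.0.0.7", build_query("intranet.example"))
        demo.record("10.0.0.7", build_query("mail.example", qtype=15))
        demo.record("10.0.0.9", build_query("intranet.example"))
        for ip, count, names in demo.report():
            print(f"{ip}\t{count} queries\t{', '.join(names)}")
```

Start it with `sudo python3 dns_canary.py serve` (or `serve 5353` to try it on an unprivileged port first) and leave it running for at least a DHCP lease period or two; with no arguments it runs the demo on the constructed packets. The file name is arbitrary. Every host in the report is a candidate for the static-DNS cleanup the client describes, and the query names tell you whether it is a real workstation or, say, a printer that nobody reconfigured.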

As the product matures, we continually get more and more feedback from clients about innovative uses for the tools. If your organization has leveraged HoneyPoint in new ways, please let us know so we can share them with others who may be able to benefit from the idea. As always, thanks for the attention to the product, we truly love the feedback and the incredibly warm response it continues to receive from people and organizations around the world!

MSI Becomes a PCI Approved Scanning Vendor

MicroSolved, Inc. is pleased to announce that its SecureAssure vulnerability assessment solution has successfully completed the PCI Scanning Vendor Compliance Testing. This allows MicroSolved to serve as an Approved Scanning Vendor (ASV) for organizations concerned with PCI compliance.

“More organizations can now benefit from working with MicroSolved as their information security partner. Companies with compliance needs centering on payment cards can now leverage our exceptional methodologies and world class reporting. In addition, our process of manual vulnerability verification eliminates much of the overhead and complexity of compliance by removing false positives and keeping your resources focused on the real problems.” stated Brent Huston, CEO of MicroSolved.

For more information, or to schedule assessments of your organization, please contact your account executive via phone or click here for email.

Another Great CUISPA Event

MSI attended the latest CUISPA event in Boston last week and it was a fantastic show. Credit union security folks were in attendance from all around the US and the speakers did a fine job of knowledge transfer.

Many thanks to all who stopped by the booth and showed their appreciation for our State of the Threat updates to CUISPA members. We have made arrangements with CUISPA to keep them coming each quarter!

I am not allowed to “spill the beans”, but in appreciation of our warm reception, we will soon be making a very special offer to all CUISPA members. Stay tuned to both CUISPA and our site to learn about this special offer that just might make your future workload quite a bit lighter! 😉

Thanks again for the warm welcome in Boston. Special thanks to Kelly at CUISPA for the awesome event!

Book Review: Code Craft

Code Craft

By: Pete Goodliffe

Publisher: No Starch Press

Price: $44.95

Rating (out of 5): *****

This is an excellent book about moving from average software development to professional-grade software development. It covers the topics needed to teach developers how to make better software more effectively than may be happening in many organizations today. Topics covered include effective commenting and documentation, industry standards for software testing (including security), interface design standards, group development practices, mechanisms for spec development and code review, and even insights into managing programmers more effectively.

If you are a developer or manage a group of developers, this book will teach you the softer skills to complement the technical skills you have already mastered. Given the complexity of today’s software, it is these softer skills that often make all the difference between career success and remaining “one of the code jockeys”.

My favorite thing about this book is the insightful tone it uses to get its point across. It truly reflects the author's wisdom and experience without the “preachy tone” some technical books take on. Be prepared, though: the book is big, some 500+ pages of actual content, so if you just finished that huge Harry Potter book everyone is reading, this may seem a little longer than you like for reading in your easy chair. But, unlike Harry Potter, this book’s payoff is long-term career growth and skills improvement!

Book Review: Practical Packet Analysis

Practical Packet Analysis

By: Chris Sanders

Publisher: No Starch Press

Price: $39.95

Rating (out of 5): ****

This book is an excellent introduction to the basics of packet analysis. It introduces the fundamentals of network protocols, the use of Wireshark, sniffer placement and the other skills needed to perform packet capture and inspection.

Packet analysis is a vital skill for network technicians and security folks. This book takes users through a variety of scenarios including wireless network sniffing, protocol debugging and even attack inspection. In addition to Wireshark, it also covers getting dumps from Cain and other common sources.

The book is easy to read, easy to follow and the graphics are very readable. The scenarios are very detailed and reality based. All in all, if you need to get the basics of packet analysis down pat, this is a very good place to start.

Some Indicators of Trojan Activity on your Machine

Last month, I posted a list of indicators you may experience if computer viruses are infecting your system (see the blog from June 1, 2007). That was the first in a series of articles on indicators of various types of malware. This month, our malware topic is the Trojan horse, or just plain “Trojan”.

Trojans are self-contained programs designed to look like (and be mistaken for) useful or necessary programs on your computer, the kind you would never look twice at. There are several ways a Trojan might make its way onto your system. Opening an attachment that carries a Trojan, or merely previewing a message in a mail client with an unpatched rendering flaw, can be enough. A Trojan can hide in a document that carries macros, such as an ordinary Word file. You can download a program or simply click a link on a web page, and guess what? You can get a Trojan that way too! Trojans can also be the payload of a classic virus, or they can be implanted by an attacker who has already compromised your system.

So when you get a Trojan, what can it do? Typically, Trojans contain backdoor remote administration tools that let attackers access your system undetected. All sorts of things can be done from there. Often attackers will implant keystroke loggers, or use password extraction and cracking techniques that then let them thoroughly compromise your system.

So what are some indicators that you do have a Trojan on your system? Here are some that may show up:

· Registry updating: startup messages may appear saying that new software has been (or is being) installed

· You may see new or strange processes running in the Windows Task Manager

· You may see anti-virus software and/or personal firewall software terminate suddenly or unexpectedly, either at startup or when loading these programs

· Applications may suddenly and inexplicably become unresponsive to normal commands

· You may see unexplained remote login prompts at unusual times

· You may see an unfamiliar login screen pop up

· You may see unexpected or unscheduled Internet connection activity

· You may see normal web requests redirected to unknown sites

If you see things like this happening on your computer, it is a good idea to check them out rather than writing them off as more inexplicable computer behavior. Remember, if you get a Trojan on your home computer and you also use that computer for business, you might just be handing an attacker the keys to the kingdom!
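The indicators above are much easier to act on if you have something to compare against. The script below is an added example written for this page, not from the original post: it snapshots the three things a Trojan most visibly changes (autorun registry entries, running process names, and listening or outbound sockets) from the standard Windows tools, saves that as a baseline, and on a later run reports only what is new. The parsers assume the output formats of netstat -ano, tasklist /fo csv /nh and reg query; the embedded before/after samples, including the svch0st.exe process and the 198.51.100.23 address, are constructed for the demo and not taken from a real incident.

```python
"""Baseline-and-diff host triage for the Trojan indicators listed above: new autorun
entries, new processes, new listening or outbound sockets. Added example for this page,
not from the original post. Parsers target the Windows `netstat -ano`,
`tasklist /fo csv /nh` and `reg query` formats; the sample output is constructed."""
import csv
import io
import json
import re
import subprocess
import sys

RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
REG_LINE = re.compile(r"^\s*(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")

def parse_netstat(text):
    """`netstat -ano` rows as (proto, local, remote, state, pid); UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""
        rows.append((parts[0], parts[1], parts[2], state, parts[-1]))
    return rows

def socket_keys(rows):
    """Stable socket identity: listeners by local endpoint, outbound by remote host;
    ephemeral client ports and PIDs change between snapshots, so they are dropped."""
    keys = set()
    for proto, local, remote, state, _pid in rows:
        if state == "LISTENING" or proto == "UDP":
            keys.add(f"{proto} listen {local}")
        elif state == "ESTABLISHED":
            keys.add(f"{proto} out {remote.rsplit(':', 1)[0]}")
    return keys

def parse_tasklist(text):
    """`tasklist /fo csv /nh` rows -> set of image names."""
    return {row[0] for row in csv.reader(io.StringIO(text)) if row}

def parse_reg_query(text):
    """`reg query <Run key>` rows -> {value name: command line}."""
    return {m.group(1): m.group(3) for m in map(REG_LINE.match, text.splitlines()) if m}

def snapshot(netstat_text, tasklist_text, reg_texts):
    """Normalised snapshot; reg_texts maps each Run key path to its `reg query` output."""
    return {"sockets": sorted(socket_keys(parse_netstat(netstat_text))),
            "processes": sorted(parse_tasklist(tasklist_text)),
            "autoruns": {f"{key}\\{name}": cmd for key, text in reg_texts.items()
                         for name, cmd in parse_reg_query(text).items()}}

def diff(baseline, current):
    """Additions and changed autoruns only: that is what the indicators above describe."""
    return {"new_autoruns": {k: v for k, v in current["autoruns"].items()
                             if baseline["autoruns"].get(k) != v},
            "new_processes": sorted(set(current["processes"]) - set(baseline["processes"])),
            "new_sockets": sorted(set(current["sockets"]) - set(baseline["sockets"]))}

def collect_live():
    """Run the real tools (Windows only; use an elevated prompt so HKLM is readable)."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return snapshot(run("netstat", "-ano"), run("tasklist", "/fo", "csv", "/nh"),
                    {key: run("reg", "query", key) for key in RUN_KEYS})

# Constructed sample output: a clean "before" and a suspicious "after".
NETSTAT_BEFORE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.5:49712      203.0.113.8:443        ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1204
"""
NETSTAT_AFTER = NETSTAT_BEFORE + """
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5180
  TCP    192.168.1.5:50021      198.51.100.23:8080     ESTABLISHED     5180
  TCP    192.168.1.5:50022      203.0.113.8:443        ESTABLISHED     3120
"""
TASKLIST_BEFORE = '"svchost.exe","892","Services","0","9,100 K"\n"explorer.exe","3120","Console","1","58,224 K"\n'
TASKLIST_AFTER = TASKLIST_BEFORE + '"svch0st.exe","5180","Console","1","2,044 K"\n'
REG_BEFORE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
REG_AFTER = REG_BEFORE + r"""    WindowsUpdate    REG_SZ    C:\Users\me\AppData\Roaming\svch0st.exe
"""

def main(argv):
    if argv[1:2] == ["baseline"]:
        with open("baseline.json", "w") as f:
            json.dump(collect_live(), f, indent=1)
    elif argv[1:2] == ["check"]:
        with open("baseline.json") as f:
            print(json.dumps(diff(json.load(f), collect_live()), indent=1))
    else:                                   # offline demo on the constructed samples
        before = snapshot(NETSTAT_BEFORE, TASKLIST_BEFORE, {RUN_KEYS[1]: REG_BEFORE})
        after = snapshot(NETSTAT_AFTER, TASKLIST_AFTER, {RUN_KEYS[1]: REG_AFTER})
        print(json.dumps(diff(before, after), indent=1))

if __name__ == "__main__":
    main(sys.argv)
```

On a freshly built or known-clean machine run `python triage.py baseline`; afterwards `python triage.py check` prints what has appeared since, and with no arguments the script diffs the embedded samples. The diff keys listeners by local endpoint and outbound connections by remote host, so a browser reconnecting to the same site on a new ephemeral port does not show up as new, while a new listening port, a new destination, a new image name or a new Run value does. Those are exactly the indicators the list above asks you to watch for, minus the guesswork.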

Another Mobile Threat

So, we now know that “hackers” have been doing a ton of vulnerability research on the new iPhone since it was released. That research has turned up a couple of interesting vulnerabilities. The first is a flaw in the Safari web browser that could allow an attacker to take complete control of the phone by tricking its owner into following a link to a malicious website that exploits a buffer overflow in the browser. The attacker could then listen to the room's audio or steal SMS logs, the address book, email passwords and much more. The other interesting issue is the possibility of crashing the phone by fuzzing its Bluetooth stack.

None of these revelations is new to security professionals or penetration testers. This is all normal, run-of-the-mill stuff that we see and deal with every day. What’s interesting to us is how quickly these issues were found and what that could mean in the grand scheme of things. I’m not really interested in what will become of the iPhone, mostly because I have no plans to pay $600 for a phone. What does interest me is how this is just one more piece of the “perfect storm” that mobile technology is going to bring to our lives.

For several months, maybe even a couple of years, MSI has been telling our clients and our friends that we believe mobile technology is going to lead to major problems for companies and individuals alike. We all love the convenience our newly acquired mobile devices provide. In some countries (look for it to make its way here soon) it’s not even necessary to carry plastic or cash anymore. In parts of Europe and Asia, for example, it's now possible to pay for your McDonald’s, or your soda from a vending machine, or your clothes at a retail store with a Bluetooth-enabled phone and a PayPal account. Or consider that same Bluetooth-enabled phone and PayPal account associating with the nearest payday loan boutique, while you sit in the bar, for a quick loan to continue your happy hour. Or that certain cell phone companies are now making it possible to pay all your bills from your cell phone. Not to mention the accepted risk of laptops coming in and out of an enterprise, or unnoticed wireless access points in your enterprise.

What many people don’t understand is what attackers are already doing to take advantage of the lack of security in these convenient technologies. People were going gaga over the iPhone before it came out. People in this country will LOVE the idea of being able to pay for things with their cell phone. What the consumer won’t be told is that there are already attackers setting up fake Bluetooth IDs for your phone to associate with. Imagine a Coke machine with a Bluetooth ID of “Coke”. Now imagine my laptop sitting on top of the Coke machine with a Bluetooth ID of “CokeMachine”. How are you going to know which one to associate with? Will your phone even give you the option of choosing? What if it chooses the first one it sees? OK, so I get your 75 cents and you don’t get the Coke. What I also get is your PayPal account information. This is just one of the many examples we could give.

The point of this post is not stealing 75 cents from a thirsty consumer. What we are concerned about is how the lack of security in these devices is being completely ignored because of the convenience they bring to the consumer. There will always be people out there who try to take advantage of the unsuspecting consumer, and occasionally they will succeed. A little education could go a long way towards teaching those same consumers how to remain vigilant and protect their identity as well as their bank accounts. At the same time, the same educational programs need to be put in place in the corporate enterprise to ensure that insecure mobile devices are not being brought into the enterprise and increasing the risk of compromise. We’d like to see much more information distributed to consumers about the technologies they are using and how they could inadvertently be endangering their financial future.