What is Your Favorite Application Security Tool?

Application security is all the rage these days. As such, vendors, open source projects and individual developers are flooding the market with tools for scanning, pen testing, application firewalls and all kinds of other stuff.

With so much “stuff” available, we thought we should ask you, the users, what your favorite application security tools are. So, drop us a line or a comment and let us know about your coolest appsec toy. We will aggregate and post the best in an upcoming blog post.

Please share the name, the basic functionality and the reasons you like the tool so well.

Thanks for contributing!

Open Source Software File Integrity

Do you check file integrity when you download open source software? This is normally accomplished by the software developer publishing MD5 sums for the files. An MD5 sum is a cryptographic hash (a digest) computed over the file, not a signature: anyone can compute it, so it proves only that the bytes you received are the bytes the developer hashed. Given the developer's digest, you verify the file by computing the digest on your own system and comparing it against the published sum. Many developers have recently started including GPG-signed sums, which is better still: if the server holding the software and the sum files is compromised, an attacker can replace the sums along with the files, but cannot forge the signature without the developer's private key. Note, too, that MD5 is no longer collision resistant, so prefer SHA-256 (or stronger) sums whenever the developer provides them.

The reason I bring this up is that a popular open source application was recently compromised. An attacker was able to access a server that contained the downloadable distribution and changed some of the files to contain malicious code that could be exploited remotely. The altered files were found by a user who had downloaded them and noticed a discrepancy in the sums, potentially saving many others who had downloaded the altered software.

Doing this may sound like an inconvenience, but it is really easy to do, and it helps ensure that you are getting software that has not been tampered with. To do your part, you just need a program that generates MD5 digests. Most Linux distributions include one (md5sum), you can download one for virtually any OS, and you could even write your own. Run it against the files you downloaded and compare your output, character for character, against the sum provided by the developer. A mismatch, however small, means the file should not be installed.

If you have GPG and the developer provides signed sums, you can also check that the sums were actually created by the developer. That check is only as good as the key you verify against, so obtain the developer's public key from a source independent of the download server (a key server, a fingerprint published on the project's site, or a previous signed release) before trusting it.
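As an added example (not code from the original post), here is a PowerShell function that performs the check above end to end on Windows, where Get-FileHash stands in for a separate MD5 program: it looks the downloaded file up in the developer's sums file, picks the algorithm from the digest length, compares the digests, and, if a detached signature for the sums file is supplied, asks gpg to verify it. It assumes gpg is on the PATH and that the developer's public key has already been imported and fingerprint-checked; the file names in the usage lines are placeholders.

```powershell
# Added example, not the blog's own code. Requires Get-FileHash (Windows PowerShell 4+
# or PowerShell 7) and, for the signature check, gpg on the PATH with the developer's
# public key already imported and fingerprint-checked (assumption).

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,       # the downloaded file
        [Parameter(Mandatory)][string]$SumsFile,   # e.g. MD5SUMS or SHA256SUMS
        [string]$SignatureFile                     # e.g. SHA256SUMS.asc (optional)
    )

    $name = [System.IO.Path]::GetFileName($Path)

    # Sums files are "<hex digest><whitespace>[*]<file name>", one entry per line.
    # Split on the first whitespace run (and an optional binary-mode '*') only, so
    # file names containing spaces survive.
    $expected = $null
    foreach ($line in Get-Content -LiteralPath $SumsFile) {
        $parts = $line.Trim() -split '\s+\*?', 2
        if ($parts.Count -eq 2 -and $parts[1] -eq $name) {
            $expected = $parts[0].ToLowerInvariant()
            break
        }
    }
    if (-not $expected) { throw "No entry for '$name' in $SumsFile" }

    # The digest length tells us which algorithm the developer used. Prefer SHA-256
    # sums when they are offered; MD5 is no longer collision resistant.
    $algorithm = switch ($expected.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        default { throw "Unrecognised digest length $($expected.Length) in $SumsFile" }
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash.ToLowerInvariant()
    $hashOk = ($actual -eq $expected)

    # A sums file hosted next to the download is only as trustworthy as that server;
    # a detached signature lets you check that the sums came from the developer's key.
    $sigOk = $null
    if ($SignatureFile) {
        & gpg --batch --verify $SignatureFile $SumsFile 2>$null
        $sigOk = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        File      = $name
        Algorithm = $algorithm
        Expected  = $expected
        Actual    = $actual
        HashOK    = $hashOk
        SigOK     = $sigOk                              # $null when no signature was given
        Passed    = ($hashOk -and ($sigOk -ne $false))  # false on any check that failed
    }
}

# Usage (placeholder file names): check a release archive against SHA256SUMS and its signature.
Test-DownloadIntegrity -Path .\app-1.0.tar.gz -SumsFile .\SHA256SUMS -SignatureFile .\SHA256SUMS.asc
```

A result with HashOK true but SigOK false means the digests agree with a sums file that was not signed by the key you trust; treat the download as tampered with, not as verified.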

One Way An Attacker Uses Convenience Against You

Over the past year, MSI has performed so many information security assessments that I have lost count. As the Senior Security Engineer and quasi-Project Manager, I get to read each and every report that comes out of our technical team, before it gets shipped off to the client. While we occasionally see things that can only be described as “interesting”, there is usually one constant theme amongst the overwhelming majority of our clients that continues to surprise us AND them….and that’s the use of Microsoft’s Terminal Services.

For those of you that don’t know, Terminal Services is a solution that is designed to allow remote access to the graphical user interface (GUI) of the machine on which it is installed. Terminal Services is probably one of the most convenient solutions around for allowing remote access to a particular system. What continually surprises our clients is the fact that we, as the proverbial attacker, are just as capable of taking advantage of that “convenience” as the administrators who regularly use them are.

For an attacker, Terminal Services does not only provide access to a system’s GUI, given the correct credentials, it also provides a way to verify whether those credentials are legitimate. Here’s the deal: when an individual (or attacker) connects to a Terminal Services login prompt, they are authenticating either to the local machine or to the domain, dependent only upon their current mood or desire. You see, Terminal Services lets you choose where you wish to authenticate, assuming the target host is joined to the domain.

While it might be useful to discuss exactly how an attacker can use Terminal Services against you, I think it’s more useful to discuss how we have seen Terminal Services deployed and what some of the better solutions might be.

We primarily see Terminal Services deployed on an internal network, which is where it was designed to be deployed.  On some rare occasions (much to our delight, our clients dismay) we see Terminal Services deployed on Internet-facing systems. This should be considered an absolute no-no. If an attacker were able to get their hands on legitimate credentials (any credentials that are valid on the target machine or domain, if configured) there is nothing stopping them from gaining access to the GUI on that Internet-facing system.  No need to scan the host for vulnerabilities.  No need to run any exploit code.  No need to set up any netcat shells.  No need to maneuver around the system via the command line.  The attacker can log into the host just as if he were sitting at the keyboard.

The problem with allowing Terminal Services on an internal network is that it simply makes an attacker’s job much easier than it should be. Again, given legitimate credentials, it becomes trivial for an attacker to move from host to host that has Terminal Services installed. You can use your imagination to figure out what the attacker does once logged into the hosts. The big question here is…which systems usually have Terminal Services installed, on an internal network? In our experience, it’s usually the critical systems that administrators need to work with on a regular basis. That’s right…domain controllers, mail servers, web servers, database servers, etc. Many of those systems are usually showered with extra attention to ensure that their patches are current, anti-virus is up to date and logs are analyzed.

If you, the administrator, are dedicating so much time towards keeping those critical systems up-to-date, why keep an authentication portal available whose legacy RDP security layer encrypts the session but gives the client no way to verify the server (so it is vulnerable to man-in-the-middle attacks), grants remote access to the GUI of your most critical systems…all while allowing every single user on the domain to attempt to authenticate to the system?

On Internet-facing systems, we would much rather see a VPN solution being used to allow remote access. If a VPN solution cannot be used, we would prefer to see Secure Shell (SSH), or Virtual Network Computing (VNC) tunnelled over SSH or the VPN, since VNC’s own protocol does not encrypt the session and its password exchange is a weak challenge-response that can be cracked from captured traffic. The point is to authenticate to the remote access service and not to the local system or domain.

VNC sets its own password when the service is installed and configured, and that credential is specific to the VNC service, not to the system or domain as a whole. SSH normally checks logins against the host’s own accounts, but it can be restricted to a short list of named users and to public-key authentication, so a stolen domain password is not enough on its own. Either way, if an attacker compromises the remote access credential, they don’t automatically have a logon to the local system or domain…they are still stuck inside the sandbox of the remote access service.

On internal systems, there are really a couple of ways around the Terminal Services problems. If you are dead set on using Terminal Services, MSI would recommend that you disable the service until it is needed. At that time, it is possible to start the Terminal Services service remotely. Once the work is done, disable the service again. In addition to disabling the service, it is imperative that Terminal Services be configured to only allow administrator accounts to connect and to require a multi-factor authentication token to authenticate. In doing so, you have created a service that is only available when needed and then only to individuals who are administrators AND possess a legitimate token.
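The first option above can be scripted so that the listener is only open during a maintenance window. The following is an added example, not MSI’s code, written for Windows PowerShell 5.1 on a domain-joined member server: it flips the “deny connections” switch (the same setting the Remote Desktop control panel toggles) rather than stopping the TermService service, requires Network Level Authentication and TLS while the listener is on, closes the firewall group when it is off, and lists who is allowed to connect so that something like “Domain Users” sitting in Remote Desktop Users can be spotted. It assumes PowerShell remoting (WinRM) is enabled on the target and that the caller is a local administrator there; sql01 is a placeholder host name. The token requirement is a property of the logon provider and is not something this script can impose.

```powershell
# Added example, not MSI's code. Assumes WinRM remoting to the target and local
# administrator rights there; 'sql01' is a placeholder host name (assumption).

function Set-RemoteDesktopState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $rdpTcp = "$tsKey\WinStations\RDP-Tcp"
        if ($using:State -eq 'On') {
            # UserAuthentication=1 requires Network Level Authentication, so a client must
            # authenticate before any session (or logon screen) exists; SecurityLayer=2
            # requires TLS, so the legacy RDP security layer that lets an attacker
            # impersonate the server is never offered.
            Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
            Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
            Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0 -Type DWord
            Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        } else {
            # fDenyTSConnections=1 stops the listener accepting new sessions; closing the
            # firewall group takes TCP 3389 off the network as well.
            Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            RdpEnabled = ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0)
        }
    }
}

function Get-RemoteDesktopPrincipals {
    # Everyone who can log on through Remote Desktop is a member of the local
    # Administrators or Remote Desktop Users group. A domain-wide group in the second
    # one is exactly the "every single user on the domain" problem.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        foreach ($group in 'Administrators', 'Remote Desktop Users') {
            Get-LocalGroupMember -Group $group | ForEach-Object {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Group    = $group
                    Member   = $_.Name
                    Source   = $_.PrincipalSource   # Local or ActiveDirectory
                }
            }
        }
    }
}

# Maintenance window: open the listener, check who could use it, do the work, close it.
Set-RemoteDesktopState -ComputerName sql01 -State On
Get-RemoteDesktopPrincipals -ComputerName sql01 | Format-Table -AutoSize
# ... administrative work over RDP with a token-backed administrator account ...
Set-RemoteDesktopState -ComputerName sql01 -State Off
```

Run the audit function against every critical server once, before any maintenance window: any member of Remote Desktop Users that is not an individually named administrator account should be removed, otherwise the “administrators only” part of the recommendation is not actually in force.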

The second option would be to use VNC, again over an encrypted tunnel such as SSH or the VPN, since VNC itself does not encrypt the session. As mentioned, using VNC instead of Terminal Services allows for credentials that aren’t related to the local system or the domain…only the VNC service.

These are just a couple of ways around using Terminal Services.  A lot of our clients say that they use Terminal Services because it is convenient.  Our answer…yes we know…thank you for the assistance. A lot of times organizations have to try to balance security and convenience in order to allow for functionality. In this particular case, MSI believes that the individuals that normally use the Terminal Services should be technically savvy enough that security can be increased and convenience can be reduced, especially on critical systems.

Then again, if you think your convenience isn’t that big of a security problem, you could always ask us to help validate that theory.  Probably much easier AND cheaper than if a real attacker validates the theory for you.

Security Practices Apply to Everyone

Recently, I had requested bank account numbers and bank routing numbers from a few companies with whom we have just begun doing business. I needed to get these companies set up for online payments since all of our corporate banking is conducted electronically.

I made my request to accountants, chief financial officers and the like. I got the information I needed but what surprised me about receiving this data was that each person emailed the information to me in plain text with no encryption.

Employees with responsibility for corporate financial data have some of the most sensitive company information at their fingertips every day. Often, I think we neglect to recognize the potential for damage if this data got into the wrong hands. Of course, measures are in place within our office environments and on our computer networks, but security for email is often forgotten.

Although my financial counterparts may not use encryption every day, I would encourage them to adopt a method and learn to use it. If your primary responsibilities focus on accounting in your organization, I urge you to inquire with your technical support staff about an encryption method and then use it whenever you transmit sensitive data through email. If your IT department does not have an accepted encryption method, you can begin to research some common options by reviewing PGP, GPG or the encryption built into WinZip (choose its AES option rather than the legacy ZIP 2.0 encryption, which is easily broken, use a strong passphrase, and send that passphrase by a channel other than the email that carries the file).

Then you will be doing your part in maintaining your company’s confidential data whenever it travels over the Internet!

Secure VPN boosts business continuity

Business continuity is subject to many unexpected events, one of which is the weather. When New York got covered by 9 feet of snow, practically everyone had to stay home until the roads were clear. But the productivity of some businesses was virtually unfazed by the tons of snow because they use secure VPN access to log into their corporate network from the comfort of their own home. VPN, meaning virtual private network, lets packets traverse the Internet encrypted so they cannot be read or altered in transit by malicious entities. The end result is that using a VPN is virtually equivalent to plugging your ethernet cable into the wall.

Of course one wouldn’t want to use single-factor authentication on a resource as valuable to attackers as a VPN, so anyone who accesses the VPN should be required to use multi-factor authentication. Some businesses implement this with SecurID tokens that change numbers in a pseudorandom fashion, others use certificates that require passwords to unlock them, and some businesses also limit access to the VPN so that only certain whitelisted IP addresses can get in. No matter how you configure it, VPN can save your business big bucks by allowing your workers to be productive from home on snow days.

More Facts About the Insider Threat

The US military and CERT have released some interesting data on the insider threat to organizations. You can find a media write up of it here.

Of most interest were some of the numbers. I was pretty amazed by the fact that 86% of the insider threat originates in IT and that some 90% of incidents involved people who already had Administrator/root privileges on the network!

It makes sense that IT would be a large source of cyber threats, but I really had always thought that we were doing a better job of teaching ethics to IT staff. The percentages seem to disagree with that and I think it makes a clear statement that we need to improve on developing not just technical skills in our teams, but also ethical behaviors and insight.

That 64% of incidents involved remote access systems like terminal servers, VPN and such combined with non-terminated password accounts or known accounts that did not change their passwords is NOT amazing to me. This remains one of the most serious threats that organizations face today – especially if they are larger than a small company.

Quite simply, password management has become a nightmare, and passwords remain the largest threat to the security of any organization. Password changes are too difficult in most environments, too many applications require administrative access to operate and there are few true technical solutions to the problem. Hopefully in the future, some real and functional technology will arrive to replace passwords – but most of the current solutions seem to fall far short in terms of cost, reliability and ease of management. (Bonus to vendors and developers: Make something to fill this niche that meets those three requirements and get rich!)

I don’t think anything in the article is rocket science, but it is nice to get firm numbers that confirm what security pundits (myself included) have been saying for close to a decade. Insiders matter. Ethics matter. Passwords just have to go.

In the meantime, while we wait for maturity of technical solutions on the password front, we can certainly begin to identify ways to increase cyber ethics and to help educate people and companies about the insider threat. Truly, as with most cases, education seems to be the key to affecting change. Maybe, if we begin to strengthen the ethical training of tomorrow’s network and system admins, we can lower those percentages and the risks for future generations.

Completed: The MSI Promise of “Finding a Better Way to Do Intrusion Detection”

With the release of our HoneyPoint:Network Trust Agent (HP:NTA) product this week, we have completed our promise to develop HoneyPoint technologies that are deployable throughout the entire organization. For more than two years, our clients and other security folks have been telling us that Intrusion Detection technologies were just not cutting it when it came to defending the internal network and the systems that you depend on to run your businesses. I personally and publicly promised, last year, that I would find a better way forward and I now feel that we have lived up to that promise.

HP:NTA, along with the rest of the HoneyPoint product family, gives organizations a platform to deploy host-based intrusion detection built on an entirely new paradigm. The products require no signature updates, have no false positives to contend with, run on existing hardware and are based on the idea of “deploy and forget”. When you combine these factors, you get the highest ROI in the market today, the easiest solution to deploy and manage AND what I believe to be the best security mechanism you can buy.

One of the leading factors in HoneyPoint’s importance is that the technology detects intrusion earlier than most other technologies. By that, I mean that HoneyPoints tend to capture attackers, focused attackers, while they are still in their targeting mode. If you look at other detective technologies like signature based tools, NIDS and such, they detect the attacker in the act of EXPLOITING a target. One of the key reasons that HoneyPoint has been so successful at capturing intruders and allowing their threats to be mitigated is that HoneyPoints key in on the attacker methodology. They capture attackers while the attacker is performing their initial probes, even as they attempt to identify potentially vulnerable services and systems to exploit.

That simple difference, of capturing the attacker earlier in their approach, may well allow organizations to save themselves immense amounts of financial damages, regulatory exposures and loss of confidence. That alone, makes all of our work developing the HoneyPoint product family worth the effort. If we can help one organization better protect one consumer, then all of our work was worth it!

Now, with the release of HP:NTA, HoneyPoint Personal Edition and the flagship, revolutionary HoneyPoint Security Server we have created the tools that organizations deploy on their servers, their administrative workstations and even the systems of everyday users and road warriors. Each product is geared to the appropriate skill level of the user, and in each case – we made every attempt to keep the interfaces easy to use, easy to manage and easy to understand. The tools are all deployable en masse, upgradable with little more than file exchanges and include personalized support from our simply amazing staff of security engineers. In short, these products represent the completion and embodiment of our promise to our clients and the world. We said we would find a better way, and we did. We said we would make it possible for you to better protect yourselves, more easily than ever before. We have lived up to our word.

Looking forward, as we complete the development of HoneyPoint Security Server 2.00, we are about to again revolutionize the industry. The 2.00 release promises to bring more power, more flexibility and even more customization to enable our clients and the world to achieve yet another security plateau. Our commitment to you is to listen to your needs, continue to develop HoneyPoint technologies and work together to find new solutions.

As the 2.00 release draws near, stay tuned for more information, sneak peeks and discussions about what other changes to the product line are being planned. As always, please feel free to send us your thoughts, questions or input.

Thanks for making MSI your security partner. We appreciate working with each and every one of you!

Some Quick Ideas Around Virtualization

I was doing some research recently on the various platforms available for hosting virtual machines. I found this great comparison matrix at Wikipedia.

There are now a ton of platforms available for just about every OS out there. Some are certainly friendlier than others, but this is a great place to narrow things down to a short list.

Combining VM capabilities, the availability of LiveCDs and the low cost of memory and hard disk space these days, there is little reason that just about anyone cannot easily and cheaply make their own very functional virtual lab for research, training and/or development. Security teams should rush to embrace this technology, as they could really use VM labs for experimentation, application analysis, tool evaluation, forensics and ongoing training.

VM has come a long way, and with solutions starting at FREE, they make economical sense for a ton of situations ranging from disaster recovery to prototyping. Maybe there will even be a new line of consulting services on the horizon where experts at virtualization will make small fortunes helping organizations port their complex apps and environments over to VM platforms for reduction of hardware footprints and ease of management.

The bottom line is this – if you haven’t played with VMs in a while, now might be a good time to look at them again. Things in this space are maturing nicely….

HoneyPoint Security Server 1.50 Now Available

MSI is pleased to announce the general availability of HoneyPoint Security Server version 1.50.

The new release, an update of the HoneyPoints themselves, adds the much requested capability to ignore specific hosts such as network scanners and other known sources of network traffic that in the past would trigger unneeded events.

“Customers were so excited about the ignore capability that we have been demonstrating for them in the coming 2.00 product release, that we decided to back port that capability to the 1.XX series of HoneyPoints. This is a large advance for further reducing false positives and maintaining our industry-leading position as the simplest, most powerful way to secure network deployments.” said Brent Huston, CEO and Security Evangelist of MicroSolved. “Clearly, with the coming 2.00 release, we will further establish our emergence as a dominant security technology and easily demonstrate what customers have been telling us – that this is simply a better way to do organizational intrusion detection and security.”

For details on obtaining the 1.50 upgrades and/or to discuss the coming 2.00 release, please contact your account executive.

CUISPA Looking to be a Big Event

The CUISPA meeting for Credit Union security team members is looking to be a very big event this year. The annual meeting, held in Austin, is expanding both in terms of attendees and in the overall content.

Last year was a fantastic event, and MSI looks forward to seeing everyone at the meeting again this year. With the many challenges CUs face this year surrounding changes to the regulations, application security requirements and the normal stress of the threats they deal with every day, CUISPA is an excellent chance for security teams to get some input from their peers and to learn about strategies and techniques that others are using to achieve success.

Check out our booth this year at the show, and stop by and chat with Connie. She is eager to help and to discuss our service offerings, HoneyPoint and just how easy we can make compliance with NCUA regulations. We hope to see you there!