The Changing World of Information Security Compromises

Posted on by
2

Because of the evolving nature of the attacker populace and their adoption of social media and open source mechanisms for crime ware tool development; new threat models are being applied across the board to sites that either had no attention on threat management or were woefully unprepared for the threat models that got focused against them. Hacktivism is indeed an extended threat for information security.

You can be targeted for your business partnerships, role in the supply chain, political leanings, or public position — OR simply to steal CPU cycles/storage from your systems because of your valuable data or simply because you have a common vulnerability. There are a myriad of reasons from the directly criminal to the abstract.

Social media and the traditional media cycles are simply amplifying the damage and drawing attention to the compromises that would not have made the news a few years ago. Web site defacements get linked to conspiracy groups. Large attacker movements get CNN headlines whereas they were basically ignored by most just a short while ago.

However, the principles of what you can do about insecurity and compromises remains the same. Do the basics of information security and do them well. Know what you have and its posture. Take the basic steps to understand its life cycle and provide protections for the important data and systems. 
 
Implement vulnerability management, reduce your vulnerabilities, increase your detection/visibility capabilities and have a PLAN for when something goes wrong. Practice your plan and accept that failure is going to occur. Adopt that as a point of your engineering. It may sound simplistic, but doing the basics and doing them well, pays off time and time again. Apart from seeking whiz-bang, silver bullets; the basic controls established by The 80/20 Rule of Information Security, the SANS CAG and the other common baselines that are threat focused continues to provide stable, measurable, effective safety for many organizations.
 
That’s it. Do those things and you are doing all you can do. If an attacker focuses their attention on you, they will likely get some form of compromise. How much they get, how long they have access, and how bad it hurts is up to you.
 
Just my 2 cents. Thanks for reading!

MSI Strategy & Tactics Talk Ep. 24: When Outsourcing Security Tasks Goes Wrong

Posted on by
1

Outsourcing security tasks can be beneficial to a busy organization. But is there a possible downside? What questions should that organization ask when outsourcing part of their information security tasks?  In this episode of MSI Strategy & Tactics, the techs discuss an incident that happened when an organization outsourced a part of their system administration tasks to an outside consulting firm.  If you are considering outsourcing part of your security tasks, you’ll want to listen! Discussion questions include:

  • How important is it for vendors to vet employees before sending them into the field?
  • How important is it for organizations to be able to see that the vendors have thoroughly done this?
 
Panelists:
Brent Huston, CEO and Security Evangelist
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator
 

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Stealth Code for New Mutation of PHP Bot Infector

Posted on by
5

Recently, I found another new mutation of a PHP bot infector, with zero percent detection by anti-virus software. There was an anti-security tool code included, as well. 

For those interested, you can view this link to see that the total number of anti-virus detections was 0.

However, when I decoded the PHP backdoor, I got 17 anti-virus hits on it. It seems they locked into the c99 backdoor code remnants, which is a pretty old backdoor PHP trojan. This leads to the question about evasion techniques and how effective anti-virus applications are at doing code de-obfuscation. For example, if you want a currently effective AV evasion technique in PHP, it comes down to this simple line of code: (gzinflate(str_rot13(base64_decode($code)))); – There’s the cash money key in terms of evading most, if not all, current anti-virus tools.

However, if you have a process that runs grep against your files  looking for base64_decode and alerts you to new ones, you’ll get visibility to it and many, many others like it. Base64 encoding is still quite a popular call in PHP attack and compromise tools.

Here are some examples of this specific trivial control — here, and here. Now you have a real life example of how it pays off. So simple, yet so effective at detecting these slippery backdoors.

Finding specific nuance controls that pay off against specific threats to your assets is a key way to better security. It’s a win, all around!

Deeper Than X-Ray Vision: Device Configuration Reviews

Posted on by
1

Many of our assessment customers have benefitted in the last several years from having their important network devices and critical systems undergo a configuration review as a part of their assessments. However, a few customers have begun having this work performed as a subscription, with our team performing ongoing device reviews of one to three devices deeply per month, and then working with them to mitigate specific findings and bring the devices into a more trusted and deeply hardened state.

From credit unions to boards of elections and from e-commerce to ICS/SCADA teams, this deep and focused approach is becoming a powerful tool in helping organizations align better with best practices, the 80/20 Rule of Information Security, the SANS CAG and a myriad of other guidance and baselines.

The process works like this:
  1. The organization defines a set of systems to be reviewed based on importance, criticality or findings from vulnerability assessments.
  2. The MSI team works with the organization to either get the configurations delivered to MSI for testing or to access the systems for local assessments in the case of robust systems like servers, etc.
  3. The MSI team performs a deep-level configuration assessment of the system, identifying gaps and suggested mitigations.
  4. The MSI team provides a technical level detail report to the organization and answers questions as they mitigate the findings.
  5. Often, the organization has the systems re-checked to ensure mitigations are completed, and MSI provides a memo of our assertions that the system is now hardened.
  6. Lather, rinse and repeat as needed to continually provide hardening, trust and threat resistance to core systems.
Our customers are also finding this helpful as a separate service. Some smaller credit unions and IT departments may simply want to identify their critical assets and have this deep-level review performed against them in advance of a regulatory audit, to prepare for the handling of new sensitive data or important business process or simply to harden their environment overall.
 
Deep-dive device configuration reviews are affordable, easy to manage, and effective security engagements. When MSI works with your team to harden what matters most, it benefits your team and your customers. If you want to hear more about these reviews, engage with MSI to perform them; or to hear more about device/application or process focused assessments, simply drop us a line or give us a call. We would be happy to discuss them with you and see how we can help your organization get clarity with a laser-focus on testing the systems, devices and processes that you value most.
 
As always, thanks for reading and stay safe out there! 

Speed Bumps and Information Security

Posted on by
2

On Twitter, Brent Huston (@lbhuston), CEO and Security Evangelist, posed this question: Does the introduction of speed bumps into a neighborhood reduce overall burglaries and  petty crime?

There was some speculation that it may not impact burglaries but could impact violent crime. An Oakland study showed that bumps decrease the casual traffic pattern by 33%. As it turns out, speed bumps decrease speeding by 85%. Less casual traffic means less scouting for break-ins. So, speed bumps make you more secure. A study done by the Portland Bureau of Transportation shows a full examination of the impact of speed bumps.

Although speed bumps may deter criminal traffic, there’s a good possibility that the criminals just head toward an area that doesn’t have speed bumps. The same can be true with hardening your home security. If you take precautions and make your home more difficult to enter, the burglar may instead target one of your neighbor’s homes.

Although there may be instances where criminal activity increased due to speed bumps, those are not common and serve as the exception rather than the rule. Still, logic dictates that with more controls comes a decrease in crime. (Less speeding, less petty crime.)

And if you do find yourself in a neighborhood with speed bumps, slow down. They can sometimes break the cars of speeders

This leads us to the next question: What do speed bumps tell us about information security?

Can minor annoyances to attackers increase our overall security? What kind of speed bumps can you think of that might help?
 
Of course, honeypots, especially those that do misdirection and black holing are good cyber speed bumps. Curious about using honeypots as your deterrent against attacks? Give us a call and we’ll show you how to put a few of these “speed bumps” into your network. We promise they won’t damage your alignment!

 

Apple’s PC Free Feature: Insecure But Maybe That’s a Good Thing?

Posted on by
4

At least in the case of stolen devices.

The fervor for the newest iOS for Apple was building throughout 2011, and those who utilized the Apple iPhone and iPad felt a great sense of anticipation for Apple’s Worldwide Developers Conference (WWDC). Feature speculation floated around the Internet, leading to the launch date of iOS 5. What latest and greatest features and functionality would be announced?

Rumors were laid to rest at WWDC in June 2011 as the late Steve Jobs made one of his last public appearances to promote the launch of the newest mobile iOS, available October 12, 2011. New features included iMessage and numerous integration points with Twitter, the ability to hold your iPhone like a camera and “click” with the volume button, and the ability to sync your device with iCloud. The PC Free feature finally freed iOS users from the cord, no longer requiring them to connect their device to their Mac or PC to sync photos, music and software updates.  

As long as the user was sharing the same Apple ID, a photo, for example, would be uploaded to the cloud and pushed to each device running the newest iOS.  

During the WWDC keynote, MicroSolved, Inc’s CEO, Brent Huston, spent considerable time on Twitter discussing the lack of built-in security for the new iOS. He made the point that each unique identifier (in this case, the Apple ID) on numerous devices would allow possibly unwanted users to see information they shouldn’t see. He used the example of a parent downloading and viewing patient medical data (such as an MRI scan) on their Apple device. Instantly, the image would upload to the cloud and be pushed to any user sharing the same Apple ID. In theory, the images would be shared with the spouse’s iPad and the daughter’s iPhone or iPod. In the case of medical data, this would pose serious HIPAA/HIPAA HITECH violations.

He shared other examples of syncing photos meant “for your eyes only,” which would be shared into the photo stream. I shuddered when I imagined how many conversations of  “Where were you last night?” would happen as a result. 

While the “doom and gloom” scenarios will surely play out (And they did in the case of the gentleman who used “Find my Friend” to catch a cheating spouse.), this newest feature has actually helped victims of stolen Apple devices catch kleptomaniacs.

Recently, the seamless sync feature led authorities in Hilliard, Ohio directly to thieves.  During a home burglary, they stole an iPad among other items. The homeowner suddenly noticed a number of new photos in his Photo Stream — pictures of people he didn’t know or recognize.  As it turned out, the iPad thieves were taking photos of themselves and unknowingly sharing their identity with the users who shared the Apple ID — including the dad who notified local police.

While this is great news in the case of the photogenic iPad snatcher, it does appear Dad didn’t have the lock feature on; which if he had, would have prevented the iPad from uploading photos to the cloud. We at MSI encourage device users to take advantage of all security features, but in this case, the father’s actions (or lack thereof)  worked in his favor.

Moral of the story: educate yourself regarding your device’s safety features and utilize the GPS function when needed.

Stay safe out there! 

MSI Strategy & Tactics Talk Ep. 22: 3 Tasks a Security Administrator Hates To Do (But Needs To Do)

Posted on by
3

It’s an understatement to say a security administrator is busy. In the quest to achieve POLA (Principle of Least Access), it’s easy to overlook other tasks that can make a huge difference in your overall security strategy.  In this episode of MSI Strategy & Tactics, the techs discuss three tasks that if consistently put on hold, will eventually cause havoc in your world. If you’re a security administrator, take a listen! Discussion questions include:

  • Password Management: Why is this an issue and what can a security administrator do that will make it easier?
  • Log Reviews: How can this task be better organized?
  • Why is documentation often overlooked and what can a security administrator do to change it?
Tools mentioned:
 
Panelists:
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Know Who’s Out to Hack Your Credit Union

Posted on by
1
 
 
 
 
 
 
 
 
 
 
 
 
One of the biggest questions we get when we talk to Credit Unions is about threats. They often want to know who might be targeting Credit Unions and how they might get attacked. Based on these questions and how often we hear them, we have come up with a way for you to actually get some metrics and intelligence around your own threat postures.
 
I am proud to introduce a new short-term service for Credit Unions that leverages our patent-pending HoneyPoint technology in a useful, powerful, easy and affordable way.  The MSI Threat Posture Analysis is a new service that does just that. The service is comprised of the following phases:
 
1. Initial consultation – our teams work together to plan for a quick, safe and easy deployment of our HoneyPoint technology; this initial discussion helps us decide if we are going to leverage a HoneyPoint hardware, software or combined deployment and exactly what we want to emulate for metrics gathering; the length of the metrics gathering mission is also determined (usually 90 days).
 
2. Pricing and contracts – based on our work together, fixed bid pricing is provided for the analysis and monitoring.
 
3. Delivery of technology – our teams work together to deliver and install the technology; MSI monitors the deployment remotely back at our NOC.
 
4. Analysis – MSI performs analysis of the data gathered; generating a set of reports that details sources of attacks, general estimated capabilities, attack frequency and other metrics designed to feed real world threat data into the Credit Union’s information security program.
 
5. Decommission and return of the technology – our teams work together to uninstall the technology and return any hardware to MSI. 
 
6. Follow on Q&A – for 3 months, MSI will continue to be available to answer questions or discuss the data and metrics identified in the analysis.
 
It’s that easy. You can quickly, easily, safely and affordably, move from blunt estimations of threats to real world data and intelligence. If you would like that intelligence as an ongoing basis, give us a call and we can discuss our managed services with you as well. 
 
So, if you’re tired of doing risk assessments without real numbers to back up your data or if your team has hit the maturity point where they can use real world metrics and threat source data to create firewall rules, black holes and other dynamic defenses, this approach can give them the data they are hungry for.
 
If you would like to discuss the analysis or hear more about it, give your account executive a call or reach out to me on Twitter (@lbhuston). I look forward to talking with you about the successes we are seeing.
 
As always, thanks for reading and stay safe out there!

Sample ICS/SCADA Maps

Posted on by
4

After I published the blog posts about the sample IT maps a few weeks back, questions started to come in about how those maps could be created for ICS/SCADA deployments.

I thought I would take a few minutes and create quick sample maps for folks to visualize what that might look like. In this case, I built a set of compound maps that show first, the basics of the process. Then I added data flow, trust mechanisms and eventually attack surfaces with the smallest bit of vulnerability insight thrown in. Click the links below to download the PDFs:
 
 
The goal would be to create a set of maps like this for each process or deployment, eventually leading to a master map that showed high level relationships between your deployments. 
 
Imagine how helpful these maps would be in an assessment or audit. Being able to show an auditor a strong set of diagrams of your controls and what your team knows about your environment is a powerful thing. Imagine the usefulness of this data in an incident. You could quickly, easily and effectively estimate the width and depth of compromise, understand what is potentially in play and even get a rough idea of what and where to look for evidence.
 
It might not be easy, since there is a lot of up front work to building these maps. But, every time we work through the project of creating them with clients, they learn a lot they didn’t know about their environment and their teams emerge stronger than before.
 
That said, give it a shot. If you want assistance or someone to do the heavy lifting, give us a call. If you want to discuss the process, reach out to me on Twitter (@lbhuston). I love to talk about this stuff, so I’m happy to help you.
 
As always, thanks for reading, and stay safe out there! 

MicroSolved, Inc. Releases Free Tool To Expose Phishing

Posted on by
4

MSI’s new tool helps organizations run their own phishing tests from the inside.

We’re excited to release a new, free tool that provides a simple, safe and effective mechanism for security teams and administrators to run their own phishing tests inside their organization. They simply install the application on a server or workstation and create a url email/sms/etc. campaign to entice users to visit the site. They can encode the URLs, mask them, or shorten them to obfuscate the structures if they like. 

The application is a fully self contained web mechanism, so no additional applications are required. There is no need to install and configure IIS, Apache and a database to manage the logs. All of the tools needed are built into the simple executable, which is capable of being run on virtually any Microsoft Windows workstation or server.

If a user visits the tool’s site, their session will create a log entry as a “bite”, with their IP address in the log. Visitors who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and the first 3 characters of the password they used.

Only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged.

“Organizations can now easily, quickly and safely run their own ongoing phishing campaigns. Instead of worrying about the safety of gathering passwords or the budget impacts of hiring a vendor to do it for them, they can simply ‘click and phish’ their way to higher security awareness.”, said Brent Huston, CEO & Security Evangelist of MicroSolved. “After all, give someone a phish and they’re secure for a day, but teach someone to phish and they might be secure for a lifetime…”, Mr. Huston laughed.

The tool can be downloaded by visiting this link or by visiting MSI’s website.