Book Review: Ghost in the Wires

I just finished reading Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker and I would have to say that I was impressed. There is a lot of good history and information in the book about Kevin’s exploits, his life on the run and what it was like to live on the razor’s edge of hacking.

The technical content is enough to keep a techie reading, while the story, in general, is a real-life thrill ride. I found the reading to be easily digestible and the tone to be spellbinding.

If you have any interest in information security, or the history of hacking, then give Ghost in the Wires a read. You won’t be disappointed!

Home Depot Data Breach; a Good Argument for Best Practices-Based Infosec

There are two big philosophies of how to implement information security at organizations: “standards-based” and “best practices-based” infosec programs. The vast majority of America’s companies and agencies follow a standards-based approach, and most of these only strive to achieve a baseline level of standards adherence.

When you hear the word “baseline” you should think of the words “at least” or “at a minimum.” For example, you should “at least” implement physical and logical access controls. Or, you should “at a minimum” employ a firewall at your network perimeter. That sort of thing. Because that is what “baseline” standards are. They are the minimum level of controls recommended by standards organizations such as NIST and ISO. They were never meant to be ideals. They are only intended to function as starting points.

The problem is that a large number of commercial and public organizations are having trouble reaching even a baseline level of information security. They complain that complying with baseline standards is too expensive; that it takes too much dedicated manpower and interferes with customer service and other business processes. And what they are saying is true in its way; information security is expensive and it does take the cooperation of everyone in the business. But what they are really saying is that infosec is just not a priority and they truly don’t care much about it. This seems to me to be what was behind the Home Depot data breach.

Former company employees have stated that Home Depot had told them to only go for a “C” level of information security. They weren’t to concern themselves with implementing “B” or “A” level security at the organization. And Home Depot keeps credit card information! The Payment Card Industry Data Security Standard (PCI DSS) demands about the strongest level of baseline security out there. And Home Depot reputedly was handling unencrypted credit card information on their computer networks?! How did they pass their PCI security assessments? I don’t understand the particulars here. But however this situation came about, the fact is that once again the private financial information of millions of citizens has been compromised. Shouldn’t we be outraged and demanding a higher standard of security for our private information?

That is why everyone should be urging their government agencies and the retailers they do business with to implement information security at the best practices level. Industry standard best practices for information security are just that; they are the best means currently known for protecting IT systems and the information they process. Examples of best practices guidance are the MSI “80/20” rule for information security and the Top 20 Critical Controls for Effective Cyber-Security. Sure, it may add 10 cents to the cost of a package of light bulbs to implement best practices, but isn’t it worth it? I don’t hear people complaining about the banks buying a bunch of new physical security systems all the time to better protect their money. And really, what is the difference between the two?

This blog post was contributed by John Davis.

Computer Security is Your Own Responsibility

All of us know that our homes may be burglarized, and we take steps to help keep that from happening. We lock our doors and windows, we install motion detector lights outside, we put in alarm systems and some of us even install cameras. The same goes for the other stuff we do and own. We lock our cars, we put our valuables in safe deposit boxes and we avoid dangerous areas of the city late at night. We even watch what we say when we are talking on the phone, because we worry someone might be listening in. We all know that we ourselves are responsible for looking after these things. So why do we all seem to think that it is somebody else’s job to make sure we are safe while we are using our computers to surf the net or catch up on Facebook? We do, though. I’ve seen it happen and I’ve been guilty of it myself, I’m sorry to say.

For some reason, we don’t think a thing about using our kid’s name and age as our email password. It doesn’t enter our minds that it may not be a good idea to do our home banking while we are sipping a latte at Starbucks. And it doesn’t bother us a whit that our home wireless network doesn’t require a password (they’re a lot of trouble, after all!). But when we get hacked, the first thing we do is blame everybody from our ISPs to the companies that built our devices. I think part of the reason is that we think the whole computer thing is too technical and there is really nothing that we can do ourselves. But that simply isn’t true. The biggest part of computer security is just mundane, common sense stuff.

The most important thing is to understand what is really going on when you are on the Internet, and it can be summed up in one phrase: you are communicating in public. You might as well be standing in the town square shouting back and forth at each other. One of the only real differences is that a lot of what you’re doing is not only public, it’s being recorded as well! So, thinking with that mindset, how would you go about keeping your privacy?

First, you wouldn’t trust anyone to keep quiet and protect your secrets for you, would you? So, when you are on the Internet, always be suspicious. Make sure that that email from your bank or your co-worker is legit; don’t just click on the link. Be very suspicious of anything with attachments, and don’t just blithely open any document that is sent to you unsolicited. And if you get an urge to go to that neat looking gambling site or you hanker to click on that link that says they will show you your favorite celebrity with their pants down, suppress it! Also, take a look every once in a while and see what has really been happening on your computer. Your machines are usually keeping really good logs. Look them over and see if anything seems funny to you. You don’t have to be an expert, just curious.

Next, be leery if your machine starts acting funny. Maybe it gets really slow once in a while. Perhaps you turn it on and a message says “Download Complete,” but you don’t remember downloading anything. Lots of different things like that can occur. But when they do, and then your computer starts acting normally again, don’t just blow it off; check into it!

And change your passwords! It’s easy and fast, and it can save your bacon. If you have been at a hotel or have connected to the Internet from a coffee shop or airport, change your passwords as soon as you get home. If something funny happens or you think you may have done the wrong thing while you were web surfing, change your passwords. Use a password vault so you only have to remember one password. Then if something funny happens, you simply reset all your passwords and change the main one. And make it a good password, too. Make sure that nobody can guess your passwords or security questions just by reading your Facebook page.

Also, if you were out in public and wanted to keep what you are saying private, you could use a code, couldn’t you? Then, even if you were overheard, what you said wouldn’t make any sense to anyone but you and the person you are trying to communicate with. Why not apply that to your computer, as well? Use cryptography to store your private stuff in memory and for sending private communications whenever possible. You don’t have to be any kind of computer expert. Disk encryption tools are free and easy to use, and you can buy email certificates very inexpensively. The main thing is, though, take responsibility for your own computer safety like you would anything else you own. I’ll bet you can think of plenty of other common sense ways to protect yourselves that I haven’t touched on here.

This post by John Davis.

The Big Three Part 4: Awareness

Cyber-attacks are simply a part of reality now, and are very much like home burglaries. We can install locks and lights, cameras and alarm systems, and despite our best efforts at protection and prevention, a certain number of robberies are still bound to happen. That is the reason we need to steel ourselves to this fact and prepare ourselves to resist cyber-attacks the best way that we can. And the Big Three (incident detection, incident response, and user security education and awareness) are some of our best tools for meeting this problem.

The importance of user education and awareness to information security cannot be overemphasized. Of all the firewalls, IPS systems and other security sensors available, none can compare to human beings in their ability to detect cyber-attacks and security risks. But to take advantage of this resource, it is necessary that users know how to recognize security problems and it is necessary that they want to be engaged in the security process. To accomplish this, companies need to do several things.

First, they should provide all of their personnel with information security training both as new hires, and then periodically thereafter. This training should include the company information security policies that apply to all, plus information security training that is specific to each user’s particular role in the organization. Providing extra information security training for individuals such as code developers, system administrators and help desk personnel is particularly beneficial.

Next, it is also very important to provide all company personnel with information security awareness reminders. These serve two purposes. First, they help keep the need for good security practices fresh in users’ minds. But more importantly than that, good security awareness tips let your personnel know exactly what kind of attacks are out there and how they take place. That’s why it is important to base your awareness reminders on cutting-edge, real-world information security threats. For example, perhaps your employees get a perfectly legitimate-looking email message from one of their co-workers that solicits them to check out a certain website and give an opinion on it. So they innocently click on the embedded link and wham! Suddenly their machines have been infected with malware and they don’t have a clue that anything is wrong. Awareness reminders can help keep such things from happening.

On top of good information security training and awareness, we think that there is one more element that is needed to really make the process pay off. It is important to engage the interest of your employees and make them feel that they are an essential part of the information security effort. This isn’t really hard or expensive to do either. Explain their importance in the program to your personnel and ask for their help. Most everyone really likes to help out, and it makes them feel good inside. In addition, recognize those that have contributed to the information security cause and give them some kind of reward. This can be as simple as a little praise at the weekly staff meeting, or can include things like days off or preferred parking spaces. It doesn’t have to be big, just visible. One thing is sure, it makes better business sense to utilize this free and effective security resource to the hilt than spend a million dollars on a vaunted new IDS/IPS system!

This post by John Davis.

The Big Three Part 3: Incident Response

It’s been a couple of busy months since we posted parts one and two of this series, so I’ll recap briefly here. Part one talked about the failure of information security programs to protect private data and systems from compromise. It showed that despite tighter controls and better security applications, there are more data security compromises now than ever. This was the basis for suggesting an increased emphasis on incident detection, incident response and user education and awareness; the Big Three.

Part two in the series discussed information security incident detection and how difficult it is to implement effectively. It related the sad statistic that less than one out of five serious data breaches is detected by the organization affected, and that a disturbing number of breaches go undetected for months before finally being uncovered. Part two also touted a combination of well configured security tools coupled with human monitoring and analysis as one of the best solutions to the problem. In this installment, we’ll discuss the importance of accompanying incident detection with an effective, well-practiced incident response plan.

Say that an ongoing malware attack on your systems is detected. Would your staff know just what to do to stop it in its tracks? If they don’t do everything quickly, correctly and in the right order, what could happen? I can think of a number of possibilities right off the bat. Perhaps all of your private customer information is compromised instead of just a portion of it. Maybe your customer-facing systems will become inoperable instead of just running slow for a while. Possibly your company will face legal and regulatory sanctions instead of just having to clean up and reimage the system. Maybe evidence of the event is not collected and preserved correctly and the perpetrator can’t be sued or punished. Horrible consequences like these are the reason effective incident response is increasingly important in today’s dangerous computing environment.

Developing and implementing an incident response plan is very much like the fire drills that schools carry out or the lifeboat drills everyone has to go through as part of a holiday cruise. It is really just a way to prepare in case some adverse event occurs. It is deconstructing all the pieces-parts that make up security incidents and making sure you have a way to deal with each one of them.

When constructing your own incident response plan, it is wise to go about it systematically and to tailor it to your own organization and situation. First, consider the threats your business is menaced by. If you have been conducting risk assessments, those threats should already be listed for you. Then pick the threats that seem the most realistic and think about the types of information security incidents they could cause at your organization. These will be the events that you plan for.

Next, look over incident response plans that similar organizations employ and read the guidance that is readily available out there (just plug “information security incident response guidelines” into a web browser and see what you get; templates and implementation advice just jump off the page at you!). Once you have a good idea of what a proper incident response plan looks like, pick the parts that fit your situation best and start writing. This process produces the incident response policies needed for your plan.

After your policies are set, the next step I like to tackle is putting together the incident response team. These individuals are the ones that will have most of the responsibility for developing, updating and practicing the incident response procedures that are the meat of any incident response plan. Armed with the written policies that were developed, they should be an integral part of deciding who does what, when it gets done, where they will meet, how evidence is stored, etc. Typically, an incident response team is made up of management personnel, security personnel, IT personnel, representative business unit personnel, legal representatives and sometimes expert consultants (such as computer forensics specialists).

Once all the policies, personnel and procedures are in place, the next (and most overlooked) part of the plan is regular practice sessions. Just like the fire drills mentioned above, if you don’t actually practice the plan you have put together and learn from the results, it will never work right when you actually need it. In all my time doing this sort of work, I have never seen an incident response practice exercise that didn’t expose flaws in the plan. We recommend picking real-world scenarios when planning your practice exercises and surprising the team with the exercise just as they would be in an actual event.

In the fourth and final installment of this series, we will discuss user education and awareness, another vital component in recognizing and fighting data breaches and system security compromises.

Thanks to John Davis for this post.

Three Security People You Should Be Following on Twitter

There are a lot of security people on Twitter. There are a lot of people on Twitter. That said, finding great people to follow on Twitter is often a difficult task, especially around something as noisy as Information Security.

That said, I wanted to take a quick moment and post three people I think you should be following on Twitter in the Infosec space and might not be.

Here they are, in no particular order:

@sempf – A great person (and a personal friend), his posts rock the mic with content ranging from locksport (lock picking as a sport/hobby), deep coding tips, application security and even parenting advice. It’s fun! 

@abedra – Deep knowledge, deep code advice (ask him about Clojure…we’ll wait…). The inventor of RepSheet and a whole bunch of other cool tools. His day gig is pretty fun and he is widely known for embracing the idea of tampering with attackers and their expectations. Check him out for a unique view. Do remind him to change hats occasionally, he often forgets… 🙂

@NocturnalCM – Hidden deep in the brain of the person behind this account is an incredible wealth of knowledge about cellular infrastructures, mobile code, security, devops and a whole lot more. Don’t let the “Code Monkey” name fool you, there’s a LOT of grey matter behind the keyboard. If nothing else, the occasional humor, comic strips and geek culture references make them a worthwhile follow!

So, there you go. 3 amazing people to follow on Twitter. PS – they also know some stuff about infosec. Of course, you can always follow me (@lbhuston) and our team (@microsolved) on Twitter as well. As always, thanks for reading and get back to keeping the inter-tubes safe for all mankind!

Are You Using STIX?

In the last several weeks, we have been working on a new iteration of our threat intelligence offering for some of our clients. In many of the cases, we expected to hear that folks have embraced the STIX project from MITRE as the basis for sharing such data.

Sadly, however, many customers don’t seem to be aware of the STIX project. As such, can you please take a moment and review it via the link, and then let us know via email, Twitter or comments if you or your chosen security products currently support it?

Thanks for your help and insight! As always, we appreciate the feedback. 

Email: info <at> microsolved [dot] com

Twitter: @microsolved or @lbhuston

Thanks again!

Guest Post: More on BYOD

As the world of computers, mobile devices, and technology in general continues to evolve exponentially, so too must our need and desire to secure our communications, our data, and to that end our privacy. There is hardly a day that goes by anymore that we don’t hear of some major security breach of a large corporation, but this also directly impacts the individual. We have to make a concerted effort to protect our information, particularly on our mobile devices. Our mobile devices are inherently difficult to secure because they send their data over WiFi, which is susceptible to man-in-the-middle attacks. We must pursue the security of our data on our mobile devices passionately. People nowadays carry so much private and, more importantly, valuable information on them that we just absolutely have to protect it, particularly in this age of BYOD (bring your own device) to work. This is an even more difficult realm for the infosecurity folks trying to protect their networks. How does one protect a device on a network from malicious intent? How does one keep viruses, Trojans and worms off of the networks when everyone seems to be plugged in to their devices? This article intends to describe some steps that one can take to protect their mobile device, both locally by encrypting the mobile device itself and also by utilizing apps that help to secure their email and telephone conversations from malevolence.

As noted in the previous article on State of Security released on June 17, 2014, Brent recently discussed 3 tips for BYOD, which were to get these devices off of the production networks, teach people about mobile device security, and finally use what you already have to your advantage when it comes to your own architecture when developing BYOD policies and processes.

There are numerous steps that the IT folks can take to help secure their networks in this age of BYOD, as mentioned in our previous article, but there are also some very simple and useful tips that we can all follow that will help us in protecting our mobile devices too.

Every company should have policies in place regarding the use and misuse of BYOD devices. This must include encryption of the data and remote wiping of the data if the device is lost or stolen (using tools such as Find My iPhone, Android Lost, Mobile Security, and Autowipe), assuming the BYOD device is under the company’s control. If not, then as mentioned in the previous article, getting these devices off of the production network is a must. Every company should at least require authentication, and hopefully two-factor authentication, of the device. This would allow the organization some degree of control when it comes to resetting passwords, locking the device when it’s not in use, logging, etc. If it’s not, then asking employees to adhere to and sign a code of conduct with regard to their device is a must, as well as periodic employee education. A quick Google search will reveal apps that can help with two-factor authentication too, such as RSA Secure Alternative, SMS passcode, and Duosecurity.

The next step is to encrypt the mobile device itself upon ending your session, thereby protecting your information from even the apps that you currently have running on the mobile device itself. All apps go through an approval process where they are tested, validated and checked for security, but there have been times where an app passed through such a process and still contained malicious code that sent back stolen personal information to the attacker. This is a particular issue in the Android market. Companies such as Cryptanium and Arxan offer integrity protection, jailbreak detection, anti-debug detection and reverse engineering protection. So if an attacker does manage to get ahold of your device, it makes it much more tamper resistant.

Apps that offer encrypted communication such as voice, video, text and/or file transfers are also a consideration. Silent Circle, RedPhone and Whisper Systems offer such encrypted communication for a fee. Wickr and Cryptocat do this too, but are free. If you are just interested in encrypted text messages (SMS) then perhaps Babel, Whisper, or Akario is for you.

In today’s mobile device market there are a plethora of apps, many of which do what they describe when it comes to helping to protect our information. Yet as with anything else, if there is a will, there is a way, and this is particularly true for those that mean to steal our information. If they have a desire to acquire your information they will make a concerted effort to try to extract it from your device. It is up to us to make it as difficult as possible for them to ever get it. For now there don’t seem to be a lot of apps that actually encrypt all of your information locally on the mobile device. Or if an app does offer some degree of encryption, then it does so over a potentially vulnerable, networked platform. In short, there is no single magic bullet that will encrypt all of your mobile device’s data and communications for free, but there are some out there that, for a fee, will offer to do so. The other issue that arises is whether, if you use said company, they have access to the information that you were trying to protect in the first place. What’s to keep a rogue employee from accessing your data? All of this can make your head spin. The moral of the story is to make good choices, use your common sense and don’t put anything on a mobile device that you aren’t willing to share with others. Be safe out there.

About Preston:

Preston Kershner is new to the info-security family, where he has a variety of lateral interests in topics such as cybersecurity, information security, incident handling and response, computer forensics and malware analysis. Preston has been in the medical field for over 20 years and is currently transitioning into the infosec community. When not being an information junkie, Preston enjoys spending time with his family. He also enjoys learning everything he can about astrobiology (the search for exoplanets that have a potential to harbor life). You can follow Preston as he continues to expand his knowledge and experience in these realms at http://www.linkedin.com/pub/preston-kershner/3a/493/965/ & follow him on Twitter (@redman7373).

About Brent:

Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. He spends a LOT of time breaking things, including the tools/techniques and actors of crime. When he is not focusing his energies on chaos & entropy, he sets his mind to the order side of the universe where he helps organizations create better security processes, policies and technologies. He is a well-recognized author, surfer, inventor, sailor, trickster, entrepreneur and international speaker. He has spent the last 20+ years dedicated to information security on a global scale. He likes honeypots, obscure vulnerabilities, a touch of code & a wealth of data. He also does a lot of things that start with the letter “s”. You can learn more about his professional background here: http://www.linkedin.com/in/lbhuston & follow him on Twitter (@lbhuston).

Disclaimer:

It should be noted that some of the apps are free, some apps are cloud-based, some are open source and some are at a cost to the consumer. In no way do we endorse the applications in this article. 


Social Engineering Even Exists in the Animal World

OK, so we have all read about birds that social engineer other birds into raising their young, and maybe you’ve even seen the TV special about it. But, this picture brings to mind a lesson in social engineering, thanks to our friends in the animal world. It all comes down to confidence, doesn’t it? 🙂

I am pretty sure that one of these things is not like the other. Would your security team spot the difference? How about your users?

Credit: The first time I saw the pic, it was here, just in case you want to use it for awareness training. — Thanks to @robertjbennett for the pic!

Spend Your First Hour Back the Right Way – Go Malware Hunting!

So, you’ve been out of the office for a quick holiday break or vacation. Now you face a mountain of emails and a whole ton of back-logged tasks. Trust me, put them aside for one hour.

Instead of smashing through emails and working trouble tickets, spend an hour and take a look around your environment – go hunting – target malware, bots and backdoors. At a macro level, not a micro level. Were there an abnormal number of trouble tickets, outbound connections, AV alerts, IDS and log entries while you were gone? What does egress look like during that period? Were there any abnormal net flows, DNS anomalies or network issues that would indicate scans, probes or tampering on a larger scale?

Spend an hour and look for high level issues before you dig into the micro. Read some logs. See what might be getting lost in your return-to-work overwhelm. It is not all that uncommon for attackers to use holidays and vacations as windows of opportunity to do their nasty business.

Don’t fall victim to the expected overwhelm. Instead, use it as a lens to look for items or areas that correlate to deeper concerns. You might just find that hour invested to be the one that makes (or breaks) your career in infosec.
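The macro-level comparison described above, as an added example (not code from the original post): it checks each day of the time away against the days before it, per data source, and ranks the days on which several sources deviate together. The source names, dates, counts and thresholds are constructed assumptions; feed it daily totals exported from your own ticketing, AV, DNS and log systems.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed dates: ten baseline days, then a five-day absence.
BASELINE_START = date(2014, 6, 20)
AWAY_START = date(2014, 6, 30)
AWAY_END = date(2014, 7, 4)


def series(start, values):
    """Map consecutive days from `start` to counts; None means no data that day."""
    return {start + timedelta(days=i): v
            for i, v in enumerate(values) if v is not None}


# Constructed sample: per-day totals, ten baseline days followed by five away days.
SAMPLE = {
    "outbound_connections": series(BASELINE_START, [
        1200, 1180, 1225, 1190, 1210, 1195, 1205, 1215, 1185, 1200,
        1150, 1170, 4800, 5100, 1190]),
    "av_alerts": series(BASELINE_START, [
        2, 1, 3, 2, 2, 1, 2, 3, 2, 2,
        1, 2, 9, 3, 2]),
    "dns_nxdomain": series(BASELINE_START, [
        300, 310, 295, 305, 290, 315, 300, 298, 302, 307,
        280, 295, 2900, 3100, 310]),
    # One away day has no log lines at all: a gap is as interesting as a spike.
    "auth_log_lines": series(BASELINE_START, [
        5000, 5100, 4950, 5050, 4900, 5150, 5000, 4980, 5020, 5070,
        3900, 3800, 3850, None, 3950]),
}


def hunt(daily, away_start, away_end, threshold=3.5, rel_floor=0.10):
    """Flag away-window days whose count deviates strongly from the baseline.

    Uses median and MAD so one odd baseline day does not skew the result.
    The scale has a floor of `rel_floor` * median (and at least 1) so that
    very quiet sources do not alert on a change of one or two events.
    """
    n_days = (away_end - away_start).days + 1
    away_days = [away_start + timedelta(days=i) for i in range(n_days)]
    findings = []
    for source, counts in daily.items():
        baseline = [c for d, c in counts.items() if d < away_start]
        if len(baseline) < 5:
            continue  # too little history to call anything abnormal
        med = median(baseline)
        mad = median(abs(c - med) for c in baseline)
        scale = max(1.4826 * mad, rel_floor * med, 1.0)
        for day in away_days:
            count = counts.get(day, 0)  # a missing day counts as zero events
            score = (count - med) / scale
            if abs(score) >= threshold:
                findings.append({
                    "day": day, "source": source, "count": count,
                    "baseline_median": med, "score": round(score, 1),
                    "direction": "high" if score > 0 else "low",
                })
    return findings


def rank_days(findings):
    """Group findings by day; days with the most deviating sources come first."""
    by_day = defaultdict(list)
    for f in findings:
        by_day[f["day"]].append(f"{f['source']}:{f['direction']}")
    return sorted(by_day.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for day, sources in rank_days(hunt(SAMPLE, AWAY_START, AWAY_END)):
        print(day.isoformat(), ", ".join(sorted(sources)))
```

Days where several unrelated sources move at once are the ones to open first; the ordinary holiday dip in volume stays below the threshold.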

Good luck and happy hunting!

PS – Thanks to Lee C. for the quick edits on 7/4/14.