Review of Puppy Linux 5.0

Posted on July 6, 2010 by Brent Huston

Lucid Puppy Linux 5.0 was released back in May of 2010, but as one of my favorite distros, I have been playing with it heavily since then. I have been so impressed with the new version that I wanted to take a moment and write a quick review of this release.

You can find the official release page here, along with download information.

First, let me say that I have really come to love Puppy Linux over the last several years. I use it as a LiveCD/USB platform for secure on the go browsing, a Linux OS for old hardware that I donate to a variety of folks and causes, and as a platform for using HoneyPoint as a scattersensor. I like the ease of use, wide range of hardware support, and small footprint. All of these make this a very workable Linux distro.

This version especially seems to be stable, fast, and capable. I have taken to running it from a bootable USB drive and the performance has been very nice. Being able to drop these onto untrusted systems and use them as a browser, VPN client, and productivity tool has been handy. Using HoneyPoint Personal Edition, the nmap plugins and some other Puppy installs of security tools gives me a great platform for working incidents, gaining visibility and catching rogue scans, probes and malware that are in circulation when I pull in to help a client. Over and over again, the distro has proven itself to be a very powerful tool for me.

I suggest you take a look at the distro, LiveCD or USB and see how it can help you. I think you’ll find it fun, easy to use, and quite addicting. The pictures of the puppies don’t hurt either. 🙂

Check it out!

Fighting Second Stage Compromises

Posted on July 1, 2010 by Brent Huston

Right now, most organizations are fighting a losing battle against initial stage compromises. Malware, bots and client side attacks are eating many security programs alive. The security team is having a nearly impossible time keeping up with the onslaught and end-user systems are falling left and right in many organizations. Worse, security teams that are focused on traditional perimeter security postures and the idea of “keeping the bad guys outside the walls” are likely unaware that these threats are already active inside their networks.

There are a number of ways that second stage compromises occur. Usually, a compromised mobile device or system comes into the environment via remote access, VPN or by being hand carried in by an employee or consultant. These systems, along with systems that have been exploited by client-side vulnerabilities in the day to day network represent the initial stage compromise. The machines are already under attacker control and the data on these machines should already be considered as compromised.

However, attackers are not content with these machines and their data load. In most cases, they want to use the initial stage victims to compromise additional workstations and servers in whatever environment or environments they can ride those systems into. This threat is the “second stage compromise”. The attackers use the initial stage victims as “pivot points” or bots to attack other systems and networks that are visible from their initial victim.

Commonly, the attacker will install bot-net software capable of scanning other systems and exploiting a few key vulnerabilities and bad passwords. These flaws are all too common and are likely to get the attacker quite a bit of success. The attacker then commands the bot victim to scan on new connections or at designated times, thus spreading the attacker’s presence and leading to deeper and deeper compromise of systems and data.

This pattern can be combated in a number of ways. Obviously, organizations can fight the initial stage compromise. Headway has been made in many organizations, but the majority are still falling quite short when it comes to protecting against a growing diverse set of attack vectors that the bot herders and cyber-criminals use. Every day, the attackers get more and more sophisticated in their campaigns, targeting and approach. That said, what can we do if we can’t prevent such attacks? Perhaps, if we can’t prevent them easily, we can strengthen our defenses in other ways. Here are a couple if ideas:

One approach is to begin to embrace enclave computing. This is network and system trust segregation at the core. It is an approach whereby organizations build their trust models carefully, allowing for initial stage compromises and being focused on minimizing the damage that an attacker can do with a compromised workstation. While you can’t prevent compromise, the goal is to create enough defensive posture to give your team time to detect, isolate and respond to the attack. You can read more about this approach in our 80/20 rule of Information Security.

A second idea is to use HoneyPoint decoy hosts on network segments where exposures and initial stage compromise risks are high. These decoy hosts should be dropped where they can be easily scanned and probed by infected hosts. VPN segments, user segments, DMZs and other high exposure areas are likely candidates for the decoy placement. The idea is that the systems are designed to receive the scans. They offer up services that are fake and implemented just for this purpose. The decoy systems have no other use and purpose than to detect scans and probes, making any interaction with them suspicious or malicious. Decoy services, called HoneyPoints, can also be implemented on the servers and other systems present in these network segments. Each deployed HoneyPoint Agent ups the odds of catching bots and other tools deployed by the attacker in the initial stage compromise.

Both of these strategies can be combined and leveraged for even more defense in depth against initial stage compromises. If you would like to learn more about how these tools and techniques can help, drop us a line or give us a call. We would be happy to discuss them with you.

In the meantime, take a look at how your team is prepared to fight initial stage compromises. What you find may be interesting, especially if your team’s security focus has been on the firewall and other perimeter controls.

HoneyPoint Decoy Host Pays Off

Posted on June 29, 2010 by Brent Huston

Just talked to a client who had dropped a HoneyPoint decoy host in their VPN termination segment a couple of weeks ago. Yesterday, it paid off.

They caught a machine that had passed the anti-virus and patching requirements of the NAC for the VPN. The machine was AV scanned clean. But, immediately upon connection the machine began to port probe hosts around it. This triggered the decoy machine’s HoneyPoints, causing the security team to investigate. The machine was brought in and examined. Closer inspection found it infected with a bot tool that escaped AV detection, but was capable of scanning for bad passwords and a couple of common vulns on surrounding machines. The machine is currently being imaged and rebuilt.

This is an excellent example of how HoneyPoint can help catch bots and malware, even when other controls fail. Defense is depth pays off and the leverage that HoneyPoint provides is often quite powerful, as in this case.

Have you thought about using decoy hosts? If so, how?

HoneyPoint Security Server Console 3.00 Released

Posted on August 18, 2009 by Brent Huston

This is an informal notice to the readers of the blog and the Twitter feed that we have made the 3.00 console release available on the FTP site. You can get the latest version using the credentials shipped with your original purchase.

Installation and upgrade is through the normal processes. Please let us know if you have any questions. A formal announcement and press release will be forthcoming tomorrow, but we wanted to give our readers a chance to grab the code before the onslaught begins. 🙂

Thanks to everyone who participated in the 3.00 testing and we are very happy to make this available. The next release will likely be the 3.00 version of the newly consolidated HoneyPoint Agent and Configuration Utility. More on that in the near future!

HoneyPoint Appliance and Virtual Appliance Growing

Posted on July 28, 2009 by Brent Huston

I was so pleased with the news from my team yesterday that we are just about ready for the formal release of the HoneyPoint physical appliance. We are putting the final polish on the devices and they will be ready for release by the end of next week.

The virtual appliance is now going into its 2.0 architecture. The appliance has been rebuilt from scratch, hardened and reconfigured. It is also ready for shipment.

Special thanks to Adam for his work on completing these “decoy hosts” for folks that don’t want to put HoneyPoints on their production servers. His work is pushing HoneyPoint to the next stage of evolution and is much appreciated!

You can get both the virtual appliance and the physical appliance as a part of HoneyPoint Security Server and through the Managed HoneyPoint service as well. Drop us a line or give us a call to learn more about either of these programs!

HoneyPoint Cracks with a Hidden Cost

Posted on July 10, 2009 by Brent Huston

OK, so we have been aware of a couple of cracked versions of HoneyPoint Personal Edition for a while now. The older version was cracked just before the 2.00 release and made its way around the torrent sites. We did not pay much attention to it, since we believe that most people are honest and deserve to be trusted. We also feel like people who value our work will pay the small cost for the software and those that just want to play with it and are willing to risk the issues of the “warez” scene would not likely buy it anyway….

However, today, someone sent me a link to a site that was offering a crack for HoneyPoint Personal Edition. The site was not one I had seen before, so I went to explore it. I fired up a virtual lab throw away machine and grabbed a copy of the crack application.

As one might expect, the result was a nice piece of malware. Just for grins, I uploaded it to Virus Total and here is the result:

http://hurl.ws/432e

Now, two things are interesting here. First, the crack is not even real and does not work. Second, once again, the performance of significant anti-virus tools are just beyond poor. 6 out of 41 products detected the malware in this file. That’s an unbelievably low 14.6% detection rate!

The bottom line on this one is that if you choose to dabble in the pirate world, it goes without saying that, sometimes you will get more than you bargained for. In this case, trying to get HoneyPoint Personal Edition for free would likely get you 0wned! Ahh, the hidden costs of things…..

If you are interested in a legitimate version of HPPE, check it out here.

In the meantime, true believers, take a deep breath the next time your management team says something along the lines of “…but, we have anti-virus, right…” and then start to educate them about how AV is just one control in defense in depth, and not a very significant one at that…

HoneyPoint Managed Service Now Available

Posted on June 19, 2009 by Brent Huston

The initial private launch is complete, and the public launch has begun. HoneyPoint Security Server is now available as a managed service!

HoneyPoints can be deployed as software on your internal existing servers and workstations or on our VMWare virtual appliance. We manage the console and deliver real time email alerts, support and advice on security incidents. Incident response consulting and handling help is also available at a reduced hourly rate to HP Managed Service clients.

In addition to leveraging the power of HoneyPoints and HornetPoints, you also get easy, automated monthly reporting to make your life as an IT administrator or security team member easier.

As a special introductory price for readers of the blog, our newsletter and friends of the firm, you can sign up now for HoneyPoint Managed Services for as low as $99.00 (US) per month. Plus, for being a supporter of MicroSolved and our efforts, we will waive the setup fee ($195.00 normally) if you join the program before the end of July, 2009!

Interested in putting the power of the HoneyPoint Hive to work for your organization? Give us a call (614-351-1237 x206) or drop us a line (info@microsolved.com) and learn more about how to get more security with the least amount of effort. We’ll be happy to share our success stories with you. We look forward to working with your team!

New Web Scanner Patterns

Posted on June 11, 2009 by Brent Huston

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is assuming the spread and slow increase as usual with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like. (FREE) I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Super Secret Squirrel Pics of the New HoneyPoint Appliance

Posted on June 3, 2009 by Brent Huston

Here is a super secret picture of the soon to be released HoneyPoint appliance. The worker bees are hovering all around the hive and making last minute adjustments to the initial release.

I managed to snap this quick pic with my camera before they began to sting me. I hope you enjoy the preview.

The HoneyPoint appliance will likely be available late summer. Stay tuned for more info the details settle.

Tiny isn’t it?!!!

Picture with a Bee Contest – Win FREE HoneyPoint!

Posted on April 14, 2009 by Brent Huston

That’s right! Send us your picture taken in a “security-related pose” with a stuffed, bee costume or bee-related item and we will pick the winner of a FREE license for HoneyPoint Security Server!

Just like in life, style counts, so get your ideas together and send us those pictures! Our judges will pick the winner on April 30th, so get your pics in before then. Imagination, security details and fun will be the key to your success. Three runners up will receive FREE licenses for HoneyPoint Personal Edition!

You can send your pictures via email to: hppics@microsolved.com

Remember, we reserve the right to publish all submissions, so make sure you are OK with that before you submit. 🙂 Contest closes and winners picked at noon on April 30th, 2009. Enter as often as you wish, odds of winning depends on number of people entering. Have fun!

MSI :: State of Security

Insight from the Information Security Experts

Tag Archives: HoneyPoint