[Podcast] Infosec, the World & YOU – Episode 1

Victoria Loewengart (@gisobiz) from AKOTA Technologies and myself (@lbhuston) decided we would start a podcast series to discuss correlation between real world actions and cyber-activity of an illicit nature (“attacks”). This is the first episode which discusses why we think this is a worthy topic for exploration, how it might lead to predictive information security posture improvement and how we got here. 

This episode also covers a real time event that occurred while we were recording that may (or may not) relate to attacks experienced in the time between recording sessions. 

We hope to keep working on it, but this is a first rough attempt, so don’t expect CNN podcast polish. This is a chance for you to stay in touch with a new movement that represents a clear line of evolution for the information security problems of today. 

Stay tuned. We hope to record more episodes as the project progresses.

You can download episode 1 as an MP3 by clicking here.

Malware in Many Places

 

GlobalDisplay Orig

Just a quick reminder that malware can come in many forms and from many places. These days, it isn’t just phishing, drive-by downloads and stray email attachments that you have to worry about. USB drives, digital picture frames, wireless devices, watches with USB plugs, exercise equipment with public “charge and data monitoring ports” and whole variety of other things.

Basically, today, if it can plug into your systems or talk to your network and has any kind of processing, memory or storage – it can likely carry malware. That’s certainly something to keep in mind as the “Internet of Things” becomes more and more a part of our daily lives. 

All of the usual defenses still apply, but today we need more than just anti-virus to keep us safe. We have to be using a variety of security controls from throughout the spectrum of prevention, detection and response. Since malware can be everywhere, so too must our vigilance against it. 

PS – Those of you with teens and older parents who use/depend on electronics and computers should discuss malware and safer computing with them. They likely have an entirely different risk profile than you do, and they may not be paying as much attention to the impacts that these attacks can have or where they can come from. They may be doing risky things without even knowing it. Talk to them about malware and help keep them safer in the online world.

Watching the Watchers…

“Who watches the watchers?” is an often overheard question when we assess the information security program of clients. Way too often, the answer is either, “Huh?” or “No one, really.”. That’s a LOT of trust for an organization to place in an individual or small team.

At least in a small team, you hopefully have peers checking each other’s work. You do that right? You either rotate duties, have a peer review process or otherwise make sure that a second set of eyes from the team double checks critical work in a peer review methodology. That’s what mature teams do, and they do it both often and formally. This is a great control and an effective means to build cooperation between team members.

The problem gets harder when your security team (and/or IT team) is one person. Then it absolutely REQUIRES that someone, be it a manager, another department peer, an auditor or even a consultant checks their work periodically. After all, if they manage the servers, the firewall, the network, the intrusion detection and the logging, they essentially have complete control over the data and can do as they please without fear of getting caught. Now, that is not to say that folks in this role aren’t trustworthy. They usually are. The problem is that some are not and to further complicate the matter – it is often quite difficult to tell the difference between the honest and the dishonest humans. So, as we always say, “Trust, but verify…”. Implement an ongoing process for peer review, even if that peer is an auditor or consultant. Have them come in and double check the progress for this quarter. Ask them to spot check reports, logs and configurations. It’s not comprehensive, but it at least sends a message that someone is checking and just having someone checking different items often leads to interesting discoveries, usually not of a malicious nature, but often times something missed in the day to day.

How does your organization use peer review? What works and what hasn’t worked for you? Leave us a comment or drop us a line on Twitter (@lbhuston) and let us know.

Ensuring Security Team Coverage During the Holidays

Just a quick note to remind you that now is a good time to double check the on-call, vacation and coverage schedules for your infosec team members, all of the key members of your incident response team and the critical managers and department liaisons. It’s a good time to review and update your contact lists for these folks and to identify anyone who might be unavailable during the holidays double check that you have a secondary contact.

While we certainly hope that your team doesn’t have to respond to an incident during the holidays, it is not unheard of. So, a few moments of careful attention now, may save you some stress during an already stressful period.

Thanks for reading, have a great holiday season and stay safe out there!

ProtoPredator for Smart Meters Released

Today, MicroSolved, Inc. is proud to announce the availability of their newest software product – ProtoPredator™ for Smart Meters (PP4SM). This tool is designed for smart meter manufacturers, owners and operators to be able to easily perform security and operational testing of the optical interfaces on their devices.

PP4SM is a professional grade testing tool for smart meter devices. Its features include:

  • Easy to use Windows GUI
  • Easy to monitor, manage and demonstrate testing to management teams
  • Packet replay capability empowers testers to easily perform testing, verification and demonstrations
  • Manual packet builder 
  • Packet builder includes a standards compliant automated checksum generator for each packet
  • Automated packet session engine 
  • Full interaction logging
  • Graphical interface display with real time testing results, progress meters and visual estimations
  • Flexibility in the testing environment or meter conditions

The tool can be used for fuzzing smart meter interactions, testing protocol rule enforcement, regression testing, fix verification and even as a mechanism to demonstrate identified issues to management and other stakeholders. 

ProtoPredator for Smart Meters is available commercially through a vetted licensing process. Licenses are available to verified utilitiy companies, asset owners, asset operators and manufacturers of metering devices. For more information about obtaining PP4SM or to learn more about the product, please contact an MSI account representative. 

More information is available via:

Twitter: @lbhuston

Phone: (614) 351-1237 ext 206

Email: info /at/ microsolved /dot/ com (please forgive the spam obfuscation…) 🙂

What Is Your Browser Leaking?

Today in my tweet stream, someone pointed out this site and I wanted to blog about it. The site is called stayinvisible.com and offers a quick view of some of the data that is available to a web site or an attacker who can lure someone to a website. 

The site displays a dump of a variety of common data that you might not be aware of that is leaking from your browser. There are also tips for hardening your browser settings and operating system against some of the methods used to dump the data. 

If nothing else, it might just provide an “ah ha” moment for folks not used to the information security space. Give it a try and let us know what you think of it. 

We have no association with the site, its content or the folks who run it. We just thought it was interesting. Your paranoia may vary. 🙂

CMHSecLunch Announcement

We wanted to take a moment and send out a special announcement to our Columbus, Ohio area readers. Brent Huston is pulling together a monthly casual event for IT and InfoSec focused folks in our area. He posted this a few days ago to Twitter (@lbhuston):

#CMHSecLunch 1st attempt – Monday, Nov 12, 11:30 -1pm at Tuttle Mall food court. Informal lunch gathering of infosec geeks. Be There!

We invite all of our local readers to attend. Just have a casual lunch with infosec friends and great conversations. No sign up, no membership fees, no hassle, no fuss. If you can make it, cool, if not, also cool. So, if you have time, drop in and break bread. We hope to see you there.

Let us know on Twitter or in the comments if you have feedback. 

Ask The Experts: Online Banking

This time we asked the experts one of the most common questions we get when we are out speaking at consumer events:

Q: Hey Security Experts, do you do your banking online? If so, what do you do to make it safe for your family? If not, why not?

John Davis explained:

I’ve been banking online for many years now and have always loved the convenience and ability it gives you to monitor your accounts anywhere and any time. There are a few simple things I do to keep myself secure. I do all the usual stuff like keeping a well configured fire wall and anti-virus software package always running. I also ensure that my wireless network is as secure as possible. I make sure the signal is tuned so as to not leak much from the house, I use a long and strong password and ensure I’m using the strongest encryption protocol available. I also monitor my accounts often and take advantage of my banks free identity theft service. One final tip; instead of using your actual name as your login, why not use something different that is hard to guess and doesn’t reveal anything about your identity? It always pays to make it as tough on the cyber-criminals as possible!

Phil Grimes chimed in with:

I do almost all my banking online. This, however, can be a scary task to undertake and should always be done with caution on the forefront! In order to bank safely on line, the first thing I do is to have one machine that was built in my house for strictly that purpose. My wife doesn’t play facebook games on it. My kids don’t even touch it or know it exists. This machine comes online only to get updated and to handle the “sensitive” family business functions like bill payment or banking.  The next thing I’ve done to protect this surface was to use a strong password. I used a password generator and created a super long password with every combination of alpha, numeric, and special characters included to reduce the risk of a successful brute force attack. This password is set to expire every 30 days and I change it religiously! Then finally, using Firefox, I install the NoScript plugin to help defend against client side attacks.

Adam Hostetler added:

Yes, I do my banking online. I also pay all of my bills online and shop online. I think the biggest thing that you can do for safety is just to be aware of things like phishing emails, and other methods that fraudsters use to try to compromise your credentials. I also always use dual factor authentication when possible, or out of band authentication, most banks and credit unions support one of these methods these days. Checking all of my accounts for suspicious activity is also a regular occurrence. 

There are also the malware threats. These are mostly mitigated by having up to date software (all software, not just the OS), up to date anti-virus software, and treating social networking sites like a dark alley. Be wary of clicking on any links on social networks, especially ones that are apps that claim they will do something fun for you. Social networks are probably the largest growing vector of malware currently, and a lot of times people install it willingly!

If you’re really paranoid, just have a dedicated PC or virtual machine for online banking.

Got a question for the Experts? Send it to us in the comments, or drop us a line on Twitter (@microsolved or @lbhuston). Thanks for reading! 

Hooray! An Open-Source Password Analyzer Tool!

 

 

 

 

 

 

 

I’m one of the resident “Password Hawks” in our office. Our techs consistently tell people to create stronger passwords because it is still one of the most common ways a hacker is able to infiltrate a network.

However, we live in an age where it’s not just hackers who are trying to steal an organization’s data. There are also a variety of malcontents who simply want to hack into someone’s account in order to embarrass them, confirm something negative about them, or be a nuisance by sending spam.

This is why it is important to create a strong password; one that will not be easily cracked.

Enter password analyzer tools. Sophos’ “Naked Security” blog posted a great article today about the often misleading security policies of popular online social sites. Developer Cameron Morris discovered that if he followed one social site’s policy, he actually created a more easily “crackable” password than the one they deemed weak.

About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet’s John Fontana: The time it takes to crack a password is the only true measure of its worth.

Read the rest of the article here.

There is a free analyzer you can use and I strongly suggest you test the strength of your passwords with it.

Passfault Analyzer

Also, Morris created a tool for administrators that would allow them to configure a password policy based on the time to crack, the possible technology that an attacker might be using (from an everyday computer on up to a $180,000 password attacker), and the password protection technology in use (from Microsoft Windows System security on up to 100,000 rounds of the cryptographic hash function SHA-1/).

OWASP Password Creation Slide-Tool

This is one of the best articles I’ve read on password security, plus it has tools for both the end-user and the administrator. Test them out yourself to see if you have a password that can resist a hacker! 

As for me, I think I need to do a little more strengthening…

Have a great Memorial Day weekend (for our U.S. readers) and stay safe out there!

Audio Blog Post: Moving Toward Detection in Depth

Brent Huston, CEO and Security Evangelist for MicroSolved, Inc., explains how organizations need to move from a focus on prevention to detection.

Joined by MSI’s Account Executive Chris Lay and Marketing Communication Specialist Mary Rose Maguire, Brent maps out how an organization can get detective controls closer to the data and shows that IT departments can have a “payoff” if they pursue nuanced detection.

Click here to listen to the audio post!