Security Alert: RSA Breach and 7 Ways to Secure Your Tokens

Since the compromise of the RSA environment several months ago, much attention has been paid to the potential impact of the attack on RSA customers.

Given the popularity of the RSA products and the sensitivity of the processes that they protect, the situation should be taken very seriously by RSA token users.

Last night, RSA made a public announcement that their breach and information stolen in that breach has now been used in attacks against RSA customers. The primary focus, as far as is known, has been the defense sector, but it is very likely that additional threat-focus has been placed on other critically sensitive verticals such as financial and critical infrastructure.

There are a number of things that RSA customers should do, in the advice of MicroSolved, Inc. Below is a short list of identified strategies and tactics:

  1. Identify all surfaces exposed that include RSA components. Ensure your security team has a complete map of where and how the RSA authentication systems are in use in your organization.
  2. Establish a plan for how you will replace your tokens and how you will evaluate and handle the risks of exposure while you perform replacement.
  3. Increase your vigilance and monitoring of RSA exposed surfaces. This should include additional log, event and intrusion monitoring around the exposed surfaces. You might also consider the deployment of honeypots or other drop-in measures to detect illicit activity against or via compromised systems available with the RSA exposed surfaces.
  4. Develop an incident response plan to handle any incidents that arise around this issue.
  5. Increase the PIN length of your deployments as suggested by RSA, where appropriate, based on identified risk and threat metrics.
  6. Teach your IT team and users about the threats and the issue. Prepare your team to handle questions from users, customers and other folks as this issue gains media attention and grows in visibility. Prepare your technical management team to answer questions from executives and Board-level staff around this issue.
  7. Get in contact with RSA, either via your account executive or via the following phone number for EMC (RSA’s parent company): 1-800-782-4362

In the meantime, if MSI can assist you with any of these steps or work with you to review your plan, please let us know. Our engineers are aware of the issues and the processes customers are using to manage this problem in a variety of verticals. We can help you with planning or additional detection and monitoring techniques should you desire.

We wish our clients the highest amount of safety and security as we, as an industry, work through this challenge. We wish RSA the best of luck and the highest success in their remediation and mitigation efforts. As always, we hope for the best outcome for everyone involved.

Thanks for your time and attention to this issue. It is much appreciated, as is your relationship with MicroSolved, Inc.

MSI HoneyPoint Featured on Virtualization Security Podcast

Brent Huston, CEO and Security Evangelist of MicroSolved, Inc., was recently a guest for the popular podcast, “Virtualization Security Podcast.”

Brent talked about HoneyPoint Wasp and discussed with other panelists how honeypot technology can help an organization detect real attacks and also the legal ramifications of stealth monitoring.

The Virtualization Practice also featured HoneyPoint in their recent post, “New Virtualization Security Products Available.”

The podcast panelists include;

  • Edward L. Haletky, Author of VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment and virtualization security analyst, as Moderator.
  • Michael Berman, CTO of Catbird Security
  • Iben Rodriguez, Independent Virtualization and Security Consultant and Maintainer of the ESX Hardening Guidance from CISecurity

Click on the player below to listen. To listen on iTunes or download the MP3, go here. Enjoy!

An Explanation of Our HoneyPoint Internet Threat Monitoring Environment #HITME #security

One of the least understood parts of MicroSolved is how the HoneyPoint Internet Threat Monitoring Environment (#HITME) data is used to better protect our customers. The engineers have asked me to drop this line into the newsletter and give you a “bees knees” perspective of how it works! First, if you don’t know about the #HITME, it is a set of deployed HoneyPoints that gather real world, real time attacker data from around the Internet. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. You can even follow the real time updates of attacker IPs and target ports on Twitter by following @honeypoint or the #HITME hash tag. MSI licenses that data under Creative Commons, non-commercial for FREE as a public service to the security community.

That said, how does the #HITME help MSI better protect their customers? Well, first, it allows folks to use the #HITME feed of known attacker IPs in a blacklist to block known scanners at their borders. This prevents the scanning tools and malware probes from ever reaching you to start with. Next, the data from the #HITME is analyzed daily and the newest, bleeding edge attack signatures get added to the MSI assessment platform. That means that customers with ongoing assessments and vulnerability management services from MSI get continually tested against the most current forms of attack being used on the Internet. The #HITME data also gets updated into the MSI pen-testing and risk assessment methodologies, focusing our testing on real world attack patterns much more than vendors who rely on typical scanning tools and back-dated threats from their last “yearly bootcamp”.

The #HITME data even flows back to the software vendors through a variety of means. MSI shares new attacks and possible vulnerabilities with the vendors, plus, open source projects targeted by attackers. Often MSI teaches those developers about the vulnerability, the possibilities for mitigation, and how to perform secure coding techniques like proper input validation. The data from the #HITME is used to provide the attack metrics and pattern information that MSI presents in its public speaking, “State of the Threat,” the blog, and other educational efforts. Lastly, but certainly not least, MSI provides an ongoing alerting function for organizations whose machines are compromised. MSI contacts critical infrastructure organizations whose machines turn up in the #HITME data and works with them to mitigate the compromise and manage the threat. These data-centric services are provided, pro-bono, in 99% of all of the cases!

If your organization would be interested in donating an Internet facing system to the #HITME project to further these goals, please contact your account executive. Our hope is that the next time you hear about the #HITME, you’ll get a smile on your face knowing that the members of my hive are working hard day and night to protect MSI customers and the world at large. You can count on us, we’ve got your back! 

On Black Tuesday, RDP Shines

Microsoft patched two privately reported vulnerabilities for RDP today. Yes, RDP. No, not the server, the client. One of the most widely used tools by Windows system administrators is vulnerable to remote code execution. Not good. There is good here though, in order to exploit this vulnerability the user of an RDP client must be tricked or social engineered to connect to a malicious RDP server or a specially crafted website. Also, Microsoft is not aware of an exploit for this vulnerability at the time of this writing. It shouldn’t be long though, as we all know the more popular the software, the more likely there will be an exploit for an existing vulnerability.

Users currently employing automatic updates should see this issue resolved during their next update. For those of us who cannot have automatic updates enabled, we’d recommend getting this patch in during the next maintenance window.

MSI Announces May Virtual Event – Corporate Counterintelligence

Corporate Counter Intelligence: Ancient Strategy,Bleeding-Edge Protection


The message is very clear. What we have been doing to secure information has not been working. Attackers are on the rise, the number of successful compromises is higher than before and all of the legislation and regulations just make things more complicated. Attackers continue to grow in number capability and sophistication.

The principles of corporate counterintelligence are rooted in the history of warfare. This presentation will explain how organizations can improve, simplify and increase the effectiveness of their information security programs. Using ancient principles and techniques based on the art of counter intelligence information security teams can become more strategic, focused their resources where they will achieve the highest return and reduce the risk that their organizations face.

MSI security visionary, Brent Huston, will explain how these techniques can be applied to your business and introduce specific strageties and tactics that you can deploy today. Explanations of how these evolutions in security thought can truly translate into faster, safer and more powerful protection for your organization will be revealed.

For more information, access to the visual and audio content for the presentation, simply email

The virtual event will be conducted Tuesday, May 20, 2008 at 4pm Eastern.

Hardware Security Testing Presentation & MP3 Available

The pdf of the slides and the audio from yesterday’s presentation on Hardware Security Testing is now available.

You can get the files from this page on the main MicroSolved site.

Thanks to the many who attended and who sent me the great feedback this morning. I am really glad everyone liked the content so much!

Check out the next virtual event scheduled for March 25th at 4 PM Eastern. The topic will be 3 Application Security “Must-Do’s”.

Here is the abstract:

This presentation will cover three specific examples of application security best practices. Developers, security team members and technical management will discover how these three key processes will help them mitigate, manage and eliminate risks at the application layer. The presenter will cover the importance of application security, detail the three key components to success and provide strategic insight into how organizations can maximize their application security while minimizing the resources required.

We look forward to your attendance. Email to sign up!

Storm Worm Goes Active Again and Odd Port 56893/TCP Probes

Two fairly interesting items tonight:

1) SANS is getting reports that the Storm worm is active again. This time sending messages attempting to draw victims to the “merry” <take out the space> domain. As of 10:30 PM Eastern tonight, the domain is being flooded with traffic, but appears to be functional. SANS is suggesting applying domain blocks to the domain, and it would probably be good to add mail and other content filtering rules as well, if you are still using the blacklist approach. Here is the whois for the domain:

Creation Date: 2007.11.27
Updated Date: 2007.12.17
Expiration Date: 2008.11.27
Registrant ID: P4DHBN0-RU
Registrant Name: John A Cortas
Registrant Organization: John A Cortas
Registrant Street1: Green st 322, fl.10
Registrant City: Toronto
Registrant Postal Code: 12345
Registrant Country: CA
Administrative, Technical Contact
Contact ID: P4DHBN0-RU
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail:
Registrar: ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.24 06:17:35 MSK/MSD

2) Also, on a secondary note, we are getting a rapid increase in probes to TCP 56893. This port has been a known port for an SSH trojan and botnet deployment in the past. This may be related to the Storm worm activity or may be another bot group gearing up for activity.

It looks like the holiday is likely to bring a high level of increase in bot activity and as always, attackers will be looking for new machines received as gifts that will suddenly appear online and may be missing a patch or two. Make sure you give some advice to new techies and computer owners this holiday – patch early, patch often and make sure you build layers of defense against today’s emerging threats!

Ohio Voting Systems Review (EVEREST)

MicroSolved, Inc. announced today that it has completed its assessment of the security of Ohio’s electronic voting systems. The testing, a part of project EVEREST, was lead by the Ohio Secretary of State’s office and was designed to seek a comprehensive, independent and objective assessment of the risks to elections integrity associated with Ohio’s voting systems. The project leveraged MicroSolved’s advanced methodologies and in-depth experience to perform “red team” penetration testing of the voting systems. MicroSolved emulated various attacks against the voting systems and analyzed the impact of these attacks on the confidentiality, integrity and availability of the voting systems and their elections data.

While the study revealed several critical security issues in the various elections systems, MicroSolved also identified specific strategies for mitigating or managing these risks. “By applying the identified mitigation strategies, all of the administrative stakeholders in the elections process have an opportunity to demonstrate their commitment to the integrity of Ohio’s elections.”, said Brent Huston, CEO of MicroSolved. “While these strategies require hard work, significant investment in resources and continued vigilance, they represent the best approach to creating truly secure mechanisms for electronic voting in Ohio.”

“We appreciate the opportunity to participate in the EVEREST project and to help the Secretary of State further her goal of restoring trust in Ohio’s elections.”, Huston added.

For information about the specifics of the project, MicroSolved’s role and findings, please see