Check out this blast from the past article about performing network discovery and mapping.
Sometimes things fail in interesting ways. Sometimes they fail in dangerous ways. Occasionally, things fail in ways that you simply can’t predict and that are astounding.
In a recent assessment of a consumer device in our lab, we found the usual host of vulnerabilities that we have come to expect in Internet of Things (IoT) devices. But, while testing this particular device, which is also tied to a cloud offering for backup and centralization of data, I never would have predicted that a local device would have a full bi-directional trust with a virtual instance in the cloud.
Popping the local device was easy. It had an easy to compromise “hidden” TCP port for telnet. It took my brute force tool only moments to find a default login and password credential set. That’s pretty usual with IoT devices.
But, once I started poking around inside the device, it quickly became apparent that the device configuration was such that it tried to stay continually connected to a VM instance in the “cloud storage and synchronization” environment associated with the device and vendor. How strong was the trust? The local device had mount points on the remote machine and both systems had full trust to each other via a telnet connection. From the local machine, simply telnet to the remote machine on the right port, and without credential check, you have a shell inside the cloud. Not good…
But, as clear of a failure as the scenario above was, the rabbit hole went deeper. From the cloud VM, you could see thousands of other VMs in the hosted cloud environment. Connect from the VM to another, and you need the default credentials again, but, no sweat, they work and work and work…
So, from brute force compromise of a local piece of consumer hardware to a compromise of thousands of cloud instance VMs in less than 30 minutes. Ugh…
Oh yeah, remember that storage centralization thing? Yep, default credentials will easily let you look through the centralized files on all those cloud VMs. Double ugh…
Remember, I said bi-directional? Yes, indeed, a connection from a VM to an end-point IoT device also works with assumed trust, and you get a shell on a device with local network visibility. Now is the time you kinda get sick to your stomach…
These kinds of scenarios are becoming more common as new IoT devices get introduced into our lives. Yes, the manufacturer has been advised, but, closing the holes will take a complete redesign of the product. The moral of this story is to pay careful attention to IoT devices. Ask questions. Audit. Assess. Test. There are a lot of bad security decisions being made out there in the IoT marketplace, especially around consumer products. Buyer beware!
Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.
It is true that most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. But there are many other reasons for testing the security of your internal networks besides the internal threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you have.
The type of testing that gives you the most bang for the buck is internal vulnerability assessment. Doing this type of testing regularly has many benefits. One benefit that people usually don’t associate with internal vulnerability assessment is that it can be used to make maps and inventories of the network. These are essentials of information security. After all, if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is that it allows you to view your internal network with perspective. In other words, it lets you see it the way an attacker would. It will reveal:
- Access control issues such as default and blank passwords mistakenly left on the network during administration, open file shares or anonymous FTP sites that may contain private data, or user accounts that are suspicious or inappropriate.
- Systems that are missing security patches or that are running out of date software or operating systems that are no longer supported by the vendors.
- Systems that have been misconfigured or that reveal too much information to unauthorized users.
- Ports that are inappropriately left open or dangerous services such as Telnet or Terminal Services present on the network.
- Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
- How well third party systems present on your network are patched, updated and secured.
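As an added example (not MSI's tooling or code from the original article), the sketch below turns scan output into the inventory, map and findings described above. It assumes Nmap grepable (`-oG`) output with service names; the sample scan, the hosts in it and the `APPROVED` baseline are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output; all hosts are invented.
SAMPLE_SCAN = (
    "Host: 10.10.1.5 (fileserver)\tStatus: Up\n"
    "Host: 10.10.1.5 (fileserver)\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\n"
    "Host: 10.10.1.20 (camera-01)\tPorts: 23/closed/tcp//telnet///, "
    "80/open/tcp//http///, 2323/open/tcp//telnet///\tIgnored State: filtered (997)\n"
    "Host: 10.10.2.7 ()\tPorts: 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\n"
)

# Keyed by service name, so Telnet on a non-standard port is still caught.
RISKY_SERVICES = {"telnet": "Telnet", "ms-wbt-server": "Terminal Services"}

# Hypothetical baseline of approved listening ports per host (an assumption).
APPROVED = {"10.10.1.5": {22, 445}, "10.10.1.20": {80}, "10.10.2.7": {443}}

def parse_inventory(text):
    """Return {ip: {"name": str, "open": {port: service}}} for open TCP ports."""
    inventory = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \((.*?)\)\t.*?Ports: ([^\t]*)", line)
        if not m:
            continue  # status lines and comments carry no port data
        ip, name, ports = m.groups()
        host = inventory.setdefault(ip, {"name": name, "open": {}})
        for entry in ports.split(","):
            f = entry.strip().split("/")
            if len(f) >= 5 and f[0].isdigit() and f[1:3] == ["open", "tcp"]:
                host["open"][int(f[0])] = f[4] or "unknown"
    return inventory

def subnet_map(inventory, prefix=24):
    """Group inventoried hosts by network, a crude map of where things live."""
    nets = defaultdict(list)
    for ip in inventory:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in nets.items()}

def findings(inventory, approved):
    """List (ip, port, reason) for risky services and unapproved open ports."""
    out = []
    for ip in sorted(inventory, key=ipaddress.ip_address):
        for port, service in sorted(inventory[ip]["open"].items()):
            if service in RISKY_SERVICES:
                out.append((ip, port, f"{RISKY_SERVICES[service]} exposed"))
            elif port not in approved.get(ip, set()):
                out.append((ip, port, "open port not in approved baseline"))
    return out
```

Calling `findings(parse_inventory(SAMPLE_SCAN), APPROVED)` on the constructed sample reports the unapproved FTP listener, the Telnet service on port 2323 and the exposed Terminal Services host.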
Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.
In addition to vulnerability testing, it is also more than just desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your security exposure). Internal penetration testing can:
- Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
- Show you if the custom software applications you are using are safe from compromise.
- Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you choose only the most effective security controls).
One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as phishing emails or bogus phone calls are being used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?
Thanks to John Davis for this post.
MSI has built a reputation that spans decades in and around testing hardware and software for information security. Our methodology, experience and capability provide unique value to our customers. World-class assessments from the chip and circuit levels all the way through protocol analysis, software design, configuration and implementation are what we bring to the table.
Some of the many types of systems that we have tested:
- consumer electronics
- home automation systems
- voice over IP devices
- home banking solutions
- wire transfer infrastructures
- mobile devices
- mobile applications
- enterprise networking devices (routers, switches, servers, gateways, firewalls, etc.)
- entire operating systems
- ICS and SCADA devices, networks and implementations
- smart grid technologies
- gaming and lottery systems
- identification management tools
- security products
- voting systems
- industrial automation components
- intelligence systems
- weapon systems
- safety and alerting tools
- and much much more…
To find out more about our testing processes, lab infrastructure or methodologies, talk to your account executive today. They can schedule a no charge, no commitment, no pressure call with the testing engineer and a project manager to discuss how your organization might be able to benefit from our experience.
At A Glance Call Outs:
- Deep security testing of hardware, software & web applications
- 20+ year history of testing excellence
- Committed to responsible vulnerability handling
- Commercial & proprietary testing tools
- Available for single test engagements
- Can integrate fully into product lifecycle
- Experience testing some of the most sensitive systems on the planet
- Powerful proprietary tools:
- many more solution specific tools
- Circuit & chip level testing
- Proprietary protocol evaluation experience
- Customized honeypot threat intelligence
- Methodology-based testing for repeatable & defendable results
Other Relevant Content:
Project EVEREST Voting Systems Testing http://stateofsecurity.com/?p=184
Lab Services Blog Post http://stateofsecurity.com/?p=2794
Lab Services Audio Post http://stateofsecurity.com/?p=2565
MicroSolved has been offering Persistent Penetration Testing (PPT) to select clients now for a couple of years. We have been testing and refining our processes to make sure we had a scalable, value driven, process to offer our full client base. We have decided to open the PPT program up to another round of clients, effective immediately. We will be open to adding three additional clients to the PPT group. In order to qualify, your organization must have an appetite for these services and meet the criteria below:
- MSI will actively emulate a focused team of attackers for either a 6 or 12 month period, depending on complexity, pricing and goals
- During that time, MSI will actively and passively target your organization seeking to reach a desired and negotiated set of goals (usually fraud or theft of IP related data, deeper than traditional pen testing)
- Full spectrum attacks will be expressed against your organization’s defenses in red team mode, across the time window
- Once an initial compromise occurs and the appropriate data has been identified and targeted, we will switch to table top exercises with the appropriate team members to discuss exploitation and exfiltration, prior to action
- If, and only if, your organization approves and desires, then exploitation and exfiltration will occur (note that this can be pivoted from real world systems to test/QA environments at this point)
- Reporting and socialization of the findings occurs, along with mitigation strategies, awareness training and executive level briefings
- The process then repeats, as desired, through the terms and sets of goals
The criteria for qualification: your organization must:
- Have full executive support for the initiative, all the way to the C-level and/or Board of Directors
- Have a mature detection and egress process in place (otherwise, the test will simply identify the needs for these components)
- Have the will to emulate real world threat activity without applying compliance-based thinking and other unnatural restraints to the process
- Have a capable security team for MSI to work with that has the capability to interface with the targeted lines of business in a rapid, rational and safe manner
- If desired, have the capability to construct testing/QA platforms and networks to model real world deployments in a rapid and accurate fashion (requires rapid VM capability)
- Be open to engaging in an exercise with an emulated aggressive adversary to establish real world risk and threat profiles
- Be located in the US (sorry, we are not currently accepting non-US organizations for this service at this point)
If your organization meets these requirements and you are interested in discussing PPT services, please drop me a line (Twitter: @lbhuston), or via email at Info at microsolved dot com. You can also reach me via phone at (614) 351-1237 x 201.
You have heard us talk about surface mapping applications during an assessment before. You have likely even seen some of our talks about surface mapping networks as a part of the 80/20 Rule of InfoSec. But, we wanted to discuss how that same technique extends into the physical world as well.
In the last few months, we have done a couple of engagements where the customer really wanted a clear and concise way to discuss physical security issues, possible controls and communicate that information to upper management. We immediately suggested a mind-map style approach with photos where possible for the icons and a heat map approach for expressing the levels of attack and compromise.
In one case, we surface mapped a utility substation. We showed pictures of the controls, pictures of the tools and techniques used to compromise them and even shot some video that demonstrated how easily some of the controls were overcome. The entire presentation was explained as a story and the points came across very very well. The management team was engaged, had their interest piqued by the video and even took their turn at attempting to pick a couple of simple locks we had brought along. (Thanks to @sempf for the suggestion!) In my 20+ years of information security consulting, I have never seen a group of folks as engaged as this group. It was amazing and very well received.
Another way we applied similar mapping techniques was while assessing an appliance we had in the lab recently. We photographed the various ports, inputs and pinouts. We shot video of connecting to the device and then brought some headers and tools to the meetings with us to discuss while they passed them around. We used screen shots as slides to show what the engineers saw and did at each stage. We gave high level overviews of the “why” we did this and the other thing. The briefing went well again and the customer was engaged and interested throughout our time together. In this case, we didn’t get to combine a demo in, but they loved it nonetheless. Their favorite part was the surface maps.
Mapping has proven its worth, over and over again to our teams and our clients. We love doing them and they love reading them. This is exactly how product designers, coders and makers should be engaged. We are very happy that they chose MSI and our lab services to engage with and look forward to many years of a great relationship!
Thanks for reading and reach out on Twitter (@lbhuston) or in the comments if you have any questions or insights to share.
One of the oddest, most fun and most secretive parts of MSI is our testing lab services. You don’t hear a lot about what happens back there, behind the locked doors, but that is because of our responsible disclosure commitments. We don’t often talk publicly about the testing we do in the lab, but it varies from testing unreleased operating systems, applications, hardware devices, voting mechanisms, ICS/SCADA equipment, etc. We also do a small amount of custom controls and application development for specific niche solutions.
Mostly though, the lab breaks things. We break things using a variety of electronic tools, custom hardware, bus/interface tampering, software hacking, and even some more fun (think fire, water & electric shock) kinds of scenarios. Basically, whatever the threat model your devices or systems face, most of them can be modeled, examined, tested, simulated or otherwise tampered into place in the MSI labs.
Our labs have several segments, with a wide array of emulated environments. Some of the lab segments are virtualized environments, some are filled with discrete equipment, including many historical devices for cross testing and regression assessments, etc. Our electronics equipment also brings a set of capabilities for tampering with devices beyond the usual network focus. We often tamper with and find security issues, well below the network stack of a device. We can test a wide range of inputs, outputs and attack surfaces using state of the art techniques and creatively devious approaches.
Our labs also include the ability to leverage HoneyPoint technology to project lab tested equipment and software into parts of the Internet in very controlled simulations. Our models and HoneyPoint tools can be used to put forth fake attack surfaces into the crimestream on a global basis and identify novel attacks, model attack sources and truly provide deep threat metrics for entire systems, specific attack surfaces or components of systems. This data and the capabilities and techniques they are based upon are entirely proprietary and unique to MicroSolved.
If you would like to discuss how our lab services could assist your organization or if you have some stuff you want tested, get in touch. We would love to talk with you about some of the things we are doing, can do and some of the more creatively devious ideas we have for the future. 🙂
Drop us a line or give us a call today. We look forward to engaging with you and as always, thanks for reading!
So how “advanced” is APT?
Listen in as our tech team discusses various aspects of APT such as:
- How it has been portrayed.
- Why it often isn’t an advanced threat
- Where do they originate?
- What can companies do about APT?
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.