ClawBack For Credit Unions

I got a question recently from one of our Credit Union clients about ClawBack™. They explained that they don’t really do any internal development, so leaking source code was not a concern for them. Based on that, they wondered, would ClawBack still be a useful tool for them?

I pointed out that most larger Credit Unions do some form of development, or at the very least, that their systems admin folks often write (and potentially expose) scripts and other management tools that would be of use to an attacker. However, even if they didn’t do any development at all, leveraging something like the Professional level of ClawBack as a DIY tool ($149.00 per month) is still a good idea.

Further, I explained that source code leaks are only one third of the focus of the ClawBack tool. It also searches for leaked device/application configurations and leaked credentials. Every Credit Union with a network needs to think about leaked device and application configurations. These are the most commonly found items in ClawBack’s history. Whether by accident, misunderstanding or malicious intent, thousands of leaked configuration files wind up on the Internet in repositories, support forums, answer sites, social media and paste bins. When found, they can provide significant amounts of damaging information to attackers, ranging from logins and passwords to sensitive cryptographic and API keys. In some cases, they can be a nearly complete map of the internal network.

Thirdly, ClawBack also focuses on leaked credentials. It can help identify stolen and compromised passwords belonging to members of your organization. Many times, these credentials contain the same or similar passwords as Internet-exposed applications, webmail or email access, and potentially even weakly secured VPN instances. Stolen and leaked credentials are among the most significant root causes of breaches, business email compromise and a variety of other fraud.

Your CU Security team can add ClawBack to their toolkit for less than $150 per month. It’s simple to use, flexible and an incredibly powerful capability for minimizing the damage from data leaks. Check out this video (under 8 minutes) for more information. If you’d like to discuss ClawBack or our ClawBack Managed and Professional Services, please drop us a line, or give us a call at (614) 351-1237 today.

3 Things Attackers Can Leverage From a Device Configuration Leak

One of the questions I often get around our ClawBack data leak detection SaaS product is “What can a hacker get from a leaked config?”. I put together this quick post about three of the most common and powerful elements that we often find in leaked configurations we discover.

1) Credentials – Let’s face it, credentials are often the easiest way to leverage leaked configs. Sure, it might be for an edge router or some network gear, or maybe it’s for the VPN. Configs often contain sets of credentials, either in plain text or in hashed form. Hashes need to be cracked, sure, but that is often quite possible. Even when the credentials can’t be used remotely, they often help us tune our password guesses and learn more about the policies and password requirements of other systems. You wouldn’t believe the number of times, though, that the credentials from a leaked config simply work across the network or enterprise, and often with significant privilege.

2) Encryption Keys – Leaked router, firewall or VPN device configurations often contain encryption keys. While these still require an attacker to be in a position to gather traffic, they are very useful to well-resourced attackers with that capability. If you’re at the level of risk where you need to worry about nation-state or politically motivated attackers, you really don’t want to leak your encryption keys. In addition to being a significant issue going forward, leaking encryption keys is a “long tail” vulnerability: an adversary who has archived historic traffic can use the leaked key to decrypt it after the fact. Thus, the lifetime of the key becomes the window of vulnerability. This is especially true when protocols with static, long-lived keys are in use.

3) Network Recon Data – From IP addresses to firewall rules and from SNMP strings to dynamic routing data, device configurations can provide a veritable treasure trove of recon data about your environment. Partner connections, vendors with remote access, interconnects with other environments and the general day to day operations of the computing systems can often be found in leaked configurations. Depending on the type and criticality of the device, the config can often give up a complete view of the guts of the organization.

That’s just the top 3. We’ve seen thousands of leaked configurations in our work on ClawBack and penetration testing. There’s no doubt that leaked configs are useful to the attacker. The big question is, if you had leaked configurations out in the world, would you know about it? Would you know how to hunt them down, claw them back and mitigate the damage? If not, or if the idea makes you nervous, give us a call. We’re happy to help you solve these problems. You can get in touch by calling 614-351-1237 or drop us an email at info@microsolved.com.
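
The three categories above can be checked for mechanically before a configuration ever leaves the building, for instance when an engineer is about to paste a config into a vendor support ticket or a forum post. What follows is an added example written for this post; it is not ClawBack’s code or any MSI tool. It scans a constructed Cisco-IOS-style configuration (every hostname, address, hash and key in it is made up) for credential, key and recon lines, reports what each line would expose without echoing the secret, and produces a redacted copy that is safe to share. The handful of IOS statements it recognizes is an illustrative subset chosen for the example, not a complete grammar.

```python
import re
from dataclasses import dataclass

# Constructed Cisco-IOS-style configuration. Every hostname, address, hash
# and key below is made up for this example and belongs to no real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$zzzz$MADEUPHASHFORTHISEXAMPLE
username admin privilege 15 password 7 0123456789ABCDEF
username backup password 0 Summer2024!
tacacs-server key SharedTacacsKey
snmp-server community public RO
snmp-server community privatestring RW
crypto isakmp key MadeUpPreSharedKey address 203.0.113.10
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
router bgp 64512
 neighbor 198.51.100.2 remote-as 64513
access-list 101 permit tcp 203.0.113.0 0.0.0.255 any eq 22
ip http server
line vty 0 4
 transport input telnet ssh
"""


@dataclass
class Finding:
    line_no: int
    category: str     # "credential", "key" or "recon" (the post's three classes)
    description: str  # what the line exposes; never contains the secret itself


# (category, pattern, description template). A pattern with a "secret" group
# marks a value that must be redacted before the config is shared anywhere;
# the other named groups feed the description. Illustrative subset of IOS syntax.
_RAW_RULES = [
    ("credential", r"^\s*enable (?:secret|password)(?: (?P<type>\d))? (?P<secret>\S+)",
     "enable credential stored as type {type}"),
    ("credential", r"^\s*username (?P<user>\S+) .*?(?:password|secret)(?: (?P<type>\d))? (?P<secret>\S+)",
     "local account '{user}' with a type {type} credential"),
    ("credential", r"^\s*(?:tacacs|radius)-server .*?key(?: \d)? (?P<secret>\S+)",
     "AAA server shared key"),
    ("key", r"^\s*crypto isakmp key (?P<secret>\S+) address (?P<peer>\S+)",
     "IKE pre-shared key for VPN peer {peer}"),
    ("key", r"^\s*pre-shared-key(?: \d)? (?P<secret>\S+)",
     "pre-shared key"),
    ("recon", r"^\s*snmp-server community (?P<secret>\S+) (?P<mode>RO|RW)",
     "SNMP {mode} community string"),
    ("recon", r"^\s*hostname (?P<host>\S+)", "device hostname {host}"),
    ("recon", r"^\s*ip address (?P<ip>\S+) (?P<mask>\S+)", "interface address {ip} {mask}"),
    ("recon", r"^\s*neighbor (?P<ip>\S+) remote-as (?P<asn>\d+)", "BGP peer {ip} in AS {asn}"),
    ("recon", r"^\s*access-list \d+ ", "ACL rule revealing filtering policy"),
]
RULES = [(cat, re.compile(rx), tmpl) for cat, rx, tmpl in _RAW_RULES]


def _first_match(line):
    """Return (rule, match) for the first rule that matches the line, else None."""
    for rule in RULES:
        m = rule[1].match(line)
        if m:
            return rule, m
    return None


def scan_config(text):
    """Classify every line that would give an attacker something; secrets are not echoed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = _first_match(line)
        if hit:
            (category, _, template), m = hit
            info = {k: (v if v is not None else "n/a") for k, v in m.groupdict().items()}
            findings.append(Finding(line_no, category, template.format(**info)))
    return findings


def redact_config(text):
    """Copy of the config with every secret-bearing value replaced; recon lines are kept."""
    out = []
    for line in text.splitlines():
        hit = _first_match(line)
        if hit and "secret" in hit[0][1].groupindex:
            m = hit[1]
            line = line[: m.start("secret")] + "<REDACTED>" + line[m.end("secret") :]
        out.append(line)
    return "\n".join(out) + "\n"


def summarize(findings):
    """Count findings per category, e.g. {"credential": 4, "key": 1, "recon": 6}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:2d} [{f.category:10s}] {f.description}")
    print(summarize(scan_config(SAMPLE_CONFIG)))
    print(redact_config(SAMPLE_CONFIG))
```

Note that the redacted copy deliberately keeps the recon lines (addresses, BGP peers, ACLs): those are not secrets in the credential sense, but the third category above is exactly why even a redacted config should go to a vendor through a private channel rather than a public forum.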

Deeper Than X-Ray Vision: Device Configuration Reviews

Many of our assessment customers have benefited in the last several years from having their important network devices and critical systems undergo a configuration review as a part of their assessments. However, a few customers have begun having this work performed as a subscription, with our team performing ongoing deep reviews of one to three devices per month, and then working with them to mitigate specific findings and bring the devices into a more trusted and deeply hardened state.

From credit unions to boards of elections and from e-commerce to ICS/SCADA teams, this deep and focused approach is becoming a powerful tool in helping organizations align better with best practices, the 80/20 Rule of Information Security, the SANS CAG and a myriad of other guidance and baselines.

The process works like this:
  1. The organization defines a set of systems to be reviewed based on importance, criticality or findings from vulnerability assessments.
  2. The MSI team works with the organization to either get the configurations delivered to MSI for testing or to access the systems for local assessments in the case of robust systems like servers, etc.
  3. The MSI team performs a deep-level configuration assessment of the system, identifying gaps and suggested mitigations.
  4. The MSI team provides a technical level detail report to the organization and answers questions as they mitigate the findings.
  5. Often, the organization has the systems re-checked to ensure mitigations are completed, and MSI provides a memo of our assertions that the system is now hardened.
  6. Lather, rinse and repeat as needed to continually provide hardening, trust and threat resistance to core systems.

Our customers are also finding this helpful as a separate service. Some smaller credit unions and IT departments may simply want to identify their critical assets and have this deep-level review performed against them in advance of a regulatory audit, to prepare for the handling of new sensitive data or an important business process, or simply to harden their environment overall.
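
Steps 3 and 5 of the process above, as an added example and not MSI’s own review tooling: a small baseline checker run over two constructed Cisco-IOS-style configurations of the same device, the state as received for review and the state after the suggested mitigations, followed by a re-check that reports which findings were resolved, which remain and whether any new ones were introduced. The ten checks are common hardening items picked for illustration, not MSI’s review checklist.

```python
import re
from dataclasses import dataclass

# Two constructed Cisco-IOS-style configurations of the same device, made up
# for this example: the state as received for review, and the state after the
# suggested mitigations were applied.
BEFORE = """\
hostname core-sw-01
enable password Winter2024
username admin password 0 Winter2024
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
"""

AFTER = """\
hostname core-sw-01
service password-encryption
enable secret 5 $1$zzzz$MADEUPHASHFORTHISEXAMPLE
username admin secret 5 $1$yyyy$ANOTHERMADEUPHASH
snmp-server community MadeUpRoString RO 10
ip ssh version 2
no ip http server
ip http secure-server
logging host 192.0.2.50
ntp server 192.0.2.123
line vty 0 4
 transport input ssh
"""


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    detail: str
    mitigation: str


# Baseline checks for this illustration. Each entry: id, severity, regex,
# whether a match IS the problem (True) or the regex is a required setting
# whose absence is the problem (False), detail, suggested mitigation.
CHECKS = [
    ("ENABLE-PASSWORD", "high", r"^enable password ", True,
     "enable password stored reversibly or in plaintext", "use 'enable secret' instead"),
    ("USER-PASSWORD", "high", r"^username \S+ .*password ", True,
     "local user password stored reversibly", "use 'username <name> secret'"),
    ("SNMP-DEFAULT", "high", r"^snmp-server community (public|private)\b", True,
     "default SNMP community string in use", "replace with a unique string and restrict it with an ACL"),
    ("SNMP-RW", "high", r"^snmp-server community \S+ RW", True,
     "read-write SNMP community configured", "remove RW access or move to SNMPv3 with auth/priv"),
    ("HTTP-MGMT", "medium", r"^ip http server", True,
     "cleartext HTTP management enabled", "apply 'no ip http server'; use 'ip http secure-server' only if needed"),
    ("TELNET", "high", r"^\s*transport input .*\btelnet\b", True,
     "telnet accepted on a vty line", "set 'transport input ssh' on every vty line"),
    ("NO-PWD-ENC", "medium", r"^service password-encryption", False,
     "service password-encryption not enabled", "enable it so remaining passwords are not shown in cleartext"),
    ("NO-SSHV2", "medium", r"^ip ssh version 2", False,
     "SSH version 2 not enforced", "configure 'ip ssh version 2'"),
    ("NO-LOGGING", "medium", r"^logging host ", False,
     "no remote syslog destination", "send logs to a central collector"),
    ("NO-NTP", "low", r"^ntp server ", False,
     "no time source configured", "configure NTP so log timestamps are trustworthy"),
]


def review_config(cfg):
    """Run every check (process step 3); an empty list means the config passed this baseline."""
    lines = cfg.splitlines()
    findings = []
    for check_id, severity, pattern, match_is_bad, detail, mitigation in CHECKS:
        rx = re.compile(pattern)
        present = any(rx.match(line) for line in lines)
        if present == match_is_bad:
            findings.append(Finding(check_id, severity, detail, mitigation))
    return findings


def recheck(before_cfg, after_cfg):
    """Compare two reviews of the same device (process step 5) by check id."""
    before = {f.check_id for f in review_config(before_cfg)}
    after = {f.check_id for f in review_config(after_cfg)}
    return {
        "resolved": sorted(before - after),
        "remaining": sorted(before & after),
        "introduced": sorted(after - before),
    }


if __name__ == "__main__":
    for f in review_config(BEFORE):
        print(f"[{f.severity:6s}] {f.check_id}: {f.detail} -> {f.mitigation}")
    print(recheck(BEFORE, AFTER))
```

The "introduced" bucket is the reason the re-check compares by check id rather than just counting findings: a mitigation that fixes one item while breaking another would otherwise look like progress.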
 
Deep-dive device configuration reviews are affordable, easy to manage, and effective security engagements. When MSI works with your team to harden what matters most, it benefits your team and your customers. If you want to hear more about these reviews, to engage MSI to perform them, or to hear more about device-, application- or process-focused assessments, simply drop us a line or give us a call. We would be happy to discuss them with you and see how we can help your organization get clarity with a laser focus on testing the systems, devices and processes that you value most.
 
As always, thanks for reading and stay safe out there!