From Dark Net Research to Real World Safety Issue

On a recent engagement by the MSI Intelligence team, our client had us researching the dark net to discover threats against their global brands. This is a normal and methodology-driven process for the team and the TigerTrax™ platform has been optimized for this work for several years.

We’ve seen plenty of physical threats against clients before. In particular, our threat intelligence and brand monitoring services for professional sports teams have identified several significant threats of violence in the last few years. Unfortunately, this is much more common for high visibility brands and organizations than you might otherwise assume.

In this particular instance, conversations were flagged by TigerTrax from underground forums that were discussing physical attacks against the particular brand. The descriptions were detailed, politically motivated and threatened harm to employees and potentially the public. We immediately reported the issue and provided the captured data to the client. The client reviewed the conversations and correlated them with other physical security occurrences that had been reported by their employees. In today’s world, such threats require vigilant attention and a rapid response.

In this case, the client was able to turn our identified data into insights by using it to gain context from their internal security issue reporting system. From those insights, they were able to quickly launch an awareness campaign for their employees in the areas identified, report the issue to localized law enforcement and invest in additional fire and safety controls for their locations. We may never know if these efforts were truly effective, but if they prevented even a single occurrence of violence or saved a single human life, then that is a strong victory.

Security is often about working against things so that they don’t happen – making it abstract, sometimes frustrating and difficult to explain to some audiences. But, when you can act on binary data as intelligence and use it to prevent violence in the kinetic world, that is the highest of security goals! That is the reason we built TigerTrax and offer the types of intelligence services we do to mature organizations. We believe that insights like these can make a difference and we are proud to help our clients achieve them.

3 Reasons You Need Customized Threat Intelligence

Many clients have been asking us about our customized threat intelligence services and how to best use the data that we can provide.

1. Using HoneyPoint™, we can deploy fake systems and applications, both internally and in key external situations that allow you to generate real-time, specific to your organization, indicators of compromise (IoC) data – including a wide variety of threat source information for blacklisting, baseline metrics to make it easy to measure changes in the levels of threat actions against your organization up to the moment, and a wide variety of scenarios for application and attack surface hardening.

2. Our SilentTiger™ passive assessments, can help you provide a wider lens for vulnerability assessment visibility than your perimeter, specifically. It can be used to assess, either single instance or ongoing, the security posture of locations where your brand is extended to business partners, cloud providers, supply chain vendors, critical dependency API and data flows and other systems well beyond your perimeter. Since the testing is passive, you don’t need permission, contract language or control of the systems being assessed. You can get the data in a stable, familiar format – very similar to vulnerability scanning reports or via customized data feeds into your SEIM/GRC/Ticketing tools or the like. This means you can be more vigilant against more attack surfaces without more effort and more resources.

3. Our customized TigerTrax™ Targeted Threat Intelligence (TTI) offerings can be used for brand specific monitoring around the world, answering specific research questions based on industry / geographic / demographic / psychographic profiles or even products / patents or economic threat research. If you want to know how your brand is being perceived, discussed or threatened around the world, this service can provide that either as a one-time deliverable, or as an ongoing periodic service. If you want our intelligence analysts to look at industry trends, fraud, underground economics, changing activist or attacker tactics and the way they collide with your industry or organization – this is the service that can provide that data to you in a clear and concise manner that lets you take real-world actions.

We have been offering many of these services to select clients for the last several years. Only recently have we decided to offer them to our wider client and reader base. If you’d like to learn how others are using the data or how they are actively hardening their environments and operations based on real-world data and trends, let us know. We’d love to discuss it with you! 

Sometimes, It Happens…

Sometimes things fail in interesting ways. Sometimes they fail in dangerous ways. Occasionally, things fail in ways that you simply can’t predict and that are astounding.

In a recent assessment of a consumer device in our lab, we found the usual host of vulnerabilities that we have come to expect in Internet of Things (IoT) devices. But, while testing this particular device, which is also tied to a cloud offering for backup and centralization of data – I never would have predicted that a local device would have a full bi-directional trust with a virtual instance in the cloud.

Popping the local device was easy. It had an easy to compromise “hidden” TCP port for telnet. It took my brute force tool only moments to find a default login and password credential set. That’s pretty usual with IoT devices.

But, once I started poking around inside the device, it quickly became apparent that the device configuration was such that it tried to stay continually connected to a VM instance in the “cloud storage and synchronization” environment associated with the device and vendor. How strong was the trust? The local device had mount points on the remote machine and both systems had full trust to each other via a telnet connection. From the local machine, simply telnet to the remote machine on the right port, and without credential check, you have a shell inside the cloud. Not good…

But, as clear of a failure as the scenario above was, the rabbit hole went deeper. From the cloud VM, you could see thousands of other VMs in the hosted cloud environment. Connect from the VM to another, and you need the default credentials again, but, no sweat, they work and work and work…

So, from brute force compromise of a local piece of consumer hardware to a compromise of thousands of cloud instance VMs in less than 30 minutes. Ugh… 

Oh yeah, remember that storage centralization thing? Yep, default credentials will easily let you look through the centralized files on all those cloud VMs. Double ugh…

Remember, I said bi-directional? Yes, indeed, a connection from a VM to an end-point IoT device also works with assumed trust, and you get a shell on a device with local network visibility. Now is the time you kinda get sick to your stomach…

These kinds of scenarios are becoming more common as new IoT devices get introduced into our lives. Yes, the manufacturer has been advised, but, closing the holes will take a complete redesign of the product. The moral of this story is to pay careful attention to IoT devices. Ask questions. Audit. Assess. Test. There are a lot of bad security decisions being made out there in the IoT marketplace, especially around consumer products. Buyer beware!

Custom Security and Business Intelligence at Your Fingertips

We have decided to bring what has been a service offering to very select clients for the last several years to availability for all of our clients and the public.

For years, several of our clients have been enjoying custom security intelligence driven by the MSI TigerTrax™ analytics platform and our dedicated team of analysts and subject matter experts. The research and analysis work the team has been performing has been focused on agendas like:

  • competitive analysis
  • economic industry scale market analysis
  • consumer behavior, demographic or psychographic profiling
  • organizational human network data flows and relationship mapping
  • gathering data for marketing and sales opportunities on a global scale
  • dark net data raids
  • trend and disruptive technology assessments
  • scalability & DRM techniques
  • piracy and underground market analyses
  • and even assessments of threats against brands, nation-states and multi-national cooperatives

Our team has robust expertise to gather, profile, mine, visualize and analyze public or private data en masse for your organization.

Want customized threat data about your brands, on a global scale, updated monthly with new findings from the public, deep and dark web spaces? We can do that.

Want large amounts of competitive market data gathered, visualized and summarized? We can do that too. 

Need daily briefings on a set of specific trends, geo-locations or products? Our experts are experienced at producing it.

Desire to have entire market segments deconstructed, profiled and researched to find vendors, trends and critical relationships up to 3 levels away from the core processes? We’ve done that now for multiple industries.

How about a customized monthly briefing of industry wide changes, summaries of events and monitoring of specific sets of questions your organization may have around critical topic areas? We have done this for clients across multiple industries.

Basically, if your organization would like to have customized research, analysis and intelligence – and we aren’t talking about lists of indicators of compromises and such – but REAL WORLD operational intelligence for optimizing your products, services or marketing, then we may be able to assist you. If you need a larger world view than the data you have now permits, we may be able to solve that for you. If you need to match your organization’s internal data-driven views with the views of the public or smaller groups of the public, we may be able to turn those efforts into insights.

If any of this sounds interesting and useful, join us for a cup of coffee or a conference call, and let’s talk about your needs and our capabilities. We have been performing these services for years for a select few clients, and are now ready to open these capabilities to a wider audience. To schedule a discussion, drop us a line at info@microsolved.com, hit our website at microsolved.com and click on the request a quote button or give us a call at (614) 351-1237 today. We look forward to talking with you.

Ready for Ransomware?

Ransomware is becoming common. We are getting a lot of calls for help with incident response. Here’s a couple of things to think about, in general, around ransomware attacks.

1. Backups are your first line of recovery – just think about making sure they aren’t infected as well, so that you don’t restore infected files

2. Paying the ransom can be hairy – in some cases, paying the ransom could be a crime (think money laundering, banking regulations and the Patriot Act…), plus having a process to pay in bitcoin, even if you wanted to – in the time provided – is often a challenge

3. Some ransomware is recoverable – so check for options

4. Measure business impact – is re-creation of the data viable at a cost less than the cost of paying the ransom, including the work of paying the ransom – sometimes yes… 

5. Can you identify the failed controls that let you get infected? – If so, fix them, if possible.

These are a good place to start. Think about ransomware, your incident response process and current capabilities. Check your backups and have multiple sources. Be prepared instead of panicked.

Getting Smart with Mobile App GeoLocation to Fight Fraud

If your mobile application includes purchases with credit cards, and a pickup of the merchandise, then you should pay attention to this.

Recently, in our testing lab and during an intelligence engagement, we identified a fraud mechanism where stolen credit cards were being used via the mobile app in question, to fraudulently purchase goods. In fact, the attackers were selling the purchase of the goods as a service on auction and market sites on the dark web.

The scam works like this. The bad guys have stolen credit cards (track data, likely from dumps), which they use to make a purchase for their client remotely. The bad guys use their stolen track data as a card not present transaction, which is standard for mobile apps. The bad guys have access to huge numbers of stolen cards, so they can burn them at a substantial rate without impacting their inventory to a large extent. The bad guy’s customer spends $25 in bitcoins to get up to $100 in merchandise. The bad guy takes the order from the dark net, uses the mobile app to place the order, and then delivers the receipt and/or pickup information to the bad guys customer. The customer then walks into the retailer and shows the receipt for their mobile order, picking up the merchandise and leaving.

The bad guy gets paid via the bitcoins. For them, this is an extremely low risk way to convert stolen credit card info to cash. It is significantly less risky for them than doing physical card replication, ATM use or other conversion methods that have a requirement for physical interaction.

The bad guy’s customer gets paid by picking up the merchandise. They get up to $100 value for a cost of $25. They take on some risk, but if performed properly, the scam is low risk to them, or so they believe. In the odd event, they simply leave the store after making their demands for satisfaction. There is little risk of arrest or prosecution, it would seem, especially at the low rate of $100 – or at least that was how the bad guy was pitching it to their prospective customers…

The credit card issuer or the merchant gets stuck. They are out the merchandise and/or the money, depending on their location in the world, and the merchant agreement/charge back/PCI compliance issues they face.

Understanding the fraud and motivations of the bad guys is critical for securing the systems in play. Organizations could up their validation techniques and vigilance for mobile orders. They could add additional fraudulent transaction heuristics to their capability. They could also implement geo-location on the mobile apps as a control – i.e.. If the order is being physically placed on a device in Ukraine, and pick up is in New York, there is a higher level of risk associated with that transaction. Identifying ways  to leverage the sensors and data points from a mobile device, and rolling it into fraud detection heuristics and machine learning analytics is the next wave of security for some of these applications. We are pleased to be helping clients get there…

To hear more about modern fraud techniques, application security testing or targeted threat intelligence like what we discussed above, drop us a line (info at microsolved dot com) or via Twitter (@lbhuston). We look forward to discussing it with your team.

Passive Assessments Continue to Astound

Our passive assessment capability continues to astound us with the things we find. I haven’t seen this many obvious hits since the early days of vulnerability scanning…

It seems that many organizations are missing issues that lie outside of their perimeter. Hosted sites, cloud-based systems and rogue network segments abound. Brand-focused assessments and passive testing of the security posture of partners, providers and external resources have proven to our clients to be a tipping point moment. It has become clear to them and us that a significant portion of the threats and attack surface have moved into wider distribution outside the network perimeter of yesterday. 

Client have been using this capability to test and audit their own risks, but also their vendors, partners and cloud “en masse”.

We are looking for 3-5 key organizations to put together a summit and think tank group to develop standards and best practices together for how to best use passive assessments and targeted threat intelligence on an enterprise level. If your organization would like to discuss passive assessment and potentially engaging in the best practices development summit, please reach out to us on Twitter (@microsolved) or contact your account executive/project manager to arrange for a quick call. Thanks and we look forward to bringing these game changing new tools to organizations around the world shortly!

Hosting Providers Matter as Business Partners

Hosting providers seem to be an often overlooked exposure area for many small and mid-size organizations. In the last several weeks, as we have been growing the use of our passive assessment platform for supply chain assessments, we have identified several instances where the web site hosting company (or design/development company) is among the weakest links. Likely, this is due to the idea that these services are commodities and they are among the first areas where organizations look to lower costs.

The fall out of that issue, though, can be problematic. In some cases, organizations are finding themselves doing business with hosting providers who reduce their operational costs by failing to invest in information security.* Here are just a few of the most significant issues that we have seen in this space:
  • “PCI accredited” checkout pages hosted on the same server as other sites that are clearly under the control of an attacker
  • Exposed applications and services with default credentials on the same systems used to host web sites belonging to critical infrastructure organizations
  • Dangerous service exposures on hosted systems
  • Malware infested hosting provider ad pages, linked to hundreds or thousands of their client sites hosted with them
  • Poorly managed encryption that impacts hundreds or thousands of their hosted customer sites
  • An interesting correlation of blacklisted host density to geographic location and the targeted verticals that some hosting providers sell to
  • Pornography being distributed from the same physical and logical servers as traditional businesses and critical infrastructure organizations
  • A clear lack of DoS protection or monitoring
  • A clear lack of detection, investigation, incident response and recovery maturity on the part of many of the vendors 
It is very important that organizations realize that today, much of your risk extends well beyond the network and architectures under your direct control. Partners, and especially hosting companies and cloud providers, are part of your data footprint. They can represent significant portions of your risk, and yet, are areas where you may have very limited control. 
 
If you would like to learn more about using our passive assessment platform and our vendor supply chain security services to help you identify, manage and reduce your risk – please give us a call (614-351-1237) or drop us a line (info /at/ MicroSolved /dot/ com). We’d love to walk you through some of the findings we have identified and share some of the insights we have gleaned from our analysis.
 
Until next time, thanks for reading and stay safe out there!
 
*Caveat: This should not be taken that information security is correlated with cost. We have seen plenty of “high end”, high cost hosting companies with very poor security practices. The inverse is also true. Validation is the key…

Interesting Talk on Post Quantum Computing Impacts on Crypto

If you want to really get some great understanding of how the future of crypto is impacted by quantum computing, there is a fantastic talk embedded in this link
 
The talk really turns the high level math and theory of most of these discussions into knowledge you can parse and use. Take an hour and listen to it. I think you will find it most rewarding.
 
If you want to talk about your thoughts on the matter, hit us up on Twitter. (@microsolved)

GRUB2 Authentication Bypass Vulnerability

A vulnerability has been discovered in the GRUB2 boot loader that affects versions dating back to 2009. GRUB2 is the default boot loader for a variety of popular Linux distributions including Ubuntu, Red Hat and Debian. The vulnerability can be exploited by pressing the backspace button 28 times when the boot loader asks for your username. This sequence of keys places the user into a “rescue shell”. An attacker could leverage this shell to access confidential data or install persistent malware.

It’s worth noting that the vulnerability requires access to the system’s console. Even if your organization has proper physical security controls in place, this issue should still be addressed as soon as possible. Ubuntu, RedHat and Debian have already released patches for this vulnerability.