Car Dealership Threat Scenario – Wireless Printer Hacking AP Fraud

Today, I wanted to talk about a threat scenario that we have modeled recently. In the scenario, the victim was a car dealership, and the target was to commit accounts payable fraud. The testing scenario is a penetration test against a large group of car dealerships, but our research shows the threat to be valid against any number of organizations. 

Here’s the basics of the scenario:

  • The team found a car dealership with an extensive wireless network. Though the network was encrypted and not available to the public, the team was able to compromise the wireless credentials using a wifi pineapple in a backpack, while pretending to shop for a new car.
  • The team used the credentials to return later, appearing to wait for a service visit and working from the customer lounge. (The coffee and snacks were great! )
  • The team logged into the wireless network and quickly identified many devices, workstations and such available. Rather than focus on the workstations or attempt an attack on the users – the team instead focused on the shared printers.
  • One printer was identified with the name “BackOffice”, and access to the print spool was easily obtained through known default passwords which hadn’t been changed on the device.
  • Our team made notes of attack their recon attack path, and left the dealership.
  • Once away from the dealership a couple of simple social engineering calls were made to the accounts payable folks, pretending to be a vendor that we had observed at work at the facility. Without any real information, the accounts payable team member explained when we could expect payment, because accounts payable checks were processed every Thursday morning. The social engineer thanked them and completed the call.
  • On Thursday morning, the team showed up at the dealership again, pretending to wait for a service appointment. While in the lounge, they accessed the compromised network and printer. This time, taking deeper control of the printer’s file buffer.
  • The team waited for the accounts payable staff to submit their weekly check printing to the printer. Indeed, around 10:45, the printer file showed up in the printer spool, where our penetration testing team intercepted it. 
  • The team quickly edited the file, changing one of the checks in amount (increasing the amount by several thousand dollars) and the payee (making the check payable to a fictional company of our choosing). They also edited the mailing address to come to our office instead of the original vendor. (PS – we alerted the manager to this issue, so that the bill could be paid later — never harm a client while doing testing!!!)
  • The file was then re-sent to the printer and released. The whole process occurred in under 3 minutes, so the AP person never even noticed the issue.
  • One expected control was that perhaps the AP staff would manually reconcile the checks against their expected checks, but this control was not in place and the fake check was mailed to us (we returned it, of course!).

This is a pretty simple attack, against a very commonly exploitable platform. Poor wireless network security and default installs of printer systems are common issues, and often not given much thought in most dealerships. Even when organizations have firewalls and ongoing vulnerability scanning, desktop controls, Anti-Virus, etc. – this type of attack is likely to work. Most organizations ignore their printers – and this is an example of how that can bite you.

These types of threat scenarios are great examples of our services and the threat modeling, fraud testing and penetration testing available. If you’d like to learn more about these kinds of activities, or discuss how to have them performed for your organization – get in touch. You can contact us via web form or give us a call at (614) 351-1237. You can also learn more about our role and services specific to car dealerships here.

Thanks for reading and let me know if you have any questions – @lbhuston on Twitter.

Business Email Compromise Attacks on Dealerships

Business email compromise attacks are a significant threat to car dealerships.

Among the car dealerships we work with, two large threats represent the most significant risks at the moment. The first is ransomware, which we have covered extensively on this blog. The second, business email compromise, we’ve also talked a lot about, but mostly in terms of traditional financial services firms. However, business email compromise is one of the most common cybersecurity attacks today and, according to the FBI’s Internet Crime Complaint Center, costs American firms $1.7 billion in 2019, while worldwide losses might well have reached over $5 billion!

How big is the risk of a business email compromise in a dealership?

Business email compromise attacks occur every single day across a variety of industries. Business email compromises typically occur via two specific attack vectors: phishing and stolen credential reuse. Most of our dealerships have significant controls around phishing, with those detection systems reporting tens to hundreds of attempts per day. While the phishing tools are good enough to stop the vast majority of common phishing attacks, there are some that make it through the network and computer-based defenses. When this happens, it is up to the humans in the dealership to be aware enough of the issue, be paying enough attention and have good enough training to prevent the phishing message from becoming a compromise.

In the second attack vector for business email compromise, attackers reuse stolen or leaked credentials (logins and passwords) that have become available on the Internet. There are several common forums and pastebin-type sites where these credentials are dumped, traded or sold (if you want to learn about a common tool to help monitor for these issues, check out ClawBack) and attackers monitor these sites with various tools. Once they see a leaked set of credentials, they try and use it on the web mail logins of their targets. If the user has the same login and password across many sites (many do), then the attacker may compromise the web mail account and be logged into the corporate email system as the user.

What happens in a typical business email compromise in a dealership?

Once the attacker has access to the email system, they will often spend a little time reading the emails and browsing through any files that the email server maintains. If the system includes chat capabilities, they often read those as well. They do this to learn about the user, their position and what the attacker may be able to use the compromised account to do. If any valuable information is in the email archive or on exposed files, they often steal that data right away for resale.

It’s not uncommon for attackers to set a forwarding address for compromised mail accounts, redirecting copies of emails to themselves so that they can monitor the email activity of the user without logging back into the server – thus reducing their chances of being discovered. If the compromised account doesn’t seem useful to the attacker, they will often use it to send phishing emails to other people in the address book, including other internal users, business partners, customers and the like. These phishing attacks are often highly successful, given that they come from a trusted contact and the attacker can tailor the language and tone of the email to match usual conversations.

Once the attacker gets access to an account that they feel is capable of either gaining them network access (think executives who can make requests of subordinates) or allow them to move money (think about accounts payable, wire, ACH and other banking fraud), they will use the email account to send messages, forms (if available) or other requests to get what they want. Again, these attacks are often highly successful, because the attacker comes from a known account, can tailor the language and tone of the messages, and can use social engineering techniques to apply pressure to the victims in order to get them to do things they might not ordinarily do.

What can dealerships do to prevent business email compromises?

Dealerships can combat business email comprise attacks by ensuring that their phishing and authentication defenses are up to par. They can train their team members to be on guard for messages that apply pressure, declare urgency or ask for unusual activities. The dealership can implement training and protocols for voice validation checks for unusual requests and perform ongoing testing of these types of scenarios to educate and keep their staff on guard.

Dealerships can also be vigilant about their email systems, configuring them to apply controls, ensure that logging and other security measures are in place. They can implement multi-factor authentication. They can have ongoing assessments and penetration testing – including business email comprise-based scenarios.

Reducing the risk is doable, but it does require work, investment and continued vigilance. Attackers only have to be right once, while the security controls and your team have to be right every single time to prevent losses. With incidents ranging from tens of thousands of dollars to hundreds of thousands of dollars in losses – paying attention to business email compromises is critical for dealerships of all sizes.

To learn more about tools, techniques and testing to help your organization prevent, detect and respond to business email compromise attacks, get in touch with our team at SecureDrive Alliance for more information and a free risk discussion today.

ClawBack Professional and Managed Services Launched

Clawback small

ClawBack™, our data leak detection engine which we released last fall, is a cloud-based SaaS tool focused on helping organizations detect leaked source code, device/application configurations and credentials. You can learn more about the product and why we made it in this quick 8 minute video by clicking here.

While ClawBack has been a very successful product in its own right, the SaaS platform is primarily “Do It Yourself” in terms of operations. It’s easy to use and manage, but the customer does the work of reviewing the alerts and managing the responses. Over the last several months, some clients have asked for a managed service option, where MSI will manage the ClawBack product, review the alerts and work with the customer to issue take downs or provide mitigation advice. Today, we are proud to announce the immediate availability of the ClawBack Managed Service. Now you can get the power and vigilance of ClawBack without the overhead of managing and monitoring the product directly, reviewing the alerts and issuing appropriate take down requests.

Several clients have also asked us about other professional services associated with ClawBack and with Data Leak Prevent/Protection (DLP) capabilities in general. MSI is also proud to announce the immediate availability of the following associated professional services:

  • Monitoring term identification, optimization and improvement
  • Watermark implementation in source code and device configurations
  • Data leak awareness training, especially focused on source code, configurations and credentials
  • Data leak impact modeling and table top simulations
  • 30/60/90 day data leak assessments
  • Exfiltration testing and Data Loss Prevention (DLP) assessments and optimization
  • Data classification and data leak policy and process development and reviews

Additionally, we are launching multiple year packages that combine these services in 3 and 5 year plans, allowing our clients to create long term solutions to the problems of data leakage, intellectual property risk management and compromises stemming from leaked source code, configs and credentials. To learn more about these services or create a package that fits your firm’s needs, give us a call at 614-351-1237 or drop us a line (info@microsolved.com).

WARNING: Migrate Windows Server 2003 Immediately

Believe it or not, we still get queries from a few utility companies that have operational processes locked on Windows Server 2003 as a platform. Most of the time, these are legacy applications associated with some form of ICS device or data management system that they have not been able to afford to replace.

Windows 2003 Server end-of-life searches are still among the most popular searches on our StateOfSecurity.com blog, receiving more than 200 queries most months. Keep in mind, this is an operating system that patches haven’t been released for since 2015. According to Spiceworks, an online community for IT professionals, the Windows 2003 Server operating system still enjoys a market share of 17.9%, though we could not validate the time frames of their claim.

But, just in the last year or so, we have seen it alive and well in natural gas, energy and the communications infrastructures, both foreign and domestic. So, we know it is still out there, and still being used in seemingly essential roles.

I’m not going to lecture you about using a system that is unmatched for 5 years. That’s just common sense. Instead, what I am going to do is make three quick suggestions for those of you who can’t get rid of this zombie OS. Here they are:

1. Install a firewall or other filtering device between the legacy system and the rest of your environment. This firewall should reduce the network traffic allowed to the system down to only specifically required ports and source addresses. It should also restrict all unneeded outbound traffic from the device to anything else in the network or the world. The device should be monitored for anomalies and security IOCs.

2. If the hardware is becoming an issue, as well, consider virtualizing the system using a modern virtualization solution. Then apply the firewalling above. Server 2003 seems to be easily virtualized and most modern solutions can handle it trivially.Hardware failure of many of these aging systems is their largest risk in terms of availability.

3. Eliminate the need AS SOON AS POSSIBLE. Even with the firewalling and filtering, these systems have high risk. You might also consider if you can migrate portions of the services from Windows 2003 to a more recent system or platform. This isn’t always possible, but everything you can move from Windows 2003 to a supported OS is likely to let you crank down your filtering even more.

Lastly, if you’re still trapped on Windows 2003, make sure you review this every quarter with the application owners and management. Keep it on their mind and on the front burner. The sooner you can resolve it, the better. 

If you need more help or advice on risk mitigation or minimization, get in touch. We’d love to help! Just email us at info@microsolved.com and we can connect.

EDI – The Often Overlooked Critical Process in Utilities

EDI (Electronic Data Interchange) is an often forgotten underpinning of many utility companies, even though many of its functions are likely to be critical to the operation. In many states, EDI is a mandated operation for commercial bill pay and meter reading data exchange with third party services. In fact, between the Gas Industry (GISB) and North American Energy (NAESB) Standards Boards, a substantial set of requirements exist for industry use of EDI.

Data

While EDI exists as a specific set of functions for exchanging digital data, it is often managed through third party applications and networks. These operations carry several different threat models, from disruption of service and outages that impact the data availability, to tampering and compromise of the data in transit. As such, it is essential that utilities have performed business function and application specific risk assessment on EDI implementations.

Additionally, many of our clients have performed EDI-focused penetration testing and technical application assessments of their EDI translators and network interconnects. Some clients still utilize a Value Added Network (VAN) or other service provider for EDI transmissions, and MSI can work with your VAN to review their security program and the configuration of your interconnections to ensure maximum security and regulatory compliance.

Lastly, our team has been very successful doing tabletop incident response and disaster recovery/business continuity exercises involving modeling EDI outages, failures and data corruption. Impacts identified in these role playing exercises have ranged from critical outages to loss of revenue.

If you’d like to learn more about our EDI services and capabilities, give us a call at 614-351-1237 or drop us a line at info@microsolved.com. We’d love to talk with you about our nearly 30 years of experience in EDI, information security and critical infrastructure.

 

 

 

A vCISO Interview With Dave Rose

I had the pleasure to interview, Dave Rose, who does a lot of our virtual CISO engagements at MSI. I think you might enjoy some of his insights.

Q) In a few sentences, introduce yourself and describe your background that makes you a valuable virtual CISO. What are the keys to your success?

A) So my name is Dave Rose and I have been a CTO and in Technology for 25+ years. I started working daily with Risk as an Internal IT Auditor with the State of Ohio and expanded exponentially my knowledge and skills with JP Morgan Chase where I had day to day Risk responsibility for their Branch, ATM, Branch Innovation, Enterprise and Chase wealth Management applications. (548 to be exact!) What makes me a valuable CISO? In technology I have been audited by the best of them, SEC OCC,FINRA,Internal Audit, and been responsible for PCI and Basil compliance. I have had to review, implement and modify controls from NIST, ISO,SOX, GLBA, OWASP and CIS. In the financial industry I have worked with Agribusiness, Commercial Real Estate, Retail Banking, Investment Banking, Mutual Funds, Wealth Management, Credit Unions and 401K plans. As an IT/Operations manager/leader I have been responsible for Network Management, Finance, HR, Contract and Vendor Management, Help Desk, Development staff, Investment Operations, Sales, Cyber Engineers and Project Management, which I started my career performing. 

With the diversity that I listed above, there is a pretty good chance my past experience can help you to solve your current problems, now. A modicum of common sense, perseverance and a passion to do what right for the business while being responsible to the controls that make you successful has made me successful. 

Q) Speaking as a virtual CISO, what are some of the toughest challenges that your clients are facing this year?

A) I think that one of the biggest challenge that our clients are facing this year is Technology Deficit. I dont think this is anything new but with the deprecation of Win 7 and the threat of Ransomware, holding onto old technology with critical vulnerabilities is no longer an option. Whether is is hardware, software or code updates, companies cannot continue to mortgage technology debt to the future. Hate to be cliche but the time is now. 

Q) If you met with a board and they wanted to know what percentage of revenue they should be spending on information security, how would you answer that question?

A) I hate this question because it really does not have a good answer. A board asked me once “How much money would it cost me to get to a 3.5 on the NIST scale?” Money is only one facet of solving risk, there is culture, leadership, technology and business vision. Know and set the roadmap for all of those items for the next 5 years and your dollar investment will come naturally. So 6-7% (Rolls eyes)

Q) In terms of the NIST model, can you walk us through how you would prioritize the domains? If you came into a new organization, where would you start in the NIST model to bring the most value and what would the first 100 days look like?

A) There are two areas of the NIST model I would focus on, identify and protect. I would take a good hard look at access administration and all the components that make that up. Next I would look at log analysis and aggregation. I would spend the first hundred days doing a Risk Assessment of the entire environment but would also create a roadmap based on evaluation of current state for both Access Administration and Log Governance. Based on your results and determination of Risk and Reward (80/20 rule) map out the next 1-3 years. 

Q) If folks wanted to learn more about your insights or discuss having you work with them as a virtual CISO or security oversight manager, how can they reach you?

A) If you would like to talk further about these question, insights or would like to hear more about the MSI vCISO service, you can reach me at 614 372–6769, twitter @dmr0120 or e-mail at drose@microsolved.com!

3 Lessons From 30 Years of Penetration Testing

I’ve been doing penetration tests for 30 years and here are 3 things that have stuck with me.

I’ve been doing penetration testing for around 3 decades now. I started doing security testing back when the majority of the world was dial-up access to systems. I’ve worked on thousands of devices, systems, network and applications – from the most sensitive systems in the world to some of the dumbest and most inane mobile apps (you know who you are…) that still have in-game purchases. 

Over that time, these three lessons have stayed with me. They may not be the biggest lessons I’ve learned, or the most impactful, but they are the ones that have stuck with me in my career the longest. 

Lesson 1: The small things make or break a penetration test. The devil loves to hide in the details.

Often people love to hear about the huge security issues. They thrill or gasp at the times when you find that breathtaking hole that causes the whole thing to collapse. But, for me, the vulnerabilities that I’m most proud of, looking back across my career are the more nuanced ones. The ones where I noticed something small and seemingly deeply detailed. You know the issues like this, you talk about them to the developer and they respond with “So what?” and then you show them that small mistake opens a window that allows you to causally step inside to steal their most critical data…

Time and time again, I’ve seen nuance vulnerabilities hidden in encoded strings or hex values. Bad assumptions disguised in application session management or poorly engineered work flows. I’ve seen developers and engineers make mistakes that are so deeply hidden in the protocol exchanges or packet stream that anyone just running automated tools would have missed it. Those are my favorites. So, my penetration testing friend, pay attention to the deep details. Lots of devils hide there, and a few of those can often lead to the promised land. Do the hard work. Test every attack surface and threat vector, even if the other surfaces resisted, sometimes you can find a subtle, almost hidden attack surface that no one else noticed and make use of it.

Lesson 2: A penetration test is usually judged by the report. Master report writing to become a better penetration tester. 

This is one of the hardest things for my mentees to grasp. You can geek out with other testers and security nerds about your latest uber stack smash or the elegant way you optimized the memory space of your exploit – but customers won’t care. Save yourself the heartbreak and disappointment, and save them the glazed eyes look that comes about when you present it to them. They ONLY CARE about the report.

The report has to be well written. It has to be clear. It has to be concise. It has to have make them understand what you did, what you found and what they need to do about it. The more pictures, screen shots, graphs and middle-school-level language, the better. They aren’t dumb, or ignorant, they just have other work to do and need the information they need to action against in the cleanest, clearest and fastest way possible. They don’t want to Google technical terms and they have no patience for jargon. So, say it clear and say it in the shortest way possible if you want to be the best penetration tester they’ve seen. 

That’s hard to swallow. I know. But, you can always jump on Twitter or Slack and tell us all about your L33T skillz and the newest SQL technique you just discovered. Even better, document it and share it with other testers so that we all get better.

Lesson 3: Penetration tests aren’t always useful. They can be harmful.

Lastly, penetration tests aren’t always a help. They can cause some damage, to weak infrastructures, or to careers. Breaking things usually comes with a cost, and delivering critical failure news to upper management is not without its risks. I’ve seen CIOs and CISOs lose their jobs due to a penetration test report. I’ve seen upper management and boards respond in entirely unkind and often undeserved ways. In fact, if you don’t know what assets your organization has to protect, what controls you have and/or haven’t done some level of basic blocking and tackling – forget pen-testing altogether and skip to an inventory, vulnerability assessment, risk assessment or mapping engagement. Save the pen-testing cost and dangerous results for when you have more situational awareness. 

Penetration testing is often good at finding the low water mark. It often reveals least resistant paths and common areas of failure. Unfortunately, these are often left open by a lack of basic blocking and tackling. While it’s good news that basics go a long way to protecting us and our data, the bad news is that real-world attackers are capable of much more. Finding those edge cases, the things that go beyond the basics, the attack vectors less traveled, the bad assumptions, the short cut and/or the thing you missed when you’re doing the basics well – that’s when penetration tests have their biggest payoffs.

Want to talk more about penetration testing, these lessons or finding the right vulnerability management engagement for your organization? No problem, get in touch and I’ll be happy to discuss how MicroSolved can help. We can do it safely, make sure it is the best type of engagement for your maturity level and help you drive your security program forward. Our reports will be clean, concise and well written. And, we’ll pay attention to the details, I promise you that. 🙂 

To get in touch, give me a call at (614) 351-1237, drop me a line via this webform or reach out on Twitter (@lbhuston). I love to talk about infosec and penetration testing. It’s not just my career, but also my passion.

Detecting Info Leaks with ClawBack

Clawback smallClawBack Is Purpose Built to Detect Info Leaks

ClawBack is MicroSolved’s cloud-based SaaS solution for performing info leak detection. We built the tool because we worked so many incidents and breaches related to three common types of info leaks:

  • Leaked Credentials – this is so common that it lies at the root of thousands of incidents over the last several years, attackers harvest stolen and leaked logins and passwords and use them anywhere they think they can gain access – this is so common, it is even categorized by OWASP as a specific form of attack: credential stuffing 
  • Leaked Configurations – attackers love to comb through leaked device and application configuration files for credentials, of course, but also for details about the network or app environment, sensitive data locations, cryptographic secrets and network management information they can use to gain control or access
  • Leaked Code – leaked source code is a huge boon for attackers; often leaking sensitive intellectual property that they can sell on the dark web to your competitors or parse for vulnerabilities in your environment or products

MicroSolved knows how damaging these info leaks can be to organizations, no matter the type. That’s exactly why we built ClawBack to provide ongoing monitoring for the info leak terms that matter most to you.

How to Get Started Detecting Info Leaks

Putting ClawBack to work for you is incredibly easy. Most customers are up and monitoring for info leaks within 5 minutes.

There is no hardware, software, appliance or agent to deploy. The browser-based interface is simple to use, yet flexible enough to meet the challenges of the modern web. 

First, get a feel for some terms that you would like to monitor that are unique to your organization. Good examples might be unique user names, application names, server names, internal code libraries, IP address ranges, SNMP community strings, the first few hex characters of certificates or encryption keys, etc. Anything that is unique to your organization or at the very least, uncommon. 

Next, register for a ClawBack account by clicking here.

Once your account is created, and you follow the steps to validate it, you can login to the ClawBack application. Here, you will be able to choose the level of subscription that you would like, picking from the three different service levels available. You will also be able to input your payment information and set up additional team members to use the application, if available at your subscription level. 

Next, click on Monitoring Terms and input the terms that you identified in the first step. ClawBack will immediately go and search for any info leaks related to your terms as you put them in. Additionally, ClawBack will continually monitor for the terms going forward and provide alerts for any info leaks that appear in the common locations around the web. 

How To View Any Info Leaks

Reviewing any info leaks found is easy, as well. Simply click on Alerts on the top menu. Here, your alerts will be displayed, in a sortable list. The list contains a summary of each identified leak, the term it matched and the location of the leak. You can click on the alert to view the identified page. Once reviewed, you can archive the alert, where it will remain in the system and is visible in your archive, or you can mark it as a false positive, and it will be removed from your dataset but ClawBack will remember the leak and won’t alert you again for that specific URL. 

If you have access to the export function, based on your subscription level, you can also so export alerts to a CSV file for uploading into SIEM/SOAR tools or ticketing systems. It’s that easy! 

You can find a more specific walkthrough for finding code leaks here, along with some screen shots of the product in action.

You can learn more about ClawBack and view some use case videos and demo videos at the ClawBack homepage.

Give ClawBack a try today and you can put your worries to rest that unknown info leaks might be out there doing damage to your organization. It’s so easy, so affordable and so powerful that it makes worries about info leaks obsolete.

State of Security Podcast Episode 16 is Out!

This episode is a tidbit episode, weighing in just under 20 minutes. I sat down last week with Megan Mayer (@Megan__Bytes) in the lobby bar of the Hyatt during the Central Ohio Security Summit. Pardon the background noise, but we riffed on what Megan believes are the top 3 things that every security manager or infosec team should do this week. She had some great insights and I think her points are fantastic.

Give it a listen, and as always, if you have feedback or have someone in mind that you’d like to have interviewed on the podcast or a topic that you’d like to see covered, drop me a line (@lbhuston). 

As always, thanks for listening and stay safe out there!

 

Network Segmentation with MachineTruth

network segmentation with MachineTruth

About MachineTruthTM

We’ve just released a white paper on the topic of leveraging MachineTruth™, our proprietary network and device analytics platform, to segment or separate network environments.

Why Network Segmentation?

The paper covers the reasons to consider network segmentation, including the various drivers across clients and industries that we’ve worked with to date. It also includes a sample work flow to guide you through the process of performing segmentation with an analytics and modeling-focused solution, as opposed to the traditional plug and pray method, many organizations are using today.

Lastly, the paper covers how MachineTruthTM is different than traditional approaches and what you can expect from such a work plan.

To find out more:

If you’re considering network segmentation, analysis, inventory or mapping, then MachineTruthTM is likely a good fit for your organization. Download the white paper today and learn more about how to make segmentation easier, safer, faster and more affordable than ever before!

Interested? Download the paper here:

https://signup.microsolved.com/machinetruth-segmentation-wp/

As always, thanks for reading and we look forward to working with you. If you have any questions, please drop us a line (info@microsolved.com) or give us a call (614-351-1237) to learn more.