Sometimes, It Happens…

Sometimes things fail in interesting ways. Sometimes they fail in dangerous ways. Occasionally, things fail in ways that you simply can’t predict and that are astounding.

In a recent assessment of a consumer device in our lab, we found the usual host of vulnerabilities that we have come to expect in Internet of Things (IoT) devices. But while testing this particular device, which is also tied to a cloud offering for backup and centralization of data, I never would have predicted that a local device would have a full bi-directional trust with a virtual instance in the cloud.

Popping the local device was easy. It had an easy to compromise “hidden” TCP port for telnet. It took my brute force tool only moments to find a default login and password credential set. That’s pretty usual with IoT devices.

But, once I started poking around inside the device, it quickly became apparent that the device configuration was such that it tried to stay continually connected to a VM instance in the “cloud storage and synchronization” environment associated with the device and vendor. How strong was the trust? The local device had mount points on the remote machine and both systems had full trust to each other via a telnet connection. From the local machine, simply telnet to the remote machine on the right port, and without credential check, you have a shell inside the cloud. Not good…

But, as clear of a failure as the scenario above was, the rabbit hole went deeper. From the cloud VM, you could see thousands of other VMs in the hosted cloud environment. Connect from the VM to another, and you need the default credentials again, but, no sweat, they work and work and work…

So, from brute force compromise of a local piece of consumer hardware to a compromise of thousands of cloud instance VMs in less than 30 minutes. Ugh… 

Oh yeah, remember that storage centralization thing? Yep, default credentials will easily let you look through the centralized files on all those cloud VMs. Double ugh…

Remember, I said bi-directional? Yes, indeed, a connection from a VM to an end-point IoT device also works with assumed trust, and you get a shell on a device with local network visibility. Now is the time you kinda get sick to your stomach…

These kinds of scenarios are becoming more common as new IoT devices get introduced into our lives. Yes, the manufacturer has been advised, but, closing the holes will take a complete redesign of the product. The moral of this story is to pay careful attention to IoT devices. Ask questions. Audit. Assess. Test. There are a lot of bad security decisions being made out there in the IoT marketplace, especially around consumer products. Buyer beware!

Custom Security and Business Intelligence at Your Fingertips

We have decided to bring what has been a service offering to very select clients for the last several years to availability for all of our clients and the public.

For years, several of our clients have been enjoying custom security intelligence driven by the MSI TigerTrax™ analytics platform and our dedicated team of analysts and subject matter experts. The research and analysis work the team has been performing has been focused on agendas like:

  • competitive analysis
  • economic industry scale market analysis
  • consumer behavior, demographic or psychographic profiling
  • organizational human network data flows and relationship mapping
  • gathering data for marketing and sales opportunities on a global scale
  • dark net data raids
  • trend and disruptive technology assessments
  • scalability & DRM techniques
  • piracy and underground market analyses
  • and even assessments of threats against brands, nation-states and multi-national cooperatives

Our team has robust expertise to gather, profile, mine, visualize and analyze public or private data en masse for your organization.

Want customized threat data about your brands, on a global scale, updated monthly with new findings from the public, deep and dark web spaces? We can do that.

Want large amounts of competitive market data gathered, visualized and summarized? We can do that too. 

Need daily briefings on a set of specific trends, geo-locations or products? Our experts are experienced at producing it.

Desire to have entire market segments deconstructed, profiled and researched to find vendors, trends and critical relationships up to 3 levels away from the core processes? We’ve done that now for multiple industries.

How about a customized monthly briefing of industry wide changes, summaries of events and monitoring of specific sets of questions your organization may have around critical topic areas? We have done this for clients across multiple industries.

Basically, if your organization would like to have customized research, analysis and intelligence – and we aren’t talking about lists of indicators of compromises and such – but REAL WORLD operational intelligence for optimizing your products, services or marketing, then we may be able to assist you. If you need a larger world view than the data you have now permits, we may be able to solve that for you. If you need to match your organization’s internal data-driven views with the views of the public or smaller groups of the public, we may be able to turn those efforts into insights.

If any of this sounds interesting and useful, join us for a cup of coffee or a conference call, and let’s talk about your needs and our capabilities. We have been performing these services for years for a select few clients, and are now ready to open these capabilities to a wider audience. To schedule a discussion, drop us a line at info@microsolved.com, hit our website at microsolved.com and click on the request a quote button or give us a call at (614) 351-1237 today. We look forward to talking with you.

Attention to Privacy Issues Growing

From the board room to main street, digital privacy is becoming more and more of a hot topic.

Organizations have been asking us to discuss it with steering committees and boards. Our intelligence team has been performing privacy-related recon and other testing engagements for the last several years. More and more of our security engagements are starting to include elements of privacy concerns from organizations and individuals alike.

In the mainstream media, you have articles being pushed heavily like this – which discusses supposedly stolen NSA technology for monitoring, to discussions of personal privacy from the likes of Tim Cook, CEO of Apple.

As such, security teams should take the time to verse themselves in the privacy debate. It is likely that management and boards will be asking in the near future, if they aren’t already, for advice on the topic. This is a fantastic opportunity for security teams to engage in meaningful discussions with organizational leaders about a security-related topic on both a professional and personal scale. It might even be worth putting together a presentation, preemptively, and delivering it to the upper management and line managers around your company.

With so much attention to privacy these days, it’s a great chance to engage with people, teach basic infosec practices and have deep discussions about the changing digital world. That’s what your security team has been asking for, right? Now’s the time… 🙂 

Microsoft Making 2FA Easier with New App

Make sure you check this out if you use any of the Microsoft 2 factor authentication tools – they just released a new app for mobile devices to make their previously very painful mishmash of authentication tools easier!

I know a lot of clients and readers use the existing Microsoft authentication tools, so I will be eager to play with this and see just how much easier they have made it. Do you think it stands up to their claims of simplification? Let me know on Twitter (@lbhuston) what you come up with when you try it… 

80/20 Rule of Information Security

After my earlier post about the SDIM project, several people on Twitter also asked me to do the same for the 80/20 Rule of Information Security project we completed several years ago.

It is a list of key security projects, their regulatory mappings, maturity models and such. Great for building a program or checking yours against an easy to use baseline.

Thanks for reading, and here is where you can learn more about the 80/20 project. Click here.

Ready for Ransomware?

Ransomware is becoming common. We are getting a lot of calls for help with incident response. Here’s a couple of things to think about, in general, around ransomware attacks.

1. Backups are your first line of recovery – just think about making sure they aren’t infected as well, so that you don’t restore infected files

2. Paying the ransom can be hairy – in some cases, paying the ransom could be a crime (think money laundering, banking regulations and the Patriot Act…), plus having a process to pay in bitcoin, even if you wanted to – in the time provided – is often a challenge

3. Some ransomware is recoverable – so check for options

4. Measure business impact – is re-creation of the data viable at a cost less than the cost of paying the ransom, including the work of paying the ransom – sometimes yes… 

5. Can you identify the failed controls that let you get infected? – If so, fix them, if possible.

These are a good place to start. Think about ransomware, your incident response process and current capabilities. Check your backups and have multiple sources. Be prepared instead of panicked.

Passive Assessments Continue to Astound

Our passive assessment capability continues to astound us with the things we find. I haven’t seen this many obvious hits since the early days of vulnerability scanning…

It seems that many organizations are missing issues that lie outside of their perimeter. Hosted sites, cloud-based systems and rogue network segments abound. Brand-focused assessments and passive testing of the security posture of partners, providers and external resources have proven to our clients to be a tipping point moment. It has become clear to them and us that a significant portion of the threats and attack surface have moved into wider distribution outside the network perimeter of yesterday. 

Clients have been using this capability to test and audit their own risks, but also their vendors, partners and cloud “en masse”.

We are looking for 3-5 key organizations to put together a summit and think tank group to develop standards and best practices together for how to best use passive assessments and targeted threat intelligence on an enterprise level. If your organization would like to discuss passive assessment and potentially engaging in the best practices development summit, please reach out to us on Twitter (@microsolved) or contact your account executive/project manager to arrange for a quick call. Thanks and we look forward to bringing these game changing new tools to organizations around the world shortly!

3 Tools Security Teams Need to Look at Today

I would urge most security teams to hit pause for an hour and take a moment to look at these three tools that may add leverage to the work you are doing.

1. Python LogTools – This is an excellent Python library that makes parsing web logs, primarily Apache logs, easy and useful. The capability also can be trivially expanded to analyze other types of logs and system outputs with a little bit of text hacking. Seriously, we know you aren’t reading the logs – find a way to use programmatic tools – even if that just means you are parsing for specific issues. I know, I know – you have the SIEM – but honestly, parse the logs. You’ll likely be amazed what you find…

2. Open Source Web Task Manager – Taskfreak – Nearly every team we talk to asks about coordinating task and resource management on other security teams. Here is a free tool set that you can use, apart from the more difficult enterprise tools and bloatware. Get a team server or instance and share tasks and resources. Done!

3. Nmap – yeah, we said it – NMAP! – Oh, I know – you’ve used it. It comes on Kali and nearly every distro – but forget using it for pen-testing and auditing. Now, with a clear mind – begin to think about how you can use nmap to know what’s out there. Inventory of systems and services, done. Ongoing runs to detect new devices, done. Ongoing runs to find new services on known network segments, done. Periodic runs to test network speeds and connectivity for routing issues, done. Gateway checks, done. Detection of new devices by parsing DHCP logs and launching runs – a poor man’s NAC tool, done. There are so many things you can do with nmap other than pen-testing that I am thinking of just becoming an nmap consultant. C’mon – learn the basics and then use the basic tool in new ways to solve problems you already have. Nmap and some simple scripting can up your security team’s game. Give it a shot… 
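As an added example (not code from the original post), here is one way to do the "ongoing runs to detect new devices and new services" idea from item 3: compare two nmap grepable reports (the `-oG` output format) and list what changed. The two reports, their addresses and host names are constructed sample data, and the function names are this example's own.

```python
# Added example: diff two nmap grepable (-oG) reports for one network segment.
BASELINE = (  # constructed sample: an earlier run
    "Host: 192.168.1.10 (printer.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (printer.lan)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///\n"
    "Host: 192.168.1.20 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.1.20 (nas.lan)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\n"
)
CURRENT = (  # constructed sample: the latest run
    "Host: 192.168.1.10 (printer.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (printer.lan)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///\n"
    "Host: 192.168.1.20 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.1.20 (nas.lan)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///\n"
    "Host: 192.168.1.57 ()\tStatus: Up\n"
    "Host: 192.168.1.57 ()\tPorts: 23/open/tcp//telnet///, 8080/filtered/tcp//http-proxy///\n"
)

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for open ports in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment lines such as "# Nmap ... scan initiated"
        fields = line.split("\t")
        ip = fields[0].split()[1]
        services = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    services[(int(parts[0]), parts[2])] = parts[4] or "unknown"
    return hosts

def diff_inventory(baseline, current):
    """Return (new hosts, missing hosts, {ip: newly open ports}) between two runs."""
    new_hosts = sorted(set(current) - set(baseline))
    gone_hosts = sorted(set(baseline) - set(current))
    new_services = {}
    for ip in set(current) & set(baseline):
        added = sorted(set(current[ip]) - set(baseline[ip]))
        if added:
            new_services[ip] = added
    return new_hosts, gone_hosts, new_services

if __name__ == "__main__":
    new, gone, changed = diff_inventory(parse_grepable(BASELINE), parse_grepable(CURRENT))
    print("new hosts:", new, "| missing hosts:", gone, "| new services:", changed)
```

Run on a schedule against saved reports, a diff like this surfaces things such as a telnet listener appearing on a known host or an unknown device joining the segment.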

Got other ideas? Let us know on Twitter (@microsolved). See you there! 

The Dark Net Seems to be Changing

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go, before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Great Article on Spotting Skimmers

I ran across this great article with tips on spotting credit card skimmers. Check it out for some pretty good info.

Ever wondered about the prices that criminals pay for skimmers? We recently studied this and found that the average price for magnetic stripe skimmers was between $100 – $300 US. Kits that include cameras and other techniques for also capturing PIN data (ATM & Chip/PIN transactions) were around 10x that amount on the black market. Home grown solutions are significantly cheaper to build, but often lack the subtlety and camouflage of the more “commercial” offerings.

By the way, note that even where Chip and PIN transactions have become the norm (outside the US), capturing the magnetic track data is still useful for attackers to focus on e-commerce and other card holder not present transactions.

Just a few things to think about… While the credit card theft underground is robust, interesting and dynamic, companies and issuers are working hard to stay on top of things. Unfortunately, the economics involved is complex, and attackers are continually refining all phases of their operations.