3 Things Attackers Can Leverage From a Device Configuration Leak

One of the questions I often get around our ClawBack data leak detection SaaS product is “What can a hacker get from a leaked config?”. I put together this quick post about three of the most common and powerful elements that we often find in leaked configurations we discover.

1) Credentials – Let’s face it, credentials are often the easiest way to leverage leaked configs. Sure, it might be for an edge router or some network gear, or maybe it’s for the VPN. Configs often contain sets of credentials, either in plain text or in hashed form. Hashes need to be cracked, sure, but that is often quite possible. Even when the credentials aren’t able to be used remotely, they often help us tune our password guesses and learn more about the policies and password requirements of other systems. You wouldn’t believe the number of times, though, that the credentials from a leaked config simply work across the network or enterprise and often at a significantly powerful level. 

2) Encryption Keys – Leaked router, firewall or VPN device configurations often contain encryption keys. While these still require an attacker to be in a position to gather traffic, they are very useful to well resourced attackers with that capability. If you’re at the level of risk where you need to worry about nation-state or politically motivated attackers, you really don’t want to leak your encryption keys. In addition to simply being a significant issue going forward, leaking encryption keys is a “long tail” vulnerability, because it provides cryptanalysis capabilities to adversaries who might have historic traffic archived, that the leak makes possible for them to leverage. Thus, the life of the key becomes the window of vulnerability. This is especially true when static cryptographic protocols are in use.

3) Network Recon Data – From IP addresses to firewall rules and from SNMP strings to dynamic routing data, device configurations can provide a veritable treasure trove of recon data about your environment. Partner connections, vendors with remote access, interconnects with other environments and the general day to day operations of the computing systems can often be found in leaked configurations. Depending on the type and criticality of the device, the config can often give up a complete view of the guts of the organization.

That’s just the top 3. We’ve seen thousands of leaked configurations in our work on ClawBack and penetration testing. It’s no doubt that leaked configs are useful to the attacker. The big question is, if you had leaked configurations out in the world, would you know about it? Would you know how to hunt them down, claw them back and mitigate the damage? If not, or if the idea makes you nervous, give us a call. We’re happy to help you solve these problems. You can get in touch by calling 614-351-1237 or drop us an email at info@microsolved.com. 

ClawBack Professional and Managed Services Launched

Clawback small

ClawBack™, our data leak detection engine which we released last fall, is a cloud-based SaaS tool focused on helping organizations detect leaked source code, device/application configurations and credentials. You can learn more about the product and why we made it in this quick 8 minute video by clicking here.

While ClawBack has been a very successful product in its own right, the SaaS platform is primarily “Do It Yourself” in terms of operations. It’s easy to use and manage, but the customer does the work of reviewing the alerts and managing the responses. Over the last several months, some clients have asked for a managed service option, where MSI will manage the ClawBack product, review the alerts and work with the customer to issue take downs or provide mitigation advice. Today, we are proud to announce the immediate availability of the ClawBack Managed Service. Now you can get the power and vigilance of ClawBack without the overhead of managing and monitoring the product directly, reviewing the alerts and issuing appropriate take down requests.

Several clients have also asked us about other professional services associated with ClawBack and with Data Leak Prevent/Protection (DLP) capabilities in general. MSI is also proud to announce the immediate availability of the following associated professional services:

  • Monitoring term identification, optimization and improvement
  • Watermark implementation in source code and device configurations
  • Data leak awareness training, especially focused on source code, configurations and credentials
  • Data leak impact modeling and table top simulations
  • 30/60/90 day data leak assessments
  • Exfiltration testing and Data Loss Prevention (DLP) assessments and optimization
  • Data classification and data leak policy and process development and reviews

Additionally, we are launching multiple year packages that combine these services in 3 and 5 year plans, allowing our clients to create long term solutions to the problems of data leakage, intellectual property risk management and compromises stemming from leaked source code, configs and credentials. To learn more about these services or create a package that fits your firm’s needs, give us a call at 614-351-1237 or drop us a line (info@microsolved.com).

What Do I Need To Know About Source Code Leaks?

Leaked source code happens a lot more frequently than most of our clients care to admit. Often, many clients are surprised when they begin using ClawBack™ to hunt for and take down leaked source code, configuration data and credentials. Most customers tell us they expect not to find anything at all, and many times they are simply astounded when their initial monitoring reports find critical examples of leaked source code out in the wild.

At MSI, however, we’re not surprised when these things happen. After all, that’s why we built ClawBack to begin with. We were tired of working incident after incident and breach after breach that resulted from these leaks. We knew we had to create a better way for our clients to stay on top of leaked source code, configurations and credentials.

Why Source Code Matters

When we talk about leaked source code with clients, most are worried about the loss of intellectual property. That’s a fair risk assessment, and the impacts can be long standing. Take for example, the leak of RSA source code in 2011, that underlined their flagship SecureID product, and was perpetrated via an external hacking team. The SecureID token is used to add a layer of security into the login process for corporate networks and applications. This meant that the very heart of security in an organization that used these tokens was at risk. In the end, RSA had to replace all of the SecureID devices in circulation. The cost to RSA hit $66 million in terms of replacing the physical tokens. However, other intangible costs such as reputation have a longer and less quantifiable reach. (stop-source-code-theft.com)

But, while we know that intellectual property loss can be an issue, we’ve seen many breaches stem from leaked code. In fact, an estimated 75% of security breaches are enabled when developers code secret access keys and passwords into source code. (assembla.com) We’ve seen it time and time again, across verticals from manufacturing to healthcare and from banking and finance to critical infrastructure. Source code leaks are often a powerful tool of the attacker.

How Source Code Leaks

External hackers are certainly a significant threat to source code security, as seen in the RSA leak above. But hackers are responsible for a far smaller percentage of leaks than you would expect. Instead, the majority of source code leaks come from human mistakes. 

According to Wikipedia, source code leaks are usually caused by misconfiguration of software like CVS or FTP which allow people to get source files through exploits, software bugs , or employees that have access to the sources or part of them revealing the code. (en.wikipedia.org) We agree with this stance, since the majority of leaks ClawBack finds for clients end up getting traced back to misconfigurations of IDE plugins or developers not checking carefully which code repository they are committing their code to. 

Yet another common root cause of code leaks found by ClawBack has been developers sharing code they developed at different companies as a part of their resume and portfolio. While this is very common for freelancers, consultants and contractors, several significant leaks have also been traced back to the portfolios of full-time employees.

A good source code security awareness program and ongoing auditing of plugins, configurations and repositories are strong controls to reduce these risks. After all, as several firms have found out the hard way, even approved and well-known code repositories, that began as open source contributions or accepted projects for sharing with the public, can drift into leaking critical confidential data before you know it. That’s why keeping an eye on all repositories, even the ones fully approved to be public, is essential. If you need help with any of these controls, don’t worry, MicroSolved is here to help with any or all of them.

How Can ClawBack Help With Leaked Code?

ClawBack stands ever-vigilant, continually searching for and hunting down code that leaks from your organization. You configure monitoring terms, using MSI’s documented process, experience and guidance, and set ClawBack to work. Since it serves as an independent third party, it doesn’t rely on monitoring your network or workstations like traditional Data Leak Protection (DLP) products. In fact, almost all of our clients have extensive DLP instances, but still find leaked code. Traditional DLP often focuses on common PII/PHI data types, and even more concerning, the majority of the leaks our clients have found with ClawBack actually get traced back to origins outside of the company network and computing environment – a fact that renders traditional DLP powerless.

ClawBack monitors for your terms in the most common areas of the Internet where source code leaks occur. It searches thousands of code repositories, product support sites, question and answer forums and other nooks and crannies of the web where code samples and such are likely to end up. Once identified, ClawBack alerts you to the presence of your critical data and provides advice on “clawing back” that critical information with takedown requests and search engine cleanup.

Overall, ClawBack serves clients as a watchful eye for leaked source code. It can mean the difference between code being available for minutes versus years, and between a leak and a breach. If you’d like to learn more about ClawBack, give us a call today (614-351-1237) or drop us a line (info@microsolved.com). We’d love to tell you how ClawBack can work for you! 

Detecting Info Leaks with ClawBack

Clawback smallClawBack Is Purpose Built to Detect Info Leaks

ClawBack is MicroSolved’s cloud-based SaaS solution for performing info leak detection. We built the tool because we worked so many incidents and breaches related to three common types of info leaks:

  • Leaked Credentials – this is so common that it lies at the root of thousands of incidents over the last several years, attackers harvest stolen and leaked logins and passwords and use them anywhere they think they can gain access – this is so common, it is even categorized by OWASP as a specific form of attack: credential stuffing 
  • Leaked Configurations – attackers love to comb through leaked device and application configuration files for credentials, of course, but also for details about the network or app environment, sensitive data locations, cryptographic secrets and network management information they can use to gain control or access
  • Leaked Code – leaked source code is a huge boon for attackers; often leaking sensitive intellectual property that they can sell on the dark web to your competitors or parse for vulnerabilities in your environment or products

MicroSolved knows how damaging these info leaks can be to organizations, no matter the type. That’s exactly why we built ClawBack to provide ongoing monitoring for the info leak terms that matter most to you.

How to Get Started Detecting Info Leaks

Putting ClawBack to work for you is incredibly easy. Most customers are up and monitoring for info leaks within 5 minutes.

There is no hardware, software, appliance or agent to deploy. The browser-based interface is simple to use, yet flexible enough to meet the challenges of the modern web. 

First, get a feel for some terms that you would like to monitor that are unique to your organization. Good examples might be unique user names, application names, server names, internal code libraries, IP address ranges, SNMP community strings, the first few hex characters of certificates or encryption keys, etc. Anything that is unique to your organization or at the very least, uncommon. 

Next, register for a ClawBack account by clicking here.

Once your account is created, and you follow the steps to validate it, you can login to the ClawBack application. Here, you will be able to choose the level of subscription that you would like, picking from the three different service levels available. You will also be able to input your payment information and set up additional team members to use the application, if available at your subscription level. 

Next, click on Monitoring Terms and input the terms that you identified in the first step. ClawBack will immediately go and search for any info leaks related to your terms as you put them in. Additionally, ClawBack will continually monitor for the terms going forward and provide alerts for any info leaks that appear in the common locations around the web. 

How To View Any Info Leaks

Reviewing any info leaks found is easy, as well. Simply click on Alerts on the top menu. Here, your alerts will be displayed, in a sortable list. The list contains a summary of each identified leak, the term it matched and the location of the leak. You can click on the alert to view the identified page. Once reviewed, you can archive the alert, where it will remain in the system and is visible in your archive, or you can mark it as a false positive, and it will be removed from your dataset but ClawBack will remember the leak and won’t alert you again for that specific URL. 

If you have access to the export function, based on your subscription level, you can also so export alerts to a CSV file for uploading into SIEM/SOAR tools or ticketing systems. It’s that easy! 

You can find a more specific walkthrough for finding code leaks here, along with some screen shots of the product in action.

You can learn more about ClawBack and view some use case videos and demo videos at the ClawBack homepage.

Give ClawBack a try today and you can put your worries to rest that unknown info leaks might be out there doing damage to your organization. It’s so easy, so affordable and so powerful that it makes worries about info leaks obsolete.

ClawBack Insights :: A Conversation with MicroSolved, CEO, Brent Huston

I recently got interviewed over email by one of my mentees. I thought their questions were pretty interesting and worth sharing with the community. This session focused on ClawBack™ and was done for a college media class assignment. I hope you enjoy the interview as much as I did giving it. 

Q: What is ClawBack?

ClawBack is a platform for helping organizations detect data leaks. It’s a cloud-based engine focused on three specific kinds of leaked data – source code, device and application configurations and credentials. It systematizes many of the manual efforts which mature organizations had been doing either partially, or in an ad hoc fashion, and makes them ongoing, dependable and available to organizations of any size and technical capability.

The engine lets the customer pick monitoring terms, and yes, we have a very nice guide available in the online help to guide them. Once the terms are chosen, the engine goes to work and begins to scour the sites most commonly associated with these types of leaks. At first, it does historical searches to catch the client up to the moment, and then, periodically, it provides ongoing searching for signs of leaked data.

Once a leaked dataset is found, the user is alerted and can view the findings in the web portal. They can take immediate action from the takedown advice we provide in online help, or they can choose to archive the alert or mark it as a false positive to be ignored in the future. Email alerts, team accounts and alert exports for SEIM/SOAR integration are also available to customers at the advanced levels.

Basically, ClawBack is a tool to help developers find code that accidentally slipped to the Internet, network admins and security teams find configurations and credentials that have escaped into the wild. We wanted to make this easy, and raise the maturity level of data leak detection for all organizations. We think we hit the mark with ClawBack, and we hope you do too.

Q: Why did your team create ClawBack and why now?

This is a great question! For many years now, we have been working a variety of security incidents that all tie back to attackers exploiting leaked data. They routinely comb the Internet looking in these common repositories and posting locations for code, configs and credentials. Once they find them, they are pretty quick to take advantage.

Take for example, a leaked device configuration from a router. The global paste bins, code repositories and forums are full of these kinds of leaks. In many cases, these leaked files contain not just the insights the attacker can gain from the configuration, but often, logins and passwords that they can use to compromise the device. Many also give up cryptographic secrets, network management credentials and other significantly dangerous information. The attackers just harvest it, use it and then spread into other parts of the network – stealing as they go.

At MSI, we just got tired of seeing organizations compromised the same way, over and over again. Time after time, the clients would say they had no idea the data had been exposed. Some had ad hoc processes they ran to search for them, and others had tools that just weren’t getting the job done. We knew we had to make something that could help everyone solve this problem and it had to be easy to use, flexible and affordable. Nothing like that was on the market, so we built it instead.

Q: How does ClawBack address the issues of leaked critical data?

As you read above, we wanted to focus on the things that hurt the most – leaked code, configs and credentials. These three types of leaks are at the core of more than 90% of the leak-related incidents we’ve worked over the last several years. We didn’t try to solve every problem with this new tool – or make it a swiss army knife. We focused only on those 3 kinds of leaks.

Today, ClawBack monitors the most common sites where these leaks often occur. It monitors many of the global pastebins associated with leaks, forums and support sites where folks often accidentally expose data while getting or giving help and work repositories where many of these items often end up from inadvertent user errors or via misconfigured tools.

ClawBack provides the dependable process and ongoing vigilance that the most mature firms have access to – and it brings that capability to everyone for less than a fancy cup of coffee a day.

Q: How is it different than DLP solutions?

For starters, there’s no hardware, software or agents to deploy and manage. The cloud-based platform is so simple to use that most customers are up and monitoring in less than 5 minutes. You simply register, select your subscription, input monitoring terms and ClawBack is off and running. It’s literally that easy!

Now, DLP is a great tool. When it’s properly configured and managed, it’s very capable. Most of our ClawBack clients have DLP solutions of some sort in place. The problem is, most of these data leaks occur in ways that render the DLP unable to assist. In most cases, the data leaks in the incidents we have worked have occurred outside of the corporate network that the DLP is monitoring. When we traced back the root of the incident, most of them came from workers who were not using the corporate network when they made their grave mistake.

Additionally, of those that did use the corporate network, often the DLP was either misconfigured, the alert was missed or the transaction was protected by cryptography that circumvented the DLP solution. A few of the incidents came from users who routinely handle code and configuration files, so the anomaly-based DLP tools assumed the leak was normal, usual traffic.

Sadly, the last group of incidents that had DLP in place went undetected, simply because the DLP solution was configured to meet some regulatory baseline like HIPAA, PCI or the like and was only searching for leaked PII that matched those specific kinds of patterns. In those cases, source code, configurations and even dumped credentials were far outside of the protection provided by the DLP.

ClawBack takes a different approach. It lets users know when this type of data turns up and lets them respond. It’s easy, plain language monitoring term management makes it trivial to define proper terms to tackle the 3 critical types of leaks. We provide a very detailed set of suggested terms for customers in our online help, which most folks master in moments.

Q: If an organization doesn’t have any in-house development or code, what can ClawBack do for them? Same question for organizations that outsource their device management – how can they get help from ClawBack?

Organizations that don’t do any development or have any source code are few and far between, but they still gain immense capability from ClawBack. Nearly every organization has device and application configurations and credentials that they need to monitor for exposure. Even if you outsource network management, you should still use ClawBack as a sanity check to watch for data leaks. We’ve seen significant numbers of leak-related security breaches from networks managed by third parties.

Requesting the key device configurations from your vendor and inputting identifying data into ClawBack is easy and makes sure that those configurations don’t end up somewhere they shouldn’t – causing you pain. Identifying unique account names and such, and using those as ClawBack monitoring terms can give you early warning when attackers dump credentials, hashes or other secrets that could cause you harm. Being able to change those passwords, kill accounts, increase monitoring and claw back those files through takedown efforts can mean the difference between a simple security incident and a complete data breach with full legal, regulatory and reputational impacts.

Q: Several people have said you are leaving money on the table with your pricing model – why is the pricing so affordable?

The main reason that the product costs under $200 per month at the highest level, currently, is that I wanted not-for-profit firms to be able to afford to protect themselves. Credit unions, charities, co-op utilities and the like have been huge supporters of MicroSolved for the last 30 years, and I wanted to build a solution that didn’t leave them out – simply because they have limited funds. Sure, we could charge larger fees and only target the Fortune 500 or the like, and make a lot of money doing it. The problem is, the security incidents we built this to help eliminate happen to small, mid-size and less than Fortune 500 companies too and there are a LOT MORE of those firms than 500. They need help, and they need to be able to afford the help they require.

Secondly, we were able to get to such an affordable price point by really focusing on the specific problem. We didn’t build a bunch of unneeded features or spend years coding capabilities to address other security problems. ClawBack detects leaks of critical data. That’s it. It provides basic alerting and reporting. We based the monitoring technology off our existing machine learning platform and re-used much of the know how we have developing past products and services like TigerTrax™ and SilentTiger™. What saves us money and resources, saves our clients money and resources.

Lastly, at MSI, we believe in making more value than we harvest. We want to provide significant levels of value to our clients that way over scales what they pay for it. We can do that using technology, our expertise and by building solutions that focus on significant problems that many feel are untenable. We’ve been doing it for almost 30 years now, so we must be getting something right…

Q: What’s next for ClawBack? Is there a road map?

We are talking about adding some forms of risk determination to the findings. We are currently in discussion with clients and experts about how best to do that and communicate it. We are discussing using some additional machine learning techniques that we developed for our social media monitoring and threat intelligence platforms. That’s the next step for us, that we can see.

We’re also looking at user feedback and curating what folks are asking about and thinking about when using the product. That feedback is being ranked and added to the road map as we create it. We’ve got some ideas of where we want to go with ClawBack, but honestly, the tool addresses the problem we built it to help with. That’s the core mission, and anything outside of that is likely to fall out of the mix.

Q: You have a history of designing interesting products – what is on the horizon or what are you playing with in the lab these days?

I wish I could tell you about the things we are playing with, because it is fascinating. We are exploring a lot of new capabilities in TigerTrax with different machine learning models and predictive techniques. We’re working on updates to HoneyPoint™ and SilentTiger that will bring some very cool new features to those capabilities.

We’re also continuing to gather, analyze and deliver specific types of threat intelligence and data analytics of hostile data sets. We’re studying adversarial use of machine learning techniques, attacks against different AI, IoT and cloud platforms and we’re diving deep into cyber-economics and other factors related to breaches. I’m also working on a pretty interesting project with some of my mentees, where we are studying the evolution, use and capability growth of various phishing kits in use today. The mentees are learning a lot and I’m getting to apply significant amounts of machine learning techniques to new data and in new ways that I haven’t explored before. All in all, pretty cool stuff!

I’ll let you know what we come up with. Thanks for interviewing me, and thanks to the readers for checking this out. Give me a shout out on Twitter – @lbhuston and let me know if you have questions or feedback on ClawBack. I’d love to hear your thoughts!

Introducing ClawBack :: Data Leak Detection Powered By MicroSolved

Cb 10We’ve worked with our clients and partners to put together a world-class data leak detection platform that is so easy to use that most security teams have it up and running in less than five minutes. No hardware appliance or software agent to deploy, no console to manage and, best of all, affordable for organizations of any size.

In short, ClawBack is data leak detection done right.

There’s a lot more to the story, and that’s why we put together this short (3 minute) video to describe ClawBack, its capabilities and why we created it. Once you check it out, we think you’ll see just how ClawBack fits the mission of MSI to make the online world safer for all of us.

View the video here.

You can also learn a lot more about ClawBack, its use cases and some of the ways we hope it can help you here. On that page, you can also find pricing for three different levels of service, more videos walking you through how to sign up and a video demo of the platform.

Lastly, if you’d like to just get started, you can visit the ClawBack Portal, and select Register to sign up and put ClawBack to work immediately on providing detection for your leaked data.

In the coming weeks, we’ll be talking more about what drove us to develop ClawBack, the success stories we’ve had just while building and testing the platform, and provide some more specifics about how to make the most of ClawBack’s capabilities. In the meantime, thanks for reading, check it out and if you have any questions, drop us a line.