Author: Mark Puckett

  • The Most Important Cybersecurity Lessons of 2020

    At the close of a year that turned our world upside down, it’s more than fair to wonder and worry about what 2021 might bring. Even as we pray for health, prosperity, and peace, cybersecurity professionals understand that these blessings will remain under constant attack by malicious actors for whom every upheaval in our lives is an opportunity to strike. 

    Despite the high-profile breach of SolarWinds and ongoing attacks from state-sponsored actors, I believe the COVID-19 pandemic best illustrates that point in a couple of different ways. Here’s why: In 2020, companies worldwide asked their teams to work remotely all or part of the time. But not all of them had appropriate security protocols in place beforehand, leaving their networks vulnerable to attackers as they made the transition. 

    I’m not suggesting that business owners (or even health professionals) should have predicted the arrival of the novel coronavirus, but any number of natural and man-made disasters can force us out of our offices. We all need a continuity plan – and cybersecurity should certainly be one of its guiding principles.

    For those who did have a plan, now is the time to ask whether it was followed correctly and whether it worked effectively. I strongly encourage CEOs and business owners to include their infosec teams in these discussions and perhaps have them take the lead. More importantly, listen to and act on their recommendations, because the new normal will come with new challenges for all of us.

    Assuming that the US and other nations are able to contain the spread of COVID (as we hope and expect), some companies will ask their workers to return to an office environment, some will make the remote model a permanent feature, and still others will adopt a hybrid approach that features elements of both. Safety and productivity are the factors that will most likely (and appropriately) drive those decisions. But effective cybersecurity measures should be a non-negotiable feature regardless of the workplace model.

    Not to turn this post into a commercial, but Raxis (and some other pen-testing companies) can be of great help in this process. That’s because we understand where attackers are most likely to focus their efforts and thus where your company is most vulnerable. We speak the same language as your infosec team, so we can work with them to come up with a plan that gives you the most flexibility to meet your business needs, but still keeps you and your network safe from attackers.

    My hope is that an enduring lesson from the COVID-19 experience (and other events in 2020) is that more organizations need to take a proactive approach to cybersecurity. Though we can’t predict who will be breached and when, we know for certain that the attacks will continue indefinitely. And while we don’t know when a global or local disaster will disrupt our operations, we should be ready to respond swiftly and securely if it does.

    Here’s to a safe, secure, and prosperous new year for your business. At Raxis, our business is helping you stay that way.

  • Raxis COO Shares WFH Cybersecurity Tips on Columbus, Ohio’s Fox 28

    “Protect your data in the same way you protect your health.” That’s the main message our own Bonnie Smyre delivered today in an interview on Good Day Marketplace, a popular television show in the Columbus, Ohio area.

    Raxis COO, Bonnie Smyre, on Good Day Marketplace

    Bonnie explained to host Shawn Ireland and her audience that hackers and scammers know that Americans are worried about COVID-19 and are hungry for reliable information now. That’s why it’s important to only visit sites you know are safe and never click links inside unsolicited emails. She also talked about the importance of keeping personal information off your work devices.

    Bonnie cautioned that, even though slow Internet speeds can be frustrating, you shouldn’t disable spam and virus filtering or endpoint protection in hopes of speeding things up.

    Check out Bonnie’s full interview here: https://myfox28columbus.com/sponsored/good-day-marketplace/gdm-raxis-information-security

  • Bonnie featured in VoyageATL interview!

    We’re so very proud to have Bonnie on our team at Raxis. Check out her VoyageATL Interview!

    Transcript from the Interview, courtesy of VoyageATL:

    “Today we’d like to introduce you to Bonnie Smyre.

    Bonnie, please share your story with us. How did you get to where you are today?

    When I graduated from the University of North Carolina, I wanted to work in international sales. Fast forward a few years and a job at BellSouth International in Midtown and the Southern Center for International Studies in Buckhead led me down an unexpected route. I became interested in technology, specifically databases and computer programming.

    When I found an opportunity to work in both these fields at my alma mater, I returned to UNC and worked at IT departments on campus, at UNC’s School of Government and finally at the state PBS station, UNC-TV. As over fifteen years went by, I kept in touch with friends in the Marietta area where I had grown up.

    Mark Puckett, Raxis’ owner and visionary, and his wife Alison came to see me perform in an improv show up in Carrboro, NC. We started chatting about Raxis, his boutique information security company and needs he had within the company. In less than a year, I had moved back to Marietta and had filled the role of COO as well as becoming one of the penetration testers at Raxis.

    Overall, has it been relatively smooth? If not, what were some of the struggles along the way?

    I believe everyone can look back on times that were a struggle, but I also feel that people who find their way and love what they do appreciate what those times teach them. For me, I’ve had some jobs that were energizing and exciting that later became stagnant and sometimes toxic. I can remember wondering if I could update my resume enough to escape and find something fun.

    But looking back, I’m appreciative of those times because I learned that I won’t settle in my career or in my life and that I don’t want to be a part of an environment that makes others settle either. When Mark asked if I would be interested in running operations at Raxis, my first thoughts were that I would be leaving North Carolina where I had lived for fifteen years as well as leaving software development, a career that I had enjoyed for even longer.

    My second thought was absolute excitement that I had an opportunity to become an integral part of Raxis, and, from that moment I haven’t looked back. I joined Raxis in 2013 part-time and then, in 2014, I moved back to Marietta and joined Raxis full time, taking over scheduling and employee support as well as reporting. Things can get hectic, especially in the fall and towards the holidays when many customers realize that they’d better complete their pen test by the end of the year.

    Juggling penetration testing along with my operations tasks can make my head spin sometimes! Scheduling is very interesting to me. At Raxis, we aim to customize each engagement to meet the customer’s needs as best as possible. I’m working with a limited number of pen testers, and sometimes I have to shut out outside noise and focus on the puzzle pieces until I can make them fall into place.

    In the end, though, I’ve loved every minute since I’ve been at Raxis, even if sometimes it’s in retrospect!

    Please tell us about Raxis.

    I’m very proud to be a part of Raxis. When Mark started the company himself in 2012, he made the sales, ran the business and did the penetration tests himself. Over the next few years, he brought in Raxis’ first employees, including our CTO, Brian Tant, who is amazingly creative both technically and in social engineering engagements. Since I joined in 2014, we’ve brought in several more talented folks, but we still pride ourselves in being small enough to be able to accommodate the needs of all types of customers.

    We focus on information security tests, including network penetration tests as well as web and mobile application tests and code reviews. We also have a lot of fun with social engineering tests, whether onsite or using phishing emails and calls. The goal of all of these tests is to help our customers learn how their companies could be affected by hackers of all types. We always say that it’s better to learn about that in a Raxis report than to learn about it after a hacker has been in your systems.

    Last year we introduced the Raxis Transporter device which allows us to perform onsite work remotely. For many of our customers, the cost savings of not paying for a consultant onsite makes all the difference. Many customers also leave the device in place so that Raxis employees can perform incident response (IR) work quickly if there is a security event.

    I especially take pride in our process and our reports. As more rules and regulations are created in answer to high profile hacks, increasing numbers of companies are interested in penetration tests. But, even though it’s a positive goal, it’s still going to feel unsettling to invite technical experts in to attempt to break into the systems that are your bread and butter. We pride ourselves in making that process calm and easy on the customer.

    I run project management at Raxis, and I strive to keep all customers informed throughout the process. They know how to reach us, and they also know we’ll let them know if they have critical issues that they should jump on immediately. In the end, though, the customer is left with a report and the knowledge that Raxis is only a phone call away for their next annual test, remediation consulting or incident response work in the event of an outside hack.

    When we walk away, I want that report to be a tool for our customers to use throughout the year. My wish is that they call us back the next year and that we are unable to exploit any of the previous vulnerabilities because the report was so useful that their teams were able to remediate all of the issues. There are a lot of good information security firms out there, but I’m very proud of the work that we do and feel that we can truthfully say that we are one of the best.

    Is our city a good place to do what you do?

    Atlanta has been great to us. Over the years several tech companies have flourished here.

    We’ve found many customers in Atlanta and the neighboring regions because it’s such a great environment for companies of all sizes. And when we travel to locations all over the US & Canada, we’re lucky enough to have the world’s busiest airport ready to take us there!

    Among Raxis’ customers are a number of Atlanta based Fortune 500 companies. In fact, our CEO, Mark Puckett, and CTO, Brian Tant, met while working at The Home Depot, one of Atlanta’s very own multi-million dollar businesses. Atlanta is such an important hub for the South that we also find several customers within the large group of companies that choose to open regional offices here. We’ve enjoyed working with local companies of all sizes and also pride ourselves in treating smaller companies with the same respect and consideration as larger companies.

    Many of our customers have told us stories of failed past penetration tests where the vendor they hired did not listen to them or take the time to understand their needs. I love that Atlanta prides itself on supporting companies of all sizes flourishing. Some of our most loyal customers are small local companies… but I wouldn’t be surprised if you hear their names in the coming years!

    Raxis employees all work virtually, so we’ve had employees working from offices all over the US. Atlanta is a city filled with talented people, though, and many of Raxis’ employees live right here in Marietta. We’ve never had trouble finding great employees right here at home.

    Though I truly enjoyed my time in North Carolina as well as the locations I see in my job with Raxis, I’m always happy to be back at home in Atlanta. I enjoy living and working here. Atlanta truly is home.”


  • Our COO, Bonnie Smyre, Featured on Fox 5 News!

    Our Chief Operating Officer, Bonnie Smyre, was interviewed on Fox 5 News in Atlanta in a story regarding a Facebook scam involving Tyler Perry. Essentially, the scammers behind the Facebook sites and accounts are “data mining to get your information”. If you clicked the Facebook scam link, it’s probably too late to reverse it, but try to avoid it next time – if something seems too good to be true, it almost always is.

    Click here to watch the video on Fox 5 Atlanta’s website

  • Hopefully You’re Not Next

    Recently in the news, our national security director explained that we’re under constant attack from foreign adversaries. These attacks are at the nation-state level, and they are attacking “virtually everything”. This isn’t limited to the most critical power generation companies and government institutions – they mean everything, including your website, email, and personal workstation. To make matters worse, there are still many attacks originating from other bad actors, such as credit card and personal information thieves.

    Many people think they are not targets because they have nothing of value. However, the contrary is true. At a minimum, your computer and internet connection can be leveraged to attack other systems to cause an outage or to hide the tracks of the real attacker. Unfortunately, the worst-case scenario might involve an installed keylogger capturing credentials for your banking and retirement accounts. We’ve seen this first hand.

    Raxis performs hundreds of penetration tests and breach responses a year, and 2017 proved to be no exception. There have been many occasions where we would breach a customer network only to find the door left open and clear evidence that someone had already been there. After a system has been breached, there are only two viable options: restore from a known-good backup, or completely reinstall all software. Recovering from a breach is very difficult, as in many cases the attacker will control many or all of the systems within an organization, resulting in a massive undertaking to rebuild.

    Do something to make sure you’re not next. Reach out to us, and we’ll help you understand how a penetration test can shed some light on where the risks really are.

  • Your Security Gear Is Not Enough

    Perhaps I am a little biased considering what we do at Raxis, but I am convinced that it isn’t a good idea to bet the farm on the latest security gear to defend your organization.

    In 2017 alone, we’ve all seen many major hacks, including substantial releases from Shadow Brokers and WikiLeaks.  There’s a lot already lost, such as voter registration data and consumer credit information.

    Don’t get me wrong, I think the latest fancy security solution can help. However, our team at Raxis is seeing many attacks that are not being stopped by current gear. For example, we’ve breached applications by manually fuzzing API calls using a method that most hardware can’t protect against. The latest web application firewall might be able to stop these attacks, but most organizations don’t configure it appropriately to do so. In some cases, it’s a logic error that we’re able to exploit to gain information from the backend systems without making any invalid calls.

    And even worse, we’ve seen, time and time again, where security operations centers send an email out with no further action taken.

    Our experience also has shown that nearly every organization has a far weaker security posture internally.  Once the perimeter is breached, from using a stolen password to gaining shell access through a web service call, pivoting to other machines is often quite trivial.  None of this is hard to exploit, but fortunately none of it is hard to fix.  

    The problem is not the difficulty of the fix, it is knowing what needs to be fixed.  In almost every case, the hacks we find are very simple to execute, and our customer had no idea they existed.

    The fix for these hacks usually is not spending $100K on a fancy new next-generation firewall with all of the bells and whistles. It’s a simple code change or a system that was missed in patch management. Perhaps this sounds too good to be true, but keep in mind that hackers go after the path of least resistance. It is far easier to breach your competitor with the Windows 2003 server install than to spend significant time researching how to get past your reasonably secure system.

    So keep buying your security gear. Combine it with a penetration test on every single piece of code that runs in production, and we’ll help you find the vulnerabilities you missed.

  • Petya Ransomware Strikes Businesses Globally

    Petya, the next major malware outbreak since WannaCry, is specifically targeting companies across the globe. Originating in Ukraine, the Petya ransomware uses the same EternalBlue/MS17-010 vulnerability that WannaCry used. The difference this time is that there is no kill switch that we know of. It’s getting significant traction, infecting systems everywhere. In the US, it has hit a major pharmaceuticals company and a food services company. Petya has also hit Danish, French, and Russian companies.

    Similar to WannaCry, the malware encrypts systems and demands a ransom to regain access to the data. Our research has not found a way to bypass this ransom at this time. Fortunately, it seems that working decryption keys are being provided once paid.

    It’s not just ransomware

    Unfortunately, there’s much more to this variant. Once the ransomware gains a foothold, it has worm capabilities and breaches other systems using a variety of exploitation methods. It appears to be focused on critical infrastructure across the world, but it is not limiting the devices it infects by any means. Various news sources have reported that power plants in the US and other countries have been breached. If this turns out to be a successful attack, it is quite scary to think about the damage that could occur.

    For those who don’t remember, you can thank the NSA for this. The NSA had developed a tool that could breach Windows systems remotely using an exploit that was previously undisclosed. The Shadow Brokers hacker group obtained the source to the NSA tool and leaked it on April 14, 2017.

    Stop PETYA with a penetration test

    When it comes to ransomware, we haven’t found a good way to retroactively deal with the damage. Even once the ransom is paid, it is very likely that the attackers will return in the future, particularly if they know they’ve received payment in the past. The only real way to defend against Petya is to eliminate the vulnerability from the beginning, and a penetration test from a trusted third party might be the only real way to know you’re protected.

    Petya (and WannaCry) uses the EternalBlue vulnerability in SMB, fixed by MS17-010. Systems are still falling victim even when the organization has a patch management program. Mistakes in configuring the vulnerability scanning tool, or systems that are unknown to the patch management tool, will leave a few systems vulnerable and outside the view of the security administrators. A penetration test can find these gaps in process before malware exploits these systems. In addition, the penetration test will attempt to exploit any issues found as a proof of concept – providing you and your security organization proof that a potentially significant security event was avoided.

    Schedule a penetration test with Raxis before the next malware variant hits.
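    The gap described above, systems the patch management tool has never heard of, is something a defender can check for without waiting for a pen test. The script below is an added example, not Raxis code: it joins a constructed discovery-scan list of hosts with TCP/445 open against a constructed patch-management inventory and reports the SMB hosts that are either absent from the inventory or inventoried without the MS17-010 update. The CSV layouts, hostnames and bulletin lists are assumptions made for the sample.

```python
"""Patch-coverage reconciliation: find SMB hosts the patch tool does not cover.

Added example, not Raxis code. Inputs are constructed: a discovery scan's list
of hosts listening on TCP/445 and the patch-management tool's inventory with
the bulletins each managed host reports as installed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: what a discovery scan found listening on TCP/445.
DISCOVERED_SMB_HOSTS = """ip,hostname
10.0.1.10,fs01
10.0.1.11,fs02
10.0.1.50,print-server
10.0.2.7,legacy-app
"""

# Constructed sample: the patch tool's view, one row per managed host.
PATCH_INVENTORY = """hostname,os,installed_bulletins
fs01,Windows Server 2012 R2,MS17-010;MS17-013
fs02,Windows Server 2012 R2,MS17-013
dc01,Windows Server 2016,MS17-010
"""

REQUIRED_BULLETIN = "MS17-010"  # the fix for the EternalBlue SMB flaw


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    reason: str


def parse_inventory(text):
    """Map hostname -> set of bulletin ids the patch tool reports installed."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        bulletins = {b.strip() for b in row["installed_bulletins"].split(";") if b.strip()}
        inventory[row["hostname"]] = bulletins
    return inventory


def find_coverage_gaps(discovered_csv, inventory_csv, required=REQUIRED_BULLETIN):
    """Return one Finding per SMB host that is unmanaged or still missing `required`."""
    inventory = parse_inventory(inventory_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        host, ip = row["hostname"], row["ip"]
        if host not in inventory:
            # The scanner sees it; the patch tool does not. Nobody is patching it.
            findings.append(Finding(host, ip, "SMB host not in patch-management inventory"))
        elif required not in inventory[host]:
            # Managed, but the critical update never landed.
            findings.append(Finding(host, ip, f"managed host missing {required}"))
    return findings


if __name__ == "__main__":
    for f in find_coverage_gaps(DISCOVERED_SMB_HOSTS, PATCH_INVENTORY):
        print(f"{f.ip:<12} {f.host:<14} {f.reason}")
```

    Joining on hostname is the assumption that matters most: in practice the scan and the patch tool often disagree on names, so a real run should normalise on IP or a serial number before comparing. The point of the exercise is the first category of finding; a host the patch tool does not know about never shows up in its compliance reports, which is exactly how a "fully patched" environment still has an EternalBlue-vulnerable server on it.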

  • Dual LG 5K Monitors on the 2016 MacBook Pro

    The new LG UltraFine 5K monitors with the USB-C/Thunderbolt 3 ports are simply amazing. A perfect match for the 2016 MacBook Pro with TouchBar.

    Unfortunately, I lost a little time trying to set them up as they had worked once using both of the ports on the right side of the MacBook Pro. Then, one monitor stopped working. It was always the 5K monitor that I plugged in second, leaving me with the use of only one monitor. Even after a reboot, only one of the monitors would work.  

    I spent time on Google and Apple’s website trying to figure it out with zero luck, and then went on a tangent deleting plist files, clearing the PRAM, resetting the SMC, and trying to manually adjust monitor settings from the command line. No, you don’t need any of that.

    Even though it’s not all that related, I’m posting this on our information security blog in the hope that I save someone some trouble setting them up. It’s really simple – there are two Thunderbolt 3 buses on the new MacBook Pro. The two ports on the left form bus 0, and the two ports on the right form bus 1. You can see the currently connected devices in the System Information utility. Connect one of your 5K monitors to one bus and the second one to the other bus. Problem solved. For some reason I thought the port configuration was different, and I do think it would be nicer to have both bus 0 and bus 1 on each side of the machine so the cables would be more organized. Oh well.

    System Information reporting Thunderbolt 3 Bus connections

    I still don’t know why both monitors worked on one bus before. I didn’t use it that way very long, so I’m guessing it was somehow set up in 4K resolution. The Mac Pro works the same way; it actually has three Thunderbolt 2 buses.

    In case anyone was wondering, I took the background images myself in Tortola and at the Baths on a Canon 5D Mark III fitted with an L Series 28-135mm F/4 lens. They look simply amazing in 5K. Anyway, hopefully this helps someone!

  • Penetration Testing Pricing

    Updated: April 9, 2018

    How Much Should You Pay for A Pen Test?

    It’s my job to ensure that we’re priced right and delivering a strong value for what we charge. Yet I’m continually amazed at the price differential I see for penetration tests (pen tests). With prices ranging from $1,500 to hundreds of thousands of dollars, I can imagine how difficult it might be for our customers to understand how penetration testing pricing works.

    Similar to many things that you buy, the higher-cost products generally tend to be better than the lower-cost products. While this is likely true in the pen testing world too, how do you know what is adequate for your needs? Even though there’s a need for high-dollar tests at the highest category, most companies don’t need to spend $250,000 on a multi-month penetration test. For just one week of penetration testing, pricing ranges from $1,500 to about $15,000 at full retail price. However, not all pen tests are equal.

    Here’s a breakdown of why pen testing prices are so different. There are other elements that might come into play, such as on-site vs. remote work and remediation testing, but this list focuses on the penetration test work itself.

    Skill Set

    Not all pen testers are the same, and the proposed pen test pricing should reflect that.  For example, some pen testers are incredible at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology.  Make certain that the team is well versed in all technologies that you have in scope.  Many environments have a huge mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, Wireless networks, and others.  Your pen tester needs to have skills in all of the areas that affect your environment to perform a valid test.

    Time Dedicated to the Job

    The amount of time that a penetration tester spends on a job can really vary, leaving lots of room in how jobs are quoted. Some pen testers believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a few IPs with no services running on them. Otherwise, I’d be skeptical. The key here is to make sure the time spent on the job makes sense for what you’ve deemed in scope for the test. Keep in mind that a single IP with a large customer-facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.

    Methodology

    There are a few different ways to complete a penetration test. I’ve broken them down into types for reference.

    • Type A would be to search for the low hanging fruit and gain access to a system as quickly as possible. The goal would be to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
    • Type B searches for every possible entry point and validates that the entry point actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
    • Type C is really more of a vulnerability scan where the results from the scanner report are validated and re-delivered within a penetration testing report. Many of your lower cost firms are delivering this as a penetration test, although it really isn’t one. It’s just a paid vulnerability scan, and, in some cases, that might be all you need. We offer a vulnerability scan called the BSA on an automatic, recurring basis and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. No, it’s not a pen test 😉

    My recommendation would be to ensure both Type A and B are part of your pen test.  This means that even a small IP range will have a week long test at a minimum, but it is the most comprehensive way to pen test your environment and best meets regulatory requirements as well.  Type A will ensure that a test is completed allowing pivoting and exfiltration of information.  Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.

    Don’t Go Too Low

    If someone is offering you a pen test for less than $3,000 for an entire week of effort, I would be very skeptical that you’re getting an actual penetration test. The ethical hackers who perform these tests are costly, and they don’t work for a salary that would fit that bill rate. Remember that these resources need to understand networking, operating systems, applications, and security all at the same time. In addition, there is also the cost overhead of operating a business that should be considered.

    Regardless, penetration testing is a vital part of a strong security program. Most regulations and security professionals recommend that it be performed annually. It’s better to be hacked by a pen testing vendor than the alternative, so give us a call at Raxis, and we’ll be glad to help you improve your security by uncovering any hidden security risks.

  • How EMV Chips Provide Increased Security

    Last week Raxis’ managing director, Bonnie Smyre, met with Dana Fowle at Fox 5 Atlanta to discuss EMV credit card chip technology. The US is the last major market to convert to this technology as an eventual replacement for magnetic strip credit cards. Bonnie speaks with Dana about the increased security provided by these chips, which send a one-time code for each transaction. Watch the video for more details.


    Please see below for a transcript of the video interview with Fox 5 News:

    …”And if you haven’t, it’s time to get on board. The bottom line is that security experts agree, it’s safer to use than your magnetic strip.

    The swipe at many retailers is on its way out. Now at the register you will “Dip the Chip.”

    Pull your credit card out of your wallet. If you got a new one, which many of you have, you should see a silver square. It’s called EMV chip technology.

    We listened in as a Home Depot employee walked a customer through it.

    “This is a chip card now, place inside – the card – like that. Just leave like that until the light is gone.”

    Bonnie Smyre of the local Internet security firm RAXIS said, “What that does that is special is that it creates a one-time code.”

    It’s an extra security layer. A new code is created for each purchase. But, it does take longer to process the card.

    It takes a good, solid 10 seconds, at major retailers. Longer at smaller shops. But, according to security expert Bonnie Smyre, it’s offering the closest thing we have to perfect credit card security protection. 

    “Even if that code is stolen by a thief nearby who is trying to get that information, the code can not be used again. And that’s your protection here.”

    The US is the last big market to use this EMV chip technology. Great Britain has used it for 10 years and its credit card fraud for in-person purchases has plummeted a whopping 63 percent.

    Home Depot customer Ben Darmer said there isn’t really much of a learning curve at all when using it the first time. The machine at the register walks you right through the process.

    “I like the security and it’s very easy to use. We were recently in Europe and they use them all over the place,” he said.

    Novelle Caibon was a first-timer.

    “It seemed pretty good. I like it.”

    But here’s the catch: This chip doesn’t offer any protection for online purchases.

    “In the UK, like I said, 10 years ago that they did this conversion, since then they’ve seen 120 percent increase in online fraud,” said Bonnie Smyre.

    Not all small retailers have the new chip machines yet. They’re expensive. Ms. Smyre says it can cost up to $1,000 per terminal to install. But big box retailers, like Home Depot and Target, do have them installed.

    Home Depot supervisor Kevin Cannon says while customers look a little confused at first, it only takes one time to get it.

    “It’s not here to hurt you; it’s here to help you and it’s a better way,” he said.”
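    The property the interview keeps coming back to, a code that is created per purchase and cannot be used again, comes from pairing a transaction counter with a keyed MAC. The model below is an added illustration, not part of the Fox 5 segment or of Raxis’s material, and it is not the EMV specification: real chip cryptograms (ARQC) use issuer-derived keys and a defined data layout. The key, PAN, merchant names and field encoding are constructed for the example; what it shows is why a captured code is worthless to a thief nearby and why the same chip does nothing for a card-not-present online purchase, where there is no chip to produce the code.

```python
"""Simplified model of a per-transaction one-time code (not the EMV spec).

Added illustration, not from the interview or from Raxis. The chip keeps a
counter that only increments, computes a MAC over the counter plus the purchase
details, and the issuer rejects any counter value it has already accepted.
"""
import hashlib
import hmac


def _cryptogram(key, pan, atc, amount_cents, merchant):
    """MAC over the transaction details; the 'one-time code' the terminal sends."""
    msg = f"{pan}|{atc}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Holds a per-card secret shared with the issuer and a counter that only goes up."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter

    def authorize(self, amount_cents, merchant):
        self.atc += 1
        code = _cryptogram(self._key, self.pan, self.atc, amount_cents, merchant)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "merchant": merchant, "code": code}


class Issuer:
    """Verifies codes and remembers the highest counter accepted per card."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def verify(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINED: unknown card"
        expected = _cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["merchant"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "DECLINED: cryptogram mismatch"   # details altered, or no key
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINED: counter already used"  # a captured code sent again
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVED"


def demo():
    """One purchase, the same code sent again, a copy with an altered amount, a new purchase."""
    key = b"constructed-demo-card-key"           # constructed; real cards get a personalised key
    card = ChipCard("1234567890123456", key)     # constructed PAN
    issuer = Issuer()
    issuer.enroll(card.pan, key)

    txn1 = card.authorize(4299, "Hardware Store")
    results = [issuer.verify(txn1)]              # APPROVED
    results.append(issuer.verify(txn1))          # same code again: counter already used
    altered = dict(txn1, amount=99)              # same code, different amount: mismatch
    results.append(issuer.verify(altered))
    results.append(issuer.verify(card.authorize(1500, "Coffee Shop")))  # APPROVED
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

    Two design choices carry the security: the issuer checks the MAC before the counter, so an altered transaction never advances the card’s counter, and the counter is stored per card, so replaying a captured code is detected without keeping a history of every code ever seen.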

  • HP iLO Password Cracking

    One of my favorite parts of information security is cracking password hashes. I have a dual NVIDIA GPU rig that I use to run hashcat, and sometimes my research leads me to crack hashes.

    For those who don’t know, HP has a system called Integrated Lights-Out (iLO) that allows for remote management of servers. Usually these interfaces are located on a management network that is inaccessible unless you’re a systems admin.

    Well, I got my hands on some hashes using the Metasploit module called IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval. There are a few blog posts that talk about how to do that, so I’ll let you refer to them on the how. What I thought was interesting, though, is that a lot of the systems I was working with were left on the default password – which is a random 8-digit number.

    With a dual GPU hashcat instance, that is fairly trivial. I set up a brute-force attack using -a 3 ?d?d?d?d?d?d?d?d, and the result below is what happened.

    [Image: hashcat output for the 8-digit brute-force run]

    It took a mere 4 seconds to spin across all 8 digits. If you’re a server admin, I hope you’re setting the administrator passwords on your iLO interfaces to something other than digits. Also, and this goes without saying, keep your management network completely firewalled off from the production network! There is no need for general users to have any sort of access at all to these ports.

    Still, a very strong password is your last line of defense in the event a breach occurs.
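    What the 4-second result tells a defender is the size of the keyspace a policy leaves, and the same arithmetic shows how much an 8-character mixed policy or a 12-character one buys on the same hardware. The calculator below is an added example, not code from the original post: it parses a hashcat mask with hashcat’s built-in charsets (?l ?u ?d ?s ?a ?h ?H ?b), computes the keyspace, and divides by a guess rate. The rate is an assumption derived from the post’s own figures, 10^8 candidates in about 4 seconds, or 2.5e7 guesses per second; substitute your own benchmark number when comparing iLO or BMC password policies.

```python
"""Estimate how long a mask attack needs to exhaust a password policy.

Added example, not from the original post. The assumed rate comes from the
post's figures (10^8 digit candidates in ~4 s on a dual-GPU hashcat rig).
Charset sizes follow hashcat's built-in masks.
"""
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}

ASSUMED_GUESSES_PER_SECOND = 2.5e7  # assumption: 10^8 candidates / 4 s, per the post


def mask_keyspace(mask):
    """Count the candidates a hashcat mask generates; literal characters count as one."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            c = mask[i + 1]
            if c == "?":                 # '??' is a literal question mark
                size = 1
            elif c in CHARSET_SIZES:
                size = CHARSET_SIZES[c]
            else:
                raise ValueError(f"unknown charset ?{c}")
            i += 2
        else:                            # plain literal character
            size = 1
            i += 1
        total *= size
    return total


def seconds_to_exhaust(mask, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate of the mask at the given rate."""
    return mask_keyspace(mask) / guesses_per_second


def describe(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_policies(masks, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Map each mask to (keyspace, seconds to exhaust) for side-by-side comparison."""
    return {m: (mask_keyspace(m), seconds_to_exhaust(m, guesses_per_second)) for m in masks}


if __name__ == "__main__":
    policies = {
        "?d?d?d?d?d?d?d?d": "iLO default: 8 digits",
        "?l?l?l?l?l?l?l?l": "8 lowercase letters",
        "?a?a?a?a?a?a?a?a": "8 printable ASCII",
        "?a?a?a?a?a?a?a?a?a?a?a?a": "12 printable ASCII",
    }
    for mask, (space, secs) in compare_policies(policies).items():
        print(f"{policies[mask]:<24} keyspace={space:.2e}  exhaust in {describe(secs)}")
```

    Eight digits is 10^8 candidates, eight printable ASCII characters is 95^8 (about 6.6e15), and twelve is 95^12; at the rate the post observed those go from seconds to years to far longer, which is the whole argument for a long random iLO password on top of the firewall rule.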