Author: Scottie Cole

  • The CrowdStrike Outage: Lessons Learned

    Just a few days ago the world felt the rippling effects of a third-party push to networks across the globe. What would have normally been a routine undertaking instead caused mass disruption of information systems and brought businesses of all sizes to a standstill. Almost everyone was impacted by this incident in one way or another. At the time of this writing, some companies continue to struggle to resume normal business activities.

    As with any incident, we must take a look at our processes to see what lessons we can learn and how we can improve – an after-action report, if you will.

    Third-Party Risks

    Our society is more interconnected than ever before, and third-party vendors increasingly are active on customer production business networks. The advantages businesses receive from these interactions are often worth the risks. However, as with all business decisions, we must understand the risks that we are accepting and take steps to mitigate them to the greatest practical extent.

    One of the key takeaways from this incident is that we need to incorporate third-party risks into our business continuity (BC) plans, incident response (IR) plans, and tabletop exercises. Businesses cannot control every aspect of a third-party integration, but they can control how that risk is incorporated into the environment and put safeguards in place for maintaining continuity when an action fails to go as planned.

    Businesses should not only take this into account with their BC/IR planning but should actively incorporate this into their tabletop simulation drills. At Raxis, we conduct tabletop offerings as a simulated attack intended to model real-world threats. They facilitate cohesion and seek to highlight process gaps and less obvious exposures. A plan is only as good as its execution, and tabletop exercises are an excellent way to identify improvement opportunities in plans and processes.

    A Few Things to Think About

    • Do you have redundant systems in place that would be resilient to a third-party incident?
    • Do you have tested backups (emphasis on tested) that allow you to quickly restore your system?
    • Do you maintain adequate logging, and are these logs stored for a long enough time period to allow your team to review them and determine affected systems?
    • Do you have a current BC/IR plan, and does this plan include incidents that could be caused by third-party vendors?
    • Do you actively review your vendors and their operational processes that could affect your business stability?

    Vince Lombardi once said, “It’s not whether you get knocked down, it’s whether you get up.” This rings true after every security incident. What do we learn, and how do we improve?

    Need help testing or developing your incident plans? Raxis can help. Reach out to one of our advisors to learn more.

  • Cool Tools Series: Host Discovery

    Before starting any penetration test, you must know the scope of the work. Depending on the type of assessment, this could be specific hosts or full ranges of IP addresses with live hosts scattered throughout. If the scope is the latter, then it is a good idea to initially identify which hosts are live and then discover common, known vulnerabilities on the hosts. This will narrow down the attack surface and potential attack vectors to help establish a list of priority targets during the assessment.  

    There are several tools that I like to use when I start a new assessment. Some are free open-source tools, while others are commercial.

    Open-Source Tools

    Nmap

    The first tool I always use is Nmap. Nmap is an open-source tool that can identify live hosts and services by conducting protocol enumeration across systems. It can also be used for specific configuration checks or even as a vulnerability scanner by using the Nmap Scripting Engine (NSE).

    Even when I use Nmap with vulnerability scanners, I still regularly utilize Nmap scripts. Nmap comes pre-installed with Kali Linux but can easily be installed on any Linux or Windows system. Using Nmap for the first time can be intimidating, but after using it for a bit, users often find it very easy and reliable. I usually run the initial scans by ignoring ICMP checks (Ping) and just assume that all hosts are live. I do this because some network admins like to disable ICMP on live hosts as a security measure (Good on ’em!).

    nmap -v -A --open -Pn -iL targets.txt -oA nmap_scan

    Note: -Pn disables the ICMP check.

    If the scope is extremely large and the Nmap scans won’t complete in the time allowed, I enable the ICMP check by removing the “-Pn”:

    nmap -v -A --open -iL targets.txt -oA nmap_scan

    Below is a screenshot of a typical initial scan I perform on network assessments (internal & external):

    nmap -v -A -Pn --open {IP Range} -oA {Output File Name}
    Nmap Discovery Scan

    The commands above are easy to learn once you use them a few times, and I’ll cover what is going on here.  

    • First, I like to use the “-v” which enables verbose outputs.
    • The “-A” enables OS and version detection, as well as script scanning and traceroute output.
    • “-Pn” disables ICMP ping for host discovery, causing the scan to assume that all hosts are live.
    • Next, we have the IP range, in this instance a standard /24 internal network. If I have specific hosts or multiple ranges to target, I will create a text file and use the “-iL” switch to point to the text file.
    • Lastly, I like to output the results to all supported formats by setting “-oA.” The reason I do this is because I like to ensure I have the different file types for future use. For example, the .nmap output is easy to read when I want to scan through the output. I typically use the XML output for importing into Metasploit or when using Eyewitness to enumerate web hosts.
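    One way to triage the .xml file that “-oA” writes once the scan finishes, as an added example that is not from the original post or from the Nmap project: it parses a constructed sample in Nmap’s XML output format, lists open ports per host, pivots the results by port, and separates hosts that only show as “up” because “-Pn” told Nmap to assume so (status reason “user-set”) from hosts that actually answered on a port. The addresses, hostnames and service banners in the sample are constructed.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in Nmap's XML output format (the .xml file -oA writes):
# two hosts with open ports, plus one address that only shows as "up" because
# -Pn told Nmap to assume every target is live (status reason "user-set").
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -A --open -Pn -iL targets.txt -oA nmap_scan">
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.18.0"/></port>
    </ports></host>
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="1000"/></ports></host>
</nmaprun>
"""


@dataclass
class Host:
    addr: str
    hostname: str | None
    assumed_up: bool  # True when the "up" state came from -Pn, not from a probe reply
    open_ports: list[tuple[int, str, str]] = field(default_factory=list)  # (port, proto, service)


def parse_nmap_xml(xml_text: str) -> list[Host]:
    """One Host per <host> element; only ports whose state is 'open' are kept."""
    hosts: list[Host] = []
    for h in ET.fromstring(xml_text).iter("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        status, name_el = h.find("status"), h.find("hostnames/hostname")
        host = Host(addr=addr_el.get("addr", ""),
                    hostname=name_el.get("name") if name_el is not None else None,
                    assumed_up=status is not None and status.get("reason") == "user-set")
        for p in h.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            if state is None or state.get("state") != "open":
                continue
            # Service description: name, product and version joined, skipping missing attributes
            fields = (svc.get(k) for k in ("name", "product", "version")) if svc is not None else ()
            desc = " ".join(filter(None, fields))
            host.open_ports.append((int(p.get("portid")), p.get("protocol", "tcp"), desc))
        hosts.append(host)
    return hosts


def confirmed_live(hosts: list[Host]) -> list[Host]:
    """Hosts that answered on at least one port: the list worth prioritising."""
    return [h for h in hosts if h.open_ports]


def unconfirmed(hosts: list[Host]) -> list[str]:
    """Addresses marked 'up' only because of -Pn and showing nothing open."""
    return [h.addr for h in hosts if h.assumed_up and not h.open_ports]


def hosts_by_port(hosts: list[Host]) -> dict[int, list[str]]:
    """Pivot the results: which hosts expose a given port (e.g. every host with 445)."""
    index: dict[int, list[str]] = defaultdict(list)
    for h in hosts:
        for port, _proto, _svc in h.open_ports:
            index[port].append(h.addr)
    return dict(index)


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for h in confirmed_live(scan):
        print(h.addr, h.hostname or "-", [(p, s) for p, _, s in h.open_ports])
    print("assumed live, nothing open:", unconfirmed(scan))
    print("hosts per port:", hosts_by_port(scan))
```

To run it against a real scan, read the nmap_scan.xml file into a string and pass it to parse_nmap_xml in place of SAMPLE_XML.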

    There are quite a few good cheat sheets out there too if you let the Googles do the work for you. If not, follow this series for more Nmap tips and tricks in the future.

    Masscan

    Another tool similar to Nmap is Masscan. Masscan is a TCP port scanner that scans faster than Nmap. Unlike Nmap, Masscan requires you to define the ports you want to scan. I typically don’t use Masscan and just stick with Nmap, but it’s a good option if you want to quickly look for specific open ports on a network.

    OpenVAS

    Another tool I use on occasion is OpenVAS (a.k.a. Greenbone), a vulnerability scanner. Greenbone offers a commercial version, but there is an open-source version available as well. I’ve used this many times when I am unable to access my usual vulnerability scanners. One downside to the tool is that it can be difficult to install. I recently followed the instructions for installing with Kali and ran into quite a few issues with the install. I’ve also noticed that the initial setup can take some time due to the signatures that are downloaded. If purchasing a commercial vulnerability scanner is too expensive, then Greenbone is definitely worth looking into, despite its challenges.

    OpenVAS Dashboard

    Commercial Tools

    Nessus

    By far, my favorite vulnerability scanner is Tenable’s Nessus. There is a free version available, but it’s limited to 16 IP addresses. If you are doing a lot of vulnerability scanning or time-boxed penetration tests, then it might be worth looking into purchasing this.

    The thing I like most about Nessus is how I can sort by vulnerabilities across all hosts in a given scan. I can also sort these vulnerabilities by risk rating, which helps me narrow down critical or specific vulnerabilities to exploit or signs that a host or service may be a high priority for a closer look.

    When viewing Nessus results, never ignore the informational findings. They often provide clues that more may be going on on a host or service than you realize at first glance.

    Nexpose

    Another great vulnerability assessment tool is Nexpose, owned by Rapid7. Nexpose is similar to Nessus, as it identifies similar vulnerabilities. There are some slight differences in the way the products display results.

    Nexpose is built around “sites.” Each site has defined hosts or IP ranges under it. From there each host’s vulnerabilities will be listed. The easiest way I’ve found to list out all vulnerabilities is to create a report from the site I’m working in.

    Besides greater extensibility, one major advantage with Nexpose is that it ties in with Rapid7’s vulnerability management product, InsightVM. If you’re looking for a full vulnerability management solution and not just a vulnerability scanner, Nexpose is a good option to check out.

    There are many other tools that I use, but these are always my first go-to tools to start an assessment.

    Follow the series!

    Stay tuned for more posts in the Cool Tools series, where the Raxis penetration testing team will highlight some of their favorite tools and explain how to get started with them.

    Take a look as Adam Fernandez dives into Nmap for Penetration Tests in the next post in this series.

  • What to Expect with a Raxis Wireless Penetration Test

    Although social engineering attacks – including phishing, vishing, and smishing – are the most popular and reliable ways to gain unauthorized access to a network, some hackers simply don’t have the social or communications skills necessary to perform those attacks effectively. Wireless attacks, by contrast, are typically low-risk, high-reward opportunities that don’t often require direct interaction with the target.

    That’s one reason why pentesting for wireless networks is one of Raxis’ most sought-after services. We have the expertise and tools to attack you in the same ways a real hacker will. In fact, I’ve successfully breached corporate networks from their parking lots, using inexpensive equipment, relatively simple techniques, and by attacking devices you might never suspect.

    To appreciate how we test wireless networks, remember that wireless simply means sending radio signals from one device to another. The problem with that is that no matter how small the gap between them, there’s always room for a hacker to set up shop unless the network is properly secured.

    So, if Raxis comes onsite to test your wireless network, the first thing we will likely do is map your network. This is a mostly passive activity in which we see how far away from your building the wireless signal travels normally. But we also have inexpensive directional antennas that allow us to access it from further away if we need to be stealthier.

    Using an easily accessible aircrack-ng toolkit, we can monitor and capture traffic from wireless devices as well as send our own instructions to others that are unprotected. (I’ll go into more detail about that in a moment.)

    As we establish the wireless network’s boundaries, we also determine whether there are guest networks or even open networks in use. Open networks, as the name implies, require no special permission to access. Even on controlled guest networks, we can usually get in with little effort if weak passwords are used or the same ones reused. Once we’re in as a guest, we’ll pivot to see if we can gain unauthorized access to other areas or other users’ data.

    While this is going on, we will often set up a rogue access point, essentially just an unauthorized router that passes traffic to the internet. If the network is configured properly, it should detect this access point and prevent network traffic from accessing it. If not, however, we can capture the credentials of users who log into our device using a man-in-the-middle attack.

    Scottie with a directional wireless antenna

    Our primary goal here is to capture usernames and password hashes, the characters that represent the password after it has been encrypted. In rare cases, we’re able to simply “pass the hash” and gain access by sending the encrypted data to the network server.

    Most networks are configured to prevent this technique and force us to use a tool to try to crack the encryption. Such tools – again, readily available and inexpensive – can guess more than 300 billion combinations per second. So, if you’re using a short, simple password, we’ll have it in a heartbeat. Use one that’s more complex and it may take longer or we might never crack it.

    If a network isn’t properly secured, however, we might be able to find a way in that doesn’t require a password. Many people who use wireless mice and keyboards, for example, don’t realize that we can sometimes intercept those signals as well. For non-Bluetooth devices, we can use our aircrack-ng tools to execute commands from a user’s (already logged-in) device.

    As a proof of concept, we sometimes change screensavers or backgrounds so that network admins can see which devices are vulnerable. However, we can also press the attack and see if we’re able to pivot and gain additional access.

    The good news for business owners is that there are simple methods to protect against all these attacks:

    • Never create an open network. The convenience does not justify the security risk.
    • If you have a guest network, make sure that it is not connected to the corporate network and that users are unable to access data from any others who may also be using it.
    • Use the latest wireless security protocol (WPA3) if possible.
    • If you’re using WPA2 Enterprise, make sure the network is requiring TLS and certificates.
    • If you’re using WPA3 Personal, make sure your password is at least 30 characters long. (That’s not a typo – 30 characters is still out of reach for most hash-cracking software.)

    Here’s the most important piece of advice: Test your network regularly. New exploits are found every day, and hackers’ tools get better, faster, and cheaper every day. The only way to stay ahead of them is with professionals like us who live in their world every day.

    And, trust me, you’d much rather have Raxis find your vulnerabilities than the bad guys.

  • 5 Things You Should (and Shouldn’t) Take Away from the Starlink Hack

    “As a professional, ethical hacker, I’ve gotten questions from family, friends, and neighbors about what this means – from its impact on the cost of the service to the future of humanity, depending on the paranoia level of the person asking.”

    Scottie Cole, Lead Penetration Tester

    The big news from this year’s Blackhat and DEF CON 30 hacker conventions came from a presentation by an engineer from Belgium, Lennert Wouters, detailing how he successfully hacked the entire Starlink ground network using one of the company’s own Dishy McFlatface® receivers. The way oversimplified summary is that he built a circuit board that allowed him to introduce a fault into Starlink’s security, which he then exploited to run custom code on the device.

    After seeing some of the headlines, I now understand why some people are a little freaked out. So, as a public service, what follows is my opinion of what the non-hacker public should (and should not) take away from this news.

    1. Yes, it’s a big deal (but maybe not for the reason you think). Let me be clear from the start, Lennert Wouters is a genius who deserves great respect for both the creative thinking and tenacity it took to accomplish this feat. This was a very complex hack that required a lot of hardware and software expertise, as well as a great deal of time to complete. That’s why . . .
    2. The media’s “$25 in off-the-shelf components” is highly misleading. Scalpels are cheap, but you still don’t see a lot of DIY brain surgery. Expense usually isn’t a barrier to hackers, but expertise, time, and motivation frequently are. Wouters conceived of and executed the brilliant hack, but he was working on it because . . .
    3. It was part of Starlink’s bug bounty program, designed to engage and reward super smart white hat hackers for finding problems first. In that sense, Wouters didn’t defeat Starlink’s cybersecurity but rather was an integral part of it. Other bounty hunters are still busy working on other exploits that could prove more significant – as are the bad guys. In fact . . .
    4. The Russians (and likely others) have been trying to take down Starlink because the Ukrainian government now relies on the satellite network so heavily. State-sponsored hackers reportedly took down the Ukrainian government’s internet service early in the war. According to Starlink founder Elon Musk, however, the Russians have not been able to disrupt Ukraine’s access to the service or breach its network. Taken together, what all this means is that . . .
    5. The Starlink hack, though impressive, likely does not represent a significant threat to the company or its users. On the one hand, I think this is a great story because I’m an electronics and “gadget” guy. As a penetration tester, however, I worry when business owners place a lot of focus on high-risk, low-probability hacks simply because they make the news. Over the course of thousands of penetration tests, the most common vulnerabilities Raxis finds are ones that are much simpler to exploit. Weak passwords, missing software patches, insufficient network segmentation, and a host of other, more pedestrian problems. The vulnerabilities might not make news, but the successful attack that follows – on a business, a hospital, or a school – many times does.

    Wouters used a Starlink setup much like this one, plus “$25 in off-the-shelf materials” to carry out his hack. It’s a fascinating story, but there are much bigger threats facing businesses today.

    The most important takeaways are that the biggest corporate networks on Earth (and beyond) can be hacked. The most secure networks are those that have an effective testing protocol that identifies vulnerabilities before they become breaches.

  • Meet the Team: Scottie Cole, Lead Penetration Tester

    I’m Scottie Cole, and this week, it’s my turn to be interviewed by our marketing specialist. Unlike my Raxis colleagues, I’ve been friends and worked with Jim for well over a decade (that is, if you consider what he does actual ‘work.’) What follows is our best attempt at an interview, but it highlights one of the things I like best about this team: For as hard as we work, we also have a lot of fun. If that sounds like an environment that would bring out your best, check out our careers page and learn more about our opportunities.

    Jim: I seem to remember you having much darker hair when we first met.

    Scottie: That’s right! And I seem to remember you actually having hair when we first met.

    Jim: True enough. You were responsible for our internal security at the cybersecurity company where we both worked for many years. Some of our readers might think that would be an easy job or maybe even redundant.

    Scottie: Thanks to you and your marketing people, I always had plenty of new risks to mitigate. 

    Jim: You’re welcome.

    Scottie: Seriously, security companies are frequent targets of hackers, so we have to pay extra attention to keeping our own house in order. We have customers counting on us, of course, but we also have our reputation to protect. That raises the stakes and adds a lot of pressure.

    Jim: Given your previous jobs, you were accustomed to working under pressure, right?

    Scottie: I spent several years as a dispatcher, a firefighter, and a law enforcement officer. Those jobs gave me plenty of experience working in high-stress situations. In cybersecurity, the ‘bad guys’ are different, and the fire drills aren’t literal, but the consequences can still be very severe. That’s especially true when you consider how many devices are being connected to the internet now.

    Jim: You’d know that better than most. Your house is like Area 51, except with more electronics.

    Scottie: Well, maybe more radios.

    Jim: That’s right. You’re a HAM radio operator. How’d you get into that? More importantly, why?

    Some of Scottie’s HAM radio gear

    Scottie: As a dispatcher, I became fascinated with radios. When cell service and other forms of communication go down, the HAM operators can continue to broadcast, and that’s an important civil defense benefit. During the terrible hurricane in Puerto Rico, for example, it was the HAM operators providing updates to people in the US. Think about how relieved people were to hear that their loved ones were okay. Or how important it was to know what relief supplies were needed where.

    Jim: Is that how you found your way into the IT security world?

    Scottie: That was actually more by chance than by design. As you remember, our former company was growing fast, especially in the early days. They needed help, so a friend of mine offered me an opportunity to join the team and learn about infosec. Being a first responder was a great job, but cybersecurity offered better pay and more predictable hours . . . in theory.

    Jim: I’ve asked other team members how they found Raxis, but as I understand it, Raxis found you.

    Scottie: That’s right. In my previous job, I didn’t like to take phone calls for security reasons.

    Jim: I thought it was only my calls you didn’t take.

    Scottie: There were a lot of reasons I didn’t take your calls. But I was always wary, and the folks at the front desk knew to screen everyone. But (Raxis’ COO) Bonnie Smyre actually got me on the phone to talk about doing a penetration test for us. My first thought was, “She must be really good if she got through that easily.”

    Scottie Cole, drone operator and wannabe surfer

    Jim: Did you hire Raxis for the pentest?

    Scottie: Yep. But I also got to know Bonnie, (VP of business development) Brad Herring, and (CEO) Mark Puckett and realized this is the type of work I want to do, and they are the people I want to work with. As I met other team members, I knew it was a great culture and a great team, so I jumped at the opportunity to join them.

    Jim: What’s your favorite part of the job?

    Scottie: What’s not to like? I get paid to hack into other people’s networks. I get to learn from the best in the business and share what I know with them. It’s an outstanding company in a space that’s becoming a lot more important. When business owners say that a network breach would be more damaging than a fire, you understand just how critical cybersecurity is in our daily lives.

  • Hurricane Ida: Limiting the Damage

    As someone who has lived through several hurricanes and worked as a first responder for years, my heart breaks for our neighbors on the Gulf Coast and inland areas who are now assessing the damage from Hurricane Ida. For those who haven’t experienced it, devastation doesn’t begin to describe the aftermath of such a powerful storm.

    While we hope and pray for the people who were in the storm’s path, I want to offer a few tips from the cybersecurity career I’ve pursued since leaving emergency services work 16 years ago:

    • Scammers strike when we’re most vulnerable. Don’t let your guard down now.
    • Be mindful of what you post on social media. Giving too much personal information could lead to identity theft or give a criminal the location of your home you just evacuated. Provide personal information only to valid sources like FEMA, the Red Cross, and your insurance companies.
    • Be on high alert for phishing emails disguised as aid requests. Legitimate rescue personnel (volunteer or professional) will never ask for money. Donate to the Red Cross, Salvation Army, or a local organization you already know and trust.
    • Rely only on reputable sources for critical information. Social media is good for keeping up with friends and relatives, but it’s also full of misinformation and scams. Double-check important news by cross-referencing it on local, state, or federal government pages, or with reliable media. Also, remember that there are a lot of “fake” media pages.
    • If you’re in an area that is hard hit and don’t have cell phone service, turn off your phone. The phone will die more quickly if it’s searching for a cell tower. Turn it on later and see if cell service is restored. If not, turn it back off, and try again later.
    • Likewise, don’t send sensitive information over public WiFi. In the wake of a disaster, it’s all too easy for scammers to intercept traffic and collect passwords, credit card numbers, banking information, and other private data.

    We can’t prevent hurricanes, and it’s likely there will always be scammers and hackers among us. However, a little caution can help us avoid being victims of a man-made disaster at the same time we deal with nature’s worst destruction.

  • Three Questions to Ask Before Connecting a Device to the Internet

    “In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.”

    Raxis Lead Penetration Tester, Scottie Cole

    I’m a gadget guy with a lot of IT experience, which of course makes me the pro bono tech troubleshooter for every friend and relative within 100 miles. It also means I’m the guy they call when they want to connect their latest gizmo to the Internet.

    I don’t usually mind helping, but I often find myself wondering if people are putting enough thought behind this race to connect to the Internet of Things (IoT). 

    Ha! Just kidding. I know for a fact that most aren’t putting any thought behind it.

    The allure of convenience, the snob appeal of being an early adopter, and the FOMO factor make it incredibly easy to sell these devices. But there’s no incentive to also talk about security issues – and that’s a big problem. 

    So, as a public service, I’m taking off my gadget-geek gear and putting on my professional hacker hoodie. Before you connect any device to the Internet, ask yourself these questions (and answer them honestly):

    Will I really use it as much as I think? This is about more than simply being frugal. The less you use a device or an associated app, the more likely you are to miss important updates and leave security patches uninstalled. You might not be paying attention, but hackers surely are. Which brings up a second question . . . 

    Can I secure it? Why don’t we pose that question to Alexa? Oh, wait. Can we trust her? Really, we only have a pinky swear from the company that she’s not spying on us. And that’s a potential problem with many devices. Even as a security professional, I can only control the security on my end. If it’s a centrally administered service, I have to also trust the company to protect access to the device as well. That’s why it pays to really read what they have to say about security. And that raises a third, even more important question . . . 

    What am I putting at risk if it’s hacked? One of the great IoT ironies is that some of the products sold under the guise of making us more secure are often the most vulnerable to attack. That means security cameras can turn into spy cameras. The ability to lock our doors remotely means they can be unlocked the same way. In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.

    A more urgent concern is that any device connected to your network can become a pathway for unauthorized access. If you think that’s unlikely, watch my colleague Scott Sailors hack a wireless mouse. From a practical perspective, that means you should segment your network so that, if your toaster is hacked, you’re not putting all your bank and credit card data at risk as well. 

    The reality is that connected devices are improving our lives dramatically and we haven’t even scratched the surface of their real capabilities. It’s exciting to realize that more and more devices are becoming smarter and more capable. In order to fully enjoy the advantages of being connected, we simply need to be realistic about our abilities, mindful of the risks we take, and diligent about mitigating them effectively.

    Companies hire the team here at Raxis to identify vulnerabilities and correct them before hackers can take advantage. As individuals, it’s up to us to do it ourselves.

    Of course, you can also call on a friend or relative to help. (Not me, though. I’m all booked up through the end of the year.)