Tag: Atlanta

  • Raxis Presents at the (ISC)² Atlanta Chapter Meeting

    Brad Herring and Scott Sailors had the pleasure of presenting at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was social engineering and understanding how its high success rates impact network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical with a pre-text bias and physical with a technology bias.

    The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business size. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.

    Once the realization hit that determined and skilled hackers are commonly able to breach armed security, card-keyed systems, numeric keypads and other physical controls, the importance of achieving and maintaining a strong internal network security program became apparent.

    This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind-the-scenes actions that take place once credentials or access are obtained, and discuss meaningful remediation steps for combating these attacks.

  • Bonnie featured in VoyageATL interview!

    We’re so very proud to have Bonnie on our team at Raxis. Check out her VoyageATL Interview!

    Transcript from the Interview, courtesy of VoyageATL:

    “Today we’d like to introduce you to Bonnie Smyre.

    Bonnie, please share your story with us. How did you get to where you are today?

    When I graduated from the University of North Carolina, I wanted to work in international sales. Fast forward a few years and a job at BellSouth International in Midtown and the Southern Center for International Studies in Buckhead led me down an unexpected route. I became interested in technology, specifically databases and computer programming.

    When I found an opportunity to work in both these fields at my alma mater, I returned to UNC and worked at IT departments on campus, at UNC’s School of Government and finally at the state PBS station, UNC-TV. As over fifteen years went by, I kept in touch with friends in the Marietta area where I had grown up.

    Mark Puckett, Raxis’ owner and visionary, and his wife Alison came to see me perform in an improv show up in Carrboro, NC. We started chatting about Raxis, his boutique information security company and needs he had within the company. In less than a year, I had moved back to Marietta and had filled the role of COO as well as becoming one of the penetration testers at Raxis.

    Overall, has it been relatively smooth? If not, what were some of the struggles along the way?

    I believe everyone can look back on times that were a struggle, but I also feel that people who find their way and love what they do appreciate what those times teach them. For me, I’ve had some jobs that were energizing and exciting that later became stagnant and sometimes toxic. I can remember wondering if I could update my resume enough to escape and find something fun.

    But looking back, I’m appreciative of those times because I learned that I won’t settle in my career or in my life and that I don’t want to be a part of an environment that makes others settle either. When Mark asked if I would be interested in running operations at Raxis, my first thoughts were that I would be leaving North Carolina where I had lived for fifteen years as well as leaving software development, a career that I had enjoyed for even longer.

    My second thought was absolute excitement that I had an opportunity to become an integral part of Raxis, and, from that moment I haven’t looked back. I joined Raxis in 2013 part-time and then, in 2014, I moved back to Marietta and joined Raxis full time, taking over scheduling and employee support as well as reporting. Things can get hectic, especially in the fall and towards the holidays when many customers realize that they’d better complete their pen test by the end of the year.

    Juggling penetration testing along with my operations tasks can make my head spin sometimes! Scheduling is very interesting to me. At Raxis, we aim to customize each engagement to meet the customer’s needs as best as possible. I’m working with a limited number of pen testers, and sometimes I have to shut out outside noise and focus on the puzzle pieces until I can make them fall into place.

    In the end, though, I’ve loved every minute since I’ve been at Raxis, even if sometimes it’s in retrospect!

    Please tell us about Raxis.

    I’m very proud to be a part of Raxis. When Mark started the company himself in 2012, he made the sales, ran the business and did the penetration tests himself. Over the next few years, he brought in Raxis’ first employees, including our CTO, Brian Tant, who is amazingly creative both technically and in social engineering engagements. Since I joined in 2014, we’ve brought in several more talented folks, but we still pride ourselves in being small enough to be able to accommodate the needs of all types of customers.

    We focus on information security tests, including network penetration tests as well as web and mobile application tests and code reviews. We also have a lot of fun with social engineering tests, whether onsite or using phishing emails and calls. The goal of all of these tests is to help our customers learn how their companies could be affected by hackers of all types. We always say that it’s better to learn about that in a Raxis report than to learn about it after a hacker has been in your systems.

    Last year we introduced the Raxis Transporter device, which allows us to perform onsite work remotely. For many of our customers, the cost savings of not paying for a consultant onsite makes all the difference. Many customers also leave the device in place so that Raxis employees can perform incident response (IR) work quickly if there is a security event.

    I especially take pride in our process and our reports. As more rules and regulations are created in answer to high profile hacks, increasing numbers of companies are interested in penetration tests. But, even though it’s a positive goal, it’s still going to feel unsettling to invite technical experts in to attempt to break into the systems that are your bread and butter. We pride ourselves in making that process calm and easy on the customer.

    I run project management at Raxis, and I strive to keep all customers informed throughout the process. They know how to reach us, and they also know we’ll let them know if they have critical issues that they should jump on immediately. In the end, though, the customer is left with a report and the knowledge that Raxis is only a phone call away for their next annual test, remediation consulting or incident response work in the event of an outside hack.

    When we walk away, I want that report to be a tool for our customers to use throughout the year. My wish is that they call us back the next year and that we are unable to exploit any of the previous vulnerabilities because the report was so useful that their teams were able to remediate all of the issues. There are a lot of good information security firms out there, but I’m very proud of the work that we do and feel that we can truthfully say that we are one of the best.

    Is our city a good place to do what you do?

    Atlanta has been great to us. Over the years several tech companies have flourished here.

    We’ve found many customers in Atlanta and the neighboring regions because it’s such a great environment for companies of all sizes. And when we travel to locations all over the US & Canada, we’re lucky enough to have the world’s busiest airport ready to take us there!

    Among Raxis’ customers are a number of Atlanta based Fortune 500 companies. In fact, our CEO, Mark Puckett, and CTO, Brian Tant, met while working at The Home Depot, one of Atlanta’s very own multi-million dollar businesses. Atlanta is such an important hub for the South that we also find several customers within the large group of companies that choose to open regional offices here. We’ve enjoyed working with local companies of all sizes and also pride ourselves in treating smaller companies with the same respect and consideration as larger companies.

    Many of our customers have told us stories of failed past penetration tests where the vendor they hired did not listen to them or take the time to understand their needs. I love that Atlanta prides itself on supporting companies of all sizes flourishing. Some of our most loyal customers are small local companies… but I wouldn’t be surprised if you hear their names in the coming years!

    Raxis employees all work virtually, so we’ve had employees working from offices all over the US. Atlanta is a city filled with talented people, though, and many of Raxis’ employees live right here in Marietta. We’ve never had trouble finding great employees right here at home.

    Though I truly enjoyed my time in North Carolina as well as the locations I see in my job with Raxis, I’m always happy to be back at home in Atlanta. I enjoy living and working here. Atlanta truly is home.”


  • City of Atlanta 2018 Ransomware Hack: What We Know and What You Can Learn From It

    What do we know?

    [Images: Municipal Court of Atlanta Site Unable to Take Payments; Error on Alternative Citation Payment Webpage; Citation & Case Number Lookup Tool]

    While events are still unfolding, we’re piecing together facts pertaining to the March 22nd ransomware attack on the City of Atlanta. As an Atlanta-based company, my colleagues at Raxis and I have been keeping a close eye on the happenings since the attack. The City of Atlanta has so far successfully kept people informed without revealing information that may be critical in responding to the attack.

    It appears that the epicenter of the attack was Atlanta’s municipal court (including tickets, citations, and other information) and bill-payment systems. I examined the Municipal Court of Atlanta website as I researched this post late Monday and found that the site displayed an error message explaining that payments could temporarily be made at a different site. When I clicked through to that site, I was given two options: a link back to the original site where I had started and a link to an error message, both seen here. Whether these sites were directly affected by the attack or are disrupted as part of the aftermath, people using these sites are affected just the same. The ‘Online lookup tool’ on the same page leads to a webpage that times out. It is possible that this service was not affected by the ransomware attack directly, but access to this page may have been removed as a precautionary measure to prevent further attacks.

    Based on these observations, we can infer that the attack has effectively diverted Atlanta’s resources to understanding, containing, and recovering from the attack. A trusted source tells Raxis that Atlanta is still working to fully confirm that critical infrastructure systems, such as fire, water and the airport, have not been impacted. All systems that may have been impacted have been taken offline until their state of compromise can be determined. Employees have been directed not to turn on or log in to their workstations, which is another proactive security measure implemented in immediate response to the attack.

    A source has informed Raxis directly that vendors have physically been locked out of city buildings since the attack took place. A direct source has also confirmed to Raxis that construction companies have been unable to obtain permits that had already been submitted for approval due to the attack. Raxis also noted that Atlanta’s Outlook Web App (OWA) and GIS server were displaying application errors after the attack. The City of Atlanta appears to be working around the clock to fix these services; nonetheless, these issues speak to the severity of the attack and the breadth of Atlanta’s response to an active threat.

    What can we speculate about the attack itself?

    The city has not released details about the attack yet, but we can speculate. A Raxis source stated that the attackers were demanding three bitcoin per decryption key. Internet sources show that the attackers are asking $6,800 per system or $51,000 to unlock the entire Atlanta system. While the math does not quite add up (currently Bitcoin rates are $8,056.44), we can see that the costs are high but also possible for Atlanta to pay.

    Raxis has spoken to a trusted source who confirmed that it is believed that the attackers gained access to Atlanta systems using MS-RDP (Microsoft Remote Desktop Protocol) and then installed SamSam ransomware, which made the ransom demand. Our source stated that, as of close of business on Monday March 26th, Atlanta had not made a determination of whether to pay the ransom or to pursue other methods to recover business continuity.

    RDP (Remote Desktop Protocol)

    As noted above, a trusted Raxis source has informed us that the current belief is that attackers used MS-RDP as the entry point to Atlanta’s network. Raxis’ source, while not privy to the passwords that were harvested in the attack, believes that the passwords were likely weak, which may have contributed to the success of the attack.

    While the focus currently is on the ransom demands, the full access that the attackers may have achieved in this type of attack may well have allowed them to create back doors to the Atlanta systems they accessed, which would let them maintain a persistent presence for use in future attacks. Atlanta now finds itself in a position where it does not know whether a persistent threat is present on the internal network. It will need to maintain ongoing vigilance to determine the effectiveness of its response.

    Both the externally accessible MS-RDP service and the possible use of weak passwords are security issues that many companies deal with. This attack makes clear the importance of basic security housekeeping in protecting any network.
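    An exposed RDP service with weak passwords is usually found by guessing, and guessing leaves a trail in the Windows Security log. The script below is an added example written for this page, not Raxis code or a Raxis tool: it reads constructed Event ID 4625 (failed logon) records, keeps only LogonType 10 (RemoteInteractive, i.e. Remote Desktop) attempts, and flags any source address whose failures pile up inside a sliding five-minute window, distinguishing a single hammered account from a spray across many accounts. The addresses and user names are constructed samples; the threshold and window are assumptions to tune for your environment.

```python
"""Detect RDP password guessing in Windows Security log events.

Added illustration, not Raxis code. Windows records every failed logon as
Event ID 4625; LogonType 10 (RemoteInteractive) marks Remote Desktop
attempts and IpAddress carries their source. The events below are
constructed samples using RFC 5737 documentation addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (TimeCreated, EventID, LogonType, IpAddress, TargetUserName)
SAMPLE_EVENTS = [
    # two slow failures from one workstation: a user mistyping a password
    ("2018-03-20T08:02:11", 4625, 10, "192.0.2.10", "bsmyre"),
    ("2018-03-20T09:41:52", 4625, 10, "192.0.2.10", "bsmyre"),
    # a console logon failure (LogonType 2) has no remote source and is ignored
    ("2018-03-20T10:15:00", 4625, 2, "-", "bsmyre"),
]
_GUESSED = ["administrator", "admin", "backup", "sqlsvc", "helpdesk", "jsmith",
            "scanner", "test", "guest", "oracle", "svc_rdp", "it"]
_BURST_START = datetime(2018, 3, 20, 2, 14, 5)
# twelve failures against twelve different accounts from one Internet host in about two minutes
SAMPLE_EVENTS += [
    ((_BURST_START + timedelta(seconds=11 * i)).isoformat(), 4625, 10, "203.0.113.45", user)
    for i, user in enumerate(_GUESSED)
]


def rdp_failures(events):
    """Keep only failed Remote Desktop logons with a remote source, sorted by time."""
    kept = []
    for ts, event_id, logon_type, ip, user in events:
        if event_id == 4625 and logon_type == 10 and ip != "-":
            kept.append((datetime.fromisoformat(ts), ip, user))
    return sorted(kept)


def detect_rdp_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Alert on any source IP whose failed RDP logons reach `threshold` inside a sliding `window`."""
    by_ip = defaultdict(list)
    for when, ip, user in rdp_failures(events):
        by_ip[ip].append((when, user))

    alerts = []
    for ip, attempts in by_ip.items():
        best = (0, 0, 0)  # (count, start index, end index) of the densest window seen
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, start, end = best
        if count < threshold:
            continue
        users = {user for _, user in attempts[start:end + 1]}
        # many distinct accounts with few tries each is a password spray; one account hammered is brute force
        pattern = "password spray" if len(users) > count // 2 else "brute force"
        alerts.append({
            "source_ip": ip, "failures": count, "distinct_users": len(users),
            "first": attempts[start][0].isoformat(), "last": attempts[end][0].isoformat(),
            "pattern": pattern,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(f"{alert['source_ip']}: {alert['failures']} RDP failures against "
              f"{alert['distinct_users']} accounts between {alert['first']} and {alert['last']} "
              f"({alert['pattern']})")
```

    On the constructed sample the workstation's two mistyped passwords never cross the threshold, while the burst from the Internet host is reported as a spray. The same grouping works on exported event data from a SIEM; the useful companion controls are account lockout, network level authentication and not exposing 3389 to the Internet at all.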

    Patching & EternalBlue Rumors

    [Image: Shodan Results Showing SMB Version 1.0 Enabled]

    While our sources do not point to patching issues such as EternalBlue being involved in this attack, there are multiple rumors circulating on the internet stating that EternalBlue was the entry point the attackers used. Even if EternalBlue was not a part of this attack, it has been used in other recent attacks, such as the RedisWannaMine cryptominer attacks.

    EternalBlue was one of several exploits released by the Shadow Brokers in April 2017. Microsoft had released a patch (MS17-010) the previous month, on March 14th. EternalBlue was also used in the WannaCry and Petya/NotPetya attacks that made headlines in 2017. It exploits SMB 1.0 and affects several versions of Windows and Windows Server, including newer versions such as Windows 10 and Windows Server 2016.

    Using Shodan, a search engine that indexes the configuration details of publicly exposed systems, Raxis confirmed that a system reported to be a part of Atlanta’s infrastructure still allowed SMB 1.0 as of Monday afternoon. As a career penetration tester, I know how easy this attack is to perform. In many cases, a successful exploit of EternalBlue leads to administrative rights on the system itself. An experienced hacker can often use other vulnerabilities, such as weak passwords and inappropriate delegation of administrative privileges, to gain further access on the network.
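    Whether SMB 1.0 is still switched on is something you can confirm on your own hosts without waiting for Shodan to index them. The code below is an added example written for this page (not Raxis code or a Raxis tool): it builds a standard SMB1 Negotiate Protocol request following the [MS-CIFS] wire format, parses the reply, and reports whether the server selected an SMB1 dialect. The sample replies are constructed so the parser runs offline; `probe_smb1` is the same parser fed by a real socket, for hosts you administer. The header flag values are the usual client defaults and are assumptions, not something the page states.

```python
"""Audit whether a host still accepts SMB 1.0 (the protocol EternalBlue abuses).

Added illustration, not Raxis code. The builder and parser follow the SMB1
wire format from [MS-CIFS]: a 4-byte NetBIOS session header, a 32-byte SMB
header starting 0xFF 'S' 'M' 'B', then WordCount, parameter words and
ByteCount. For SMB_COM_NEGOTIATE (0x72) the client lists dialects; the
server answers with the index of the dialect it picked, or 0xFFFF for none.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]  # the SMB1 dialect Windows hosts negotiate; offered on purpose without SMB2


def _smb1_header(command: int, flags: int) -> bytes:
    """32-byte SMB1 header; flag values are common client defaults (assumed, not from the page)."""
    header = SMB1_MAGIC + bytes([command])
    header += struct.pack("<I", 0)               # Status
    header += bytes([flags])                     # Flags
    header += struct.pack("<H", 0xC801)          # Flags2: UNICODE | NT_STATUS | EXTENDED_SECURITY | LONG_NAMES
    header += struct.pack("<H", 0)               # PIDHigh
    header += b"\x00" * 8                        # SecurityFeatures (unused without signing)
    header += struct.pack("<HHHHH", 0, 0, 0x1234, 0, 0)  # Reserved, TID, PIDLow, UID, MID
    assert len(header) == 32
    return header


def _netbios(body: bytes) -> bytes:
    """NetBIOS session message: type 0x00 followed by a 3-byte big-endian length."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_negotiate_request(dialects=DIALECTS) -> bytes:
    """Negotiate request offering only the given dialects: WordCount 0, then ByteCount and the dialect list."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = _smb1_header(SMB_COM_NEGOTIATE, 0x18) + bytes([0]) + struct.pack("<H", len(data)) + data
    return _netbios(body)


def parse_negotiate_response(data: bytes, dialects=DIALECTS) -> dict:
    """Return which protocol answered and whether an SMB1 dialect from our list was selected."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if body[:4] == SMB2_MAGIC:                   # server answered in SMB2: SMB1 was not negotiated
        return {"protocol": "SMB2", "smb1_accepted": False, "dialect": None}
    if body[:4] != SMB1_MAGIC or len(body) < 35:
        raise ValueError("not an SMB1 negotiate response")
    if body[4] != SMB_COM_NEGOTIATE:
        raise ValueError(f"unexpected command {body[4]:#x}")
    word_count = body[32]
    if word_count == 0:
        return {"protocol": "SMB1", "smb1_accepted": False, "dialect": None}
    index = struct.unpack_from("<H", body, 33)[0]  # first parameter word: DialectIndex
    if index == 0xFFFF or index >= len(dialects):
        return {"protocol": "SMB1", "smb1_accepted": False, "dialect": None}
    return {"protocol": "SMB1", "smb1_accepted": True, "dialect": dialects[index].decode()}


def probe_smb1(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Ask one host you administer whether it still negotiates SMB1 (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            reply = s.recv(4096)
        except ConnectionResetError:
            reply = b""
    if not reply:  # a host with SMB1 disabled commonly drops the connection instead of answering
        return {"protocol": None, "smb1_accepted": False, "dialect": None}
    return parse_negotiate_response(reply)


def fake_smb1_response(dialect_index: int) -> bytes:
    """Constructed server reply for offline testing: 17 words when a dialect is chosen, 1 word for none."""
    if dialect_index == 0xFFFF:
        words = struct.pack("<H", dialect_index)
    else:
        words = struct.pack("<H", dialect_index) + b"\x00" * 32  # remaining NT LM 0.12 fields, zeroed
    body = _smb1_header(SMB_COM_NEGOTIATE, 0x98) + bytes([len(words) // 2]) + words + struct.pack("<H", 0)
    return _netbios(body)


if __name__ == "__main__":
    print("SMB1 host  :", parse_negotiate_response(fake_smb1_response(0)))
    print("no dialect :", parse_negotiate_response(fake_smb1_response(0xFFFF)))
```

    A host that answers with `smb1_accepted: True` still speaks the protocol EternalBlue targets and belongs at the top of the patch and hardening list; on Windows, disabling the SMB1 server feature and applying MS17-010 closes both halves of the problem.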

    SamSam Ransomware

    A trusted Raxis source has confirmed that SamSam (also known as Samas or SamsamCrypt) ransomware, first seen in late 2015, was used in the attack. Once the attackers infiltrated Atlanta’s systems using RDP, they appear to have deployed the SamSam ransomware that alerted Atlanta. Attacks of this type have been widespread, victimizing governments, the healthcare industry, and educational institutions, as well as businesses of all sizes. The attacks have been profitable because the ransoms have often been affordable, often making it more appealing to pay to decrypt the affected files, rather than take on the expense and administrative burden of adjusting operations to compensate for lost data. Even with backups in place, it can take days or even weeks to restore systems fully. It seems best not to pay an attacker who is holding your information at ransom, but, in many cases, restoring business operations in a timely manner takes precedence.

    What now?

    [Image: Atlanta Mayor Keisha Lance Bottoms at a March 26th Press Conference]

    While our source tells us that the initial internal response efforts were disorganized, Atlanta now appears to be engaged with the Microsoft and Cisco experts that it has brought in. The current lack of details is a positive; like any active investigation, managing communications is paramount until as many facts as possible have been discovered. A trusted source tells Raxis that Atlanta has made it clear that brand management is a priority as its bid to become the second Amazon headquarters and the 2019 Super Bowl loom large.

    That said, Atlanta has demonstrated effective triage measures in response to the attack. As mentioned above, employees were told not to log in to their workstations, decreasing the attack surface. An airport spokesman told the Associated Press that the airport Wi-Fi network (as well as part of the webpage) had been taken down as a precaution.

    Atlanta has also been actively updating the public with news that is considered appropriate to release. Atlanta has leveraged its Twitter account, @cityofatlanta, to great effect, using it to post videos of press conferences with Atlanta Mayor Keisha Lance Bottoms as well as to alert constituents as city information services are restored to service.

    Finally, what can your company do to not end up in this position?

    Test, test, test. Working at Raxis, I’ve seen penetration tests open customers’ eyes to issues they may not have known about or did not understand. While a penetration test may feel scary (you’re asking a hacker to enter your systems; the fear is understandable!), if you choose a good company, you should find that a penetration test is an indispensable tool to discover and prioritize your security tasks. The report you receive at the end of each test should do just that. To learn more about Raxis’ penetration testing services or just to find out more about the types of tests we recommend, see our site at https://raxis.com/pentest/.

    At Raxis, we’ve also worked with smaller companies that don’t need or can’t afford a full penetration test. We’ve recently launched a new service, the Baseline Security Assessment, that is meant to provide the benefit of security awareness for companies that may not require the full depth of engagement that comes with our penetration testing services.

    Mature organizations that have mastered the art of managing a strategic security program that includes regular testing, vulnerability and patch management, as well as identity and access control, will benefit from the next step in security readiness. Investing in our Rapid Response Incident Response retainer is a strong measure of preparedness for when a security incident does occur. See Specialized Services to learn more about how Raxis can help you with this as well.

    If you have questions about where to start and what services could be right for you, fill out the contact form at https://raxis.com/company/contact, and we’ll be happy to discuss how we can help fortify your defenses to keep you open for business and out of the headlines.

  • How EMV Chips Provide Increased Security

    Last week Raxis’ managing director, Bonnie Smyre, met with Dana Fowle at Fox 5 Atlanta to discuss EMV credit card chip technology. The US is the last major market to convert to this technology as an eventual replacement for magnetic strip credit cards. Bonnie speaks with Dana about the increased security provided by these chips, which send a one-time code for each transaction. Watch the video for more details.
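    The one-time code the segment describes is, in EMV terms, an application cryptogram: a message authentication code over the transaction details and a counter the chip increments on every use, keyed with a secret only the chip and the issuer hold. The model below is an added example written for this page, not Raxis code and not the real EMV algorithm (it stands in HMAC-SHA256 for the card's cryptogram and keeps the issuer's checks to the two that matter here). It shows why a captured code cannot be replayed or altered at the register, and why an online purchase, where no chip takes part, gets none of that protection. The card number, key, security code and purchases are constructed.

```python
"""Why a per-transaction code stops replay at the register but not online fraud.

Added illustration, not Raxis code and not the real EMV algorithm. An EMV
chip authenticates each purchase with an Application Cryptogram: a MAC over
the transaction data, including a counter (ATC) the chip increments every
time, under a key only the chip and the card issuer hold. This toy uses
HMAC-SHA256 in its place; the card key, card number and purchases are
constructed for the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _cryptogram(key: bytes, pan: str, atc: int, amount: int, merchant: str, nonce: int) -> str:
    """MAC over everything the issuer must see unchanged; stands in for the EMV cryptogram."""
    msg = f"{pan}|{atc}|{amount}|{merchant}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class ChipCard:
    pan: str        # constructed test card number, not a real account
    cvv2: str       # the printed security code used for online purchases
    key: bytes      # constructed per-card secret shared with the issuer; never leaves the chip
    atc: int = 0    # Application Transaction Counter

    def authorise(self, amount: int, merchant: str, nonce: int) -> dict:
        """What the chip hands the terminal: the transaction fields plus a fresh one-time code."""
        self.atc += 1
        code = _cryptogram(self.key, self.pan, self.atc, amount, merchant, nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "merchant": merchant, "nonce": nonce, "cryptogram": code}


class Issuer:
    """Authorisation host: checks the MAC and refuses any counter value it has already accepted."""

    def __init__(self):
        self.keys, self.cvv2, self.last_atc = {}, {}, {}

    def enrol(self, card: ChipCard):
        self.keys[card.pan] = card.key
        self.cvv2[card.pan] = card.cvv2
        self.last_atc[card.pan] = 0

    def verify_chip(self, auth: dict) -> str:
        key = self.keys.get(auth["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _cryptogram(key, auth["pan"], auth["atc"], auth["amount"], auth["merchant"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return "DECLINE: bad cryptogram"          # any altered field breaks the MAC
        if auth["atc"] <= self.last_atc[auth["pan"]]:
            return "DECLINE: transaction counter already used"  # a replayed code is rejected
        self.last_atc[auth["pan"]] = auth["atc"]
        return "APPROVE"

    def verify_card_not_present(self, pan: str, cvv2: str) -> str:
        # No chip takes part in an online purchase, so only static data can be checked:
        # numbers copied from the card work exactly as well as the card itself.
        return "APPROVE" if self.cvv2.get(pan) == cvv2 else "DECLINE"


def demo_chip_replay():
    """One genuine dip, then the captured code replayed, then the same code with a changed amount."""
    card = ChipCard(pan="4111111111111111", cvv2="123", key=b"constructed-card-key-0001")
    issuer = Issuer()
    issuer.enrol(card)
    auth = card.authorise(amount=4999, merchant="HARDWARE-STORE-0042", nonce=0x5A17)
    genuine = issuer.verify_chip(auth)
    replayed = issuer.verify_chip(auth)                    # a skimmer re-sends the captured code
    tampered = issuer.verify_chip(dict(auth, amount=99999))
    return genuine, replayed, tampered


def demo_card_not_present():
    """The same issuer approves an online purchase from anyone holding the copied card numbers."""
    card = ChipCard(pan="4111111111111111", cvv2="123", key=b"constructed-card-key-0001")
    issuer = Issuer()
    issuer.enrol(card)
    copied = (card.pan, card.cvv2)       # read off the card face, no chip involved
    return issuer.verify_card_not_present(*copied), issuer.verify_card_not_present(*copied)


if __name__ == "__main__":
    print("chip transactions:", demo_chip_replay())
    print("online purchases: ", demo_card_not_present())
```

    The first function approves the genuine transaction and declines both the replay and the altered amount; the second approves the copied numbers every time, which is the gap behind the shift to online fraud the interview mentions and the reason issuers layer tokenisation and additional cardholder verification onto card-not-present payments.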


    Please see below for a transcript of the video interview with Fox 5 News:

    …”And if you haven’t, it’s time to get on board. The bottom line is that security experts agree, it’s safer to use than your magnetic strip.

    The swipe at many retailers is on its way out. Now at the register you will “Dip the Chip.”

    Pull your credit card out of your wallet. If you got a new one, which many of you have, you should see a silver square. It’s called EMV chip technology.

    We listened in as a Home Depot employee walked a customer through it.

    “This is a chip card now, place inside – the card – like that. Just leave like that until the light is gone.”

    Bonnie Smyre of the local Internet security firm RAXIS said, “What that does that is special is that it creates a one-time code.”

    It’s an extra security layer. A new code is created for each purchase. But, it does take longer to process the card.

    It takes a good, solid 10 seconds, at major retailers. Longer at smaller shops. But, according to security expert Bonnie Smyre, it’s offering the closest thing we have to perfect credit card security protection. 

    “Even if that code is stolen by a thief nearby who is trying to get that information, the code can not be used again. And that’s your protection here.”

    The US is the last big market to use this EMV chip technology. Great Britain has used it for 10 years and its credit card fraud for in-person purchases has plummeted a whopping 63 percent.

    Home Depot customer Ben Darmer said there isn’t really much of a learning curve at all when using it the first time. The machine at the register walks you right through the process.

    “I like the security and it’s very easy to use. We were recently in Europe and they use them all over the place,” he said.

    Novelle Caibon was a first-timer.

    “It seemed pretty good. I like it.”

    But here’s the catch: This chip doesn’t offer any protection for online purchases.

    “In the UK, like I said, 10 years ago that they did this conversion, since then they’ve seen 120 percent increase in online fraud,” said Bonnie Smyre.

    Not all small retailers have the new chip machines yet. They’re expensive. Ms. Smyre says it can cost up to $1,000 per terminal to install. But big box retailers, like Home Depot and Target, do have them installed.

    Home Depot supervisor Kevin Cannon says while customers look a little confused at first, it only takes one time to get it.

    “It’s not here to hurt you; it’s here to help you and it’s a better way,” he said.”