Tag: Device Security

  • Meet the Team: Adam Fernandez, Lead Developer

    Hi, everyone! I’m Adam Fernandez, and it’s my turn to introduce myself as part of the Raxis Meet the Team series. So, I spoke to our marketing specialist, and we talked about how I came to be a security professional. (As it turns out, I started down that path early in life.) I certainly enjoy working with this team and, if you think you might also, read on and then check out our careers page or subscribe to our YouTube channel.

    Jim: Adam, you’ve done a lot of penetration tests, but your title is Lead Developer. What’s going on there?

    Adam: I started out at Raxis as a penetration tester when I joined the company in 2017, but I also enjoy developing software, testing devices, and taking apart and building new ones. One of the great things about working for Raxis is that our leaders understand how those skills complement each other, and I have a lot of flexibility to work on new and advanced projects in addition to helping with pentesting engagements.

    Jim: As I understand it, you came to Raxis from an entirely different career field, right?

    Adam: That’s right. I actually studied stage management and lighting design at Kennesaw State University. In fact, theater was the focus of much of my time at Woodstock High School in Woodstock, GA as well as in college.

    I started out as a stagehand, moving a ladder on and off stage. But I really wanted to work with sound and lighting, so I started learning as much as I could about that through YouTube videos, the Internet, and books my mom bought for me. I also sought out internships in Seattle, where I lived in the summers, and worked on the production of Sweeney Todd at SecondStory Repertory Theater.

    Jim: Did that help spur your interest in development?

    Adam: In a way. As I transitioned into stage management, I knew that the sound and lighting people needed a better system for taking their cues, and my high school couldn’t afford an expensive solution. I really believed that was something I could figure out. So, I built a device to let them know what they were supposed to be doing when. Then I sold it to the school for $350.

    The device Adam created as a senior in high school.

    Jim: That’s pretty amazing for a student, but you didn’t stop there, right?

    Adam: No, I also wanted the theater department to have its own website to manage membership dues and ticket sales, so I created the whole thing from scratch. It was the ugliest site ever, but the school paid me $500 per year to manage it.

    Jim: Sounds like you were a bit of an entrepreneur as well.

    Adam: Well, I did create my first company at KSU. I developed software that would automate the audition process with searchable applications and headshots. The school paid me to manage events, but there was a rule that prevented them from paying students directly, so I had to create a company to make it all legit.

    Jim: So, how did you move from doing events at KSU to penetration testing?

    Adam: Well, I was also a student assistant at KSU for the Facilities Manager, Brad Herring, who ended up leaving KSU to go to work with Raxis and is now VP of Business Development. After he’d been here a while, he told me, “I think you’d be really good at pentesting, and I want you to talk to our CEO.” Brad’s always been a mentor to me and one of my best friends, so I took his advice and had lunch with him and (Raxis CEO) Mark Puckett. Before I knew it, I was working in a fascinating new field that I loved.

    Jim: What is it about cybersecurity that’s interesting to you? How did you make that leap?

    Adam: Looking back on it, security really wasn’t a leap at all. I remember as a small child, having an intense interest in padlocks and how they worked. I asked for a safe for Christmas one year. Then, it was spy gadgets, alarms, and games. My stepdad was a software developer, and, at a very young age, he helped me make a program that required you to enter a certain color sequence to unlock the app.

    Now, I’m intrigued by using software to control things in the real world, which is why I love the IoT and figuring out how various devices work. In fact, I have an electronic access keycard system at my house. It’s antiquated, but I bought it in part so that I could reverse engineer it and learn how it works.

    Adam’s favorite device is his Tesla

    Jim: Do you get to work with devices at Raxis?

    Adam: Yes, we have our Transporter that we use to do remote pentesting, and we recently bought the Boscloner company. That’s a very advanced badge-cloning device. Of course, with more and more devices online, IoT security is becoming a lot more important every day.

    Jim: What’s your favorite part about working with Raxis?

    Adam: I love having the ability to introduce new ideas and not only have them heard but also make them a reality. And Raxis just feels like family. Theatre was like that too, but this feels way more genuine.

  • Three Questions to Ask Before Connecting a Device to the Internet

    “In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.”

    Raxis Lead Penetration Tester, Scottie Cole

    I’m a gadget guy with a lot of IT experience, which of course makes me the pro bono tech troubleshooter for every friend and relative within 100 miles. It also means I’m the guy they call when they want to connect their latest gizmo to the Internet.

    I don’t usually mind helping, but I often find myself wondering if people are putting enough thought behind this race to connect to the Internet of Things (IoT). 

    Ha! Just kidding. I know for a fact that most aren’t putting any thought behind it.

    The allure of convenience, the snob appeal of being an early adopter, and the FOMO factor make it incredibly easy to sell these devices. But there’s no incentive to also talk about security issues – and that’s a big problem. 

    So, as a public service, I’m taking off my gadget-geek gear and putting on my professional hacker hoodie. Before you connect any device to the Internet, ask yourself these questions (and answer them honestly):

    Will I really use it as much as I think? This is about more than simply being frugal. The less you use a device or an associated app, the more likely you are to miss important updates and leave security patches uninstalled. You might not be paying attention, but hackers surely are. Which brings up a second question . . . 

    Can I secure it? Why don’t we pose that question to Alexa? Oh, wait. Can we trust her? Really, we only have a pinky swear from the company that she’s not spying on us. And that’s a potential problem with many devices. Even as a security professional, I can only control the security on my end. If it’s a centrally administered service, I have to also trust the company to protect access to the device as well. That’s why it pays to really read what they have to say about security. And that raises a third, even more important question . . . 

    What am I putting at risk if it’s hacked? One of the great IoT ironies is that some of the products sold under the guise of making us more secure are often the most vulnerable to attack. That means security cameras can turn into spy cameras. The ability to lock our doors remotely means they can be unlocked the same way. In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.

    A more urgent concern is that any device connected to your network can become a pathway for unauthorized access. If you think that’s unlikely, watch my colleague Scott Sailors hack a wireless mouse. From a practical perspective, that means you should segment your network so that, if your toaster is hacked, you’re not putting all your bank and credit card data at risk as well. 

    The reality is that connected devices are improving our lives dramatically and we haven’t even scratched the surface of their real capabilities. It’s exciting to realize that more and more devices are becoming smarter and more capable. In order to fully enjoy the advantages of being connected, we simply need to be realistic about our abilities, mindful of the risks we take, and diligent about mitigating them effectively.

    Companies hire the team here at Raxis to identify vulnerabilities and correct them before hackers can take advantage. As individuals, it’s up to us to do it ourselves.

    Of course, you can also call on a friend or relative to help. (Not me, though. I’m all booked up through the end of the year.)

  • Why Companies Shouldn’t Overlook Mobile Application Testing

    There are apps sold to the general public and ones that are made available by businesses to their customers, as well as proprietary apps used only within organizations. What all of these apps have in common is that, without proper security, they are all vulnerable to attack. And each of those 200 billion downloads represents an ever-expanding pool of potential hackers and victims.

    That’s why conducting penetration tests on mobile applications is one of the most important services we offer here at Raxis. We’ve tested apps for Apple, Android, and Windows phones, using up-to-date devices, jailbroken iPhones, and rooted Android devices, as well as emulators that allow further testing.

    Here are some of the most common issues we find:

    Jailbroken or Rooted Devices

    Ideally, apps should be set up so that they won’t even run on devices that are jailbroken or rooted. People often do that to their devices to have more control than the vendor intended, allowing them to download unauthorized apps from stores such as Cydia. The danger is that such apps may allow nefarious activities or steal users’ data.

    Phones that have been jailbroken or rooted are also open to attacks on the operating system itself, possibly giving an attacker control of the device as well as control of legitimate applications. Our strong recommendation to developers is to build into apps the ability to recognize a device that has been compromised and to block its access until the device is updated correctly.

    No SSL Certificate Pinning

    We also find many mobile apps that don’t use SSL certificate pinning. Certificate pinning has the app verify that the server’s certificate (or its public key) matches a known-good copy embedded in the app, rather than accepting any certificate the device’s trust store happens to accept. When an application fails to verify the certificate this way, it opens the door for a man-in-the-middle (MitM) attack, in which the attacker can insert himself into the encrypted traffic between the app and the server. This can be accomplished through name resolution poisoning, adding a proxy server, or a number of other ways.

    The attacker then can use his own certificate to impersonate the API server and decrypt the application traffic, read or manipulate it, re-encrypt it, and forward it on to the intended destination without detection. This type of attack not only allows an attacker to decrypt both incoming and outgoing traffic (such as credit card numbers and passwords), but also allows the attacker to change it. Using a typical bank transaction as an example, the hacker could transfer the funds to his account instead of yours.
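    The pinning check described above, as an added example that is not code from the Raxis post: the app computes a SHA-256 pin of the server’s DER-encoded leaf certificate and refuses to send any application data unless that pin is in a set embedded in the app. Normal CA and hostname validation still runs; the pin check is the extra step that defeats a proxy presenting a certificate the device trust store would otherwise accept. The host name, pin values and sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server's leaf certificate matches none of the pinned values."""


def cert_pin(der_cert: bytes) -> str:
    """Return the pin for a DER-encoded certificate in the 'sha256/<base64>' form."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def verify_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate's pin is one of the values embedded in the app.
    Keep a backup pin in the set so a certificate rotation does not lock users out."""
    return cert_pin(der_cert) in set(pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and only hand it back if the leaf certificate is pinned.

    create_default_context() still performs chain and hostname validation; the
    pin check runs after the handshake but before any request is written, so a
    MitM proxy with a CA-trusted certificate is rejected at this point.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # leaf certificate as DER bytes
    if not verify_pin(der, pins):
        tls.close()  # never send application data over an unpinned connection
        raise PinMismatch(f"certificate for {host} matches none of the pinned values")
    return tls


# Constructed sample: stands in for the DER bytes of the API server's certificate.
SAMPLE_CERT = b"constructed-sample-certificate-bytes-not-a-real-cert"
# Placeholder pin set an app would embed: the current pin plus a backup for rotation.
PINNED = {cert_pin(SAMPLE_CERT), "sha256/BACKUP-PIN-PLACEHOLDER-NOT-A-REAL-VALUE="}

if __name__ == "__main__":
    print("sample cert pinned:", verify_pin(SAMPLE_CERT, PINNED))
    print("substituted cert pinned:", verify_pin(b"attacker-proxy-cert", PINNED))
```

The unpinned version of the app is the same code without the `verify_pin` call, which is exactly what a proxy with a trusted certificate exploits.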

    Shared Vulnerabilities

    Not all vulnerabilities are exclusive to mobile applications. We also find many, such as SQL injection (SQLi) attacks, that can be weak points within web applications as well. That’s why it’s important to test mobile apps separately from web apps. Even though they may use the same APIs and databases, and the user experience may feel nearly identical, the platform code and environment are different. Testing each one ensures that a hacker can’t exploit the app simply by changing platforms.

    Internal Apps

    Raxis has tested apps that are made available for customers as well as proprietary apps that are used within organizations, such as on flights for meal service. We’ve worked with companies that were less concerned with internal apps and proprietary devices because they were only available to employees. In those cases, we explain that personal and proprietary devices could fall into the wrong hands. If an internal mobile device or app runs on a production network, an attacker that gains access to the device is one step closer to accessing company data that may be on that network.

    What You Can Do

    Many of the companies that come to Raxis for mobile tests use that as a marketing tool. They are proud to show potential customers that they have a strong focus on securing their data. So, take a look at the apps on your mobile device. Do you know if they’ve been tested by a company like ours? It’s always a good idea to read the security and privacy data before you download.

    And remember, if you’re not sure, you can always ask – in public forums or user groups, or even directly to the app developers themselves. If they don’t currently conduct routine penetration testing, your questions might convince them they should.

    *SOURCE: Statista c. 2020

  • How to Pull Off a Mousejacking Attack

    What’s an easy, effective and potentially devastating cyberattack . . . that’s also named for a rodent?

    If you guessed mousejacking, you are a star student today. 

    A mousejacking attack occurs when an attacker scans for the wireless transmissions sent from your wireless mouse to the USB dongle plugged into your computer. These transmissions from a mouse contain data that describes the mouse’s actions. When an attacker is able to scan and find these transmissions, they may also be able to quickly intercept and, with a few quick keystrokes and clicks, impersonate the mouse and begin sending their own malicious commands through the wireless dongle and into the computer. 

    Users may see a brief pop-up screen with code, but things return to normal quickly, and many times they don’t think it’s significant enough to notify their security team.

    To add a little insult to injury, an attacker doesn’t even have to be in the building or in close proximity to the workstation to pull this off. They can be in your parking lot or maybe that park across the street.

    Now, there are a lot more technical things that go into it, so take a look at the video above to learn the details.

    So how do you prevent a mousejacking attack? Since this attack can only occur on workstations that are unlocked and running, remember (and remind your colleagues) to always lock your station if you are walking away or not actively working on it. Also, let your colleagues in IT security know about anything suspicious you see. Trust me, they want to know.

    Remember it only takes a few minutes for attackers to get into your network and start causing trouble. 

    Please share this blog and video with your team so they know what to look for and how quickly it can happen, and encourage them to report it immediately. 

    With years of penetration testing and general mischief-making behind us, we at Raxis have learned that there is always a way in. And we can find it. Our team of experts is ready to help you and your organization find your weaknesses and strengthen your security. Talk with our team today.

  • Securing the Internet of Things

    The term “Internet of Things” is almost redundant now. If it’s a “thing” that has more than one setting, odds are it is or can be online. Whether or not you need remote access to your toaster oven is a question for another day, but it is an option.

    Here’s the problem: As the Raxis team proves on a near-daily basis, anything that’s connected can be hacked. It’s not that someone’s going to overcook your morning bagel as a prank (although that would be a good one). Instead, it’s that uncontrolled access to any device can give a bad guy a way into your network (and maybe all your devices) if you’re not careful.

    The good news is that there are some simple safeguards you can take to protect your smart devices, and our new Securing the Internet of Things series will take you through them.

    Scottie Cole, senior penetration tester, is kicking things off with the quick video above about securing your home thermostat or corporate HVAC system. I encourage you to watch and to follow Scottie’s advice. Better to take a few minutes now than take a big loss later.

    PS – We’ll do a video on protecting your smart toaster . . . as soon as we find someone who owns one.