The News
20,000 Social Security Numbers Compromised in Physical Security Breach
Written by Jeromie Jackson   
Tuesday, 15 December 2009 21:14


An organization in California recently found a note in their data center one morning. It said “Dear Administrator, Please Call XXX-XXX-XXXX in order to discuss last night's physical security breach.” "This has to be a joke," the administrator thought. The organization has security guards, cameras, motion sensors, and interior locks on everything including the bathrooms. No alarms were tripped, no sensors showed any error or warning conditions.

The organization had hired us to conduct an Internal & External Vulnerability Assessment & Penetration Test, along with a Physical Security Penetration Test. The goal was to see if we could physically penetrate the organization and reach the data center in the middle of the night. This is a brief synopsis of our methodologies, the attack, and take-aways. This will be a multi-part Blog. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.

 

Remote Reconnaissance

Our initial site discovery was conducted online. By reviewing information available on the Internet we were able to identify employees, vendors, high-level building information, and areas of interest and concern. Senior titles and emails were acquired. These could be used for a variety of email- and phone-based social engineering ruses. Maltego is an awesome graphical way to analyze information on the Internet, and relationships between content. It was used to graphically, and quickly, assess relationships the organization holds with business partners, associations, and manufacturers. Below are a couple of screenshots from Maltego.

 

[Screenshots: Maltego-1, Maltego-2, Maltego-3]

Google Maps showed the businesses in the immediate area. Identifying how big the street was, the types of adjoining and nearby businesses, and the type of neighborhood helped determine foot traffic levels at night, the amount of car traffic, etc. A review of the physical location via Google Site Maps Street View showed the rear of the building would have less visibility than the street-facing stairwell. There is an apartment complex behind the building; this may heighten the number of people potentially monitoring/seeing the building throughout the night.

 

Reconnaissance Day

Our customer occupies the entire 3rd and 4th floors in a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone, and 3-megapixel camera housed in a pen. Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was videotaping the environment. Primary take-aways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. While monitoring the location, we noted that the guards leave at 10PM. The cleaning crew appeared to set all of the alarms on their way out.

My next blog will be about the hit the following night; I'm just about done writing it. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.

 

Last Updated on Monday, 28 December 2009 18:21
 
Metasploit & Rapid7- Nexpose Beta Test Results
Written by Jeromie Jackson   
Thursday, 22 October 2009 01:35


Download the Vmware Virtual Appliance

I have been conducting security assessments since 1995. When I started my consultancy, Garrison Technologies, in 1994 commercial firewalls did not exist. That being said, the ride has been interesting. I had seen the ISS scanner well before it was commercial- often shared amongst the hack and phreak crowds in the late 80's. I utilize a combination of open source and commercial tools when conducting my assessments. For the last year Rapid7's Nexpose has been one of the more prominent tools in my bag.

I was approached back around August 13th to beta test and give any feedback I may have. I installed the application on a VMware virtual appliance running Ubuntu 8.10. Installation basically consisted of installing Rapid7, and then installing Metasploit with the web interface. It was straightforward; no stumbling blocks yet.

Upon launching the scanner, and logging into the console, nothing appeared noticeably different. The integration was revealed when reviewing scan results. The number of exploits available was shown along with the number of vulnerabilities in the environment. Equally, when diving into results there was an additional Exploitation box where exploits were indeed available within Metasploit. Clicking through the URLs launched the Metasploit web interface, pre-loaded with results from the scan. While it was clear the UI was not written by the same group, the functionality worked great!


Download the Vmware Virtual Appliance if you:

  • Are using Nessus to scan your environment
  • Have a SaaS solution that is using Nessus as a back-end scanning engine
  • Are looking to validate the results of your vulnerability scans
  • Are looking for a comprehensive vulnerability & penetration testing toolset

For those of you who are running Nessus, or leveraging vendors who use Nessus as the underlying scanning engine, I urge you to at minimum try a virtual appliance. I personally see huge reductions in false positives, and identification of vulnerabilities that Nessus does not. Equally, if you need to validate the results of your scans, to ensure the results are accurate & compromise is indeed possible, this is a great merger.

Last Updated on Thursday, 22 October 2009 01:39
 
Metasploit Acquired by Rapid7
Written by Jeromie Jackson   
Wednesday, 21 October 2009 17:05

 

Downloads

Download Rapid7 Virtual Appliance

Download Metasploit


Metasploit Videos

 

Metasploit is the de facto standard for open-source penetration testing frameworks. Basically, testers will leverage a vulnerability assessment utility such as Rapid7's Nexpose commercial tool, and/or Nessus, to identify vulnerabilities present within the environment. Once vulnerabilities are validated, the next step is to actively exploit them. Historically this was generally done with custom-coded exploits written in C, Perl, Python, etc. Metasploit provides a framework which contains exploit code along with various payloads you can deliver to the target. The included payloads provide various functions such as running a command on the remote machine, remote command-line interfaces, adding a user to the Administrator group, and other such nefarious activities, even an encrypted remote shell to ensure communications are not monitored.

Rapid7 Nexpose is a leading commercial vulnerability assessment/management utility. I personally use it when conducting penetration tests, vulnerability assessments, and also as part of my web assessments. Fast, clean, and strong reporting.

Last Updated on Wednesday, 21 October 2009 17:37
 
IT Optimization- Top 5 Tools Every CIO Should Leverage
Written by Jeromie Jackson   
Monday, 05 October 2009 17:24


All of your vendors and suppliers are talking about reducing Total Cost of Ownership (TCO), and higher Return On Investment (ROI) in our current economic situation. Considering how budgets are being tightened, and heightened scrutiny is on purchasing, you can't blame them. While the dancing around the dollars continues, many are simply repackaging their message. The below 5 steps will help you as a manager, leader, or executive (COO, CFO, CTO, CIO, CEO) in your organization to make prudent decisions on purchases.

 

1- Maximize Current Investments

When looking over an existing environment there are almost always ways to optimize, reduce cost, or minimize upcoming investments. Multiple-Interface firewalls, under-utilized consoles, and places where countermeasures can be utilized to fix existing risks are often already existing in the environment. I often find organizations not fully leveraging their firewalls and existing log consolidation opportunities. Architectural review of as-is and to-be is almost always a very valuable project when conducted by a non-biased third party.

 

2- Optimize

I know many are of the opinion that Six Sigma, Lean Six-Sigma, Balanced Scorecards, Business Process Optimization (BPO), and the pile of other models, frameworks, and guidelines are a waste of time. I have to say, I was of this thought initially. After standing up a Security & Risk Management team I found them to be invaluable. By leveraging these practices/frameworks best-practices are documented, a clear “to-be” state is communicated, and experts have documented valuable insight the organization can use. In summary- they give guidance on how to harmonize remediation activities, and to “hack at the root” instead of “thrashing at the leaves.”

 

3- Use Platinum/Elite VARs For Maximum Discounts

Have an expensive piece of software that you intend to keep? Seek Value Added Resellers (VARs) who are of the highest-level partnership with the manufacturer. These manufacturers receive discounts small shops are unable to obtain; this is generally due to the sales commitments they have with the manufacturer. A large VAR that sells products/services across many technology areas may be able to drive additional discounts by engaging in longer-term sourcing agreements.

 

4- Use Displacement SKUs

Looking at a technology that could replace, and potentially improve, existing infrastructure? You'll find many vendors have Displacement SKUs they will use when competing. These SKUs are generally deeply discounted in order to gain market-share from the competition. Use these to your advantage during migration between vendors to gain additional price reductions.

 

5- Consolidate Technologies/Consoles

Today, many organizations have best-of-breed solutions throughout the organization. As vendors merge and technologies mature, many of these tools are being consolidated. There are significant benefits to consumers. Centralized consoles simplify administrative burden and can optimize incident response times, training overhead, and maintenance fees. By reducing the number of systems in the environment, efficiency is gained. Administrators have a smaller number of systems to manage, and training requirements are reduced. Often the consolidation also provides additional benefits. For example, an Intrusion Detection System (IDS) when combined with a vulnerability management system allows the IDS to determine if an active attack will be successful against the environment, directly impacting the type of response that is required. By looking at your current environment, and comparing it to current technologies, the organization may be able to sustain, or improve, the organization while equally reducing cost or improving efficiency.

 

Make no mistake, there are many areas where cost-cutting is possible, and most likely prudent. Do not be misdirected towards additional purchases before you clean up what you have. While many budgets have diminished, optimization of the current infrastructure may yield additional dollars. I spend a significant amount of time with leadership focusing on such activities, at no cost. I look forward to continuing to gain trusted-advisor status with my customers by partnering with them, instead of pitching to them. I provide free IT budgeting sessions for many of our customers. Certainly reach out if you would be interested in learning more, or conducting a session.

Last Updated on Monday, 05 October 2009 17:28
 
Social Networking Dangers
Written by Jeromie Jackson   
Thursday, 24 September 2009 23:10


 

Knowing Me, Knowing You
(the Dangers of Social Networks)

Here's a copy of a recent presentation at Brucon that provided a compelling and unique perspective as to why individuals should be concerned about using social networking. Many real-world scenarios such as burglary, stalking, and physical attacks are easily cultivated with the plethora of data many individuals post freely on social networking sites such as Twitter, Facebook, & LinkedIn.

Social Networking Security Risks

 

 

Last Updated on Thursday, 24 September 2009 23:12
 