Sunday, February 19, 2012
Tuesday, November 15, 2011
Here at Netragard We Protect You From People Like Us™ and we mean it. We don’t just run automated scans, massage the output, and draft you a report that makes you feel good. That's what many companies do. Instead, we "hack" you with a methodology that is driven by hands-on research, designed to create realistic and elevated levels of threat. Don’t take our word for it though; McAfee has helped us prove it to the world.
Through their Threat Intelligence service, McAfee Labs listed Netragard as a “High Risk” due to the level of threat that we produced during a recent engagement. Specifically, we were using a beta variant of our custom Meterbreter malware (not to be confused with Metasploit’s Meterpreter) during an Advanced Penetration Testing engagement. The beta malware was identified and submitted to McAfee via our customer's Incident Response process. The result was that McAfee listed Netragard as a “High Risk”, which caught our attention (and our customer's attention) pretty quickly.
McAfee was absolutely right; we are “High Risk”, or more appropriately, "High Threat", which in our opinion is critically important when delivering quality Penetration Testing services. After all, the purpose of a Penetration Test (with regards to I.T security) is to identify the presence of points where a real threat can make its way into or through your IT Infrastructure. Testing at less than realistic levels of threat is akin to testing a bulletproof vest with a squirt gun.
Netragard uses a methodology that’s been dubbed Real Time Dynamic Testing™ ("RTDT"). Real Time Dynamic Testing™ is a research-driven methodology specifically designed to test the Physical, Electronic (networked and standalone) and Social attack surfaces at a level of threat that is slightly greater than what is likely to be faced in the real world. Real Time Dynamic Testing™ requires that our Penetration Testers be capable of reverse engineering, writing custom exploits, building and modifying malware, etc. In fact, the first rendition of our Meterbreter was created as a product of this methodology.
Another important aspect of Real Time Dynamic Testing™ is the targeting of attack surfaces individually or in tandem. The “Netragard’s Hacker Interface Device” article is an example of how Real Time Dynamic Testing™ was used to combine Social, Physical and Electronic attacks to achieve compromise against a hardened target. Another article titled “Facebook from the hackers perspective” provides an example of socially augmented electronic attacks driven by our methodology.
It is important that we thank McAfee for two reasons. First we thank McAfee for responding to our request to be removed from the “High Risk” list so quickly because it was preventing our customers from being able to access our servers. Second and possibly more important, we thank McAfee for putting us on their “High Risk” list in the first place. The mere fact that we were perceived as a “High Risk” by McAfee means that we are doing our job right.
Friday, June 24, 2011
Friday, February 25, 2011
Recently Netragard has had a few discussions with owners and operators of sports arenas, with the purpose of identifying methods in which a malicious hacker could potentially disrupt a sporting event, concert, or other large scale and highly visible event.
During the course of these conversations, the topic of discussion shifted from network exploitation to social engineering, with a focus on compromise of the digital signage systems. Until recently, even I hadn’t thought about how extensively network-controlled signage systems are used in facilities like casinos, sports arenas, airports, and roadside billboards. That is, until our most recent casino project.
Netragard recently completed a Network Penetration Test and Social Engineering Test for a large west coast casino, with spectacular results. Not only were our engineers able to gain the keys to the kingdom, they were also able to gain access to the systems that had supervisory control for every single digital sign in the facility. Some people may think to themselves, “ok, what’s the big deal with that?”. The answer is simple: Customer perception and corporate image.
Before I continue on, let me provide some background: early in 2008, there were two incidents in California where two on-highway digital billboards were compromised and their displays changed from the intended content. While both of these incidents were small pranks in comparison to what they could have done, the effect was remembered by those who drove by and saw the signs. (Example A, Example B)
Another recent billboard hack in Moscow, Russia, wasn’t as polite as the pranksters in California. A hacker was able to gain control of a billboard in downtown Moscow (worth noting, Moscow is the 7th largest city in the world) and, after gaining access, looped a video clip of pornographic material. (Example C) Imagine if this was a sports organization, and this happened during a major game.
Bringing this post back on track, let’s refocus on the casino and the potential impact of signage compromise. After spending time in the signage control server, we determined that there were over 40 unique displays available to control, some of which were over 100″ in display size. With customer permission, we placed a unique image on a small sign for proof-of-concept purposes (go google “stallowned”). This test, coupled with an impact audit, clearly highlighted to the casino that ensuring the security of their signage systems was nearly as paramount as securing their security systems, cage systems, and domain controllers. All the domain security in the world means little to a customer if they’re presented with disruptive material on the signage during their visit to the casino. A compromise of this nature could cause significant loss of revenue, and cause a customer to never re-visit the casino.
I also thought it pertinent for the purpose of this post to share another customer engagement story. This story highlights how physical security can be compromised by a combination of social engineering and network exploitation, thus opening an additional risk vector that could allow for compromise of the local network running the digital display systems.
Netragard was engaged by a large bio-sciences company in late 2010 to assess the network and physical security of multiple locations belonging to a business unit that was a new acquisition. During the course of this engagement, Netragard was able to take complete control of their network infrastructure remotely, as is the case in most of our engagements. More so, our engineers were able to utilize their social engineering skills and “convince” the physical site staff to grant them building access. Once past this first layer of physical access, by combining social and network exploitation, they were subsequently able to gain access to sensitive labs and document storage rooms. These facilities/rooms were key to the organization's intellectual property and on-going research. Had our engineers been hired by a competing company or other entity, there would have been a 100% chance that the IP (research data, trials data, and so forth) could have been spirited off company property and into hands unknown.
By combining network exploitation and social engineering, we’ve postulated to the sports arena operators that Netragard has a high probability of gaining access to the control systems for their digital signage. Inevitably, during these discussions the organizations push back stating that their facilities have trained security staff and access control systems. To that we inform them that the majority of sports facilities staff are more attuned to illicit access attempts in controlled areas, but only during certain periods of operation, such as active games, concerts, and other large-scale events. During non-public usage hours though, there’s a high probability that a skilled individual could gain entry to access-controlled areas during a private event, or through breach of trust, such as posing as a repair technician, emergency services employee, or even a facility employee.
One area of concern for any organization, whether it be a football organization, Fortune 100 company, or a mid-size business, is breach of trust with its consumer base. For a major sports organization, the level of national exposure and endearment far exceeds the exposure most Netragard customers have to the public. Because of this extremely high national exposure, a sports organization and its arena are a prime target for those who may consider highly visible public disruption of games a key tool in furthering a socio-political agenda. We’re hopeful that these organizations will continue to take a more serious stance to ensure that their systems and public image are as protected as possible.
Tuesday, February 22, 2011
The purpose of Penetration Testing is to identify the presence of points where an external entity can make its way into or through a protected entity. Penetration Testing is not unique to IT security and is used across a wide variety of different industries. For example, Penetration Tests are used to assess the effectiveness of body armor. This is done by exposing the armor to different munitions that represent the real threat. If a projectile penetrates the armor then the armor is revised and improved upon until it can endure the threat.
Network Penetration Testing is a class of Penetration Testing that applies to Information Technology. The purpose of Network Penetration Testing is to identify the presence of points where a threat (defined by the hacker) can align with existing risks to achieve penetration. The accurate identification of these points allows for remediation.
Successful penetration by a malicious hacker can result in the compromise of data with respect to Confidentiality, Integrity and Availability (“CIA”). In order to ensure that a Network Penetration Test provides an accurate measure of risk (risk = probability x impact) the test must be delivered at a threat level that is slightly elevated from that which is likely to be faced in the real world. Testing at a lower than realistic threat level would be akin to testing a bulletproof vest with a squirt gun.
Threat levels can be adjusted by adding or removing attack classes. These attack classes are organized under three top-level categories, which are Network Attacks, Social Attacks, and Physical Attacks. Each of the top-level categories can operate in a standalone configuration or can be used to augment the other. For example, Network Penetration Testing with Social Engineering creates a significantly higher level of threat than just Network Penetration Testing or Social Engineering alone. Each of the top-level threat categories contains numerous individual attacks.
A well-designed Network Penetration Testing engagement should employ the same attack classes as a real threat. This ensures that testing is realistic which helps to ensure effectiveness. All networked entities face threats that include Network and Social attack classes. Despite this fact, most Network Penetration Tests entirely overlook the Social attack class and thus test at radically reduced threat levels. Testing at reduced threat levels defeats the purpose of testing by failing to identify the same level of risks that would likely be identified by the real threat. The level of threat that is produced by a Network Penetration Testing team is one of the primary measures of service quality.