The zero-day exploit market is secretive. People as a whole tend to fear what they don’t understand and substitute fact with speculation. While very few facts about the zero-day exploit market are publicly available, there are many facts about zero-days that are available. When those facts are studied, it becomes clear that the legitimate zero-day exploit market presents an immeasurably small risk (if any), especially when viewed in contrast with known risks. Many news outlets, technical reporters, freedom of information supporters, and even security experts have used the zero-day exploit market to generate Fear, Uncertainty, and Doubt (FUD). While the concept of a zero-day exploit seems ominous, reality is actually far less menacing. People should be significantly more worried about vulnerabilities that exist in the public domain than those that are zero-day. The misrepresentations about the zero-day market create a dangerous distraction from the very real issues at hand. One of the most common misrepresentations is that the zero-day exploit market plays a major role in the creation of malware and malware’s ability to spread. Not only is this categorically untrue but the Microsoft Security Intelligence Report (SIRv11) provides clear statistics that [...]
Here at Netragard We Protect You From People Like Us™ and we mean it. We don’t just run automated scans, massage the output, and draft you a report that makes you feel good. That's what many companies do. Instead, we "hack" you with a methodology that is driven by hands-on research, designed to create realistic and elevated levels of threat. Don’t take our word for it though; McAfee has helped us prove it to the world. Through their Threat Intelligence service, McAfee Labs listed Netragard as a “High Risk” due to the level of threat that we produced during a recent engagement. Specifically, we were using a beta variant of our custom Meterbreter malware (not to be confused with Metasploit’s Meterpreter) during an Advanced Penetration Testing engagement. The beta malware was identified and submitted to McAfee via our customer's Incident Response process. The result was that McAfee listed Netragard as a “High Risk”, which caught our attention (and our customer's attention) pretty quickly. McAfee was absolutely right; we are “High Risk”, or more appropriately, "High Threat", which in our opinion is critically important when delivering quality Penetration [...]
We (Netragard) recently completed an engagement for a client with a rather restricted scope. The scope included a single IP address bound to a firewall that offered no services whatsoever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas. With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a remote threat, and succeeded. The first method of attack that people might think of when faced with a challenge like this is the use of the traditional autorun malware on a USB stick. Just mail a bunch of sticks to different people within the target company and wait for someone to plug it in; when they do, it's game over, they're infected. That trick worked great back in the day but not so much anymore. The first issue is that most people are well aware of the USB stick threat due to the many published articles about the subject. The second is that more and more companies are pushing out [...]
Recently Netragard has had a few discussions with owners and operators of sports arenas, with the purpose of identifying methods in which a malicious hacker could potentially disrupt a sporting event, concert, or other large-scale and highly visible event. During the course of these conversations, the topic of discussion shifted from network exploitation to social engineering, with a focus on compromise of the digital signage systems. Until recently, even I hadn't thought about how extensively network-controlled signage systems are used in facilities like casinos, sports arenas, airports, and roadside billboards. That is, until our most recent casino project. Netragard recently completed a Network Penetration Test and Social Engineering Test for a large west coast casino, with spectacular results. Not only were our engineers able to gain the keys to the kingdom, they were also able to gain access to the systems that had supervisory control for every single digital sign in the facility. Some people may think to themselves, "ok, what's the big deal with that?". The answer is simple: Customer perception and corporate image. Before I continue on, let me provide some background; Early in 2008, [...]
The Chevy Volt will be the first car of its type: not because it is a hybrid electric/petrol vehicle, but because GM plans to give each one the company sells its own IP address. The Volt will have no less than 100 microcontrollers running its systems from some 10 million lines of code. This makes some hackers very excited and Adriel Desautels, president of security analysis firm Netragard, very worried. Before now, you needed physical access to reprogram the software inside a car: an 'air gap' protected vehicles from remote tampering. The Volt will have no such physical defence. Without some kind of electronic protection, Desautels sees cars such as the Volt and its likely competitors becoming 'hugely vulnerable 5000lb pieces of metal'. Desautels adds: "We are taking systems that were not meant to be exposed to the threats that my team produces and plug it into the internet. Some 14 year old kid will be able to attack your car while you're driving. ... The full article can be found here.
We’ve heard a bit of “noise” about how IPv6 may impact network penetration testing and how networks may or may not be more secure because of IPv6. Let’s be clear: anyone telling you that IPv6 makes penetration testing harder doesn’t understand the first thing about real penetration testing. What’s the point of IPv6? IPv6 was designed by the Internet Engineering Task Force (“IETF”) to address the issue of IPv4 address space exhaustion. IPv6 uses a 128-bit address space while IPv4 is only 32 bits. This means that there are 2^128 possible addresses with IPv6, which is far more than the 2^32 addresses available with IPv4. This means that there are going to be many more potential targets for a penetration tester to focus on when IPv6 becomes the norm. What about increased security with IPv6? The IPv6 specification mandates support for the Internet Protocol Security (“IPSec”) protocol suite, which is designed to secure IP communications by authenticating and encrypting each IP Packet. IPSec operates at the Internet Layer of the Internet Protocol suite and so differs from other security systems like the Secure Sockets Layer, which operates at the application [...]
Our CEO (Adriel Desautels) recently spoke at the Green Hills Software Elite Users Technology Summit regarding automotive hacking. During his presentation there were a series of reporters taking photographs, recording audio, etc. Of all of the articles that came out, one in particular caught our eye. We made the front page of "Elektronik iNorden", which is a Swedish technology magazine that focuses on hardware and embedded systems. You can see the full article here but you'll probably want to translate: http://www.webbkampanj.com/ein/1011/?page=1&mode=50&noConflict=1 What really surprised us during the presentation was how many people were in disbelief about the level of risk associated with cars built after 2007. For example, it really isn't all that hard to program a car to kill the driver. In fact, it's far too easy due to the overall lack of security in cars today. Think of a car as an IT Infrastructure. All of the servers in the infrastructure are critical systems that control things like brakes, seat belts, door locks, engine timing, airbags, lights, the radio, the dashboard display, etc. Instead of these systems being plugged into a switched network they are plugged into [...]
Our (Netragard's) founder and president (Adriel Desautels) was recently interviewed by the local news (Fox 25) about car hacking. We thought that we'd write a quick entry and share this with you. Thank you to Fox 25 for doing such a good job with the interview. Note for the AAA guy though, once cars have IP addresses (which is now) hackers won't need to "pull up next to you to hack [your car]" and turning the car off is the least of the problems. Hackers will be able to do it from their location of choice and trust us when we say that "firewalls" don't pose much of a challenge at all. Anyway, enjoy the video and please feel free to comment. http://www.myfoxboston.com/dpp/news/special_reports/could-your-car-be-a-hackers-target-20101111 Netragard, LLC. -- The Specialist in Anti Hacking.
Link: http://news.cnet.com/8301-27080_3-20015184-245.html Of course, your car is probably not a high-priority target for most malicious hackers. But security experts tell CNET that car hacking is starting to move from the realm of the theoretical to reality, thanks to new wireless technologies and evermore dependence on computers to make cars safer, more energy efficient, and modern. "Now there are computerized systems and they have control over critical components of cars like gas, brakes, etc.," said Adriel Desautels, chief technology officer and president of Netragard, which does vulnerability assessments and penetration testing on all kinds of systems. "There is a premature reliance on technology." Illustration for a tire pressure monitoring system, with four antennas, from a report detailing how researchers were able to hack the wireless system. (Credit: University of South Carolina, Rutgers University (PDF)) Often the innovations are designed to improve the safety of the cars. For instance, after a recall of Firestone tires that were failing in Fords in 2000, Congress passed the TREAD (Transportation Recall Enhancement, Accountability and Documentation) Act that required that tire pressure monitoring systems (TPMS) be installed in new cars to alert drivers if a tire is [...]
Our philosophy here at Netragard is that security-testing services must produce a threat that is at least equal to the threat that our customers are likely to face in the real world. If we test our customers at a lesser threat level and a higher-level threat attempts to align with their risks, then they will likely suffer a compromise. If they do suffer a compromise, then the money that they spent on testing services might as well be added to the cost in damages that result from the breach. This is akin to how armor is tested. Armor is designed to protect something from a specific threat. In order to be effective, the armor is exposed to a level of threat that is slightly higher than what it will likely face in the real world. If the armor is penetrated during testing, it is enhanced and hardened until the threat cannot defeat the armor. If armor is penetrated in battle then there are casualties. That class of testing is called Penetration Testing and the level of threat produced has a very significant impact on test quality and results. What is particularly scary [...]