Who Watches the Watchmen?

How does our behavior change when we know we’re being watched?

In the health care industry, those practicing in the field must take the Hippocratic oath and swear to uphold specific ethical standards. This standard helps promote the idea of “do no harm,” and health care practitioners take this oath very seriously. But what about the Information Technology industry? How do we ensure that those we give ultimate power to in our organizations are not abusing their power and are acting in the best interest of the company?

There is nothing similar to the Hippocratic oath for systems administrators, network engineers, or security analysts. Although we would like to hope that, throughout our interview processes and background checks, we are hiring morally upstanding folks, there really is no overall ethical oath that professionals in Information Technology subscribe to. The majority of us will respect ourselves enough to hold high ethical standards, but there is also a minority who won’t. So, how can we ensure that our employees are not abusing their access?

You may argue that you have logs, you have a SIEM; if anything were to happen, you could pore through your logs and build a forensic timeline to answer...

Using DNS to Clean Your Pipes

I really despise ads; they completely ruin my browsing experience. Auto-playing videos, popup and overlay ads, and Forbes begging me to buy a subscription or “turn off your adblocker.” It’s all a drag, and although a browser-based ad-blocker will take care of most of them, ad-blockers only work when you can actually install them in the browser. Many of us have more than just desktops and laptops on our home networks: gaming consoles, smartphones, tablets, e-readers, and more. How do you block ads on those devices if you can’t install ad-blockers on them?

To take it a step beyond just ads and focus on security as well, many ad-blockers don’t block malware domains, browser-based bitcoin miners, and phishing sites. Even if you could configure your ad-blocker to handle these security issues, it still wouldn’t apply to the devices on which you have no control over the browser. The only way to really ensure what sites your devices can ‘talk’ to is to control the answers they get from the server to their DNS queries.

The Power of DNS

If you’re not familiar with DNS, think of it like a phonebook. Wait, come to think of it, I haven’t owned a phonebook in over a decade. Instead,...

Six Gone, Moving on Eight

25 or 6 to 4?

No matter how tired you are, you’ve gotta keep moving forward.

I’ve just returned from a strenuous, Sunday-morning hike to Chimney Tops to get some exercise in, clear my mind, and reflect. I’m currently listening to Christmas music and sipping on hot tea and just thought “Wow, Christmas already?” and then I thought “Oh… yeah… about that six months update.”

It’s pretty amazing to think that when we started Savage Security, it was just shortly after St. Patrick’s Day. April showers had yet to begin, and May flowers were just a future promise. We started with a simple idea: rely on our experience and research to cut through the noise and bring lasting and durable security solutions to anyone who would listen. It was a leap of faith, a bond of trust between two partners, and a firm belief that what we were doing was the right approach.

Since April 1, we’ve been spreading what I call “The Savage Gospel” across the U.S. and its territories, as well as globally (here’s looking at you, Switzerland). As I look back, I realize that this is absolutely, without a doubt, the hardest I’ve ever worked at anything in my life....

Savage Security October 2017 Newsletter

Savage Deeds

Photos from EDGE2017 aren’t available yet, so we’ll all have to settle for this REALLY OLD picture of Adrian from last year’s EDGE conference.

Savage Security News

October was another busy month for us, but we love busy! We kicked off the month joining our friends Jake and Tori on “The Morning After” to once again bring security education to the masses. I think it’s almost safe to say that we are regulars on the show by now. We also attended EC Council’s Hacker Halted conference in Atlanta, GA and presented at the EDGE Security Conference in Knoxville, TN. We’ve also got a new offering that our customers say is “extremely valuable” and might just kill the need for a pentest (well, unless you’re bound by regulation to have a pentest).

Security Training

Savage Security has begun to put together training programs. The goal of these is not only to educate on best practices for keeping the organization safe, but also on how to secure your personal assets. Although many organizations choose to use phishing campaigns as a means of training, email is just one aspect of security that should be covered: for example, data privacy, security, and...

September 2017 Newsletter

Firing on all cylinders with no end in sight.

Wow… what a month it’s been. We’re running on all… 12 cylinders (remember the Jaguar V12?) and don’t plan on slowing down anytime soon. September was also a busy month for the security industry as a whole: new vulnerabilities, new breaches, and new tools being revealed at conferences. Let’s dig in!

Adrian here: I don’t know much about Jaguars, but back in the late Eighties, BMW developed its first 12-cylinder motor, designated the M70. Essentially two inline 6-cylinder engines mated, the engine had a novel ‘limp home’ mode. Should something go wrong that was isolated to one bank of cylinders, the car would shut it down and you could drive it to the dealer safely. Notably, a later version of this engine (S70/2) is what powers the infamous McLaren F1.

Savage Security News

In September, we investigated a job recruitment scam, published market reports on Axonius and Threatcare’s new Violet virtual assistant (!), and analyzed the Equifax breach (and were interviewed on the local news). We were at InfoSec Nashville, caught up with our friends in Louisville, KY at DerbyCon 7, then hopped on a plane to...

Scammer, Meet Hacker: Part 3

Posing as a target in a job scam to see how deep the rabbit hole goes…

In part 2, our involvement became more than just a chat, and the scammers started trying to get some money out of me in earnest. Their persistence is as impressive as their lack of attention to detail is bewildering. You’d think scammers this organized and prepared would be able to keep the name of a company straight, especially when they’re supposedly a hiring manager for said company. If we accept the idea that attackers are only as sophisticated as they need to be, the average victim must not notice that the name of the business changes, chooses not to challenge the scammers on the discrepancy, or is just so desperate for the job and money that they don’t care.

Here, in part 3, the scam leaves the virtual world and enters the physical. Let’s dive in.

This image really becomes relevant in this post. You’ll see :)

Step 10: How scammers make money from thin air

The process of how a totally fake, made-up check can become real, spendable US dollars and, in the process, ruin the victim’s day (or week, or month!).

After emailing me a .pdf of a fake Chase...

Scammer, Meet Hacker: Part 2

Posing as a target in a job scam to see how deep the rabbit hole goes…

In part 1, I started playing a scammer’s game to learn more about how it would play out. Where we left off, I had managed to get ‘hired’. It seemed impossible to fail in this task, as all the scammers’ plans seem to hinge on things that could only happen after I was hired. Here, in part 2, we’ll get into what some of the scammers might have had in mind.

The scammers aren’t mad at me yet, but we’re getting there…

Guess what everyone!? I’m hired!!! Wow, all my dreams are coming true.

Wait… how many jobs do I have now?

Red Flag #4: They welcome me to a different company (red in the image; we’ll call them “Secure Access Company” from here on out).

Wait… I thought I was interviewing for The IT Company?

No matter, I just ignore this extremely large discrepancy to continue the conversation, and they don’t seem to notice.

Interesting that they ask about MYOB, which is an Australian company.

Better throw in a few more emojis, just to let them know my mind is at ease. Notice how they flip back and forth between The IT Company...

Scammer, Meet Hacker: Part 1

Posing as a target in an employment scam to see how deep the rabbit hole goes…

This afternoon (8/30/17), I was checking up on all the chats I missed on Slack while I was away on my epic adventure. I noticed that in one of our local security groups, someone mentioned that a scammer was impersonating a company employee and attempting to trick people by means of offering them a job. Intrigued, I asked if anyone had followed up… and to my delight, no one had.

Note: Names of some of the affected people and companies have been anonymized per request.

Red Flag #1: The “employee’s” email address was theitcodesk@gmail.com.

They were impersonating a real person who works at The IT Company, a managed IT services provider.

This is how I like to imagine the scammers, desperately trying to call me, as I ignore their calls.

Step 1: Engage the Scammer

I knew the pretext already, so I emailed the scammer’s address with a rather… enticing request. If you’re gonna investigate a scam, you’re gonna have to appear as easygoing and as much of a victim as possible. You’ll see that more as the conversation goes on.

Simple enough, right? I’m just a candidate...

A Morning with Nothing Too Fancy

The awesome crew of Nothing Too Fancy (including doggo).

As with any company, eventually, you’re gonna need some swag. You know, the “Stuff We All Get” at conferences. However, here at Savage, we didn’t want just another piece of swag, e.g. a cheap coozie, cheap pens, or… sigh… a cheap fidget spinner. Instead, we wanted to give our customers something valuable, something durable, and something useful. Thus, the idea of the “Welcome Kit” came about. Our Welcome Kit is set to include a shirt, a nice large ceramic mug for copious amounts of coffee, pens that are a pleasure to write with and don’t break after 3 uses, a nice notebook to keep your ideas in, and a handy cheat sheet with some of the most valuable tips and tricks our customers can use to keep themselves safe.

Step one of that package is a shirt. We could have gone to one of the many online companies, slapped up a logo, and called it a day. That’s simple enough. However, if you recall some earlier posts in our blog, we really do care about our community involvement. Whether that’s working with local colleges and institutions, having free fix-it days for those...

August 2017 Newsletter

A month of adventures

Kyle’s bike in repose — a rare moment when it isn’t conspiring with the terrain to murder him.

Savage Security News

This past month, we attended Black Hat; explored the Trans America Trail; analyzed a thinly veiled attack piece; presented on ransomware at a local DEF CON group and a remote OWASP group (simultaneously); signed up several new subscription customers; and started planning our first buyer’s guide.

Yeah, it was a busy month.

Words have meanings

The level of hyperbole in a piece by Digital Defense was too much to ignore, especially when the post singled out Carbon Black for something that’s common throughout the industry, off by default, and shipped with more than adequate disclaimers. Pieces like this only serve to confuse and distract our industry from what’s really important — like the fact that what’s often referred to as ‘the basics’ are neither basic nor easy.

Worrying about one product in the industry uploading proprietary code to VirusTotal when an optional feature is enabled is far from a top priority for most enterprises. It’s tempting and easy to get lured away from practical improvements for the more exciting scenarios presented at security conferences, which brings us to…

Black Hat

Adrian went to Black Hat to officially announce and launch our...