Netragard Blog

Netragard Blog2020-04-02T16:38:21-04:00

The dark side of bug bounties

Bug Bounty companies (often called crowd sourced penetration tests) are all the hype.  The primary argument for using their services is that they provide access to a large crowd of testers, which purportedly means that customers will always have a fresh set of eyes looking for bugs.  They also argue that traditional penetration testing teams are finite and, as a result, tend to go stale in terms of creativity, depth, [...]

Protecting Your Business From Your Remote Workforce

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modify your business processes and workflows to accommodate this change, it’s important to understand how remote work affects your cybersecurity posture and what openings and opportunities exist for cybercriminals to take advantage of you.  We would like to take this opportunity to provide advice on how to [...]

Industry standard penetration testing and the false sense of security.

Our clients often hire us to as a part of their process for acquiring other businesses.   We’ve played a quiet role in the background of some of the largest acquisitions to hit the news and some of the smallest that you’ve never heard of.  In general, we’re tasked with determining how well secured the networks of the organization to be acquired are prior to the acquisition.   This is important because [...]

The reality behind hospital and medical device security.

We recently presented at the DeviceTalks conference in Boston Ma about the vulnerabilities that affect hospitals and medical devices (insulin pumps, pacemakers, etc.).  The goal of our presentation wasn’t to instill fear but sometimes fear is a reasonable byproduct of the truth.  The truth is that of all the networks that we test, hospital networks are by far the easiest to breach.  Even more frightening is that the medical devices [...]

Gizmodo interview with Netragard – "Snake Oil Salesmen Plague the Security Industry, But Not Everyone Is Staying Quiet"

https://gizmodo.com/snake-oil-salesmen-plague-the-security-industry-but-no-1822590687 Adriel Desautels was suddenly in a serious mess, and it was entirely his fault. Sitting in his college dorm room back in the mid-1990s, Desautels let his curiosity run rampant. He had a hunch that his school’s network was woefully insecure, so he took it upon himself to test it and find out. “My thoughts at the time were, ‘Hey, it’s university. I’m here to learn. How much harm [...]

Retro: FACEBOOK – Anti-Social Networking (2008).

This is a retro post about a penetration test that we delivered to a client back in 2008.  During the test we leveraged personal data found on Facebook to construct and execute a surgical attack against an energy company (critical infrastructure).  The attack was a big success and enabled our team to take full control of the client's network, domain and their critical systems. Click to download:   Given the [...]

We protect voters from people like us.

Dear Kris Kobach, We recently read an article published by Gizmodo about the security of the network that will be hosting Cross Check.  In that article we noticed that you said "They didn't succeed in hacking it." referring to the Arkansas state network.  First, to address your point, no we did not succeed in hacking the network because we didn't try.  We didn't try because hacking the network without contractual [...]

What hackers know about vulnerability disclosures and what this means to you

Before we begin, let us preface this by saying that this is not an opinion piece.  This article is the product of our own experience combined with breach related data from various sources collected over the past decade.  While we too like the idea of detailed vulnerability disclosure from a “feel good” perspective the reality of it is anything but good.  Evidence suggests that the only form of responsible disclosure is one that [...]

What Thieves Know About Anti-Phishing Solutions & What This Means To You

Without taking proper precautions, your computer is a veritable smörgåsbord for hackers. Hackers have developed an array of techniques to infiltrate your system, extract your data, install self-serving software, and otherwise wreak havoc on your system. Every network in the world is vulnerable to hacking attempts; it's simply a matter of which systems the hackers deem worth the effort. Preventing hackers from successfully compromising your data requires an understanding of [...]

What they are not telling you about the CIA leaks.

The CIA leaks are making huge waves across the world. In a nutshell, the documents claim to reveal some of the hacking capabilities that the CIA has. Many privacy advocates believe that exposure of secrets like these is a net benefit for citizens because it provides transparency in government action. The media also likes leaks like these because it provides excellent story fodder. But there is one thing that no [...]

Hacking casinos with zeroday exploits

Most popular email programs like Microsoft Outlook, Apple Mail, Thunderbird, etc. have a convenient feature that enables them to remember the email addresses of people that have been emailed.  Without this feature people would need to recall email addresses from memory or copy and paste from an address book. This same feature enables hackers to secretly breach networks using a technique that we created back in 2006 and named Email [...]

EXPOSED: How These Scammers Tried To Use LinkedIn To Steal Our Client’s Passwords

Earlier this morning one of our more savvy customers received an email from [email protected] The email contained a “New Message Received” notification allegedly sourced from CEO Tom Morgan. Contained in the email was a link that read, “Click here to sign in and read your messages”. Fortunately we had already provided training to this particular customer that covered Social Engineering and Phishing threats. So, rather than click on the link [...]

Load More Posts