Netragard Blog

Netragard Blog2020-04-24T15:31:19-04:00

Embedded Device Security Research: AXON Body 2 – Body Worn Cameras

Introduction Netragard performs regular vulnerability research against software and hardware. While most of this research is customer confidential, some of the research is intended for disclosure. The focus of our research for this article was the AXON Body 2 Worn Camera which plays a critical role in protecting civilians and police officers. Due to the sensitive nature of the evidence collected by the AXON Body 2 it is particularly [...]

SolarWinds, SOX, and Corporate Responsibility for Cybersecurity

By now, most everyone has heard of the SolarWinds breach. Cybercriminals took advantage of SolarWinds’ poor cybersecurity practices to gain access to their network and implant malicious code within updates to their Orion network monitoring solution. This Orion solution is widely used, and its compromise led to the attackers gaining access to the networks of many large enterprises and a significant percentage of US government agencies. As a result, [...]

The Security Risks Behind Voting Machines & Mail-in Ballots

In recent months, the security of absentee voting, widely used due to the threat of the COVID-19 pandemic, has been called into question. But are these processes any less secure than the electronic voting systems used on a “normal” election day? Introduction to Electronic Voting System Security Electronic voting systems come in a number of different forms. At the polls, a voter may experience a few different types of voting [...]

Inside the 2020 Ping of Death Vulnerability

What is the 2020 Ping of Death? Ping of Death vulnerabilities are nothing new. These vulnerabilities arise from issues in memory allocation in the TCP/IP stack. If memory is improperly allocated and managed, a buffer overflow vulnerability can be created that leaves the application vulnerable to exploitation. The original Ping of Death was discovered in 1997 and was the result of an implementation error in how operating systems handled [...]

Inside Zerologon

What is the Zerologon Vulnerability? Zerologon is a vulnerability in the Windows netlogon protocol (on Windows Server version 2008 and later) discovered by Tom Tervoort of Secura during a security review of the protocol (which had not previously undergone such a review).  Due to cryptographic and implementation errors in the protocol, an attacker can falsely authenticate and elevate their privileges to Domain Admin.  This has a number of potential [...]

What You Need to Know About Penetration Testing Liability

Penetration tests are designed to identify potential gaps in an organization’s cybersecurity. With an effective penetration test comes a variety of different risks.  Before engaging a penetration test provider, it is essential to understand the risks of penetration tests, how to minimize them, and why a good penetration testing firm will not be able to accept liability for actions performed in good faith. A Good Penetration Test Carries the [...]

How To Scope a Penetration Test (The Right Way)

How to Define the Scope of Your Next Pentest Engagement One of the most important factors in the success of a penetration test is its scope.  Scope limitations are an understandable and even common desire.  However, they can make the results of a pentest worse than useless by providing a false sense of security.  Read on to learn why it is important to work with and trust your pentest [...]

How To Become A Hacker – CyberSecurity Careers

With Cybersecurity Career Talks Do you want to know "How To Become A Hacker" let us learn from world-renowned hackers, cybersecurity experts, social engineering experts. Adriel Desautels, Jayson E. Street and Philippe Caturegli share the mindset, training, experience and education (if any) required for a cybersecurity career. Who is a hacker? A person who finds innovative ways of solving problems. Attributes required for breaking [...]

Protect Yourself – Chronicle’s 4-Part Video Series

This first clip focuses on confidence tricks (Social Engineering) which is something that we also do when we deliver Realistic Threat Penetration Tests to our customers. Our objective when using social engineering isn't to con our customers out of money but instead to trick them into doing things that enable us access to their corporate network. This can include stealing passwords, deploying malware, or simply convincing someone to grant [...]

The dark side of bug bounties

Bug Bounty companies (often called crowd sourced penetration tests) are all the hype.  The primary argument for using their services is that they provide access to a large crowd of testers, which purportedly means that customers will always have a fresh set of eyes looking for bugs.  They also argue that traditional penetration testing teams are finite and, as a result, tend to go stale in terms of creativity, depth, [...]

Protecting Your Business From Your Remote Workforce

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modify your business processes and workflows to accommodate this change, it’s important to understand how remote work affects your cybersecurity posture and what openings and opportunities exist for cybercriminals to take advantage of you.  We would like to take this opportunity to provide advice on how to [...]

Industry standard penetration testing and the false sense of security.

Our clients often hire us to as a part of their process for acquiring other businesses.   We’ve played a quiet role in the background of some of the largest acquisitions to hit the news and some of the smallest that you’ve never heard of.  In general, we’re tasked with determining how well secured the networks of the organization to be acquired are prior to the acquisition.   This is important because [...]

Load More Posts