The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good

Drupal has patched a critical bug that could let attackers take over sites powered by the popular open-source web content management platform. The vulnerability, CVE-2019-6342, only affects Drupal 8.7.4, and only when the experimental Workspaces module is enabled; sites on other releases, or on 8.7.4 without Workspaces, are not affected. Although there is no known exploit for this vulnerability to date, updating to version 8.7.5 is strongly recommended.

The first half of 2019 saw record investment in Israeli tech companies, reaching $3.9 billion across a total of 250 deals in the first six months of the year. The three biggest deals were with Lemonade, Monday, and SentinelOne.

The Bad

According to a report by the FBI this week, Business Email Compromise (BEC) attacks are on the rise, with cybercriminals raking in as much as $300 million last year alone, a figure that is three times the amount stolen just two years ago. Top targets are manufacturing and construction businesses, commercial services and real estate outfits. Criminals typically pose as a customer or as senior management and fool unsuspecting employees into paying phoney invoices or making other fraudulent wire transfers. Attackers use phishing campaigns and spyware to steal the credentials needed to compromise the email accounts they impersonate. The usual defence is procedural rather than technical: any request to change payment details or to make an unexpected transfer should be verified through a channel other than the email that asked for it.

There was also bad news for internet users in Kazakhstan this week, and a warning of a dangerous precedent that should worry us all. In an anti-privacy move, the government there has made it mandatory for ISPs to route HTTPS traffic through a national interception (man-in-the-middle) certificate authority, and end users have been told to install the government-issued root certificate on all devices and all browsers. Once that root is trusted, the interception proxy can present its own certificate for any site, decrypt and re-encrypt the traffic, and no browser warning will appear. Government spying or necessary for national security? Where have we had that debate before…

The Ugly

Seems like Cylance found out the hard way this week something we have been saying for a long time: next-gen security solutions need to use a layered model that is updated frequently, not rely on one supposedly “killer” feature. The point was impressively proven by Australian researchers who tricked the Cylance engine into tagging a malicious file as benign simply by appending some strings to the end of a WannaCry sample. The appended data is never executed, so the ransomware still behaves exactly as before, but the model weighted the benign-looking strings heavily enough to outweigh the malicious indicators in the rest of the file and mis-categorized the ransomware as safe.
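To make the failure mode concrete, here is a toy string-feature classifier, added for this post; it is not Cylance’s model and not the researchers’ code. The token weights, the threshold, the “hard indicator” list and the stand-in sample bytes are all constructed for illustration. It shows the linear score being pushed below the threshold by appended benign strings, and how a second, independent layer (high-confidence indicators that cannot be outweighed) keeps the verdict correct:

```python
"""Toy string-weighting classifier and the 'append benign strings' evasion.

Added example, not Cylance's engine or the Australian researchers' code.
All weights, tokens and the sample 'files' below are constructed.
"""
import re

# Constructed token weights: positive = looks malicious, negative = looks benign.
TOKEN_WEIGHTS = {
    b"encrypt_victim_files": 3.0,
    b"ransom_note.txt": 2.0,
    b"vssadmin delete shadows": 3.0,
    b"Microsoft Corporation": -1.0,
    b"Copyright": -0.5,
    b"license agreement": -0.5,
    b"Windows Media Player": -1.0,
}
THRESHOLD = 2.0  # a file scoring above this is called malicious

# Second layer: constructed high-confidence indicators. A layered engine
# treats any hit as malicious regardless of how much benign text surrounds it.
HARD_INDICATORS = [b"encrypt_victim_files", b"vssadmin delete shadows"]


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII, like the Unix strings(1) tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def linear_score(data: bytes) -> float:
    """Single-feature model: sum of weights over every token occurrence.
    Benign tokens subtract, so an attacker can pad the file until the
    total falls below the threshold."""
    score = 0.0
    for s in printable_strings(data):
        for token, weight in TOKEN_WEIGHTS.items():
            score += weight * s.count(token)
    return score


def linear_verdict(data: bytes) -> str:
    return "malicious" if linear_score(data) > THRESHOLD else "benign"


def layered_verdict(data: bytes) -> str:
    """Layered model: the hard-indicator layer is checked first and cannot
    be outweighed; the statistical score is only consulted when it is clean."""
    strings = printable_strings(data)
    if any(ind in s for s in strings for ind in HARD_INDICATORS):
        return "malicious"
    return linear_verdict(data)


def append_benign_strings(sample: bytes, padding: bytes, copies: int) -> bytes:
    """Append data after the end of the file. For a PE, bytes past the last
    section are an overlay the loader never maps, so behaviour is unchanged."""
    return sample + padding * copies


# Constructed stand-in for a ransomware sample: a few strings, no real code.
MALICIOUS_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 +
                    b"encrypt_victim_files\x00ransom_note.txt\x00"
                    b"vssadmin delete shadows\x00")
# Constructed benign-looking padding, one printable run per copy.
BENIGN_PADDING = (b"Microsoft Corporation. Copyright. "
                  b"Windows Media Player license agreement.\n")


def demo() -> dict:
    """Run both models on the original and the padded sample."""
    padded = append_benign_strings(MALICIOUS_SAMPLE, BENIGN_PADDING, 4)
    return {
        "original_linear": linear_verdict(MALICIOUS_SAMPLE),   # malicious
        "padded_linear": linear_verdict(padded),               # benign (evaded)
        "original_layered": layered_verdict(MALICIOUS_SAMPLE), # malicious
        "padded_layered": layered_verdict(padded),             # malicious
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The original sample scores 8.0 on the linear model; four copies of the padding subtract 12.0 and drop it to -4.0, below the threshold, while nothing about the executable bytes has changed. The layered verdict is unaffected because the indicator layer is evaluated independently of the score.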


Continuing on from last week’s Zoom saga, Apple has since released TWO more updates for MRT.app (the Malware Removal Tool) in the last few days, in a continuing effort to nail the RCE vulnerability found to exist in many spin-off (white label) versions of the popular video conferencing app. If your head is also in a bit of a spin trying to keep up with all these updates, you should (at the time of publishing this) currently be on v1.47. Here is how to check from the command line. Note that the install history keeps an entry for every MRT version ever installed on the machine, so look at the entry with the most recent install date rather than the first match:

system_profiler SPInstallHistoryDataType | grep -A4 MRTConfig

Alternatively, from the Apple menu, choose “About This Mac” and click the System Report button. Scroll down to Software > Installations, then type “MR” to find the start of the listing for MRTConfigData. 
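For machines you check regularly, the same lookup can be scripted. The following is an added example for this post, not Apple tooling: it parses the text that system_profiler prints, collects every MRTConfigData entry, and reports whether the newest one meets the expected version. The sample report embedded below is constructed to mirror the real command’s layout (package names ending in a colon, indented “Key: value” lines underneath); only the version number 1.47 comes from the post.

```python
"""Report the newest MRTConfigData version from system_profiler output.

Added example, not Apple code. SAMPLE_REPORT is a constructed excerpt
laid out like `system_profiler SPInstallHistoryDataType` text output.
"""
import re
import subprocess

EXPECTED = "1.47"  # version the post says you should be on

SAMPLE_REPORT = """Software:

    Installations:

        MRTConfigData:

          Version: 1.45
          Source: Apple
          Install Date: 7/10/19, 9:02 AM

        XProtectPlistConfigData:

          Version: 2103
          Source: Apple
          Install Date: 7/12/19, 1:15 PM

        MRTConfigData:

          Version: 1.47
          Source: Apple
          Install Date: 7/18/19, 10:22 AM
"""


def parse_versions(report: str, package: str = "MRTConfigData") -> list:
    """Return every Version value recorded under `package`, in report order.
    The history lists one entry per install, so superseded versions remain."""
    versions = []
    current = None
    for line in report.splitlines():
        header = re.match(r"^\s*([^:]+):\s*$", line)   # e.g. "MRTConfigData:"
        if header:
            current = header.group(1).strip()
            continue
        field = re.match(r"^\s*Version:\s*(\S+)", line)
        if field and current == package:
            versions.append(field.group(1))
    return versions


def version_key(version: str) -> tuple:
    """Numeric sort key so that 1.47 > 1.9 (string order would say otherwise)."""
    return tuple(int(part) for part in version.split("."))


def newest_version(report: str, package: str = "MRTConfigData"):
    versions = parse_versions(report, package)
    return max(versions, key=version_key) if versions else None


def is_current(report: str, expected: str = EXPECTED) -> bool:
    newest = newest_version(report)
    return newest is not None and version_key(newest) >= version_key(expected)


if __name__ == "__main__":
    # On a Mac, run the real command; elsewhere the sample report is used.
    try:
        report = subprocess.run(["system_profiler", "SPInstallHistoryDataType"],
                                capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        report = SAMPLE_REPORT
    print("newest MRTConfigData:", newest_version(report),
          "OK" if is_current(report) else "UPDATE NEEDED")
```

Comparing the components numerically matters: a plain string comparison would rank 1.9 above 1.47.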


QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack

Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident.


Gig Harbor, Wash.-based iNSYNQ specializes in providing cloud-based QuickBooks accounting software and services. In a statement posted to its status page, iNSYNQ said it experienced a ransomware attack on July 16, and took its network offline in a bid to contain the spread of the malware.

“The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.”

iNSYNQ said it has engaged outside cybersecurity assistance to determine whether any customer data was accessed without authorization, but that so far it has no estimate for when those files might be available again to customers.

Meanwhile, iNSYNQ’s customers — many of them accountants who manage financial data for a number of their own clients — have taken to Twitter to vent their frustration over a lack of updates since that initial message to users.

In response, the company appears to have simply deleted or deactivated its Twitter account (a cached copy from June 2019 is available here). Several customers venting about the outage on Twitter also accused the company of unpublishing negative comments about the incident from its Facebook page.

Some of those customers also said iNSYNQ initially blamed the outage on an alleged problem with U.S.-based nationwide cable ISP giant Comcast. Meanwhile, competing cloud hosting providers have been piling on to the tweetstorms about the iNSYNQ outage by marketing their own services, claiming they would never subject their customers to a three-day outage.

iNSYNQ has not yet responded to requests for comment.

Update, 4:35 p.m. ET: I just heard from iNSYNQ’s CEO Elliot Luchansky, who shared the following:

While we have continually updated our website and have emailed customers once if not twice daily during this malware attack, I acknowledge we’ve had to keep the detail fairly minimal.

Unfortunately, and as I’m sure you’re familiar with, the lack of detailed information we’ve shared has been purposeful and in an effort to protect our customers and their data; we’re in a behind the scenes trench warfare doing everything we possibly can to secure and restore our system and customer data and backups. I understand why our customers are frustrated, and we want more than anything to share every piece of information that we have.

Our customers and their businesses are our number one priority right now. Our team is working around the clock to secure and restore access to all impacted data, and we believe we have an end in sight in the near future.

You know as well as we that no one is 100% impervious to this – businesses large and small, governments and individuals are susceptible. iNSYNQ and our customers were the victims of a malware attack that’s a totally new variant that hadn’t been detected before, confirmed by the experienced and knowledgeable cybersecurity team we’ve employed.

Original story: There is no question that a ransomware infestation at any business — let alone a cloud data provider — can quickly turn into an all-hands-on-deck, hair-on-fire emergency that diverts all attention to fixing the problem as soon as possible.

But that is no excuse for leaving customers in the dark, and for not providing frequent and transparent updates about what the victim organization is doing to remediate the matter. Particularly when the cloud provider in question posts constantly to its blog about how companies can minimize their risk from such incidents by trusting it with their data.

Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-service offerings, as these businesses are completely unable to serve their customers while a ransomware infestation is active.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.

In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual. It’s not hard to see why: Having customer data ransomed or stolen can send many customers scrambling to find new providers. As a result, the temptation to simply pay up may become stronger with each passing day.

That’s exactly what happened in February, when cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

KrebsOnSecurity will endeavor to update this story as more details become available. Any iNSYNQ customer affected by the outage is welcome to contact this author via Twitter (my direct messages are open to all) or at krebsonsecurity @ gmail.com.

11 Things You Didn’t Know About Black Hat USA 2019

It’s almost that time of year again, when hackers, researchers, gurus, and just about everybody with an interest in cybersecurity descends on Las Vegas for the annual Black Hat USA conference. This year is the venerable expo’s 22nd in succession and promises 6 action-packed days stuffed with intensive training courses, cutting-edge briefings, demos of innovative products and, of course, plenty of social networking. There’s no shortage of information on what to expect, but check out our guide below to make sure you haven’t missed anything essential. We’ve also got some tips for those of you that wish you were going but couldn’t make it, so read on!


1. Everybody is Anonymous!

Black Hat USA 2019, which runs from August 3rd to August 8th, is expected to host almost 20,000 attendees, which means there’s one statistic that applies to us all: almost nobody will know you, and you will know almost nobody. One of the main aims of Black Hat is to put some small dent in that statistic so that you come away having made some new friends and acquaintances. Since everyone is in the same boat, don’t worry about being shy and strike up conversations with all those strangers! A great place to network is the hosted parties. We’ll be hosting our own on Tuesday 6th at 5.30pm, so join us for golf, gaming and a whole lot more!


2. It’s Not Paranoia If They’re Really After You!

Every year there is a warning about being hacked at Black Hat, and to be fair, a gathering of thousands of hackers is not a place where you want to hang out if you have no idea about security. The organizers recommend Faraday bags and RFID-blocking sleeves. If you are bringing a laptop, a good idea is to flash it with a clean install, put only the bare minimum of data on it that you need to survive the week, and turn off services you are not using, such as Bluetooth and Wi-Fi. When you get home, pull off any files you need to keep and restore the device from a backup. For phones, some people take a burner, others use a Faraday bag to keep out unwanted attention. Watch out for ATM skimmers, too, and because you are a security professional we do not need to tell you: do not plug in any USB devices handed out by strangers (or newly-met friends)!

3. Don’t Tell Your Boss, But They’re Hiring!

Black Hat USA 2019 is all about the tech, hacker craft, and improving your skill set. And it’s also a great place to pick up a new gig. With the massive shortage in cybersecurity skills facing the industry, everyone’s looking to hire talent, and if you’re in the market you’ll find plenty of people interested. Personal networking in the Business Hall is a great place to start. There’s also a Who’s Hiring page on the Black Hat USA website you can check out. 

4. You Can Be There Without Attending!

As cool as it can be to hang out with a whole tribe of like-minded infosec professionals, not everyone can find the time (or the cash!) to get to Black Hat USA 2019. While that means you will miss out on the parties and the swag in the Business Hall, it doesn’t mean you have to miss out on the most important Briefings (Black Hat lingo for conference presentations). You can sign up for online streaming access and even get a USB – we’ll trust the organizers to provide one that’s free of malware and trojans! – with recordings of all the presentations. Costs start at $299, and rise depending on which package you choose.

5. Black Hat Has Been Hacked Before

Speaking of hacking and online streaming, Black Hat themselves got pwned by Mozilla’s Michael Coates back in 2010 when he signed up for the online streaming. He quickly found a way to get the service without paying, due to a vulnerability in the web application that was supposed to handle the registration. Of course, Michael informed the organizers immediately, and the issue was quickly fixed. We wonder if they gave him a free subscription after all? If, like Michael, you happen to stumble across an unexpected vulnerability, responsible disclosure is the key. See the next item!

6. Don’t Do Cyber Crime!

The commencement of Black Hat USA 2019 just happens to coincide – almost to the day – with the 2nd anniversary of Marcus Hutchins’ arrest by FBI agents on August 2nd, 2017, which occurred shortly after the Black Hat and Def Con conferences of that year. Marcus, better known by his handle MalwareTech in InfoSec circles, had become the ‘accidental hero’ of the WannaCry ransomware outbreak earlier that year when he inadvertently tripped a kill switch by registering a domain he found hardcoded into the malware. That brought the ransomware infection to a sudden halt, and brought Marcus a lot of attention. Marcus fell foul of the Feds while trying to make his way home after Black Hat USA 2017, when agents charged him with distributing the Kronos banking malware some years earlier. Marcus’ story provides a cautionary tale: hackers attending the con who are guilty of real cyber crimes? Beware.

7. There’s a Black Hat CTF Open to All

Everybody loves a good Capture the Flag competition, and this year there is an online CTF aimed at all levels running throughout the 8th, with a $1000 prize for 1st place (there are runner-up prizes, too!). Don’t worry if you are not a hardcore hacker: even first-timers are welcome to participate and learn first-hand the fun of a CTF competition. Build your skills through self-learning challenges in forensics, web exploitation, scripting and reverse engineering. It is free and open to non-attendees, so you can do it from home. What’s not to like? Find out more here.

8. You Can’t Be In Two Places At The Same Time

Yup, that old law of physics which applies to everyone (except Star Trek characters) means you are going to have to make some hard choices about what to attend and what to miss. With schedule clashes in pretty much every time slot, you are going to have to make sacrifices.

Fortunately, at least the Trainings and Briefings run on separate schedules, but you’ll still need to think carefully about which is most important as access depends on what kind of pass you buy. Trainings are generally well-regarded, some have even sold out already and most are nearing full subscription, so plan ahead as to what might interest you. Be aware that Trainings won’t offer you any kind of certification, but will put you in the hands of industry professionals who live and breathe their work. Briefings are vital to keep up with the direction of the latest research, but plan ahead of time which you want to attend and get there early. Queues will be long, so have a backup plan if you can’t get in to a session that’s your first choice.

9. Your World Is Walking

If you’re used to sitting behind a desk (or on a sofa) staring at your computer display for long hours, then there’s another kind of Black Hat Training you might want to consider before the con even kicks off: upping your exercise regime! You’re going to be putting in a lot of steps as there’s plenty of miles to cover between halls, conference rooms, bars, restaurants and the like. And when you’re not walking, you’re going to be spending a lot of time standing, so choose footwear with comfort not fashion in mind. You’ll also want this handy floor plan to help you find the shortest distance between two places.

10. Human Bodies Run On Water

We don’t mean that like “walk on water, only faster”, but as in “water is the elixir of life”. You’re going to the desert, in August. Water might not be everywhere, and it certainly won’t be cheap, but if you’re going to get the max out of your hectic schedule you need to ensure that you’re properly hydrated. Alcohol (no surprise) will dehydrate you, but so will lots of talking – or shouting during noisy parties. Take a refillable water bottle with you and replenish it at every available opportunity. Moisturiser for dry lips will come in handy, too.

11. The Party Has Only Just Begun

If you are not entirely exhausted by Thursday the 8th and are lamenting not being able to see all your new-found buddies till Black Hat USA 2020, the good news is Def Con 27 is waiting for you just down the strip. That’s right, Def Con begins on the last day of Black Hat, so if you really want to push yourself to the max, meet even more people, and share the amazing things you have learned while loading up your knowledge base still further, there are four more days of fun to be had. Def Con 2019 runs from August 8th to 11th, and you can check out all they have to offer here.

Conclusion

Whether you’re going to Black Hat to meet like-minded people, learn new tricks or explore the latest security solutions, you’ll find plenty of each and much more besides. With 125 Trainings, 124 Briefings and hundreds of vendors exhibiting in the Business Hall, you’ll come away with a unique insight into all the latest trends in Infosec. SentinelOne will be there, of course, so come and join us at Tuesday’s party and drop by and say hello at Booth 222 in the Business Hall.  


Intel announces deep, multi-year partnership with SAP

Intel announced a deep partnership with SAP today around using advanced Intel technology to optimize SAP software tools. Specifically, the company plans to tune its Intel Xeon Scalable processors and Intel Optane DC persistent memory for SAP’s suite of applications.

The multi-year partnership includes giving SAP early access to emerging Intel technologies and building a Center of Excellence. “We’re announcing a multi-year technology partnership that’s focused on optimizing Intel’s platform innovations… across the entire portfolio of SAP’s end-to-end enterprise software applications including SAP S/4HANA,” Rajeeb Hazra, corporate vice president of Intel’s Enterprise and Government Business, told TechCrunch.

He says that this will cover broad areas of Intel technology, including CPU, accelerators, data center, persistent memory and software infrastructure. “We’re taking all of that data-centric portfolio to move data faster, store data more efficiently and process all kinds of data for all kinds of workloads,” he explained.

The idea is to work closely together to help customers understand and use the two sets of technologies in tandem in a more efficient manner. “The goal here is [to expose] a broad portfolio of Intel technologies for the data-centric era, close collaboration with SAP to accelerate the pace of innovation of SAP’s entire broad suite of enterprise class applications, while making it easier for customers to see, test and deploy this technology,” he said.

Irfan Khan, president of Platform and Technologies at SAP, says this partnership should help deliver better performance across the SAP suite of products including SAP S/4HANA, its in-memory database product. “Our expanded partnership with Intel will accelerate our customers’ move to SAP S/4HANA by allowing organizations to unlock the value of data assets with greater ease and operate with increased visibility, focus and agility,” Khan said in a statement.

Hazra says that this is part of a broader enterprise strategy the company has been undertaking for many years, but it is focusing specifically on SAP for this agreement because of its position in the enterprise software ecosystem. He believes that by partnering with SAP at this level, the two companies can gain further insight that could help customers as they use advanced technologies like AI and machine learning.

“This partnership is [significant for us] given SAP’s focus and position in the markets that they serve with enterprise class applications, and the importance of what they’re doing for our core enterprise customers in those areas of the enterprise. This includes the emerging areas of machine learning and AI. With their suite [of products], it gives those customers the ability to accelerate innovation in their businesses by being able to see, touch, feel and consume this innovation much more efficiently,” he said.

VComply raises $2.5 million seed round led by Accel to simplify risk and compliance management

Risk and compliance management platform VComply announced today that it has picked up a $2.5 million seed round led by Accel Partners for its international growth plan. The funding will be used to acquire more customers in the United States, open a new office in the United Kingdom to support customers in Europe and expand its presence in New Zealand and Australia.

The company was founded in 2016 by CEO Harshvardhan Kariwala and has customers in a wide range of industries, including Acreage Holdings, Ace Energy Solutions, CHD, the United Kingdom’s Department for International Trade and Burger King. It currently claims about 4,000 users in more than 100 countries. VComply is meant to be used by all departments in a company, with compliance information organized into a central dashboard.

While there are already a roster of governance, risk and compliance management solutions on the market (including ones from Oracle, HPE, Thomson Reuters, IBM and other established enterprise software companies), VComply’s competitive edge may be its flexibility, simple user interface and easy deployment (the company claims customers can on-board and start using the solution for compliance tasks in about 30 minutes). It also seeks out smaller companies whose needs have not been met by compliance solutions meant for large enterprises.

Kariwala told TechCrunch in an email that he began thinking of creating a new risk and compliance solution while working at his first startup, LIME Learning Systems, an education management platform, after being hit with a $4,000 penalty due to a non-compliance issue.

“Believe me, $4,000 really hurts when you’re bootstrapped and trying to save every single cent you can. In this case, I had asked our outsourced accounting partners to manage this compliance and they forgot!” he said. After talking to other entrepreneurs, he realized compliance posed a challenge for most of them. LIME’s team built an internal compliance tracking tool for their own use, but also shared it with other people. After getting good feedback, Kariwala realized that despite the many governance, risk and compliance management solutions already on the market, there was still a gap in the market, especially for smaller businesses.

VComply is designed so organizations can customize it for their industry’s regulations and standards, as well as their own workflow and data needs, with competitive pricing for small to medium-sized organizations (a subscription starts at $3,999 a year).

“Most of the traditional GRC solutions that exist today are expensive, have a steep learning curve and entail a prolonged deployment. Not only are they expensive, they are also rigid, which means that organizations have little to no control or flexibility,” Kariwala said. “A GRC tool is often looked at as an expense, while it should really be treated as an investment. It is particularly the SMB sector that suffers the most. With the current solutions costing thousands of dollars (and sometimes millions), it becomes the least of their priorities to invest in a GRC platform, and as a result they fall prey to heightened risks and hefty penalties for non-compliance.”

In a press statement, Accel partner Dinesh Katiyar said, “The first generation of GRC solutions primarily allowed companies to comply with industry-mandated regulations. However, the modern enterprise needs to govern its operations to maintain integrity and trust, and monitor internal and external risks to stay successful. That is where VComply shines, and we’re delighted to be partnering with a company that can redefine the future of enterprise risk management.”

InCountry raises $15M for its cloud-based private data storage-as-a-service solution

The rise of data breaches, along with an expanding raft of regulations (now numbering 80 different regional regimes, and growing), has thrust data protection — having legal and compliant ways of handling personal user information — to the top of the list of things that an organization needs to consider when building and operating their businesses. Now a startup called InCountry, which is building both the infrastructure for these companies to securely store that personal data in each jurisdiction, as well as a comprehensive policy framework for them to follow, has raised a Series A of $15 million. The funding is coming in just three months after closing its seed round — underscoring both the attention this area is getting and the opportunity ahead.

The funding is being led by three investors: Arbor Ventures of Singapore, Global Founders Capital of Berlin and Mubadala of Abu Dhabi. Previous investors Caffeinated Capital, Felicis Ventures, Charles River Ventures and Team Builder Ventures (along with others that are not being named) also participated. It brings the total raised to date to $21 million.

Peter Yared, the CEO and founder, pointed out in an interview the geographic diversity of the three lead backers: he described this as a strategic investment, which has resulted from InCountry already expanding its work in each region. (As one example, he pointed out a new law in the UAE requiring all health data of its citizens to be stored in the country — regardless of where it originated.)

As a result, the startup will be opening offices in each of the regions and launching a new product, InCountry Border, to focus on encryption and data handling that keep data inside specific jurisdictions. This will sit alongside the company’s compliance consultancy as well as its infrastructure business.

“We’re only 28 people and only six months old,” Yared said. “But the proposition we offer — requiring no code changes, but allowing companies to automatically pull out and store the personally identifiable information in a separate place, without anything needed on their own back end, has been a strong pull. We’re flabbergasted with the meetings we’ve been getting.” (The alternative, of companies storing this information themselves, has become massively unpalatable, given all the data breaches we’ve seen, he pointed out.)

In part because of the nature of data protection, in its short six months of life, InCountry has already come out of the gates with a global viewpoint and global remit.

It’s already active in 65 countries — which means it’s already equipped to store, process and regulate profile data in the country of origin in these markets — but that is actually just the tip of the iceberg. The company points out that more than 80 countries around the world have data sovereignty regulations, and that in the U.S., some 25 states already have data privacy laws. Violating these can have disastrous consequences for a company’s reputation, not to mention its bottom line: In Europe, the U.K. data regulator is now fining companies the equivalent of hundreds of millions of dollars when they violate GDPR rules.

This ironically is translating into a big business opportunity for startups that are building technology to help companies cope with this. Just last week, OneTrust raised a $200 million Series A to continue building out its technology and business funnel — the company is a “gateway” specialist, building the welcome screens that you encounter when you visit sites to accept or reject a set of cookies and other data requests.

Yared says that while InCountry is very young and is still working on its channel strategy — it’s mainly working directly with companies at this point — there is a clear opportunity both to partner with others within the ecosystem as well as integrators and others working on cloud services and security to build bigger customer networks.

That speaks to the complexity of the issue, and the different entry points that exist to solve it.

“The rapidly evolving and complex global regulatory landscape in our technology driven world is a growing challenge for companies,” said Melissa Guzy of Arbor Ventures, in a statement. Guzy is joining the board with this round. “InCountry is the first to provide a comprehensive solution in the cloud that enables companies to operate globally and address data sovereignty. We’re thrilled to partner and support the company’s mission to enable global data compliance for international businesses.”

Investor Jocelyn Goldfein to join us on AI panel at TechCrunch Sessions: Enterprise

Artificial intelligence is quickly becoming a foundational technology for enterprise software development and startups have begun addressing a variety of issues around using AI to make software and processes much more efficient.

To that end, we are delighted to announce that Jocelyn Goldfein, a Managing Director at Zetta Venture Partners, will be joining us on a panel to discuss AI in the enterprise. It will take place at the TechCrunch Sessions: Enterprise show on September 5 at the Yerba Buena Center in San Francisco.

It’s not just startups that are involved in AI in the enterprise. Some of the biggest names in enterprise software including Salesforce Einstein, Adobe Sensei and IBM Watson have been addressing the need for AI to help solve the enterprise data glut.

Computers can process large amounts of information much more quickly than humans, and as enterprise companies generate increasing amounts of data, they need help understanding it all as the volume of information exceeds human capacity to sort through it.

Goldfein brings a deep engineering background to her investment work. She served as a VP of engineering at VMware and as an engineering director at Facebook, where she led the project that adopted machine learning for the News Feed ranker, launched major updates in photos and search, and helped spearhead Facebook’s pivot to mobile. Goldfein drove significant reforms in Facebook hiring practices and is a prominent evangelist for women in computer science. As an investor, she primarily is focused on startups using AI to take more efficient approaches to infrastructure, security, supply chains and worker productivity.

At TC Sessions: Enterprise, she’ll be joining Bindu Reddy from Reality Engines along with other panelists to discuss the growing role of AI in enterprise software with TechCrunch editors. You’ll learn why AI startups are attracting investor attention and how AI in general could fundamentally transform enterprise software.

Prior to joining Zetta, Goldfein had stints at Facebook and VMware, as well as startups Datify, MessageOne and Trilogy/pcOrder.

Early Bird tickets to see Jocelyn at TC Sessions: Enterprise are on sale for just $249 when you book here; but hurry, prices go up by $100 soon! Students, grab your discounted tickets for just $75 here.

What is OSINT? (And How Is It Used?)

The first step in a targeted attack – or a penetration test or red team activity – is gathering intelligence on the target. While there are ways and means to do this covertly, intelligence gathering usually starts with scraping information from public sources, collectively known as open source intelligence or OSINT. There is such a wealth of legally collectible OSINT available now thanks to social media and the prevalence of online activities that this may be all that is required to give an attacker everything they need to successfully profile an organization or individual.

In this post, we’ll get you up to speed on what OSINT is all about and how you can learn to use OSINT tools to better understand your own digital footprint.

What is OSINT?

If you’ve heard the name but are wondering what it means, OSINT stands for open source intelligence, which refers to any information that can legally be gathered from free, public sources about an individual or organization. In practice, that tends to mean information found on the internet, but technically any public information falls into the category of OSINT whether it’s books or reports in a public library, articles in a newspaper or statements in a press release.

OSINT also includes information that can be found in different types of media, too. Though we typically think of it as being text-based, information in images, videos, webinars, public speeches and conferences all fall under the term.

What is OSINT Used For?

By gathering publicly available sources of information about a particular target an attacker – or friendly penetration tester – can profile a potential victim to better understand its characteristics and to narrow down the search area for possible vulnerabilities. Without actively engaging the target, the attacker can use the intelligence produced to build a threat model and develop a plan of attack. Targeted cyber attacks, like military attacks, begin with reconnaissance, and the first stage of digital reconnaissance is passively acquiring intelligence without alerting the target.

Gathering OSINT on yourself or your business is also a great way to understand what information you are gifting potential attackers. Once you are aware of what kind of intel can be gathered about you from public sources, you can use this to help you or your security team develop better defensive strategies. What vulnerabilities does your public information expose? What can an attacker learn that they might leverage in a social engineering or phishing attack?

How Can OSINT Be Gathered?

Gathering information from a vast range of sources is a time-consuming job, but there are many tools to make intelligence gathering simpler. While you may have heard of tools like Shodan and port scanners like Nmap and Zenmap, the full range of tools is vast. Fortunately, security researchers themselves have begun to document the tools available.

A great place to start is the OSINT Framework put together by Justin Nordine. The framework provides links to a large collection of resources for a huge variety of tasks from harvesting email addresses to searching social media or the dark web.

image of osint framework

In many articles on OSINT tools you’ll see reference to one or two packages included in the Kali Linux penetration testing distribution, such as theHarvester or Maltego, but for a complete overview of the OSINT tools available for Kali, check out the Kali Tools listing page, which gives both a rundown of the tools and examples of how to use each of them.

image of kali tools listing

Among the many useful tools you’ll find here for open source intelligence gathering are researcher-favorites like Nmap and Recon-ng. The Nmap tool allows you to specify an IP address, say, and determine what hosts are available, what services those hosts offer, the operating systems they run, what firewalls are in use and many other details.

image of nmap results

Recon-Ng is a tool written in Python by Tim Tomes for web reconnaissance. You can use it to do things like enumerate the subdomains for a given domain, but there are dozens of modules that allow you to hook into things like the Shodan internet search engine, Github, Jigsaw, Virustotal and others, once you add the appropriate API keys. Modules are categorized in groups such as Recon, Reporting and Discovery modules.

image of recon ng

What Other OSINT Tools Are There?

One of the most obvious tools for use in intelligence gathering is, of course, web search engines like Google, Bing and so on. In fact, there are dozens of search engines, and some may return better results than others for a particular kind of query. The problem, then, is how can you query these many engines in an efficient way?

A great tool that solves this problem and makes web queries more effective is Searx. Searx is a metasearch engine which allows you to anonymously and simultaneously collect results from more than 70 search services. Searx is free and you can even host your own instance for ultimate privacy. Users are neither tracked nor profiled, and cookies are disabled by default. Searx can also be used over Tor for online anonymity.

image of searx admin

Many public instances of Searx are also available for those who either don’t want or don’t need to host their own instance. See the Searx wiki for a listing.

image of anonymize

There are many people working on new tools for OSINT all the time, and a great place to keep up with them and just about anything else in the cybersecurity world is, of course, by following people on Twitter. Keeping track of things on Twitter, though, can be difficult. Fortunately, there’s an OSINT tool for that, too, called Twint.

Twint is a Twitter scraping tool written in Python that makes it easy to anonymously gather and hunt for information on Twitter without signing up to the Twitter service itself or using an API key as you would have to do with a tool like Recon-ng. With Twint, there’s no authentication or API needed at all. Just install the tool and start hunting. You can search by user, geolocation and time range, among other possibilities. Here are just some of Twint’s options, but many others are available, too.

image of twint help

So how can you use Twint to help you keep up with developments in OSINT? Well, that’s easy and is a great example of Twint in action. As Twint allows you to specify a --since option to only pull tweets from a certain date onwards, you could combine that with Twint’s search verb to scrape new tweets tagged with #OSINT on a daily basis. You could automate that script and feed the results into a database to view at your convenience by using Twint’s --database option that saves to SQLite format.

Looks like there have been 58 #OSINT tweets so far today!

twint -s '#osint' --since 2019-07-17

image of twint search

Another great tool you can use to collect public information is Metagoofil. This tool uses the Google search engine to retrieve public PDFs, Word Documents, Powerpoint and Excel files from a given domain. It can then autonomously extract metadata from these documents to produce a report listing information like usernames, software versions, servers and machine names.

image of metagoofil
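The same metadata Metagoofil harvests can be checked from the defending side before a document is published. The following Python is an added example, not code from the original post or from Metagoofil: it parses the docProps parts of an Office Open XML file for author, last-editor, application and version fields, and the sample .docx it reads is constructed inline with placeholder values (jsmith, CORP, 16.0000, Microsoft Office Word).

```python
import io, zipfile
import xml.etree.ElementTree as ET

NS = {  # namespaces of the docProps parts in an Office Open XML package
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
DOCPROPS = {"docProps/core.xml", "docProps/app.xml"}

# (part, element, report key): the fields that leak usernames and software
# versions, the same details the post says Metagoofil reports.
LEAKY_FIELDS = [
    ("docProps/core.xml", "dc:creator", "creator"),
    ("docProps/core.xml", "cp:lastModifiedBy", "last_modified_by"),
    ("docProps/app.xml", "ep:Application", "application"),
    ("docProps/app.xml", "ep:AppVersion", "app_version"),
]


def extract_office_metadata(data: bytes) -> dict:
    """Return the leaky metadata fields present in a .docx/.xlsx/.pptx blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parsed = {p: ET.fromstring(z.read(p)) for p in z.namelist() if p in DOCPROPS}
    found = {}
    for part, element, key in LEAKY_FIELDS:
        root = parsed.get(part)  # None when the part was stripped from the file
        el = root.find(element, NS) if root is not None else None
        if el is not None and el.text:
            found[key] = el.text
    return found


def build_sample_docx() -> bytes:
    """Constructed sample: a skeleton .docx carrying typical leaky properties."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}"><dc:creator>jsmith'
            '</dc:creator><cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>'
            '</cp:coreProperties>').format(**NS)
    app = ('<Properties xmlns="{ep}"><Application>Microsoft Office Word'
           '</Application><AppVersion>16.0000</AppVersion></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    print(extract_office_metadata(build_sample_docx()))
```

Run it over the files in your own public download directories; an empty result means the docProps parts carry none of these fields, while a domain-qualified user name or an exact application build is the kind of detail worth stripping before publication.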

Conclusion

In this post, we’ve covered the basic idea of OSINT and why it’s useful. We’ve looked at a couple of great places where you can discover many OSINT tools to help you with virtually any kind of information gathering you need to do, and we’ve also given you a taste of a few individual tools and shown how they can be put to work.

For anyone involved in cybersecurity, understanding how to collect open source intelligence is a vital skill. Whether you’re defending an enterprise network or testing it for weaknesses, the more you understand about its digital footprint the better able you are to see it from an attacker’s point of view. Armed with that knowledge, you can then go on to develop better defensive strategies.


Stonly lets you create interactive step-by-step guides to improve support

French startup Stonly wants to empower users so that they can solve their issues by themselves. Instead of relying on customer support agents, Stonly wants to surface relevant content so that you can understand and solve issues.

“I’m trying to take the opposite stance of chatbots,” founder and CEO Alexis Fogel told me. “The issue [with chatbots] is that technology is not good enough and you often end up searching through the help center.”

If you’re in charge of support for a big enough service, chances are your customers often face the same issues. Many companies have built help centers with lengthy articles. But most customers won’t scroll through those pages when they face an issue.

That’s why Stonly thinks you need to make this experience more interactive. The service lets you create scripted guides with multiple questions to make this process less intimidating. Some big companies have built question-based help centers, but Stonly wants to give tools to small companies so they can build their own scenarios.

A Stonly module is basically a widget you can embed on any page or blog. It works like a deck of slides with buttons to jump to the relevant slide. Companies can create guides in the back end without writing a single line of code. You can add an image, a video and some code to each slide.

At any time, you can see a flowchart of your guide to check that everything works as expected. You can translate your guides in multiple languages, as well.

Once you’re done and the module is live, you can look back at your guides and see how you can improve them. Stonly lets you see if users spend more time on a step, close the tab and drop in the middle of the guide, test multiple versions of the same guide, etc.

But the startup goes one step further by integrating directly with popular support services, such as Zendesk and Intercom. For instance, if a user contacts customer support after checking a Stonly guide, you can see in Zendesk what they were looking at. Or you can integrate Stonly in your Intercom chat module.

As expected, a service like Stonly can help you save on customer support. If users can solve their own issues, you need a smaller customer support team. But that’s not all.

“It’s not just about saving money, it’s also about improving engagement and support,” Fogel said.

Password manager company Dashlane is a good example of that. Fogel previously co-founded Dashlane before starting Stonly. And it’s one of Stonly’s first clients.

“Dashlane is a very addictive product, but the main issue is that you want to help people get started,” he said. It’s true that it can be hard to grasp how you’re supposed to use a password manager if you’ve never used one in the past. So the onboarding experience is key with this kind of product.

Stonly is free if you want to play with the product and build public guides. But if you want to create private guides and access advanced features, the company has a Pro plan ($30 per month) and a Team plan (starting at $100 per month with bigger bills as you add more people to your team and use the product more extensively).

The company has tested its product with a handful of clients, such as Dashlane, Devialet, Happn and Malt. The startup has raised an undisclosed seed round from Eduardo Ronzano, Thibaud Elzière, Nicolas Steegmann, Renaud Visage and PeopleDoc co-founders. And Stonly is currently part of the Zendesk incubator at Station F.

Dust Identity secures $10M Series A to identify objects with diamond dust

The idea behind Dust Identity was originally born in an MIT lab where the founders developed the base technology for uniquely identifying objects using diamond dust. Since then, the startup has been working to create a commercial application for the advanced technology, and today it announced a $10 million Series A round led by Kleiner Perkins, which also led its $2.3 million seed round last year.

Airbus Ventures and Lockheed Martin Ventures, New Science Ventures, Angular Ventures and Castle Island Ventures also participated in the round. Today’s investment brings the total raised to $12.3 million.

The company has an unusual idea of applying a thin layer of diamond dust to an object with the goal of proving that that object has not been tampered with. While using diamond dust may sound expensive, the company told TechCrunch last year at the time of its seed round funding that it uses low-cost industrial diamond waste, rather than the expensive variety you find in jewelry stores.

As CEO and co-founder Ophir Gaathon told TechCrunch last year, “Once the diamonds fall on the surface of a polymer epoxy, and that polymer cures, the diamonds are fixed in their position, fixed in their orientation, and it’s actually the orientation of those diamonds that we developed a technology that allows us to read those angles very quickly.”

Ilya Fushman, who is leading the investment for Kleiner, says the company is offering a unique approach to identity and security for objects. “At a time when there is a growing trust gap between manufacturers and suppliers, Dust Identity’s diamond particle tag provides a better solution for product authentication and supply chain security than existing technologies,” he said in a statement.

The presence of strategic investors Airbus and Lockheed Martin shows that big industrial companies see a need for advanced technology like this in the supply chain. It’s worth noting that the company partnered with enterprise computing giant SAP last year to provide a blockchain interface for physical objects, where they store the Dust Identity identifier on the blockchain. Although the startup has a relationship with SAP, it remains blockchain agnostic, according to a company spokesperson.

While it’s still early days for the company, it has attracted attention from a broad range of investors and intends to use the funding to continue building and expanding the product in the coming year. To this point, it has implemented pilot programs and early deployments across a range of industries, including automotive, luxury goods, cosmetics and oil, gas and utilities.