Newsroom + Press

Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes" though, were not zero-days or malware at all.

A genuine enthusiasm for enabling and advancing a connected world can only be a positive for anyone working in the IoT sector. That's certainly the case for Paul Jauregui, who oversees all aspects of marketing, branding and communications at Praetorian, a collective of highly technical engineers and developers that provides a suite of security assessment and advisory services.

His very obvious passion for the Internet of Things has led him to become acting business lead for Austin, Texas-based Praetorian's IoT security assessment and advisory services.

Listen to Praetorian IoT business lead, Paul Jauregui, sits down with Bruce Sinclair for an interview on "The IoT Inc Business Show". Operating at the epicenter of both IoT and Security provides Praetorian with a unique and valuable prospective, which we enjoy sharing with audiences. In this episode of Bruce's podcast we discuss end-to-end IoT penetration testing and other things enterprise IoT business leaders need to know about when working with an external security assessment firm. Listen to this episode to gain confidence that your Internet of Things devices and data are secure.

With the software rejiggered, the FBI could launch a traditional “brute force” attack, employing a software program to rapidly try password combinations until it arrived at the correct one. Since Farook’s iPhone 5C used a four-digit passcode, a program could run through every one of the 10,000 possible password combinations in a matter of minutes.

“That brute force technology isn't very sophisticated,” says Dylan Ayrey, a security engineer with the information security company Praetorian. “You could go on Ebay right now and purchase ways to brute force older versions of the iPhone.”

Dylan Ayrey, a security engineer with the information security company Praetorian, points out that an iPhone’s lock screen is only the first barrier to its contents. WhatsApp recently announced that it would use end-to-end encryption for all its messaging services.

“Encryption is here whether we want it to be or not,” he says. “The landscape has changed forever, mostly for the better, and these types of proposals can't gain traction.”

However just last week, two U.S. senators introduced legislation to require tech companies to unlock phones and provide other “technical assistance” to government officials with a court order.

Mislan at Rochester Institute of Technology points out that as CEO of one of the world’s leading mobile forensics companies, Bollö would be uniquely positioned to profit from any software designed to execute FACT. Bollö insists that his competitors could do the same and says he is focused on developing a new industry standard rather than a software sales pitch."

Of course, we could develop this stuff and we'd be happy to do that but I'm not trying to push that,” Bollö says. “I'm trying to say, ‘Here's a solution that could work for everyone.’"

Rather than require companies to install a key, Praetorian’s Ayrey thinks the best solution is for mobile forensics companies such as MSAB and Praetorian to continue doing what they have been doing all along—finding vulnerabilities in each new device or operating system that is released, and exploiting those holes on behalf of clients until an update renders them obsolete.

For consumers, Mislan has an even simpler strategy. “For me, it boils down to: If you really want to protect something, don't put it on your phone,” he says.

Elvis Collado, a security research at cybersecurity provider Praetorian, also worries about attackers rewriting firmware code and installing it on an IoT device, saying “The attack vector varies from device to device, but improper key handling or firmware validation puts a great number of IoT devices at risk. If an attacker can program a backdoor into a device, whether it be remote or local, then it's game over.” 

From Blaster to Heartbleed, it’s clear that the tech industry often acts on security only after a major problem becomes evident. What all four of the above experts agree on is that you shouldn’t expect “them” to fix a problem before it happens.

“Builders make the best breakers,” Collado believes. “At Praetorian, we’re all developers and engineers. We just happen to focus on security. If you're a developer, try breaking your code from a non-QA perspective. Can you cause information to be leaked? Can you cause memory corruption? Do you have test code that was compiled into production that can be potentially abused? Can users access hardware debug interfaces in situations when they're not supposed to? This type of mentality shift will greatly improve the quality of your code from a security perspective.”

Embargos and sanctions such as these could be the new norm in dealing with cyber warfare threats—especially since companies have no real teeth to fight back.

“It has become painfully clear that even the largest corporations are incapable of preventing state sponsored cyber attacks on their own,” says Nathan Sportsman, CEO of the Praetorian, which provides security assessment and advisory services.

For instance, corporations can’t exactly “hack back” against state-based incursions. The response would have to come from the U.S. government, Sportsman says. “While economic sanctions should not be considered a panacea, U.S. sanctions will provide a partial deterrence to the rampant cyber attacks that we are currently experiencing,” he says.

As cybersecurity job market suffers severe workforce shortage, a leading information security firm engages next-generation talent face-to-face to address skills gap. 

The University of Texas at Austin welcomed two new adjunct professors to the department of computer science this fall. Nathan Sportsman and Chris Prosise, of Austin-based cybersecurity company Praetorian, have joined the university to teach the newly created CS 378 Ethical Hacking course. The two industry veterans are joining the talented and diverse group of professors as part of the computer science department’s expanded commitment to security as part of the degree curriculum. The class will provide students with a practical, hands-on opportunity to learn real-world security.

New Internet of Things (IoT) security testing and assurance services designed to help today’s leading manufacturers deliver and deploy secure connected products to the market.

Praetorian today announced expanded security testing and assurance services that cover end-to-end Internet of Things (IoT) product ecosystems. Praetorian’s Internet of Things security services take a holistic approach to security testing by reviewing the entire product ecosystem, from chip to code, while prioritizing vulnerabilities so connected product teams can successfully balance risk with time-to-market pressures.

“In today’s connected world, the perception of security risk alone, even if not realized, can still negatively impact consumer confidence necessary for new technologies to meet their full market potential,” said Paul Jauregui, Vice President of Marketing at Praetorian. “Recent, high-profile data breaches have heightened consumers’ awareness of data security and privacy issues. As a result, consumer adoption may suffer until vendors can adequately address security and privacy concerns,” he added.

Security firm Praetorian outfitted a drone with custom hardware to learn how many connected devices are being used in Austin, TX.

Given the explosion of connected devices, also known as the Internet-of-things, it’s natural that people would want to know just how many such devices are out there.

But how do you go about figuring out just how many of these devices—like thermometers or light bulbs hooked to the Internet—are being used in a given city? The answer is apparently to enlist the services of a drone that can fly above the city proper and gather tons of data pertaining to the connected gadgets and appliances.

A team of researchers at security company Praetorian wanted to discover how many IOT-friendly devices were being used in Austin, TX, and found that the best way to do so would be to outfit a drone with the company’s custom built connected-device tracking appliance and have it fly over the city, Praetorian vice president of marketing Paul Jauregui told Fortune.

A new study has found that password structure is a key flaw in making login IDs hard to guess.

Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective.

A key part of the problem is with the websites themselves, as they don’t go far enough in prompting user security. Just requiring one upper case letter or number is not good enough when too many users go for the same password structure, as Praetorian explains.

Cybercriminals can still exploit the vulnerability to gain usernames and passwords as well as sensitive business and financial data. "Heartbleed is still prevalent," said Josh Abraham, vice president of services at Austin Texas- headquartered Praetorian, a cybersecurity company that helps organizations minimize risk. Heartbleed affects OpenSSL, a software which allows websites to communicate information securely over the Internet.

Samsung Electronics says its SmartTV is programmed to pick up surrounding voices as it scans airwaves for commands. Data is collected and transmitted to a third-party vendor that converts speech to text.

“Please be aware,” Samsung warns in its privacy policy, “that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”

A recent study points to a “clear connection” between consumer perception regarding the safety of their data and the commercial success of products, said Paul Jauregui, VP of cyber-security and risk consulting company Praetorian. In the study, 80% of consumers said they’re more likely to purchase from companies they believe do a better job of protecting their information.

“It’s getting to a point where it’s going to influence buying decisions,” he said.

Econolite's traffic lights are used in 100,000 U.S. and Canadian intersections, although it's unclear if all of those systems are susceptible to hacking.

The problem extends beyond just Econolite -- the U.S. traffic light communications standard, called "NTCIP 1202," is present in all modern signal systems. They can all be hacked if cities don't change their default settings.

Researchers said that the lights can be made much more difficult to hack with little effort: Guard the network. Cities that install the traffic control systems can enable encryption and set passwords for their networks -- both options are available on the Econolite systems. It's as simple as clicking on a box on the device's screen.

But that isn't likely to happen anytime soon. Local governments are cash-strapped and aren't easily convinced they must manually update every signal controller, said Adam Pridgen, a security consultant at Praetorian.

Praetorian, an information security provider dedicated to helping organizations achieve risk-management success, has been honored by Inc. Magazine's 33rd annual Inc. 500 | 5000, an exclusive ranking of the nation's fastest-growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs. Companies such as Yelp, Pandora, Timberland, Dell, Domino’s Pizza, LinkedIn, Zillow, and many other well-known names gained early exposure as members of the Inc. 500|5000.

Recognized as one of the “20 Most Promising Enterprise Security Consulting Companies,” Praetorian rises above the rest in an evolving security market.

AUSTIN, Texas – April 25, 2014 – Praetorian, a leading information security provider, was named one of this year’s “20 Most Promising Enterprise Security Consulting Companies” by CIO Review Magazine. A distinguished panel comprising CIOs and CEOs of public companies, industry analysts and the CIO Review editorial board finalized the selection earlier this year. The annual listing represents not only the leading high-value enterprise security consulting companies in the U.S. but also recognizes companies impacting the information technology marketplace.

"You can run to update your password everywhere, but it won't do any good on the sites that haven't pushed out a fix yet," Josh Abraham, director of professional services for security firm Praetorian, told NBCNews.

Companies including Google, Amazon, Yahoo, Tumblr and Facebook said they have investigated the issue and are working to update their sites. But the fix could be slower for small businesses who use OpenSSL -- and entering a new password into a potentially compromised site could do more harm than help.

Without the patch, a hacker could be what experts call a man-in-the-middle -- it's like a game of Telephone you don't even know you're playing.

"Alice wants to communicate securely with Bob," explained Nathan Sportsman, a mobile security expert and CEO of Praetorian. But Eve, a hacker, uses this vulnerability to put herself between the two. "Now Alice is talking to Eve and Eve is talking to Bob," he explained. Alice and Bob think they're talking to each other privately.

This lets hackers view the communications, such as bank deposits or Facebook (FB, Fortune 500) posts. If they intercept a username and password, the hacker could return to your account later and cause more damage, Sportsman said.

Security researchers at Praetorian, who have been running a project known as Project Neptune to assess the security of mobile apps, did a limited assessment of the iOS and Android versions of WhatsApp and discovered a number of issues around the way the app uses SSL.

“Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk,” Paul Jauregui of Praetorian wrote in an explanation of their test.

WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. That version is susceptible to several well-known attacks that allow people monitoring a connection between the two end points to decipher and in some cases manipulate the traffic as it passes through.

"When you're asking companies to spend money to keep their lights on, or spend it on cybersecurity, you can guess what wins every time," said Nathan Sportsman, CEO of security firm Praetorian. "Without offering a tax break for compliance, or [levying] a fine to those who don't follow it, you're not going to change behavior."

Praetorian released a study that explores challenges faced by today’s megabanks, regional banks, and credit unions while building and maintaining secure mobile banking apps. Praetorian has identified build and configuration weaknesses in the overwhelming majority of mobile banking apps available on the App Store and Google Marketplace. While cursory, the results of the analysis indicate a need for continued improvement in mobile application security as the critical underpinnings of society become increasingly dependent on mobile technology.

Security experts this month tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of 10 apps were improperly configured and not built using best practices software development. Among the big-name banks whose mobile apps were tested by security firm Praetorian include Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks. Praetorian did not disclose how each bank's apps fared in the tests.

Nathan Sportsman, founder and CEO of Praetorian, says the security weaknesses in the mobile banking apps he and his team tested are not pure software vulnerabilities, so they are relatively low-risk issues that could ultimately lead to exploitation.

Praetorian, an Austin, Texas-based provider of information security solutions, has launched a new cloud-based platform that leverages the computing power of Amazon AWS in order to crack password hashes in a simple fashion.

Online at PWAudit.com, the service provides organizations with reports that measure password strength and policy effectiveness to identify potential risks stemming from weak passwords.

Praetorian, a leading information security provider, has announced the launch of PWAudit.com, a new cloud-based password auditing platform. Building on years of experience, Praetorian has designed a scalable, on-demand, cost-effective, and secure solution leveraging the elastic computing resources of Amazon AWS. Coupled with advanced reporting, organizations can finally measure password complexity and policy effectiveness to illuminate potential exposures due to weak passwords.

Praetorian, a leading provider of information security assessment and advisory services, has announced a new service that helps Fortune 500 companies and other high-profile enterprise clients improve resilience against cyber incidents through security testing that incorporates tactics, techniques and procedures (TTP) used by today’s advanced threat actors.

Organizations that are the target of advanced persistent threats (APT) are turning to scenario-based attack simulations, or red team exercises, to actively measure their ability to defend against sophisticated and agile cyber threats. Praetorian offers controlled exercises designed to simulate real-world advanced threats by using adaptive strategies for circumventing next-generation security controls, and incident response best practices. This provides a holistic approach to security testing by carefully examining weaknesses from several standpoints, including systems, networks, applications, physical locations, and employees (who may be susceptible to social engineering or phishing attacks).

Praetorian is excited to be a platinum sponsor for the upcoming ISSA Chapter Meeting on Wednesday, November 7 from 11:00am to 3:00pm at St. Edwards Professional Education Center. The event will feature the famous/infamous security researcher Charlie Miller.

Charlie Miller is currently on the Product Security Team at Twitter. Previously he was a security consultant with various firms, and also spent five years working for the National Security Agency. A four time winner of the CanSecWest Pwn2Own competition, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. In 2011, he found a security hole in an iPhone’s or iPad’s security, whereby an application can contact a remote computer to download new unapproved software that can execute any command that could steal personal data or use iOS application functions for malicious purposes. As a proof of concept, Miller created an application called Instastock that got approved by Apple’s App Store. He then informed Apple about the security hole, who then promptly expelled him from the App Store.  He has hacked batteries, Second Life, and iOS codesigning.  Charlie has authored three information security books and holds a Ph.D. in mathematics from the University of Notre Dame.