Newsroom + Press

The results are in: Praetorian was included in the list of winners in Austin Business Journal's annual Fast 50 contest, which highlights the area companies that have grown rapidly in the past three years.

The list is a valuable source of info for sales people, job seekers, executives trying to keep and eye on the competition and those just wondering who's doing the most business in Austin's booming economy.

You might not know it based on the hype and marketing dedicated to APTs and vulnerabilities, but most criminals don't need to target software or use fancy tactics to ruin a network and compromise sensitive data.

Josh Abraham, a practice manager for Praetorian, recently compiled a report on common attack vectors used during 100 pen test engagements at 75 different organizations between 2013 and 2016.

"We compiled this paper to detail the top internal attacks we used over the past three years that resulted in Praetorian achieving its objectives. Common objectives include achieving a sitewide compromise and/or access to sensitive information the client requested we gain access to."

Weak passwords and phishing offer far easier mechanisms for breaking into most organizations than exploiting software vulnerabilities.

A study by US cybersecurity firm Praetorian based on 100 penetration tests and 450 real-world attacks discovered that stolen credentials offer the best way into enterprise networks.

Ninety-seven per cent of organizations have more than one root cause of compromise. The practical upshot of the report is that there should be more focus on guarding against stolen credentials and network segmentation as defenses, rather than playing "whack-a-mole" with software vulnerabilities.

Hackers most commonly use stolen credentials, often first obtained through phishing or other social engineering, to break into targeted networks and (eventually) gain access to sensitive resources, sometimes as part of a multi-stage process.

Inc. magazine today ranked Praetorian, a leading information security assessment and advisory services firm, on its 35th annual Inc. 5000, the most prestigious ranking of the nation's fastest-growing private companies. The list represents a unique look at the most successful companies within the American economy’s most dynamic segment— its independent small businesses. Companies such as Microsoft, Dell, Domino’s Pizza, Pandora, Timberland, LinkedIn, Yelp, Zillow, and many other well-known names gained their first national exposure as honorees of the Inc. 5000.

Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes" though, were not zero-days or malware at all.

A genuine enthusiasm for enabling and advancing a connected world can only be a positive for anyone working in the IoT sector. That's certainly the case for Paul Jauregui, who oversees all aspects of marketing, branding and communications at Praetorian, a collective of highly technical engineers and developers that provides a suite of security assessment and advisory services.

His very obvious passion for the Internet of Things has led him to become acting business lead for Austin, Texas-based Praetorian's IoT security assessment and advisory services.

Listen to Praetorian IoT business lead, Paul Jauregui, sits down with Bruce Sinclair for an interview on "The IoT Inc Business Show". Operating at the epicenter of both IoT and Security provides Praetorian with a unique and valuable prospective, which we enjoy sharing with audiences. In this episode of Bruce's podcast we discuss end-to-end IoT penetration testing and other things enterprise IoT business leaders need to know about when working with an external security assessment firm. Listen to this episode to gain confidence that your Internet of Things devices and data are secure.

With the software rejiggered, the FBI could launch a traditional “brute force” attack, employing a software program to rapidly try password combinations until it arrived at the correct one. Since Farook’s iPhone 5C used a four-digit passcode, a program could run through every one of the 10,000 possible password combinations in a matter of minutes.

“That brute force technology isn't very sophisticated,” says Dylan Ayrey, a security engineer with the information security company Praetorian. “You could go on Ebay right now and purchase ways to brute force older versions of the iPhone.”

Dylan Ayrey, a security engineer with the information security company Praetorian, points out that an iPhone’s lock screen is only the first barrier to its contents. WhatsApp recently announced that it would use end-to-end encryption for all its messaging services.

“Encryption is here whether we want it to be or not,” he says. “The landscape has changed forever, mostly for the better, and these types of proposals can't gain traction.”

However just last week, two U.S. senators introduced legislation to require tech companies to unlock phones and provide other “technical assistance” to government officials with a court order.

Mislan at Rochester Institute of Technology points out that as CEO of one of the world’s leading mobile forensics companies, Bollö would be uniquely positioned to profit from any software designed to execute FACT. Bollö insists that his competitors could do the same and says he is focused on developing a new industry standard rather than a software sales pitch."

Of course, we could develop this stuff and we'd be happy to do that but I'm not trying to push that,” Bollö says. “I'm trying to say, ‘Here's a solution that could work for everyone.’"

Rather than require companies to install a key, Praetorian’s Ayrey thinks the best solution is for mobile forensics companies such as MSAB and Praetorian to continue doing what they have been doing all along—finding vulnerabilities in each new device or operating system that is released, and exploiting those holes on behalf of clients until an update renders them obsolete.

For consumers, Mislan has an even simpler strategy. “For me, it boils down to: If you really want to protect something, don't put it on your phone,” he says.

Embargos and sanctions such as these could be the new norm in dealing with cyber warfare threats—especially since companies have no real teeth to fight back.

“It has become painfully clear that even the largest corporations are incapable of preventing state sponsored cyber attacks on their own,” says Nathan Sportsman, CEO of the Praetorian, which provides security assessment and advisory services.

For instance, corporations can’t exactly “hack back” against state-based incursions. The response would have to come from the U.S. government, Sportsman says. “While economic sanctions should not be considered a panacea, U.S. sanctions will provide a partial deterrence to the rampant cyber attacks that we are currently experiencing,” he says.

As cybersecurity job market suffers severe workforce shortage, a leading information security firm engages next-generation talent face-to-face to address skills gap. 

The University of Texas at Austin welcomed two new adjunct professors to the department of computer science this fall. Nathan Sportsman and Chris Prosise, of Austin-based cybersecurity company Praetorian, have joined the university to teach the newly created CS 378 Ethical Hacking course. The two industry veterans are joining the talented and diverse group of professors as part of the computer science department’s expanded commitment to security as part of the degree curriculum. The class will provide students with a practical, hands-on opportunity to learn real-world security.

New Internet of Things (IoT) security testing and assurance services designed to help today’s leading manufacturers deliver and deploy secure connected products to the market.

Praetorian today announced expanded security testing and assurance services that cover end-to-end Internet of Things (IoT) product ecosystems. Praetorian’s Internet of Things security services take a holistic approach to security testing by reviewing the entire product ecosystem, from chip to code, while prioritizing vulnerabilities so connected product teams can successfully balance risk with time-to-market pressures.

“In today’s connected world, the perception of security risk alone, even if not realized, can still negatively impact consumer confidence necessary for new technologies to meet their full market potential,” said Paul Jauregui, Vice President of Marketing at Praetorian. “Recent, high-profile data breaches have heightened consumers’ awareness of data security and privacy issues. As a result, consumer adoption may suffer until vendors can adequately address security and privacy concerns,” he added.

Praetorian, an information security provider dedicated to helping organizations achieve risk-management success, has been honored by Inc. Magazine's 34th annual Inc. 5000, an exclusive ranking of the nation's fastest-growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs.

Security firm Praetorian outfitted a drone with custom hardware to learn how many connected devices are being used in Austin, TX.

Given the explosion of connected devices, also known as the Internet-of-things, it’s natural that people would want to know just how many such devices are out there.

But how do you go about figuring out just how many of these devices—like thermometers or light bulbs hooked to the Internet—are being used in a given city? The answer is apparently to enlist the services of a drone that can fly above the city proper and gather tons of data pertaining to the connected gadgets and appliances.

A team of researchers at security company Praetorian wanted to discover how many IOT-friendly devices were being used in Austin, TX, and found that the best way to do so would be to outfit a drone with the company’s custom built connected-device tracking appliance and have it fly over the city, Praetorian vice president of marketing Paul Jauregui told Fortune.

A new study has found that password structure is a key flaw in making login IDs hard to guess.

Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective.

A key part of the problem is with the websites themselves, as they don’t go far enough in prompting user security. Just requiring one upper case letter or number is not good enough when too many users go for the same password structure, as Praetorian explains.

Cybercriminals can still exploit the vulnerability to gain usernames and passwords as well as sensitive business and financial data. "Heartbleed is still prevalent," said Josh Abraham, vice president of services at Austin Texas- headquartered Praetorian, a cybersecurity company that helps organizations minimize risk. Heartbleed affects OpenSSL, a software which allows websites to communicate information securely over the Internet.

Samsung Electronics says its SmartTV is programmed to pick up surrounding voices as it scans airwaves for commands. Data is collected and transmitted to a third-party vendor that converts speech to text.

“Please be aware,” Samsung warns in its privacy policy, “that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”

A recent study points to a “clear connection” between consumer perception regarding the safety of their data and the commercial success of products, said Paul Jauregui, VP of cyber-security and risk consulting company Praetorian. In the study, 80% of consumers said they’re more likely to purchase from companies they believe do a better job of protecting their information.

“It’s getting to a point where it’s going to influence buying decisions,” he said.

Econolite's traffic lights are used in 100,000 U.S. and Canadian intersections, although it's unclear if all of those systems are susceptible to hacking.

The problem extends beyond just Econolite -- the U.S. traffic light communications standard, called "NTCIP 1202," is present in all modern signal systems. They can all be hacked if cities don't change their default settings.

Researchers said that the lights can be made much more difficult to hack with little effort: Guard the network. Cities that install the traffic control systems can enable encryption and set passwords for their networks -- both options are available on the Econolite systems. It's as simple as clicking on a box on the device's screen.

But that isn't likely to happen anytime soon. Local governments are cash-strapped and aren't easily convinced they must manually update every signal controller, said Adam Pridgen, a security consultant at Praetorian.

Recognized as one of the “20 Most Promising Enterprise Security Consulting Companies,” Praetorian rises above the rest in an evolving security market.

AUSTIN, Texas – April 25, 2014 – Praetorian, a leading information security provider, was named one of this year’s “20 Most Promising Enterprise Security Consulting Companies” by CIO Review Magazine. A distinguished panel comprising CIOs and CEOs of public companies, industry analysts and the CIO Review editorial board finalized the selection earlier this year. The annual listing represents not only the leading high-value enterprise security consulting companies in the U.S. but also recognizes companies impacting the information technology marketplace.

"You can run to update your password everywhere, but it won't do any good on the sites that haven't pushed out a fix yet," Josh Abraham, director of professional services for security firm Praetorian, told NBCNews.

Companies including Google, Amazon, Yahoo, Tumblr and Facebook said they have investigated the issue and are working to update their sites. But the fix could be slower for small businesses who use OpenSSL -- and entering a new password into a potentially compromised site could do more harm than help.

Without the patch, a hacker could be what experts call a man-in-the-middle -- it's like a game of Telephone you don't even know you're playing.

"Alice wants to communicate securely with Bob," explained Nathan Sportsman, a mobile security expert and CEO of Praetorian. But Eve, a hacker, uses this vulnerability to put herself between the two. "Now Alice is talking to Eve and Eve is talking to Bob," he explained. Alice and Bob think they're talking to each other privately.

This lets hackers view the communications, such as bank deposits or Facebook (FB, Fortune 500) posts. If they intercept a username and password, the hacker could return to your account later and cause more damage, Sportsman said.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

Security researchers at Praetorian, who have been running a project known as Project Neptune to assess the security of mobile apps, did a limited assessment of the iOS and Android versions of WhatsApp and discovered a number of issues around the way the app uses SSL.

“Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk,” Paul Jauregui of Praetorian wrote in an explanation of their test.

WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. That version is susceptible to several well-known attacks that allow people monitoring a connection between the two end points to decipher and in some cases manipulate the traffic as it passes through.

"When you're asking companies to spend money to keep their lights on, or spend it on cybersecurity, you can guess what wins every time," said Nathan Sportsman, CEO of security firm Praetorian. "Without offering a tax break for compliance, or [levying] a fine to those who don't follow it, you're not going to change behavior."

Security experts this month tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of 10 apps were improperly configured and not built using best practices software development. Among the big-name banks whose mobile apps were tested by security firm Praetorian include Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks. Praetorian did not disclose how each bank's apps fared in the tests.

Nathan Sportsman, founder and CEO of Praetorian, says the security weaknesses in the mobile banking apps he and his team tested are not pure software vulnerabilities, so they are relatively low-risk issues that could ultimately lead to exploitation.

Praetorian released a study that explores challenges faced by today’s megabanks, regional banks, and credit unions while building and maintaining secure mobile banking apps. Praetorian has identified build and configuration weaknesses in the overwhelming majority of mobile banking apps available on the App Store and Google Marketplace. While cursory, the results of the analysis indicate a need for continued improvement in mobile application security as the critical underpinnings of society become increasingly dependent on mobile technology.