Newsroom + Press

Microsoft has launched a new program for its Azure cloud platform to help business customers strengthen their security posture amid the rise of the Internet of Things. Security and privacy concerns are top of mind for IT pros as the IoT continues to grow within the enterprise. Many struggle to verify the security of their IoT infrastructure and may delay product implementation as they establish best practices.

"In today's connected world, the perception of security risk alone, even if not realized, can still negatively impact consumer confidence necessary for new technologies to meet their full market potential," says Paul Jauregui, VP Marketing and IoT Business Lead at Praetorian. Praetorian, as a partner in the program, will review organizations' full IoT solutions while focusing on vulnerabilities. By helping them close security gaps, Praetorian and other partner companies will help Microsoft's business customers balance risk and time-to-market. 

"Solving and managing IoT security is going to take a village," says Jauregui.

Microsoft recognizes Praetorian as a "best-in-class" Internet of Things (IoT) global auditing partner and a founding member of its new Security Program for Azure IoT.

Praetorian today announced a partnership with Microsoft, becoming one of its first global auditing partners under the new Security Program for Azure IoT. The new program brings together a curated set of best-in-class security auditors that Microsoft customers can choose from to perform security audits on their IoT solutions, find issues and provide recommendations. As a part of the Security Program for Azure IoT, Praetorian will deliver a holistic approach to security auditing by reviewing the entire solution, from chip to cloud, while prioritizing vulnerabilities so Microsoft’s enterprise customers can successfully balance risk with time-to-market pressures.

Microsoft is working with best-in-class security auditors with multiple areas of expertise. Our initial auditing partners will deliver independently validated security assessments of our customers’ IoT solutions, find issues and provide recommendations. We are also working with standards organizations and consortia, such as the Industrial Internet Consortium (IIC), to establish industry protocols and best practices for security auditing at multiple levels of the entire IoT ecosystem.

The Security Program for Azure IoT is built on Microsoft’s holistic approach to security for customers with broad investments across platforms for devices, infrastructure, identity, apps and data. Businesses in many industries can benefit, including automotive, smart cities, healthcare, military and more.

The results are in: Praetorian was included in the list of winners in Austin Business Journal's annual Fast 50 contest, which highlights the area companies that have grown rapidly in the past three years.

The list is a valuable source of info for sales people, job seekers, executives trying to keep and eye on the competition and those just wondering who's doing the most business in Austin's booming economy.

You might not know it based on the hype and marketing dedicated to APTs and vulnerabilities, but most criminals don't need to target software or use fancy tactics to ruin a network and compromise sensitive data.

Josh Abraham, a practice manager for Praetorian, recently compiled a report on common attack vectors used during 100 pen test engagements at 75 different organizations between 2013 and 2016.

"We compiled this paper to detail the top internal attacks we used over the past three years that resulted in Praetorian achieving its objectives. Common objectives include achieving a sitewide compromise and/or access to sensitive information the client requested we gain access to."

Weak passwords and phishing offer far easier mechanisms for breaking into most organizations than exploiting software vulnerabilities.

A study by US cybersecurity firm Praetorian based on 100 penetration tests and 450 real-world attacks discovered that stolen credentials offer the best way into enterprise networks.

Ninety-seven per cent of organizations have more than one root cause of compromise. The practical upshot of the report is that there should be more focus on guarding against stolen credentials and network segmentation as defenses, rather than playing "whack-a-mole" with software vulnerabilities.

Hackers most commonly use stolen credentials, often first obtained through phishing or other social engineering, to break into targeted networks and (eventually) gain access to sensitive resources, sometimes as part of a multi-stage process.

Inc. magazine today ranked Praetorian, a leading information security assessment and advisory services firm, on its 35th annual Inc. 5000, the most prestigious ranking of the nation's fastest-growing private companies. The list represents a unique look at the most successful companies within the American economy’s most dynamic segment— its independent small businesses. Companies such as Microsoft, Dell, Domino’s Pizza, Pandora, Timberland, LinkedIn, Yelp, Zillow, and many other well-known names gained their first national exposure as honorees of the Inc. 5000.

Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes" though, were not zero-days or malware at all.

A genuine enthusiasm for enabling and advancing a connected world can only be a positive for anyone working in the IoT sector. That's certainly the case for Paul Jauregui, who oversees all aspects of marketing, branding and communications at Praetorian, a collective of highly technical engineers and developers that provides a suite of security assessment and advisory services.

His very obvious passion for the Internet of Things has led him to become acting business lead for Austin, Texas-based Praetorian's IoT security assessment and advisory services.

With the software rejiggered, the FBI could launch a traditional “brute force” attack, employing a software program to rapidly try password combinations until it arrived at the correct one. Since Farook’s iPhone 5C used a four-digit passcode, a program could run through every one of the 10,000 possible password combinations in a matter of minutes.

“That brute force technology isn't very sophisticated,” says Dylan Ayrey, a security engineer with the information security company Praetorian. “You could go on Ebay right now and purchase ways to brute force older versions of the iPhone.”

Dylan Ayrey, a security engineer with the information security company Praetorian, points out that an iPhone’s lock screen is only the first barrier to its contents. WhatsApp recently announced that it would use end-to-end encryption for all its messaging services.

“Encryption is here whether we want it to be or not,” he says. “The landscape has changed forever, mostly for the better, and these types of proposals can't gain traction.”

However just last week, two U.S. senators introduced legislation to require tech companies to unlock phones and provide other “technical assistance” to government officials with a court order.

Mislan at Rochester Institute of Technology points out that as CEO of one of the world’s leading mobile forensics companies, Bollö would be uniquely positioned to profit from any software designed to execute FACT. Bollö insists that his competitors could do the same and says he is focused on developing a new industry standard rather than a software sales pitch."

Of course, we could develop this stuff and we'd be happy to do that but I'm not trying to push that,” Bollö says. “I'm trying to say, ‘Here's a solution that could work for everyone.’"

Rather than require companies to install a key, Praetorian’s Ayrey thinks the best solution is for mobile forensics companies such as MSAB and Praetorian to continue doing what they have been doing all along—finding vulnerabilities in each new device or operating system that is released, and exploiting those holes on behalf of clients until an update renders them obsolete.

For consumers, Mislan has an even simpler strategy. “For me, it boils down to: If you really want to protect something, don't put it on your phone,” he says.

Elvis Collado, a security research at cybersecurity provider Praetorian, also worries about attackers rewriting firmware code and installing it on an IoT device, saying “The attack vector varies from device to device, but improper key handling or firmware validation puts a great number of IoT devices at risk. If an attacker can program a backdoor into a device, whether it be remote or local, then it's game over.” 

From Blaster to Heartbleed, it’s clear that the tech industry often acts on security only after a major problem becomes evident. What all four of the above experts agree on is that you shouldn’t expect “them” to fix a problem before it happens.

“Builders make the best breakers,” Collado believes. “At Praetorian, we’re all developers and engineers. We just happen to focus on security. If you're a developer, try breaking your code from a non-QA perspective. Can you cause information to be leaked? Can you cause memory corruption? Do you have test code that was compiled into production that can be potentially abused? Can users access hardware debug interfaces in situations when they're not supposed to? This type of mentality shift will greatly improve the quality of your code from a security perspective.”

Embargos and sanctions such as these could be the new norm in dealing with cyber warfare threats—especially since companies have no real teeth to fight back.

“It has become painfully clear that even the largest corporations are incapable of preventing state sponsored cyber attacks on their own,” says Nathan Sportsman, CEO of the Praetorian, which provides security assessment and advisory services.

For instance, corporations can’t exactly “hack back” against state-based incursions. The response would have to come from the U.S. government, Sportsman says. “While economic sanctions should not be considered a panacea, U.S. sanctions will provide a partial deterrence to the rampant cyber attacks that we are currently experiencing,” he says.

As cybersecurity job market suffers severe workforce shortage, a leading information security firm engages next-generation talent face-to-face to address skills gap. 

The University of Texas at Austin welcomed two new adjunct professors to the department of computer science this fall. Nathan Sportsman and Chris Prosise, of Austin-based cybersecurity company Praetorian, have joined the university to teach the newly created CS 378 Ethical Hacking course. The two industry veterans are joining the talented and diverse group of professors as part of the computer science department’s expanded commitment to security as part of the degree curriculum. The class will provide students with a practical, hands-on opportunity to learn real-world security.

New Internet of Things (IoT) security testing and assurance services designed to help today’s leading manufacturers deliver and deploy secure connected products to the market.

Praetorian today announced expanded security testing and assurance services that cover end-to-end Internet of Things (IoT) product ecosystems. Praetorian’s Internet of Things security services take a holistic approach to security testing by reviewing the entire product ecosystem, from chip to code, while prioritizing vulnerabilities so connected product teams can successfully balance risk with time-to-market pressures.

“In today’s connected world, the perception of security risk alone, even if not realized, can still negatively impact consumer confidence necessary for new technologies to meet their full market potential,” said Paul Jauregui, Vice President of Marketing at Praetorian. “Recent, high-profile data breaches have heightened consumers’ awareness of data security and privacy issues. As a result, consumer adoption may suffer until vendors can adequately address security and privacy concerns,” he added.

Praetorian, an information security provider dedicated to helping organizations achieve risk-management success, has been honored by Inc. Magazine's 34th annual Inc. 5000, an exclusive ranking of the nation's fastest-growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs.

Security firm Praetorian outfitted a drone with custom hardware to learn how many connected devices are being used in Austin, TX.

Given the explosion of connected devices, also known as the Internet-of-things, it’s natural that people would want to know just how many such devices are out there.

But how do you go about figuring out just how many of these devices—like thermometers or light bulbs hooked to the Internet—are being used in a given city? The answer is apparently to enlist the services of a drone that can fly above the city proper and gather tons of data pertaining to the connected gadgets and appliances.

A team of researchers at security company Praetorian wanted to discover how many IOT-friendly devices were being used in Austin, TX, and found that the best way to do so would be to outfit a drone with the company’s custom built connected-device tracking appliance and have it fly over the city, Praetorian vice president of marketing Paul Jauregui told Fortune.

A new study has found that password structure is a key flaw in making login IDs hard to guess.

Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective.

A key part of the problem is with the websites themselves, as they don’t go far enough in prompting user security. Just requiring one upper case letter or number is not good enough when too many users go for the same password structure, as Praetorian explains.

Samsung Electronics says its SmartTV is programmed to pick up surrounding voices as it scans airwaves for commands. Data is collected and transmitted to a third-party vendor that converts speech to text.

“Please be aware,” Samsung warns in its privacy policy, “that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”

A recent study points to a “clear connection” between consumer perception regarding the safety of their data and the commercial success of products, said Paul Jauregui, VP of cyber-security and risk consulting company Praetorian. In the study, 80% of consumers said they’re more likely to purchase from companies they believe do a better job of protecting their information.

“It’s getting to a point where it’s going to influence buying decisions,” he said.

Econolite's traffic lights are used in 100,000 U.S. and Canadian intersections, although it's unclear if all of those systems are susceptible to hacking.

The problem extends beyond just Econolite -- the U.S. traffic light communications standard, called "NTCIP 1202," is present in all modern signal systems. They can all be hacked if cities don't change their default settings.

Researchers said that the lights can be made much more difficult to hack with little effort: Guard the network. Cities that install the traffic control systems can enable encryption and set passwords for their networks -- both options are available on the Econolite systems. It's as simple as clicking on a box on the device's screen.

But that isn't likely to happen anytime soon. Local governments are cash-strapped and aren't easily convinced they must manually update every signal controller, said Adam Pridgen, a security consultant at Praetorian.

Praetorian, an information security provider dedicated to helping organizations achieve risk-management success, has been honored by Inc. Magazine's 33rd annual Inc. 500 | 5000, an exclusive ranking of the nation's fastest-growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs. Companies such as Yelp, Pandora, Timberland, Dell, Domino’s Pizza, LinkedIn, Zillow, and many other well-known names gained early exposure as members of the Inc. 500|5000.

Recognized as one of the “20 Most Promising Enterprise Security Consulting Companies,” Praetorian rises above the rest in an evolving security market.

AUSTIN, Texas – April 25, 2014 – Praetorian, a leading information security provider, was named one of this year’s “20 Most Promising Enterprise Security Consulting Companies” by CIO Review Magazine. A distinguished panel comprising CIOs and CEOs of public companies, industry analysts and the CIO Review editorial board finalized the selection earlier this year. The annual listing represents not only the leading high-value enterprise security consulting companies in the U.S. but also recognizes companies impacting the information technology marketplace.

"You can run to update your password everywhere, but it won't do any good on the sites that haven't pushed out a fix yet," Josh Abraham, director of professional services for security firm Praetorian, told NBCNews.

Companies including Google, Amazon, Yahoo, Tumblr and Facebook said they have investigated the issue and are working to update their sites. But the fix could be slower for small businesses who use OpenSSL -- and entering a new password into a potentially compromised site could do more harm than help.

Without the patch, a hacker could be what experts call a man-in-the-middle -- it's like a game of Telephone you don't even know you're playing.

"Alice wants to communicate securely with Bob," explained Nathan Sportsman, a mobile security expert and CEO of Praetorian. But Eve, a hacker, uses this vulnerability to put herself between the two. "Now Alice is talking to Eve and Eve is talking to Bob," he explained. Alice and Bob think they're talking to each other privately.

This lets hackers view the communications, such as bank deposits or Facebook (FB, Fortune 500) posts. If they intercept a username and password, the hacker could return to your account later and cause more damage, Sportsman said.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

Security researchers at Praetorian, who have been running a project known as Project Neptune to assess the security of mobile apps, did a limited assessment of the iOS and Android versions of WhatsApp and discovered a number of issues around the way the app uses SSL.

“Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk,” Paul Jauregui of Praetorian wrote in an explanation of their test.

WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. That version is susceptible to several well-known attacks that allow people monitoring a connection between the two end points to decipher and in some cases manipulate the traffic as it passes through.