Highly specialized knowledge, intelligence, and expertise

Today, creating a truly secure IT infrastructure requires access to highly specialized knowledge, intelligence, and expertise in order to stay at least one step ahead of the evolving risks. Because Praetorian is an authority on information security, your business can leverage our subject matter expertise to solve these challenging business problems. To that end, we invite you to enjoy the following information security resources.

The following case studies serve as a representation for the kind of work performed and results achieved during a typical Praetorian engagement.

One of the largest health insurance providers was considering a new consumer web portal application developed by a third party vendor. Because the application stored patient health information, the health care provider had concerns regarding the applications security and hired Praetorian to perform an independent evaluation.

During the course of the application security assessment, Praetorian discovered several serious vulnerabilities that would have allowed an attacker to compromise every user profile. Through the use of parameter tampering, Praetorian managed to access the profile of any other user which included each individual's username and password, which were both stored in plaintext.

To simulate the devastating impact of this vulnerability, Praetorian developed a simple proof-of-concept (PoC) script that iterated through each user profile and captured the username and password for all 7200 users. In addition, Praetorian gained administrative level access to the application through stored cross site scripting and cookie stealing techniques. Once administrative access was obtained, Praetorian found administrative profiles were stored as XML flat files. Using XML injection, Praetorian performed horizontal privilege escalation and assigned their administrator account to other clients of the third party software company.

At the conclusion of the engagement, Praetorian identified a number of other vulnerabilities that included faulty implementations for authentication, authorization, data validation, error handling, session management, and data confidentiality. The vulnerability findings presented to our client's management team provided them with an informed risk analysis of the application that assisted in the final decision of whether or not to move forward with the third party software.

An ATM vendor hired Praetorian to perform a security review on a specific ATM model. The security evaluation included a formal threat model and white-box penetration test in an effort to uncover as many vulnerabilities and attack vectors as possible. By the end of the engagement, Praetorian was able to demonstrate the ATM could be successfully "jackpotted". Given the sensitive nature of the engagement, no other details can be disclosed on this project.

A leading provider of investment management software, financial services, and outsourcing services contracted Praetorian to assess the security of its cloud-based platform and mobile application for iPhone and iPad. Our mobile application assessment team evaluated the client's system and found that it was composed of a mobile application, with a simple user-interface, and a backend server that routed real time financial data to its users. Empowered by extensive experience in mobile security research, Praetorian's assessment team knew that traditional application assessment methodologies would have failed because the client used a secure and persistent communication between the server and the client.

Praetorian's assessment team reverse engineered the iOS mobile application in order to better understand the interactions between the application layer and server. Vulnerabilities within the application layer were identified and used by our team to bypass current security controls. After circumventing the current mobile security, the team developed a considerable understanding of the application's inner-workings. The mobile assessment team then demonstrated how a malicious user could modify the mobile iOS application and use it as an attack platform against the backend server. The testing yielded several key security vulnerabilities on the server, including one that would have resulted in a denial of service for users attempting to authenticate with the application.

A publicly traded company hired Praetorian to perform a penetration test to simulate a real world attack and provide a practical evaluation of their Internet facing systems. The engagement was structured as a black box test, and Praetorian had no prior knowledge of the client's network architecture, detection capabilities, or its control processes.

Initially, the client's perimeter infrastructure prevented Praetorian from compromising the environment at the network and system level. However, once the evaluation moved into the application layer, Praetorian identified several significant issues and compromised the client's DMZ due to vulnerabilities present in the client's web applications. Specifically, a SQL injection vulnerability allowed Praetorian to penetrate a database and exfiltrate sensitive and confidential customer information. Praetorian then leveraged the SQL injection vulnerability to gain unauthorized access to the underlying operating system of the database server using the stored procedure xp_cmdshell in MSSQL. The initial foothold in the DMZ environment eventually led to a complete compromise of the internal network.

The results of this assessment demonstrated that a simple vulnerability in a web application could lead to severe and irrevocable damage to the organizations IT capabilities and services. Praetorian's recommendations within the final report gave the client clear tactical action for remediation as well strategic recommendations to minimize future occurrence.

Praetorian was hired by a private equity firm to create a phishing campaign against end users to evaluate their employees' susceptibility and the company's responsiveness. To prevent any skewing of the results, only senior management had knowledge of the upcoming test.

The first step of the engagement was to devise a plan of execution. For this scenario, Praetorian decided the highest probability for success would be a phishing campaign that masked itself as an internal company initiative. To that end, Praetorian registered a domain confusingly similar to the company's domain (e.g. www.abc.com and www.abcsecurity.com) and created a site that mimicked the look and layout of the company's official website.

Praetorian then harvested valid employee emails through social networking and sales sites such as LinkedIn and JigSaw. Once the list of harvested accounts was approved by the client, Praetorian sent targeted phishing emails to convince users the company was performing an anonymous, random security audit of user passwords and requested their account credentials to test password strength. Of the random user sample targeted, Praetorian had a twenty two percent success rate where users voluntarily provided their usernames and passwords. With the credentials in hand, Praetorian could move deeper into the organization infrastructures via a SSL VPN portal that did not employ two-factor authentication.

The results of the assessment highlighted a need for user awareness and security training as well as the utilization of additional controls such as two-factor authentication. In addition, the equity firm requested follow-on phishing campaigns for metrics and trending analysis as a way to measure the success of the new employee training initiatives.

Praetorian was hired by one of the largest law firms in the country to assist the mediation process between two companies that had a joint ownership in a web application venture. A breach had occurred due to vulnerabilities in the application and the application's security had become a point of contention between the two parties. Since the breach, the company tasked with the actual development of the application had instituted new application security controls and Praetorian was hired to perform a current state analysis of the application's security.

Praetorian performed a security requirements review, threat model, application code review, and application penetration test as part of the comprehensive assessment. Although vulnerabilities were identified throughout the process, the risk the vulnerabilities identified were considered low and overall posture of the application's security had been greatly improved.

Praetorian's final report provided an independent, neutral view of the application's security and assisted the two sides in reaching a final settlement. The report also provided continuing improvement recommendations for their secure software development lifecycle.

A banking institution hired Praetorian to perform an internal penetration test as part of a comprehensive assessment. During the host and service identification phase of the assessment, Praetorian identified a lab network connected to the internal network via VPN. Unlike other VPN connections which facilitated remote access for users and instituted strong access controls on the resources available to them, the VPN tunnel connecting the lab network to the internal corporate network operated on a persistent connection and no network segmentation was in place to protect the company intranet from the attacks coming from the VPN network.

Praetorian was able to enumerate user accounts on a Linux system running on the VPN network and guess the password of a low privileged user. Praetorian logged into the Linux server with the compromised account and began mining the file system. While searching through the server, the consultant identified a large 2GB tar file which the compromised account had read access. Using the strings utility the consultant searched through the data and found instances of what he believed to be plaintext passwords. The consultant then examined the /etc/passwd file to identify other users on the local system and attempted the possible password list against each account. The brute force attack was successful and Praetorian was able to compromise several other user accounts on the system.

The results were passed on to another onsite consultant who was working to penetrate the primary Windows environment and recognized the account that had been compromised was also listed as a Domain Admin user within the primary Windows domain. Using the same password the consultant was able to authenticate to the Domain Controller with the domain admin account which gave Praetorian access to 13,000 Windows workstations and servers. Once the Windows environment fell, the network and database environments soon followed.

Praetorian later learned the VPN connection that linked the home lab environment to the corporate network was an unauthorized connection a network administrator had created so he could perform testing and troubleshooting from home.

The findings and subsequent report demonstrated the risk the weakest link can present to an environment and how a relatively low value test environment can lead to a company-wide compromise. The findings also forced the bank to rethink how security policies are defined, communicated, and enforced.

An online retail provider realized it had been hacked when Google blacklisted the site for infecting visitors with malware. In an effort to remediate the infection and restore their good standing with Google, the client hired Praetorian to determine the purpose of the malware, identify the root cause of the compromise, and assist in remediation.

Praetorian performed an initial analysis of the web server logs and quickly identified the root cause of the compromise. The client was running a misconfigured system that exposed a common vulnerability in Macromedia ColdFusion. The enabled feature allowed anonymous Internet users to upload arbitrary files to the web server. The hackers used the hole to upload a web shell that allowed them to add, modify, and delete other files on the web server. With the web shell in place, the hackers added remote JavaScript calls to the sites web pages. When users visited an infected page, the malicious JavaScript would launch client-side attacks against the unsuspecting visitors in an attempt to compromise their machines. Through security channels Praetorian was able to determine that the zero day vulnerability was being leveraged as part of a massive attack originating from China and the client was just one of many unfortunate victims.

Praetorian assisted the client in mitigating the vulnerability, removing the web shell, and sanitizing web pages of malicious data. Through our cleanup efforts, the client was able to successfully remove their site from Google's infected site list, and Praetorian's quick response helped minimize the impact of the compromise and save the company an untold amount in lost revenue and lost reputation.

A publicly traded company requested an evaluation of their physical security controls through social engineering as part of a larger security assessment. The goal of the test was to obtain unauthorized access to critical areas such as the network operations center and the data center. Praetorian was given no prior knowledge or access before the test began.

Praetorian began by first evaluating the strength of the company's primary access point where the receptionist desk was located by simply walking-in, taking a seat in the waiting area, and observing foot traffic. Praetorian noted HID badges were the primary method of physical authentication for employees, but given the layout of the main access point piggy backing would be too difficult.

The Praetorian consultant returned the next day wearing a blank HID badge and obtained access to the interior of the building using a side entrance. Using fire exit signs Praetorian was able to determine the layout and naming conventions of building areas in addition to being able to access all non-restricted areas by simply tailgating employees.

For the next three days Praetorian entered the building through the side entrance and exited through the main entrance. In an effort to build rapport with the receptionists he said goodbye each day and made extra time to chat with her. On the 4th day Praetorian entered through the main entrance and told the receptionist, who now recognized him, he had just started that very week and his manager had given him a temporary badge that didn't work until his new badge was ready. The consultant complained that the process was taking too long and becoming a bit of an inconvenience and asked where badges were made. The helpful receptionist provided the company name for the security desk and the area where it was located and allowed the consultant to enter without a badge. After returning from lunch, the consultant asked the receptionist for the extension of the security desk which the receptionist provided on a post-it note.

The consultant then utilized unauthenticated access to the company's online directory and mapped the extension to the full number (including area code) of the security desk. He then identified an IT manager's phone number through the sales site Jigsaw, used that number to spoof the caller ID at the security desk, and convinced the security staff they were speaking with the IT manager. As the "IT Manager", the consultant requested a badge for a new contractor with access to all IT areas including the targeted critical areas. The consultant also told the security staff that the contractor would arrive unaccompanied since the manager would be tied up in meetings. When the consultant arrived to obtain his badge he was not required to give any forms of identification and presented himself as Bruce Banner. A badge was created with escalated privileges and the consultant was able to buzz himself into the Network Operations Center and Data Center with his new badge.

The resulting report demonstrated glaring weaknesses in the company's physical security processes and provided recommendations for mitigation.