
CISAnalysis – June 20, 2022

It’s Monday and time to take a gander at CISA’s Known Exploited Vulnerabilities Catalog.


Crowdsourcing: Utilizing Humanity’s Greatest Asset

As the old yarn goes, one Francis Galton ran an experiment at the West of England Fat Stock and Poultry Exhibition in Plymouth back in 1906. Around eight hundred people purchased tickets to guess at the weight of an ox. Surprisingly, the median guess of 1,207 pounds was only 9 pounds over the ox’s actual weight of 1,198.1 This study, told often to American middle schoolers before they guess at the number of jelly beans in a large jar, has plenty of meat to it. It’s also an example of the wisdom that comes from crowdsourcing way before “crowdsourcing” became a common term to pass the lips of many an exec.

So, what does a 1,200-pound ox have to do with crowdsourcing in cybersecurity? Very little, except to set the stage for this article and to illustrate that crowd wisdom can be effective under certain conditions. What are these conditions? Paraphrasing James Surowiecki in The Wisdom of Crowds, a crowd is wise when four things hold: its members are independent of one another, they bring diverse opinions and experience, they can draw on local, decentralized knowledge, and there is some mechanism that aggregates their individual judgments into a collective answer.2

Given the chaotic nature of the current security environment, it’s nigh impossible for a small cybersecurity team to uncover all of the potential vulnerabilities of constantly evolving software. It’s like trying to play Whac-a-Mole with an infinitely expanding play area with the occasional mole that whacks back. But what if you had access to a thousand players that specialized in specific sections of the play area and specific moles and shared ideas? You’d get a dated metaphor for cybersecurity crowdsourcing.

Crowd Sourcing Solutions

There are a number of issues that crowdsourced cybersecurity seems naturally capable of mitigating3:

Scale: even in small organizations, keeping a close eye on the dynamic attack surface that hundreds of applications create is a daunting task. For a single security team inside a company that runs thousands of endpoints, third-party software, and proprietary software while also trying to satisfy compliance regulations, maintaining a consistently secure posture on its own is next to impossible. It is well documented that even critical vulnerabilities can take months to patch effectively, while less severe but still disruptive vulnerabilities are left to simmer for longer. Crowdsourcing specific aspects of a security team's workload allows for a more methodical and less fraught approach to organizational security.

Subject Matter: it might be possible to repeat the phrase that “cybersecurity is a complex and diverse field” too many times in a twelve-hundred-some word article, but it’s the crux of the matter when it comes to crowdsourcing. Any given application is a web (perhaps a cobweb) of different components. Each component along with their myriad interconnections is prone to vulnerabilities. The manager that’s been working IT for 20+ years might specialize in one aspect of this web, but there is zero chance that they’re an expert in each piece of tech. Open up this application to a crowd of white hats within a controlled operation, and you’d be wise to bet that each aspect of your application has at least one expert poking around.

Time: there’s never enough of it. A security team working with time constraints will only be able to cover a portion of an application and not with any major depth. Crowdsourcing this engagement can allow more ground to be covered with a much finer comb within the same timeframe. Also, crowdsourced bug searches generally don’t have time requirements and can be ongoing through the implementation of bug-bounty programs that incentivize deep-dives into the nuances of a given application.

Cybersecurity Crowdsourcing Has a History

Per a TechRepublic article from 2019, a little over half of 200 surveyed cybersecurity decision makers had instituted some form of crowdsourcing. The CISOs who did use crowdsourced security programs noticed benefits like "paying for valid results rather than effort or time, the varied expertise of hackers, and continuous coverage of applications."4 You can also add high scalability to the list. These programs range from bug bounties to responsible (coordinated) disclosure policies to hiring a company that sources its own ethical hackers to assist the in-house team's vulnerability assessment. It is also no secret that large companies like Johnson & Johnson, Apple, Microsoft, Facebook, and Mozilla have been using crowdsourcing programs to bolster the security of their digital landscape for years.5

Another powerful attribute of crowdsourced security is the sharing of relevant intelligence. We see the benefits of this in organizations like FIRST (the Forum of Incident Response and Security Teams), founded in 1990, which has stewarded the Common Vulnerability Scoring System since 2005 in a highly successful attempt to systematize and standardize how vulnerability severity is reported. There is also the CVE program and MITRE ATT&CK. None of these cornerstones could exist without the time and effort of thousands of security professionals and their diverse areas of expertise. You could think of intelligence sharing as a kind of herd immunity: as information spreads between organizations and professionals, the massively interconnected sphere of tech inoculates itself against known vulnerabilities and newly reported threats.

Conclusion

Crowdsourced security testing, information gathering, and cybersecurity awareness are all extremely effective tools used by small to large organizations, governments, and other institutions. SaaS cybersecurity organizations, like Vicarius, offer vulnerability management solutions that curate a number of crowdsourced resources alongside the top-notch expertise of their teams. To maintain a secure digital landscape, it takes a multitude of independent and collaborative experts to ensure that even the smallest hole is detected and filled. Unless you’re keen on bailing water instead of fixing the leak.

Sauce:

1 Bernstein, W. J. (2021). Prelude. In The Delusion of Crowds: Why People Go Mad in Groups (p. 11). Grove Press.

2 Surowiecki, J. (2005). The Wisdom of Crowds. Anchor Books.

3 Stephens, L. (2021, November 4). Crowdsourced security is now a need, not a nice to have. Detectify Blog. Retrieved June 3, 2022, from https://blog.detectify.com/2021/11/04/crowdsourced-security-is-now-a-need-not-a-nice-to-have/

4 Rayome, A. D. N. (2019, March 28). Is crowdsourcing cybersecurity the answer to CISOs' problems? TechRepublic. Retrieved June 3, 2022, from https://www.techrepublic.com/article/is-crowdsourcing-cybersecurity-the-answer-to-cisos-problems/

5 Dimov, D. (2015, September 22). Crowdsourcing cybersecurity: How to raise security awareness through crowdsourcing. Infosec Resources. Retrieved June 3, 2022, from https://resources.infosecinstitute.com/topic/crowdsourcing-cybersecurity-how-to-raise-security-awareness-through-crowdsourcing/

image by Camylla Battani from unsplash

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

The Good News and Bad News About 0-Day Attacks

The team at Google Project Zero deserves more recognition than it receives. Since 2014 they have been systematically studying 0-days (i.e. vulnerabilities exploited before the vendor knew about them or had a patch available) to understand this threat in depth. They track where in-the-wild 0-days are being found, how attackers exploit them, and what trends are developing, and each year they compile their findings into a comprehensive report. The latest report is out, covering attacks detected throughout 2021, and it has information everyone should be aware of, both good news and bad.

Bad News – Attacks Have Increased Significantly

There were 58 in-the-wild 0-days detected and disclosed in 2021, the most the Google team has ever recorded. That is more than double the previous high of 28 (set in 2015) and a substantial increase over the 2020 total of 25. These numbers leave little doubt that 0-days remain a serious threat and may be getting much worse. If the trend holds, 2022 could set a new record.

Good News – Detection and Disclosure are Getting Better

The alarming uptick in 0-days could actually be a positive sign according to the Google researchers. They attribute the 2021 totals to improvements in detection – we are catching more 0-days than we could before. They also credit a culture shift around disclosing 0-days. Instead of hiding these flaws away, as was often the case in the past, companies are being upfront about them, pushing the overall total upwards. This would suggest the 0-day problem is not necessarily getting worse but rather we are starting to see its true scope and scale. That’s progress.

Good News – 0-Days are in a Rut

Last year’s 0-days all share a notable feature: they leverage the same attack surfaces, bug patterns, and exploit techniques that we have seen in the past. Given the large annual total, we would expect to see a number of innovative, unique, and unknown tactics in play. That wasn’t the case – only two 0-days in 2021 were considered novel by the Google team. By and large, recent 0-days look a lot like the ones that came before them, which could suggest that hackers lack either the means or skills to push them in new directions.

Bad News – Old Exploits Remain Potent

Another, arguably more valid way to interpret the lack of innovation in 0-days is that it’s unnecessary. Existing methods still work, so hackers have little incentive to devise new ones. It has been the goal of developers and cyber defenders to “make 0-days harder” for years now, but that effort seems to have accomplished relatively little, allowing hackers to return to the same well instead of making them return to the drawing board. The huge number of familiar 0-days in 2021 suggests that while detection and disclosure are improving, actual defenses are not, which raises troubling (but important) questions about how we approach this issue.

Preparing for the Future of 0-Days

The Google report makes clear that we have made some progress on 0-days but still have much left to do. The question is how we get from record high 0-days to record lows?

Above all, it will take cooperation, communication, and collaboration among stakeholders inside and outside cybersecurity. 0-days are a complicated beast, both to prevent and remediate, that exceeds what any team, department, or company can address on its own. A culture of mutual defense and shared responsibility has an obvious advantage: it gives the defenders vastly more resources than the attackers could ever muster.

But it all depends on bringing together different ideas, experiences, and perspectives, which is where the vsociety comes in. This social community provides a space for voices from across cybersecurity and the larger tech landscape to unite around issues like 0-days and so much more. The conversation starts here.

Photo by Adi Goldstein


OSINT Tools – Pt.3

Intro

Now that we’ve laid some theoretical foundation as to what OSINT consists of, let’s check out some tools and see how they can benefit us, as well as what are some of the most common uses. Before going any further, we would just like to quickly go over what types of information gathering there are, as well as some distinctions when it comes to these tools.

Active vs. Passive Recon

Within the context of an investigation, be it a penetration test or due diligence, we will use OSINT to gather some information.

The main distinction to be made here is active versus passive reconnaissance. Active reconnaissance means we make some sort of contact with the system we are investigating: we interact with it directly. Some of that interaction is almost harmless, like a ping, but some is far more intrusive, such as port scanning, directory brute forcing, or credential guessing, which the target may reasonably treat as an attack regardless of the fact that the resources are exposed to the open Internet.

In general, in such a way we also might leave traces in the form of logs – which can further show the length of the connection, our IP address, etc.

When we are doing passive reconnaissance, we are not interacting with the systems. We might look up our target on Shodan, which would be considered passive, since we’re just using data that’s already out there, and are in no way interacting with any of the systems of interest.

There are merits to both sides, however, it’s crucial that we are aware of the distinction, so as to not hinder our investigation – we need to know what to use, and when.
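What an active pass actually leaves behind, as an added example that is not part of the original article: the Python below parses a handful of constructed Apache combined-format access-log lines (the sample, the IP addresses and the user-agent strings are all made up) and flags the source that requested many distinct paths and mostly got 404s, the footprint of content discovery or directory brute forcing. A defender can run exactly this kind of logic over real logs; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (a made-up sample, not a real capture).
# 203.0.113.5 browses normally; 198.51.100.7 walks the site asking for files that
# are not there, which is the footprint an active reconnaissance pass leaves behind.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [20/Jun/2022:10:01:04 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [20/Jun/2022:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
198.51.100.7 - - [20/Jun/2022:10:02:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
198.51.100.7 - - [20/Jun/2022:10:02:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
198.51.100.7 - - [20/Jun/2022:10:02:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
198.51.100.7 - - [20/Jun/2022:10:02:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
198.51.100.7 - - [20/Jun/2022:10:02:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
"""

# Apache combined format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text):
    """Per source IP: request count, distinct paths, 4xx count and user agents seen."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["agents"].add(rec["ua"])
        if 400 <= rec["status"] < 500:
            s["errors"] += 1
    return dict(stats)


def flag_scanners(log_text, min_paths=5, min_error_ratio=0.5):
    """IPs that touched many distinct paths and mostly got 4xx responses: a crude but
    serviceable signature of content discovery. Thresholds are assumptions to tune."""
    flagged = []
    for ip, s in summarize(log_text).items():
        ratio = s["errors"] / s["requests"]
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", len(s["paths"]), "paths,",
              s["errors"], "4xx,", sorted(s["agents"]))
    print("flagged:", flag_scanners(SAMPLE_LOG))
```

The point for the investigator is the mirror image: every line above is something the target's administrator can read back, including the source address, the timing and the tooling's default user agent. Passive sources such as Shodan produce none of this on the target's side.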

Types of OSINT Tools

Based on what the tool does, we can say there are three main categories:

  • Discovery Tools
  • Aggregation Tools
  • Scraping Tools

Discovery Tools – tools that enable us to query and search the data that is already out there. The best example is Google search engine. Seemingly simple, but Google has a lot of websites indexed and crawled, which in turn gives us enormous potential when it comes to discovering new information. Another example would be Shodan.

Aggregation Tools – these tools help us connect the dots, so to speak, once we have gathered all of our relevant data and are in need of further relating it, and compiling it into a functional, easily digestible, format.

Scraping Tools – when we have successfully discovered the information we need, we would like to extract it in an easy and safe way. With these tools, we can avoid extracting anything that is of no use to us, as well as saving our precious resources e.g. time and bandwidth.
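As an added example of what a scraping tool does (example code, not the article's own): given a fetched HTML page, the Python below keeps only the in-scope artefacts, namely email addresses, hostnames and document links belonging to the target domain, and drops everything else, so we do not spend time or bandwidth on third-party noise. The HTML fragment, the hostnames and the addresses are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed HTML standing in for a page fetched during an investigation
# (the markup, hostnames and addresses are made up for this example).
SAMPLE_HTML = """
<html><body>
<a href="https://www.example.com/about">About</a>
<a href="/files/annual-report-2021.pdf">Annual report (PDF)</a>
<a href="https://intranet.example.com/login">Staff login</a>
<a href="https://cdn.partner-site.net/lib.js">External script</a>
<a href="mailto:press@example.com">Press</a>
<p>Contact our security team at security@example.com or hr.team@example.com.
Unrelated: someone@gmail.com</p>
<a href="https://docs.example.com/guide.docx">Guide</a>
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


class LinkCollector(HTMLParser):
    """Collects every href and every run of visible text from the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def in_scope(host, target_domain):
    """True for the target domain itself and any of its subdomains."""
    return host == target_domain or host.endswith("." + target_domain)


def scrape(html, base_url, target_domain):
    """Return only the in-scope emails, hostnames and document URLs found in html."""
    collector = LinkCollector()
    collector.feed(html)
    emails, hosts, documents = set(), set(), set()

    for href in collector.hrefs:
        if href.lower().startswith("mailto:"):
            emails.add(href[len("mailto:"):].split("?")[0].lower())
            continue
        url = urljoin(base_url, href)          # resolve relative links against the page
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not in_scope(host, target_domain):  # third-party hosts are noise, drop them
            continue
        hosts.add(host)
        if parsed.path.lower().endswith(DOC_EXTENSIONS):
            documents.add(url)

    # Addresses written in plain text rather than as mailto: links
    for addr in EMAIL_RE.findall(" ".join(collector.text)):
        emails.add(addr.lower())
    emails = {e for e in emails if in_scope(e.split("@", 1)[1], target_domain)}

    return {"emails": sorted(emails), "hosts": sorted(hosts), "documents": sorted(documents)}


if __name__ == "__main__":
    for key, values in scrape(SAMPLE_HTML, "https://www.example.com/", "example.com").items():
        print(f"{key}:")
        for v in values:
            print("   ", v)
```

Note that in a real run the HTML would come from an HTTP fetch of the target's site, which from the target's point of view is active reconnaissance; pulling the same page out of a search engine cache or an archive keeps the step passive.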

With all of that being said, there are a plethora of tools out there, but we have decided to give a brief overview of a few that we felt are the most essential ones. It’s up to you to establish your own methodology, and do research accordingly, as there is no exact path one would follow when conducting OSINT investigations.

Google Search Engine – Google Dorking

Beside your everyday uses of Google’s search engine, there’s a lot of options for you to refine your queries.

A simplest example is adding quotation marks to your search. By doing so, Google will interpret whatever we’ve put inside the quotation marks as an exact phrase, and will give us only the results where that exact phrase comes up.

Another common example is adding the site: operator to our search. If we searched for, let's say, imdb new movies, we would get a very large number of results from across the whole web.

On the other hand, if we were to add site: to our search, as in new movies site:imdb.com, we would get only pages hosted on imdb.com.

As we can see, there is a drastic difference in the number of results obtained, just by leveraging one of the many Google dorks.

We can even look for specific file types with the filetype: operator.

If we want to look for publicly available PDFs, for example, we add the operator like this: filetype:pdf, optionally combined with a site: restriction to keep the results on the domain we care about.

We can also use intitle:, and Google will return results only if the phrase appears in the title of the page; there is cache: too, which gives us Google's cached version of the URL we have specified.

There are many more dorks available, and this is a big topic which we will look to cover in an article dedicated just to Google dorking.

But for now, we would like to mention that this is legal in the ordinary case: we are sending queries to a public search engine, which only indexes information that has already been published, and no system belonging to the target is being touched. Be mindful, though, that what you do with the information, or what you do next with the systems it points you at, might not be legal.
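To make the operators above concrete, here is an added example (not code from the original article) that composes and parses dork queries and turns them into a search URL. The operator names are Google's documented ones; the fixed operator list and the value-character whitelist are our own assumptions, chosen so that a mistyped operator raises an error instead of silently becoming a plain keyword.

```python
import re
from urllib.parse import urlencode

# Operators covered in the text plus a few commonly paired with them. Restricting the
# set is an assumption of this example: a typo such as "fieltype" raises instead of
# quietly turning into an ordinary search keyword.
OPERATORS = ("site", "filetype", "intitle", "inurl", "intext", "cache")
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')        # a quoted phrase, or a run of non-space
_VALUE_RE = re.compile(r"[\w.\-/:]+")         # operator values: no spaces, no quotes


def build_dork(phrases=(), keywords=(), exclude_sites=(), **operators):
    """Compose a query from exact phrases (quoted), loose keywords, operator:value
    pairs and -site: exclusions. Raises ValueError on unknown or malformed input."""
    parts = []
    for phrase in phrases:
        if '"' in phrase:
            raise ValueError("a phrase may not contain a double quote")
        parts.append(f'"{phrase}"')
    parts.extend(keywords)
    for op, value in operators.items():
        if op not in OPERATORS:
            raise ValueError(f"unknown operator: {op}")
        if not _VALUE_RE.fullmatch(value):
            raise ValueError(f"bad value for {op}: {value!r}")
        parts.append(f"{op}:{value}")
    for site in exclude_sites:
        parts.append(f"-site:{site}")
    return " ".join(parts)


def parse_dork(query):
    """Inverse of build_dork: split a query string back into its components."""
    out = {"phrases": [], "keywords": [], "operators": {}, "exclude_sites": []}
    for tok in _TOKEN_RE.findall(query):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            out["phrases"].append(tok[1:-1])
        elif tok.startswith("-site:"):
            out["exclude_sites"].append(tok[len("-site:"):])
        elif ":" in tok and tok.split(":", 1)[0] in OPERATORS:
            op, value = tok.split(":", 1)
            out["operators"][op] = value
        else:
            out["keywords"].append(tok)
    return out


def google_url(query):
    """URL for the query against Google's public search endpoint (q parameter)."""
    return "https://www.google.com/search?" + urlencode({"q": query})


if __name__ == "__main__":
    # The two searches from the text: the loose one and the site-restricted one.
    print(build_dork(keywords=["imdb", "new", "movies"]))
    print(build_dork(phrases=["new movies"], site="imdb.com"))
    # Public PDFs on one domain, minus its marketing site.
    q = build_dork(keywords=["annual", "report"], filetype="pdf",
                   site="example.com", exclude_sites=["www.example.com"])
    print(q)
    print(parse_dork(q))
    print(google_url(q))
```

The parser is what you want when reading dork lists written by others (or the Google Hacking Database): it tells you at a glance which entries are restricted to a site or file type and which are just keyword soup.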

Shodan.io

With the number of Internet-connected devices higher than ever, a search engine dedicated to them, from web servers and routers to industrial control systems and IoT gadgets, is an irreplaceable tool to have in your arsenal. Shodan is that search engine: it continuously scans the Internet and indexes the service banners it receives, so you query its index rather than the devices themselves.

If, for example, publicly accessible CCTV cameras are something that you might be looking into, Shodan’s got you covered.

Heck, if you want to check if your smart fridge is publicly accessible, Shodan can help you!

To use Shodan fully you will need a paid subscription; you can start with the free tier, but you will get only a limited number of searches and results per query.

The best freemium alternative to Shodan is Censys, which likewise discovers, analyzes, and monitors Internet-accessible hosts and services.


OSINT Framework

The OSINT Framework is one of the most popular OSINT tools out there, and rightly so. Structured like a web directory of tools, it has almost everything you might need for your investigation, which makes it an extremely attractive option for information gathering.

Also, most of the tools in this web directory are directly usable through a browser, which is a great thing to have, since many of the best OSINT tools are built for Linux and the command line. Thus, the OSINT Framework provides a very useful and accessible bundle of tools regardless of the platform, which is extremely valuable.

It is worth noting that most of the tools found within are free, with only a minority being premium, subscription-based tools.

Maltego

Maltego is a wonderful aggregator of interfaces to various OSINT databases – from the official Maltego website – https://www.maltego.com/.

With Maltego, we can investigate and find information on organizations, individuals, as well as investigate cryptocurrencies, and much, much, more.

Once registered (which can be done for free under the community license) you are brought to a GUI from which you can start your investigation. Queries in Maltego are called transforms; each one takes an entity (a domain, an email address, a person) and returns related entities, and the results are displayed as a graph that maps the relations between your nodes.

Maltego starting screen

In our example search, where we’ve chosen Domain as Maltego entity, for youtube.com, we’ve obtained the following:

As we can see from the image, at the bottom are the transforms that were run, and on the graph we see the color-coded results of our query. We got 148 entities, including MX and NS records, email addresses, people, phone numbers, and so on.

We just ran the all transforms search, of course, in reality we would maybe use only transforms that we need, or we would install specific modules (from Maltego starting page), so that we can query for information that’s relevant for our investigation. Some of the modules that we can install are paid, but there are also some good free ones.

Maltego definitely warrants an article of its own, but we wanted to briefly show what this awesome tool is all about. Oh, and one more thing – Maltego runs on Linux, Windows, and MacOS.

Recon-ng

Another great tool is Recon-ng. This is a completely free, open-source, command-line web reconnaissance framework written in Python.

It is completely modular, it has its own default modules that are also open source, while also having a marketplace from which we can further enrich it with whatever we might need.

The information we collect with it is stored in a database, which means we can use it to generate custom reports, if that’s something we need.

Being an open source tool, it grows through its developer community, which is quite engaged.

It might be a bit daunting at first, due to it being a CLI-based tool, but it is actually extremely fun to navigate around, and once you’ve gotten the hang of it you will surely love it!

Conclusion

These are some of our favorite tools, and we have given you a brief introduction to them; in the future, we hope to expand on them (ideally all the tools mentioned here, and more!). If that does not prove possible for us, we hope that we have at least managed to provide a 'teaser' of sorts and to pique your interest.

Lastly, honorable mentions go to TinEye – a reverse image search tool, and Phoneinfoga – Python-based phone number scanning tool.


OSINT – Pt.2 – Intelligence Cycle and OSINT Framework

Intro

Now that we’ve covered some basics of what OSINT is, why we use it, and how it might benefit us, let us look at the core of what makes up our collective intelligence effort. Do note that even though we should be familiar with this, every analyst should develop their own techniques, methods, and even tools, depending on the case they’re investigating. Think of what we’re describing below as a loose guideline that can be used in your investigations.

Also, please note that the Intelligence Cycle, as described below, is of a broader scope, and doesn’t necessarily pertain to OSINT investigations exclusively. However, from our perspective it is vital to be at least familiar with it, which is why we chose to dedicate that much space to it.

Intelligence Cycle

The Intelligence Cycle is the process of turning raw data into intelligence that can be used to make decisions, be it for law enforcement (LE) use or for business-driven purposes. By its nature the Intelligence Cycle is cyclical (hence the name), meaning that what we have discovered previously can influence the following routes of our investigation. The goal here is to remain open to new information, and to understand that it can change the current state of affairs in our investigation.

The Intelligence Cycle consists of five parts: 

  1. Planning and Direction
  2. Collection
  3. Processing
  4. Analysis and Production
  5. Dissemination

Planning and Direction

This part involves the management of the whole investigation, from identification of our intelligence needs through to delivery of the resulting intelligence. It is both the beginning and the end of the cycle: the beginning, because it defines our needs (planning); the end, because once we are finished, the new intel can produce new informational needs. Our intel must work hand-in-hand with decision making, and decisions may change once we reach the end, which leaves us at the beginning of the cycle once more.

Collection

To collect intel effectively, we need a good plan that we will stick to, as well as some sort of direction. Since in this phase we are collecting raw data, open sources can be a treasure trove; in the context of a pure OSINT investigation this is where we would urge the analyst to pay most of their attention and to deploy their critical thinking as much as possible. Data can be extremely volatile, and we need to understand not only the individual data points but the broader picture they form. (Once more, the Intelligence Cycle is broader than OSINT and goes beyond open-source data.)

Processing

In this step, we convert the raw data that we’ve gathered into a format an analyst can work with. This entails managing our information, through whatever techniques we may deem necessary for our particular investigation. We reduce the data, arrange, and process it in such a way that it can be of use to the one who would be consuming it.

It follows that this step will differ greatly if we are, for example, processing our data for a LEA (law enforcement agency), versus an investigation where we ourselves are the consumer of the information, such as gathering intel for a penetration test, at least until we compile the report for our client.

Analysis and Production

Analysis and production pertains to us converting all of the information that we’ve processed, into a finished product. This intel is evaluated, integrated, and further analyzed. The data is integrated into one coherent whole, what was evaluated is put in context, and then produced into a finished piece of intelligence – which includes assessments, and implications of the intel, in that particular context.

Dissemination

In this final phase, we distribute our intel to the consumer, the same ones who initiated the process with their intelligence needs and requirements. Then, based on the information, the consumer would make their decisions, which may trigger the Intelligence Cycle again.

Thoughts, conclusions

It is apparent that this type of approach is generally geared toward LEAs or certain businesses, but as aspiring OSINT analysts we should be aware of how these things are usually done. There is a lot to unpack here, and even though we might not need to follow the exact same steps, we will still act roughly in line with the model above.

The main takeaway, for us, is the fact that this kind of approach has a great impact on how we can further use our own critical thinking and deductive skills, since critical thinking is the most important skill an OSINT analyst needs to possess – in our opinion. That is, the ability to think rationally about the topic, in an organized way, so that we can best understand the connection of the facts that are presented to us.

For example, we should always look to define our problems and/or questions as precisely as we can. We also need to find different sources – in order to understand different points of view. Further, we should evaluate the reliability of said sources, understand if they’re biased, and if that’s the case, then we would be interested in how’s and why’s.

Once we’ve weeded out some of those crucial questions, and further crystallized our picture, we would try and understand what’s most important of the facts that we’ve gathered. Finally, once we do all of that successfully, we need to know how to present this coherently, to whomever might be the party to which our investigation refers to.

With all this in mind, of course every analyst’s process will differ, but the way in which we go on about our investigation, should be grounded around some of the same core principles. Remember, your greatest and most important tool is your ability to rationalize, analyze, connect the dots, and make good deductions based on all of that – your critical thinking ability.

OSINT Framework

Before concluding our article, we would like to mention one more thing – the OSINT Framework.

This is a web-based platform, which bundles a lot of different OSINT tools – on many different themes, such as: IP address, Images, Social Networks, People Search Engines, Public Records, Metadata, Dark Web, and many more.

Most of them are free to use, but there’s a number of tools that are subscription-based. Nevertheless, this can be a great starting point for your investigation, and is something every OSINT analyst should be well aware of, in our opinion.

OSINT Framework Homepage

Conclusion

To conclude, we’d just like to mention that the idea behind ‘teasing’ with the OSINT Framework in this article is due to the fact that our next article will focus on some of the tools one might use in their investigation, so we felt it was a good inclusion and a natural transition; at least now that we’ve laid some groundwork, and explained, albeit briefly, some of the core intelligence gathering ideas.

As we will see, there’s a myriad of tools out there, and everybody has their own preferences, but the ideas behind them are generally nested around their theme/functionality.

Lastly, here’s another teaser for you, before we go delving into the tools in our next article!


Our Path to Product-Led Growth

The year was 2020, and while I’m reluctant to call things “normal”, the impending pandemic had yet to make its mark. Like most B2B SaaS orgs at the time, Vicarius had a small army of SDRs, supplemented by automated outreach – hell-bent on ensuring every prospect received a touchpoint. Our over-simplified process likely looks familiar:

  • Track website activity and identify which companies were visiting.
  • Filter activity to identify the right person in the org (CISO, Security, IT) using LinkedIn Sales Navigator and similar tools.
  • Initiate automated LinkedIn activity and email sequences (profile view, connection request, automated messaging, etc.)

We mastered this outbound automation, but were underwhelmed with the results. Our SDR team was performing poorly, and our brute-force LinkedIn strategy nearly had us blacklisted from the platform. As time went on, I grew concerned that we were not only destroying our brand perception, but we were failing to crack our user acquisition strategy. 2020 was off to a bad start.

Dejected, my co-founder, Roi, and I returned from RSA 2020 as the world around us began to shutter. COVID was here. While we hadn’t yet grasped the magnitude, we took this new reality as an opportunity to step back and re-evaluate our go-to-market strategy.

A New Perspective

I never understood why security companies were hesitant to offer their product for self-testing and qualification. Was it a fear of being seen as “cheap” or premature to market? Or did the “blackbox” approach allow them to wrangle a Fortune 100 customer and raise a huge round before anyone asked the tough questions? Realizing that there will be no more face-to-face meetings – or even worse, no whiskey night-outs with random CISOs – I questioned how on Earth security companies will survive. Beyond the schmoozing, how can orgs perform a non-physical on-site implementation, professional services, etc.? Reality had changed, and we needed to adapt.

With this in mind, we took the next quarter to focus on a self-serve platform that required zero human interaction… because who wants to talk face-to-face with humans when doing so can kill you? We quickly recognized some low-hanging fruit for brand awareness:

  1. Our Research Center, which pushed vulnerability data to our website with a Google-index-friendly structure, had led to tremendous organic exposure and user value.
  2. We began focusing on Google Ads, with distinctive long-tail terms that our ideal customer would search for, but perhaps lacked traditional high volume.

So, we doubled down. We focused our teams on adding organic value through CVE research and sought to engage new prospects through deeply targeted ad strategies (shout-out to Lior). At the same time, our product team focused on making trials and onboarding as low-touch as possible – funneling new users to find value as quickly as possible. And… it worked. Our qualified leads and close rate started to double – and then triple – maybe we were onto something?

Embracing Product Led Growth

The initial decision to build a self-serve engine and lead with the product was not something we did with “PLG” in mind. It’s not even something we consulted advisors on – it was a gut-feeling amongst founders.

If you’re unfamiliar with the concept, product-led growth is a go-to-market strategy that delineates the solution as the central vehicle for growth. Unlike a sales-led approach, where volume and touch-points reign supreme, a product-led approach gives prospects the tools to solve problems on their own and derive as much value as possible at every interaction with the product. These interactions eventually lead to a seamless upgrade for continued value.

Today, ‘product led growth’ is an expanding focus in broader SaaS markets, while adoption in security has been slow – largely due to over-complicated solutions and reluctance to focus on the user. I find myself consulting other CEOs and exchanging opinions with CMOs that implemented similar PLG strategies. Throughout this transition, I’ve developed two philosophies I feel are worth sharing:

  • Organic is King. I have a deep appreciation for marketing and growth teams, particularly how difficult their job is today. The formula for success is an ever-moving target and the “easy” strategy is throwing money at vendors/programs to acquire leads. That approach is lazy, fleeting, and often unsustainable. Organic growth is valuable because it’s hard and few are doing it… paid-marketing doesn’t buy you sustained traction, especially as a start-up. Growth hacking, content strategy, and search optimization takes time, but the results are long-lasting and compounding.
  • Give Users the Keys. The buyer is changing – and this is as much a generational transformation as it is an industrial one. Millennials and Gen Z are moving more-and-more into buyer / decision-maker roles, and these generations were raised on instant downloads and self-research. “Talking to Sales” is an inconvenience at best, and a deal-breaker at worst. Giving these buyers the self-guided path to identifying top use-cases and recognizing the quickest time-to-value is more important than ever. No one wants to talk to sales until they know the solution will work for them.

That last point is also a benefit to the sales org… and probably important that I point out: PLG does not replace sales – it makes their job easier. A product-led MQL/SQL, or even better, a PQL (product qualified lead), results in more predictable forecasting, less awkward discovery calls, and a significantly shorter sales cycle. It’s the embodiment of ‘quality over quantity’. Beyond sales prospecting, investors are also picking up on the PLG momentum, with product-led orgs receiving higher multipliers (Axonius, Snyk, Datadog) on their revenue, even while operating in less sexy security markets. After all, investors love accurate forecasting.

The PLG Reverse Triangle

I spent much time building on this product-led strategy before realizing I had not, in fact, invented it. There’s currently a wealth of resources and enablement vendors focused specifically on PLG (PLG123, and productled.org to name a few). My contribution to this concept is the reverse-triangle, which structures organic user activity on the path from open-source tool, to product usage, to community involvement, with each segment building upon the next.

(Figure: The PLG reverse triangle)

As it relates to us…

  • Community. Vicarius is enabling the broader security community to leverage the power of the collective, sharing insights and expertise through vsociety. vsociety is a social community for security professionals to collaborate on vulnerability solutions, share remediation insights, and network with security peers. The platform allows members to contribute to TOPIA, while gaining access to timely security research and bidirectional scripts from Vicarius and the broader user-base. The platform provides networking opportunities with industry peers, while enabling thought-leadership growth for community users. vsociety is free of charge, while allowing contributors to be paid for their insights.
  • Open-Source. Vicarius now seamlessly integrates with Nmap, one of the most ubiquitous and versatile scanning tools in the open market. Users can now visualize Nmap scans like never before, turning Nmap XML output into vibrant dashboards inside the Vicarius TOPIA platform. Users receive the latest CVE results, consolidated vulnerability feeds, and can track scans historically, completely free of charge. Meanwhile, this opens a new user pool of potential full-featured users for Vicarius, enabling a two-way benefit.
  • Product. Each of the above is optimized inside the TOPIA platform, providing a seamless user experience, utilizing open-source tools as a force-multiplier, while leveraging the user community for insights and growth. Both free users and Vicarius customers can benefit from these crowd-sourced solutions at every turn of the triangle, with each arm communicating with the next.

With each point of the PLG reverse-triangle feeding into the next, there’s an important nucleus built at the center: the free user. Even if they never convert into new ARR, a non-paying user who derives legitimate value from your ecosystem becomes a solution evangelist, spreading word of your brand and growing your solution footprint. An organic, human recommendation will always trump a paid advertisement. And with the mutual benefit of a free platform to share information about vulnerabilities and targeted content, everyone benefits. 

At the end of the day…

Our “accidental” foray into product-led growth has been fascinating, fruitful, and focused us on the progression of our solution. We’ve gained a deep understanding of our user and how they derive value from our tool, leading us to develop a hyper-empathetic focus on our users and how they want our tool to evolve with their needs, while always providing intrinsic value to the community. We couldn’t imagine growing our tool any other way.

If you’re interested in participating in the vsociety community, you can sign up to be a pioneer today.


What is OS Fingerprinting?

How OS Fingerprinting Works: Fundamentals You Need to Know

RSAC Party List 2022

Going to RSAC 2022 this year? Let’s be real… you’re not nearly as interested in talking security and business as you are in networking and partying on company time (it’s cool, we won’t snitch). At Vicarius, we like making life easier — whether it’s remediating vulnerabilities or finding the dopest parties at tradeshows. With that in mind, we’ve compiled a list of post-show networking events in San Francisco to wet your whistle this June. Have fun and be kinda responsible…


John the Ripper Pt.4

Intro

In this article – the last in our John the Ripper series – we would like to focus on how we can use John to crack SSH keys, as well as mention some basics of Custom Rules.

SSH

What is SSH? When do we use it (or should)? How does it work, and what are some encryption techniques/technologies that SSH has to offer?

Let’s answer all of these questions briefly (it is a very big topic), before delving further into how John can leverage some of its functionalities to crack the SSH private key password of id_rsa files.

SSH stands for Secure Shell, and is a remote administration protocol, which gives us the ability to access, control, or modify our remote infrastructure (usually servers) over the Internet. You might want to remote into your client’s server to troubleshoot something, or to deploy some code.

Historically, SSH was created as a replacement for the much more insecure protocol called Telnet, which serves the same purpose but offers no encryption. You can see why that might make some of us feel quite awkward. SSH encrypts all of our communication to and from the remote server, and it also lets us authenticate the remote user and the remote host.

To use SSH, we can simply pull up the terminal (for MacOS/Linux) and type:

ssh <username>@<ip_address> -p <port_number>

Where the username is the name of the user we wish to connect as, and the IP address is that of the server we are connecting to. For Windows we can use an SSH client, the best known one being PuTTY.

For example, if we were to connect as a user called john to our remote server at 184.121.23.43 on the default port (for SSH it’s port 22), we would give a command like this:

ssh john@184.121.23.43 -p22

Regardless of our platform, once we’ve issued our command, we will get a prompt asking for the password of the user we specified, in order to authenticate us. If the credentials are correct, we will be shown a command line on the server we just logged into.



SSH and John the Ripper

As we’ve already mentioned, we can use John to crack the private key passwords of id_rsa files. Our target may have configured key-based authentication, which just means they use their private key (id_rsa) to authenticate against the server and log in over SSH. Since that private key will generally be protected by a passphrase, we can once again use John to help us crack it, so that the key can be used to authenticate over SSH.

As with zip2john and rar2john previously (sound familiar?), John leverages a helper tool, this time called ssh2john. The logic remains the same: ssh2john converts the id_rsa key to a hash that John can work with. The syntax is virtually the same as before:

ssh2john [id_rsa_file] > [output_file]

ssh2john – command to call our converter tool

id_rsa_file – path to our file that we want to convert to a hash

output_file – here we will store our output, i.e. the hash that we’ve created

One small thing of note, before we look at our example. Your terminal may tell you that ssh2john can’t be found (“command not found”, meaning the ssh2john binary is not installed, as in the image below).


In that case you can still use ssh2john.py, which is basically the same thing, wrapped inside a Python script. Usually, ssh2john.py is located at /opt/john/ssh2john.py or, in case you’re using Kali, you can find it at /usr/share/john/ssh2john.py. Just remember to invoke the Python script by adding python or python3 to the front of your command line (as shown in the image below).


This also brings us to our example.

In order to do the cracking, we’ve first created a new private/public key-pair using ssh-keygen (image below)


(Spoiler alert! We’ve used the passphrase banana)

All that’s left now is to do some john magic.

First, we run our Python version of the ssh2john conversion tool – as shown below (which is the same image as above)


Simply, we’ve asked Python to run the script called ssh2john, which can be found in the /usr/share/john/ssh2john.py path… again, if you’re not on Kali, this would be /opt/john/ssh2john.py, and then we’ve given the path to our newly created (banana-protected) private key – /root/.ssh/id_rsa – which we’ve redirected to an output file on our Desktop, called KeyHash.txt.

Now we are ready, and should have all we need in order for John to crack our private key password for us.

We invoke John, using our trusty rockyou.txt wordlist, and let it do its thing:

 

Lo and behold, 29 seconds later, John has returned to us with the correct output – banana – cracking our password successfully!
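The banana example shows how little a weak passphrase buys you. As an added defender-side check (example code written for this article, not part of John or ssh2john), the following Python reads the same key header fields that ssh2john extracts and reports whether a private key is passphrase-protected at all, with which cipher and KDF, and with how many bcrypt rounds. The KeyInfo type and build_sample fixture are this example's own, and the sample keys are constructed in code rather than taken from a real ssh-keygen run.

```python
"""Report whether an SSH private key is passphrase-protected, and how strongly.

Added example, not code from the article, John, or ssh2john. It reads the
same header fields that ssh2john extracts: for the modern "openssh-key-v1"
container, the cipher name, KDF name and bcrypt round count; for legacy PEM
keys, the Proc-Type/DEK-Info headers. An unencrypted key, or a weak passphrase
on an encrypted one, is what a wordlist attack like the banana example cracks.
"""
import base64
import struct
from dataclasses import dataclass

OPENSSH_MAGIC = b"openssh-key-v1\x00"


@dataclass
class KeyInfo:
    fmt: str        # "openssh" or "pem"
    encrypted: bool
    cipher: str     # e.g. "aes256-ctr", or "none"
    kdf: str        # "bcrypt", "openssl-legacy" (PEM), or "none"
    rounds: int     # bcrypt work factor (ssh-keygen -a), 0 when no KDF


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _parse_openssh(armored: bytes) -> KeyInfo:
    lines = [ln.strip() for ln in armored.splitlines() if not ln.startswith(b"-----")]
    blob = base64.b64decode(b"".join(lines))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    cipher, off = _ssh_string(blob, off)
    kdf, off = _ssh_string(blob, off)
    kdfopts, off = _ssh_string(blob, off)
    rounds = 0
    if kdf == b"bcrypt":
        # kdfoptions = string salt, uint32 rounds
        _salt, o = _ssh_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return KeyInfo("openssh", cipher != b"none", cipher.decode(), kdf.decode(), rounds)


def _parse_pem(armored: bytes) -> KeyInfo:
    """Legacy PEM keys (ssh-keygen -m PEM) flag encryption via a Proc-Type header."""
    encrypted = b"Proc-Type: 4,ENCRYPTED" in armored
    cipher = "none"
    for ln in armored.splitlines():
        if ln.startswith(b"DEK-Info:"):
            cipher = ln.split(b":", 1)[1].strip().split(b",")[0].decode().lower()
    return KeyInfo("pem", encrypted, cipher, "openssl-legacy" if encrypted else "none", 0)


def inspect_key(armored: bytes) -> KeyInfo:
    """Dispatch on the armor line; raise on anything that is not a private key."""
    if b"BEGIN OPENSSH PRIVATE KEY" in armored:
        return _parse_openssh(armored)
    if b"PRIVATE KEY-----" in armored:
        return _parse_pem(armored)
    raise ValueError("unrecognised private key format")


def _ssh_str(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample(cipher: bytes, kdf: bytes, rounds: int) -> bytes:
    """Constructed fixture: a syntactically valid openssh-key-v1 header with
    dummy key material, so the checker runs offline without a real key."""
    opts = (_ssh_str(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (OPENSSH_MAGIC + _ssh_str(cipher) + _ssh_str(kdf) + _ssh_str(opts)
            + struct.pack(">I", 1) + _ssh_str(b"dummy-public") + _ssh_str(b"dummy-private"))
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    for args in ((b"none", b"none", 0), (b"aes256-ctr", b"bcrypt", 16)):
        info = inspect_key(build_sample(*args))
        print(info, "<- unprotected: rotate and re-encrypt" if not info.encrypted else "")
```

To audit a real key, pass the file's bytes to inspect_key; a result with encrypted False, or a low bcrypt round count, is the key to rotate first.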

Custom Rules

Similarly to the single crack mode that we’ve covered in part 2 of our series (word mangling, or variations of a word, where we change the letters to capital letters, numbers, etc.) we can also define our own sets of rules in similar fashion. John will then use our newly created rules to create passwords. This can be quite useful if we know (or suspect) the password structure of whatever it is that we’re attacking.

With this we can integrate capital letters, numbers, symbols… same as for the single crack mode. Also, this can prove to be rather useful for us, since organizations sometimes enforce password policies in order for them to be a bit less susceptible to dictionary attacks.

This is exactly what an attacker might leverage to their advantage! As we all know people tend to make similar passwords, or even reuse them, and adding numbers and capital letters, or symbols can make it so they meet the password policy’s requirement (complexity). Still, Babyblue1! is not an example of a secure password by any means!

So, if an attacker knew about the password structure, used a bit of Social Engineering on the target they’ve picked (some employee of the company perhaps), they could then easily connect the dots and compromise the system – gain a foothold into your now compromised organization.

Password rules are usually located in the /etc/john path, in a file called john.conf. Another path could be /opt/john.

To create our rule, the first line is used to create a name for the rule, which we can later invoke with John. It looks something like this: 

[List.rules:Babyblue]

Then, we need to use a regex style pattern in order to define our rule further:

A0 – prepends the word with the characters we define (A inserts a string, 0 is the position)

c – capitalizes the word (the first character only, so position matters!)

Az – appends the word with any characters we define (z means the end of the word)

u – converts the whole word to uppercase

Now we just need to decide where and what we want to be changed. To define what’s going to be prepended or appended, we put that in square brackets [] – in the order of usage!

We end up with something similar to this:

cAz"[0-9][!@%$]"

After that, all that’s left is to add our rule to our usual command, by adding this flag: --rules=Babyblue.

We would end up with a command like this:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Babyblue target_file_path
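To see what a rule like cAz"[0-9][!@%$]" actually does to a wordlist, here is a small Python expander for the four commands described above. It is an added illustration written for this article, not John's own rule engine (which supports many more commands); the function names and the three-word sample wordlist are this example's own, and the candidate order may differ from John's.

```python
"""Tiny expander for the John the Ripper rule commands used in this article.

Added illustration, not John's own rule engine (which supports many more
commands and applies each rule across the whole wordlist). Supported here:
  c          capitalize the first character, lowercase the rest
  u          convert the whole word to uppercase
  A0"..."    prepend the quoted string   (A = insert, 0 = position zero)
  Az"..."    append the quoted string    (z = end of word)
A [..] class inside the quoted string expands to one candidate per member,
which is how cAz"[0-9][!@%$]" turns babyblue into Babyblue1! (among others).
"""
import itertools
import re
from typing import List, Tuple

# One rule command at a time: c, u, or an A0/Az insert with its quoted string.
_CMD = re.compile(r'(c|u|A0"([^"]*)"|Az"([^"]*)")')
# A character class such as [0-9] or [!@%$] inside a quoted string.
_CLASS = re.compile(r"\[([^\]]+)\]")


def _class_chars(body: str) -> str:
    """Expand a class body: 'a-c!' -> 'abc!' (ranges plus literal members)."""
    out, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            out.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def _expand_string(s: str) -> List[str]:
    """All strings the quoted text denotes, one per combination of class members."""
    parts, pos = [], 0
    for m in _CLASS.finditer(s):
        parts.extend(s[pos:m.start()])          # literal characters: one choice each
        parts.append(_class_chars(m.group(1)))  # class: several choices
        pos = m.end()
    parts.extend(s[pos:])
    return ["".join(combo) for combo in itertools.product(*parts)] if parts else [""]


def parse_rule(rule: str) -> List[Tuple[str, str]]:
    """Split a rule line into (command, argument) pairs; reject unsupported commands."""
    cmds, pos = [], 0
    while pos < len(rule):
        m = _CMD.match(rule, pos)
        if m is None:
            raise ValueError(f"unsupported rule command at {rule[pos:]!r}")
        if m.group(1) in ("c", "u"):
            cmds.append((m.group(1), ""))
        elif m.group(1).startswith("A0"):
            cmds.append(("A0", m.group(2)))
        else:
            cmds.append(("Az", m.group(3)))
        pos = m.end()
    return cmds


def apply_rule(word: str, rule: str) -> List[str]:
    """Every candidate the rule derives from one wordlist entry."""
    candidates = [word]
    for cmd, arg in parse_rule(rule):
        if cmd == "c":
            candidates = [w[:1].upper() + w[1:].lower() for w in candidates]
        elif cmd == "u":
            candidates = [w.upper() for w in candidates]
        elif cmd == "A0":
            candidates = [s + w for w in candidates for s in _expand_string(arg)]
        else:  # Az
            candidates = [w + s for w in candidates for s in _expand_string(arg)]
    return candidates


def expand_wordlist(words: List[str], rule: str) -> List[str]:
    """Apply the rule to a whole wordlist, the way john --rules would."""
    return [c for w in words for c in apply_rule(w, rule)]


if __name__ == "__main__":
    # Constructed three-entry wordlist standing in for rockyou.txt.
    sample = ["babyblue", "summer", "welcome"]
    out = expand_wordlist(sample, 'cAz"[0-9][!@%$]"')
    print(len(out), "candidates from 3 words; e.g.", out[1], "satisfies a complexity policy")
```

Only 40 candidates per base word satisfy “capital, digit, symbol”, which is why a complexity policy alone does not protect against a rule-assisted dictionary attack.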

Of course, there are many resources out there, and we would suggest first checking out these two, if all this talk about custom rules has piqued your interest.

Conclusion

Some finishing thoughts before we close out this series about John the Ripper. As we’ve seen from our examples and from what was mentioned throughout the series, John offers a lot of flexibility and versatility, but, as always, in order to leverage this great tool to its maximum potential, there’s a lot of ground to be covered – this does not mean you need a PhD in Cryptography, of course, just a lot of trial and error!

We wish you happy (& safe) password cracking!


John the Ripper Pt. 3

Intro

It should come as no surprise that John can also deal with .zip and .rar archives. John does this by leveraging the zip2john and rar2john utilities, built into the tool, so that it can ingest something it knows how to use. The syntax is pretty much the same, and by now you should be quite familiar with it; still, we will use this article to show some examples of how we can make our .zip and .rar archives John-ready. As we will see, this is akin to the unshadow tool we’ve used previously.

zip2john

As mentioned, similar to unshadow, John has the inbuilt tool that’s called zip2john, which we use to convert our target .zip archive into a format john will know what to do with, and, we hope, crack successfully.

The basic syntax looks something like this:

zip2john [target_zip_file] > [output_file]

Flags:

target_zip_file – this is the path to our password protected .zip archive

> – greater than sign which redirects our command results to a specified output file

output_file – in this file we store our output

So, our command will look something like this:

zip2john target_archive.zip > zip_hash.txt

Once we’ve successfully obtained the zip_hash.txt output file, we simply supply it to John. And yes, we can use the wordlists too. Thus, we just had a couple of extra steps before we return to using John as we’ve already learned previously.

More simply put, we can say to John, something like this:

john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

As you can see, this is something that we’ve already learned, and we’ve just used the zip2john utility to prepare our archive for John to work with. 

Let’s quickly cover rar2john next, and then we will go over some examples.

rar2john

Like zip files, rar archives can also compress various files and folders; they are created with the WinRAR archive manager.

We use it in the same way as zip2john. First, we use rar2john to make the .rar archive ready for John – by obtaining its hash, then we supply the said hash to John to try and crack it.

The syntax is the same as for zip2john:

rar2john [target_rar_file] > [output_file]

Flags:

target_rar_file – this is the path to our password protected .rar archive

> – greater than sign which redirects our command results to a specified output file

output_file – in this file we store our output

It will look something like this:

rar2john rar_archive.rar > rar_hash.txt

Now we just use John, the way we’ve learned, giving it our rar_hash.txt file:

john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

Examples

Now that we’ve covered some basic stuff, let’s look at some examples.


We have a .zip archive, called testZip1.zip with three files inside, called pass.txt, sop.txt, and supersecret.txt.

To digress for a bit: it would be terrible if we saw something like this on our test, as an attacker. The naming convention here in our article is there for our convenience and illustrative purposes. Nobody should have a file called sop.txt (which usually stands for standard operating procedure). Pass.txt and supersecret.txt even less so, for obvious reasons.

Going back to our .zip cracking, we give John a command asking it to make an output file it can understand, and try to crack it. (image below)


We just gave John our output file (in this case test1.hashes), and it cracked our password. Note that you can make your output file to be of any format, for further processing/manipulation. Use what makes the most sense for your purposes.

Since we have our password, we show it with John, and try to open our password protected archive, which prompts us:





Finally, we have our cracked .zip archive, and contents opened, of one of the files:


Let’s look at some more examples.


We password protect our .rar archive, called safe.rar, as we can see – password is password1. Inside, we have put two files, called pass.txt, and pass2.txt, respectively. We now need to make something John can use, out of our .rar archive:


Now we ask John to crack our new file, called rar_cracked.hash. For demonstration, we passed no arguments/options to John first.


When we ask John to crack something, without giving other arguments, it will go through the default modes, with their default settings. (That’s why it started with single crack mode first, in the image above)

Since we know our password is really weak, and we don’t want to wait that much, we use our trusty rockyou.txt wordlist:


Our wordlist mode works immediately, giving us the password we were looking for – password1, as shown above.

We then try to open our archive, finally:


As we can see, we get a popup saying we need to enter our password to access safe.rar, which we type in:


Et voilà! We have managed to access the .rar archive:


From the image above – two files, called pass.txt and pass2.txt, as mentioned previously – and their contents.

Conclusion

We’ve seen how we can use John to crack password protected .zip and .rar archives, and how it’s just one extra step after what we’ve already covered previously. Please note, though, that we were using just the rockyou.txt wordlist in our examples, and there are many wordlists out there, of different sizes (which can definitely speed up your attempts), purpose/type (why stop at passwords? We can also have URLs, web shells, fuzzing payloads, etc). Personally, I like to start off with the shortest wordlist that suits my particular need, as it is simply the fastest way. After that, if I don’t crack anything, I can easily switch to some larger lists.

One awesome resource would be the Openwall wordlists found on Openwall website – which is John the Ripper’s original website. There you can find some publicly downloadable lists, as well as paid ones, which can dramatically increase your password recovery potential, as that particular collection has 20+ languages, over 40 million entries, and also has pre-applied mangling rules (in this way you can do other likely password variations – adding digits instead of words, capitalization, etc.)

Before finishing, we would like to add that the best way to get these materials to ‘stick’ is to go and try for yourself. So, go fire up a VM, make some archives, add some files to it, password protect it, and attempt to crack it! (Once you master the easy ones, like in our examples, it’s time to start attacking some more complex passwords, and that’s where the greatest fun begins)
