Darknet Diaries: Our Favorite Episodes
We launched our first paid podcast ad on one of our favorite podcasts – Darknet Diaries with Jack Rhysider. And we’re really excited.
Darknet Diaries, for the few who aren’t already avid listeners, combines stories from the dark side of the internet with a narration that takes cues from the likes of Radiolab and This American Life – but with its own nerdy and endearing educational style.
It really is our favorite.
In honor of this kickoff, we thought it would be fun to share some of the episodes in which Sepio could have helped. Go ahead and download them if they are new to you, and you might even hear our ad. These are just a few of the more than 130 episodes. We highly recommend listening to them all and subscribing.
But first, you can hear the ad here:
Now, the top episodes in order of appearance:
Kyle Lovett discovered some really alarming security vulnerabilities on certain Asus-brand routers. However, his responsible disclosures were repeatedly ignored by Asus. To force change, Kyle went public with some of the lesser zero-day vulnerabilities he found, singlehandedly launching the #Asusgate public relations nightmare.
Breaking it down: When a vulnerability is made public, you want to know whether you have any of the affected assets in your environment, whether or not they are being used. Companies need to be able to see a full list of every connected asset, regardless of whether it is currently active on the network. Sepio would instantly give an enterprise complete visibility into whether any of the risky routers are on its network, regardless of the scale of the enterprise.
Episode 6: The Beirut Bank Job
Jayson E. Street, a pen tester, goes to work with what he calls his vest of doom: a Pwn Plug, a USB Rubber Ducky, and a couple of dropboxes.
The focus of the story, his engagement in a Beirut bank, begins with a Rubber Ducky plugged into an executive’s computer after only a few minutes. And it still manages to go downhill for the bank from there.
Breaking it down: Sepio automatically blocks Rubber Duckies based on their USB Asset DNA, stopping the attack vector before it starts. In addition, policies can be set only allowing approved peripherals and devices, hardening company endpoints and network ports.
There is a lot that is unknown when state actors are involved in a cyber-attack. However, Stuxnet is probably one of the most widely known and studied viruses because of its incredible sophistication and its success in attacking an air-gapped OT environment in Natanz, Iran.
There are a ton of amazing details in this episode. One question the attackers had to face was how to get into an air-gapped network. It is likely the attack vector was USB sticks carrying the Stuxnet virus that were brought into the facility by unknowing employees. The rest is history.
There is so much more to this story involving how Stuxnet was developed, the zero days it used, and the impact it had. We really recommend listening to the whole episode.
Breaking it down: Air-gapped environments shouldn’t allow USB storage devices to connect to any device. Sepio hardens endpoints, stopping USB devices from delivering their harmful payloads.
Kyle is a physical penetration tester hired to test the security of a major utility conglomerate. There is a lot in this episode so make sure to listen to its entirety.
One of the first things Kyle does upon gaining access to one of the many facilities at the utility is plug a dropbox into a network port. His dropbox was a battery and a Raspberry Pi attached to a wireless card that connected to a mobile hotspot.
The result?
Domain admin within minutes.
That is a lot for a short amount of work, but Kyle doesn’t stop there. They go to another site and get into a server room with their dropbox. Then later they find a copier with a network port and, yes, once again plug in a dropbox between the copier and the network.
Breaking it down: There are multiple layers of protection that this critical infrastructure utility was missing. Sepio would see the dropbox not as yet another copier or computer connected to the network but as the Raspberry Pi it truly is, allowing alerting or automated blocking by security teams.
Jek is hired to test the physical security of an international manufacturing business. She brings along her partner Carl, who is an expert on rogue devices and dropboxes. Yes, this is another dropbox episode, but listen to this one too. The social engineering aspect combined with the fear of working in a foreign country makes this a standout episode.
The script for our part remains the same: a couple of days on site, dropbox on the network port, and domain admin access.
Breaking it down: Sepio would be used to find this device before it could listen to traffic and find its way into the network.
Episode 42: Mini-Stories: Vol 2
Episode 42 is a series of three interesting short stories by pen testers. In the first one, Dave Kennedy tested the physical security of a nationwide retail store. Besides walking off with a literal checkout register, Dave planted what he calls Tap devices. They are little devices with cellular comms that connect directly into network ports to avoid firewalls. From there it seems everything was compromised.
Breaking it down: Sepio can determine that the device plugging in is not supposed to be there and either use policies to immediately cut access or alert a SOC.
The third story, with Dan Tentler, has a less obvious hardware angle, since some key details are missing. An insider threat, the head of security, was planting listening devices in conference rooms as part of a series of wrongdoings.
Breaking it down: While we don’t know if these devices were connected to the network, Sepio has found spy cameras in customer ecosystems.
This one we would have all fallen for. John Strand’s mother seems like a truly amazing woman and we all would have let her put USBs into any computer in the building. Which is exactly what happened in a prison of all places.
Breaking it down: In this case, Sepio could have blocked removable storage devices while allowing keyboards, mice, and cameras.
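The peripheral policy described in this and the earlier USB episodes (allow keyboards, mice and cameras; block removable storage; refuse to trust a Rubber Ducky just because it enumerates as a keyboard) can be expressed as a small allowlist engine over USB descriptor data. The following is an added example written for this post, not Sepio’s product logic: the interface class codes are the standard USB-IF values, while the vendor IDs, the allowlist and the sample device records are constructed.

```python
"""USB peripheral allowlist policy, evaluated over constructed device records.

Policy modelled here: keyboards, mice and cameras are allowed, removable
storage is blocked, and anything that enumerates as a keyboard is held to a
vendor allowlist and must not be bundled with a network or storage
interface, because a keystroke-injection tool looks like a keyboard to
the host. All vendor IDs and device records below are constructed.
"""
from dataclasses import dataclass

# USB interface class codes (USB-IF assignments).
CLASS_AUDIO = 0x01          # microphone side of a webcam
CLASS_CDC = 0x02            # communications, e.g. a USB network adapter
CLASS_HID = 0x03            # keyboards, mice
CLASS_MASS_STORAGE = 0x08   # flash drives
CLASS_VIDEO = 0x0E          # webcams

# HID boot-interface protocol value for a mouse (bInterfaceProtocol).
HID_PROTO_MOUSE = 2

# Constructed allowlist of vendor IDs whose keyboards are approved.
# A real deployment would populate this from the asset inventory.
APPROVED_KEYBOARD_VENDORS = {0x1111, 0x2222}


@dataclass(frozen=True)
class Interface:
    usb_class: int
    protocol: int = 0


@dataclass(frozen=True)
class Device:
    vendor_id: int
    product_id: int
    interfaces: tuple


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "block"
    reason: str
    alert: bool   # True when the SOC should be notified as well


def keyboard_capable(iface: Interface) -> bool:
    """Treat every HID interface except a boot-protocol mouse as able to type.

    Simplifying assumption of this example: a production check would parse
    the HID report descriptor rather than trust the boot protocol field.
    """
    return iface.usb_class == CLASS_HID and iface.protocol != HID_PROTO_MOUSE


def evaluate(device: Device) -> Verdict:
    classes = {i.usb_class for i in device.interfaces}
    types_keys = any(keyboard_capable(i) for i in device.interfaces)

    # 1. Removable storage is never allowed on these endpoints.
    if CLASS_MASS_STORAGE in classes:
        return Verdict("block", "mass storage interface present", alert=False)

    # 2. A keyboard bundled with a non-HID interface (network, serial) is the
    #    shape of a composite attack tool, not of an ordinary keyboard.
    if types_keys and (classes - {CLASS_HID}):
        return Verdict("block", "keyboard combined with non-HID interface", alert=True)

    # 3. Keyboards must come from an approved vendor.
    if types_keys and device.vendor_id not in APPROVED_KEYBOARD_VENDORS:
        return Verdict("block", "keyboard from unapproved vendor", alert=True)

    # 4. Mice, approved keyboards and cameras are allowed.
    if classes <= {CLASS_HID, CLASS_VIDEO, CLASS_AUDIO}:
        return Verdict("allow", "approved peripheral class", alert=False)

    # 5. Anything else (network adapters, serial, unknown classes) is denied.
    return Verdict("block", "interface class not on allowlist", alert=True)


# Constructed sample devices as the host would enumerate them.
SAMPLE_DEVICES = {
    "approved keyboard": Device(0x1111, 0x0001, (Interface(CLASS_HID, 1),)),
    "mouse":             Device(0x9999, 0x0002, (Interface(CLASS_HID, HID_PROTO_MOUSE),)),
    "webcam":            Device(0x3333, 0x0003, (Interface(CLASS_VIDEO), Interface(CLASS_AUDIO))),
    "flash drive":       Device(0x4444, 0x0004, (Interface(CLASS_MASS_STORAGE),)),
    "unknown keyboard":  Device(0xABCD, 0x0005, (Interface(CLASS_HID, 1),)),
    "keyboard+network":  Device(0x1111, 0x0006, (Interface(CLASS_HID, 1), Interface(CLASS_CDC))),
}


def audit(devices=SAMPLE_DEVICES) -> dict:
    """Evaluate every device and return its verdict keyed by name."""
    return {name: evaluate(dev) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18} {verdict.action:5} alert={str(verdict.alert):5} {verdict.reason}")
```

The ordering of the rules matters: the composite check runs before the vendor check so that a keyboard-plus-network device is refused even when its vendor ID happens to be on the allowlist, since a vendor ID is just a field in a descriptor that any device can present.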
Episode 125: Jeremiah
Government contractors are amongst the most secure companies in the world. Right?
Jeremiah Roe was on the red team assigned to test that assertion.
In Jeremiah’s kit was a Bash Bunny. Bash Bunnies look like a normal USB to a person but to a computer they look like a keyboard. Imagine what you can do with a programmable keyboard set to open programs and deliver keystrokes.
Well, in the lobby was a kiosk which was just a computer and monitor plugged into an ethernet port. The computer had no attached peripherals but there was a USB port. With the Bash Bunny plugged in, Jeremiah had control of a networked computer before even making it into the offices.
Later, Jeremiah saw some printers connected to the network. He was able to make his computer appear to be the same printer model by spoofing a MAC address to get past the NAC. Network access in a secure government contractor: check.
Breaking it down: Sepio sees devices based on their physical existence, not on how they present themselves. To Sepio, a Bash Bunny is a malicious USB attack tool, not a keyboard. A computer is a computer even though the MAC address shows a printer. Both of these could have been automatically blocked and/or used for alerts.
This site did have a NAC implemented but the NAC couldn’t see the computer for what it really was. Sepio can also be used to provide proof of identity and full asset visibility to the existing NAC to make it more effective.
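A NAC that admits devices on their MAC address alone is trusting a self-reported claim. The weakness in the episode above is that nothing compared that claim against what the host actually did once connected. The following added example, written for this post and not Sepio’s detection logic, shows the shape of such a cross-check: the OUI-to-device-type table, the service fingerprints and the observations are all constructed, and the decision labels (permit, quarantine, review) are placeholders for whatever the NAC supports.

```python
"""Cross-check what a host claims to be (its MAC address OUI) against how it
behaves on the wire. Added example of the identity check a NAC needs; the
OUI table, service fingerprints and observations are all constructed.
"""
from dataclasses import dataclass

# Constructed OUI (first three octets) -> device type registered in inventory.
# Real lookups use the IEEE OUI registry; these prefixes are placeholders.
OUI_DEVICE_TYPE = {
    "AA:BB:CC": "printer",
    "DD:EE:FF": "workstation",
}

# Which listening TCP ports are consistent with each device type. A printer
# offering SMB or RDP, or a workstation offering raw port 9100, is a mismatch.
EXPECTED_PORTS = {
    "printer": {515, 631, 9100},
    "workstation": {22, 135, 139, 445, 3389},
}

# DHCP option 60 prefixes that indicate a general-purpose OS (illustrative list).
OS_VENDOR_CLASS_PREFIXES = ("MSFT", "linux", "android")


@dataclass(frozen=True)
class Observation:
    mac: str
    switch_port: str
    open_ports: frozenset
    dhcp_vendor_class: str = ""   # DHCP option 60 as seen by the DHCP server


@dataclass(frozen=True)
class Finding:
    mac: str
    switch_port: str
    claimed: str
    observed: tuple         # device types the behaviour is consistent with
    decision: str           # "permit", "quarantine" or "review"
    reason: str


def oui(mac: str) -> str:
    return mac.upper()[:8]


def behaviour_types(obs: Observation) -> tuple:
    """Infer device types from the services the host actually exposes."""
    kinds = []
    for kind, ports in EXPECTED_PORTS.items():
        if obs.open_ports & ports:
            kinds.append(kind)
    if obs.dhcp_vendor_class.startswith(OS_VENDOR_CLASS_PREFIXES) and "workstation" not in kinds:
        kinds.append("workstation")
    return tuple(kinds)


def check(obs: Observation) -> Finding:
    claimed = OUI_DEVICE_TYPE.get(oui(obs.mac), "unknown")
    observed = behaviour_types(obs)
    if claimed == "unknown":
        decision, reason = "review", "OUI not registered in inventory"
    elif observed and claimed not in observed:
        decision, reason = "quarantine", f"OUI claims {claimed} but host behaves like {'/'.join(observed)}"
    elif claimed in observed and len(observed) > 1:
        extra = "/".join(k for k in observed if k != claimed)
        decision, reason = "review", f"{claimed} also exposing {extra} services"
    else:
        decision, reason = "permit", "behaviour consistent with claimed identity"
    return Finding(obs.mac, obs.switch_port, claimed, observed, decision, reason)


# Constructed observations, as a switch/DHCP/scan correlation would produce them.
SAMPLE_OBSERVATIONS = [
    Observation("aa:bb:cc:00:00:01", "Gi1/0/7", frozenset({631, 9100})),
    Observation("aa:bb:cc:00:00:02", "Gi1/0/8", frozenset({22, 445, 3389}), "MSFT 5.0"),
    Observation("dd:ee:ff:00:00:03", "Gi1/0/9", frozenset({445}), "MSFT 5.0"),
    Observation("00:11:22:00:00:04", "Gi1/0/10", frozenset({22})),
]


def run(observations=SAMPLE_OBSERVATIONS) -> list:
    """Check every observation and return the findings in order."""
    return [check(o) for o in observations]


if __name__ == "__main__":
    for f in run():
        print(f"{f.switch_port:9} {f.mac} claimed={f.claimed:11} -> {f.decision:10} {f.reason}")
```

The second observation is the episode’s scenario: the OUI says printer, but the host answers on SMB and RDP and identifies itself to DHCP as a Windows client, so it is quarantined rather than admitted on the printer’s allowance. The behavioural evidence here comes from the switch port and DHCP server, which an attacker on the client side cannot rewrite the way they can a MAC address.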