Suggestions for new assets
15 June 2018
The new algorithms for finding your websites and servers work great. ShadowTrackr is finding and monitoring more than ever. A bit too much actually.
Some clients use shared services, and without any restrictions the other websites and servers on the shared infrastructure were automatically added to assets and were in turn used to expand further. Without a proper stop condition, this could end up adding most of the internet. One client using a shared Baidu server ended up with 42 unrelated Baidu machines within a couple of hours. Yes, 42.
I've thought long and hard about a proper stop condition, but there isn't any that I can come up with. If machines are not on a dedicated IP (range) for you but on shared servers, there is no way of reliably determining if all URLs pointing to it are really yours. You might be able to relate some of them with Whois information or by analysing links on websites, but this does not solve all cases. Whois data is not always available and larger companies tend to have several different Whois contacts anyway.
The most user friendly solution I could come up with is offering suggestions. When a new server or domain is found that somehow relates to one of your assets but is not obviously yours, ShadowTrackr will "suggest" it to you and tell you what existing asset it is related to. You then have the option to reject or accept it. Check out the suggestions page in the menu to see yours.
I'm still thinking of ways to minimise the user interaction needed, like tracking known shared hosting and automatically rejecting suggested assets on it. For large organisations the initial amount of rejections needed can build up to dozens or even more than a hundred suggestions. After the initial load that number stays acceptably low though.
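To make the runaway-expansion problem and the suggestion-based stop condition concrete, here is an added example. It is not ShadowTrackr's code: the resolution data, the 203.0.113.0/24 addresses, the "dedicated range" and the shared-hosting threshold are all constructed or assumed for illustration. Discovery walks host → IP → other hosts on that IP; without a stop condition every co-hosted name becomes an asset and is expanded in turn, while with the stop condition names found on a shared IP are only suggested (tagged with the asset they relate to) and never expanded. The optional list of known shared hosters implements the automatic-rejection idea from the last paragraph.

```python
import ipaddress
from collections import deque

# Constructed sample data, not ShadowTrackr's: what forward DNS and a
# reverse/passive-DNS lookup would report. 203.0.113.0/24 is documentation
# address space used as a placeholder.
RESOLVES_TO = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.10",
    "blog.example.com": "203.0.113.50",        # client blog on a shared host
    "shop.example-other.net": "203.0.113.50",  # unrelated tenants on that host
    "tenant-one.invalid": "203.0.113.50",
    "tenant-two.invalid": "203.0.113.50",
}
HOSTED_ON = {}
for _host, _ip in RESOLVES_TO.items():
    HOSTED_ON.setdefault(_ip, set()).add(_host)

# Assumed client-owned range (hypothetical): hosts found here are auto-accepted.
DEDICATED_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# An IP carrying more distinct hostnames than this is treated as shared hosting.
SHARED_THRESHOLD = 3


def is_dedicated(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEDICATED_NETS)


def expand(seeds, stop_on_shared=True, known_shared=frozenset()):
    """Breadth-first asset discovery: host -> IP -> other hosts on that IP.

    Returns (assets, suggestions). With stop_on_shared=False every host found
    is accepted and expanded in turn, the runaway behaviour described above.
    With the stop condition, hosts found on a non-dedicated IP that carries
    many hostnames are only suggested, and suggestions are not expanded.
    known_shared lists IPs of known shared hosters whose co-tenants are
    dropped silently instead of being suggested.
    """
    assets = set(seeds)
    suggestions = {}          # candidate host -> the asset it is related to
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        ip = RESOLVES_TO.get(host)
        if ip is None:
            continue
        co_hosted = HOSTED_ON.get(ip, set()) - assets
        shared = (not is_dedicated(ip)) and len(HOSTED_ON.get(ip, ())) > SHARED_THRESHOLD
        for other in sorted(co_hosted):
            if ip in known_shared:
                continue                          # known shared hoster: auto-reject
            if stop_on_shared and shared:
                suggestions.setdefault(other, host)   # ask the user instead
            else:
                assets.add(other)                 # accept and keep expanding
                queue.append(other)
    return assets, suggestions


if __name__ == "__main__":
    seeds = ["www.example.com", "blog.example.com"]
    print("no stop condition:", expand(seeds, stop_on_shared=False))
    print("with suggestions:", expand(seeds))
    print("known shared hoster:", expand(seeds, known_shared={"203.0.113.50"}))
```

The threshold is the weak point, exactly as the post says: a small shared host with three tenants looks dedicated to this heuristic, so the user-facing accept/reject step is what actually bounds the asset set.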
Two factor authentication available
04 May 2018
All information in ShadowTrackr is found on or derived from things found on the public internet. No special internal access, firewall rules or agents on endpoints are needed. Still, the convenient overview of your attack surface and all your weak spots in one place can be quite sensitive as a whole.
Also, you can have ShadowTrackr scan for sensitive keywords on the internet. Think of specific non-public email addresses for VIPs, or literal texts from documents that you think might end up published on Pastebin and the like. These will be visible in ShadowTrackr after login.
The above prompted some clients to ask for two factor authentication. The good news is that it was silently added a few weeks ago and is working properly. Time-based One-time Passwords (TOTP, see RFC 6238) are the thing now, and I chose the ubiquitous and easy to use Google Authenticator app.
To enable it, go to the Account tab in Settings and set Authentication to “2fa with Google Authenticator”. You’ll be presented with a QR code that you have to scan in the Google Authenticator app on your smartphone. If you don’t have the app you should install it first from the Google Play or Apple App Store. Note that all other users you have will be forced to enable Google Authenticator too on their next login.
If you ever have to reinstall Google Authenticator one day (new phone? different brand?) you will have a bad day. Unless of course you have saved the initial QR code in a safe place and just rescan it in the app. I recommend printing it on unhackable paper and putting it in your safe.
Create custom push notifications
18 March 2018
Though I love ShadowTrackr push notifications on my phone for keyword hits on Pastebin or security problems on important servers, I was not happy with late night push messages for not so relevant trouble on not so relevant machines. The obvious solution was more granular control over push messages and email alerts, and I just released it to production.
You can set general event traps for bad ports opening, certificates that expire, or website security headers that are removed. If you are a small business with a few hosts, the best option is likely to set them on “all” your hosts and websites. This is also the default setting for new accounts.
When you have hundreds or thousands of hosts, the messages can get annoying and you are likely better off sending the security events to your SIEM (you do have one, don’t you?). In this case, event traps are very handy for follow-up or incident response.
Say one day you learn that one of your servers is under attack, or even already pwnd. I’d want to know anything that changes on that specific host the moment it happens. I’ve had some occasions where I really could have used this but had no way to quickly set it up. Now I just set an event trap on that host or website that fires for any change that is detected and have a push message sent to my iPhone. Immediate alerts, finally. I can now switch to instant panic mode wherever I am.
Hopefully your boxes are never pwnd and you just use it for follow-up. Every now and then you’ll find things that shouldn’t be: an admin opens Elasticsearch on an internet facing box, an SSL certificate got a lower grade, etc. You notify the person responsible and are then doomed to regularly check if they fixed it. With the new event traps, you can just set an event on port 9200 closing on that specific IP and receive a push message or alert when it happens. No more boring periodic checks.
If you have any specific events that you’d like to have in ShadowTrackr, please let me know and I’ll see what I can do.
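The three ways of using event traps described above (everything to the SIEM, "any change" on one incident host, and a single port-closing event for follow-up) can be modelled as a small rule matcher. This is an added example, not ShadowTrackr's implementation: the trap fields, event kinds, channels and the 203.0.113.x addresses are constructed for illustration. The point it makes is scoping: the broad trap feeds the SIEM, while the phone only receives alerts for the asset and event you actually care about.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Trap:
    """An event trap (constructed model): which asset it watches, which event
    kinds fire it, and where the alert goes. event_kinds=None means any change."""
    name: str
    asset: str                                # "all", a hostname or an IP
    event_kinds: Optional[frozenset] = None
    port: Optional[int] = None                # only for port_opened/port_closed
    channel: str = "push"                     # "push", "email" or "siem"


def matches(trap, event):
    """True when the event falls inside the trap's asset, kind and port scope."""
    if trap.asset != "all" and trap.asset != event["asset"]:
        return False
    if trap.event_kinds is not None and event["kind"] not in trap.event_kinds:
        return False
    if trap.port is not None and event.get("port") != trap.port:
        return False
    return True


def route(events, traps):
    """Return (trap name, channel, event) for every event/trap pair that fires."""
    return [(t.name, t.channel, e) for e in events for t in traps if matches(t, e)]


# Constructed change events as a monitoring run might emit them.
EVENTS = [
    {"asset": "203.0.113.10", "kind": "port_opened", "port": 9200},   # Elasticsearch exposed
    {"asset": "203.0.113.10", "kind": "port_closed", "port": 9200},   # ...and fixed later
    {"asset": "203.0.113.77", "kind": "header_removed", "header": "Strict-Transport-Security"},
    {"asset": "203.0.113.20", "kind": "cert_expiring", "days_left": 7},
    {"asset": "203.0.113.77", "kind": "port_opened", "port": 22},
]

TRAPS = [
    # Large estate: every event goes to the SIEM, nothing to the phone.
    Trap("siem-everything", "all", None, channel="siem"),
    # Small business default: bad ports opening anywhere, by email.
    Trap("all-bad-ports", "all", frozenset({"port_opened"}), channel="email"),
    # Incident response: any change on the host under attack, pushed immediately.
    Trap("incident-host", "203.0.113.77", None, channel="push"),
    # Follow-up: tell me when 9200 closes on that one box, then stop checking.
    Trap("es-closed-followup", "203.0.113.10", frozenset({"port_closed"}), port=9200),
]

if __name__ == "__main__":
    for name, channel, event in route(EVENTS, TRAPS):
        print(f"{channel:5} <- {name}: {event}")
```

A follow-up trap like es-closed-followup is naturally one-shot: once it fires, the item it tracked is resolved, so a real implementation would retire it rather than keep it armed.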