Showing posts from 2020

Launching the GRIMM Red Team

Since GRIMM’s inception, our dedicated teams have helped build confidence in clients’ underlying security posture -- largely through demonstrating the business impact of vulnerable systems during client engagements. GRIMM teams have covered functional areas in Application Security, Cyber-Physical (aka CyPhy), Tailored Software, Training, and CISO-level consulting. Many of GRIMM’s client engagements include an element of campaign-style adversarial security assessments to fully demonstrate the security risks inherent in underlying networks and systems -- that is, a Red Teaming engagement embedded within a broader security assessment. 
Up to this year, GRIMM has been able to manage Red Team engagements as a part of other offerings -- that is now changing. Client demand has increased enough for GRIMM to now offer a dedicated Red Team platform, service, and leadership. This overall service enhancement builds upon a model that has worked so well for GRIMM -- support and grow proven capabilit…

DJI Privacy Analysis Validation

Given the recent controversy with DJI drones, a defense and public safety technology vendor sought to investigate the privacy implications of DJI drones within the Android DJI GO 4 application. To conduct their analysis, the vendor partnered with Synacktiv, who performed an in-depth dynamic and static analysis of the application. Their analysis discovered four main causes of concern within the DJI GO 4 application, most notably:
The application contains a self-update feature that bypasses the Google Play store.
The application contains the ability to download and install arbitrary applications (with user approval) via the Weibo SDK. During this process, the Weibo SDK also collects the user's private information and transmits it to Weibo.
Prior to version 4.3.36, the application contained the Mob SDK, which collects the user’s private information and transmits it to MobTech, a Chinese analytics company.
The application r…

IBM i Security Demystified Blog, Episode 1

I. Introduction
“Nobody Can Hack an AS/400.” “Never in my 40 years in the business has anyone hacked an AS/400!” “AS/400’s don’t have hacking problems like Windows computers.” “AS/400’s are bullet-proof. They don’t have zero-days like other computers.”

If you know anyone who works with an IBM i (formerly known as "AS/400", also branded as "eServer iSeries"), you may have heard some of these statements, typically spoken with the emphasis of someone who wants it to be true; someone willing to speak loudly enough to overcome their sense of dread: that they may be wrong.
… and you may be surprised at just who is using IBM i in 2020.
We (Security Researchers Matthew Carpenter and Roni Michaels) decided to dig into these beasts of old to answer a few questions:
Is the IBM i "old" and inherently vulnerable? Or is it a hardened ecosystem whose design and age shield it from hackers?
Are its notable uptime percentages an indicator of a safe environment?
If …

While teleworking work/life balance are in conflict - a personal story

The coronavirus pandemic has fundamentally changed the way many people and organizations operate. While many countries have started progress towards opening up and returning to normal, companies are faced with the decision of whether or not having a remote workforce makes sense for them. Working remotely might be a normal thing for some, but with the advent of the COVID-19 pandemic, a new, massive portion of the global workforce is being thrown into it without any training or past experience.

As a security professional, when thinking about working remotely I focused on the 3 main points: People, Process and Technology. Notice that people come first and technology is just an enabler to the business. A technology-first approach often leads to unhappy people, who break processes to be productive, or at least to work in the manner that's most desirable to them.

Major observations from the past couple of months... Many organiza…