Red dots on the attack surface map

The attack surface map gives you a good overview of your assets and how they're are related. You can quickly see where most of your servers and websites are, and easily spot the outliers.Wouldn't it be great if it also showed where your problems are? Starting today, it does!

Any ip or url that is on a blacklist somewhere will turn red. Websites with troublesome certificates will be orange, and bad certificates will be red too. Of cource, there's a similar rating for servers. If a server has a troublesome port open it will be orange. The really bad ones (think pownable or DDOS amplifiers) will be red.

I'm quite happy with the result. You'll have an instant view of where most of your problems are and where you need to start improving your security. The thing that does need some work is the layout for really big (3000+ assets) organisations. It still works, but it's just not as beautiful. The attack surface map is built with D3 and it allows for very specific tweaking of the various forces in the force-layout graph that I use, so it should be solvable. I've put it on my todo list and will come back on this later. For now, have fun with the new fancy attack surface map.

Suggestions for new assets

The new algorithms for finding your websites and servers work great. Shadowtrackr is finding and monitoring more than ever. A bit too much actually.

Some clients use shared services, and without any restrictions the other websites and servers on the shared infrastructure were automatically added to assets and used for expanding in turn. Without a proper stop condition, this could end up adding most of the internet. One client using a shared Baidu server ended up with 42 unrelated Baidu machines within a couple of hours. Yes, 42.

I've thought long and hard about a proper stop condition, but there isn't any that I can come up with. If machines are not on a dedicated ip (range) for you but on shared servers, there is no way of reliably determining if all urls pointing to it are really yours. You might be able to relate some of them with Whois information or by analysing links on websites, but this does not solve all cases. Whois data is not always available and larger companies tend to have several different whois contacts anyway.

The most user friendly solution I could come up with is offering suggestions. When a new server or domain is found that somehow relates to one of your assets but is not obviously yours, ShadowTrackr will "suggest" it to you and tell you what existing asset it is related to. You then have the option to reject or accept it. Check out the suggestions page in the menu to see yours.

I'm still thinking of ways to minimising the user interaction needed, like tracking known shared hosting and automatically rejecting suggested assets on it. For large organisations the initial amount of rejections needed can build up to dozens or even more than a hundred suggestions. After the initial load that number stays acceptably low though.

Two factor authentication available

All information in ShadowTrackr is found on or derived from things found on the public internet. No special internal access, firewall rules or agents on endpoints are needed. Still, the convenient overview of your attack surface and all your weak spots in one place can be quite sensitive as a whole.

Also, you can have ShadowTrackr scan for sensitive keywords on the internet. Think of specific non-public emails addresses for VIPs, or literal texts from documents that you think might end up published on Pastebin and the like. These will be visible in Shadowtrackr after login.

The above prompted some clients to ask for two factor authentication. The good news is that it has been silently added a few weeks ago and is working properly. Time-based One-time Password (TOTP, see RFC6238) are the thing now, and I choose for the ubiquitous and easy to use Google Authenticator app.

To enable it, go to the Account tab in Settings and set Authentication to “2fa with Google Authenticator”. You’ll be presented a QR code that you have to scan in the Google Authenticator app on your smartphone. If you don’t have the app you should install it first from the Google Play or Apple App Store. Note that all other users you have will be forced to enable Google Authenticator too on their next login.

If you ever have to reinstall Google Authenticator one day (new phone? different brand?) you will have a bad day. Unless of course you have saved the initial QR code in a safe place and just rescan it in the app. I recommend printing it on unhackable paper and putting it in your safe.