Monday, June 20, 2016

Deep Diving xDedic Marketplace

First off, I would like to thank SecureList for posting the full, unredacted IP address information for the servers posted to Pastebin in their recent article. Upon seeing the file, I decided to have our analyst take a look to see which servers were affected and figure out who owns those servers (the companies affected).

Using our Intelligence Platform to process the 70,000+ entries and perform analytic modeling on the data, we came up with the following.

Ingest Time: 35 seconds
Total Records Ingested: 176,076
DNS Enrichment: 5 minutes 25 seconds

So now we have the data in our big data platform and we want to see exactly what the IPs resolve to. Our goal is to figure out which companies are affected by this and were breached without being aware of it, and to notify them.
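As an added illustration of the ingest-and-enrich step described above (this is not code from the original post or from the author's platform), the following Python deduplicates a raw list of IP entries, reverse-resolves each unique address and groups the hosts by owning domain so affected organisations can be queued for notification. The sample entries, hostnames and the offline resolver mapping are constructed placeholders; `live_resolver` uses the system resolver when run against real data.

```python
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample of the kind of entries such a dump contains: bare IPs,
# repeated across listings, with the occasional junk line. Placeholder IPs only.
SAMPLE_ENTRIES = [
    "198.51.100.10", "198.51.100.10", "198.51.100.11",
    "203.0.113.5", "192.0.2.77", "192.0.2.78", "not-an-ip",
]

# Constructed reverse-DNS answers standing in for a real resolver so the
# example runs offline. Every hostname here is hypothetical.
FAKE_PTR = {
    "198.51.100.10": "mail.example-hospital.org",
    "198.51.100.11": "vpn.example-hospital.org",
    "203.0.113.5": "rdp.example-retail.co.uk",
    "192.0.2.77": "ts01.example-law.com",
}

def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def live_resolver(ip: str) -> Optional[str]:
    """Reverse-DNS lookup through the system resolver; None when it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def registrable_domain(hostname: str) -> str:
    """Naive owner key: the last two labels, or three when the TLD is a
    two-letter country code preceded by a common second-level suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "ac", "gov", "org", "com", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def enrich(entries: Iterable[str], resolver: Callable[[str], Optional[str]] = live_resolver) -> Dict[str, List[str]]:
    """Dedupe raw entries, reverse-resolve each unique IP and group the IPs by
    owning domain. IPs with no PTR record are collected under 'unresolved'."""
    unique_ips = sorted({e.strip() for e in entries if is_ip(e.strip())})
    by_owner: Dict[str, List[str]] = defaultdict(list)
    for ip in unique_ips:
        host = resolver(ip)
        by_owner[registrable_domain(host) if host else "unresolved"].append(ip)
    return dict(by_owner)

def notification_queue(by_owner: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Owners ranked by number of exposed hosts, most exposed first."""
    counts = [(k, len(v)) for k, v in by_owner.items() if k != "unresolved"]
    return sorted(counts, key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for owner, n in notification_queue(enrich(SAMPLE_ENTRIES, resolver=fake_resolver)):
        print(f"{owner}: {n} host(s) listed")
```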

More information will be posted shortly...

Monday, June 6, 2016

UPDATED: A look at Guardzilla - They have eyes even when you don't!

Look familiar? Well, this device started showing up in all the big box retailers last year, so we decided to give one a try. Hooking the device up to an EVDO hotspot on Verizon was interesting at best. During our testing we discovered that the device streams continuously back to Guardzilla, all the time, even if you don't subscribe to their monitoring. So this "security" device has some serious "privacy" issues. The way most cameras work is that you access the camera and it streams the images directly to you, but Guardzilla is not set up that way. Once you set up the device it ALWAYS streams the video back to Guardzilla, even if you don't subscribe to that service.

This is troubling for a number of reasons, as now Guardzilla gets a sneak peek into your "secure" area without your consent.

The Guardzilla Privacy Policy:
Practecol takes reasonable efforts to ensure that your personal information is protected while you use the Services.

Oh, and there's this line:
Also, video, audio, and other information received or recorded by your Guardzilla device may be stored on our servers or the servers of third parties.

I wonder who these third parties are because they are not disclosed anywhere in the privacy policy or terms of use.

Wait, what?! So let me get this straight: the information is protected while you use the Services but not when you're not using the Services. So if I'm watching the video I'm protected by reasonable efforts to ensure that my information is protected, but when I stop using the Services it is no longer protected? This is quite confusing, honestly. So while you're in bed sleeping, your information is not protected because you're not actively using the Services?

Here's the problem. Even when you don't subscribe to the recording and playback features offered by Guardzilla, the devices still stream to Guardzilla, and we assume that the video is being stored; otherwise, why would you send it? What tipped us off was that the device uses nearly 1GB of bandwidth per day even when you're not viewing the camera. So basically you're allowing Guardzilla to see into your protected space and to hear everything that goes on in it, because these devices are constantly streaming even when you are not using them.

We thought you might like to know. I can tell you this: our Guardzilla test unit is about to be smashed in the parking lot, never to be seen or heard from again... Ever...

UPDATE: Guardzilla reached out to me via email and specifically stated that this is how the product works. I definitely would NOT recommend the purchase of these devices under any circumstances, since the terms of service basically say they can do what they want with your videos, and it will use 30GB of data per month, which is ridiculous. Best to purchase a camera that only sends the information to you, and only when requested.

Saturday, June 4, 2016

University of Berkeley In Trouble AGAIN

We started seeing reports from the University of Berkeley again this evening, specifically 169.229.3.91, which has been observed trying to run shellcode against a rash of servers over the last 2 weeks. The activity is very high today. Maybe the "Office of the President" at Berkeley can hire somebody to secure their network. Not that they have ever been breached or anything.

We have a history of reporting on activity at Berkeley. Search our archives for more information.