ShadowTrackr

Finegrained Microsoft cloud detection

15 April 2019
One client rightfully complained that his timeline got all clogged up with not so useful banner changes. I was fixing this by moving the details to the details section (duh) of the notifications. This way they only become visible after you explicitly click something. While working on this I noticed that the most chatty servers in terms of banner changes were Microsoft Exchange Online servers. This should not happen: cloud services like these are supposed to be recognized and handled differently.

What was happening? I immediately updated the Microsoft IP ranges, which up until now was done manually. But this only fixed part of the problem. There were still servers that were clearly part of the Microsoft cloud that were not recognized. Microsoft publishes the IP ranges for the services they offer (Office 365, Exchange, SharePoint, Skype, etc.) in these big 5 clouds:

  • Worldwide Public and Government Community Cloud (GCC)
  • U.S. Government GCC High
  • U.S. Government DoD
  • Germany
  • China (Vianet)

I thought that "Worldwide Public and GCC" had to be located in one place, and since most of the IPs in this range were in the U.S., it probably all was in the U.S. Consequently, all these IPs were labeled "US public" in ShadowTrackr.

I did also know from some Dutch government clients that their servers are located in the Netherlands in the datacentre MS calls "Europe West" (yes, it's a shame they don't call it "Netherlands Central"). After a bit of searching it turned out that there are many more of these regional datacentres. Microsoft even publishes a nice map that shows them all: https://azure.microsoft.com/en-us/global-infrastructure/regions/

And there is a weekly updated XML file available on a different part of the Microsoft site. This XML file has IP ranges that only partly overlap with the big 5, which explains why ShadowTrackr did not recognize some servers as being in the Microsoft cloud. Problem solved!
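To make the two-source problem concrete, here is an added example (my own illustration, not ShadowTrackr's code) of classifying an IP against both a per-cloud service list and a regional range list with longest-prefix matching, and of listing the regional ranges that the service lists alone would never match. All ranges below are constructed from RFC 5737 / RFC 3849 documentation space and the labels mirror the post; none of them are Microsoft's real published ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ranges in documentation address space. They are NOT
# Microsoft's real published ranges; they only mimic the shape of the two
# sources: the per-cloud service lists and the regional (Azure) XML file.
SERVICE_RANGES = {
    "Worldwide Public and GCC": ["192.0.2.0/24", "2001:db8:1::/48"],
    "U.S. Government GCC High": ["198.51.100.0/25"],
    "Germany": ["198.51.100.128/25"],
}
REGION_RANGES = {
    "Europe West": ["192.0.2.128/26", "203.0.113.0/24"],
    "US East": ["192.0.2.0/25"],
}


def build_table(table):
    """Flatten {label: [cidr, ...]} into (network, label) pairs, most specific first."""
    nets = [(ipaddress.ip_network(cidr), label)
            for label, cidrs in table.items() for cidr in cidrs]
    nets.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return nets


SERVICE_NETS = build_table(SERVICE_RANGES)
REGION_NETS = build_table(REGION_RANGES)


def lookup(nets, ip):
    """Longest-prefix match; the version check avoids comparing v4 with v6."""
    for net, label in nets:
        if ip.version == net.version and ip in net:
            return label
    return None


@dataclass(frozen=True)
class CloudLabel:
    service_cloud: Optional[str]
    region: Optional[str]

    @property
    def is_microsoft(self) -> bool:
        # Either source is enough: a hit in the regional file alone still
        # means the server belongs to the Microsoft cloud.
        return self.service_cloud is not None or self.region is not None

    def describe(self) -> str:
        if not self.is_microsoft:
            return "not Microsoft cloud"
        return "Microsoft cloud, {} ({})".format(
            self.region or "region unknown",
            self.service_cloud or "not in a service cloud list")


def classify(ip_str: str) -> CloudLabel:
    ip = ipaddress.ip_address(ip_str)
    return CloudLabel(lookup(SERVICE_NETS, ip), lookup(REGION_NETS, ip))


def region_ranges_outside_service_lists():
    """Regional ranges not contained in any service-cloud range: exactly the
    servers a lookup against the service lists alone would fail to recognise."""
    return [(str(net), region) for net, region in REGION_NETS
            if not any(net.version == svc.version and net.subnet_of(svc)
                       for svc, _ in SERVICE_NETS)]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.150", "203.0.113.5", "2001:db8:1::5", "8.8.8.8"):
        print(addr, "->", classify(addr).describe())
    print("regional ranges missed by the service lists:",
          region_ranges_outside_service_lists())
```

The `region_ranges_outside_service_lists` check is the one worth running whenever either feed is refreshed: if it is non-empty, a classifier fed only by the service lists will mislabel those servers, which is the partial-overlap situation the post describes.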

So, if you have servers at Microsoft you might see them change the cloud description on your timeline. The old cloud clusters will still be available for about a week on your attack surface map in parallel to the new (actual) ones.

Oh, and cloud IP ranges are now automatically updated daily :-)

Better weekly pdf reports

01 April 2019
The weekly pdf reports have been available for a while. You could even already subscribe and get them by email. This option wasn't really promoted because, to be honest, the reports were quite boring. The good news is, that has been fixed!

The first page of the new weekly report now has fancy colored donut charts that will give you an instant overview of how many assets you have and how big your problems are. There is also a graph showing how your events are distributed over the week. Critical alerts now have a colored icon showing how critical they are, just like on your timeline. And IP addresses and URLs for blacklisted items, new assets and most active assets are now clickable. The links will take you straight to the source of the information in the web version of ShadowTrackr.

Although this is a big improvement, it's not yet done. The last part of the report is still much like it was before, and traps and keywords are not properly reported. This is still a work in progress, I'll keep you updated.

Website security grade

25 March 2019
After last week's blunder things could only get better. And they do this week. So far the website security checks that ShadowTrackr did were not mature enough. I always wanted some sort of easy to grasp grade like SSLLabs has for certificates. After looking around for a while I settled on the Mozilla Observatory grading system.

It has a similar grading scheme to SSLLabs and does proper security checks. Some other rating systems, like internet.nl, are less focused on security. Don't get me wrong, I fully support the internet.nl checks, but I just don't think that if your hosting provider's nameserver is not reachable over IPv6 this should cost you security points. I'd rather have a good CSP to protect against XSS attacks.

The scoring on the CSP part is, for now, quite brutal to be honest. A CSP that allows unsafe-inline will cost you about 20 points, which caps your grade at a B+. This means ShadowTrackr will show it as a warning (orange). A lot of orange and red will show up. Interpret these as your opportunities to really improve website security :-)
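As an added illustration of how a CSP check of this kind turns a header into a grade (my own simplified scheme, not the Mozilla Observatory's or ShadowTrackr's implementation), the snippet below parses a Content-Security-Policy value, works out which sources govern scripts, and applies a penalty table. The penalty amounts and grade cut-offs are assumptions for this example; the 20-point cost of unsafe-inline that caps the grade at B+ is the figure from the post. One real CSP rule is built in: when a nonce or hash source is present, browsers that support CSP level 2 ignore 'unsafe-inline', so the keyword is then only a fallback and is not penalised.

```python
from typing import Dict, List, Optional, Tuple

# Assumed penalty table and grade cut-offs for this example only.
PENALTIES = {
    "no-csp": 25,
    "unsafe-inline": 20,
    "unsafe-eval": 10,
    "wildcard-script": 10,
}
GRADE_CUTOFFS = [(100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"),
                 (65, "B-"), (60, "C+"), (50, "C"), (40, "D"), (0, "F")]


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}.
    Surrounding quotes are stripped so 'self' and 'nonce-xyz' compare cleanly."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'") for t in tokens[1:]]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs inline and external scripts; it falls back to
    default-src, and with neither present scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def grade_for(score: int) -> str:
    for cutoff, grade in GRADE_CUTOFFS:
        if score >= cutoff:
            return grade
    return "F"


def evaluate_csp(header: str) -> Tuple[int, str, List[str]]:
    """Return (score, grade, findings) for one CSP header value."""
    findings: List[str] = []
    if not header.strip():
        findings.append("no-csp")
    else:
        srcs = script_sources(parse_csp(header))
        if srcs is None:
            findings.append("wildcard-script")
        else:
            lowered = [s.lower() for s in srcs]
            # CSP level 2: a nonce or hash makes browsers ignore 'unsafe-inline',
            # so it only remains as a fallback for old browsers.
            has_nonce_or_hash = any(
                s.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))
                for s in lowered)
            if "unsafe-inline" in lowered and not has_nonce_or_hash:
                findings.append("unsafe-inline")
            if "unsafe-eval" in lowered:
                findings.append("unsafe-eval")
            # '*' or a bare scheme lets scripts load from any origin.
            if any(s in ("*", "http:", "https:") for s in lowered):
                findings.append("wildcard-script")
    score = max(0, 100 - sum(PENALTIES[f] for f in findings))
    return score, grade_for(score), findings


if __name__ == "__main__":
    # Constructed sample headers, from weak to strong.
    for csp in ("", "default-src *",
                "default-src 'self'; script-src 'self' 'unsafe-inline'",
                "script-src 'nonce-R4nd0m' 'unsafe-inline'",
                "default-src 'self'"):
        print(repr(csp), "->", evaluate_csp(csp))
```

The ordering of the sample headers shows the fix path the post hints at: moving inline scripts behind a nonce or hash removes the unsafe-inline penalty without first having to rewrite every page, because the keyword stays in the header but no longer counts.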

The grades are added to the website report. If you click the website link from the report, you can see on the website page what tests were done and how your grade is calculated.
