ShadowTrackr


Add your own private certificate authority

01 November 2020
Also, the GUI had a big update this week. But first the private CA thing. One client has numerous test systems facing the internet on which they use certificates issued by a private Certificate Authority. If you can add the CA manually to the browsers used for testing, that works fine of course. The thing is, since that CA is not known to monitoring services like ShadowTrackr, it will affect your grade. This client had quite the list of trust issues in their certificate report. Since this was intended behaviour, they asked for the option to ignore these.

If you have a similar issue, you can now add your own trusted certificate issuers under Settings->General. Any certificate from this issuer will be treated and scored as if the issuer was part of the trust list, and it will be graded without looking at the trust issue. The names of the certificate issuers you manually add to your ShadowTrackr trust list will appear in green everywhere (instead of blue), so they are easy to recognise later on.

The rest of this update was all about getting the user interface more consistent. The weekly pdf had some major improvements, and we made the same changes under the reports sections. This makes it much easier to find the problems from your report in the online version and look up more context.

Since the problems are now appearing under reports, the problem section in the menu has become redundant and is removed. The format of all online reports has also changed and all reports now use the same layout. This makes the UI much more consistent and easier to understand.

Weekly pdf report additions

25 October 2020
Last week you saw our brand new weekly report. We got a lot of positive reactions, and a few bugs. The bugs are fixed in this week’s version, and we’ve added two new report items to both the pdf and the web interface.

The first is “Cloud providers detected”. Some of you are interested to know in which clouds your assets live. Since our scanning nodes are already tracking those, it was easy to add an overview. You’ll see a list of cloud services, each followed by the domains that are hosted there.

The second new item is “Datadump & code repository detections”. ShadowTrackr monitors a list of datadump sites (like Pastebin) and code repositories (like GitHub) for the keywords you have given us. Since this week, we also automatically check if we see any of your domains referenced in these sources. Both keyword and domain hits will be listed.

Enjoy the new version!

Improved weekly pdf reports

19 October 2020
ShadowTrackr has been growing, and the weekly pdf reports hadn’t really been growing along. Some of the information available under reports in the web interface or with queries was missing in the weekly, and some other information that wasn’t really useful for a weekly was still in there. An increasingly large group of you were pulling the interesting data out with queries. So, time to fix that!

Starting this week everyone will receive version 1 of the new weekly report. It contains a clear overview of the things you should work on, like bad certificates, insecure ports open on servers, and blacklisted assets. These were available in the old version, but are more concise and easier to track over time now.

A lot of you are interested in a list of certificates that will expire in the next few weeks. This was available with a search query, but now you’ll find it in the weekly and under reports as well. The same goes for a list of remote login services (like Citrix, Pulse Secure and Check Point) that we have detected on your assets. You’ll want to have that list handy when the next exploit is published.

The list of software detected on your assets and information about vulnerabilities in that software was already available under reports. We strive for a concise report and it would be too much to list it all, but vulnerable internet facing software is listed in the weekly now. Note that only those vulnerabilities that MITRE scores as HIGH or CRITICAL are mentioned in the weekly. For vulnerabilities scored lower you still need to go to the web interface and look those up under reports.

The last addition to the weekly is a list of your publicly exposed email addresses that are found in data breaches. You should make sure the passwords of these accounts have been reset since the last data breach and that the passwords are not re-used anywhere else. The complete list of your publicly exposed email addresses, including those that don’t appear in data breaches, is available under reports in the web interface.