ShadowTrackr


Improved weekly pdf reports

19 October 2020
ShadowTrackr has been growing, and the weekly pdf reports hadn’t really been growing along. Some of the information available under reports in the web interface or with queries was missing in the weekly, and some other information that wasn’t really useful for a weekly was still in there. An increasingly large group of you were pulling the interesting data out with queries. So, time to fix that!

Starting this week everyone will receive version 1 of the new weekly report. It contains a clear overview of the things you should work on, like bad certificates, insecure ports open on servers, and blacklisted assets. These were available in the old version, but are more concise and easier to track over time now.

A lot of you are interested in a list of certificates that will expire in the next few weeks. This was available with a search query, but now you’ll find it in the weekly and under reports as well. The same goes for a list of remote login services (like Citrix, Pulse Secure and Check Point) that we have detected on your assets. You’ll want to have that list handy when the next exploit is published.

The list of software detected on your assets and information about vulnerabilities in that software was already available under reports. We strive for a concise report and it would be too much to list it all, but vulnerable internet-facing software is listed in the weekly now. Note that only those vulnerabilities that MITRE scores as HIGH or CRITICAL are mentioned in the weekly. For vulnerabilities scored lower you still need to go to the web interface and look those up under reports.

The last addition to the weekly is a list of your publicly exposed email addresses that are found in data breaches. You should make sure the passwords of these accounts have been reset since the last data breach and that the passwords are not re-used anywhere else. The complete list of your publicly exposed email addresses, including those that don’t appear in data breaches, is available under reports in the web interface.

haveibeenpwned integration

20 September 2020
Since ShadowTrackr now has a list of your exposed email addresses, we should do something useful with it.

Troy Hunt runs the awesome haveibeenpwned.com. It’s a big collection of data breaches, and you can check if your email appeared in one. There’s also an API, and that’s what ShadowTrackr now uses to check your exposed email addresses daily.

You can see the result under Reports->Email addresses. Of course, there’s more work to be done here, like sending out alerts when one of your email addresses appears in a new data breach.

Exposed email addresses report

06 September 2020
The new exposed email report is part of some interesting plans with email addresses. Step 1 has just gone live, and all your assets are continually scanned for email addresses. Not only email addresses on websites are tracked, but also those in the CAA fields of your certificates.

This results in a list of email addresses you have publicly exposed on the internet. You can find it under Reports->Email addresses, along with the domains they are listed on. These email addresses will very likely be targeted with SPAM, phishing or password spraying attacks. If you click on an email address in the report, you’ll get a list of the exact pages that we found it on. Handy, right?

The next step is of course setting up extra monitoring on those email addresses. You can do this internally in your SIEM or email security appliance, but of course we’ll try to help you here. That is what step 2 will be about. Stay tuned :-)
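
One way to do the internal monitoring mentioned above, as an added example that is not ShadowTrackr code: flag source IPs with failed logins against several distinct exposed addresses within a short window. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: addresses as they might be copied from the exposed-email report.
EXPOSED = {"info@example.com", "sales@example.com",
           "jane.doe@example.com", "hr@example.com"}

# Constructed auth log (assumed format: timestamp, source IP, account, result).
SAMPLE_LOG = """\
2020-09-07T08:00:01 203.0.113.7 info@example.com FAIL
2020-09-07T08:00:09 203.0.113.7 sales@example.com FAIL
2020-09-07T08:00:15 203.0.113.7 jane.doe@example.com FAIL
2020-09-07T08:00:22 203.0.113.7 hr@example.com FAIL
2020-09-07T08:01:00 198.51.100.4 jane.doe@example.com FAIL
2020-09-07T08:01:30 198.51.100.4 jane.doe@example.com FAIL
2020-09-07T08:02:10 198.51.100.4 jane.doe@example.com OK
2020-09-07T09:30:00 203.0.113.7 internal.only@example.com FAIL
"""

def parse(log_text):
    """Yield (timestamp, ip, account, result); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, ip, account, result = parts
            yield datetime.fromisoformat(ts), ip, account.lower(), result

def find_spraying(log_text, exposed, min_accounts=3, window=timedelta(minutes=10)):
    """Return {source_ip: sorted exposed accounts} for IPs that failed logins
    against at least min_accounts distinct exposed addresses within window."""
    failures = defaultdict(list)
    for ts, ip, account, result in parse(log_text):
        if result == "FAIL" and account in exposed:
            failures[ip].append((ts, account))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {a for _, a in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts | set(alerts.get(ip, [])))
    return alerts

if __name__ == "__main__":
    for ip, accounts in find_spraying(SAMPLE_LOG, EXPOSED).items():
        print(f"possible password spraying from {ip}: {', '.join(accounts)}")
```

A single user mistyping a password (198.51.100.4 in the sample) does not trigger, because the rule counts distinct exposed accounts per source, not total failures.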