A Virtual Disappearing Act

What you need to know

Vulnerability Background and Overview

On Wednesday December 11, 2018 Microsoft released a security advisory for CVE-2018-8626 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626) in parallel with a ‘Critical’ security update to address the issue. The Microsoft advisory contains very little information regarding the specific nature of the vulnerability, only that:

  • It affects systems running the Microsoft Domain Name Server (DNS) Service.
  • The exploit code has not been publicly disclosed.
  • It is not known to be exploited in the wild yet.
  • There are no current workarounds available, other than applying the patch.
  • It can be remotely exploited by an unauthenticated attacker via a malicious DNS request.
  • There is a patch for Windows 10, Windows Server 2012 R2, Server 2016, and Server 2019.

The only technical information available on the nature of the issue and exploit, at present, is that it’s a heap-based buffer overflow. Since the Microsoft DNS Service runs as ‘Local System’, a successful exploit yields code execution at the highest privilege level on the impacted system. Furthermore, in most organizations the DNS service runs on Domain Controllers, which increases the risk to a vulnerable organization: Domain Controllers provide critical authentication functions via Microsoft Active Directory.

What should you do?

BTB recommends organizations immediately patch vulnerable hosts—internally and externally.

What should you do… RIGHT NOW?

Drink some coffee and patch all vulnerable hosts.

Other considerations

  • While Domain Controllers are typically located on an “internal” (i.e., not Internet facing) network, an attacker may leverage other means to effectively exploit this vulnerability (i.e., phishing with remote access payloads).
  • Microsoft Windows DNS servers may be Internet-facing, greatly increasing the risk profile and likelihood of exploitation.
  • Patch management processes sometimes delay patching production Domain Controllers by prioritizing other hosts first (such as development systems, workstations, or less critical servers); consider adjusting the testing and patching process for this emergency patch cycle.

What is BTB Security doing?

BTB Security’s RIOT Labs is currently researching Indicators of Compromise (IOCs) and, when available, will be integrating them into RADAR to protect our clients. For current BTB Security customers, we can scan external hosts for this vulnerability at no cost. Please contact us by email to request the scan.


True Cost of a Security Operations Center (SOC)

Knowing the true cost of your SOC—including capital, payroll, recurring expenses, and care—prevents wasteful spending and keeps your operation lean. Our dedicated information security experts can show you how careful planning and wise use of resources can keep your data secure and your bottom line healthy—two things previously thought to be mutually exclusive.

Now, make an even greater impact with Rapid Advanced Detection and Response (RADAR)—our managed information security service that combines monitoring and detection technology with skilled expertise to accelerate incident response, reduce blind spots, and minimize false positives.

The Internet has become the world’s largest information exchange. Given a phone number, email address, license plate, LinkedIn Profile, Instagram username, or just about any other single piece of identifying information, and odds are an attacker can find the other pieces.

Scary right?

The sad part is, we’ve all knowingly (and in some cases unknowingly) helped contribute to this data depot in one way or another over the years, and it’s only in hindsight that we realize we may not have made the best decisions. So now that the data is out there, what can we do about it? Well, it depends on your intentions. Do you want to completely disappear, or just minimize that digital footprint? In this blog post, BTB’s Senior Security Consultant Matt Barnett provides some guidance on staging your own disappearing act. First a disclaimer: much of the content in this blog post is drawn from the amazingly comprehensive work compiled by Michael Bazzell and Justin Carroll in The Complete Privacy and Security Desk Reference (https://www.amazon.com/Complete-Privacy-Security-Desk-Reference/dp/152277890X/). It’s a must-read for anyone taking their disappearing act seriously, since this post cannot effectively cover all facets of the topic.

Finding Yourself

No, I’m not talking about the higher path to self-enlightenment here. Before we can begin to know where to start our scrubbing process, we need to get an idea of what’s out there. Let’s start with some basic reconnaissance. The links provided in this section will help you determine what information is publicly accessible about you.

  • Google : https://google.com : The starting point for any search. Type your name in and see what happens. Don’t forget to check the Images and Videos result tabs as well. Take note of any sites that may have references to you (e.g., whitepages.com, spokeo.com, etc.). If you want a more private search, use https://startpage.com (explained in the tools section below).
  • WhitePages : https://whitepages.com : See what information is out there about you from the traditional WhitePages that has been migrated to an online search. Don’t forget to search by phone number too. Don’t be afraid to unsubscribe yourself if you don’t want your information available in these search results (https://www.whitepages.com/suppression_requests).
  • Spokeo : https://spokeo.com : Locate information about yourself as well as any social media profiles bound to your email address. This service is not free but it is highly regarded as effective.
  • Pastebin : https://inteltechniques.com/osint/menu.pastebins.html : Pastebin is a commonly used (anonymous) dumping ground for data breaches. Use this custom search to see if your email address, name, phone number, etc. appear in any data breaches that have been posted to 57 Pastebin-style sites.
  • HaveIBeenPwned : https://haveibeenpwned.com/: “Pwn” is a slang term for “owning” someone, in other words, compromising them. You can check to see what data breaches your email address has been associated with on this list.
  • Ancestry : https://ancestry.com : Are your relatives putting personal information about you on the web without you knowing? My grandmother loves this site and adds information as a hobby… or used to before we had a little chat.
  • Instagram Image Search : https://inteltechniques.com/OSINT/instagram.html : Use this page to get additional information (e.g., historical views, related/tagged posts, etc.) about yourself on Instagram via their API. Instead of going through the browser or app, this site talks to Instagram through code, which may provide additional information.
  • There are tons of alternate search engines that may provide additional information; these are just a few of the basics to get you started. Additional databases include 411, PeekYou, ZoomInfo, Radaris, and Intelius. More information on these reconnaissance sites can be found at https://inteltechniques.com/menu.links.html

Basic Tidying

For those not looking to perform a complete vanishing act (assuming it were even possible), this section will help provide some useful links to improve the security of your online presence. We need to be mindful of what information we share with our digital friends and family as well as what information we make public to anyone that may be curious.

  • Facebook : Privacy Checkup : From the help menu (“?” icon in the top left corner), select “Privacy Checkup” and review your sharing settings. Make sure you limit visibility of posts, apps, and your personal info.
  • Twitter : https://twitter.com/settings/safety : Review the “Privacy and Safety” tab on the left-hand side menu. Review all settings in here and select options that match your comfort level.
  • Instagram : https://www.instagram.com/emails/settings/?hl=en : Remove unnecessary subscriptions. In the event these lists are shared/sold, it will reduce the number of places your email address is sent.
  • 411 : https://411.info/manage : Manage the results displayed when people search for you by name and location or phone number.
  • PeopleSmart : https://www.peoplesmart.com/optout-go : Another search database to opt out of.
  • DoNotCall Registry : https://donotcall.gov/register/reg.aspx : Government maintained list of DoNotCall numbers. Now allows for mobile numbers as well.
  • NoMoRobo : https://nomorobo.com : This app will help stop spam callers on your mobile phone. It’s only available for iPhone (Android coming soon) and costs $1.99/mo. It’s a free service if you are protecting a landline.

Complete Disappearing Acts

So you’ve decided to go rogue. Completely off the grid. Respectable choice. This section will provide a few helpful tips and tools to aid in eliminating your digital footprint.

Staying Invisible

I’ll offer a few pro tips in this section that you should consider during your visits to the Internet. These tips draw from the experience of professional hackers who use these techniques to remain stealthy during client engagements. There are also a few staple tools-of-the-trade that I’ll touch on. The tools will help protect you and preserve your anonymity online.

To Like or Not to Like:

The first tip is to avoid using the “Like” button on your favorite social media site(s). I know this is going to be a hard one. Allow me to explain. Even if your profile is private, the user posting the content you “Like” may not be. Searching through the posts and images you “Like” is one way to build a profile of your hobbies, interests, political views/affiliations, etc. Some court cases have even allowed these “Like”s to be introduced into evidence or used to bias jurors in civil cases. Think before you click!

Tag You’re It

Allowing others to tag you in photos has similar risks as the previous tip. Imagine how your boss would feel if he saw you doing that keg-stand with your old college buddies on Friday night when you called out sick earlier that morning.

Speaking of Photos

Have you ever seen this site (http://exif.regex.info/exif.cgi)? Upload a photo from that iPhone of yours and see what happens (or Android if you’re on the dark side). Photos contain metadata, or data about the picture, known as EXIF data. This data is embedded by default by cameras and smartphones. It contains date/time information, source device, GPS position, and more, and it can be harvested from any site you upload the photo to. Note: many social media sites (e.g., Facebook) strip this data before the picture is posted (Flickr does not), but that doesn’t guarantee they aren’t capturing (and storing/selling) the EXIF data in the process. Better check those terms of service again. I’ve posted a link for a tool that will strip this data for you below.

Nothing Lasts Forever, Except on the Internet

My final tip is to always be mindful that what you put online will live there forever. There are companies that make it their work to archive the Internet (https://archive.org/web/). Once the content is up there and cached by an archiving site, it will be available in perpetuity. The more we move to a digital society, the more important controlling our digital footprint becomes. Think job interviews and future in-laws.

Tools of the Trade

The following tools will help you avoid the tracking techniques used by companies and keep your data private/anonymous.

VPN Software : https://www.privateinternetaccess.com/ : VPNs (Virtual Private Networks) create a tunnel from your computer to the VPN provider and encrypt all of your traffic along the way. Your ISP (e.g., Comcast, Verizon) will only “see” you communicating with the VPN company, while the sites you visit will only see the IP address of the VPN company, thus making you disappear like Batman after he says something really cool. There are numerous VPN providers; I personally like PIA for its ease of use, low fees ($30/yr), and lack of log retention. Be sure to read the terms of service of any vendor you are considering. Your smartphone can also use VPN technology.

Photo EXIF Data Removal : http://verexif.com/en : As mentioned above, this tool will strip the metadata in your photos, removing things such as date, time, GPS position, camera source, etc.

Google Alerts : https://google.com/alerts : Google allows you to configure alerts around specific keywords (e.g., your name, place of business) and will send you an email whenever a new search result matches your query. This can help you stay informed about when your private information hits the public Internet. (This service is free but requires a Gmail account.)

Start Page : https://startpage.com : Google is an amazingly powerful search engine but it comes with a few strings. Tracking. All Google queries are logged and saved. If you’re searching for something you’d rather not keep record of consider using Start Page. Start Page will make the search request on your behalf—preserving your anonymity while allowing you to use all the features of Google’s powerful searching algorithm.

Signal : https://signal.org : Signal provides end-to-end encryption for your text messages and phone calls. To use this, both parties need to have the app installed on their smart device.

We’ve covered a lot of ground today and, despite that, this is still a very incomplete list of resources, tools, and knowledge. It should be a great start for beginning privacy aficionados looking to dissipate that digital footprint, or at a minimum stop some of those spam calls. BTB Security is constantly researching new tools, techniques, and services that help protect customers’ privacy, improve security, and reduce inadvertent information disclosures. We’re always here to help, so feel free to drop us a line if you have any questions. A big thank you to Michael Bazzell and Justin Carroll for their extensive research in this field and for making searchable resources available at https://inteltechniques.com. Be safe out there and think before you click!

In the wake of the Yahoo, Equifax, Whole Foods, Sonic Drive-in, Deloitte, Securities Exchange Commission, Viacom, and Vevo breaches (all in the last month, by the way), I feel confident in predicting the future: there will be another major data breach this year.

Ok, so maybe those words aren't as surprising as they once were, and you're already annoyed about the clickbait title. Good. That means we've progressed in terms of our collective consciousness with respect to the realities of attacks and InfoSec risks. Just a few years ago, most of the organizations I worked with felt fairly confident in saying, "I have a firewall" or "we've never had an incident here." Times have changed. Good.

However, what hasn't changed, at all, are the commonalities among the majority of breaches, be they highly publicized or not. There are fundamental control breakdowns that inevitably exist, are eventually reported on, and are debated ad nauseam on CNN, Fox News, or whatever your favorite talking head platform may be. Here's where I earn my Doctorate in Fortune Telling. This next breach WILL involve:

  1. One or more unpatched systems
  2. Default or insecure configurations
  3. Some weak explanation on why their monitoring capabilities failed
  4. At least one third party relationship (e.g. a vendor)

Time and time again these same issues come up as root 'contributors' if not outright causes. Why? Although momentum is shifting in many organizations toward a more proactive approach that would address these fundamental issues, we haven't hit critical mass, not yet. After each incident the general public rightfully asks, "How could this happen?" or "How could this happen at BIG COMPANY?" The C-suite of the breach victim will release statements or make public appearances to reassure us that this breach was unavoidable, that all reasonable measures had been taken, that these magical hackers are just too darn good, that it's not their fault. Negative.

Advanced Persistent Threats (APT) and Nation State actors absolutely exist, and at times may play a role in some of the well-publicized breaches, but overwhelming evidence points to these basic blocking-and-tackling functions as being on the critical path to a breach. To be clear, I'm not advocating that you completely ignore the potential APT attack; rather, I'm challenging your organization to more effectively prioritize the boring-but-important, simple-but-not-easy risks. Many organizations fall victim to the line of thinking that if only they had the next latest and greatest tool/solution, they would be secure. The focus on Technology alone is the flaw in that approach. People, Process, and Technology. All must work in concert to meaningfully reduce breach risk.

In the midst of Cybersecurity Awareness month, consider my prediction and take action. Refuse to accept that your organization will be the next victim, that this new normal is inevitable and therefore pointless to fight against. Avoid chasing the next latest and greatest solution at the expense of the fundamentals. Invest your scarce resources smartly. Some quick wins you can execute on today:

  1. Patch something, anything in your environment today. Find that old Windows XP/Server 2003 host delivering the app that nobody uses anymore, the ancient firewall protecting the network that once was but is no longer.
  2. Read through your logs. Again, any log will do: firewall, spam filter, domain controller, wireless controller. I'll even take a core switch. Do this every day for the next week, then once a week for the rest of your career.
  3. Run a vulnerability scan. Pick some hosts, make sure you have management approval, and find some technical weaknesses. Challenge yourself to apply remediation by the end of the month.
  4. Print out a list of privileged accounts, on your domain, in key applications, whatever. Do you know what they are? Do you know who they are tied to? Find out. Do this every month.
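For quick win #4, here is an added example (not BTB's code) that inventories the members of the built-in privileged groups and flags accounts that deserve a conversation about who owns them. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the domain; the group list is an assumption you should extend with your own application admin groups.

```powershell
# Added example: monthly inventory of privileged accounts in the domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: these built-in groups are the ones worth reviewing first;
# add your own application-specific admin groups to the list.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($member in $members) {
        if ($member.objectClass -ne 'user') { continue }
        $user = Get-ADUser -Identity $member.DistinguishedName `
            -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires, Description
        [pscustomobject]@{
            Group                = $group
            Account              = $user.SamAccountName
            Enabled              = $user.Enabled
            PasswordNeverExpires = $user.PasswordNeverExpires
            PasswordAgeDays      = if ($user.PasswordLastSet) {
                                       [int](New-TimeSpan -Start $user.PasswordLastSet).TotalDays
                                   } else { $null }
            LastLogon            = $user.LastLogonDate
            Description          = $user.Description
        }
    }
}

# Accounts that need an owner and a reason: disabled but still privileged,
# never-expiring passwords, year-old passwords, or no recorded logon at all.
$report |
    Where-Object { -not $_.Enabled -or $_.PasswordNeverExpires -or
                   $_.PasswordAgeDays -gt 365 -or -not $_.LastLogon } |
    Sort-Object Group, Account | Format-Table -AutoSize

# Keep a dated copy so next month's review can be compared against this one.
$report | Export-Csv -Path ("privileged-accounts-{0}.csv" -f (Get-Date -Format yyyy-MM-dd)) -NoTypeInformation
```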

With quick wins comes an energy which you can then employ to viciously execute your strategic plan… you do have a strategic, comprehensive, prioritized, InfoSec plan… right?

See also Top 10 Cybersecurity Controls to Keep Your Company out of the News

The General Data Protection Regulation 2016/679 (GDPR) is an action passed by the European Parliament, Council of the European Union (EU), and European Commission to unify and strengthen data protection for all individuals and return control of personal data to citizens.

Enforceable on May 25, 2018, GDPR replaces Directive 95/46/EC of 1995. It does not require enabling legislation through the governments of individual member nations—making it directly binding and applicable. Further, the GDPR extends the concept of personal data to include any data element that may identify, directly or indirectly, the “Data Subject.” This includes a name, a photo, an email address, bank details, social network posts, medical information, or a computer IP address.

With controversial topics surrounding this regulation, much conversation will surely take place. For example, technology firms and industries who have long had data-retention requirements may find data destruction—the Right to be Forgotten detailed below—difficult to integrate. They will likely need to change both their processes and use of technology.

My New Solution Guide provides the most important things you need to know in an easy-to-understand format.

As a security consultant, I see companies of all sizes breached at an alarming rate. I see the true consequence go beyond system damage or downtime. I see larger consequences—including loss of confidence and damaged trust. To prevent this, I help organizations defeat intrusions and enhance the probability of detection.

Most cyberattacks are not complex or coordinated. Many simply exploit compromised passwords, faulty configurations, or obscure settings. Using these, attackers access a network and—once inside—escalate their own privileges. Defeating such exploits before someone finds them can improve your security posture dramatically. Below are low-cost, low-impact security controls that reduce the risk to your company's valuable reputation.

Limiting Access

Exploiting compromised passwords or other user credentials is the most common way attackers penetrate commercial networks. Setting tougher access controls is the first line of defense.

  • Separate domain administrator accounts from personal accounts. An administrator’s personal PC is subject to hacking, phishing, malware, and other threats.
  • Separate your password policy. Setting stricter password policies, holding to them, and requiring they change frequently helps ensure secure access.
  • Ensure domain administrators only log in to domain controllers. When an administrator logs in to a host, their credentials are exposed on that host. Having them log in only where required helps limit that exposure.
  • Delegate administrative controls to appropriate groups. Limiting administrator access to a specific area helps mitigate the effects of a breach or other compromise.
  • Disable cached credentials. Logging in to a device stores (caches) domain credentials on it so that users can log in while disconnected, which also leaves those credentials on the device. For devices that never leave your physical environment, set the cached logon count to zero.

Setting Controls

Policy exploits, faulty controls, and mismanaged network settings are the second most common means of attack. Review your network settings to greatly reduce vulnerability.

  • Deploy Microsoft Security Compliance Manager. This tool helps users establish baseline security controls for all systems that they can add to, relax, or modify as needed.
  • Disable Null Sessions. Null sessions allow an unauthenticated intruder who already has network access to enumerate information that supports password guessing and further access to your systems.
  • Disable Link-Local Multicast Name Resolution (LLMNR). LLMNR lets an attacker on the local network pose as the host a client is looking for and capture that client’s authentication credentials. Because the attack is passive, it is likely to avoid detection.
  • Set Simple Network Management Protocol (SNMP) to "Require and Enable." The "Require and Enable" setting requires authentication of any user issuing system commands.
  • Do not store passwords in Group Policy Preferences. Passwords stored in SYSVOL are readable by any authenticated user. Consider an alternate solution for changing local administrator passwords.
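To check several of the controls from the "Limiting Access" and "Setting Controls" lists, here is an added read-only audit script (not BTB's code). It reads the registry values behind cached logons, null-session restrictions and LLMNR on the local host, then searches SYSVOL for Group Policy Preference files that still carry a cpassword attribute. It assumes an elevated PowerShell session on a domain-joined Windows host; the list of preference file names is an assumption covering the common ones.

```powershell
# Added example: audit cached logons, null sessions, LLMNR and GPP passwords.
# Assumes an elevated PowerShell session on a domain-joined host.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing value means the Windows default applies
}

# Each check: registry location, hardened value, and what the default means.
$checks = @(
    @{ Control = 'Cached domain logons (0 = none cached)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Expected = '0'; Default = '10 logons cached' },
    @{ Control = 'Restrict anonymous (null session) access'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1; Default = '0, null sessions allowed' },
    @{ Control = 'Restrict anonymous SAM enumeration'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Expected = 1; Default = '1 on current Windows' },
    @{ Control = 'LLMNR disabled (EnableMulticast = 0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Expected = 0; Default = 'LLMNR enabled when absent' }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegistryValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Control = $c.Control
        Actual  = if ($null -eq $actual) { "(not set: $($c.Default))" } else { $actual }
        Pass    = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
    }
}
$results | Format-Table -AutoSize

# Group Policy Preferences keep credentials in a 'cpassword' attribute inside
# XML files under SYSVOL, readable by any authenticated user. Report the file
# that contains one, never the secret itself.
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain
$sysvol   = "\\$domain\SYSVOL\$domain\Policies"
# Assumption: the preference types that can carry a cpassword attribute.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword=' -Quiet } |
    ForEach-Object {
        [pscustomobject]@{ Finding = 'GPP password present'; File = $_.FullName }
    } | Format-Table -AutoSize
```

A "Pass" of False on the registry checks, or any file listed under the SYSVOL search, is a finding to remediate through Group Policy rather than by editing the registry on one host.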

Going Further

Additional steps I recommend to secure against attack include disabling interactive login for service accounts, using managed service accounts, using NT LAN Manager (NTLM), and disabling both the command shell and PowerShell where they are not needed. I have seen firsthand how these quick, simple steps can strengthen a client’s security posture and help them defeat many common forms of intrusion.

I have based these insights on experience helping organizations of all sizes located all over the world to detect, defend, and defeat security breaches since 2006. This experience ranges from ethical hacking and vulnerability assessments to comprehensive managed security services programs, incident response, and forensic analysis.

Start a conversation with one of my colleagues to discuss how you can strengthen your current information security strategy. Schedule a consultation

NY DFS enacted 23 NYCRR 500 to establish cybersecurity requirements for financial businesses in New York State. This regulation seeks to protect industry and consumer from cyberattack—requiring banks and other institutions to safeguard transaction records and consumer data.

Governor Andrew M. Cuomo stated: "New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cybercrimes."

Unfortunately, anything written by legislators can seem complex or intimidating. Businesses without cybersecurity policies risk letting the deadlines established under 23 NYCRR 500 slip past them. As a result, many are scrambling. These businesses need a rational voice to guide them.

With this in mind, BTB Security has distilled the most important things to know about 23 NYCRR 500 into a Solution Guide that presents this regulation in plain language—so that you can get ahead, remain ahead, stay compliant, and remain secure. Read the Solution Guide
