Since GRIMM’s inception, our dedicated teams have helped build confidence in clients’ underlying security posture — largely through demonstrating the business impact of vulnerable systems during client engagements. GRIMM teams have covered functional areas in Application Security, Cyber-Physical (aka CyPhy), Tailored Software, Training, and CISO-level consulting. Many of GRIMM’s client engagements include an element of […]
Launching the GRIMM Red Team Read More »
Given the recent controversy with DJI drones, a defense and public safety technology vendor sought to investigate the privacy implications of DJI drones within the Android DJI GO 4 application. To conduct their analysis, the vendor partnered with Synacktiv who performed an in-depth dynamic and static analysis of the application. Their analysis discovered four main causes of concern within
DJI Privacy Analysis Validation Read More »
I. Introduction “Nobody Can Hack an AS/400.” “Never in my 40 years in the business has anyone hacked an AS/400!” “AS/400’s don’t have hacking problems like Windows computers.” “AS/400’s are bullet-proof. They don’t have zero-days like other computers.” If you know anyone who works with an IBM i (formerly known as “AS/400”, also branded as
IBM i Security Demystified Blog, Episode 1 Read More »
The corona-virus pandemic has fundamentally changed the way many people and organizations operate. While many countries have started progress towards opening up and returning to normal, companies are faced with the decision of whether or not having a remote workforce makes sense for them. Working remotely might be a normal thing for some, but with
While teleworking work/life balance are in conflict – a personal story Read More »
SOHO Device Exploitation After a long day of hard research, it’s fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it’s time for some quick fun
SOHO Device Exploitation Read More »
Program History The GRIMM Intern program began three years ago. Interns work on billable client and research projects. Additionally, past Interns worked on the development of GRIMM’s “Howdy Neighbor”, a portable Capture the Flag competition built entirely around hacking Home Automation devices. Howdy Neighbor is one of GRIMM’s go-to, hands-on demonstrations at conferences across the
GRIMM 2020 Summer Internships Read More »
Sparked from a question on our public discord channel https://discord.gg/HeHuehh What does GRIMM’s threat modeling process look like? Is it only used in the design phase of the Software/System Development Life Cycle (SDLC), or can it be applied to systems already in production? We use the Trike methodology on account of it’s friendliness
Announcing #GRIMMCon for free for the community! We’ll have two tracks, one especially for First Time Speakers who we’ll pair with an expert (looking for volunteers!). Talks will be a mix of tech and personal fun. Check https://www.grimm-co.com/grimmcon for speaker and talk updates. Date/Time: 14 APR 20, 1100 – 1900 EST. Call-for-papers (CFP): https://docs.google.com/forms/d/e/1FAIpQLScEY5IWwiofqBLip7-VaY_1mOIjuTqVbqBwlhbqJif6OpWb6w/viewform CFP
Hacking Floaty Things In July 2019 the U.S. Coast Guard issued a safety alert https://www.cyberscoop.com/coast-guard-significant-malware-attack/ https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf urging civilian mariners to get their cyber-poop in a group, encouraging the most basic of cyber-opsec on ships and supporting computer systems. Apparently a large international freighter ship heading for New York and New Jersey experienced “degraded” computer systems
Maritime CyberThreats Read More »
In our spare time, we hunt for bugs in various pieces of software. Thus, when winding down from a project recently, we decided it might be fun to audit one of our own laptops to see if we can locate a local privilege escalation (LPE) vulnerability in the software we use every day. This blog
Analyzing SUID Binaries Read More »