Fire detection system been pwned? You’re not going to sea
TL;DR Hardcoded SSH and VNC credentials found on Consilium Salwico CS5000 panels SSH access allows OS-level interaction, and VNC access gives UI control It may be possible to disable the fire detection system Attempts to disclose vulnerability to Consilium multiple times since 2022 Consilium...
How to load unsigned or fake-signed apps on iOS
TL;DR Issues commonly arise when clients provide an application which is unsigned or does not meet device requirements. Installing an application can be challenging without a Mac, access to Xcode or if the client is having trouble signing the application manually as this is normally done by the a...
Our capabilities. A story about what we can achieve
Introduction Over the years we have been fortunate to have been called upon to help with some challenging investigations. iPhone prize scams, ransomware attacks that weren't, aiding the Steele Dossier case, and even a fraudulent €14 million transfer. Here we've picked out the most interesting one...
Fully segregated networks? Your dual-homed devices might disagree
TL;DR Using dual-homed devices as a segregation tool is not recommended as a security design solution Use dedicated hardware and robust firewalls to segregate networks to limit access to critical networks Proactively check for unintended exposure of network services and disable unnecessary servic...
Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more…
TL;DR Restricted View allows users to read files, but not copy, download or print them Attackers will look for ways to circumvent these controls Traditional workarounds include manual transcription, screenshots, and photos OCR tools can extract text from screenshots Microsoft Copilot can read fil...
VNC. RDP for all to see
TL;DR VNC still remains in some legacy environments due to legacy deployments and ease of use. Without proprietary extensions, VNC transmits data without encryption, making credential theft through packet sniffing possible. The captured challenge and response between a VNC client and server can...
New cybersecurity rules for smart heat pump manufacturers
TL;DR Smart heat pumps face new UK cybersecurity rules Must meet ETSI EN 303 645 under the Smart Secure Electricity Systems programme Applies to most domestic heat devices up to 45 kW Compliance deadline expected to be late 2026 / early 2027 Aims to protect consumers, data, and the national grid...
RCEs and more in the KUNBUS GmbH Revolution Pi PLC
TL;DR Four new vulnerabilities in the Revolution Pi industrial PLCs Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations Documentation and firmware is public, meaning greater oversight and better security in the long run KUNBUS’ PSIRT and CISA were great at...
Exploiting Copilot AI for SharePoint
TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their hands on Your current controls and logging may be insufficient Be careful what you keep on platforms...
The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache
TL;DR How RDP Bitmap Cache can reveal user activity No RDP logs? How can we reconstruct RDP activity? How cached tiles can uncover insider threats Introduction A lot of people are aware of RDP and what its functions are. It’s known for providing remote access and making life easier for...
Hiding behind a password
What do your passwords say about you? It’s surprisingly personal. User generated passwords can reveal more than you might expect, including frustration, humour, and even how someone feels about their job. My password manager database has over 350 entries. I have chosen or generated all of them wi...
The dangers of web based messaging apps
TL;DR Anyone with a web browser and access to your phone in an unlocked state could potentially set up persistent access to your secure messaging platforms without needing to know your credentials! Whilst this clearly requires unfettered access to your phone, scenarios such as screen replacement...
Unallocated space analysis
TL;DR Unallocated space retains remnants of deleted files, metadata, logs, caches, and other artefacts. This is useful if a user attempts to cover their tracks, delete files, reformat drives, or use anti-forensic tools. These remnants can help reconstruct user actions exposing data exfiltration...
Not everything in a data leak is real
TL;DR Data breaches make the headlines usually because of the sheer volume of data Research shows that often the volume of data is falsely inflated How forensics experts can spot it Introduction When a data breach hits the news, it's usually all about the numbers: millions of names, emails, and...
Don’t use corporate email for your personal life
TL;DR People use whatever is convenient. Segregation of work and personal matters is a key part of security. Using corporate addresses tramples on this separation. Corporate email addresses should be treated with the same care as sensitive corporate information. Create an Acceptable Use Policy th...
Preparing for the EU Radio Equipment Directive security requirements
TL;DR UK & EU IoT vendors have more security regulation coming in Applies to all wireless devices Comes into force 1st August 2025 It may be absorbed into the Cyber Resilience Act From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU’s Radio Equipment Directive...
Backdoor in the Backplane. Doing IPMI security better
TL;DR IPMI, released by Intel in 1998, is a hardware management interface operating independently of the OS, often using 623/udp. It monitors hardware data e.g., temperature, power and supports remote recovery, integrated into BMCs like HP iLO, Dell DRAC, and others. IPMI vulnerabilities include...
The first 24 hours of a cyber incident. A practical playbook
TL;DR The first 24 hours after a cyber incident are critical for containment and recovery. Small and medium-sized businesses SMBs often lack resources, but swift action is still possible. This playbook provides clear steps to follow in the heat of a breach: who to contact, what to do, and how to...
Cybersecurity communities. Small hacker groups, big impact
TL;DR Cybersecurity communities and groups are an excellent opportunity to network and learn There are OWASP, DEF CON, 2600, university hacking societies, Meetup communities and more to choose from They provide workshops, talks, and practical learning opportunities benefiting both newcomers and...
Take control of Cache-Control and local caching
TL;DR Caching speeds up website content delivery What caching directives are and how to use them The No-cache directive does not prevent caching The No-store directive prevents caching Introduction The HTTP Cache-Control header is sometimes misunderstood. It's important because it is used to speci...
How I became a Cyber Essentials Plus assessor
TL;DR What is Cyber Essentials and why does it matter? The role of Cyber Essentials CE and Cyber Essentials Plus CE+ assessors in protecting UK businesses The difference between a CE and CE+ assessor Becoming a CE assessor Becoming a CE+ assessor Challenges I faced and tips for success Introducti...
DNSSEC NSEC. The accidental treasure map to your subdomains
TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes names, making enumeration harder, but attackers can still crack weak...
A dive into the Rockchip Bootloader
TL;DR Rockchip has a structured sequence of bootloaders. Using various plugs can allow access to the MCU’s RAM and storage. There are many utilities to allow reading of information from the MCU. Use this guide to access and reverse engineer bootloaders. Introduction Rockchip are a Chinese company...
Pen testing avionics under ED-203a
The aviation industry realised some time ago that taking a standard approach to the cyber security of its products was needed and that this was a specialist discipline. A family of documents was produced to help with this: ED-202A / DO-326A – what should be certified ED-203A / DO-356A – how these...
Watch where you point that cred! Part 1
TL;DR Poorly protected authentication requests from privileged automated tasks e.g. vulnerability scanners, health checks could be intercepted by rogue authentication servers planted in the internal network. Weak authentication methods, overly broad privileges and scopes, as well as poor network...
New mandatory USCG cyber regulations. What you need to know
TL;DR US Coast Guard introduces mandatory new Marine Transportation System cybersecurity requirements They take effect on July 16, 2025, and training must begin by July 17, 2025 US flagged large commercial vessels affected Cybersecurity Officers CySO need to be appointed Penetration testing of...
PCI DSS v4.0 Evidence and documentation requirements checklist
TL;DR PCI DSS is complex and challenging Review the 12 top level controls Arm yourself with this checklist to help you navigate it Introduction PCI DSS v4.0 is challenging for a number of reasons: increased complexity, future-dated requirements, high costs and resource demands, vendor management...
PCI DSS. Where to start?
TL;DR Determine your role: Merchant or service provider Determine your level and requirements Identify your validation method: SAQ or RoC Use the PCI website Introduction The Payment Card Industry Data Security Standard, or PCI DSS, outlines essential requirements for protecting both you and your...
ICS testing best results. Hint: Blend your approach
TL;DR Onsite ICS testing is risk averse Laboratory ICS device testing uncovers more A blended approach is key How that works Demonstrable benefits Introduction For safety’s sake onsite ICS testing adopts a risk averse approach, even if scheduled during downtime or a maintenance period. It’s vital...
A tale of enumeration, and why pen testing can’t be automated
TL;DR In an engagement we found an open directory on the internet belonging to our client By enumerating it we found a zip archive with a configuration file holding usernames and passwords That file gave us access to the client’s ArcGIS instance This contained a treasure trove of information abou...
How Garmin watches reveal your personal data, and what you can do
TL;DR A walk-through of obtaining sensitive data from a Garmin watch using forensic techniques How digital forensics on a Garmin watch helped solve a double murder case A comparison of Garmin's privacy with other brands including Fitbit, Apple, and Samsung Understand the security and privacy...
Cyber security guidance for small fleet operators
Introduction Cyber threats aren’t just a problem for large shipping organizations; small maritime fleet operators are also at risk. From phishing emails to ransomware attacks, these threats can disrupt operations and compromise critical systems. This post is a guide to help small fleet...
How to secure body-worn cameras and protect footage from cyber threats
TL;DR Body-worn cameras are used by police and other security personnel Cameras are taken into the field but footage could be presented as evidence Cryptographic approaches are needed to ensure the confidentiality and integrity of captured video and audio Cybersecurity challenges of body-worn...
Security flaws found in tiny phones promoted to children
TL;DR Three mini smartphones promoted to children were analysed Those devices are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the phone, allowing data to be compromised with physical access One had malware artefacts pre-installed One had an...
Tackling AI threats. Advanced DFIR methods and tools for deepfake detection
TL;DR AI-generated documents, videos and more pose significant challenges for DFIR DFIR teams can harness innovative detection strategies and tooling Digital fingerprinting and watermarking, AI-powered and behavioural analyses Hardware-based forensics and image-specific forensic techniques...
The unexpected effects of GPS spoofing on aviation safety
GPS is one service in the Global Navigation Satellite System GNSS. Others include Russia’s GLONASS and the EU’s Galileo constellations. These are all used to provide Position, Navigation, and Timing PNT to civilian users including commercial aircraft. GPS was actually designed to have military...
10 Non-tech things you wish you had done after being breached
TL;DR Non-tech aspects to breach follow-up are often overlooked but essential NDAs, supply chain, and third party contracts and obligations should be reviewed Reviewing communication protocols and employee training increases resilience Looking after, and retaining your people improves recovery fo...
The surprising existence of the erase button on cockpit voice recorders
Introduction Safety and transparency are important in aviation. One tool that helps here is the Cockpit Voice Recorder CVR, which records audio from the cockpit during flights. It is crucial for accident investigations, helping authorities understand what happened before an incident. However, you...
Heels on fire. Hacking smart ski socks
TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks …but only when in Bluetooth range AND when the owner's phone is out of range of their feet! Having experienced painfully cold feet several times over the years while skiing, including once at minus 42°C in the Canadian...
Practice being punched in the face. The realities of incident response preparation
“Everyone has a plan until they get punched in the face.” This Mike Tyson boxing quote perfectly encapsulates the chaos of a cybersecurity breach. TL;DR Accept that your organisation may be breached Train hard. Regularly test incident response plans Build muscle memory Practice getting punched in...
How easily access cards can be cloned and why your PACS might be vulnerable
TL;DR Access cards can be cloned There are practical measures to make card cloning difficult Practical guidance on how these systems work and why you should make sure they’re configured right What is a physical access control system? A physical access control system, or PACS, is the system that...
Making sure your door access control system is secure: Top 5 things to check
Your door access control system, aka a physical access control system or PACS, also referred to as RFID cards or ‘swipe’ cards, often has a poor reputation for being vulnerable to cloning attacks. Here’s the thing: it’s generally possible to configure your system to be very resistant to card...
Is secure boot on the main application processor enough?
TL;DR Secure boot ensures only authentic firmware can run on a device and should form part of a layered defence strategy. Sub-systems often lack secure boot capabilities, limiting protection for non-critical processors. Focus on secure boot for the main processor; it can provide adequate security...
6 non tech things you wish you had done before being breached
Introduction When a breach happens, it’s not just technical defences that matter. Preparation in non-technical areas, like having key documents printed or emergency contacts accessible, can make all the difference. In this blog, we highlight six simple yet essential steps to help you prepare in...
BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365
TL;DR Take lessons learned from investigation, such as reviewing how emails evaded existing phishing controls to update anti-malware policies. Configure Defender for Office and Defender for Cloud Apps threat and alert policies to prevent and detect email-based attacks. Don’t rely on out-of-the-bo...
How we helped expose a £12 million rental scam
TL;DR We helped Channel 4 with trying to track down rental scammers. We are not the police so we could only take it so far and any proving guilt or innocence would be a police matter. We saw organised approaches and elaborate setups. A lot of technical and money laundering techniques were needed...
Did security gaps at Antwerp port enable drug smuggling operations?
TL;DR Why hack shipping? For profit. Criminals have been proven to have hacked port systems to bypass security and facilitate drug smuggling. Evidence of hacking? Rarely reported, but cases like MSC and Glencore’s cobalt theft and the incidents at the Port of Antwerp below provide real examples...
BEC-ware the Phish (part 2): Respond and Remediate Incidents in M365
TL;DR Ensure you can reliably take initial containment actions such as disabling accounts, resetting passwords, and revoking tokens. Token binding ensures that a token only works on the specific device the token was issued and is currently the best protection against token theft. As a minimum...
You lost your iPhone, but it’s locked. That’s fine, right?
TL;DR Default iOS configuration leaves your locked device vulnerable Ensure your emergency contacts are set. Use ‘FindMy’ to track / wipe lost devices. Take regular backups. Consider turning off the lock screen message previews. Introduction Picture this: you've lost your iPhone. Luckily, it's...
Maritime lawyers assemble!
Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships became constantly connected. Vessels were mostly not connected at sea, other than Fleet Broadband connections, rarely used...