506 matches found
Living off the land, GPO style
TL;DR The ability to edit Group Policy Object GPOs from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog post takes a deep dive into what steps were taken to find out why domain joined machines are needed in the first place and what...
Smart home security advice. Ring, SimpliSafe, Swann, and Yale
Introduction This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you're looking to monitor your property remotely, enhance your home's security, or see who’s at the front door, this guide will provide you with valuable insights. We have...
Living off the land with Bluetooth PAN
TL:DR Bluetooth is enabled by default on the majority of Windows laptops Bluetooth PAN can be used to bridge connections locally between a client laptop and attacking device Attackers can use Microsoft native SSH client to forward out internal network traffic Windows native SSH is accessible to...
Dodgy disks. My 32TB SSD Adventure
TL;DR "Hard drive” had reflashed firmware to make it look larger Buyer beware: Cheap storage may not be the value you think it is Background Earlier this year I found myself in need of various cheap electronic components. So naturally I turned to AliExpress. I came across a listing for a cheap...
Pipedream ICS malware toolkit is a nightmare
TL;DR Malware toolkit specifically designed for attacking ICS Modular and framework based Main features are enumeration, Modbus comms, and HTTP interactions Operational Technology OT network breaches are often due to connected Windows devices Off-network compromise assessments give a strategic vi...
Stop using phishing as a measure of your cyber awareness culture
If I had a penny for every time someone said to me “let’s measure our security culture by phishing our staff” I’d probably be able to fill my car up. It’s a really easy thing to do, you carry out some online training and typically they come with phishing simulations as a free or low cost add on. ...
To Pay or Not to Pay? That is the Ransomware question
During a review of a client’s incident response capabilities the discussion turned to ransomware and strategies for handling it. The client’s board-level view was that if they were unable to restore their systems they would pay-up. They’d gone so far as considering setting up a cryptocurrency...
VNC. RDP for all to see
TL;DR VNC still remains in some legacy environments due to legacy deployments and ease of use. Without proprietary extensions, VNC transmits data without encryption, making credential theft through packet sniffing possible. The captured challenge and response between a VNC client and server can...
Don’t use corporate email for your personal life
TL;DR People use whatever is convenient. Segregation of work and personal matters is a key part of security. Using corporate addresses tramples on this separation. Corporate email addresses should be treated with the same care as sensitive corporate information. Create an Acceptable Use Policy th...
The first 24 hours of a cyber incident. A practical playbook
TL;DR The first 24 hours after a cyber incident are critical for containment and recovery. Small and medium-sized businesses SMBs often lack resources, but swift action is still possible. This playbook provides clear steps to follow in the heat of a breach: who to contact, what to do, and how to...
Cybersecurity communities. Small hacker groups, big impact
TL;DR Cybersecurity communities and groups are an excellent opportunity to network and learn There are OWASP, DEF CON, 2600, university hacking societies, Meetup communities and more to choose from They provide workshops, talks, and practical learning opportunities benefiting both newcomers and...
The unexpected effects of GPS spoofing on aviation safety
GPS is one service in the Global Navigation Satellite System GNSS. Others include Russia’s GLONASS and the EU’s Galileo constellations. These are all used to provide Position, Navigation, and Timing PNT to civilian users including commercial aircraft. GPS was actually designed to have military...
10 Non-tech things you wish you had done after being breached
TL;DR Non-tech aspects to breach follow-up are often overlooked but essential NDAs, supply chain, and third party contracts and obligations should be reviewed Reviewing communication protocols and employee training increases resilience Looking after, and retaining your people improves recovery fo...
Heels on fire. Hacking smart ski socks
TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks …but only when in Bluetooth range AND when the owner's phone is out of range of their feet! Having experienced painfully cold feet several times over the years while skiing, including once at minus 42°C in the Canadian...
Making sure your door access control system is secure: Top 5 things to check
Your door access control system aka a physical access control system or PACS, also referred to as RFID cards or ‘swipe’ cards often have a poor reputation for being vulnerable to cloning attacks. Here’s the thing: it’s generally possible to configure your system to be very resistant to card...
OPSEC failures when threat hunting
Over the last few years I’ve carried out a lot of phishing, and have some interesting observations on how organisations respond. However, the purpose of this blog is to highlight a worrying and amusing trend in response actions taken by the blue team and researchers when threat hunting a phishing...
Are Vehicle to Grid spikes coming?
If you didn’t already know, I’m a massive fan of electric vehicles. One of the aspects that intrigues me is Vehicle to Grid V2G, the potential for our car batteries to store and release electricity to and from the grid, providing balance for the peaks and troughs of demand. It’s a part of what is...
Finding forensics breadcrumbs in Android image storage
Introduction Our digital forensics work is wide and varied. Often there’s very little that we can talk about in the public domain, so when I find something that we can share I get a bit excited. In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint...
EFB Tampering. Holdover Time
TL;DR Holdover applications are a relatively new method of calculating the effectiveness of anti-icing fluid sprayed onto aircraft wings. Applications such as these have additional attack surfaces as the developer and source databases need to be considered Airlines often view limits as targets to...
OpSec. Hunting wireless access points
Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless. How do we go about finding wireless access points and what can they tell us? Finding wireless We have spoken...
Stealing container ship cargo through LOC messaging
In a previous post post I looked at hacking and manipulating EDIFACT messages to destabilise a ship. However, criminals will be far more interested in using these techniques to re-route containers and steal their contents. Similar techniques appear to have been used to steal containers in the pas...
DNSSEC NSEC. The accidental treasure map to your subdomains
TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes names, making enumeration harder, but attackers can still crack weak...
Pen testing avionics under ED-203a
The aviation industry realised some time ago that taking a standard approach to the cyber security of its products was needed and that this was a specialist discipline. A family of documents was produced to help with this: ED-202A / DO-326A – what should be certified ED-203A / DO-356A – how these...
A tale of enumeration, and why pen testing can’t be automated
TL;DR In an engagement we found an open directory on the internet belonging to our client By enumerating it we found a zip archive with a configuration file holding usernames and passwords That file gave us access to the client’s ArcGIS instance This contained a treasure trove of information abou...
Is secure boot on the main application processor enough?
TL;DR Secure boot ensures only authentic firmware can run on a device and should form part of a layered defence strategy. Sub-systems often lack secure boot capabilities, limiting protection for non-critical processors. Focus on secure boot for the main processor; it can provide adequate security...
Mounting memory with MemProcFS for advanced memory forensics
Mounting memory? This changes everything! TL;DR Memory forensics is crucial for investigations, providing access to volatile data, like running processes and network connections. MemProcFS is a game-changer tool in memory forensics, allowing memory dumps to be mounted and browsed like file system...
Insights and highlights from DEF CON 32
TL; DR Event Dates : August 8-11, 2024, in Las Vegas. PTP Presentations : Windows Hello : Our Ceri Coburn with Outsider Security's Dirk-Jan Mollema revealed vulnerabilities in biometric authentication. Maritime Security : Paul Brownridge discussed vulnerabilities in maritime systems and...
Key safe security, or the lack of it
A few years back we put a key safe into our office. Previously, we had used a very simple locked cabinet to ensure keys were returned, as before that, keys kept being accidentally taken home. There’s no data of significance kept at the office. Everything is hosted elsewhere, but we could do witho...
Pen testing cruise ships
New build ships contracted for build from 1st July 2024 must comply with IACS UR E26 & 27. What does this mean for assessing the cyber security of a cruise ship? What’s the risk profile? Cruise ships have a unique risk profile. This is due to the huge number of guests on board, highly complex...
10 years on from the Target breach. Has building cyber security improved?
It’s over a decade since the Target data breach. It was an event that reinforced the need for supply chain security reviews. It seems that much has changed since then, or has it? Has the security profile of the average connected building in the USA improved in that time period, be it retail,...
WhosHere Plus. Trilateration vulnerability
WhosHere Plus is a dating app that uses GPS data to recommend users near to each other, based on similar interests. PTP constantly researches the state of privacy and security in apps that use GPS data, because the consequences of poor security and privacy are alarming: Tracking and snooping on a...
Reporting of cyber incidents becomes law in the USA
On March 15th 2022, president Joe Biden and the US Government passed new legislation to strengthen the Department for Justice DOJ Cybersecurity and Infrastructure Security Agency CISA position by requiring the reporting of all cyber incidents or ransomware payments. The Cyber Incident Reporting f...
When the IoT vendor goes bust
Over recent years, legislation has started to emerge to protect consumers from unethical behaviour from IoT vendors. Far too many smart devices didn’t charge for a subscription to the online platform that made the device ‘smart’. As a result, manufacturers had a perverse incentive to end-of-life...
Congrats, you got everyone remote. But did you do it securely?
The lockdown has meant entire companies of typically office based staff being forced to work from home. The change to our way of life is like nothing anyone has in living memory ever seen. However, alongside that, IT teams have had to rush to deliver solutions that were simply not designed for th...
Take control of Cache-Control and local caching
TL;DR Caching speeds up website content delivery What caching directives are and how to use them The No-cache directive does not prevent caching The No-store directiveprevents caching Introduction The HTTP Cache-Control header is sometimes misunderstood. It's important because it is used to speci...
How I became a Cyber Essentials Plus assessor
TL;DR What is Cyber Essentials and why does it matter? The role of Cyber Essentials CE and Cyber Essentials Plus CE+ assessors in protecting UK businesses The difference between a CE and CE+ assessor Becoming a CE assessor Becoming a CE+ assessor Challenges I faced and tips for success Introducti...
Security flaws found in tiny phones promoted to children
TL;DR Three mini smartphones promoted to children were analysed Those devices are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the phone, allowing data to be compromised with physical access One had malware artefacts pre-installed One had an...
The surprising existence of the erase button on cockpit voice recorders
Introduction Safety and transparency are important in aviation. One tool that helps here is the Cockpit Voice Recorder CVR, which records audio from the cockpit during flights. It is crucial for accident investigations, helping authorities understand what happened before an incident. However, you...
6 non tech things you wish you had done before being breached
Introduction When a breach happens, it’s not just technical defences that matter. Preparation in non-technical areas, like having key documents printed or emergency contacts accessible, can make all the difference. In this blog, we highlight six simple yet essential steps to help you prepare in...
Unauthenticated local file disclosure on Milesight DeviceHub
TL;DR Nginx container on Milesight DeviceHub includes MQTT private key store Can download MQTT private keys across network Milesight eventually responded and issued a firmware update Unauthenticated local file disclosure on Milesight DeviceHub CVSS: 6.5 Medium CVSS:3.1:...
Cap Dev. Better red teaming with continuous Capability Development
TL;DR What Capability Development Cap Dev is in this context The big Cap Dev benefits for red teaming Operations and Development, sharing and improving Improvements to TTPs, hardware, and developing strategies Benefits of using a DevSecOps model for offensive security The essence of Cap Dev Cap D...
PCI v4 is coming. Are you ready?
If you’ve landed here the chances are you are considering PCI compliance. At present the scheme is running against v3.2.1. In March 2022, the PCI Council released the long-anticipated v4.0. The Council stated that the changes represent their determination to “continue to meet the security needs o...
ASSURE Case Study: Two
The engagement The purpose of this exercise was to validate the clients’ baseline security assessment against NIS and the CAF and prepare them for the CAA Assure audit against NIS and CAF. There were 24 systems for the client and 9 third party systems. The client had carried out some initial...
ASSURE Case Study: One
The engagement The client needed to meet the requirements of the Network Information Systems NIS CAF. There was a target profile for the NIS CAF that the CAA had set out for the client’s systems. However, we discovered early on that this had the potential to be a transformational piece of work fo...
Imposter syndrome in cyber security
TL;DR Imposter syndrome is the belief that you are undeserving of your achievements Anyone can be affected by it There are ways to cope What is imposter syndrome? Imposter syndrome is the psychological pattern in which a person downplays their achievements and believes that they are secretly a...
How to handle vulnerability reports in aviation
TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide regular updates to avoid miscommunication. Keep researchers informed throughout the process. W...
Consumer advice for buying smart IoT devices this Christmas
Rightly or wrongly there’s plenty of fear, uncertainty, and downright doom associated with the IoT and devices. So, is it safe to buy these things as gifts or even as a treat for yourself this year? In our opinion it probably is, as long as you follow some basic advice. What can you do? Do your...
Living off the Cloud. Cloudy with a Chance of Exfiltration
Part one of a series aimed at demonstrating malicious usage of Office 365 services. TL;DR Unless default settings are changed, typical Office 365 O365 licences come loaded with various services that are all usable by end users without special permissions. Power Automate can be used maliciously by...
Container theft, the legal system and poor maritime security
One of the most interesting legal cases I’ve read recently involves a theft of two containers of cobalt metal briquettes from a terminal at the port of Antwerp. Original judgment: Appeal: What drew me to this case was the amount of useful data that had entered the public domain concerning a crime...
Fully segregated networks? Your dual-homed devices might disagree
TL;DR Using dual-homed devices as a segregation tool is not recommended as a security design solution Use dedicated hardware and robust firewalls to segregate networks to limit access to critical networks Proactively check for unintended exposure of network services and disable unnecessary servic...