506 matches found
When disclosure goes wrong. People
My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes VDPs would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons. It’s not all bad though...
Constrained environment breakout. .NET Assembly exfiltration via Internet Options
It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with banking systems, insurance firms, actuarial services etc, most developers aren’t going to understand the proces...
Commercial Air Transport EFB Regulation
Introduction The Electronic Flight Bag EFB is a device pilots use to gather information. This includes viewing airport charts ground and in-flight, calculating take-off and landing performance, as well as multiple other uses as detailed in our other EFB blog posts. EFB regulation is, in a word,...
EFB Tampering. Approach and Landing Performance Part 1
Approach and Landing Performance Part 1: Introduction and Landing Distance Calculations Click here for part 2 TL;DR Approach and landing performance applications perform calculations to provide critical performance data to pilots e.g. speed / flap settings on approach Modifying any one of these...
EFB Tampering. The Human Factor
Like most people, pilots want to expedite things and generally make their work easier. A common conception about aviation is that its a leading industry with technology at its forefront. While this is generally true some of the systems in use today are rather dated to put it mildly. A great examp...
What an IoT assurance scheme could look like
We’ve seen our fair share of vulnerable smart devices over recent years, our blog is littered with examples. We have already commented on the DCMS Secure by Design initiative, it’s a great initiative as is, however, we do want to see it evolve and become more rigorous over time. This should not b...
Penetration Testing Requirements for GDPR
We get lots of people asking us what it is they need to have tested as a requirement for GDPR Compliance, so I've put this together to provide some clarity. This post is NOT a definitive guide to the General Data Protection Regulations. It is however, helpful, real world advice about what you...
BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365
TL;DR Take lessons learned from investigation, such as reviewing how emails evaded existing phishing controls to update anti-malware policies. Configure Defender for Office and Defender for Cloud Apps threat and alert policies to prevent and detect email-based attacks. Don’t rely on out-of-the-bo...
UK PSTI? You’ll need a Vulnerability Disclosure Program!
If you are distributing or selling smart devices in to the UK market, your products will need to be compliant with the UK Product Security and Telecommunications Act. One of the three mandatory areas is that you have a vulnerability disclosure program VDP In the supporting materials for the Act,...
Helping a mobile malware fraud victim
Back at the start of October, we had a call from the BBC asking if we could help unpick a fraud. The victim had been defrauded of £12,000 through a rogue bank transfer and mentioned that her Android mobile phone had been behaving oddly. Of course we would help; who wouldn’t be up for the...
Maritime regulation. All Hands-on Deck!
TL;DR The regulation from the IMO has changed, you need to do more about cyber security. Key things to focus on: Start asking questions of your supply chain, of your own IT and OT teams Assess the security configuration per vessel – each are different Use Critical National Infrastructure controls...
How to build a password cracking rig during a worldwide chip shortage
… and keep a domain password auditing service online. Making money on GPUs, the hard way… At PTP we had a fairly decent GPU password cracking box called Titan. It used 4×1080 GPUs and had an NTLM hash rate of around 180GH/s. Several years ago I realised that the box was sitting idle much of the...
9 things to consider when staff work from home unexpectedly
Many businesses are reviewing and updating their response plans currently. Some might consider closing offices. This may be an appropriate response, but have you considered the effect on employees that have never worked from home before? Security considerations can be quite different, as working ...
UK Government gets serious about consumer IoT security. Legislation on the way
The Digital Minister Margot James today announced a concrete mandate for dealing with the slew of insecure IoT dross that has plagued consumers over the last few years. The aim is simple, to ensure that the millions of household items that are connected to the internet are better protected from...
Hacking the Echo echo echo
Smart home assistant. Not-so-smart TV Amazon Echo is considered pretty secure in the security community. Remote exploitation is a pipe dream, requiring months of research to stand any chance. But what about using other devices in the home to exploit it instead? Working on a smart Samsung TV and a...
Hacking the Bitfi Part 3: The device with no storage
TL;DR? Here’s proof that the Bitfi has storage and that it’s been rooted. -The Bitfi boots at 20 seconds. We’re not disclosing the method yet, as there is plenty more work to be done here. If you’ve been keeping an eye on Twitter, no doubt you’ve seen the unravelling mess that is the security of...
‘Hacking’ the Nespresso Prodigio and Jura E8 coffee machines
You’ll probably know by now that I have a particular interest in the security of IoT coffee machines and tea kettles. Sometimes security is so poor that we have to laugh. Such simple security issues. Now, when I’m feeling lazy and possibly a bit hung over, I really can’t be bothered to make coffe...
Using Volatility for advanced memory forensics
TL;DR Memory forensics enhances investigations by analysing volatile data in RAM unavailable in disk forensics. Key insights from memory include running processes , network connections , encryption keys , and user activity , vital for real-time investigations. Smaller memory images 4-32 GB offer...
Bootloaders explained
TL;DR Modern computers have a program that starts the operating system, known as a bootloader Bootloaders can be communicated with to access storage and sometimes RAM directly They are all individual to the chipset in use. Bootloaders explained In its simplest form, a bootloader is a low-level...
Ski & bike helmets protect your head, not location or voice
TL;DR Livall smart ski and bike helmet app leaks the wearers real time position Group audio chat allows snooping on conversations Both issues are due to missing authorisation Bike app affects 1 million users, ski app affects a few thousand users Fixed by the vendor, but after we had to call on a...
FDA medical IoT cyber device compliance. FD&C 524b
TL;DR FD&C 524b is new FDA legislation for medical cyber device compliance Introduced on March 30th 2023 it is now a firm requirement as of October 1st 2023 It demands provision of complex evidence that manufacturers take security seriously Medical cyber device market There are over 10,000 medica...
Call centres. Outbound call verification
TL;DR: Stop asking customers to verify themselves Reduce friction and annoyance Empower your staff to be more effective Develop an alternative model that works best for you I’m sure we’ve all experienced authenticating ourselves when calling a company. You have a hopefully trusted contact number,...
Which security framework? All of them, in the SCF
TL;DR: All roads lead to Rome. There are plenty of ways to meet your security requirements ISO 27001 is not everything. There, I said it What is the Secure Controls Framework SCF? Why you should consider SCF on your journey to security excellence PTP has a myriad of customers coming for help to...
Scorpion CBS show. Plane hack
Having got on a bit of a roll with dismantling plane hacking in the media with the MH370 documentary critique, it’s probably time to tear apart the pilot episode of Scorpion from 2014. Here’s a link to the relevant part of the show: Why? It’s clearly just an entertainment show, so why bother...
Carbon reduction at PTP
Introduction I’ve been a bit of an eco-warrior since I got my first electric car in 2015, and I’ve been on a personal mission since then to reduce my carbon footprint. I realised I could do more for the environment if I could get Pen Test Partners PTP on board with some carbon reduction ideas too...
Attacking Encrypted HTTP Communications
TL;DR The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers. Introduction Different embedded devices have their own take on...
CMC Electronics EFB breakout vulnerability
We’ve been finding vulnerabilities in electronic flight bags for a few years now. Disclosure response from the vendors involved has varied from excellent to radio silence. In every case we have tried extremely hard to engage with the vendors involved, even where we were ignored. We asked friendly...
747 Hackathon
As is probably clear from our blog and public talks aviation cyber security is an area of huge interest to us. Some of us are also light aircraft pilots, so the crossover of two of our loves makes for some fascinating research. Over the last few years we’ve managed to get access to several...
Gumtree – leaking your data and not really listening
Sometimes finding vulnerabilities is as simple as… just looking. TL;DR 1. Gumtree is a UK-based site where users can advertise items for sale. 2. It leaked the PII of sellers to other users of the site within the HTML source of the adverts. Email address, postcode, GPS location, and the seller’s...
Our capabilities. A story about what we can achieve
Introduction Over the years we have been fortunate to have been called upon to help with some challenging investigations. iPhone prize scams, ransomware attacks that weren't, aiding the Steele Dossier case, and even a fraudulent €14 million transfer. Here we've picked out the most interesting one...
Watch where you point that cred! Part 1
TL;DR Poorly protected authentication requests from privileged automated tasks e.g. vulnerability scanners, health checks could be intercepted by rogue authentication servers planted in the internal network. Weak authentication methods, overly broad privileges and scopes, as well as poor network...
How Garmin watches reveal your personal data, and what you can do
TL;DR A walk-through of obtaining sensitive data from a Garmin watch using forensic techniques How digital forensics on a Garmin watch helped solve a double murder case A comparison of Garmin's privacy with other brands including Fitbit, Apple, and Samsung Understand the security and privacy...
Cyber threats to shipping explained
TL;DR Modern vessels are becoming increasingly connected. While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the Power Management System PMS, leading to blackouts and associated loss of propulsion and steering. Although...
RAID Technology and the importance of disk encryption in data security
Introduction Recently we were engaged by a client experiencing a potential data leak incident. Amidst their expansion, they were constructing a new data centre. Due to pressing business needs, they accelerated the setup of part of their infrastructure. This urgency led to them setting up a Domain...
Navigate FDA 524b to get your medical cyber device to market
With amendment 524b officially enacted, medical devices across the United States and the globe are living under some new rules and procedures. You’re not alone if you are finding these new regulations a bit complex. Changes to business practices – particularly ones that involve millions of...
The most hated man on the internet. Lessons to learn
A while ago I was scouring Netflix and stumbled across the 2022 The most hated man on the internet docuseries. What’s that all about then? The show is about Hunter Moore and his isanyoneup.com website Wikipedia article, where abhorrent people uploaded naked / pornographic images, intended to sham...
Password policy guidance
Why do we need strong passwords? Passwords are stored by using a one-way hashing algorithm to generate a representation of the original password on a securely designed system. Authentication mechanisms then compare the calculated hash of an entered password with the stored hash value to determine...
Got the security controls wrong in OT and maritime? Watch as engineers work around them
Industrial control systems security is slowly improving, partly a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique challenges that engineers looking after OT environments face. We see controls brought in...
What does the Product Security and Telecommunications Infrastructure bill mean for me?
The UK’s Department for Culture, Media and Sport DCMS introduced a bill to Parliament yesterday. But what does that mean for IoT manufacturers and consumers? First, this bill has been a long time coming. Many people have been lobbying and working hard to create it. Industry and others with vested...
Hacking, tracking, stealing and sinking ships
At Infosecurity Europe this year, we demonstrated multiple methods to interrupt the shipping industry, several of which haven’t been demonstrated in public before, to our knowledge. Some of these issues were simply through poor security hygiene on board, but others were linked to the protocols us...
Cyber security guidance for small fleet operators
Introduction Cyber threats aren’t just a problem for large shipping organizations, small maritime fleet operators are also at risk. Anything from phishing emails to ransomware attacks, these threats can disrupt operations and compromise critical systems. This post is a guide to help small fleet...
Die Hard 2. Or how not to hack airplanes
How could I criticise possibly the best action movie series of all time? Well, it’s to help dispel myths about hacking planes. TV shows and films help set a narrative that is hard to shift around aviation cyber, giving the travelling public a misleading view of their security when flying. So let’...
How to load unsigned or fake-signed apps on iOS
TL;DR Issues commonly arise when clients provide an application which is unsigned or does not meet device requirements. Installing an application can be challenging without a Mac, access to Xcode or if the client is having trouble signing the application manually as this is normally done by the a...
Backdoor in the Backplane. Doing IPMI security better
TL;DR IPMI, released by Intel in 1998, is a hardware management interface operating independently of the OS, often using 623/udp. It monitors hardware data e.g., temperature, power and supports remote recovery, integrated into BMCs like HP iLO, Dell DRAC, and others. IPMI vulnerabilities include...
Glastonbury ticket hijack vulnerability fixed
The Glastonbury ticket website was vulnerable to a relatively simple attack that that allowed ticket theft and data leakage. What’s the issue? An attacker could scrape collaborative ticket buying information e.g. on Reddit to gather people’s details, use a flaw in the registration process and...
HUMINT in a cyber world
TL;DR HUMINT / Human Intelligence is gathered from a person in the location in question. It’s the sort of information we think of in the context of spying. A modern intelligence apparatus is multi-discipline with many different collection methods. HUMINT sources include officers, agents, diplomat...
The big play of autonomous vehicles
TL;DR The benefits of autonomous vehicles may not yet be for us consumers There are other areas where autonomy can benefit auto manufacturers and others Having your autonomous car drive you home from the bar may be some way off yet! Car manufacturers and technology startups make a big play of...
Socks! Our cyber prediction for 2024
I get pretty bored of reading pointless prediction puff pieces from vendors about what is going to happen next year in cyber. Don’t tell me, it’ll be security issues that their next-gen, xDR, paradigm-shifting, lowest TCO turnkey solution resolves. So here’s what I can guarantee for next year:...
Monetising hacking by shorting commodity shipments
I’m continually asked by the maritime industry about the motivations of hackers. “Why would anyone hack us, we operate ships?” It strikes me that many of the public and a lot of maritime businesses still think of the ‘hacker’ as a solo operator in a dark hoodie in a basement of their parents’...
Living off the land, AD CS style
Introduction Unless you have been living under a rock for the last year or so, Active Directory Certificate Services AD CS abuse continues to be a hot topic in offensive security, ever since the excellent research released by Will Schroeder @harmj0y and Lee Christensen @tifkin. I, like many, have...