RAID Technology and the importance of disk encryption in data security
Introduction Recently we were engaged by a client experiencing a potential data leak incident. Amidst their expansion, they were constructing a new data centre. Due to pressing business needs, they accelerated the setup of part of their infrastructure. This urgency led to them setting up a Domain...
Mobile malware analysis for the BBC
This is a version of our report referenced in the Helping a mobile malware fraud victim blog post, with all sensitive information removed. Summary One malicious application was identified on the device, and evidence identified during the examination strongly suggests though this cannot be confirmed...
Helping a banking fraud victim
A few months ago an elderly friend of a friend asked for some help. They had been scammed and had £10K stolen. Was there anything I could do to help? This wasn’t going to be a pleasant task: recovering monies stolen as a result of banking fraud is all but impossible. I was going to have to explai...
Helping a mobile malware fraud victim
Back at the start of October, we had a call from the BBC asking if we could help unpick a fraud. The victim had been defrauded of £12,000 through a rogue bank transfer and mentioned that her Android mobile phone had been behaving oddly. Of course we would help; who wouldn’t be up for the...
Socks! Our cyber prediction for 2024
I get pretty bored of reading pointless prediction puff pieces from vendors about what is going to happen next year in cyber. Don’t tell me, it’ll be security issues that their next-gen, xDR, paradigm-shifting, lowest TCO turnkey solution resolves. So here’s what I can guarantee for next year:...
Intercepting MFA. Phishing and Adversary in The Middle attacks
3 of my last 5 business email compromise investigations have involved an Adversary in The Middle (AiTM) attack. Even the more security-aware people with bolstered Microsoft 365 (M365) configurations are coming up blank as to how their comprehensive MFA policies have been bypassed. It’s a technique we...
Navigate FDA 524b to get your medical cyber device to market
With amendment 524b officially enacted, medical devices across the United States and the globe are living under some new rules and procedures. You’re not alone if you are finding these new regulations a bit complex. Changes to business practices – particularly ones that involve millions of...
OSINT. What can you find from a domain or company name
We carry out lots of attack surface assessments, parts of which involve investigating information that has been unintentionally disclosed. To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names. Domain name So let’s div...
OPSEC failures when threat hunting
Over the last few years I’ve carried out a lot of phishing, and have some interesting observations on how organisations respond. However, the purpose of this blog is to highlight a worrying and amusing trend in response actions taken by the blue team and researchers when threat hunting a phishing...
Are Vehicle to Grid spikes coming?
If you didn’t already know, I’m a massive fan of electric vehicles. One of the aspects that intrigues me is Vehicle to Grid (V2G), the potential for our car batteries to store and release electricity to and from the grid, providing balance for the peaks and troughs of demand. It’s a part of what is...
Cap Dev. Better red teaming with continuous Capability Development
TL;DR What Capability Development (Cap Dev) is in this context The big Cap Dev benefits for red teaming Operations and Development, sharing and improving Improvements to TTPs, hardware, and developing strategies Benefits of using a DevSecOps model for offensive security The essence of Cap Dev Cap D...
FujiFilm printer credentials encryption issue fixed
TL;DR Many multi-function printers made by FujiFilm Business Innovation Corporation (Fujifilm) which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation (Xerox) which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials o...
FDA medical IoT cyber device compliance. FD&C 524b
TL;DR FD&C 524b is new FDA legislation for medical cyber device compliance Introduced on March 30th 2023 it is now a firm requirement as of October 1st 2023 It demands provision of complex evidence that manufacturers take security seriously Medical cyber device market There are over 10,000 medica...
Using Velociraptor for large-scale endpoint visibility and rapid threat hunting
TL;DR Network-wide collection, acquisition and monitoring tool for use in DFIR engagements Designed for enterprise networks 150k+ Deployments aren’t unheard of Boasts many features that your commercial EDR has, and a few more Flexible querying language that can adapt to new threats and encourages...
IoT Secure Development Guide
Introduction This guide deals with threat modelling and early stages of development so that security issues and controls are identified before committing to manufacturing. Current attack methods, and the pitfalls we find in embedded designs, have been highlighted so that a finished product is as...
The reality of Apple watch pen testing
Introduction We were approached to do an Apple Watch application test. It seems this isn’t a service offered by many companies including us, although we’ve done plenty of work on Android Wear before but also, little information exists online about attempts, experiences or if it’s even possible. So...
Call centres. Outbound call verification
TL;DR: Stop asking customers to verify themselves Reduce friction and annoyance Empower your staff to be more effective Develop an alternative model that works best for you I’m sure we’ve all experienced authenticating ourselves when calling a company. You have a hopefully trusted contact number,...
Fastboot Fuzzing
TL;DR The Fastboot protocol can often have hidden commands Those commands can do interesting things Conventionally they’re found by reverse engineering Can’t find a copy of the firmware? Guess the commands A custom implementation of the protocol enables fuzzing via dictionary or brute force A simp...
Which security framework? All of them, in the SCF
TL;DR: All roads lead to Rome. There are plenty of ways to meet your security requirements ISO 27001 is not everything. There, I said it What is the Secure Controls Framework (SCF)? Why you should consider SCF on your journey to security excellence PTP has a myriad of customers coming for help to...
3yrs of CAA ASSURE assessments. What we’ve learned
Introduction We’re now in our third year of CREST CAA ASSURE auditing and we’ve learned a lot. The Cyber Assessment Framework (CAF) is big, there’s no denying that. It’s not something that you can complete overnight, it’s not something that requires minimal effort and can just be thrown at an auditor ...
PCI v4 is coming. Are you ready?
If you’ve landed here the chances are you are considering PCI compliance. At present the scheme is running against v3.2.1. In March 2022, the PCI Council released the long-anticipated v4.0. The Council stated that the changes represent their determination to “continue to meet the security needs o...
Information disclosure through insecure design
Introduction Insecure design can lead to many issues. The Software Development Life Cycle (SDLC) should contain steps to evaluate and consider security throughout the process. Several recent web application and API tests have revealed a common issue of responses containing too much data, and leakin...
A broken marriage. Abusing mixed vendor Kerberos stacks
My first DEF CON talk was nerve-racking but something I would definitely put myself through again. In hindsight I should have submitted a 45-minute talk as there were some elements missing from what I presented, based on additional research since submitting the CFP. With that in mind, and for tho...
The most hated man on the internet. Lessons to learn
A while ago I was scouring Netflix and stumbled across the 2022 The most hated man on the internet docuseries. What’s that all about then? The show is about Hunter Moore and his isanyoneup.com website Wikipedia article, where abhorrent people uploaded naked / pornographic images, intended to sham...
Scorpion CBS show. Plane hack
Having got on a bit of a roll with dismantling plane hacking in the media with the MH370 documentary critique, it’s probably time to tear apart the pilot episode of Scorpion from 2014. Here’s a link to the relevant part of the show: Why? It’s clearly just an entertainment show, so why bother...
Die Hard 2. Or how not to hack airplanes
How could I criticise possibly the best action movie series of all time? Well, it’s to help dispel myths about hacking planes. TV shows and films help set a narrative that is hard to shift around aviation cyber, giving the travelling public a misleading view of their security when flying. So let’...
Vulnerability disclosure in aviation
We joined Boeing and United Airlines on a panel recently at the RSA Conference to talk about vulnerability disclosure in the aviation world. The engagement we are now seeing between researchers and industry is a powerful force for positive change. Hopefully this will start to reduce the number of...
PTP at DEF CON 31 2023
Come and see us at the Aerospace Village, at Caesars Forum. Aerospace Village Fri 11th to Sun 13th Activity Take off in an A320 with hacked engine performance calculator. Then try to land it again. Fri 11th August 5:00 PM Pen Test Partners Power Hour We’ll be talking about: Hacking Electronic...
n00b’s guide to DEF CON. Surviving the Matrix of the underground
Ah, DEF CON. The world’s largest hacker convention. A beacon for the diverse spectrum of cyber security enthusiasts. From code-cracking challenges to the infamous Wall of Sheep, the event is a hive of activities and opportunities. But before we dive into the world of hackerdom, let’s get one thing...
Have you been compromised?
Imagine the scenario… A nation state recruits an asset / spy at age 18. Their education and living expenses are fully funded, all with the aim of getting them a job at a target organisation. All goes to plan, on paper they’re a good fit and they get a low profile graduate role in the company. Lif...
Exposed Gits: 10 Years on
Nearly 10 years ago my colleague wrote a cracking post on exposed Git repositories. 10 years is a long time in cyber security, but you’d be surprised how many things you thought should have gone extinct that haven’t. A prime example is a recent finding of a handful of exposed .git repositories. A...
Black Basta ransomware
What is Black Basta ransomware? Black Basta is a threat group that provides ransomware-as-a-service (RaaS). The service is maintained by dedicated developers and is a highly efficient and professionally run operation; there’s a TOR website that provides a victim login portal, a chat room, and a wall...
WhosHere Plus. Trilateration vulnerability
WhosHere Plus is a dating app that uses GPS data to recommend users near to each other, based on similar interests. PTP constantly researches the state of privacy and security in apps that use GPS data, because the consequences of poor security and privacy are alarming: Tracking and snooping on a...
EFB vulnerability in Lufthansa’s Lido eRouteManual
Almost all commercial airlines now use electronic flight bags (EFBs) to drive efficiency and safety in their operations. We’ve been testing the security of EFBs and their apps, here’s our latest findings. TL;DR Many airlines use Lufthansa Systems Lido eRoute Manual for their EFB approach plates. We...
All your building are belong to us
TL;DR Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of securing Operational Technology (OT) While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. I...
It’s always DNS, here’s why…
Introduction There’s an old adage in network and Internet support: When something breaks in any network "it was DNS". Sadly it’s usually true. …or at least it is when you have certain timeouts, or when a company you used to work for moves from the stable Unix based DNS to a Windows based one and th...
Netflix MH370: The plane that wasn’t hacked
I’m a sucker for a good documentary, but the recent Netflix MH370: The Plane That Disappeared had me shouting at the screen. The first episode talks about the most widely accepted theory; a tragic pilot-created murder-suicide. However, the second episode goes completely off the rails, discussing ...
Bullied by Bugcrowd over Kape CyberGhost disclosure
TL;DR The CyberGhost VPN client suffers from an elevation of privilege vulnerability and is filed under CVE-2023-30237. A specially crafted JSON payload sent to the CyberGhost RPC service can lead to command line injection when the OpenVPN process is launched, leading to full system compromise. T...
Netflix MH370: The plane that wasn’t hacked
I’m a sucker for a good documentary, but the recent Netflix MH370 piece had me shouting at the screen. The first episode talks about the most widely accepted theory; a pilot-created murder-suicide. However, the second episode goes off the rails, discussing Russian special operations hacking the...
London Councils & pirate books. Google dorking for subdomain takeovers
TL;DR Google dorks found me an exploited DigitalOcean subdomain takeover on London Councils’ .gov.uk domain It used a meta refresh to redirect to a site hosting unprovenanced PDFs London Councils had a security.txt file which made disclosure a doddle Their security team were awesome and fixed it...
Carbon reduction at PTP
Introduction I’ve been a bit of an eco-warrior since I got my first electric car in 2015, and I’ve been on a personal mission since then to reduce my carbon footprint. I realised I could do more for the environment if I could get Pen Test Partners (PTP) on board with some carbon reduction ideas too...
Monetising hacking by shorting commodity shipments
I’m continually asked by the maritime industry about the motivations of hackers. “Why would anyone hack us, we operate ships?” It strikes me that many of the public and a lot of maritime businesses still think of the ‘hacker’ as a solo operator in a dark hoodie in a basement of their parents’...
Finding forensics breadcrumbs in Android image storage
Introduction Our digital forensics work is wide and varied. Often there’s very little that we can talk about in the public domain, so when I find something that we can share I get a bit excited. In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint...
Causing incidents with in-flight entertainment systems
Some odd things have happened on airplanes recently. The voice on the PA system on an American Airlines flight was one of these. Before the airline put out a response, we were asked to speculate about how it might have happened. American then discovered that there was an issue with one of the PA...
OSINT your OT suppliers
There is much talk about supply chain security and reviewing your suppliers for cyber security. But how much information do they intentionally and unintentionally leak about your organisation online? We see this particularly in the industrial controls sector as its cyber security maturity is...
UK gov website being used to redirect to porn sites
TL;DR UK Government Environment Agency web site had an open redirect that was actively being used to redirect to various porn sites, including OnlyFans clone sites. Disclosure should have been easy but wasn’t, as the agency haven’t followed wider UK government policy on vulnerability disclosure...
What’s My Name Again? Reolink camera command injection
TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless. Introduction The camera is vulnerable to an authenticated command injecti...
Consumer advice for buying smart IoT devices this Christmas
Rightly or wrongly there’s plenty of fear, uncertainty, and downright doom associated with the IoT and devices. So, is it safe to buy these things as gifts or even as a treat for yourself this year? In our opinion it probably is, as long as you follow some basic advice. What can you do? Do your...
Hive Ransomware is on the rise. How should you deal with it?
Why Now? Hive is not a new problem. It first surfaced in 2021 but it’s becoming a much bigger issue now. This is due to a growing number of affiliates and therefore attacks. 2022 has seen more widespread country and industry target interest too. Ransomware growth in general is becoming a massive...
Effecting positive change in the Internet of Things
Way back when… We started our journey back in the day when the IoT was in its infancy. Our first published research was in June 2015 with a post about extracting the Wi-Fi PSK from Fitbit’s Aria weighing scales. This led to a challenging disclosure process with Fitbit, though it ended positively...