TL:DR Being asked to speak at events is great …except when it looks like a scam or a phishing attempt This is walkthrough of my experience If you think it’s a scam, it probably is It’s a typical Sunday evening, and as I’m gearing up for the week ahead and an interesting email lands in my inbox. The message? An invitation to speak at a prestigious event in Spain on a subject I hold dear, with the added bonus of covered expenses. Colour me thrilled ¡España, aquí vengo! “Your insights and experiences would greatly enrich our conference agenda and contribute to the learning and engagement of ou ..read more

TL;DR Attackers can use Microsoft native SSH client to forward out internal network traffic Windows native SSH is common The attack only needs minimal set-up and commands Quicker and more cost effective for an attacker than using C2 infrastructure Reduces likelihood of Blue team detection Introduction Lately I was involved in an assumed compromise project where stealth and simplicity was required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. A simple SSH Split Tunnelling attack is not a ne ..read more

TL;DR PSTI: The UK Product Security and Telecommunications Infrastructure (Product Security) Act Regulations effective from 29 April 2024 Assess how, where, why, and when you may be affected Review supply chain and in-house teams for compliance readiness Specific obligations for manufacturers, importers, and distributors Use the PSTI Act and its regulations as your compliance blueprint Implement robust due diligence in system acquisitions Prepare for potential cybersecurity incidents with rigorous testing and validation Don’t overlook the importance of comprehensive training Regulatory evol ..read more

American consumers have two clear yet vastly differing choices when it comes to banking. Many opt for a large-sized national or regional bank. Folks select this option for a variety of reasons, typically due to the vast services and ease of use these powerhouses provide. Roughly 60% of Americans count themselves as customers of these large-scale institutions. Others choose to conduct their banking business differently – and more locally – via credit unions. According to the NCUA (National Credit Union Administration), there are over 4,500 credit unions with over 136 million members nationally ..read more

October 2023’s Cyber Security Awareness Month  led to a flurry of blog posts about a new attack called Quishing (QR Code phishing) and how new AI powered email gateways can potentially block these attacks. What’s the attack? To understand the attack you need understand the challenge that the attacker faces. Currently, most initial access attempts are carried out with social engineering, commonly  phishing. Why is that? Well, it looks like people have finally got good at patching. According to the 2022 Verizon data breach incident report only 5% of data breaches investigated by them ..read more

Introduction Android has a number of different types of components that a program or app can instantiate to interact with the user or other programs. Recently I’ve been looking at exported as an interesting way to manipulate information that other apps have stored. A content provider is what it sounds like – it creates a standard mechanism for allowing access to centralised data. An example may be a fitness tracker could allow a central database of activity which could be queried by other apps to pull out data. It is accessed in a similar way than you would access a database. A ContentResolve ..read more

TL;DR Livall smart ski and bike helmet app leaks the wearers real time position Group audio chat allows snooping on conversations Both issues are due to missing authorisation Bike app affects ~1 million users, ski app affects a few thousand users Fixed by the vendor, but after we had to call on a trusted journalist to escalate at Livall Backstory Some of us at PTP are keen skiers, and all of us are into IoT and connected devices. This means that smart ski tech is right up our straße! Connected / smart products are continually emerging in the ski sector. We’ve looked at some in the past, inc ..read more

We’ve been testing the security of a number of different electronic flight bag, or EFB, applications for a few years now. Here’s the latest on that now it has been remediated, 19 months after our initial disclosure to Airbus. TL;DR Flysmart+ is a suite of apps for pilot EFBs, helping deliver efficient and safe departure and arrival of flights One of the iOS appshad ATS (App Transport Security) intentionally disabled, together with any form of certificate validation, exposing the app to interception attacks over Wi-Fi This could enable tampering with, for example, the engine performance calcu ..read more

TL;DR We were asked to help with a Channel 5 consumer education series about online banking scams The presenter, Alexis Conran, was to ‘read’ the minds of members of the public walking past a coffee shop A release form was signed by the targets, with their name, email, and phone number, then passed surreptitiously to us We were given as little as 90 seconds to gather open-source data and pass it to Alexis over an earpiece as he ‘read their minds’ Despite that significant challenge it was surprisingly successful. This post is about how we did it Finally, not shown in the piece, we spent time ..read more

It’s over a decade since the Target data breach. It was an event that reinforced the need for supply chain security reviews. It seems that much has changed since then, or has it? Has the security profile of the average connected building in the USA improved in that time period, be it retail, commercial or otherwise? I would argue not. As a refresher, the Target store networks were compromised via a HVAC management supplier’s systems. Card data was stolen, acrimony ensued, stock prices dived. So much was learned as a result, including for example: Segregation of IT & OT Validation of that ..read more