Blog

Cracking Passwords with Michael McIntyre

Posted on 2020-10-14 by Billy Cody in Tools of the Trade


I was watching the comedian Michael McIntyre’s most recent Netflix special “Showman” when he began a segment on the evolution of the online password. He described an algorithm that would’ve cracked most of my pre-teen online passwords. I decided to dig further and see how effective this algorithm is against some real world data.

Is Michael McIntyre really a master hacker?

Is he watching me right now?

How do I protect myself from him?

No. No. Read on!

Continue reading

Security and availability in healthcare

Posted on 2020-10-08 by Matt Strahan in Business Security


Imagine you’re laying on a hospital bed in an emergency room. The doctors and nurses are rushing around in seemingly organised chaos. You hear beeping and shouting as they investigate and prepare. Imagine the fear you feel, the uncertainty of this life or death situation. Imagine, then, you hear a voice of a doctor: “Damn I can’t remember my password!”

When considering security in healthcare it sometimes feels like you’re going into an entirely different domain. One of the biggest mistakes in cyber security is to treat every organisation the same way, a one size fits all approach. Healthcare has such a different set of rules and requirements to most businesses that it’s hard to even slightly entertain that illusion.

When asked about security in healthcare, most people’s minds go to the security of their patient data. They think about their privacy, about those sensitive answers they give the doctor. When you think about mental health practices, patient records can be as personal as your diary, and the exposure of those records would be violating. Is that the worst case when it comes to healthcare cyber security though?

Continue reading

Three crazy ideas for reforming the penetration testing industry

Posted on 2020-10-02 by Matt Strahan in Industry


In two posts I looked at how it’s almost impossible to validate penetration testing results and where an Evilfirm penetration testing firm might cut costs and invest.

As much as we like to think we’re unique, there are other industries that have exactly the same issues as we do. In other industries there’s the situation where you can’t really verify the results because you’re after the skills of the other party. Some do it badly (I still don’t quite trust my mechanic), but others have made great strides in solving this problem.

Could we potentially use some of the ideas from other industries to do things better?

Continue reading

Telling whether a pentesting firm is good (and how they might get around it)

Posted on 2020-09-30 by Matt Strahan in Industry


I’ve talked about how it’s almost impossible to validate penetration testing results. Are we done then? Doomed to be left in the dark by ineffective testing?

There are other ways where you could figure out whether or not a penetration tester is good or not. We’ve already talked about things to look for when choosing a penetration testing company. I’d like to be a bit darker in this blog post and put my Evilfirm hat back on. Let’s say you’re a penetration testing firm. How could you present as a good penetration testing company but still deliver shoddy work for cheap?

Continue reading

How do you know if you've had a good pentest?

Posted on 2020-09-28 by Matt Strahan in Industry


There’s a fundamental issue with penetration testing that people don’t really talk about very much. It’s not a fun issue to talk about, because it leads to what effectively becomes corruption in the industry, which then leads to the vulnerabilities that are missed being used to cause huge damage to businesses, everyday people, and society.

The issue is simple: there’s no good way to tell whether the penetration test you have had done has found all the vulnerabilities.

This is the first of a three part blog post where I’ll be describing why it’s just so damn hard to validate penetration testing results. In the next post I’ll talk about side channels and ways to at least ensure you’re not getting ripped off, but also how an evil firm might present a good face. Finally in the third post I’ll be talking about three pie-in-the-sky crazy ideas for reforming the industry.

Before I go on I should make it clear that I am in no way saying penetration testing is bad. I do think that there are penetration testers and penetration testing firms that are bad, but a good penetration test is crucial for finding those security vulnerabilities you’re concerned about and keeping you safe.

As long as it’s a good penetration test.

Continue reading

Building vulnerability disclosure terms

Posted on 2020-09-21 by Matt Strahan in Business Security


We have now released new vulnerability disclosure terms for Volkis. You can look at them here. They were based off the excellent disclose.io templates pushed by Bugcrowd among others. I’d like to take a bit of time to talk about why vulnerability disclosure terms are important and why each and every company, no matter how large or small, should have them.

Continue reading

Board Mounting Devices for Fun & Hacker Feels

Posted on 2020-08-25 by Alexei Doudkine in Tools of the trade


Disclaimer: There is nothing about security in this post. Just a bit of fun!

A couple of weekends ago, I found myself in a rare position of having nothing to do. Sick of staring at a screen the entire week, I decided to do a small hardware project. I wanted to take all my networking gear that was in the TV unit, and mount it on a board.

Follow this DIY guide if you also want to look like a l33t h4xx0r by mounting your networking kit on a wall or a board. I did this for my networking gear I use at home, but it’ll work for anything and is a great way to keep your lab relatively tidy.

Continue reading

Security design flaw in Storage by Zapier

Posted on 2020-08-05 by Alexei Doudkine in Vulnerability Disclosure


Recently, we discovered a design flaw in how Storage by Zapier was verifying authentication. This flaw could allow attackers to compromise other users’ data stored within Storage by Zapier if the victim mistakenly chose a weak key or a key that was already in use.

This vulnerability was disclosed to Zapier and has since been partially remediated. Zapier’s solution is assessed at the end of this article.

Continue reading

How could Twitter have stopped the attack? (Part 2)

Posted on 2020-07-22 by Matt Strahan in Business Security , Social Engineering


Last week Twitter had a successful social engineering attack that pushed through a Bitcoin scam. The scam netted about $120k for the scammers, but for Twitter it caused huge damage to their brand with the news of this attack going around the world.

Although we don’t have any hidden information about the Twitter hack that’s not already public, I thought it would be fun to look at the kinds of security controls that would help stop this kind of attack.

Yesterday we looked at all the multi-X controls. Today we’ll be looking at other strategies that can help mitigate the compromise.

Continue reading

How could Twitter have stopped the attack? (Part 1)

Posted on 2020-07-21 by Matt Strahan in Business Security , Social Engineering


Last week Twitter had a successful social engineering attack that pushed through a Bitcoin scam. The scam netted about $120k for the scammers, but for Twitter it caused huge damage to their brand with the news of this attack going around the world.

Even with the greatest of anti-phishing and anti-malware security stack, social engineering attacks are extremely difficult to stop. In our social engineering exercises we may call a 5% response rate to a social engineering attack a good result, but for many organisations just having one response is a catastrophic scenario.

Many guides when they talk about social engineering talk about user training and “users being the weakest link”. While security awareness is important, the social engineers are smart. It’s almost impossible to tell the difference between what is real and what isn’t. Why are we blaming users when they’re being put in an impossible situation?

Continue reading