-
Infrastructure vulnerability test conducted
Recently an infrastructure vulnerability test was conducted on one of the numerous setups we manage. For this test the live environment was replicated with a dedicated web server and database server. The hardware firewall remained the same (for both production and test). The Principal Security Concerns (“PSCs”) that were addressed via the testing activities were as […]
-
bugbounty email?
If you happen to receive an email similar to the one above, don’t panic. Bug bounty programs, including Open Bug Bounty, are systems designed to make publicly accessible systems safer. Rather than a hacker misusing the exploit, bug bounty hackers warn you of a possible exploit and give you enough time to […]
-
Internal policy and process/documentation update
For the past few months we have been busy reviewing our policies and processes: our Work from Home policy (this was done early on when WFH hit us; luckily our office had done a few practice runs with half the staff working from home a few weeks before, ensuring a smooth transition), updating our encrypted transfer system […]
-
250 million customer records compromised by Microsoft. Misconfigured database.
For more than 3 weeks, five Elasticsearch servers belonging to Microsoft left 250 million customer support records publicly exposed. The misconfiguration was introduced on 5th December and was reported to Microsoft on 31st December, after which all 5 servers were secured within 24 hours. https://www.scmagazine.com/home/security-news/database-security/microsoft-database-misconfiguration-exposes-250m-customer-support-records/
-
15 “Priority 1” vulnerabilities detected by our team
Ranging from SQL injection and XSS, through third-party component vulnerabilities and file upload issues, to password policy, we ran a comprehensive penetration test and found a range of vulnerabilities in this client’s portal. With 15 “Priority 1” and a number of other vulnerabilities, our team did a great job producing a detailed examination and report. “Priority 1” vulnerabilities […]
-
XSS injection on emails on our latest ethical hack findings
While doing a basic code review for a client’s web portal (bridging customers and service), we came across potential vulnerabilities which could compromise the system and recommended a proper ethical hack to screen it. Our team managed to find 25 vulnerabilities, including several SQL and XSS injections. We also uncovered an exciting Reflected/Stored XSS […]
-
SQL and XSS injection simplified
Technical jargon can be confusing, and security jargon even more so. The terms “SQL injection” and “XSS injection” seem funny, as the image suggests, but understanding them is key to resolving the issue. To simplify it in a non-technical way, imagine you have a robot which reads instructions via a form and performs […]
-
472 risk points reduced for an accounting application
Around 8 months ago we conducted a non-intrusive security audit for an accounting backend application. This involved going through their system and building a data classification matrix, a supplier/processor list, data flow and network diagrams, and conducting fact finding in various areas such as application security, data security, infrastructure, access management, monitoring/logging, and organisational policy. At the end […]
-
Debian 10
The long-awaited Debian 10 (code name buster) has finally been released. It has the latest software versions and boasts 57,703 packages. Long term support (LTS) of 5 years has been promised as well, ensuring security updates are available until mid-2024! Debian 8 LTS runs until June 2020; Debian 9 LTS runs until […]