Cybersecurity Insights

David Kirkpatrick

Recent Posts

David Kirkpatrick

Testing Problematic Authorisation Tokens With Burp

05/10/18 15:36

Every so often a web application comes along where a bit of customization is required in your testing strategy to test it properly. The Burp Suite proxy tool is probably one of the most used tools by penetration testers to test web applications. When a situation comes along where its normal customization menu options isn’t sufficient (e.g. using Burp Macros) we can include a custom written Burp Extension to do what we want.

Read More
David Kirkpatrick

Know Your Attack Surfaces

02/05/18 14:22

During our engagements, we sometimes find customers have difficulty in determining what hosts they own and if they are live on the Internet. This can easily happen when you have a high turnover of networking staff, where the knowledge is not passed on, or you have a large infrastructure presence that can make it difficult to constantly manage/monitor. In a worst-case scenario, this can lead to compromise of data and possible exploitation of your internal network where ‘forgotten’ hosts are left unpatched and unmanaged.

Read More
David Kirkpatrick

You are the Weakest Link … Goodbye!

16/03/18 16:31

Historically, customers have used penetration testing to test the security of their infrastructure from an external or internal perspective. For a long time, this has been the ‘de facto’ standard to test for security vulnerabilities. However, we (penetration testers), have been aware for quite some time that this is not the full story.

Read More
David Kirkpatrick

Penetration Testing: The Quest For Fully UnDetectable Malware

05/07/17 10:57

Malware continues to be one of the main attack vectors used by criminals to compromise user and corporate data. Using phishing or social engineering based attacks, criminals attempt to lure an unsuspecting victim into launching a malicious piece of code. It can then do anything from sit in the background as a zombie waiting for the next instruction, or something more sinister, such as lock your computer and demand payment. This is something we've  seen in the recent NHS WannaCry and Petya/NotPetya ransomware breakouts (as badly orchestrated as they may both have been).

Read More

David Kirkpatrick

Recent Posts

David Kirkpatrick

Testing Problematic Authorisation Tokens With Burp

05/10/18 15:36

Every so often a web application comes along where a bit of customization is required in your testing strategy to test it properly. The Burp Suite proxy tool is probably one of the most used tools by penetration testers to test web applications. When a situation comes along where its normal customization menu options isn’t sufficient (e.g. using Burp Macros) we can include a custom written Burp Extension to do what we want.

Read More
David Kirkpatrick

Know Your Attack Surfaces

02/05/18 14:22

During our engagements, we sometimes find customers have difficulty in determining what hosts they own and if they are live on the Internet. This can easily happen when you have a high turnover of networking staff, where the knowledge is not passed on, or you have a large infrastructure presence that can make it difficult to constantly manage/monitor. In a worst-case scenario, this can lead to compromise of data and possible exploitation of your internal network where ‘forgotten’ hosts are left unpatched and unmanaged.

Read More
David Kirkpatrick

You are the Weakest Link … Goodbye!

16/03/18 16:31

Historically, customers have used penetration testing to test the security of their infrastructure from an external or internal perspective. For a long time, this has been the ‘de facto’ standard to test for security vulnerabilities. However, we (penetration testers), have been aware for quite some time that this is not the full story.

Read More
David Kirkpatrick

Penetration Testing: The Quest For Fully UnDetectable Malware

05/07/17 10:57

Malware continues to be one of the main attack vectors used by criminals to compromise user and corporate data. Using phishing or social engineering based attacks, criminals attempt to lure an unsuspecting victim into launching a malicious piece of code. It can then do anything from sit in the background as a zombie waiting for the next instruction, or something more sinister, such as lock your computer and demand payment. This is something we've  seen in the recent NHS WannaCry and Petya/NotPetya ransomware breakouts (as badly orchestrated as they may both have been).

Read More