“We’ve sent a six-digit code to your email address. Enter it below to login.”

We see them all the time while testing web applications. In order to verify your identity, the application sends a 6 digit numerical code to your registered email address or phone number. The purpose is to prove that the person performing the action is also in possession of the phone or mailbox attached to it. No access, no authorisation. It’s a useful second factor to apply a little extra security to a process.

If you try to guess the code it expires after 5 or so…

Free and open proxy servers promise anonymous internet access, but at what cost?

In a world of ever-decreasing online privacy, it’s easy to get sucked into the ‘use an anonymous proxy to stay safe’ narrative. I’ve got nothing against using reputable proxy services or VPNs (virtual private networks), but the ‘free’ proxy services you find on the web can be anything but.

What’s the Difference Between a Proxy and a VPN?

People use proxies and VPNs (Virtual Private Networks) to hide their real IP address and masquerade as other devices on the internet. There are many reasons to do this including bypassing content geo-restrictions, bypassing government filters ( Great…

Evading detection and building trust with Captcha challenges and Smishing attacks.

This week I received another SMS Phishing attack which was almost identical to the previous Smishing attack I covered. There were two things that struck me as particularly interesting this time:

1. The attack used the s.id Indonesian link shortening service
2. The attack used a Captcha page to limit access to the phishing page to real people only

Thinking about the first point, it’s clear that s.id, the “World’s shortest URL shortener”, has been chosen to minimise the size of the links in the phishing text message. …

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

(This article aims to contextualize an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim's inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company…

Every image you post online leaks information about you. This is how anyone can find your location using Open Source Intelligence (OSINT).

Open Source Intelligence In Action — Geolocating a Photograph

Open Source Intelligence (OSINT) is the practice of using public or ‘open source’ information available on the internet to gather intelligence and gain insights on given targets. By combining public data sources you can find answers to a variety of questions that most people wouldn’t think is possible.

For example, the sunset photo above is one I took a couple of years ago while travelling for work. It’s not an instantly recognisable location. It’s probably not even that…

I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage…

User accounts are still the number one target for hackers today. The reason for this is that with a legitimate user account you can access, control, and change all of the information available to that user. To achieve this level of control through a software vulnerability can be incredibly difficult, if not impossible. Yet, with the right username and password, you can do all sorts of incredible things that you shouldn’t. When used as intended, user accounts are very valuable. When used by criminals they are incredibly powerful and dangerous. …

We create and use user accounts without thinking about it, but how do they actually work and how do they keep our things secure?

A user account is a digital identity used by a person or piece of software. The identity allows us to associate things in the digital world with a real person or a specific application. In an ideal world, a user account will only ever be used by one person or one instance of a software application. Unfortunately, that isn’t always the case. (More on this later).

How Do User Accounts Work?

Identity and Access Management (IAM) is a framework of processes…