• Top 5: Server Administration recommendations

    Our top 5 recommendations for server administrators are Always use the latest version of the OS and the software and ensure your software has active support. Install and use only services you need. Left over services which you dont need can often lead to open doors which are not being managed as you are not […]

  • Infrastructure vulnerability test conducted

    Recently an infrastructure vulnerability test was conducted on one of numerous setups managed by us. For this test the live environment was replicated with a dedicated web server and database server. The hardware firewall remained the same (for both production and test). The Principle Security Concerns (“PSCs”) that were addressed via testing activities were as […]

  • bugbounty email?

    If you happen to receive an email similar to the one above, don’t panic. The bug bounty programs including the open bugbounty is a system designed to make the public accessible systems safe. Rather than a hacker misusing the exploit, bug bounty hackers warn you of a possible exploit, and give you enough time to […]

  • Internal policy and process/documentation update

    For the past few months we have been busy reviewing our policy and processes Work from Home policy (This was done early on when WFH hit us. Luckily our office had done a few practice runs with half to staff working from home few weeks before ensuring a smooth transition) Updating our encrypted transfer system […]

  • 250 million customer records compromised by Microsoft. Mis-configured database.

    For more than 3 weeks, 5 five Elasticsearch servers of Microsoft left 250 million customer support records publicly exposed. The misconfiguration was done on 5th December and was reported to Microsoft on 31st December after which all 5 servers were secured within 24 hours. https://www.scmagazine.com/home/security-news/database-security/microsoft-database-misconfiguration-exposes-250m-customer-support-records/

  • 15 “Priority 1” vulnerabilities detected by our team

    From SQL and XSS injections, 3rd party vulnerabilities, file upload issues to password policy we ran a comprehensive penetration test and found a range of vulnerabilities for this client’s portal. With 15 “Priority 1” and a number of other vulnerabilities our team did a great job making a detailed examination and report. “Priority 1” vulnerabilities […]

  • XSS injection on emails on our latest ethical hack findings

    While doing a basic code review for a client’s web portal (bridging customers and service) we came across potential vulnerabilities which could compromise the system and recommended a proper ethical hack to screen the system. Our team managed to find 25 vulnerabilities including several SQL and XSS injections. We also uncovered an exciting Reflected/Stored XSS […]

  • SQL and XSS injection simplified

    Technical jargon can be confusing and security related ones even more. The terms “SQL injection” and “XSS injection” seem funny as the image suggests, but understanding it is a key to resolving the issue. To simplify it in a non technical way, imagine you have a robot which reads instructions via a form and performs […]

  • 472 risk points reduced for an accounting application

    Around 8 months back we conducted a non-intrusive security audit for an accounting backend application which involved us going through their system and making data classification matrix, supplier/processor list, data flow, network diagrams and conducting fact finding in various areas like application security, data security, infrastructure, access management, monitoring/logging, and organisational policy. At the end […]