Sec Tec Blog

Automated Teller Machines Vs Thermal Imaging

The £200 device that could steal your bank PIN.

The increasing availability of cheap thermal imaging equipment -once the sole preserve of only the best equipped attacker- is creating an ever increasing risk to push button security devices. Using a readily available IPhone accessory costing less than £200, Sec-Tec tested a wide range of push button security devices, including ATMS, locks and safes, and found that certain devices could leak the digits pressed by a legitimate user for over a minute after use:

The very important boring stuff: The benefits of documenting your Information Security Management System

I think it’s safe to say that most penetration testers prefer the testing aspect of their role to the reporting aspect. When I interview potential candidates, very rarely are they the first to mention report writing. We talk about passive enumeration, active scanning, exploit writing, shellcode, Shodan, Maltego, all the “fun” stuff. But report writing is vital, it is the deliverable. If the client cannot receive a useful penetration test report, then there is no value in the service. All too often, report writing is –sadly- seen as the bit you have to do at the end.

The Human Factor. Why do so many organisations continue to ignore staff awareness and social engineering from penetration testing scopes?

On average, Sec-Tec receives four penetration testing RFQs (Request for Quotation) a week, from a massive array of organisations, all with different information security goals and objectives. As you would expect, they range from organisations deeply experienced in information security – often with a dedicated security team – to those who are just realising that information security is something that cannot be ignored, and need quite a bit of help and guidance.

Patching the unpatchable – After Microsoft Update comes the real work

I think it is safe to say that the majority of organisations have mastered Microsoft Update. More and more we see regularly updated Windows installations, which greatly reduces the number of exploitable vulnerabilities within the core operating systems of your organisation. This is good news. Not that long ago, a large percentage of organisations were still exploitable through the penetration tester’s old favourites such as MS08-067, years after a patch had been released to fix the issue.

Sec-Tec announces Fixed Price PSN ITHC Health Check Service

Anyone who manages a PSN (Public Sector Network) connected organisation will know well the hard work and anxiety that the annual PSN submission can cause. Well, thankfully, there is now one less thing to worry about as Sec-Tec launches a fixed price PSN health check service, conducted by Tigerscheme certified consultants.

Application logic flaws. Often overlooked, but deadly

When discussing a web application penetration test, you will often hear of cross-site scripting, SQL injection and a number of other "classic" web application attacks. Often overlooked, but critical to an application's security however is the implementation of application logic.

Logic flaws are a significant risk for a number of reasons:

The Desktop is Now The Target

Organisations are failing to understand the risks now presented by desktop applications and continuing to focus security efforts on server and network infrastructure. This is despite a massive increase in desktop application attacks worldwide that are crippling organisations of all sizes, including state of the art technology giants.