Blog

HTB CBBH Course Review

Posted on 2024-06-06 by Nathan Jarvie in Certifications


Introduction

Oops, I did it again.
I did a new course, got lost learning new things.
Oh baby, baby,
Oops, I passed all the tests
Got a new web app cert
Now I’m certified (Bug Bounty Hunter)

Continue reading

Securing the laptops that schools give to children

Posted on 2024-05-27 by Matt Strahan in Business Security


This week Alexei and I will be presenting at the AISNSW ICT Management and Leadership Conference. Alexei is giving workshops on physical security and going from on-prem active directory to cloud based Microsoft 365. I’ll be presenting on Essential 8 for schools, why they might use it and what it’s trying to protect.

A while ago I talked about how healthcare has extremely specific security requirements and limitations around how they can approach security. Really, though, every industry faces their own unique challenges. For schools, they have the rather unique requirement of having to provision and secure devices that are going to be used by children. Imagine asking a primary school child, for example, to get out their phone and type in a multi-factor authentication code to get access to their learning platform? The way of “locking down” their systems must be approached in a very different way to enterprises.

In this post I’ll be giving my opinion on it. There’s no “right way” to secure the laptops of school kids and even amongst individual schools they may have to have different approaches for different year groups, but hopefully I can give out some ideas.

Continue reading

We got phished! (but it was just a test)

Posted on 2024-05-17 by Alexei Doudkine in Volkis News


Over the last couple of weeks, we had a fellow security consultancy perform a penetration test on us! That’s right, even though we can do it ourselves, it’s always best to get someone independent to look at your security. We believe in following our own recommendations, so here we are. What did we learn?

Continue reading

What do you really need to authenticate?

Posted on 2024-04-30 by Matt Strahan in Business Security


I was working on a penetration test for a gym company a while ago and found a vulnerability. When looking at the profile I found you could change the number in the URL and view other profiles. “Unfortunately” you couldn’t change the other user’s password, but wait! There’s a forgotten password function and I’m able to change the user’s email address! How about I just change the email address, submit the forgotten password page, and then…great I’ve got access to the account!

For the pentesters who are reading this, this is not a particularly interesting story. It’s just the exploitation of a stock standard IDOR vulnerability using a pretty well known technique. They’d put the recommendation to require the user’s password for changing email address and oh don’t forget to fix the IDOR.

But for some reason this story was rolling around in my head not long ago and it made me think. For this company the email address ended up being just another way to authenticate. In terms of authentication it was equivalent to just having the username and password. In other words, you could have either a username and password to access the account or access to the email.

We all kind of know this when we think it through, but did the company treat email this way? Did they treat access to email as a method of authentication in the same way as a password?

Continue reading

CARTP Course Review

Posted on 2023-11-30 by Nathan Jarvie in Certifications


So, what does a certification addict do when he’s bored? He starts a new one!

This time I completed the Attacking and Defending Azure Lab and the accompanying Certified Azure Red Team Professional (CARTP) exam by Altered Security. Working my way through the provided labs, watching all the videos, learning all the things.

Was it worth it? (spoiler alert) Absolutely!

Let’s dive into the good, the bad and the ugly of pentesting Azure!

Continue reading

"Why test what we know is bad?"

Posted on 2023-08-01 by Nathan Jarvie in Industry


“Why bother getting a penetration test when we already know they will compromise us?”

“We already know our security sucks, we don’t need someone to tell us that.”

We occasionally hear this sentiment from our clients. Penetration testing is much, much more than just “getting pwned” by your friendly neighbourhood hacker-man. This article goes through the benefits of getting a network penetration test done even when you know there are problems.

Continue reading

How many vulnerabilities does it take to hack a system?

Posted on 2023-05-23 by Matt Strahan in Industry


If you see penetration testing reports for two different systems, one with 10 vulnerabilities and one with 20, which system has worse security?

Unfortunately in this case, the answer is “I don’t know”. How many vulnerabilities does it take to hack a system? One is usually enough.

Continue reading

CRTO vs. CRTE

Posted on 2023-05-05 by Nathan Jarvie in Certifications


Late last year I was looking into “What happens next?” after OSCP and PNPT certifications, and it is common to hear from those in the industry that the next step for network penetration testing is to complete Certified Red Team Operator (CRTO) or Certified Red Team Expert (CRTE).

But what I discovered is that while there are many blogs about each one, there are surprisingly few that compare the two directly. So I set out to remedy this issue.

I will try to keep it brief…

Continue reading

Initial impressions of the NIST Cybersecurity Framework version 2.0 draft

Posted on 2023-04-27 by Matt Strahan in Compliance


The latest draft of NIST Cybersecurity Framework (NIST CSF) has just been released! This is the first preview of the new 2.0 version of the framework that updates the hugely successful framework. The draft follows from a Concept Paper released at the beginning of the year. The final version is due to be released in 2024.

This post will go over the main changes that I can see and gives my initial impressions on the good and the bad.

Continue reading

Penetration test, red team, vulnerability assessment... what???

Posted on 2023-04-20 by Alexei Doudkine in Industry


You’re probably here because, like many others, you’ve gone out looking for offensive cyber-security services only to be given a bunch of buzz words that don’t really describe what they are or what they mean for you. Fear not; in this post I hope to demystify the most common ones in simple terms and explain the benefits and shortcomings of each. I’ll also give a few examples of when each one would be useful.

Continue reading