Cyber Security Insights

Posted: 2022-05-21 by Peter Bassill

Posted: 2022-04-28 by Peter Bassill

Every company starts its cybersecurity journey somewhere, and some can jump right in and hire a full-time CISO. For many, this is not the right choice.

Posted: 2022-04-25 by Peter Bassill

Pipedream ICS targetted malware framework affecting Schneider Electric and Omron ICS systems. Referred to as Pipedream and Incontroller, the malware is targeting industrial control systems (ICS). We took a look at the malware.

Posted: 2022-04-18 by Peter Bassill

Penetration Testing or Simulated Cyber Attack. One of them will be the right solution for your business or organisation, and both will help in achieving essential cyber security improvements and objectives.

Posted: 2022-04-15 by Peter Bassill

Penetration testing can deliver widely different results depending on which standards and methodologies they leverage. New and updated penetration testing standards provide an excellent, structured guide and methodology for companies and individua

Posted: 2022-03-31 by Peter Bassill

Maritime cyber security is a problem that, despite getting increasing attention, is still a significant cause for concern. The size of the cyber security problem was recently highlighted, which accentuated the costs and potential impacts on re

Posted: 2022-03-27 by Peter Bassill

Penetration testing is the art/science mix of identifying weakness, misconfiguration and vulnerabilities in People, Process and Technology. Also known as ethical hacking, penetration testing has many other shortenings. These include pen test

Posted: 2022-02-24 by Peter Bassill

Whats does Russia's invasion mean for Cyber Security? In the shadows of the internet, we have been monitoring Russia’s formidable cyberwarfare force in their preparations to unleash a new wave of cyber-attacks on Ukrainian targets.%3

Posted: 2022-01-29 by Peter Bassill

A new exploit against Unify network devices, of which there is a large number within Gibraltar, was observed on the 20th of January of this year.

Posted: 2022-01-27 by Peter Bassill

The UK's National Cyber Security Centre has published urgent guidance to organisations in light of the activities undertaken by the Russian military's Cyber Warfare teams.

Posted: 2021-12-31 by Peter Bassill

How to achieve Cyber Essentials certification in 2022, without getting a headache.

Posted: 2021-07-07 by Peter Bassill

The current Ransomware situation is growing at an alarming rate, and yet there are some things that businesses and families can do to protect themselves. In this I am going to go through the steps that we at Hedgehog have implemented, so you can

Posted: 2021-06-02 by Peter Bassill

Well, that is the first half of 2021 almost over. We are into summer and it has been a somewhat rough 18 months for everyone. Things are starting to settle down and businesses are now well versed in their new normal of remote working mixed with a small num

Posted: 2021-06-01 by Peter Bassill

Peter, our CEO, talks about why he uses Tor in his day to day lif

Posted: 2021-05-21 by Peter Bassill

IASME asked us to write up our Kali Linux build after a lot of firms were having issues getting their Kali builds through the Cyber Essentials Plus standard. So here I have documented how to build and configure our base Kali Linux machines.

Posted: 2021-03-13 by Peter Bassill

Sat enjoying my early morning cup of coffee, as is my want most mornings, when I got an article alert through Linkedin that piqued my interest.

Posted: 2021-02-25 by Peter Bassill

With penetration testing, you are purchasing the skill of a professional tester, not a toolset or a license code. So I thought it might be useful to explore what happens when you want to pay less for a test.

Posted: 2021-01-29 by Peter Bassill

3 reasons why you should talk about penetration testing, without any Fear, Uncertainty or Doubt.

Posted: 2021-01-26 by Peter Bassill

Cache Creek Casino Resort, in northern California, has been offline since late September due to what it calls a systems infrastructure failure. Their computer systems were the target of an outside attack and that the incident is under investigat

Posted: 2021-01-26 by Peter Bassill

Technology has been progressing faster and faster over the years. What was a critical vulnerability in 2005 is now a redundant memory in the security industry keeping a “gentle” reminder of how important security is in the cyber

Posted: 2021-01-26 by Peter Bassill

Peter demonstrates how to gain access to a domain joined PC and then spawn a reverse shell back to our command and control system.

Posted: 2021-01-26 by Peter Bassill

Over the years that have been a lot of casinos operating online that have been hacked, but it is the smaller operators that tend to be the ones hit hardest.

Posted: 2021-01-26 by Peter Bassill

When cybercriminals are successful in their attacks, not only is money and time lost, but also your data security. Your clients trust you to keep their data safe, and if there is a security breach, all that hard-earned trust can be gone in a

Posted: 2021-01-26 by Peter Bassill

Null cipher suites is where a zero level of encryption is acceptable. This is totally unacceptable in any environment and should be fixed as soon as possible.

Posted: 2020-10-27 by Peter Bassill

We get a lot of people who are looking to understand what it takes to become a penetration tester. We asked our CEO to provide some answers.

Posted: 2020-10-26 by Peter Bassill

October is National Cyber Security Awareness Month, and in this series of blogs we will be providing simple tips and tricks to help you and your staff remain ever vigilant against the threats that criminals pose to our digital lives.

Posted: 2020-10-06 by Peter Bassill

Lets get down and dirty installing Metasploit. One of the most common complaints I receive from my students is that they can not get Metasploit to install so revert to Windows. If you have been following along in my Pentest Workstation series you will have

Posted: 2020-10-05 by Peter Bassill

In this 5 part series, I will be running through how to go about building a pentest server. This is one of the modules I cover with students and interns and I often find myself surprised at how uneasy people feel when they have no GUI.

Posted: 2020-10-01 by Peter Bassill

The great Gibraltar government has been struck by a cyber attack with the end result of being capable of editing overseas territory laws on their website.

Posted: 2020-08-26 by Peter Bassill

What are the Current Cyber Security Trends? By 2021, damages from cyber crime will cost the world a staggering $6 trillion per year. Shocking.

Posted: 2020-08-12 by Peter Bassill

Cybersecurity mistakes happen. Hackers attack roughly every 39 seconds, or thousands of times per day. Everyone is at risk.

Posted: 2020-07-20 by Peter Bassill

In the last year, cyber security analysis has shown that almost half of all British businesses suffered a cyberattack. Cybersecurity is of vital importance for all businesses today, especially those that deal with confidential customer informati

Posted: 2020-07-06 by Peter Bassill

Cybersecurity best practices keep you and your business safe. According to recent statistics, one small business in the UK is hacked every 19 seconds. The average cost of a data breach for British companies is an astronomical $3.88 million. Coul

Posted: 2020-06-11 by Peter Bassill

Wifi Hacking prevalent. Wifi the rapid adoption of remote working, more users are connecting to wifi hotspots than every before. Businesses operate online more than ever in 2020, with it being a necessity for many to properly trade within their sector. But

Posted: 2020-05-28 by Peter Bassill

How to Know if Your Business Has Been Hacked? The internet’s one almighty boon for business, but also for criminals.

Posted: 2020-04-30 by Peter Bassill

Penetration testing is an emerging data protection method. It requires a proper penetration testing methodology.

Posted: 2020-04-29 by Peter Bassill

Another small business in the UK gets hacked every 16 seconds. There are 65,000 attempts to hack small to medium businesses per day.

Posted: 2020-04-16 by Peter Bassill

Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims. GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.

Posted: 2020-04-16 by Peter Bassill

Cybersecurity is the use of technologies, controls, and processes to protect data, devices, networks, programs, and systems from cyber-attacks. These attacks against businesses are on the rise. Yet it seems not many companies are doing enough t

Posted: 2020-04-10 by Peter Bassill

In our "How to securely" series we asked our followers what tools they would like a simple guide on to help them stay secure online. There seemed to be a lot of confusion as to what a VPN is and why you should or should not use one. So we asked Peter to he

Posted: 2020-04-07 by Peter Bassill

The UK's highest court ruled that Morrisons can not be liable for a criminal act of a person seeking to harm their business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not "vicariously liable".

Posted: 2020-04-04 by Peter Bassill

With the current pandemic situation, we all need to be taking remote working considerations. While adjusting the work paradym, it is vital to keep a mind's eye on the security and safety of the businesses information assets

Posted: 2020-04-01 by Peter Bassill

A critical vulnerabiltiy has been identified in Dell EMC iDRAC7, iDRAC8 and iDRAC9. Some unknown processing is affected by this issue. Manipulation with an unknown input can lead to stack based memory corruption.

Posted: 2020-03-31 by Peter Bassill

On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016.

Posted: 2020-03-31 by Peter Bassill

Life has a habit of throwing curve balls at us. Unexpected events that change our daily lives. Businesses try to reduce the impact of these events and put in place contingency budgets, insurance and emergency planning documents. But what happens when those

Posted: 2020-03-26 by Peter Bassill

In a surprising announcement Fortune 500 technology giant General Electric (GE), an organisation that should have this all sown up, disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in

Posted: 2020-03-25 by Peter Bassill

Cisco has recently uncovered hidden flaws which if exploited could lead to privileged code execution. These flaws are found within Cisco's SD-WAN devices which include their vBond and vSmart controllers.

Posted: 2020-03-20 by Peter Bassill

NutriBullet has become the latest Magecart victim with skimmer code planted within their domain in order to steal customer financial data. RiskIQ published their research on Wednesday of this week, and it make very good reading.

Posted: 2020-03-02 by Peter Bassill

I was engaged in a penetration test for a client who had put significant energy into ensuring that their environment was solid and free from attack vectors. Over three days of passive and active surveillance of the client's environment, the most

Posted: 2020-02-30 by Peter Bassill

A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server,) affecting an unknown code block of the component Controller API.

Posted: 2020-02-17 by Peter Bassill

Malware is known as ‘Blackout’ was found in Ukraine in 2015 affecting power plants and in turn causing blackouts. This specific malware target SSH keys to gain access to the victim’s machine unnoticed.

Posted: 2020-02-17 by Peter Bassill

Intel is warning users of a high severity flaw found within their firmware of its Converged Security and Management Engine (CSME) which is used to power Intels Active Management System hardware for the purpose of remote out-of-band management to consumers.

Posted: 2020-02-13 by Peter Bassill

A recent vulnerability was found by researchers from a German security firm. Fixes are available via the Android February 2020 Security Bulletin. The bug is identified as CVE-2020-002; when exploited can result in remote-code-execution without any user int

Posted: 2020-02-12 by Peter Bassill

A recent vulnerability found in Dell's SupportaAssist software found that if exploited correctly can lead to code execution for unprivileged users. This is known as an uncontrolled search path vulnerability (CVE-2020-5316).

Posted: 2020-02-07 by Peter Bassill

A security researcher by the name of Gal Weizman from PerimeterX found multiple flaws within WhatsApp that could potentially lead to remote-code-execution (RCE). The flaws enabled vulnerabilities such as Open-Redirect, Persistent-XSS, CSP-Bypass and read p

Posted: 2020-02-05 by Peter Bassill

It has recently been reported that not long ago, last Thanksgiving, Google had a bug which caused personal photos to be shared to complete strangers. 'The Chocolate Factory' made note of this issue and began notifying users that there is a bug in Google Ph

Posted: 2020-01-16 by Peter Bassill

Intel is a very large corporation most known for their processors. A recent flaw within Intel's VTune Profiler software could enable anyone to upgrade their privileges if exploited correctly.

Posted: 2020-01-08 by Peter Bassill

There has been a recent security issue at the end of 2019 within Twitter that enabled malicious users to attack Twitter Android app users to potentially gain sensitive information like Direct Messages, Protected Tweets, etc.

Posted: 2020-01-07 by Peter Bassill

Airdrop, Apple's file-dropping/file-swapping feature was found with a vulnerability which basically rendered the victims iPad & iPhones unusable.

Posted: 2020-0-18 by Peter Bassill

The CISO Evolution/Revolution. There has been a lot of change for the CISO over the last few months. It is no secret that the last six months have brought about a revolution in businesses change and transformation.

Posted: 2019-12-30 by Peter Bassill

Juice Jacking is an attack-type that involves plugging your phone into public sockets for “charging purposes”. The truth behind these sockets is the installation of malware on your phones and other electronic devices of unsuspecting users.

Posted: 2019-09-11 by Peter Bassill

There has recently been a number of security vulnerabilities in the Pulse Secure Connect SSL-VPN appliance published.

Posted: 2019-07-29 by Peter Bassill

This vulnerability will allow an attacker on a connected network to view any of the files contained within the file share. In some circumstances, it may be possible to add new files and modify existing files within the file share.

Posted: 2019-07-18 by Peter Bassill

Having worked for both Blue Teams and Red Teams, I am automatically paranoid that everything is a potential threat. But I never expected malware on a new laptop.

Posted: 2019-07-10 by Peter Bassill

The second post in my series from the darkened room; sometimes I walk away

Posted: 2019-07-09 by Peter Bassill

A very sophisticated cyber phishing attack targets Gmail users through fraud and unwelcome Google Calendar notifications. This campaign takes advantage of a single common default feature for people using Gmail on their smartphone.

Posted: 2019-07-01 by Peter Bassill

On many vulnerability scans we see SSH being reported as a medium risk vulnerability due to insecure ciphers and poor configurations. In penetration tests we often find we are able to use SSH once we have a set of user credentials, especially where the ser

Posted: 2019-07-01 by Peter Bassill

Apache is probably the most common webserver used and despite there being well documented guides on how to secure apache, we come across web server header issues and very poor SSL configurations on a daily basis. To aid in the remediation, here is Peter Ba

Posted: 2019-02-06 by Peter Bassill

On Monday the 21st of January an issue was identified with Apples FaceTime application. How serious was the risk?

Posted: 2019-01-31 by Peter Bassill

Lets explore, as the CEO of a pentesting company, which emails and letters make it through my filters and which ones dont.

Posted: 2019-01-28 by Peter Bassill

A significant proportion of company leaders see Cyber Security as their biggest risk. Understanding the importance of good Cyber Security practices is relatively easy, determining how best to implement those practices isn't. That is where sometimes you nee

Posted: 2019-01-22 by Peter Bassill

Recently, a database comprising of over 200 million Chinese CVs was discovered online in a compromised position where it was laid bare for the dark web to devour. Naturally, it spilled explicitly detailed information

Posted: 2019-01-18 by Peter Bassill

A security vulnerability in Fortnite, the online game with more than 200 million users, exposed players to being hacked and even secretly recorded during play, a security research firm said.

Posted: 2019-01-04 by Peter Bassill

Throughout 2018 I kept a note of all the passwords encountered across 103 onsite penetration tests I was engaged on or peer-reviewed. From all the passwords, two were extremely memorable.

Posted: 2019-01-02 by Peter Bassill

The majority of penetration tests will invariably reveal passwords of some sort from the user base, especially where that penetration test is done on a Windows network. So, as with last year we continue our annual review of the state of passwords.

Posted: 2018-12-18 by Peter Bassill

In my last post I gave you an insight into how I perfect SSL security. In this post I am going to run through how I harden a production apache instance.

Posted: 2018-12-17 by Peter Bassill

I often get asked for the best way to ensure perfect A or A level of SSL security on Apache web servers. So to answer that particular question, here is how I go it.

Posted: 2018-11-07 by Peter Bassill

I work with a fair few ladies and gents who do bug bounties and while sitting on the beach during one of our hack on the beach sessions, I posed the question 'How friggin evil is clickjacking, PoC or GTFO.' The challenge was set, and here is what we decide

Posted: 2018-06-25 by Peter Bassill

Digital technology has infiltrated every aspect of our lives and opened up our homes to hacking and other forms of criminal activity

Posted: 2018-06-02 by Peter Bassill

We might have had two years to prepare for the introduction of the new General Data Protection Rules (GDPR) but it seems every business left it to the last possible minute before bombarding us all with opt-in emails and if you’re anything like me you use

Posted: 2018-04-15 by Peter Bassill

According to new research by mobile security firm Lookout, mobile phishing attacks have risen by 85% every year since 2011!

Posted: 2018-04-03 by Peter Bassill

The data of millions of users has been exploited by the British firm on behalf of political clients but surely it was only ever a matter of time before we were all used and abused by the highest bidders?

Posted: 2018-03-22 by Peter Bassill

As technology gets more advanced we all think about products that can make our life easier and more secure

Posted: 2018-03-08 by Peter Bassill

When Equifax first announced, in September 2017, that they had been breached no one quite knew the full scale of the incident.

Posted: 2018-03-05 by Peter Bassill

75% of councils do not provide any mandatory cyber-security training despite being hit by 98 million cyber-attacks over a five-year period.

Posted: 2018-03-03 by Peter Bassill

With 2018 just days old it's time to reflect on what proved to be another busy year in the world of cybersecurity.

Posted: 2018-02-15 by Peter Bassill

We knew 2017 was a big year in terms of identity fraud, with headlines being made week after week and month after month. Now it's official, it hit an all-time high in 2017 up 8% on the previous year.

Posted: 2018-02-15 by Peter Bassill

We knew 2017 was a big year in terms of identity fraud, with headlines being made week after week and month after month. Now it's official, it hit an all-time high in 2017 up 8% on the previous year.

Posted: 2018-02-08 by Peter Bassill

inding out you've been hacked is a scary prospect, not least because most people don't really know what it means, just that it sounds serious.

Posted: 2018-01-08 by Peter Bassill

Over the past few days, you will have heard of the new vulnerabilities affecting Intel and AMD processes, but what does it really mean?

Posted: 2017-12-17 by Peter Bassill

New research by Apricorn, into USB use, found that 80% of workers use non-encrypted USB drives on their work computers, which got us thinking about the potential dangers that could be lurking in your office every day.

Posted: 2017-12-08 by Peter Bassill

2017 has been quite a year for hacking headlines and data breaches and it seems that despite all the warnings and advice some people, who really should know better, are still putting themselves and others at risk.

Posted: 2017-02-12 by Peter Bassill

It seems that every day there’s another story about a data breach, with innocent people the world over having their personal information released online – so would you know what to do if you were a victim?

Posted: 2017-01-05 by Peter Bassill

Throughout 2017 I kept a note of all the passwords encountered across 71 onsite penetration tests I was engaged on or peer-reviewed.

Posted: 2016-11-08 by Peter Bassill

On Sunday, Tesco Bank confirmed that 9000 customers had had funds removed from their accounts, in an attack which the banking regulator has described as "unprecedented in the UK".

Posted: 2016-05-16 by Peter Bassill

Research, released by the UK government, found that 43% of all businesses have been hit by a breach in the last 12 months, with that number rising to 66% among larger companies.

Posted: 2016-01-16 by Peter Bassill

In 2009, back when I was the Chief Information Security Officer for Gala Coral Group, I wrote that one of the hot topics for many Chief Information Security Officers was reducing the potential for Data Loss.

Posted: 2015-10-05 by Peter Bassill

Standard monitoring script for Linux servers.

Posted: 2015-06-28 by Peter Bassill

The Payment Card Industry Data Security Standard, commonly shortened to PCI-DSS, was introduced to provide a minimum degree of security when it comes to handling customer card information. While the standard has been around for over a decade, specific requ

Posted: 2015-06-22 by Peter Bassill

Passwords are key to good Cyber Security. October is National Cyber Security Awareness Month, and in this series of blogs we will be providing simple tips and tricks to help you and your staff remain ever vigilant against the threats that criminal

Posted: 2015-01-18 by Peter Bassill

We are living in interesting times as far as information security is concerned. Does it not seem that every few months a large multinational or well established British brand/individual appear to have been the victims of hackers

Posted: 2015-01-01 by Peter Bassill

Fixing RSA Keys Less Than 2048 bits

Posted: 2014-02-26 by Peter Bassill

The Contact Form 7 vulnerability was discovered by Hannah Sharp during a routine penetration test of our own website following the deployment of the latest plugin updates.

Posted: 2009-06-14 by Peter Bassill

This vulnerability is cased by a RC4 cipher suite present in the SSL cipher suite. Fixing this is simple.

Posted: 2009-03-24 by Peter Bassill

This vulnerability is cased by a weak strength cipher being present in the SSL cipher suite. Weak strength is defined within Nessus as any cipher that is less than 64-bit. Fixing this is simple.

Posted: 2009-03-22 by Peter Bassill

There are a number of reasons why Penetration Testing is important. In this article we will explore why penetration testing is important.

Posted: 2009-01-01 by Peter Bassill

This vulnerability is cased by a medium strength cipher being present in the SSL cipher suite. Medium strength is defined within Nessus as any cipher that is between 64-bit and 112-bit or is 3DES.

Posted: 2009-01-01 by Peter Bassill

A very common issue seen in vulnerability scan reports and to an extent, on Penetration Tests. The risk posed by clickjacking varies by who you talk to. For example, Hacker1 say it isn't important at all and can be ignored. We believe that as