Chapter Author
Contact Graeme
Journalists, students, potential clients or anyone else: email graeme@datasecurityexpert.co.uk
Something private to say? PGP public key
Cyber security loopholes: just because you have invested in new “state of the art” defences, it does not mean there are no ways round them
When you are researching new technical security controls you need to think like me: ask how it can be broken and, if it can, keep looking for a plug or a new vendor until you have covered every possible eventuality, which is of course next to impossible. We have all heard the terms “next generation” security (often firewalls or UTMs) or “military/banking grade” security (usually encryption). In many cases these products are not amazing. Just look at InfoSec Europe in London: every year there is a “craze”, and machine learning, artificial intelligence or threat intelligence crop up most years. How can 100+ products all doing the same thing work?

The problem is that many people do not think about these loopholes, and even if they did, would they spend the extra cash trying to close them? In the past I have spent weeks researching a particular problem, and during that time I read up on and test out tens of products per category, e.g. email security gateways. Even the ones that do seem good at times do not do what they are meant to do.
Zone transferable DNSExit.com: probably the most insecure DNS and hosting provider out there!
I stumbled upon DNS Exit and some of their clients a month or two back, and noticed that zone transfer* worked.

*This “feature” lets you grab all DNS records, most of which are normally private. It is rare these days for this trick to work, and it worked not only on dnsexit.com but on all of its tens of thousands of clients! Zone transfer is typically off by default; you can enable it but lock it down to another domain or IP. With this provider it is on, with no option to turn it off or restrict it. Its legitimate use is to sync DNS zones (the “database”) between name servers.

Why do exposed DNS records matter? Typically just the records for email settings (MX) and the main web address IP (@/www - A) are visible. Others are hidden, and for good reason: they show services used internally and by certain clients. Imagine if anyone knew the address of your VPN, webmail, document store and client extranet. They could start attacking, looking for flaws, or simply phish their way through. Zone transfer is not the only flaw at DNS Exit…
Zone transfer of themselves. If they can’t even secure themselves, how can they be expected to secure clients?
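As an added example (not from the original post, and not DNS Exit's configuration), this is what the “lock it down to another IP” restriction described above looks like in BIND's named.conf: the weak setting that lets anyone pull the zone, beside a setting that refuses transfers by default and allows them only to one secondary that presents a TSIG key. The zone name, key name, secret and secondary address (192.0.2.53) are placeholders, and the two zone blocks are alternatives, not meant to sit in one file.

```conf
// WEAK: anyone who can reach port 53 may pull the whole zone (the behaviour
// the post describes). Do not use this block together with the one below.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// HARDENED, step 1: refuse transfers for every zone on this server unless a
// zone says otherwise.
options {
    allow-transfer { none; };
};

// HARDENED, step 2: a TSIG key shared only with the secondary.
// Placeholder secret: generate a real one with `tsig-keygen xfer-key`.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// HARDENED, step 3: the zone allows transfers only to requests that both come
// from the secondary's address AND are signed with the key. The nested
// negation is BIND's idiom for "address and key", not "address or key".
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { !{ !192.0.2.53; any; }; key xfer-key; };
    also-notify { 192.0.2.53; };
};
```

Apply the same restriction on every authoritative server for the zone, secondaries included, since a single open server exposes the lot. Verify from a host outside your network with `dig axfr example.com @ns1.example.com`: a correctly restricted server answers “Transfer failed.” instead of listing the zone.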
Think your outsourced supplier or method of paper shredding is secure? See these photos and think again!
Whenever I am out on the street, abroad or at home, working or on holiday, I always spot funny insecure situations and take a photo if possible. Below are just four stories along the lines of outsourced shredders; there are many more stories on other topics, including photos.

Story #1: outsourced on-site shredding into massive chunks
At a place I was working at in London they had 2-3 shredder bins on each floor. They were always locked, though at times overflowing, which meant you could pinch paper out of them. Every week or two a lorry would come along and a security guard would escort the driver to collect each shredder bin in the building and take it to the lorry in the gated car park. One day I asked facilities how this worked and they gave me the name of the company. It was a big company with ISO 27001, ISO 9001 and two other ISOs related to environmental standards. Great, I thought – not that I fully respect companies which are certified.
Page 15 of 57