Analysing industry for the year ahead
Edward Farrell
It’s been a few weeks since we’ve done a write up; November through to Christmas was a bit of a rush, and our retooling & reorientation in our team of January and the rush of work in February has taken most of our team away from doing any write ups. In previous years, […]
Advocatus Diaboli: 5 rules for effectively employing a red team
In 2002 the United States Armed Forces conducted a war game exercise called the Millennium Challenge. The challenge involved a number of exercises, computer simulations and table top activities to test and validate the capability and weaknesses of the US Military as it transitioned to network centric warfare with more effective command and control of […]
Why we should stop “pen testing” COTS
The team & I had a few engagements recently where we’ve been asked to conduct penetration testing against a common off the shelf solution (COTS) such as Office 365, Oracle applications and Palo Alto firewalls. When I questioned organisations why, it becomes apparent that pen-testing is the narrative that is getting pushed throughout the industry. […]
We’re hiring a senior consultant!
Great news! We’re looking to hire a senior consultant in the next few weeks and have put together a bit of a job description below, as well as details on how to apply. Who are we? Mercury Information Security Services (just Mercury) are a leading provider of information security services, advice and consulting in Australia. […]
Conducting a penetration test if not ethically then at least lawfully
Whilst I assert ethics are subjective and can often lead to misguided notions of what is ethical hacking (i.e., some audiences believe that hacking coal mines in the name of the environment is ethical) I wanted to put together an article providing guidance on if not ethical, then certainly legal considerations during penetration tests and […]
The fight for easy hardening scripts
Several years ago, most cyber security practices maintained a series of easy, straightforward Windows scripts that could be run to extract security configurations or execute hardening. The difficulty we’ve encountered a lot of is that readily accessible scripts that are regularly maintained are now the remit of venture capital backed software as a service […]
Wardriving/crochunting for rogues - an exploration of Sydney’s mobile telecommunications infrastructure
With some 80 items on my research list from the past two Defcons, I thought it would be a great idea to have a go at one of them in whatever spare time I had. The first one on this list was using the EFF’s software, crochunter, for a war-drive around the city for rogue […]
Part 2: A weekend dive into the attack
Thankfully a bit of free time on the weekend has given me an opportunity to form a bit more of a detailed analysis of the information provided and hopefully put together a more comprehensive analysis. A rough schedule of events To draw out the events on a timeline from what has been provided, I reviewed […]
19th of June 2020: A brief analysis on the “cyber attack” and its artifacts
Earlier this morning the Prime Minister of Australia announced that Australia is currently being targeted with a massive cyber attack by a sophisticated foreign “state-based” hacker. The ACSC released the indicators of compromise that can be employed by a security operations centre (SOC) or internal IT team to defend against as well as query historical data […]
COVIDSafe Part 4: Deeper analysis, activities post pandemic, and a call to “hack the data”
I’ve gone a little deeper and let COVIDSafe run for a while in the following environment setup below. I wanted to validate and reassure that the data sent is limited, but also wanted to have a deeper exploration into Bluetooth. Needless to say, I think this experiment validated some assumptions, identified some information gaps and […]