Story image

Inside NZ's 'ethical hacking' firm and its quest to make systems safer

26 Jun 2017

New Zealand's first ethical hacking company has issued a critical warning to those using Microsoft Edge and Internet Explorer after it discovered zero-day vulnerabilities back in May.

Attackers are able to exploit the vulnerabilities and gain access to sensitive information. They could also run malicious code on victims' machines, Security-Assessment reports.

The company's principal consultant Scott Bell discovered the vulnerabilities in May, and Microsoft patched them in the same month.

“Security-Assessment follows responsible disclosure guidelines. This means alerting the vendor to the vulnerabilities immediately and not releasing information about the vulnerabilities until they are fixed. This is to prevent malicious actors from actively exploiting the vulnerabilities," Bell explains.

Despite being patched by Microsoft, the company is urging users to apply the patches or face being attacked.

Practice lead Phil Doole says there could be worrying repercussions for those who do not apply the patches.

“The ability for an attacker to run malicious code on a victim’s machine could have dramatic and severely damaging impact for both organisations and individuals,” he says.

"These vulnerabilities are known as 'memory corruption'. The vulnerabilities allow a malicious user to craft a special web page which, when visited, can download a payload to allow access to the victim's machine. This is typically delivered via a technique called spear phishing. Such vulnerabilities are often used by state-sponsored actors (APT) to gain a foothold in the target network," the company adds.

This year the company has facilitated seven security advisories, the most of any New Zealand security firm, it claims.

In one case, the company helped to provide incident response and forensics after a state-sponsored APT group infiltrated a client's network.

The company says that with a 100% hit rate in penetration test this year alone, it means there hasn't been one engagement in which it hasn't identified vulnerabilities.

"User awareness is key. Educating users on the dangers of clicking unsolicited links in emails can help to prevent spear phishing attacks from succeeding. For organisations running Windows 7 or older, upgrading to Windows 10 will bring additional enhancements that help to protect against such vulnerabilities," the company says in a statement.

Security-Assessment was established in 2002. In 2007, it became a wholly-owned subsidiary of Dimension Data and continues to operate as a vendor-neutral offensive security consultancy, providing security, assessment and assurance services for organisations. Dimension Data has offices in Auckland, Wellington and Singapore.

Chillisoft rounds out portfolio with file integrity vendor
Tripwire is the fourth vendor for Chillisoft in six months, adding critical security controls, vulnerability management and file integrity monitoring.
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Optic Security Group celebrates Axis accolade
Auckland-based business security systems provider Fortlock has picked up an award at Axis Communications’ annual Oceania Axis Partner Summit 2019.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.