At Dionach we are proud of our well-established research and development program. Our team of consultants are focused on continually uncovering new technical vulnerabilities in software and hardware, raising the bar in security assessment services and sharing our knowledge through whitepapers and various industry channels.
Through the responsible disclosure process we have published numerous vulnerabilities in leading software applications that our team has identified.
As part of our commitment to remaining vendor independent and offering the best technical solution to each client engagement, we also develop proprietary security tools for testing methods including vulnerability scanning, spear phishing and security auditing. In practice, our consultants have a wide range of commercial, open-source and custom tools at their disposal to deliver industry-leading outcomes for our client base.
Some of our custom tools are published as open source on Dionach’s GitHub page: https://github.com/Dionach.
One of the recurring issues in our internal penetration tests is inadequate password management, which in most cases leads to a fast takeover of the Active Directory (AD) domain. Most system administrators consider that just enabling password complexity and setting a sensible password length are enough. However, since “Password1” can
As a networking student I remember reading about IPv6 and its imminent introduction on more than one occasion. Articles predicting the complete depletion of the IPv4 address space were plenty and you could be forgiven for thinking that IPv4 would simply disappear overnight and be replaced with the new protocol.
A new version of the CREST Cyber Essentials questionnaire (part of the Cyber Essentials assessment) has been made available by CREST, with a grace period of until September the 28th 2017 for using the older version for submissions. There are several changes which are summarised as follows. Passwords A major
On Friday, 12th May 2017, an unprecedented ransomware attack, named WannaCry infected more than 230,000 computers in 150 countries and a number of large organisations such as the NHS, Telefónica, FedEx and Deutsche Bahn were among them. WannaCry spreads across local networks and infects systems that have not been updated
Stack traces are commonly used for debugging purposes by software developers in order to find what went wrong in the application they are developing. The traces contain useful information and only occur when something goes wrong, unless someone intentionally causes an error. These errors should be gracefully handled by their
Reposcanner is a Python script designed to scan Git repositories looking for interesting strings, such as API keys or hard-coded passwords, inspired by truffleHog. Sensitive information like this often gets included in the earlier stages of the development process (or accidentally), and is generally removed before the application or source
In a recent engagement, I was working on a fairly secure website and I came across an interesting Umbraco content management system (CMS) package called Umbraco Forms. Umbraco Forms version 4.1.5, 4.2.1, 4.3.2 and earlier minor versions are vulnerable to local file inclusion (LFI) in the “GetExport” web API endpoint
The release candidate (RC1) version of OWASP (Open Web Application Security Project) Top Ten Web Vulnerabilities for 2017 has recently been published and it is currently undergoing a public comment period. OWASP Top 10 2017 has several changes and I deemed this a good chance to discuss the changes as
ISO 27001 heavily uses risk assessments as part of the process of maintaining an Information Security Management System (ISMS). As part of the process, realistic threats to the company are listed, controls implemented, and effectiveness monitored. Below are some ideas for making risk assessments that work in everyday use, and