Securitum

Securitum: leading European penetration testing company.

02/01/2024

🚀 Hack, learn and have fun with us at our new event "Hackowanie sieci na żywo" (Network Hacking Live)!

📅 When? 15.01.2024
⏰ Time: 19:00 - 22:00
🌐 Format: Online
💰 Cost: Pay what you want!

Join us and explore the world of cybersecurity in practice!

The Securitum expert team of Michal Sajdak, Tomek Turba, Krzysztof Bierówka and Marek Rzepecki will demonstrate live a variety of hacking approaches: infrastructure reconnaissance, attacks on Windows systems and various applications, moving through a compromised network, and methods of defending against these cyber threats.

💡 What do you gain?
Practical knowledge of cyberattack techniques and how to defend against them.
The opportunity to ask the experts questions during the Q&A session.
A certificate of attendance and a chance to win Sekurak gadgets.

🎯 Who is it for?
This live session is intended for administrators, developers, testers and anyone working in IT who is interested in real-world cybersecurity.

Hack with us!
More information and registration at: https://sklep.securitum.pl/hackowanie-sieci-na-zywo

********
🌐 Hacking live with Securitum!

We are excited to share our next cyber security livestream event; the previous livestream attracted more than 3,000 attendees from Poland.
This event, featuring live hacking demonstrations by experienced experts, offers a deep dive into the dynamic world of network security.

Topics covered include infrastructure reconnaissance, attacking Windows systems, navigating compromised networks and effective cyber defense strategies.
Each session includes an extensive Q&A with the opportunity to win gadgets, and all participants will receive a certificate after the event.

Although currently held in Polish, an English version will follow soon to reach an even wider audience.
Stay tuned for our future events and join our growing international community in exploring the secrets of digital security!

13/11/2023

🔐 New insight from the PentestChronicles series: "Unveiling hidden data: a log file's security breach".
Case from 2023 pentest by Robert Kruczek.

🕵️ In our newest case study, a simple .gitignore file led to a surprising find - a log file full of 2FA SMS details.
A deep dive into the client's app revealed phone numbers and tokens meant for two-factor authentication, all because of a log file stored in the wrong place.
This kind of information is valuable for hackers and could let them easily bypass 2FA.

🛡️ Our tip: Anonymize logs and keep them out of the web root with strict permissions. It's a straightforward fix for a big security boost.

📖 Check out our site for the full story and secure your data now!
https://www.securitum.com/unveiling_hidden_data_a_log_files_security_breach
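As an added example (not code from the Securitum write-up), the two halves of the tip above in Python: a logging filter that masks phone numbers and one-time codes before any handler writes them, and a check that the log path is not under the web root. The regex patterns, sample log lines and paths are constructed assumptions.

```python
import logging
import re
from pathlib import Path

# Constructed patterns (assumptions): E.164-style numbers with a "+" prefix, and
# 4-8 digit one-time codes introduced by "code", "token" or "otp".
PHONE_RE = re.compile(r"\+\d{9,15}")
OTP_RE = re.compile(r"(?i)\b(code|token|otp)\b(\W{1,3})(\d{4,8})\b")

def redact(text: str) -> str:
    """Mask phone numbers (keep country code and last two digits) and OTP values."""
    text = PHONE_RE.sub(lambda m: m.group(0)[:3] + "*" * (len(m.group(0)) - 5) + m.group(0)[-2:], text)
    text = OTP_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return text

class RedactingFilter(logging.Filter):
    """Rewrites the record's message and string arguments before a handler formats it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the effect can be inspected offline."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []
    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

def log_path_is_safe(log_path: str, web_root: str) -> bool:
    """True only if the log file does not live inside the document root."""
    log, root = Path(log_path).resolve(), Path(web_root).resolve()
    return log != root and root not in log.parents

def demo() -> list[str]:
    logger = logging.getLogger("sms2fa-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    # Constructed events resembling the leaked log: recipient number plus SMS code.
    logger.info("Sent 2FA SMS to +48123456789 with code 482913")
    logger.info("OTP verification for %s, token=654321", "+48987654321")
    return handler.lines
```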

03/11/2023

What should the optimal process of ordering and conducting pentesting look like❓

1️⃣ Send a request to recommended and proven pentesting companies, providing the data that may be relevant to pricing. If you don't have the necessary knowledge, the auditing company should offer the help of a technical consultant to collect this data.

2️⃣ The offer from the auditing firm should include a detailed scope, budget and work schedule. Ask about the service process (including whether your tests will be coordinated by a dedicated Project Manager).

3️⃣ Once the offer is accepted, both parties should sign a purchase order or contract. Also take care of the NDA.

4️⃣ The Project Manager assigned to the project by the auditing company should confirm the technical and organizational details of the audit, as well as the timing.

5️⃣ Before the start of the work, it is a good idea to conduct pretests, during which you confirm whether the application/infrastructure/accounts are working and ready for the audit.

6️⃣ The designated auditor carries out the security tests within the agreed timeframe.

7️⃣ Upon completion of the tests, a security report is provided, including vulnerabilities found and recommendations for their remediation. If significant vulnerabilities are discovered during the course of the tests, such information is sent to the client immediately as a draft report.

8️⃣ After the tests are completed, it is worth doing retests, during which the auditor confirms whether the detected vulnerabilities have been successfully fixed.


20/10/2023

Perfect cooperation with the client is not a fantasy. It really happens!
❤️❤️❤️

That's why we're sharing another public security test report with you!
This time we performed penetration tests on a web application and conducted a security analysis of the source code for addy.io.

The result of our tests is a positive assessment of the security status, confirmed during retests.
Check out our testing methodology and what vulnerabilities we were able to find: https://lnkd.in/depV77Kv.

Our client is also happy to publish the report because there is something to be proud of - during the tests, our auditor did not identify any significant security vulnerabilities; only a few low-risk vulnerabilities and information points were reported: https://lnkd.in/dZj5C8FV

17/10/2023

It has just arrived from the printing house! ❤️
Our newest book entitled: "Introduction to IT security" (Polish version).
Still smelling new... 😊

13/10/2023

Securitum tips: Staying ahead of threats

The world of cybersecurity is a constantly evolving battlefield. As a pentesting company, our primary role is detecting vulnerabilities. However, we also dive into the complexities and nuances that define modern security challenges. Our experience extends beyond rigorous penetration tests to include valuable training sessions, empowering companies to become their own first line of defense.

What should you know❓
Even the most advanced software can have vulnerabilities, not necessarily within itself, but through third-party integrations. Last year, we observed a recurring pattern: an application might be deemed secure, but the third-party software it uses could be vulnerable, providing potential entry points for attackers. When building a new product, ensure that the third-party software you choose is well-developed and likely to receive ongoing support.

Common oversights we’ve noticed:

1️⃣ Administrative missteps:
Instances where system administrators disable password policies can weaken overall defense mechanisms. Similarly, accounts granted broader permissions than required can become potential entry points for malicious actors.

2️⃣ Third-party vulnerabilities:
Your system's strength is determined by its weakest link. If you use third-party software, ensure they uphold the highest security standards. Vulnerabilities there could jeopardize your primary software.

3️⃣ The human factor:
Despite technological advancements, human behavior can still be a wild card. Continuous training and awareness are paramount. A mere phishing email can bypass state-of-the-art IDS/IPS, leading to ransomware attacks or data breaches.

✔ What we recommend:

👉 Regular pentesting:
Schedule penetration tests regularly to uncover potential vulnerabilities, whether they were overlooked during development or introduced later.

👉 Training & awareness:
Invest in educating your team. An informed employee can be a formidable barrier against cyber threats.

👉 Monitor third-party software:
Regularly audit and check any third-party software your systems depend on.

Our mission is to help businesses prosper in a digital environment that's both safe and secure. We advocate a three-pronged strategy: test, train, and stay updated.

For deeper insights and more tips, follow our page and explore our PentestChronicles series. There, we dissect real-world vulnerabilities and discuss strategies to counteract them.

03/10/2023

Excited to share another story from our PentestChronicles series, "Demystifying Prototype Pollution and its link to DOM XSS" by Kalina Zielonka❗

A real pentest case shedding light on JavaScript’s inherent vulnerabilities. The article highlights the dangers and offers a step-by-step exploitation scenario, illustrating real-world implications.
A must-read for anyone interested in web security!

👉 Check out the full article: https://www.linkedin.com/posts/securitum_pentestchronicles-pentestchronicles-cybersecurity-activity-7114897968696037376-aLFr

27/09/2023

👉 The Silent Threat of ReDoS: 2023 Real-Life Pentest Case 👈

In our latest deep-dive from the PentestChronicles series, we shed light on an interesting vulnerability: Regular Expression Denial of Service (ReDoS). Discovered during a real-life penetration testing session, this flaw can have profound implications for web applications, leaving them vulnerable to DoS attacks.

ReDoS takes advantage of complex regular expressions to overwhelm systems, leading to major slowdowns. It's a clear reminder of the subtle problems hiding in our digital setups.

Dive into the article to explore the technicalities, risks, and mitigation strategies. Learn how to find, exploit and defend your applications.



https://www.linkedin.com/pulse/silent-threat-redos-2023-real-life-pentest-case-securitum

24/09/2023

Real report from real penetration test - again 😎

We are presenting a public report of penetration security tests performed for another industry.
👉 This time, it is a pentesting report of an e-learning platform that helps medical students prepare for the final medical exam and work as doctors.
👉 During the pentests, we verified the security of the web application, API, and HTTP server.

Check how vulnerabilities are found by skilled professionals - the report is available on our website.

There, you will find the full version of the report including a summary of the most important security findings and recommendations.



https://www.securitum.com/public-reports/Medical_e-learning_platform.pdf

31/08/2023

🔐 Why Trusting Expertise Matters in Cryptography - lesson from 2023 🔐

We recommend an article written by our colleague Mateusz Lewczak on creating your own cryptography.

It's a real-life case in 2023❗

https://www.linkedin.com/pulse/why-you-shouldnt-roll-your-own-cryptography-real-life-case


08/08/2023

🔐 From our PentestChronicles: A minor oversight, a major compromise 🔐

In our latest story, we share a surprising discovery from one of our real-life penetration tests: a minor mistake hidden for 7 years that led to the potential compromise of a Domain Controller.

This incident reinforces two critical points in cybersecurity:

1️⃣ Even the smallest oversight can lead to significant vulnerabilities. In this case, user passwords were stored in a visible Active Directory attribute field, leading to an account with "Domain Admin" privileges being compromised.

2️⃣ The importance of a strong password policy. Use phrases composed of several words, numbers, and special characters - they are strong and memorable.

For more details, check out the full story!




Address

Zagaje 54
Zagaje

Phone

+48123523382