Threat Intel
Imagine this, you setup a server and it has a really weak administrator password! Now let’s imagine you expose RDP to the internet. How long would it take to get pw3nd?
Well we did this, using a custom configuration to make this safe, we setup a Windows Server, setup an administrator account with the password of ‘password’ and monitored the logs! So let’s see what we found.
Read more “Administrator:password”
Threat Intel
‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’
https://www.fortiguard.com/psirt/FG-IR-25-772
This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN and then analysis using an LLM (GROK) (so take the analysis with a pinch of salt):
Read more “FortiSIEM CVE-2025-64155 Exploitation Analysis”
Leadership
There’s lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having say an Active Directory domain member, or even controller exposed to the internet with Remote Desktop Protocol? Might sound insane but this is a common route for entry for ransomware actors.
Read more “The danger of internet exposed RDP”
Guides
Phishing, Brute Force, Data Breaches, Info stealers etc. are all ways in which people steal credentials. We’ve had this problem for decades, stealing something or guessing something people know is relatively trivial over the internet. This leads to a huge volume of the breaches we have seen over the last 20+ years. Whilst people seem to understand this, they don’t seem to know how to change to fix this…. (it’s not that we don’t know it’s that change is hard for lots of reasons). So there might be a solution with the adoption of passkeys! So what are passkeys?
Read more “What are passkeys and how do they work?”
Defense
This weekend at BSIDES London it was great to have the UK National Cyber Security Center (NCSC) (the UK’s technical authority on cyber security) give a talk about passkeys!
Leadership
If someone asked you how much the cost of a task is, I bet you would struggle to given them an accurate response, the default position of most people is to underestimate a cost of doing something (but estimation science show’s us that it tends to vary based on role e.g. project managers are risk averse, engineers think they can solve things faster than they can and executives often just want it to be cheaper for the sake of it being cheaper – Parkinsons Squeeze I think that is called)
Years ago I stared looking at total cost of ownership (TCO) and Return on Investment modelling (I mean a lot of years ago….) and I’ve created a range of models for organisations for:
Threat Intel
A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.
Read more “Analysing 1 Million Honeypot events with Defused Cyber Deception”
Defense
This weeks been an interesting one, I’ve been doing quite a bit of research recently with my friend Simo from Defused defusedcyber.com. Simo has built a new emulated honeypot platform, and anyone that know’s me knows I love honeypots, deception and intel sharing to help defenders and to impose cost on the baddies! (technical terms here ok!)
Read more “Suspected Fortinet Zero Day Exploited in the Wild”
Education
Detecting ‘Dark Tunnels’ is an important element to corporate security, much like detecting unauthorised RMM usage. But what is a dark tunnel?
according to GROK:
Read more “Detecting ‘Dark Tunnels’ with Microsoft Defender using KQL”A dark tunnel (sometimes called a “dark pool tunnel” or simply a secure reverse tunnel in networking contexts) refers to a type of secure, outbound-only tunneling technology that allows private access to internal services, devices, or networks without exposing them to the public internet. The “dark” aspect emphasizes that the tunnel is hidden or invisible from external scanners—there’s no inbound port forwarding, firewall holes, or public IP exposure required. Instead, it relies on encrypted outbound connections from the internal resource to a cloud-based relay or peer-to-peer mesh, enabling zero-trust access (e.g., via authentication tokens or keys).
This approach is popular in DevOps, IoT, remote work, and cybersecurity for bridging on-premises or edge devices to the cloud securely, often bypassing NAT traversal issues or legacy VPN complexities.
Education
I was doing some testing with Cloudflare tunnels this weekend and I woke up this morning to see if funny honeypot messages I had, I quickly checked if the site was online and found a cloudflare error message. This is a just an IIS instance running on a windows 11 PC (with no WIFI or Bluetooth) plugged into a test network (so if it gets pwn3d, it’s not going to impact anything important).
Read more “Windows Defender at my tunnel”