Securitum

🔍 Real-World Pentest Insights: What Companies Need to Know About Their LANs 🔍 In our newest report, we’re sharing serious findings from a REAL PENTEST in the LAN of an e-commerce company. No fillers, just 20 pages of high and critical vulnerabilities that reveal where real-world security issues exist and how attackers can exploit them in practice. Some highlights from the report: ❗ Default admin password to MSSQL: This is more than a minor oversight. It enabled remote code execution with system-level privileges, demonstrating how an attacker can escalate privileges from basic network access to a domain level account. ❗ EternalBlue in action: This exploit still continues to surface in outdated systems, leading to unauthenticated remote code execution. It’s a reminder that unpatched vulnerabilities, especially on deprecated systems, often have serious consequences. ❗ Path Traversal: A vulnerability that allowed access to sensitive files on the device, could be overlooked, but one that can be very dangerous when exploited. This isn’t theoretical! It’s a practical look at vulnerabilities impacting real organizations. If you want valuable insights and details, check out our report to learn how to identify and address these risks in your own infrastructure. Link to the article in first comment. #CyberSecurity #PenetrationTesting #InfoSec #DataProtection #VulnerabilityManagement 

📱 Security Mechanisms vs Application Logic: Findings from Mobile App Penetration Tests 📱 Mobile applications come with various built-in security mechanisms. However, these layers are only part of the security puzzle. In our latest article, Martin Matyja describes a real-world vulnerability where application logic flaws allowed child mode restrictions to be bypassed, even with all security measures in place. In this article, we cover: 🔍 A case study on weaknesses in application logic 🔍 Key recommendations for a layered security approach that integrates application logic with traditional security mechanisms 🔍 The importance of testing logic integrity in tandem with API security 🔍 How to prepare your mobile applications for effective penetration testing 🔗 Link to the article in first comment 🔗 #Cybersecurity #MobileAppSecurity #PenetrationTesting #InfoSec #MobileDevelopment 

🔒 New Insight from #PentestChronicles!🔒 🔒 Accessing Internal Network by WiFi Hacking – 2024 Pentest Case 🔒 In our latest article, Aleksander Wojdyła examines a WiFi misconfiguration discovered and exploited in a real penetration test conducted LAST MONTH, highlighting how attackers can infiltrate internal networks through often overlooked entries, such as corporate WiFi. While many organizations focus on securing traditional access methods, wireless networks remains a potential risk, allowing attackers to attempt network breaches simply by being nearby, for example sitting in a café within the same building. Our article, "Accessing Internal Network by Hacking WiFi – 2024 Pentest Case," covers: 👉 Methods attackers use to exploit WiFi configurations to gain access to internal networks. 👉 How improper setups can lead to credential interception. 👉 Essential defenses to safeguard WPA/WPA2-Enterprise networks. 📖 Read the full article: https://lnkd.in/dbQqhEee #CyberSecurity #WiFiSecurity #PenetrationTesting #InfoSec #NetworkSecurity #EthicalHacking #CorporateSecurity 

🔓 New #PentestChronicles: SOQL Injection – How to Exfiltrate Sensitive Data in Real-World Pentests 🔓 In our latest article, Adam Borczyk describes a vulnerability found during a security audit! Exposing Salesforce Object Query Language (SOQL) functionality without proper restrictions rresulted in a serious security risk that could lead to data breaches. In this case study, we walk you through: 👉 Identifying and exploiting SOQL query vulnerabilities. 👉 The risks of misconfigured Row-Level Security (RLS) permissions. 👉 Lessons learned and key steps to protect your applications. 📖 Read the full article in first comment 👇 #CyberSecurity #PentestChronicles #WebAppSecurity #Salesforce #DataSecurity #PenetrationTesting #InfoSec

🔓 New #PentestChronicles: Bypassing Host Validation - Real Pentest Case of Sensitive Data Exposure 🔓 Discover how a single special character can bypass security mechanisms and expose sensitive data!  In our latest PentestChronicles, Mateusz Kowalczyk uncovers how a small misconfiguration in host whitelisting led to serious vulnerabilities. In this case study, we walk you through: 👉 How to identify potential vulnerabilities during penetration tests. 👉 Finding ways to bypass filters using special characters. 👉 The risks of data exfiltration to attacker-controlled servers and the consequences of exploiting vulnerabilities like one we found. Don’t miss out on the valuable lessons learned from real penetration tests! 📖 Link to the full article in first comment. #CyberSecurity #PentestChronicles #DataSecurity #Infosec #PenetrationTesting #ApplicationSecurity #WebSecurity

🔓 New #PentestChronicles: Hacking IBM AS/400 in 2024 - QShell and Remote Code Execution 🔓 Just two days ago, we published our latest public report, but we’re not slowing down! Our expert, Mateusz Lewczak, presents a new PentestChronicle, uncovering vulnerabilities in the IBM AS/400 platform, which is still in use by some companies. In this detailed article, we reveal how a simple led to Remote Code Execution. In this article, you’ll find: 👉 A step-by-step breakdown of the attack using dedicated tools. 👉 Key insights into the root cause of these critical vulnerabilities. 👉 Recommendations on securing these systems against similar attacks. Don’t miss this in-depth analysis. Stay informed and see how we help our clients protect their systems. 📖 Read the full article here: https://lnkd.in/g826cMpB #CyberSecurity #PentestChronicles #RedTeam #Infosec #DataSecurity #PenetrationTesting #VulnerabilityAssessment

🚨 Real penetration tests + vulnerabilities that matter = NEW PUBLIC REPORT! 🚨 Today we’re want to share our public report from a penetration test of the password manager percpass.com by Perceptus! During these tests, our expert @Dariusz Tytko discovered several interesting vulnerabilities, including: 🔒 How to decrypt user data without knowing the main password (5 pages of step-by-step cryptography hacking!). 🔒 The ability to perform internal network reconnaissance using SSRF. ...and much more! In the report, we detail how we identified and exploited the vulnerabilities, providing a clear understanding of the methods used, as well as detailed recommendations for fixing each vulnerability. All vulnerabilities and issues were fixed after the test, making the software more secure for users in their daily use. Both English and Polish versions of the report are available here: https://lnkd.in/dzhkXADr #CyberSecurity #PenetrationTesting #Vulnerability #Infosec #DataSecurity

Startujemy z MEGA Sekurak Hacking Party! www.hackingparty.pl #Securitum #Sekurak

[ENGLISH below] Przypominamy! Już w najbliższy poniedziałek, 30. września, w centrum kongresowym ICE w Krakowie odbędzie się wyczekiwane MEGA Sekurak Hacking Party. Czego można oczekiwać od MSHP? 👉 16 wyjątkowych prelegentów – czołowi eksperci z branży, którzy dzielą się swoim praktycznym doświadczeniem. 👉 Pokazy hackowania na żywo – zobacz na własne oczy, jak hackują doświadczeni pentesterzy. 👉 3 ścieżki tematyczne – każda dostosowana do poziomu wiedzy uczestników: ✅ Ścieżka główna – dla osób doświadczonych w IT security. Usłysz o najnowszych zagrożeniach, ciekawych exploitach oraz skutecznych metodach obrony przed cyberatakami. ✅ Ścieżka intro – idealna dla osób, które dopiero zaczynają swoją przygodę z IT security. Poznasz podstawy hakowania, testowania zabezpieczeń i najlepsze praktyki w zakresie zwiększania bezpieczeństwa. ✅ Ścieżka „Hacking Depot” – sekcja dla prawdziwych pasjonatów cyberbezpieczeństwa! Tutaj nie tylko posłuchasz, ale też zobaczysz ekspertów w prawdziwym hackowaniu na żywo. Chcesz być na bieżąco z trendami w cyberbezpieczeństwie? Sekurak Hacking Party to wydarzenie, którego nie można przegapić! 👉 www.hackingparty.pl Relacja z tego wydarzenia już wkrótce! 🔥 ---- This upcoming Monday, September 30th, the MEGA Sekurak Hacking Party conference will take place in Kraków. What can you expect at our conference? 👉 16 exceptional speakers – leading industry experts sharing their practical experience. 👉 Live hacking demonstrations – see firsthand how experienced pentesters perform real-world hacks. 👉 3 thematic tracks – each tailored to the knowledge level of participants: ✅ Main track – for those experienced in IT security. Hear about the latest threats, intriguing exploits, and effective methods for defending against cyberattacks. Topics include: a discussion of security vulnerabilities related to formats parsing, protecting organizations through a well-designed training program from a bank's perspective, NFC card cloning, Artificial Intelligence used in malicious macros, and much more! ✅ Intro track – ideal for those just starting their journey in IT security. You’ll learn the basics of hacking, security testing, and best practices for enhancing security. This track will cover topics such as: an introduction to OSINT, effective methods for system intrusions, network traffic filtering, and even hacking in the automotive industry. ✅ Hacking Depot track – a section for true cybersecurity enthusiasts! Here, you won’t just listen – you’ll also witness experts performing live hacking. Two sessions will take place where step by step you will be shown how to effectively exploit security vulnerabilities in example applications or networks. 👉 www.hackingparty.pl A report on this event will follow soon! 🔥 #securitum #PenetrationTesting #sekurak #CyberSecurity #Pentest #Infosec #Vulnerability #DataSecurity #CyberConference 

On September 30, 2024, the next MEGA Sekurak Hacking Party will take place! We invite everyone interested in the topic of cyber security to the ICE Congress Center in Krakow. More info at www.hackingparty.pl #securitum #PenetrationTesting #sekurak #CyberSecurity #Pentest #Infosec #Vulnerability #DataSecurity