A Threat-Based Approach to Penetration Test Reporting
What is the impact to my company if an identified vulnerability is exploited?
At HALOCK Security Labs, (more…)
Managing AI Risks in Organizational Adoption and Usage
The Heist
It started with an email. A routine request from the CFO to the finance department, instructing them to expedite payment to a new vendor. The message bore all the usual signs of legitimacy—familiar language, corporate jargon, and even the CFO’s signature, perfectly replicated. The email security system flagged nothing unusual.
The finance team complied, unaware that the CFO had never sent the request.
Behind the scenes, (more…)
What are DeepFakes?
Before getting too invested in your online connection, ensure it’s not a DeepFake. Advances in technology have taken catfishing to new heights. Bad actors can manipulate their visuals and voice online or over the phone to impersonate someone else. They use these false identities to find their way to your heart and your data.
DEEPFAKES
The mere mention of this should throw you (more…)
Compromised Credential Leads to Major Educational Data Leak: PowerSchool
Description
K-12 schools manage vast amounts of sensitive personal information about students and educators. Many school districts use a cloud service provider to host this data and provide insights and analytics. PowerSchool is the leading provider of cloud-based education software for K-12 education in the United States, serving over 55 million students and 17,000 educational institutions across more than 90 countries. On December 28, 2024, PowerSchool (more…)
What Legislation Protects Against Deepfakes and Synthetic Media?
A Deep Look at Legislation
Deepfake legislation in the U.S. is advancing swiftly to combat the rising risks associated with synthetic media, addressing critical areas such as cybersecurity, privacy, election integrity, and intellectual property. Federal and state lawmakers are enacting and refining laws to curb the misuse of deepfake technology, focusing on issues like fraud, defamation, election manipulation, and (more…)
Why Every Organization Needs an Effective Incident Response Plan (IRP)
The Strategic Edge: Why Every Organization Needs an Effective Incident Response Plan (IRP)
There is no doubt that the threat landscape has greatly expanded in recent years. According to the Identity Theft Resource Center 2023 Data Breach Report, 2023 saw a 72% increase in data breaches since 2021. Seventy-five percent of security professionals report seeing an uptick in attacks over the past year, with (more…)
Understanding Access Control: Authentication vs. Authorization
This post explores two essential components of access control for web applications and APIs: authentication and authorization. HALOCK Security Labs’ Pen Testing Team has discovered a significant number of authentication- and authorization-related findings during web application and API penetration testing. While both concepts are foundational in computing, they are often misunderstood or confused. Although the concepts themselves may seem straightforward, (more…)
Exploiting API Endpoints
Relying on frontend controls for access management can lead to attackers gaining excessive privileges.
HALOCK Security Labs Web Application Penetration Testing can fully identify and evaluate web application vulnerabilities. There are a variety of ways to exploit a web application to retrieve sensitive data. In a recent client engagement, the HALOCK Security Team identified a critical vulnerability by exploiting (more…)
More Corporate Giants Fall Victim to the MOVEit Vulnerability
Description
There is an adage that says, “Old habits die hard.” Exploitable vulnerabilities die just as hard. It was May 28, 2023, when the MOVEit vulnerability was first identified. MOVEit is a Managed File Transfer (MFT) product developed by Progress Software that securely transfers files and data between servers, systems, and applications. The vulnerability, known as CVE-2023-34362, allows attackers to bypass authentication on unpatched (more…)
Toymaker Settles Data Breach Class Action Suit for $500,000
Description
Squishable, a New York-based company that makes cute and cuddly companion toys for children, suffered what is referred to as a Magecart attack that affected nearly 16,000 customers back in 2022. These attacks are carried out by injecting malicious scripts into e-commerce sites to steal payment information. In Squishable’s case, the malicious code was present on their website from May 26 to (more…)