Latest News

Privasec and its subsidiary DroneSec are excited to sponsor the inaugural BSides Melbourne conference, to be held on 16th and 17th February. BSides Melbourne provides a great platform for first-time speakers, students, and new and experienced professionals to share their work and learn from others. If you are attending the conference, do check out our DroneSec T-shirts. See the full event details here:


The Privasec team in Brisbane, Queensland is very excited to be working with one of Australia’s most exciting payments providers as they finalise their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants and service providers across Australia are increasingly being asked by their acquiring banks and customers to provide evidence of their compliance. The PCI DSS QSAs at Privasec have been helping clients for many years to understand how the standard impacts their business, how to adopt the security controls required by the standard, and how to achieve this in the most productive, cost-effective and timely manner. If you are not sure how PCI DSS might impact your business, Privasec’s PCI DSS health check can provide the answers.

Privasec’s Consultant, Sajeeb Lohani, has been invited to speak at the OWASP Conference in Auckland, New Zealand on 22nd February. The OWASP New Zealand conference provides a great platform for security professionals, developers and software testers to discuss development techniques for building more secure applications. Sajeeb will be addressing core threat modelling concepts for identifying edge cases in software prior to releasing it publicly. Come and say hello if you are attending the conference. Check out the event details here:

In March 2018, a non-profit cybersecurity organization in Switzerland launched project URLhaus with the aim of detecting, collating and sharing URLs that distribute malware. In the 10 months since its inception, over 265 security researchers have helped take down nearly 100,000 websites that were distributing malware.

The URLhaus project has been a massive success and is assisting network administrators and security analysts with protecting their environments. Averaging 300 new detections per day, the feed is freely available to anyone via the project’s API and feeds, or it can be downloaded and imported into non-programmatic protection systems. The URLhaus detections are also distributed to prevalent blacklisting services such as Google Safe Browsing, Spamhaus DBL and SURBL.

Some interesting trends can be identified from analysis of the project’s published statistics. The notable standout from the list of detected malware is Emotet, a banking trojan derived from the earlier banking trojan Feodo. Discovered in June 2014, Emotet has become one of the most costly financial malware infections and, as the URLhaus data shows, is still rampant today.

Almost every week, another entry is added to an ever-growing list of data breaches around the world. In many cases, attackers gain access to sensitive information such as a hashed password database. An alarming observation from recent breaches is how the credentials were stored.

Many of the recent breaches (small and large) involved storage methods that are outdated and insecure by today’s standards, such as MD5, unsalted SHA variants and even plain-text passwords. These methods make it trivial for an attacker to recover the plain-text passwords through brute-force attacks.

The ISM and NIST provide guidance and recommendations on storing passwords. In summary:

• ISM: As per control 1252, agencies must store credentials in a hashed format using a strong hashing algorithm that is uniquely salted, for example a hashing algorithm from at least the SHA2 family.

• NIST: Passwords must be hashed (SHA1-3) and salted with at least 32-bits of data.

It’s recommended to ensure that best-practice and hardening guides are followed to protect such sensitive information. In addition, layering security controls such as MFA provides an extra level of protection. The goal is to ensure that if a breach does occur, brute-force attacks against the stored credentials prove impractical.
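The guidance above, worked as an added example (this is not Privasec’s code): an unsalted MD5 store of the kind the breaches relied on, beside a per-user salted store built from the SHA2 family (PBKDF2-HMAC-SHA256 is an assumed construction; the salt length and iteration count are assumed values, with the 32-bit NIST minimum treated as a floor), plus a constant-time verifier and a check that shows how an unsalted database reveals which users share a password.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this illustration; the article only sets the floor
# (a salt of at least 32 bits, a hash from at least the SHA2 family).
SALT_BYTES = 16          # 128-bit random salt, well above the 32-bit minimum
PBKDF2_ROUNDS = 100_000  # work factor; tune upward for production hardware


def weak_store(password: str) -> str:
    """Unsalted MD5: the insecure pattern the article warns against."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt with SHA-256-based PBKDF2.

    Returns the record as 'salt_hex$hash_hex'; the salt is stored beside the
    hash because it is needed again at verification time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    candidate = strong_store(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, stored_hex)


def shared_hash_count(records: List[str]) -> int:
    """Number of records that duplicate another one.

    With unsalted hashes, identical passwords produce identical records, so an
    attacker who cracks one entry has cracked every user sharing it; a unique
    salt per user removes that signal.
    """
    return len(records) - len(set(records))
```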

Author: David Roccasalva

How are you storing your passwords?