The whole of information/cyber security is founded on the idea that we can defend ourselves into security. But in the history of competitive endeavours nobody has won by playing defence alone. We have this idea that we can wrap our users and systems in enough padding to protect them in a world where guns exist. We’ve leaned so hard into this idea that we’re on the floor and it’s time to look up.
We’ve spent a lot of time creating Ruler and turning it into what we think is a useful attack tool. The goal behind the project was to highlight the command execution potential of weak credentials when combined with Exchange and Microsoft Outlook. That goal has largely been met: we can now demonstrate that compromising user credentials can be much more than “just” reading email. Microsoft has also been great in their response to the issue, with both client-side rules and forms having been effectively mitigated through patches to Outlook.