New Zealand Cyber Security Blog

Thoughts on the cyber security landscape with a pinch of technical insights

When Scanning Isn’t Enough: Practical Tips for Log4j Vulnerability Detection

The Log4j critical vulnerability (CVE-2021-44228) is being actively exploited and is a major concern for organisations worldwide.

Log4j Critical Vulnerability (CVE-2021-44228): Planning for the holidays

The Log4j/Log4Shell incident is continuing to evolve. We have seen both blue teams and red 

Log4j Critical Vulnerability (CVE-2021-44228): Practical Tips to Protect Your Organisations

Over the weekend, the Log4j vulnerability kept security teams across the world at work and

Accellion Kiteworks Vulnerabilities

Adam discusses a set of of Kiteworks flaws, chained into authenticated user to remote root code exec

Fortinet FortiPortal Vulnerability Disclosures

Ben provides details on the recent vulnerability disclosures to Fortinet in the FortiPortal management portal

AirTag Hacking

Jamie shares an improved methodology for dumping the firmware of an
Apple AirTag.

Identifying Gophish Servers

Alain shares a methodology for discovering and identifying Gophish deployments in the wild. How easy is your Gophish installation to spot?

Ghostscript SAFER Sandbox Breakout (CVE-2020-15900)

Tim shares the discovery process of a recent Ghostscript bug, and lessons learned.

Advanced Open Redirection Vulnerability Discovery

Toby discloses advanced methods for detecting open redirection vulnerabilities.

JSON Web Token Validation Bypass in Auth0 Authentication API

Ben discusses a JSON Web Token validation bypass issue disclosed to Auth0 in their Authentication API.

Exploring Users With Multiple Accounts In BloodHound

Alain presents a methodology and Python script for exploring Active Directory users with multiple accounts in BloodHound.

PlayStation Classic Hacking

Ben discusses a method for gaining a root shell on the PlayStation Classic with the use of hardware hacking techniques.

CyberCX Security Report | September 2021

  • Delayed Reporting of Breaches Due to System Faults
  • Cyber Criminals Target GitHub Repositories
  • Top API Vulnerabilities
  • Microsoft Exchange Server Vulnerabilities


ISO 27001 is a risk-based compliance framework designed to help organisations effectively manage information security.

CyberCX Security Report | August 2021

  • Privacy and Universal Jurisdiction
  • Microsoft Warns of New Phishing Campaign
  • Director Responsibility for Cyber Security
  • Joint Advisory by AU, US and UK

CyberCX Security Report | July 2021

  • The Race to Patch
  • Insurance and Ransom Payments
  • Securing VPNs

Enhancing protection of Australian critical infrastructure

Critical infrastructure law reform remains a major focus for the Australian Government in 2021.

CyberCX Security Report | June 2021

  • Securing OT and Critical Infrastructure
  • Government Considering Mandatory Cyber Crime Reporting
  • SolarWinds Phishing Campaign
  • Securing DevOps Pipelines

CyberCX Security Report | May 2021

  • Australian firm unlocks iPhone
  • Supply chain vulnerabilities
  • Public-private partnership
  • Unpatched vulnerabilities

CyberCX Security Report | April 2021

  • Aggressive patching key to limiting your exposure to newly discovered vulnerabilities
  • Acer reportedly facing $50M ransomware attack
  • Ransomware – a unique challenge for small business

Asymmetrical Cyber Security

One challenge many large organisations encounter when developing cyber security strategies is how to adequately protect digital assets from adversaries that are smaller and more agile.

CyberCX Security Report | March 2021

  • Grow your business by investing in cyber security
  • InfoSec training is a business enabler
  • Don’t neglect upgrading legacy systems
  • QR codes expose devices to security risks

CyberCX Security Report | February 2021

  • Boosting Privacy Protections
  • Securing Digital Supply Chains
  • Chrome Updates

LogRhythm Zero Days

As a result of our team’s penetration testing and exploitation activities, we uncovered a series of high-risk vulnerabilities that could be chained together.

CyberCX 2020 AppSec Hackathon roundup

Gamified learning, such as hackathons, are widely seen as one of the most effective ways to develop new skills.

CyberCX Security Report | December 2020

  • New rules for financial sector
  • Don’t neglect physical security
  • Securing your search engine ranking
  • API security for AWS users

CyberCX Security Report | November 2020

  • Research highlights HTTPS and JavaScript security limitations
  • Insecure Third-Party Opens Way for Hackers
  • Password-less IoT devices leave industries vulnerable
  • Keep on top of patching to stop “Bad Neighbour” vulnerability

Top 5 reasons to make hackathons part of your team’s security training program

As managers look for new ways to upskill and motivate their teams, games are emerging as an increasingly popular component in employee security training programs.

CyberCX Security Report | October 2020

  • Critical Vulnerability Allows Attackers to Bypass O365 MFA
  • Insecure Third-Party Opens Way for Hackers
  • Don’t Neglect Patching
  • Zerologon Vulnerability Potentially Allows Attackers Full Administrative Rights in Your Domain