Latest News

We are very excited to announce PRIVACON 2020, Privasec's first international summit coming to different regions this October! Join us as we ride the digital skies and cross virtual borders to hear from an incredible diverse lineup of industry speakers.

Congratulations to our Senior Consultant David Roccasalva, for his discovery and responsible disclosure of a MFA Authentication Bypass vulnerability on VMWare Horizon DaaS (9.x, 8.x and 7.x) for VMware earlier this year.

VMWare Horizon DaaS (Desktop as a Service) is a remote desktop and application service used by organisations for working remotely on applications, which is depended by many during the remote work situation as a result of COVID-19.

emergent risk

Privasec had the privilege of being invited on the board panel discussion last week organised by Cyber Data-Risk Managers.

Romain Rallu together with Teresa Dyson, Michelle Beveridge, Meena Wahi, moderated by Shamane Tan discussed the perspective of boards on Super funds, experience of complying with APRA CPS234 to business continuity and lessons learnt from living in pandemic times, all the way through to emerging risks and risk transfer options.

Watch it here now to tap into this jammed packed and insightful exchange if you've missed out!

Cyberrisk 4

With the entire world mostly moving online, our Executive Advisor Shamane Tan has wasted no time in bringing her acclaimed Cyber Risk Meetups (of more than 3,000 cyber security professionals across Australia, Singapore and Japan) to the digital platforms as well. We are proud to be a community supporter as she launched the Mega C-Suite Series, seeking to bring real insights from various C-executives.

Episode 1 featured guest speaker Dan Lohrmann, a renowned government CISO from the US where he shared some stories of his personal failure and successes over the past few decades. The episode covered his Cyber Storm days to how he built the pandemic playbook for H1N1 all the way to how he nearly got fired as a CISO.

Cyber insurance vs security policies privasec

Data breaches are rampant in the world of business today. Hardly a week goes by without a reported breach or fines that range into the millions of dollars. This new age of security has brought about a change in the way that organisations structure their risk, and their insurance. Unfortunately for many, their over-reliance on cyber insurance to bail them out when they suffer a breach leaves them with a “customer last” security policy.

Threat actors around the world have been trying to take advantage of the coronavirus pandemic situation by registering coronavirus related domains and selling them at a discounted price on the dark web. The average number of registrations for such domains have increased almost 10 times over the past few weeks.


Image Source: The Hacker News

Mr Builder: ‘I only had 14 days to build this web app, I don’t have time to keep up with the demands of continuous testing and security.’

Mr Breaker: ‘Your application has insufficient transport layer protection and insecure direct object references and don’t even get me started on the security misconfigurations’.

Mr Builder (Yellow) loves to build, and Mr Breaker (Red) loves to break. It is no wonder why these two do not get along. In many cases, the builders would wait for a penetration test excel sheet from the breakers, google their way to change a few configurations of the code and get back to their job of building more apps/ softwares.

Orange Team

In 2019, attackers are phishing targets to retrieve sensitive information that ultimately leads to data compromise. Phishing is the technique where a malicious actor lures a victim into revealing sensitive information. This can be through large “spray-and-pray” type campaigns involving multiple recipients or, a more targeted approach crafting attacks for specific individuals, known as Spear Phishing. Phishing has been around since the early days of the Internet as one of the oldest vectors of attack.


An ADC (Account Data Compromise) event occurs when a third-party attacker or a group of attackers gain unauthorised access to cardholder data that is held within an organisation in either electronic or physical form. Even though the number of ADC events may vary year by year, it takes only one ADC event to negatively impact an organisation.

Account Data Compromise steps

It is a wrap!

Privasec's DroneSec team had a great time at the Singapore Airshow (Asia' largest Aerospace and Defence event) and Global Drone Security Network (GDSN) last week.

DroneSec CTO