Latest from Techday NZ


Techday NZ
4 hours ago
- Techday NZ
Outpost24 identifies key OAuth risks & best practice solutions
An analysis by Outpost24 has examined seven of the most common vulnerabilities present in OAuth implementations and outlined recommended measures organisations can take to mitigate these risks.

OAuth, short for Open Authorization, is a widely used industry protocol that allows users to grant one site access to their data held on another site without sharing their credentials directly. This delegation of authority involves issuing tokens that provide time-limited and scoped permissions to client applications on behalf of users.

Underlying complexity

Although OAuth helps reduce direct exposure of user credentials and supports fine-grained access control, its broad flexibility also creates significant opportunities for errors during implementation. The protocol's reliance on strict validation of parameters, endpoints and tokens, as well as correct management of application state, means that mistakes or oversights can introduce vulnerabilities that attackers can exploit.

Outpost24's analysis notes that OAuth is not inherently weak, but that its "power (delegated, token-based access) relies on numerous checks and balances. However, OAuth vulnerabilities often arise when developers or architects skip steps, like byte-for-byte URI validation, state verification, or signature checks on ID tokens. These oversights create exploitable gaps that attackers can target. So, OAuth itself isn't inherently 'weak'—but its flexibility and the proliferation of optional parameters and flows make it easy to misconfigure in ways that lead to real-world vulnerabilities."

Common vulnerabilities

The analysis identifies seven main areas where OAuth vulnerabilities commonly occur:

1. Open redirect and redirect URI manipulation: If the system does not strictly validate redirect URIs, attackers can manipulate authorisation flows to direct tokens or codes to endpoints they control, resulting in unauthorised access to user data.
2. Missing or weak Cross-Site Request Forgery (CSRF)/state protections: Failing to include a robust state parameter tied to each user's session enables attackers to trick users into completing authorisation requests that generate tokens for attacker-controlled clients.
3. Implicit flow and lack of Proof Key for Code Exchange (PKCE): The use of implicit flow, where access tokens are delivered directly via the browser, exposes tokens to interception. Without PKCE, even the more secure code flow can be susceptible if an attacker can access intermediate codes.
4. Inadequate scope validation and overly broad permissions: Applications may request excessive permissions, which can lead to abuse if an attacker acquires the access token. Users can be misled into granting high-privilege access.
5. Token leakage via insecure storage or transport: Storing tokens in browser storage areas accessible to client-side scripts, or transmitting them over insecure channels, can lead to theft through network compromise or browser vulnerabilities.
6. Missing or ineffective token revocation: Without appropriate means to revoke tokens, attackers or malicious clients may retain access indefinitely, even after a user believes they have rescinded authorisation.
7. Homegrown or outdated OAuth implementations: Custom or obsolete libraries may omit essential security checks, such as validating signature fields or all necessary request parameters, making exploitation feasible through replay or impersonation attacks.

Mitigation strategies

The analysis offers concrete recommendations to address each identified risk. For redirect URI threats, strict, exact matching of registered URIs is advised, along with enforcement of HTTPS. To defend against CSRF threats, the report urges clients to "generate a cryptographically random state value, store it in the user's session, and include it in the request. Strictly validate state on callback," and to make use of SameSite cookie attributes.
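As an added illustration of the first two mitigations (exact redirect URI matching and a session-bound state parameter), the following Python is example code written for this page; it is not Outpost24's code and not any particular library's API. It puts the authorization server's exact-match redirect URI check beside the prefix-match shortcut it replaces, and shows the client side minting a state per session and verifying it once on callback. The client identifier "client-abc", the registered callback URI, the session dictionary and the attacker hostnames are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example data: the redirect URIs registered for a hypothetical
# client.  A real authorization server reads these from its client registry.
REGISTERED_REDIRECT_URIS = {
    "client-abc": ("https://app.example.com/oauth/callback",),
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Authorization server: exact, byte-for-byte match, HTTPS only.

    No normalisation, no prefix matching, no "same host is good enough".
    An added query parameter, a trailing slash, a different path or a
    look-alike host is a different URI and is rejected.
    """
    if urlsplit(redirect_uri).scheme != "https":
        return False
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    return any(
        hmac.compare_digest(redirect_uri.encode("utf-8"), r.encode("utf-8"))
        for r in registered
    )


def redirect_uri_allowed_weak(client_id, redirect_uri):
    """The shortcut the analysis warns about: a prefix match on the registered
    origin.  Kept only to show what it lets through (see the usage below)."""
    for r in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        parts = urlsplit(r)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False


def begin_authorization(session, client_id, redirect_uri):
    """Client: mint a fresh state, bind it to this user's session and return
    the query parameters for the authorization request."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    session["oauth_state"] = state
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }


def finish_authorization(session, callback_params):
    """Client: accept the callback only if its state equals the one stored in
    this session.  The stored value is removed first, so a state is single use
    and a callback arriving with no pending request is rejected."""
    expected = session.pop("oauth_state", None)
    received = callback_params.get("state")
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), str(received).encode("utf-8"))


if __name__ == "__main__":
    good = "https://app.example.com/oauth/callback"
    lookalike = "https://app.example.com.attacker.example/oauth/callback"
    open_redirect = "https://app.example.com/go?next=https://attacker.example/"
    for uri in (good, lookalike, open_redirect):
        print(f"strict={redirect_uri_allowed('client-abc', uri)!s:5} "
              f"weak={redirect_uri_allowed_weak('client-abc', uri)!s:5} {uri}")

    session = {}
    request = begin_authorization(session, "client-abc", good)
    print("forged state accepted:", finish_authorization(dict(session), {"state": "forged"}))
    print("genuine state accepted:", finish_authorization(session, {"state": request["state"]}))
    print("replayed state accepted:", finish_authorization(session, {"state": request["state"]}))
```

Run stand-alone, the prefix check accepts both the look-alike host and an open redirector on the genuine host, either of which would deliver the authorization code to an attacker; the exact-match check accepts only the registered string. The state check is what stops a victim from being walked through an authorization request that an attacker started; a SameSite cookie attribute on the session cookie, as the report also recommends, keeps the browser from attaching that session to cross-site callbacks in the first place.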
The deprecation of the implicit flow and the universal adoption of PKCE are recommended for public clients. The analysis recommends the "use of authorization code flow + PKCE for all public clients". PKCE binds the token request to the client instance that started the authorization request, so an authorization code intercepted in transit cannot be exchanged by a party that does not also hold the code verifier.

Two key principles for scope management are limiting scope requests to the minimal set required and validating the granted scope on the server side.

Regarding token storage and transport, the advice is to "use secure, HttpOnly cookies for storing tokens" and to "enforce TLS everywhere… All endpoints (authorization, token, resource) must enforce HTTPS with strong ciphers." Short token lifetimes and refresh token rotation are also recommended to reduce the exposure following a token compromise.

For revocation, the report recommends implementing dedicated endpoints that can invalidate access and refresh tokens in accordance with relevant standards, with continuous verification at the resource server layer to ensure revoked tokens remain unusable.

On the issue of custom or outdated OAuth implementations, the recommendation is to "adopt well-maintained libraries and frameworks" and to "stay current with RFCs and security advisories," underscored by regular code reviews, threat modelling and attention to emerging IETF best practices.

Operational recommendations

To build a resilient OAuth deployment, enforce strict validation of redirect URIs, state parameters, and token signatures; adopt PKCE for all public clients; and adhere to least‐privilege scope requests. Ensure secure storage and transmission of tokens (favouring HttpOnly cookies over local storage) and implement token revocation with continuous introspection. Use community‐trusted OAuth libraries, keep up with evolving IETF/OAuth 2.1 guidelines, and maintain robust logging/monitoring to catch misuse quickly.
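To make the PKCE recommendation concrete, the following Python is an added example written for this page (not Outpost24's code and not any OAuth library's API). It implements the S256 transform from RFC 7636 on the client side and the two authorization-server checks that give PKCE its value: the authorization endpoint refuses requests without an S256 challenge, and the token endpoint releases a token only when the verifier presented matches the challenge stored with the one-time code. The in-memory code store, the client identifier "client-abc" and the token response shape are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 restricts the verifier to 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier():
    """Client: 32 random bytes, base64url-encoded, gives 43 unreserved
    characters, inside the window RFC 7636 requires."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(code_verifier):
    """The S256 transform from RFC 7636:
    BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed in-memory stand-in for the authorization server's code store:
# authorization code -> what was bound to it at the authorization endpoint.
_ISSUED_CODES = {}


def issue_authorization_code(client_id, code_challenge, code_challenge_method):
    """Authorization endpoint: refuse requests that do not carry an S256
    challenge (a missing challenge and the 'plain' method are both rejected),
    then bind the challenge to a one-time code.  Returns the code or None."""
    if code_challenge_method != "S256" or not code_challenge:
        return None
    code = secrets.token_urlsafe(32)
    _ISSUED_CODES[code] = {"client_id": client_id, "code_challenge": code_challenge}
    return code


def exchange_code(code, client_id, code_verifier):
    """Token endpoint: the code is consumed on its first presentation, whether
    or not the exchange succeeds, and a token is released only if the S256
    transform of the presented verifier equals the challenge stored with the
    code.  Returns a constructed token response or None."""
    record = _ISSUED_CODES.pop(code, None)
    if record is None or record["client_id"] != client_id:
        return None
    if not code_verifier or not _VERIFIER_RE.fullmatch(code_verifier):
        return None
    expected = record["code_challenge"].encode("utf-8")
    actual = code_challenge_s256(code_verifier).encode("utf-8")
    if not hmac.compare_digest(expected, actual):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    # Legitimate client: the verifier never leaves the client, only the challenge travels.
    verifier = make_code_verifier()
    code = issue_authorization_code("client-abc", code_challenge_s256(verifier), "S256")
    print("client exchanges its code:", exchange_code(code, "client-abc", verifier) is not None)
    print("replay of the same code:", exchange_code(code, "client-abc", verifier) is not None)

    # Attacker holding an intercepted code but not the verifier that produced its challenge.
    stolen = issue_authorization_code("client-abc", code_challenge_s256(make_code_verifier()), "S256")
    print("stolen code, guessed verifier:", exchange_code(stolen, "client-abc", make_code_verifier()) is not None)
```

Two design choices are worth noting. Only S256 is accepted because a "plain" challenge equals the verifier and so gives an attacker who sees the authorization request nothing to guess. The code is popped from the store before any verification, so a failed attempt burns it: an attacker who races the legitimate client with a stolen code causes that login to fail rather than gaining a second try, which is the safer of the two outcomes. The report limits the recommendation to public clients; the OAuth 2.1 draft goes further and requires PKCE for every authorization code exchange, which is what this server enforces.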
Outpost24's analysis points out that by addressing these common misconfigurations and implementation issues, organisations "significantly reduce the risk of credential theft, unauthorised API access, and large-scale data breaches arising from flawed OAuth integrations."


Techday NZ
12 hours ago
- Business
- Techday NZ
Exclusive: Logistics firms face rising OT cyber threats amid global tensions
Cyber attackers are increasingly targeting logistics and supply chain networks, aiming to destabilise nations and gain strategic leverage without ever crossing a border.

According to Leon Poggioli, ANZ Regional Director at Claroty, the recent cyber espionage affecting logistics firms supporting Ukraine is not an isolated trend but part of a broader pattern. "There's two key reasons nation states do this," he explained during a recent interview with TechDay. "One is to disrupt the other nation's defences, and the other is to put political pressure on the general public by interfering with their supply chains."

These attacks frequently target operational technology (OT) systems - the core infrastructure behind physical processes in logistics, energy, manufacturing and healthcare. Poggioli said attackers exploit connectivity in these environments to carry out sabotage remotely. "A lot of these environments have some kind of external connectivity, so that gives an attacker an ability to remotely trigger a cyber attack and disrupt those supply chains."

In some cases, tactics have extended to disrupting weapons infrastructure, such as drones. "When one nation uses drones, the other will defend itself by trying to jam signals and disrupt that infrastructure," he explained.

Compared to IT systems, OT vulnerabilities can be far more complex and risky to remediate. Poggioli noted that in OT, even small changes can impact safety and operations. "In the IT world, it's easy to push patches out," he said. "In OT, even a minor change can disrupt operations, so remediation needs to be more targeted."

Claroty's platform is built to help organisations quickly cut through large volumes of vulnerability data to find what really matters. "A site may have 1,000 vulnerabilities, but we can whittle that down to the five that make the most impact," he said. "That becomes a manageable number that a cyber leader and OT asset manager can act on within weeks."

Recent data from Claroty's global survey of cybersecurity professionals reinforces the growing financial and operational risks posed by cyber attacks on cyber-physical systems (CPS). Nearly half of respondents (45%) reported financial impacts of $500,000 USD or more from such attacks in the past year, with over a quarter suffering losses of at least $1 million. These costs were largely driven by lost revenue, recovery expenses, and employee overtime. "It's a growing concern across multiple sectors, particularly in chemical manufacturing, energy, and mining – more than half of organisations in those sectors reported losses over half a million dollars," Poggioli said.

Ransomware remains a major burden, especially in sectors like healthcare where 78% of organisations reported paying over $500,000 to regain access to encrypted systems. "These are real costs, not theoretical risks," he added. "And they're rising."

Operational downtime is also widespread. Nearly half of global respondents experienced more than 12 hours of downtime following an attack, with one-third suffering outages lasting a full day or more. "When operations halt, the financial and reputational damage mounts quickly," Poggioli said.

He added that one of the most pressing vulnerabilities is the level of remote access in these environments. "We're seeing around 45% of CPS assets connected to the internet," he said. "Most of that is done through VPNs that were never built for OT security."

Third-party access is another growing concern, with 82% of respondents saying at least one cyber attack in the past year came through a supplier. Nearly half said five or more attacks stemmed from third-party connections, yet 63% admit they don't fully understand how these third parties are connected to their CPS environment. Poggioli pointed to this as a critical blind spot. "Legacy access methods and poor visibility are allowing attackers in through the back door," he said.

Even more concerning is the risk from insiders. "You want to be able to trust your team, but someone with inside knowledge can do more damage than an external attacker," Poggioli said. "Even air-gapped environments need constant monitoring."

A cyber attack on Denmark's power grid in 2023 served as a wake-up call. "One operator didn't even know they had the vulnerable firewall in their system," he said. "That's why visibility is so important. You can't secure what you don't know exists."

While preparedness across the logistics sector varies, Poggioli believes the industry is slowly recognising the strategic value of cybersecurity. "It's going to become a point of competitive advantage," he said. "Customers are going to start asking serious questions about cyber security and supply chain integrity."

He drew a sharp distinction between cyber criminals and state-backed actors. "Cyber criminals want fast financial gain, but nation states are more focused on political objectives," he said. "They have better resources and longer timelines. That changes the game."

Poggioli warned that just because no incident has occurred doesn't mean attackers aren't already embedded in critical networks. "There's growing evidence of adversaries nesting in these systems," he said. "My hypothesis is they're preparing for future conflict. If war breaks out, they're already in position to strike."

For logistics firms looking to strengthen their defences, Poggioli said the first step is basic visibility. "Most people I speak to admit they don't know 100% what's out there or how it's connected," he said. "Start with an asset inventory. Once you have that, you can start risk modelling and reduce exposure."

There are signs that resilience strategies are making a difference. According to the Claroty report, 56% of professionals now feel more confident in their CPS systems' ability to withstand cyber attacks than they did a year ago, and 72% expect measurable improvements in the next 12 months.
Still, Poggioli said complacency is not an option. "If you don't know how big the problem is, you won't know how to solve it," he said. "Once you understand the risks, you can act to protect your operations and show the business the value of cyber security."


Techday NZ
14 hours ago
- Business
- Techday NZ
Commvault & Kyndryl partner to boost cyber recovery services
Commvault and Kyndryl have announced a partnership to deliver incident recovery services for organisations aiming to enhance data security and meet regulatory requirements. The two companies will work in collaboration with Pure Storage to provide services intended to help organisations recover faster from cyber incidents, improve cyber resilience, and address complex regulatory demands.

Kyndryl's cyber resiliency services portfolio includes Incident Recovery Services, Managed Backup Services, and Hybrid Platform Recovery. Through this new partnership, it will be supported by Commvault and Pure Storage to assist organisations in adhering to regulations such as the European Union's Digital Operational Resilience Act (DORA), NIS2 Directive, Payment Services Directive 2 (PSD2), New York Department of Financial Services (NYDFS) regulation NYCRR 500, and Australia's Prudential Regulation Authority (APRA) CPS 230 standard.

Expanding cyber recovery services

Under the collaboration, Commvault and Kyndryl plan to enhance support for enterprise customers facing persistent cyber threats and increasing data management complexity, particularly in multi-cloud environments.

"Cyber preparedness is no longer regarded as optional for global organizations; it is mandatory," stated Allen Downs, Vice President of Security and Resiliency Services at Kyndryl. "Through this collaboration with Commvault and Pure Storage, we are further positioned to assist some of the world's most esteemed organizations in completely redefining their data protection strategies."

The joint approach leverages Pure Storage technology alongside Commvault's cyber resilience and recovery solutions. This combined offering introduces a four-layer architecture designed to streamline compliance and speed up recovery for hybrid cloud customers.

Technology and features

The four-layered architecture includes the following components:

Cyber Resilient Vault: an isolated, immutable data vault, based on zero-trust, to safeguard backup data from unauthorised access and tampering.
Clean Recovery Zone: a controlled setting for forensic review and staged recovery using validated clean backups.
Production Rapid Restore: capability for swift, reliable dataset restoration by using Pure Storage FlashBlade, with immutability features such as S3 Object Lock and SafeMode.
Immutable Snapshot Recovery: enables quick, application-consistent restoration of key workloads through Commvault IntelliSnap and Pure Storage FlashArray.

The services are developed to promote automated and ongoing cyber recovery testing. Support extends to Commvault Cleanroom Recovery within both public cloud and on-premises isolated environments overseen by Kyndryl. Organisations are enabled to validate their recovery processes to comply with DORA Chapter II (Risk Management), Chapter IV (Operational Resilience Testing), and related regulation.

Meeting regulatory needs

The collaboration is set against a backdrop of increasingly rigorous and complex regulatory landscapes. Organisations are now required to demonstrate not only the protection of their critical data, but also the capability to restore operations swiftly following a digital disruption.

"Our partnership with Kyndryl is built to address the biggest challenges facing the enterprise today, such as the persistent threat of cyberattacks, including ransomware, and the increasing complexity of managing massive data growth across multi-cloud environments," said Alan Atkinson, Chief Partner Officer at Commvault. "When combined with the innovative Pure Storage platform, the three companies are together helping organizations stay resilient and prepared to act decisively in the face of disruption."
As businesses face mounting pressures from both cyber threats and regulatory scrutiny, integrating compliance with resilience strategies is becoming increasingly necessary.

"As regulatory frameworks like DORA set higher standards for operational resilience, organizations are implementing strategies that integrate regulatory compliance with the ability to recover swiftly from cyber disruption," said Maciej Kranz, General Manager, Enterprise at Pure Storage. "Together with Commvault and Kyndryl, we're delivering advanced security features and a scalable foundation of layered resilience that helps organizations meet these mandates and restore critical operations quickly and reliably."

The services provided by the three companies are available across North America, Europe, and the Asia-Pacific region. Clients and partners will have opportunities to engage through existing partner programmes and access supporting resources aimed at enhancing cyber resilience and compliance capabilities.


Techday NZ
15 hours ago
- Business
- Techday NZ
Drone Forge secures record Flexrotor order with Airbus in Asia-Pacific
Drone Forge and Airbus Helicopters have signed an agreement for the purchase of six Flexrotor uncrewed aerial systems, totalling 17 aircraft, in the largest single order for the Flexrotor to date. The agreement specifies that the Flexrotor systems will be mission-ready and tailored to support a wide range of operational requirements within the Asia-Pacific region. These include littoral surveillance, high-altitude inland missions, infrastructure monitoring, and maritime environment assessment.

Each Flexrotor unit will be equipped with a heavy fuel engine designed for maritime operations. This configuration is intended to enhance safety, ensure widespread fuel availability, and improve interoperability with naval assets in the field. Starlink connectivity will be integrated into the systems to facilitate beyond-line-of-sight operations and enable real-time situational awareness. Furthermore, the Flexrotor will incorporate PT-6 imaging technology. This technology provides stabilised, high-resolution capabilities for intelligence, surveillance, and reconnaissance (ISR) missions, supporting efficient wide-area maritime monitoring.

Thomas Symes, Chief Executive Officer of Drone Forge, emphasised the anticipated impact of the Flexrotor in new market segments. "We are fully convinced that the Flexrotor, built on a strong engineering heritage, will allow us to tap into new markets with a proven solution where real-time intelligence, mission flexibility and reliability matters," Symes said. "We look forward to integrating and commercialising the Flexrotor systems in the region."

The agreement is the follow-up to a recent Letter of Intent signed between Drone Forge and Airbus, establishing a framework for collaboration in the deployment and integration of the Flexrotor UAS in Asia-Pacific operations.

Olivier Michalon, Executive Vice President of Global Business at Airbus Helicopters, highlighted the significance of the order for the company's partnership with Drone Forge. "The landmark order opens a new chapter in our partnership with Drone Forge, reinforcing our shared commitment to delivering cutting-edge crewed-uncrewed teaming capabilities to Asia-Pacific operators," Michalon said. "With strong confidence in the Flexrotor's efficiency and reliability, this force multiplier will drive operational excellence in defence and security applications."

The Flexrotor is the latest addition to the Airbus UAS portfolio. It is a modern Vertical Takeoff and Landing (VTOL) uncrewed aircraft with a maximum launch weight of 25 kg. It is designed for Intelligence, Surveillance, Target Acquisition, and Reconnaissance (ISTAR) missions, with an operational endurance of 12 to 14 hours under typical configurations. The system supports the integration of varying payloads, including electro-optical systems and advanced sensors that can be tailored to meet the specific needs of individual customers. Its autonomous launch and recovery capability is designed for operation from both land and sea, requiring only a 3.7 by 3.7 metre area for deployment, making it suitable for expeditionary missions that demand a minimal logistical footprint.

With the agreement now in place, Drone Forge and Airbus Helicopters will move forward with the commercialisation and regional deployment of the Flexrotor systems in the Asia-Pacific market. The order marks a significant commitment to expanding the scope of uncrewed aerial systems in defence, security, and monitoring missions across the region.


Techday NZ
15 hours ago
- Business
- Techday NZ
Acron Aviation launches Astra app to boost airline efficiency
Acron Aviation has announced the launch of its new iOS application, Astra, which is designed to provide pilots and management teams with personalised performance data and insights before and after each flight. The app is described as a tool for transforming how flight performance data is accessed and used by pilots and airline operators.

Astra incorporates modules that focus on safety and efficiency, making use of advanced data analytics and machine learning algorithms to deliver tailored intelligence to end-users. Designed to be customisable, Astra integrates with both Acron Aviation's own Flight Data Monitoring platform and third-party systems, enabling seamless adoption across fleets.

Data-driven flight operations

Astra's safety module offers pre- and post-flight insights, prioritising safety and fostering continuous improvement for pilots and operations teams. Key features include the monitoring of fuel consumption, aircraft wear-and-tear, and performance metrics, all available through an intuitive dashboard that provides management teams with comprehensive oversight at fleet level.

Mitesh Patel, Vice President and General Manager Flight Data Intelligence at Acron Aviation, commented on the launch: "With Astra, we're closing the gap between Standard Operating Procedures (SOPs) and actual flight performance." Patel continued, "By leveraging Machine Learning algorithms and our database of 45 million flights, we're delivering personalised, timely, and engaging feedback directly to pilots. Astra represents a significant advancement in how airlines can monitor and optimise fuel consumption and reduce wear-and-tear. This approach not only enhances safety, it also improves operational effectiveness and reduces costs."

The comprehensive information provided by Astra empowers both pilots and management. For pilots, critical data is consolidated in one application, aiming to reduce the burden of switching between tools while in the cockpit or during pre-flight preparation.

Efficiency partnership

Astra was developed through a strategic partnership between Acron Aviation and FuelVision, a company with a focus on flight efficiency and data-driven performance. Elena Escrivá de Romaní Pérez, Chief Executive Officer of FuelVision, explained: "Astra increases awareness and engagement with efficiency programs by providing pilots with individual feedback and coaching, as well as providing detailed analytics on fuel consumption patterns, identifying potential savings opportunities, and offering actionable recommendations to optimise flight operations." She continued, "FuelVision was founded by pilots, which means we do things in a fundamentally different way and our starting point is always through the lens of a pilot."

The Efficiency module in Astra enables airlines to benchmark performance, track adherence to Standard Operating Procedures, and tailor training programmes based on observed areas for improvement. Customisable parameters also make it possible to inform and adapt fleet-wide pilot training aligned to the latest performance data and trends.

Key features

Astra processes over 25,000 flights daily, ensuring that debriefs and feedback are delivered to pilots within 15 minutes of landing. Its features include a dashboard for monitoring fuel usage and wear indicators, machine learning-driven analysis of operational effectiveness, unified performance views covering safety and efficiency metrics, and the development of individualised training plans targeted at specific needs.

The app can provide pre-flight briefings to pilots with route-specific operational data, enhancing preparation and situational awareness. Following each flight, pilots receive a debrief based on rapid analysis of flight data. Comparative benchmarking allows crew members to measure performance relative to peers within their fleet, reflecting a commitment to continuous improvement and team-based oversight.

For management, Astra adds value by highlighting both strong performance and areas that require additional support or intervention. The ability to monitor adherence to company procedures and assess return on investment is designed to support both efficiency and risk management objectives.

Industry integration

Astra is compatible with Acron Aviation's Flight Data Connect platform, which processes large volumes of flight information in a matter of minutes. This integration supports broader safety and operational initiatives, including contributions to IATA's Flight Data eXchange programme.

The application is available for further demonstrations at key industry events, with Acron Aviation continuing to showcase Astra's capabilities to prospective users from the global aviation community.