Penetration testing is one of our renowned core services. A penetration test involves attempting to attack and infiltrate your applications or networks the same way as a malicious individual. For every penetration test we carry out we apply a commonly used and industry standard formula. What makes us unique, however, is we also design an approach specific to your scenario. It means you can be sure that all your key business and security considerations relevant to the system being tested have been addressed.
Red Team testing involves simulating an attack against your organisation as a whole, rather than restricting the scope to a given application or service. Red Teaming will challenge your systems, processes, third parties and staff. We're experts in Red Teaming and the team loves it! They work incredibly hard to come up with outrageously creative ways to bypass your digital or human controls using genius hacking or sometimes cunning social engineering. You'll be blown away.
Having a practical mobile device management strategy will keep your team connected, mobile and importantly your data secure. Securing your organisation’s infrastructure, systems and data has become increasingly difficult with the introduction of internet connected phones, portable smart devices and Bring Your Own Device (BYOD) policies.
Wi-Fi networks are a key target for attackers because they can be reached without full physical access to your environment. We also find more and more "guest" networks being provided inside corporates today. Our Wi-Fi testing will identify your risk of unauthorised access to your networks, systems and of course your data.
The Aura VSO (Virtual Security Officer) in general fulfils the functions and tasks of an organisational CISO (Chief Information Security Officer) and to some extent the tasks of an IT Security Manager, Risk and Compliance Manager and Privacy Officer. So it's pretty clever.
There is no one thing that will solve all your IT Security issues. True security is achieved through a long-term, holistic approach. To help, we have developed a unique Complete Information Security Programme (CISP). This is a value-added, bundled, master service agreement which covers all of our point-in-time consulting services as well as our ongoing managed services.
IMMEDIATE RESPONSE: If you're under attack now or have an urgent security incident then call 24/7 on +64 4 894 3755 and ask for the incident response team.
We will deliver to you a full explanation of issues and vulnerabilities. Yes, that will be in easy-to-understand language. We’ll provide you with examples of how any vulnerabilities may be exploited and an outline of any potential impact(s). All vulnerabilities will be categorised with a threat level and we will recommend the very best way to mitigate your risk.
Our approach to helping you become secure or preventing and resolving incidents follows our unique belief that all results and deliverables should be transparent, easily understood and repeatable by your own staff. Where applicable our security specialists will provide you with additional context and understanding by assuming multiple personas during engagements to demonstrate how a system is likely to be attacked.
The most secure place in the world to put any web application is behind RedShield. Built on our massively scalable and functional F5 platform, RedShield is a world-leading cloud web application shielding service. It provides DDoS defence and full WAF capabilities - and that's just for starters.
Our team live and breathe the latest web attacks: we know how to recognise them, how to fix them in your code and how to shield you against them. We recommend you don't buy a web shielding service from anyone other than web security experts. That's what we are - and we are absolutely world class.
RedEye is a managed scanning service that can scan your information assets, internal and external, every day. RedEye ensures that you are notified on a regular basis about potential vulnerabilities in your systems through our web portal. Our knowledgeable staff are always on hand to make recommendations for prioritising, fixing and mitigating vulnerabilities. RedEye provides you with a clear picture of your vulnerabilities over time.
There is no question that the combination of RedEye scanning and RedShield defence is the best possible protection available. So once we have these in place there's just one test left to carry out - we enter the mind of a hacker and launch a controlled 3DoS attack. We call it BlackEye.
In a real live DoS attack, excessive numbers of application and network requests are made to overwhelm your available system resources and cause interruption to normal service. In recent years, DoS attacks have become widely distributed in their source and highly diverse in nature, hence the term 3DoS, or Diverse Distributed Denial of Service (DDoS).
Why are systems attacked, how are they attacked and who are the attackers? Do you have problems with passwords, PIN codes, passphrases and phishing? This course focuses on why information security matters and how you can protect yourself and your business with effective operational security and sane security policies.
Managing security correctly goes well beyond the technical; understanding the governance of information security is essential to managing information and security risks. This course focuses on the fundamentals of information security governance, risk and compliance concerns.
These days websites are under constant attack and it's incredibly easy for a developer or administrator to make seemingly minor mistakes that have catastrophic consequences. In this two-day course the latest attacks and defences in use today will be explained and discussed. The course focuses on attendees gaining an understanding of the OWASP Top Ten, with plenty of practical, hands-on lab exercises attacking web applications using industry standard security testing tools, and advice on mitigating those same attacks.
Confused by all the three-letter acronyms? RSA, DSA, AES, SHA, RC4, CBC, ECB… During this course we will introduce fundamental cryptographic concepts and discuss details of the various algorithms and protocols, including hashing, symmetric ciphers, public key cryptography and hybrid cryptographic systems. Real-world cryptographic systems with weaknesses will also be discussed to highlight important decisions that need to be made when designing and implementing cryptography.
Aura Information Security is one of New Zealand’s leading and fastest growing information security consulting companies offering penetration testing, security reviews and secure development training.
Our customers include many of New Zealand’s largest government agencies as well as local and international banks and corporates.
Our team consists of experts across a spectrum of Information Technology. We hold some of the top security qualifications in the industry and have tested many large scale applications, systems and infrastructure both locally and internationally.
Chief Executive Officer
Practice Manager, New Zealand
CISO / Head of Research
Principal Consultant, Australia
Chief Technology Officer
Service Delivery Manager
Chief Operating Officer
Our specialists are committed to providing the best possible service. They are constantly researching new methods and developing custom tools to assist in our engagements. This dedication to ongoing process improvement means you have our assurance that your systems will be both resilient and robust should they be subject to a malicious attack.
— May 2014 | Sam Pickles
Aura's Sam Pickles presents his experiences defending real world web applications from attacks. Sam discusses all the different types of attacks and presents techniques to protect your systems from these attacks.
— 13 May 2014 | Matthew Daley
— 19 March 2014 | Vladimir Wolstencroft
Aura's Vladimir Wolstencroft presents his research, "The 3 Billion Dollar App", at the Troopers infosec conference in Germany.
Mobile social applications are proliferating through our society and are starting to take the limelight away from traditional social networks such as Facebook. Younger people, especially, are moving towards applications such as WhatsApp and SnapChat. Incumbent companies are eager to exploit this new user base and are willing to offer billions to purchase these apps. Clearly the value is driven by access to this user base and the ability to collect information about users or deliver ads direct to users. But do we need to spend billions to gain access to this user base? What if we don’t need to spend anything… what if there was a way to deliver content to all the users just by using the app…? This talk details what is possible after reverse engineering the SnapChat app and will show how you don’t have to spend billions of dollars to deliver content to SnapChat users.
— 6th September 2013 | Andy Prow and Kirk Jackson (Xero)
Andy and Kirk take their infamous Hack-Ed series over to Aussie to see if they can knock some security spidey-sense into the Aussies at Microsoft TechEd on the Gold Coast... Good luck with that!
— 19th November 2012 | Graeme Neilson and Shingirayi Padya
Graeme Neilson and Shingirayi Padya presented at Kiwicon 6 about cracking Audio One-Time Passwords.
— 19th November 2012 | Mike Haworth
Mike Haworth presented "Demonic Possession of Browsers: BeEF Issue #666" at Kiwicon 6.
— 7th November 2011 | Mike Haworth and Kirk Jackson
Mike Haworth and Aura associate Kirk Jackson talked at Kiwicon 5 about issues where the boundary between web apps and native apps gets blurry.
— 24th August 2011 | Andy Prow and Kirk Jackson
Andy Prow and Kirk Jackson presented at Microsoft Tech-Ed NZ 2011 - the largest tech conference in New Zealand. They have compiled a "Cheat Sheet" of defenses for the common web risks for ASP.NET, MVC and SharePoint developers.
— 7th July 2011 | Kirk Jackson
Kirk Jackson presented at OWASP New Zealand Day 2011 on File Upload Considerations.
— 4th May 2011 | Andy Prow
Andy Prow gave a presentation at the Cloud Security Summit on what's happening in the Cloud Infrastructure as a Service (IaaS) space, including the pros and cons of using a Cloud provider and the security implications and risks. He also explained how to mitigate these risks by implementing specific cloud security policies.
— 30th March 2011 | Scott Fletcher
Scott Fletcher presented at the Australia & New Zealand Testing Board on 30 March 2011 on beginner testing strategies for five of the OWASP Top Ten web security threats. These strategies will help testers ensure the security of web applications.
— 1th March 2011 | Graeme Neilson and Kirk Jackson
Graeme Neilson presented with Kirk Jackson from Xero on cryptography at the OWASP Day New Zealand 15th July 2010.
Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.
— 11th March 2011 | Graeme Neilson
Graeme Neilson presented at the CanSecWest conference in Vancouver (March 11 2011) on developing rootkits for the top ten firewall / UTM manufacturers.
— 2008, 2009 | Graeme Neilson
Graeme Neilson presented at RuxCon in Sydney, Australia (2008) and BlackHat, Las Vegas, USA (2009). The presentation covered Graeme's research on how he developed a trojan ScreenOS operating system that, when loaded onto any Juniper firewall, turns it into a ZOMBIE, giving Graeme full access to the underlying firewall and bypassing all rules and passwords.
We must of course mention Juniper at this point - "we express our appreciation for your pragmatic and careful handling of this case" (Juniper, 28 Nov 08). They also released a tech bulletin, PSN-2008-11-111, "ScreenOS Firmware Image Authenticity Notification", which states: "All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed."
Hack our challenge website. Show us what you’ve got. The challenge site is a dedicated hackable web-site spun up just for you that will live for 3 hours and then self-destruct. It’s been built entirely by the Aura crew to test our new recruits, so you won’t be able to Google the answers, you’ll actually have to think! The challenges go from ’walk in the park’ as warm-ups to ’ohhhh now that’s cool’ for those who can really hack-it.
You will have up to 48 hours to write us your "A-Game" report. Using your findings from stage 1, write a report in a style that is appropriate for presenting to a customer, and submit this together with your CV to firstname.lastname@example.org. Our office elves will sort through your application! Our security ninjas will vet your report! Magic happens!
As one of New Zealand’s largest security consultancies, we offer our staff the opportunity to work with a wide range of government organisations and private companies. The work we do is challenging, meaningful and ground-breaking.
We offer our staff opportunities to grow and develop in their chosen field. Technical staff have their own development projects, tackling new and interesting problems in information security. On the basis of their research, our staff also attend and speak at local and international conferences.
Our team environment is supportive, collaborative and professional. We work closely together to provide our customers with the best results we can offer. Our main offices are in Wellington, with other offices in Auckland and Melbourne. Does this sound like somewhere you’d like to work? Then contact us.