The whole month of March 2021 has been a crazy one in the world of cybersecurity.
Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China code-named HAFNIUM and these vulnerabilities appear to have been adopted by other cyberattackers in widespread attacks.
I was recently asked which OWASP/DevSecOps/Application Security/Cloud Security-themed podcasts I listen to.
Here’s the list:
(please note that these podcasts are available on all/most podcasts platforms, in this list I only provide the Google Podcasts links):
Application Security Podcast (produced by Chris Romeo/ Security Journey): https://podcast.securityjourney.com/
OWASP Podcast (now known as DevSecOps Podcast Supported by OWASP — produced by Mark Miller — interview format): https://soundcloud.com/owasp-podcast
BeerSecOps — Podcast About Dev, Sec, Ops, and Everything in Between (run be Steve Giguere/AquaSec - Interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9mMzg2Njg0L3BvZGNhc3QvcnNz
DevSecOps Overflow (produced by Michael Man, interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkcy5idXp6c3Byb3V0LmNvbS83MzMwNzAucnNz
Absolute AppSec(produced by Ken Johnson and Seth Law, chat with guests) https://podcasts.google.com/?feed=aHR0cHM6Ly9hYnNvbHV0ZWFwcHNlYy5jb20vcnNzLnhtbA
The Secure Developer Podcast (produced by Heavybit, interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly93d3cuaGVhdnliaXQuY29tL2NhdGVnb3J5L2xpYnJhcnkvcG9kY2FzdHMvdGhlLXNlY3VyZS1kZXZlbG9wZXIvZmVlZA&ved=0CB0Q27cFahcKEwi4kpi8uonpAhUAAAAAHQAAAAAQBw
DevSecOps Talk Podcast (Mattias Hemmingsson, Julien Bisconti and Andrey Devyatkin chat about latest stuff, and ideas): https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2RldnNlY29wcy9mZWVkLnhtbA
Follow me on Twitter: https://twitter.com/securestep9
Citrix CVE-2019-19781 vulnerability is the current hot topic in Information Security circles this week, as exploits for this vulnerability are now publicly available and may allow unauthenticated attackers to obtain direct access to the company’s local network from the Internet. Citrix NetScaler ADC and Gateway products are vulnerable.
This post is not Cyber Security related. A lot of my friends (who do work in IT and InfoSec/CyberSecurity fields), live in different countries (and are thinking of moving to the UK before the Brexit hits) keep asking me about the levels of salaries and tax in the UK.
I have therefore compiled this little helper table to help them understand how the annual salary in the UK (in tax year 2019–2020) translates into the monthly amount they will get in the bank after tax deductions (this is also known as “take home monthly” pay):
Since I received many thanks from my friends, I think it will be useful for everyone, so publishing this in my blog.
Data source: listentotaxman.com
Quite often I am being asked the question: which Cyber Security — themed meetups/events/conferences are happening in London and which ones are worth attending?
First of all as a Chapter Leader of OWASP London Chapter of course I need to mention our OWASP London Chapter Meetups (or “Chapter Meetings”) which…
Has @Google gone mad? Legit support page asks to upload a photo of my Government-Issued ID and a photo of my credit card! To Google Cloud?? to “Verify” the account?? Cybercriminals will be thanking Google for this #phishing gift!
Here is the link if you want to try this yourself (real Google Support page, not phishing):
Of course the problem with this approach is that we have been teaching users in security awareness courses for two decades now that a legit website will never use such behaviour do that to “verify” he account, that’s what phishing website do…
Got an interesting and unexpected error message today from Firefox 58 which was running with just the default page — suddenly displayed a popup saying that a script on the following page is running slowly:
I have found some references on Mozilla Developer site, however this does not look good from QA & testing point of view:
While working on a mobile application security project for a client, I had to investigate all HTTPS calls made by an app using a “man-in-the-middle” technique essentially pushing all traffic from the test Samsung Galaxy S5 smartphone through an intercepting proxy. And I stumbled upon something really strange.