Security Beat: Writing on application security with a bit of rhythm now and then.

My thoughts on programming, security, percussion, leadership and more.

Microsoft vs. Storm-0558

Last week Microsoft disclosed how China-based threat actor Storm-0558 managed to obtain the secret keys for access to OWA and Outlook.com. There were 3 things that led to the breach.

How to set up NodeZero Host on macOS with UTM

I first heard about Horizon3.ai through a Reddit post on /r/cybersecurity. They are a security vendor that takes an interesting angle on security...

TunnelCrack Can Leak VPN Data

An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable.

Real World Code Review Vulnerability in a Next.js App

I recently worked on a Next.js codebase that had a vulnerability in an API endpoint called update-profile that would allow any authenticated user to modify the details for any other user...

Malware Payload Delivered Via DNS

The attackers delivered the payload (a redirect URL to a malware site) via a dynamic TXT record in the DNS records as a way to get around a web application firewall traffic detection system.

New npm Malware Aims to Steal Cryptocurrency Secrets

Recently, Phylum's risk detection platform flagged a series of malicious npm packages. Ten "test" packages were uploaded that clearly intend to extract source code and confidential data, like environment variables.

Drummers Gotta Eat

Drummers need to eat and this is the perfect solution.

Automated Prompt Injection Discovery

Prompt injection is kind of like SQL injection in that you can trick an AI chatbot into revealing information in its database that it's not supposed to reveal.

Kevin Mitnick has died

Kevin Mitnick has died. His book, The Art of Deception, was one of the books that started me on the path to application security.