While the utilization of Cloud computing can enhance your overall secure posture, it is also important to mention that the weaponization of the Cloud to gain access to resources is also something that is taking place in many situations and in many different types of attacks.

The diagram that you see represents an attacker gaining access to VMs located in the Cloud provider. It could be any Cloud provider. By leveraging computer resources from VMs that are hosting this Cloud provider they can attack on premises resources. So, the advantage of that attack is that you use the power of Cloud computing resources to send an attack to the limited amount of power that you have on premises. This is one typical scenario. Another one is DDoS attack. Many DDOS distributed denial services attacks  are leveraging Cloud resources.

Another potential attack that it happens is also taking advantage of failures in configuration. There was a flaw in the configurations, a failure in the DevOps process. Public keys, were not stored securely in a Cloud. This event took place in 2015 and there were bots scanning GitHub to steal Amazon EC2 keys. Problem is that those keys were stored in a public Cloud provider and those keys were not encrypted, and were widely open. It was definitely a failure in configuration.

Nowadays, attackers are shifting the efforts to evade detection controls that are provided by Cloud Workload Protection Platforms. Most of the Cloud Workload Protection Platforms utilize agent installed on their ISVM. And one way to evade detection is to kill the agents. Hackers trying to compromise the agent so you don’t have that sensor running. The first occurrence of this type of attack took place in January 2019 and it was reported by Palo Alto networks. It was malware called Rocke, which was uninstalling the agents from CWPP.


It is imperative that before adopting any Cloud computing solution, organizations understand the general security considerations that are already held by the Cloud computing model you should have a Cloud Workload Protection in place as part of your design, it should be part of your design considerations for not only Cloud workloads, but hybrid scenarios as well. Sometimes, customers are not fully aware that if you have a hybrid scenario, it means that you have some sort of computing power running in the Cloud, and you have interaction between you public Cloud provider and computer infrastructure on premises. When thinking about Cloud security considerations, you should think of the following items:

  • Compliance
  • Risk management
  • Identity and access management
  • operational security
  • Endpoint protection
  • Data protection.

When the subject is compliance, you should think of the migration process. Organizations need to retain their own compliance obligations and they need to dictate how those resources that are going to be migrated to the Cloud need to be compliant. Some workloads might need to be PCI compliant. Some other workloads might need to be NIST compliant, HIPAA compliant. You need to evaluate this from different angles from the Cloud workload migration process. Different Cloud workloads might require different compliance mechanisms and you need to take those in to consideration. Usually, most of the cloud solutions provider will give you more details about their compliance platform.

The second consideration is risk management. Customers must be able to trust their Cloud solution providers. Cloud runs on trust, basically. And that’s something that Microsoft says a lot, that Microsoft runs on trust. Cloud solution providers, in general, should have policy and programs in place to manage online security risks. These policy and programs may vary depending on how dynamic the environment is. And customers should work very closely with their Cloud solution providers to demand full transparency to understand the risk decisions.

In regards to identity and access management, this is a very important subject because identity management is a pivotal point in today’s  security. It allows you manage not only your access to the portal for the Cloud provider, but also your entire identity perspective to access resources in the Cloud. So, make sure that your Cloud provider offer different options and also use multi factor authentication which is very important now a days.

Operational security, when you are migrating to the Cloud, you should adjust your internal processes to the Cloud. Do not bring old processes from on premises scenario and try to just fit it into your Cloud deployment. Make sure that your secure monitoring, your auditing, instant response, your forensics, everything is adapted to the Cloud environment. And when I say adapt to the Cloud environment, many times it means re-engineering some of the aspects. For example, forensics in the Cloud is different from forensic on premises.

Endpoint protection. Endpoint protection is about how you gonna access those Cloud resources because, in a share responsibility model, which is what the Cloud providers will always tell you, the endpoint, the machine that is accessing the Cloud resource might be compromised. And that’s not up to the Cloud provider to secure. That’s your responsibility to secure. So you are going to continue to monitor your endpoint solution to not compromise your Cloud resources. You must ensure that you have that in place. You need to ensure that you have some sort of EDR (endpoint detection and response) in place.

And last but not least, data protection which is very important. Most of the attacks, most of the threat actors, are going after the data itself. So, you need to ensure that you have protection for data at rest on the user device, which is very common in BYOD scenarios that user is accessing a Cloud data from their mobile device. You need to make sure the data is secure at rest. In other words, that you have encryption at rest on the user’s device. You have to be sure that the data is encrypted in transit between the user device and the Cloud provider. The data is encrypted at rest from the Cloud provided data center itself. So, you need to have fully awareness of how this process work. You must think about data entrance points between the Cloud and on computers premises. All these points have to be encrypted


*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lectures

In order to understand the Azure security infrastructure first of all you have to step back and think outside of Azure itself, you have to look at a multi layer approach, so called defense in depth. This approach is critical for the modern security.

Think about large enterprise where you have to protect the entire platform that consists of the data center, the multi-tenancy network, the data encryption, the key management.

Then we have the operations on top of the platform. You have to have secure controls in place for the operations which includes the access policies and control, and ensuring that you are developing software using the security development lifecycle approach, operations security assurance, patch management, configuration management, anti malware application, and vulnerability scanning. These are part of the operational security layer.

And then you go to a higher layer, to the strategic standpoint, which is what we call the advanced cyber defense, security monitoring and analytics, and cyber defense operations center or SOC. It’s important to understand that at some point your system will be compromised. So you need to have in place a strategy and written procedures for rapidly response to that breach, because if you think that you have enough security controls in place and you create that false idea that you are so secure that no one will ever be able to penetrate in your environment, then you are creating a mentality that if something bad happens, you really don’t know what to do first, and second, you don’t even know why it happened because you don’t have the detection controls in place to identify potential breach.

Now let’s talk about the different controls. Let’s say you have a subscription, and you start to onboard some resources in your subscription. The first resource that you might onboard is the virtual machine. So when you are deploying virtual machine, you gotta think about the different security controls that you need to put in place for the virtual machine. You need to configure monitoring and export events for analysis. Events that are happening on that machine needs to be gathered so you can have analytics on top of those events.

The very first thing to achieve it is to enable Security Center. Second thing is make sure you configure a Microsoft anti malware solution, or anti malware solution from a partner. If you don’t have endpoint protection Azure Security Center will warn you about that. Then you should apply a corporate firewall using site-to-site VPN and configure endpoints.

This is applicable to situations where you have endpoints that are on-premise and they need to have connectivity to the cloud, or if you are deploying a VM to the cloud and that VM needs to have continued access to a different location, obviously then you need to have a VPN to protect that communication.

Make sure that you define access control between tiers and provide additional protection via the OS firewall. Do not think that only the network-level firewall is enough, you should also hardening the ports of communication from the host itself. And make sure that based on those analytics, that you are collecting, those events are being sent to your monitoring system.

After this part is done we can continue to the next layer, which is the network protection. We need to ensure that our network topology is secure, which a lot of customers miss, because they do not have the habit of hardening the Azure Virtual Network.

Unfortunately I’ve seen many scenarios where the network is not well-designed, it’s fully exposed to the Internet, so make sure that when you’re talking about networking that you can apply some important practices, which include hardening network traffic for Internet facing endpoints. You don’t want to leave your network widely open to the Internet.

  • Properly configure network security groups.
  • Use a network firewall, such as Azure Firewall. Ensure that if you need to expose services to the Internet that are available in Azure, that they are protected by Azure Firewall.
  • Isolate network segments, make sure that you use some of the principles that are very well-established over the years, and network isolation is one of those.
  • Ensure that you have NSGs between subnets.
  • Ensure that you have isolated networks for different assets, for different level of privilege.
  • Create your VLANs to operate in isolation mode.
  • Use Azure Security Center Network Map to have full visibility of your Azure network topology.

Remember that one of the most common attacks against cloud resources is a DDoS, so make sure that you are utilizing the Azure DDoS.By default, Azure provides continuous protections against DDoS attacks as part of the Azure DDoS Basic, which is free of charge.

It’s very important that when you plan and you design your Azure security infrastructure, you take into consideration those different layers, and that you are applying those things that are built in Azure. Leverage those things. Protection of the data at rest is very important, and this can be accomplished via Azure protection of the storage via encryption.

So, ensure that you are using Azure Disk Encryption when you are encrypting the VM disk for your Azure VMs. Ensure that you also leverage Azure Storage Service Encryptions for the data at rest on the Azure Storage perspective, and that you are using Advanced Threat Protection for Azure Storage.

If you have storage accounts, and you want to make sure that you are monitoring against threats that are trying to take advantage of your storage account, you should enable advanced threat protection, ATP. If you want to do that for the entire subscription, the best way to do is your Azure Security Center. Identity is a part of Azure that is extremely important. You should be monitoring your identity very closely, and leveraging the capability that you have in Azure, which includes the Azure Identity Protection part of Azure AD. Make sure to use that, because it will give you some extremely useful analytics in threat protection for identity. Azure Identity Protection has a series of capabilities to detect potential identity-related vulnerabilities, suspicious actions related to users, related to the access, to the authentication pattern.

Azure AD Identity Protection will also stream the alerts to Azure Security Center, so there is a native integration there. Last but not least, logging. Well, logging is a very interesting subject, because throughout the years it has become more and more important to always have logs available, and when you are migrating to the cloud, you realize that the amount of logs can be gigantic, because there are so different dimensions, so it’s very important to understand what you are looking for.

This diagram here explains the different levels of logging, so let’s start from bottom to top. At he bottom there is the Azure Active Directory logs, this is a tenant-level log. That’s where you’re gonna obtain that information, from the tenant itself. Then you have a subscription, because remember, within a tenant you can have multiple subscriptions, so within the subscription itself, you have logs related to the resource manager, you have logs related to service health, and you have the Azure Security Center logs, which are based on the threat detections and prevention.

You go a little bit higher on the Azure resource itself, then you have the VMs that you are deploying, the storage accounts, the network security groups, and each one of those will have also its own series of logs. Now when you go inside the VM, which is the guest operating system, which could be Linux or Windows, then you have the logs within the VM itself. If you go even higher on this stack, on the application layer, then you have telemetry of the application, have the application logs.

Azure provides different sets of logs, and these logs will reflect different types of actions. Do not ever think that because you are collecting, let’s say, the Azure Security Center logs, that you cover all the scenarios. No, you will also have things that are happening on a different layer.

One question that is very common is, hey, “I would like to see who changed my Azure Security Center policy, which log should I look at”?

Well, the answer is that in this particular case we’re gonna look to the activity log that is looking to things on the subscription level.


*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lectures


When we are talking about Incident Response, the first and probably the most important standard that comes to mind is Computer Security Incident Handling Guide from NIST. And in this guide, there are a series of events and actions that comprise the incident response life cycle.

 We have number one, preparation. That leads into detection and analysis, which then is followed by containment eradication and recovery, but possibly used in a cycle with detection analysis. And finally, we have post-incident activity, which is really just a mixture of Sections Three and going back to Section One, Preparation.

The first section of the Incident Response Life Cycle, is Preparation. And within Preparation, there are a number of different tasks that you’re going to want to know about from a security perspective. And we’re gonna start with Limiting the Blast Radius. And for this particular step, there are a couple of different concepts that are pretty straightforward and that you can associate with this. First of these, is deploying your accounts using AWS Organizations. Next, is to deploy your networks using multiple VPCs. Both of these can help you when there is a security event and you need to restrict the amount of resources that the actor can possibly have access to. Next, is Self-Documenting Infrastructure. And AWS gives you a couple of different ways to go about this. There are different services and features that can help you document your infrastructure without having to explicitly open a text editor. First of these is AWS Config. This is great from an inventory perspective. CloudFormation, where you’re actually defining infrastructure elements using text files and then creating them from those text files. And third, AWS SSM. The system’s manager service gives a number of features for inventorying at a deeper level including, network information, installed software, and license usage. The next step is creating Procedures and Run Books.

Our next task is to generate a Normal Behavior Baseline, and AWS provides a couple of ways to make this happen. The first of these is pretty straightforward. Just using the monitoring service, called CloudWatch. GuardDuty is an excellent tool and can be used to identify an abnormal behavior in your account.

There are three specific services that are going to be very helpful to the AWS customer in Assessing Risks. The first of these is Amazon Inspector. Next, we have GuardDuty, and the last one Amazon Macie. This is a service that can help you assess whether or not permissions on S3 buckets are too permissive.

Next we have Network Security.There are a number of different features that you can use to help improve the security from a network perspective. You can you Network Access Control Lists, Security Groups, both of these are going to be part of the VPC context and used together. You can use VPC Flow Logs for auditing the network traffic flow within VPC. And finally, you can use the AWS Web Application Firewall service. This is used in conjunction with CloudFront, and applies to web traffic, where you have the ability to identify and potentially drop abnormal requests.

Our next step, is the ability to Store Relevant Event Information. This is absolutely a proactive step that should be done as part of your strategic planning for security in AWS. And there are a range of features that you can use here as well. CloudWatch Logs is a great way to store log files durably with excellent ways of accessing them for analysis purposes. You have AWS Config streams, where you can create snapshots of the metadata configuration for your resources. You can use CloudWatch Events to keep track of what’s happening in your AWS account. You can store access logs in S3 in addition to CloudWatch Logs. And you can use CloudTrail Logs, that are stored in either Cloudwatch Logs or S3 to help correlate between behavior and actions that were taken to create that behavior.



*This article is based on Pearson IT Education materials and Chad Smith lectures

In this article I would like to discuss Abuse Notice Strategies. Let’s assume you need to evaluate the suspected compromised instance. Where should we start? If your account has a suspected compromise, either at the key level or at the EC2 level, AWS will send an email with some details around that suspected compromise activity. From a customer perspective, it is up to you to then evaluate that compromised resource, such as an EC2 instance, to see if you can figure out whether or not you are truly being subject to a security event. You can start with GuardDuty, there’s a feature called VPC flow logs that allows you to view the incoming and outgoing traffic at different contexts. You can isolate your resource from the network using features like security groups. And you can even launch a replacement using backups in the form of an AMI.

If it is an access key that has been compromised, you have different strategies for mitigating this. You can look at the access advisor reports to determine which services have been accessed using that key and at what time.You can look at GuardDuty, or CloudTrail logs. Just these two options are going to provide a full audit trail of everything that’s happening in your AWS account. And you can take action in a form of disabling keys or creating new keys that replicate the functionality.


*This article is based on Pearson IT Education materials and Chad Smith lectures

In this article we will discuss how to build a strong cyber defense through the enhancement of your secure posture, and understanding the different phases of the cyber kill chain. To build a strong defense, you need to understand the different stages of an attack. It is very important to understand those stages, because you want to add detection in the different areas and different moments of the attack. The core idea is that you can and should mitigate an attack early in the cyber kill chain phase. Ideally you should be able to detect that there is something happening in the reconnaissance phase, because the attacker was not able to perform a lot of malicious activity inside of network yet. Let’s go through some of the main aspects of each one of those phases.

The reconnaissance phase, as the name says is the phase in which the attacker gathers information about the target before the attack actually takes place. This is a very important phase, because it’s understanding the target that they build the campaign to perform malicious activity. That can be scam phishing email or phishing email, something along those lines.

Which leads us to the weaponization. This is the stage then you are already using the information that you gathered in the reconnaissance, and weaponizing that information. You can utilize that information in a malicious way. So it’s basically creating the artifact that will be used to compromise the victim. Which goes to the next phase, which is the delivery phase. Which is the transmission of the attack itself to the victim. In this case, you gather information, you create your phishing campaign, and now it is time to send it out to the victim.

But maybe the phishing email is just the entry point to something else that is going to happen in the next phase, which is the exploitation. So in the exploitation, something is going to happen, for example, let’s say that the phish email has a link to download a piece of malicious code. And that piece of malicious code is going to try to exploit the build. So that is already part of the exploitation phase, and when it is doing that then it is time to move on to the next phase, which is now I’m going to install that exploit into the destination computer. So you see that very smoothly, the attackers gain more and more access to the target’s system, and that is what the attacker wants.

When the attacker is already there then he can start doing other things such as contacting the command and control, which is the C2 phase. At this stage he will try to extract more information or perhaps to even download more malicious codes and install on private systems. Between the C2 and the actions on the objectives, there will be some other things that they will try to accomplish.

Stronger Defense

Microsoft created variation of the cyber kill chain to put in practice, which puts a slightly different amount of steps. Here it is:

Because we start with the external recon, which is basically the reconnaissance. Then we compromise the machine via some sort of exploitation, taking advantage of a vulnerability. Then we start internal reconnaissance, notice that there’s the external reconnaissance and the internal reconnaissance. That’s very common because once hacker establishes his footprint in the target machine, then he can start doing some internal recon in the network because now he has access to that internal machine. Then he is going to do some malicious actions such as, lateral movement, local privilege escalation, harvesting domain credentials until he gets to the point where he has full domain dominance.

Most likely that during C2 stage hacker is going to place Trojan.

What you really need to do is to build a better security posture, and this is not only for cloud, but on premise infrastructure as well. Security posture consist of three stages. Detect→Response→Protect.


*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lecture

The days of hacking for status and pride are way behind us. Nowadays the main motivation behind cyber attacks is financials gains. Of course there are other reasons, nation state, threat actors, and things like that. But from the commercial perspective, attackers are going towards the money. The data that will generate money, the identity which can be exchanged by money, ransomware, these type of things. Hackers almost always looking for financial gains. This is the main motivation nowadays.

It’s important to understand that company of any size can be a target. The rationale that only large organizations will be the target is completely untrue. Attackers often go towards mid and small-sized companies, because it easier to hack into their system and hijack and they don’t have the security controls in place. For example in 2017 companies losses related to tech support fraud raised to 15 million. The number of losses related to ransomware attacks raised to 2.3 million. And if we look at the cost prediction from 2015 to 2021, we’re gonna to double the amount of cost with cyber crime.  It is important that every single customer that is migrating to the cloud, have this mindset that they need to leverage cloud resources to enhance their secure portion overall.

In this slide you have a structure of a criminal infrastructure that can be used globally. These guys shouldn’t be in the same physical location, usually they don’t even know each other, for the most part they communicate through the dark web, different criminals have different activities and responsibilities. For example the developer is the one that we are creating malware, this guy has a very specific skill. He knows programming language and he will pieces of malicious code and then sell to hacker that will buy that malware. Sometimes hacker buy a whole kit and this kit can be used to perform a series of actions not just steal a credentials or perform a brute force attack. And then there is cyber criminal himself which will buy from the hacker the credentials that were stolen. This guy for the most part is the one that is going to receive the cash from the organization that hired him to do this whole thing.

Now it is a global enterprise, it is not one single person that it used to be 20 years ago. That’s why it’s so hard track it down. Stolen data is very inexpensive, compromised accounts come in bulk and in very large blocks, prices can as ow as $1 per account.

So, as more and more sophisticated cyber threats come along, the best approach is constant vigilance. You should assume that most likely you will be the victim of a big data breach or major hack attack.



*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lecture

Email is everywhere and vital to both business and personal communication. You’ve no doubt used email to share important documents with others both internal to your organization and beyond. And you’ve probably received many documents as well over email. Unfortunately common files like Word documents, Excel spreadsheets, and PDFs, are also typically used to spread malware or other nefarious programs. And it’s not just the attachments you need to be wary of. Hackers and others also use email to try to get users to click on spoofed emails, or as phishing attempts to trick users into clicking on an infected link or share sensitive information. You might’ve seen an email of this type that includes a line like we need your updated bank account information or something similar. Even though most IT departments have installed software to scan every incoming email and document, malicious messages can still get through. Why? Because new and more sophisticated versions of these attacks are created everyday, and our security software is often reactive, that means it’s not enough to rely on only your software. Instead try to practice these proactive habits. Never open an attachment that looks suspicious. Pay attention to the sender’s email address and ensure that it’s legitimate. Make sure the attachment is a known file type. Also be careful of running macros in Office documents as they can contain viruses. Don’t click on a link from an unknown sender. It’s often harder to identify malicious links so hover over the link and look at the URL or the address of the link. If it seems odd, for example, if it looks like an actual company name but it’s slightly misspelled, don’t click on it. Or if you don’t know the sender, don’t click on it. When in doubt ask your IT department for help. Never respond to an email or a link asking you to verify account information. A real company would never do this as they know malicious senders are doing this. This scam is know as phishing. And here’s an example, an HR employee was asked by email for all employee information including partial social security numbers. Unfortunately the employee sent the information without verifying that it was a legitimate request, it was not. The company then had to spend lots of time and money helping employees protect themselves after the breach was discovered. Never respond to spam or junk email. All you’re doing is showing the sender that your email address is a legitimate verified address. Now they will only double their efforts in sending you emails and may even sell your email address to other spammers. If you do find malicious emails be sure to mark them as spam or junk, and let your IT department know about them. If you think you’ve clicked on something by mistake, immediately call your IT department. These viruses can spread quickly and time is of the essence when it comes to fighting them. On your personal computer make sure your security software is up to date and run it immediately. Once you get into the habit of following these practices, it’ll become common place. And it’s absolutely worth it to take those few extra moments to look for possible issues. A stitch in time saves nine as they say. And the clean up and aftermath from one bad click will not be pretty.

Just two days ago I received three different Facebook messages from three different people about a minute apart. Already intrigued at my newfound popularity I looked at them and found that each message was exactly the same: a link to an image file. The similarities of the messages continued in that they were sent from very mild acquaintances, ones who I’ve spoken to only a couple times, but who I’ve added as friends on social media just to be nice. Obviously, this was not some sort of practical joke as, for two of them, this was the very first Facebook message they’ve ever sent to me.

Fifteen minutes later they made a public post announcing to all of their friends to disregard any messages they may have sent and that they were not sent with their intention. They, we can conclude, fell unfortunate victim to hackers were most likely trying to replicate the Myspace Samy worm fiasco using an image file as the payload. 

Have you ever wondered what the point was of your email not showing any image file from new senders and forcing you to whitelist every single new person that wanted to contact you? It wasn’t to save your face in the event of an unflattering or offensive picture. An image file, which logically shouldn’t hold any scripts on it, can still leak personal information into the wrong hands if one was to open it. 

First off, it’s important to remember that the more content an email client loads, the wider the area of vulnerability, the more chance there is of a malicious party gaining access to your information. For example, in October of last year, Talos found a vulnerability in JPEG 2000 that allows a cyber criminal to run arbitrary code when a picture is opened. The full details are at this  link but essentially when the OpenJpeg library, used by many popular PDF renderers, parses records in a JPEG 2000 file, it is possible to force it to make an array-out-of-bounds error. This error, if abused enough times, allows the attacker to execute arbitrary code on the machine, which can include shutting it down or opening files on the drive. 

Apart from this, if the image file has to be downloaded, it has to be done from a web server. Because your machine makes a request to download the image file, the web server is able to see a number of things. The first is your email address, which not only confirms to the hacker its existence but that it is used frequently as well. The second is your IP address and your email client, giving the hacker your general geographic location as well as your internet service provider and workplace.

The last way, which is what the Facebook worm did to my colleagues, is simply a double extension. A person looking at a file named img34e66p3528(and so one for another twenty random characters).jpg.exe will not realise the .exe extension makes it an executable file, not an image. Clicking on the link no doubt showed some image, but it also allowed a script to take over one’s Facebook account and re-send the worm to a new batch of victims. For those curious, a friend who opened it on an iPhone showed me the image, and here’s what it looks like:

Don’t worry, it’s safe to look at. I wouldn’t do that to you.

As our technology improves and horizons widen, so too do our everyday objects make progress. It’s an undisputable fact! How far back in human civilisation was a person able to unplug their book from a wall socket to charge their cigarette instead? Our lives are becoming more and more convenient every day.

Or are they? Are we really becoming smarter, better people from buying e-watches, e-toasters, e-thermostats? Or are we just trying to prove our progress as a species to ourselves by buying needlessly complicated gadgets? After all, everyone wants to live in The Future, and The Future can’t be The Future unless it looks like how it looked on The Jetsons. I’m not writing this to mock those who say humanity as a whole has improved, I agree with the sentiment; our quality of life now is as diamonds are to stones compared to ten, fifty, one hundred years back.

What concerns me is our, dare I say, reliance on gadgets that we think facilitate our daily lives. Things like fans that turn off at certain times and fridges that let you order food from them facilitate our lives the way crying in the ocean contributes to rising sea levels. The problem isn’t even that they make us lazy and apathetic, or distanced from how things were done before, the problem is that they can be extremely dangerous, and offer little to no functional pro to their perilous con.

About a month ago, Dyn Inc, a DNS provider for big names like Airbnb, Amazon, and Paypal, suffered and had to restart all of its servers because of a powerful denial-of-service attack. The Wall Street Journal, Twitter, and the Government of Sweden had to restart their websites, shutting them down for several hours. This attack, wherein a computer sends junk requests to a server with the intention to clog it up and prevent it from functioning, was done not by a group of highly sophisticated super-computers, but by a tonne of cameras and toasters.

Mirai, the malware responsible, infected the things that people never even thought of protecting.Owners of “Internet of things” objects such as smart fridges and webcams that connect to home routers usually don’t bother changing the default password, and often forget to install additional security patches after they first buy the device. This makes the CPU on a toaster the easiest access point to the rest of the home and beyond.

The biggest problem though is that there is no solution. Companies will almost never bother to write and install fortresses of code on things like smart watches because it reduces functionality and costs more with almost nothing to show for it. This means that “Internet of things” items will always be the weakest point of entry for hackers. Changing the default password and always updating patches will just breed smarter hackers. The only real resolution is to save oneself the hassle and not buy the things in the first place, which is also a very unlikely option.

All in all, if you take one thing away from this article, it’s to go update your DVR right now, and hope it isn’t already infected.

Today I’m going to be writing about one the most, if not the most, common yet dangerous vulnerabilities that hackers can take advantage of, called cross-site scripting. Cross-site scripting is similar to SQL injections in that it takes advantage of the fact that a developer wasn’t one hundred percent careful when creating their web application. Basically, it is the injection of malicious code into a website through its user input fields. 

Here’s how it works. Let’s suppose you have a website with a commenting functionality. All a user has to do to leave a comment is to type it into the comment box and press “submit”. Your website was most likely created with HTML. HTML is a tag-based language, where text is written in between specialised tags that dictate how the text is interpreted by the site. For example, writing text between a <b> and a closing </b> tag would make the text in between appear bolded. There is also a specialised <script> tag that will execute any JavaScript command inside it, and that is invisible to users. If your website’s commenting functionality isn’t written to escape the tag so that the script can’t run, the website will essentially belong to the malicious hacker.

Since cross-site scripting attacks rely on the host website in order to harm its users, it can be said that there are two broad types of attacks: Persistent Scripts and Non-Persistent Scripts. Non-Persistent Scripts only run once and are usually done for test purposes to see whether or not a vulnerability exists. Persistent Scripts, however, are the ones that actually do the damage. If someone was to write a persistent script on your website’s comment section, it would be completely invisible, and it can do anything from stealing cookie information in order to gain access to a user’s account, to setting a worm in a user’s MySpace account, which would make any other MySpace user add the first as a friend, and then bring the worm over to their own account, resulting in a user gaining millions of friends overnight. The latter really happened, and the perpetrator got three years probation and a twenty thousand dollars fine. Just goes to show the importance of being careful as a security professional (or criminal).