Red Tail Report

Welcome to the first Red Tail Report!

I’m putting these together to help share information about what I’m working on at Akimbo and any interesting cybersecurity news that comes up throughout the month!

Payback: Cybersecurity Edition

We’ve recently been contacted by an education body to put together some content to assist those looking to break into cyber security to cover two groups – those in secondary schools and those who are just about to graduate university. Of course, as a Penetration Tester myself, I can put together some guidance on those looking to break into breaking in (in fact, I wrote something about this a few years ago) – but we want to go bigger and better. I can talk about Pen Testing but we’re hoping to cover a broader view of the industry than that!

So, the plan is to put together a few profiles of people working in the industry and talk about the work they do, how they got into that role, and any guidance they’d give to younger folks looking to follow in their footsteps.

We’d love some of you to get involved. So, if you’ve got 30 minutes free to answer five or six questions about your career in IT or Cybersecurity, please reach out and we’ll get something set up!

What's New?

The big story at the moment for me is CVE-2024-3094: a backdoor found in XZ Utils (in the liblzma library shipped with versions 5.6.0 and 5.6.1). Not only is this story fascinating due to how the threat actor managed to get the malicious code in place, but it’s a great story of a developer busting a backdoor because “he noticed something peculiar”: SSH logins that were using unusually high CPU.

The original disclosure is here, but if you just want the “short story version”, you can read about it here.

What's Old?

I’ve been working in Cybersecurity since 2007, but I’ve been working exclusively as a Penetration Tester since about 2013. When I started my career things were pretty bad from a cybersecurity point of view and although we do complain about companies failing “the basics” like patching and passwords, I do think we’ve come a long way.

For my first few years of testing, internal infrastructure assessments were very easy because we’d just exploit MS08-067 on every network: although it was a five-year-old vulnerability at that point, we found it somewhere on almost every network. Because of that it holds a special place in my heart, but even if you’re not nerdy enough to have a “favourite” unauthenticated remote code execution vulnerability, the backstory to this one is still fascinating, and I recommend you check it out: The Inside Story Behind MS08-067.

What's New at Akimbo?

This week I’ve been continuing to work on our Knowledge Base. The intention is to build a stack of useful security articles as a “Quick Reference” covering key cybersecurity topics that are often overlooked or deserve a deeper look, like the gritty details of getting Account Lockout right without just building in a convenient denial of service feature for attackers.

We’ll be covering a wide range of topics in the Knowledge Base, but of course with a focus on Web Application Security, Infrastructure Security, and foundational cyber security topics. These entries often start life as an overly detailed answer to a customer question – and instead of being locked away in the Sent Items of my email account, I plan to share them more widely.


Account Lockout

This was the original entry that started our Knowledge Base. With a customer going a little rogue on their web application’s account lockout policy, I wanted to give them a quick reference guide to some of the pitfalls of this security feature, and it was more than I could fit in a quick email, so I wrote it all down here.
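To make the “denial of service feature” pitfall concrete, here is an added example (it is not code from the Knowledge Base entry or from Akimbo) contrasting a naive lockout with a throttling scheme whose counters are keyed so that an attacker’s failures land on the attacker. The thresholds, window lengths, IP addresses and the `ok`/`denied`/`locked`/`challenge` outcomes are assumptions for illustration, and the scenario in `demo()` is constructed.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # sliding window for counting failures (assumed value)
LOCK_SECONDS = 15 * 60     # temporary, self-expiring lock; never a permanent one


class NaiveLockout:
    """The 'convenient denial of service feature': N bad passwords for a
    username, from anyone, anywhere, and that username is locked."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, username, password_ok, src_ip, now=None):
        if username in self.locked:
            return "locked"
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.threshold:
            self.locked.add(username)
        return "denied"


class ThrottledLogin:
    """Counters keyed so that an attacker's failures are attributed to the attacker.

    - (username, source IP) pair: temporary lock. Guessing alice's password
      locks *that IP's* access to alice, not alice's own access.
    - source IP across all usernames: temporary lock, catches password spraying.
    - username across all IPs: never locks. Once it is exceeded, a correct
      password is answered with 'challenge' (step-up: second factor / CAPTCHA),
      so a distributed attack slows the real user down but cannot shut her out.
    """

    PAIR_THRESHOLD = 5    # assumed values
    IP_THRESHOLD = 20
    USER_THRESHOLD = 10

    def __init__(self):
        self._pair = defaultdict(deque)   # (user, ip) -> failure timestamps
        self._ip = defaultdict(deque)     # ip -> failure timestamps
        self._user = defaultdict(deque)   # user -> failure timestamps
        self._pair_lock_until = {}
        self._ip_lock_until = {}

    @staticmethod
    def _count(dq, now):
        """Drop timestamps that fell out of the window and return what is left."""
        while dq and dq[0] <= now - WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def attempt(self, username, password_ok, src_ip, now=None):
        now = time.time() if now is None else now
        pair = (username, src_ip)
        if (self._pair_lock_until.get(pair, 0) > now
                or self._ip_lock_until.get(src_ip, 0) > now):
            return "locked"
        user_failures = self._count(self._user[username], now)
        if password_ok:
            self._pair[pair].clear()
            return "challenge" if user_failures >= self.USER_THRESHOLD else "ok"
        # Record the failure against every key it belongs to.
        for dq in (self._pair[pair], self._ip[src_ip], self._user[username]):
            dq.append(now)
        if self._count(self._pair[pair], now) >= self.PAIR_THRESHOLD:
            self._pair_lock_until[pair] = now + LOCK_SECONDS
        if self._count(self._ip[src_ip], now) >= self.IP_THRESHOLD:
            self._ip_lock_until[src_ip] = now + LOCK_SECONDS
        return "denied"


def demo():
    """Constructed scenario: 203.0.113.9 throws five bad passwords at alice,
    then alice signs in with the right password from her own address 198.51.100.7."""
    naive, throttled = NaiveLockout(), ThrottledLogin()
    t0 = 1_700_000_000.0
    for i in range(5):
        naive.attempt("alice", False, "203.0.113.9", t0 + i)
        throttled.attempt("alice", False, "203.0.113.9", t0 + i)
    return (
        naive.attempt("alice", True, "198.51.100.7", t0 + 10),      # alice is collateral damage
        throttled.attempt("alice", True, "198.51.100.7", t0 + 10),  # alice is unaffected
        throttled.attempt("alice", True, "203.0.113.9", t0 + 10),   # only the attacker's pair is locked
    )


if __name__ == "__main__":
    print(demo())
```

The point of the design is which key the strong response is tied to: anything an attacker can trigger using only a victim's username must never be a lock, only a step-up or a delay, while locks are reserved for keys the attacker owns (their IP, or their IP paired with the target account).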

HTTP Security Headers

This is the latest entry in the knowledge base and no doubt the one that’s going to frustrate me the most. HTTP Security Headers are a great addition to a web application to enforce more rigorous protections in the browser. That said, they are among the features I most often see misused by web developers, from setting invalid header values just to get vulnerability scanners to stop complaining about missing headers, to making simple mistakes in the config and never double-checking it, leading to a false sense of security.

The aim of this entry is to be a quick introduction to the topic and hopefully to get more people using these great features (with a few warnings about some of the not-so-great ones). You can read it here.
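The “scanner-pleasing but broken” problem described above comes from checking that a header is present without checking that its value is one browsers honour. As an added example (not code from the Knowledge Base entry or from Akimbo), here is a checker that validates the values of the common security headers rather than just their presence. The two header sets at the bottom are constructed for the demonstration; the check list, finding wording and the `ONE_YEAR` threshold are choices made for this example.

```python
VALID_X_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
ONE_YEAR = 31536000  # smallest HSTS max-age the preload list accepts


def parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def parse_csp(value):
    """\"default-src 'self'; script-src x\" -> {'default-src': [\"'self'\"], 'script-src': ['x']}"""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_security_headers(headers):
    """Return a list of findings for a dict of response headers (names matched
    case-insensitively). Values are checked against what browsers honour, so a
    header that is present but ignored is reported, not silently passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_directives(hsts)
        if not d.get("max-age", "").isdigit():
            findings.append("HSTS: no numeric max-age directive; browsers ignore the header")
        elif int(d["max-age"]) == 0:
            findings.append("HSTS: max-age=0 tells browsers to forget the policy")
        elif int(d["max-age"]) < ONE_YEAR:
            findings.append("HSTS: max-age below one year; too short for the preload list")

    xfo = h.get("x-frame-options")
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    xfo_valid = xfo is not None and xfo.strip().upper() in VALID_X_FRAME_OPTIONS
    if xfo is not None and not xfo_valid:
        findings.append(f"X-Frame-Options: '{xfo}' is not DENY or SAMEORIGIN; browsers ignore it "
                        "(ALLOW-FROM is unsupported, use CSP frame-ancestors instead)")
    if not xfo_valid and "frame-ancestors" not in policy:
        findings.append("Clickjacking: no valid X-Frame-Options and no CSP frame-ancestors")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options: header missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: '{xcto}' is not 'nosniff'; browsers ignore it")

    if csp is None:
        findings.append("CSP: header missing")
    else:
        # script-src falls back to default-src; if neither is set, scripts are unrestricted.
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.append("CSP: neither script-src nor default-src set; script loading is unrestricted")
        else:
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in script:
                    findings.append(f"CSP: {bad} in the effective script-src defeats the XSS mitigation")

    rp = h.get("referrer-policy")
    if rp is not None:
        tokens = [t.strip().lower() for t in rp.split(",")]  # last recognised token wins
        if not all(t in VALID_REFERRER_POLICIES for t in tokens):
            findings.append(f"Referrer-Policy: '{rp}' contains an unknown token")
        elif tokens[-1] == "unsafe-url":
            findings.append("Referrer-Policy: unsafe-url sends the full URL with every request, including to HTTP origins")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection: legacy header; the auditor it controlled has been removed "
                        "from browsers. Set it to 0 or drop it and rely on CSP")
    return findings


# Constructed sample: every header is present, so a presence-only scan is happy,
# yet not one of them does what the developer thinks it does.
SCANNER_PLEASING_BUT_BROKEN = {
    "Strict-Transport-Security": "includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "no-sniff",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "Referrer-Policy": "unsafe-url",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample of the same headers set to values browsers honour.
CORRECTED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for finding in check_security_headers(SCANNER_PLEASING_BUT_BROKEN):
        print("-", finding)
    print("corrected set:", check_security_headers(CORRECTED) or "no findings")
```

Run against the broken set it reports eight findings and against the corrected set none; the useful habit it encourages is the second half of the author’s point, actually checking the configuration in a browser or with a value-aware tool after deploying it, rather than trusting that the scanner has gone quiet.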

That's it!

Hey! It’s Holly here, I hand write each of these reports. If I’m not hitting the mark, or you’ve got other feedback to give me, drop me a message on LinkedIn!
