Monday, January 30, 2023

Security Testing Journal Entry | w/e Friday January 27, 2023


Highlights for the week - A Spiritual Experience!

Apologies for the lateness of this post, but worth a mention is just how eventful last week was. If I were to take a deep look through a distinct lens of life experiences, everything came together in a spectacular kaleidoscope of elements. There were several "blasts from the past" that showed themselves at odd times. Still not sure what to make of it. As the saying goes, "when you pray God hears you, but so does the enemy .. so be mindful."

What We Loved

  1. The fish are biting and a few job prospects are at different stages of the process. That is to say: applications were filed and interviews have been had.
  2. The first of the odd but wonderful events came in the form of working with a QA VP on an Automation Strategy doc - which has led to a potential job opportunity.
  3. Working with the aforementioned VP revealed that we knew the same person(s), people from my first QA job. This led to reconnecting with that acquaintance.
  4. Having connected with this acquaintance, my former manager - the one who forced me to resign - also connected. We exchanged pleasantries .. and I learned something about myself.
  5. One of the jobs I'm super interested in has a recruiting assistant who just happens to have the same name as that special someone. What are the odds!
  6. Discussing my passion for Cybersecurity led to another job opportunity, waiting to hear back.
  7. And last but not least, another friend from my past presented a job opportunity my way. He forwarded my resume to the recruitment manager, who just happened to be a co-worker from another of my jobs.

What We Learned

  1. The biggest thing I took away from the weekend was how indifferent I was to my ex-manager reaching out to me. I felt no joy, but I had no ill-will either. It was a test .. hope I passed!

What We Longed For

  1. More time. The chore of moving everything off my emails and the Monday.com kanban to Trello brought some exciting but monumental amounts of work. Gotta keep grinding!!

What We Loathed

  1. Nothing to report this week.

Saturday, January 21, 2023

Security Testing | Security 4 No0bs - GDPR Basics


A quick n' dirty breakdown of GDPR and why it is important

Hello Reader!

In this installment of Security 4 NoObs we will be discussing GDPR - the General Data Protection Regulation

Visit almost any website, whether it is run from the United States or from Europe, and you are prompted with a banner to accept or decline cookies. It is a little checkbox (a boolean) that carries a lot of weight. On the surface, you tick the box (or not) and the banner goes away. Behind the scenes the site records your choice, usually in a cookie of its own, and its scripts and third-party tags are supposed to consult that choice before setting or reading any cookie that is not strictly necessary for the site to work. The banner exists because the EU's ePrivacy rules require consent for non-essential cookies, and the GDPR defines what valid consent looks like.

A cookie can look something like this:
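As an added example (not code from the original post), here is what a cookie looks like on the wire as a Set-Cookie header, a small parser and lint for it, and the consent gate a server should apply before sending non-essential cookies. The cookie names, their categories, the retention limits and the "cookie_consent" cookie format are all assumptions made for this example.

```javascript
// Added example, not from the original post. Cookie names, categories,
// retention limits and the "cookie_consent" format are assumptions.

const CONSENT_COOKIE = 'cookie_consent';

// Per-cookie policy (assumed). Essential cookies are set without consent;
// everything else needs the visitor's opt-in for its category.
const COOKIE_POLICY = {
  session_id: { category: 'essential', httpOnly: true,  maxAge: 3600 },
  csrf_token: { category: 'essential', httpOnly: false, maxAge: 3600 },
  _ga:        { category: 'analytics', httpOnly: false, maxAge: 60 * 60 * 24 * 30 },
  ad_id:      { category: 'marketing', httpOnly: false, maxAge: 60 * 60 * 24 * 30 },
};

// Parse a Set-Cookie response header, e.g.
//   "_ga=GA1.2.123; Path=/; Max-Age=2592000; Secure; SameSite=Lax"
// into { name, value, attrs } with attribute names lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq === -1) throw new Error('malformed Set-Cookie: no name=value');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return {
    name: pair.slice(0, eq).trim(),
    value: decodeURIComponent(pair.slice(eq + 1).trim()),
    attrs,
  };
}

// Flag what a reviewer checks on a cookie: transport and script protection,
// CSRF posture, and retention. No Max-Age means a session cookie, which is
// fine; a Max-Age beyond the retention limit is not.
function lintCookie(header, maxRetentionSeconds = 60 * 60 * 24 * 365) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('secure' in c.attrs)) findings.push('missing Secure');
  if (!('httponly' in c.attrs)) findings.push('missing HttpOnly');
  if (!('samesite' in c.attrs)) findings.push('missing SameSite');
  if ('max-age' in c.attrs && Number(c.attrs['max-age']) > maxRetentionSeconds) {
    findings.push(`Max-Age ${c.attrs['max-age']}s exceeds retention limit`);
  }
  return findings;
}

// Parse the Cookie request header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar.set(part.slice(0, eq).trim(), decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return jar;
}

// Consent is stored as a comma-separated list of categories the visitor
// opted into. No consent cookie means no consent; it is never inferred.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  return new Set(raw ? raw.split(',').map(s => s.trim()).filter(Boolean) : []);
}

// Build a Set-Cookie header for a policy-known cookie, or return null when
// the visitor has not consented to its category.
function buildSetCookie(name, value, consent) {
  const p = COOKIE_POLICY[name];
  if (!p) throw new Error(`no policy for cookie ${name}`);
  if (p.category !== 'essential' && !consent.has(p.category)) return null;
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/',
                 `Max-Age=${p.maxAge}`, 'Secure', 'SameSite=Lax'];
  if (p.httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Given the incoming Cookie header and the cookies the app wants to set,
// return only the Set-Cookie headers the recorded consent permits.
function responseCookies(cookieHeader, desired) {
  const consent = readConsent(parseCookieHeader(cookieHeader));
  return Object.entries(desired)
    .map(([name, value]) => buildSetCookie(name, value, consent))
    .filter(Boolean);
}

// Constructed sample: a visitor who consented to analytics but not marketing.
console.log(responseCookies('session_id=abc; cookie_consent=analytics',
  { session_id: 'abc', _ga: 'GA1.2.123', ad_id: 'adv-42' }));
console.log(lintCookie('_ga=GA1.2.123; Path=/; Max-Age=63072000'));
```

The important design choice is that absence of the consent cookie is treated as "no", not "yes": a visitor who closed the banner without choosing gets essential cookies only, which is what the consent rules expect.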
Why this matters

How data is collected is actually a big deal. Users have agency over how their data is handled and passed on. The option to accept or decline tracking cookies is the user exercising consent, and under the GDPR consent must be freely given, specific, informed and unambiguous, which is why a pre-ticked box or a banner with no "decline" option does not count. Below are some quick notes on how it works. Some glossary terms to note:

  • Member State: one of the EU member states, each of which must apply the GDPR and has its own supervisory authority to enforce it
  • Data subject: the identifiable person the data is about; for a website, the visitor
  • Controller: the organisation that decides why and how personal data is processed (the site operator); a Processor handles the data on the controller's behalf (an analytics or hosting vendor, for example)
  • Purpose and storage limitation: data is collected for an explicit purpose, with the data subject's consent or another lawful basis, and is not retained longer than necessary
  • Minors: for online services, consent for a child under 16 must come from a parent or guardian; a member state may lower that threshold to as young as 13

How it works

For a comprehensive reading of the GDPR, written in a lot of legalese, please visit: gdpr-info.eu. Below are some key take-aways:

  1. Users have the right to erasure ("right to be forgotten"): on request, the controller must delete their personal data unless it has a lawful reason to keep it
  2. Users have the right to be informed, at collection time, of who is processing their data, why, for how long, and whether it is transferred (including outside the EU)
  3. Users have the right of access: a copy of the data held about them, on request
  4. Users have the right to object to processing, and to complain if they feel their PII is mishandled
  5. Processing must ensure the C.I.A. of the data: controller and processor have to apply security appropriate to the risk (encryption, access control, the ability to restore data after an incident)
  6. If a breach occurs, the controller must notify its supervisory authority within 72hrs of becoming aware of it; impacted users must be told without undue delay when the breach is likely to put them at high risk
  7. A Data Protection Officer (DPO) must be appointed by public bodies and by organisations whose core activity is large-scale monitoring of people or large-scale processing of sensitive data:
    • The DPO monitors compliance and advises the organisation on its data protection obligations
    • The DPO cooperates with the supervisory authority and is its point of contact
    • Cross-border cases are investigated jointly by the supervisory authorities involved
  8. Each supervisory authority publishes an annual report on its activities
  9. A board, the European Data Protection Board (EDPB), handles the overall governance of the guidelines:
    • It decides by simple majority; its own rules of procedure require a 2/3rds vote
    • A chairperson is elected from among its members
    • Its secretariat is provided by the European Data Protection Supervisor
  10. Complaints about mishandled info are lodged with a supervisory authority; the EDPB settles disputes between authorities
  11. Users have the right to sue, and to compensation, if their data gets mishandled:
    • Controller and/or Processor may be held liable, as the evidence warrants
    • Administrative fines are capped, but the cap is not small: up to €20M or 4% of worldwide annual turnover, whichever is higher
  12. Every 4 years starting 5/25/2020, the Commission is expected to send a report on the evaluation and review of the regulation to the European Parliament and the Council; it is made public

When it goes wrong

It is important to mention that European rules for handling personal data are stricter than those in the United States, which has no single federal equivalent and relies on sector- and state-specific laws instead. A violation of the GDPR, or of the cookie rules it backs, has real consequences. In January 2023 the French regulator CNIL fined TikTok over a cookie banner that made refusing tracking harder than accepting it: tiktok-fined-54-million-by-french

Conclusion:

Consumers (visitors to a website) have the right to understand how their information is being used by Companies and how to ensure their privacy is not being violated. Next time you visit a website and get a prompt to accept/decline cookies, you'll know the true power you have over your information and how it should be used.

END OF LINE

Friday, January 20, 2023

Security Testing Journal Entry | w/e Friday January 20, 2023


Highlights for the week

Work to continue personal improvements, one discipline at a time. The best part about this week was the continued emphasis on positive thinking manifesting positive results. In so doing, I had a couple of interviews that went extremely well. I also coordinated efforts with a QA director of a company I'm quite familiar with, and have friends that work there.


What We Loved

  1. Making new contacts
  2. Finally starting Network+ learnings
  3. Finally writing again. Starting a book!
  4. 2 successful interviews for QA Lead positions, promising big $$ for setting up QA from scratch
  5. Successful conversation with mentor - new mission to accomplish

What We Learned

  1. Started on the fundamentals of Networking: OSI, protocols, different connector types, different cable types
  2. Moving through BurpSuite quite nicely - learned about login exploits
  3. Set up metasploit on my machine, required another VM but it works .. next is a few tutorials

What We Longed For

  1. Miss having connections with people, namely the Security team and Unq
  2. The cool job at IBM didn't happen .. but was worth the try!

What We Loathed

  1. Nothing really bad happened. Positive vibes this week!!

Friday, January 13, 2023

Security Testing Journal Entry | w/e Friday January 13, 2023


It has been a somewhat productive, mostly fun week

Two weeks of the new year in the bag, and I feel fine!

Unemployment has been a drag. I will go on about this in a separate entry, but for the most part the job search has been rough. Part of me needs a job to pay the bills and what-not, the other part of me is so over everything. What's the point of going through the circle-jerk of looking for a job you'll ultimately end up losing if you're not playing the game the right way. It's not fair that bad decisions by executives result in job loss.

Regarding the job search, had a great first-round interview with one company, and had something great happen on Slack that led to applying for another job. A really great third opportunity was missed due to the policy of being hybrid (x-days in office, y-days out), with the office being located in Atlanta. I can't wait to hear back from either IBM or BRIGHT .. two potential job leads leaning towards the cybersecurity world. Not quite there yet, but a foot in the door at a Cybersecurity company would be killer! Will need to rein in the learnings and focus on security auditing and risk analysis. Stay tuned!!

I've made a concerted effort to continue the Cybersecurity learnings. Boy oh boy, has there been a lot learned!


What We Loved

  1. Made a couple of new connections, one resulting in a potential job (fingers crossed).
  2. Started some Cypress learnings with Typescript. The purpose is for a second job that is in the works!
  3. Started on Network+ Learning. Might double-up with Security+ (3rd go-around).
  4. Made a lot of progress w. Burp Suite, namely file directory traversal, OAuth hacking, and currently brute-force authentication

What We Learned

  1. Network+: Basics of network architecture; topologies, virtual networks, and cabling.
  2. Burp Suite: Authentication Bypass.
  3. GDPR: completed learning some time ago.
  4. Windows Fundamentals: completed the HTB learning module.
  5. Cypress w. Typescript (work in progress)
  6. Python Practice (need to fix web driver)

What We Loathed

  1. Job search hasn't been as fruitful as I'd like. It's been an absolute horror. Closing in on 5 months.
  2. The idea of posting my weekly "wins" on LinkedIn annoys me. I prefer to be the "silent option".

What We Longed For

  1. I need a job to subsidise my learning.
  2. I need a better mentor to provide some kind of guidance, or at least a gameplan. Current has been "absent" going on 3 weeks.

Monday, January 2, 2023

New Me in 2023

Boy oh Boy!

It has been a crazy-busy-hectic-dramatic-awesome two years since my last post. I fervently propose to renew the discipline of writing and plan to keep this blog refreshed. This is going to be a short post, with a lot of events to unpack in a year-by-year basis, starting from the point of the last post. Here are some topics:

  1. July 2020 - December 2020: persistent lock-downs, working from home became the norm, and so on
  2. 2021: Lockdowns continued; tons of security breaches; thoughts of return to the office laughable; Quarantine-15 is real; travelled
  3. 2022: 2 Jobs lost (personally); mass job loss in tech; a war in Ukraine; Twitter taken over by Elon Musk; and oh so much more

What we longed for

Rest & relaxation!

This is just a super-brief summation (#tl;dr). There is going to be more ... promise! This is just the beginning