Security Queens Hello World!
April Newsletter

How in tarnation is it May already?! The temperature is warmer, the sun is out, and we are very tempted to call it beer garden weather... or is it to early in the year for that?!

First thing's first, we are super happy to announce that both the Queens have recently passed their CREST Registered Tester exams (yippee!). With hopes to specialise in their own niches, CRT has been a great stepping stone in embracing the profession #notstudentsanymore. 

A follow up from our previous newsletter, you can now also purchase tickets for this year's Cheltenham Science Festival - if you have the time, Sophia will be speaking about car hacking in the Helix Auditorium @ 7pm on 07/06 with both the Queens featuring in a STEM panel for school students on Saturday morning. 

Sophia has also recently been nominated for this year's Cyberjutsu awards in the "Cyber Rising Star" category. The shortlist hasn't been released yet, but she is nevertheless incredibly humbled to have been nominated. 

Now moving onto industry news...

One of the biggest things to hit tech-news recently was Elon Musk purchasing Twitter. Elon has also called for adding support for end-to-end encryption to the direct message feature, similar to messaging clients like Signal.

Earlier in the month, a ransomware attack on Swissport caused huge delays at Zurich Airport. Fortunately, security teams were able to identify the attack and restore the systems swiftly.

At least five APTs are believed to be involved with attacks designed to damage Ukraine's infrastructure. According to the Microsoft published research, all the APTs involved in the campaigns were state-sponsored by Russia in an act of "hybrid war". 

A few weeks ago Google removed more than a dozen apps from it's Play Store after learning they were harvesting phone data. The applications contained code which harvested location data, numbers and email addresses. The applications that were removed include a QR code scanner and a weather app - some of which had been downloaded more than 10 million times. 

The Internet Engineering Task Force (IETF) has recently published a new RFC for a security.txt file. RFC 9166 was published in an attempt to make security vulnerability disclosure easier for researchers, and currently holds an "informational" status. The RFC recommends that the text file should be placed in an easily accessible location, and must include an email of which security flaws can be reported. 

To round things off, researchers have discovered that millions of Java applications remain vulnerable to Log4Shell. This comes four monthsafter the flaw was discovered in the Apache Log4j library, that is easily exploited and can allow remote code execution. 

Whilst the sun is still shining (at least here in the UK!) - go grab a few rays and pints this fine bank holiday weekend, and as always you can find our most recent posts below... 

Lots of love,

The Security Queens xxx


Understanding Unix File Permissions
Estimated difficulty:  πŸ’šπŸ€πŸ€ If you are a newbie in security and want to start learning about Unix, then this is a great post for you. This will be a quick…
Zoning Out: An Introduction to DNS Zone Transfers
Estimated difficulty: πŸ’œπŸ’œπŸ€πŸ€πŸ€ DNS (Domain Name System) zone transfers are used to help replicate databases across different domain servers, allowing administrators to modify or edit records easily by implementing the…
Deauth Yourself: How to Build a Deauthenticator
Estimated difficulty: πŸ’œπŸ€πŸ€πŸ€ 🀍 Welcome to the wonderful world of hardware. This blog post is a walkthrough of how to build a deauthenticator; a pocket-sized tool that you can create…
Twitter LinkedIn Youtube Instagram
Modify your subscription    |    View online