Senior Security Researcher at Sonatype.
Author at CSO Online, BleepingComputer, CIO, Security Report, Hacker Noon, …
M.S. in Computer Science, Georgia Tech.
B.S. in Software Engineering, Drexel University
Endorsed as an Exceptional Talent, a recognised leader in Tech by the British Government and frequently featured by leading media outlets like Fortune, The Register, and CIO, Ax Sharma is a Security Researcher, Threat Intel Analyst, and Tech Reporter who holds a passion for perpetual learning. In his spare time, he loves exploiting vulnerabilities, ethically, and educating a wide range of audiences via blogging and vlogging. He’s an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
Ax’s expertise lies in malware analysis, vulnerability research, threat intelligence analysis, and web app security. Through responsible disclosure, he has previously exposed serious bugs and security vulnerabilities affecting national & global organisations like HM Government, Yodel, U.S. DHS, P.F. Chang’s, Planet Fitness, Comcast/Arris, Ellucian, and the popular restaurant chain, Buca di Beppo.
In early 2018, Ax helped prevent a massive data breach at Georgia Tech by going public with a serious flaw that was left unpatched for over a year. He hence earned himself a place on Tech’s Vulnerability Reporters “hall of fame” page.
To consult Ax for your next big security project or for media source requests, drop him a note here.
Ax’s hobbies include working out, reading, playing piano and developing innovative, upcoming web projects.
- DNS over HTTPS, DNS over TLS explained: Encrypting DNS traffic
  Being the backbone of the internet, the Domain Name System (DNS) protocol has undergone a series of improvements and enhancements over the past few years. The lack of stringent protections in the original DNS specification and discovery of security weaknesses over time, such as the decade-old Kaminsky bug, gave birth…
- 5 tips for a successful penetration testing program
  With the rise in enterprise data breaches and ransomware cyberattacks making headlines, conducting thorough security assessments has become an inevitable part of running a business operation that handles customer data. The data protection requirements brought forth by compliance bills, both in the US and around the world, have further put…
- The state of the dark web: Insights from the underground
  Lately, dark web actors have one more worry: getting caught by law enforcement. Tracking dark web illegal activities has been a cat-and-mouse game for authorities, but in the end, they often catch their adversaries and seize the dodgy money. On the night of the 2020 presidential election, for example, US…
- The Windows Bad Neighbor vulnerability explained — and how to protect your network
  In October 2020, Microsoft patched a set of vulnerabilities that included critical networking bugs CVE-2020-16898 and CVE-2020-16899. Known as “Bad Neighbor” or “Ping of Death Redux,” these flaws lurk in the TCP/IP networking implementation in Windows in how incoming ICMPv6 packets are handled under certain conditions.…
- Windows code-signing attacks explained (and how to defend against them)
  Code signing is a mechanism by which software manufacturers assure their consumers that they are running legitimate software, signed by its manufacturer via cryptography. This ensures that the software release wasn’t tampered with while making its way from the manufacturer to the end-user and is especially relevant when downloading software…
- Homomorphic encryption: Deriving analytics and insights from encrypted data
  Homomorphic encryption definition: What do you do when you need to perform computations on large data sets while preserving their confidentiality? In other words, you would like to gather analytics, for example, on user data, without revealing the contents to the computation engine that is going to calculate the analytics.…
- 4 best practices to avoid vulnerabilities in open-source code
  This year presented even more challenges for ensuring the integrity and security of open-source ecosystems. Open source has been the greatest boon to developers in that virtually anyone can use and customize it, typically at no cost, and contribute to the community. What has been a means of ensuring greater…
- RDP hijacking attacks explained, and how to mitigate them
  RDP hijacking definition: One means of compromising systems cherished by malware authors is Remote Desktop Protocol (RDP). It provides a convenient way for system administrators to manage Windows systems and help users with troubleshooting an issue. RDP hijacking attacks often exploit legitimate features of the RDP service rather than purely relying…
- 5 best practices to secure single sign-on systems
  The recent “Sign in with Apple” vulnerability earned a researcher $100,000 as a part of Apple’s bug bounty program. The flaw itself arose from an OAuth-style implementation that did not properly validate JSON Web Token (JWT) authentication between requests. This would have allowed a malicious actor to “Sign in with…
- John the Ripper explained: An essential password cracker for your hacker toolkit
  John the Ripper definition: First released in 1996, John the Ripper (JtR) is a password cracking tool originally produced for UNIX-based systems. It was designed to test password strength, brute-force encrypted (hashed) passwords, and crack passwords via dictionary attacks.…
- Where did these mysterious PrismJS npm versions come from?
  In 2015, strange 9000.0.x versions of PrismJS appeared on npm downloads, and nobody had a clue where they came from, or what purpose they served. Roughly four years later, PrismJS 9000.0.1 and 9000.0.2 were removed from npm for the reasons described below. But to date, no one seems to know anything more about this incident. PrismJS is a…
- NodeJS malware caught exfiltrating IPs, username, and device information on GitHub
  Multiple NodeJS packages laden with malicious code have been spotted on the npm registry. These “typosquatting” packages served no purpose other than collecting data from the user’s device and broadcasting it on public GitHub pages. The findings were spotted by Sonatype’s automated malware detection systems and further investigated by the company’s Security Research…
- Can a Windows wallpaper really hijack your Microsoft account password?
  This month security researcher bohops demonstrated a credential harvesting trick that uses Windows theme files. Setting a Windows wallpaper location to a file present at a remote location, for example, a password-protected HTTP(s) page, instead of a locally present image, can be abused for phishing. This happens because the password-protected…
- A malware alert left hundreds of Bank of America customers panicking
  According to reports, hundreds of Bank of America customers had trouble accessing their bank accounts yesterday due to Avast and AVG antivirus engines flagging the site as “malware.” Naturally, seeing a virus alert when visiting their banking website would worry any customer. “I’m using Home Banking site for Bank of…
- A peek inside the “fallguys” malware that steals your browsing data and gaming IMs
  This weekend a report emerged of mysterious npm malware stealing sensitive information from Discord apps and web browsers installed on a user’s machine. The malicious component called “fallguys” lived on npm downloads impersonating an API for the widely popular video game, Fall Guys: Ultimate Knockout. Its actual purpose, however, was rather…
- Do airplanes still use floppy disks for updates? Why?
  Airplanes are a luxury for most people to own, let alone toy with, given all the national security regulations. This year’s DEF CON, however, revealed a fascinating finding leaving many, including myself, surprised. July this year, British Airways announced it would retire its BOEING-747 fleet “due to the downturn in travel…
- Why don't Hulu or Netflix use 2-factor authentication?
  Streaming service accounts get compromised all the time either due to data breaches, credential stuffing attacks from leaked databases, or simply because of users employing weak passwords. How accessible a streaming service makes it for a rightful account owner to attempt recovery is what counts. However, in the case of…
- PlayStation discloses “severe” kernel vulnerability
  PlayStation has disclosed a severe use-after-free vulnerability, over three months after it was reported. The vulnerability discovered by researcher Andy Nguyen exists in PS4 Firmware versions 7.02 and below. After constructing a demonstrable Proof of Concept (PoC) exploit, the researcher had responsibly reported the flaw to the company in March 2020.…
- Hacking the antivirus: BitDefender remote code execution vulnerability
  What happens when the very antivirus designed to keep you and your organization safe becomes a threat vector for the attackers to exploit? Yesterday, I broke the news story on Bleeping Computer about a remote code execution vulnerability which was recently discovered and disclosed by security researcher and blogger Wladimir Palant. Palant explained how the…
- NHS contact-tracing app code hints at security and privacy bugs early on
  NHS recently announced plans to unveil their own coronavirus contact-tracing app, as opposed to joining leagues with Apple and Google, to have better visibility into citizen movements. Suffice to say, the plan has certainly raised eyebrows among privacy activists, lockdown sceptics, and opponents of “big government.” On the bright side, the NHS coronavirus app is…
- 5 ways cybersecurity awareness trainings can strengthen your organization
  According to an InfoScales report, 95% of successful cyberattacks have human error as the leading cause – most notably company employees falling for phishing scams. This is an important observation as cybersecurity efforts often intuitively focus largely on strengthening the technical controls in an organization to prevent data leakage, willful…
- 5 practical ways your organization can benefit from DevSecOps
  It’s right there in the moniker: DevSecOps, a portmanteau of Development, Security and Operations, implies introducing security early on – as a part of a comprehensive, agile Software Development Life Cycle (SDLC) used by your organization, rather than doing so iteratively or waiting until after a release. Given how security…
- Is our obsession with regulation killing the web?
  Anybody who’s been paying attention has noticed just how much the internet has changed within the last 10 years. From the humble looks of Google’s homepage to the vast existence of old-school message boards and a virtually irrelevant “social” media, the internet largely felt like an accessory, a toy you could play…
- 7 steps to landing your first IT job, fast
  IT is a constantly expanding sector with its ever-increasing demand for skilled talent and the projected scope for growth within the next few years. This is especially true for the Information Security subfield, for which the vacancies are drastically going up while the workers are struggling to catch up in…
- 7 ‘don’ts’ of diversity for fostering a healthy office culture
  Change at a workplace is hard and often comes with improvements and challenges which cannot be ignored. Change can be a struggle for employees who often need time to gradually adapt themselves to it, rather than feeling forced into it. Even minor changes, for example, changing your company’s choice of…
- 5 ways a global presence can benefit your tech company
  If you run a successful tech startup or an established business, primarily offering digital products and services, chances are you have a significant customer presence worldwide. There also lies a high probability that you leverage a remote workforce ‘round-the-globe, enabling increased collaboration over time zones. While staying local never hurt…