Tuomo Makkonen

Cloud WAFs in 2024: How do they stack up? We've updated our comparison of leading cloud-based Web Application Firewalls, testing their ability to block common and bespoke web attacks. blog.fraktal.fi/comparing-clou…

A few thoughts / hypotheses prompted by Anthropic’s report on Chinese use of AI to automate attacks and other similar threat profiles. 1. Attackers have always been more resource constrained (“attackers have bosses and budgets too”) than vulnerability constrained. 2. Many breaches are at targets of opportunity vs. explicitly targeted organizations. 3. Many attacks go after the easiest to exploit / chain vulnerabilities. 4. AI is going to keep profoundly adjusting the productivity of attackers and make them less resource constrained. 5. Additionally, we will see a wall of vulnerabilities coming from there being more software produced (courtesy of AI) with a greater density of vulnerabilities coupled with more capabilities (courtesy of AI) to find more vulnerabilities. 6. So, attackers will have more ability to exploit more vulnerabilities in more targets of opportunity. The outlook is pretty grim. But, while being short term pessimistic, I am still long term optimistic if we keep adapting: A. Relentlessly implement strong baselines of control (e.g. strong perimeters, strong authentication, software allow-listing, relentless patching of easy to exploit vulns, etc.) B. Implement architectural choices to reduce whole classes of vulnerability (e.g. binary authorization, memory safety, supply chain controls, etc.) C. Aggressively and quickly focus on being totally defended against known exploitable / exploited vulnerabilities. D. Adopt approaches to disrupt the economics of even AI-driven attacker productivity (e.g. deception tech, moving target defenses etc.) E. Defensive adoption of AI technology to drive productivity and open up new economic possibilities for continuous finding and fixing of vulns (e.g. automated red-teaming, automated vuln remediation etc.) F. Double down on a “digital immune system” to keep working towards attackers spending their “bullets” once, by automating the effects of information sharing. What else?

Good read aff-wg.org/2025/09/26/ana…

@16footcatgirl 2021: smug swe to crying blue collar: learn to code 2024: smug blue collar to crying swe: learn to weld 2025: smug LLM to crying vibe coder: learn to code

We analyzed 800k web apps for risks related to external script dependencies and found all sorts of issues like expired domains, abandoned cloud infra, and embedded malicious JavaScript. blog.fraktal.fi/examining-exte…

Well at least the issue is settled.

We misunderstood the concept of afterlife. What the religious texts meant to say is that the essence of your online life will be preserved as the weights of an LLM that handles airline customer support and prescribes Viagra in a telehealth app.

Android Apps Full Storage Attack. Introduction The Full Storage Attack… | by Toni Huttunen | Nov, 2024 | Fraktal blog.fraktal.fi/android-apps-f…

We are releasing an affordable, open-source laser injection technology for security testing of semiconductors. Now, this technology is accessible to hobbyists, educators, and professionals everywhere. blog.fraktal.fi/laser-fault-in…

The cloud security paradox: any single tech company is probably capable of safeguarding your data 10x better than you can. But if 500 tech companies all have your data, the math doesn't work out in your favor.

You: *pronounces Regex as it's written* Most annoying guy you know, barely able to conceal his delight: what did you just say

🔺New on the Apple Security Research blog: introducing PQ3, a groundbreaking post-quantum cryptographic protocol for iMessage. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world. security.apple.com/blog/imessage-…

As 2024 dawns, I feel I have no choice but to deliver a stern warning about reliance on computer algorithms we don't understand, such as fast Fourier transform, Huffman coding, or heapsort

Our first speaker is @svitlanaExe from @FraktalCyber, with the "LLM Wizardry in a Muggle World of Security Consultancy " talk! #TurkuSec #CitySec #meetup

Some new hardware hacking related stuff fresh out our lab: blog.fraktal.fi/ubi-or-not-ubi…

Red teamauksessa yritetään käyttää oikeiden hyökkääjien menetelmiä kohdeorganisaation tietoturvallisuuden testaamiseen. Tähän salaisuuksien, uhkien ja suljettujen ovien maailmaan sujahdetaan tämänkertaisessa podcastissa, jossa vieraana on @TMakkonen. koodarikuiskaaja.fi/podcast/tietot…

AI is just someone else's algorithm.

OSDP is becoming increasingly pivotal in the realm of access control systems. Fraktal's Knud recently gave a talk in #BruCON0x0F where he delves deep into the current state of physical #AccessControl, and ways to ensure secure #OSDP installations. m.youtube.com/watch?v=uwKBKx…

🛠️ Exploring advanced #Kubernetes security? Check out our new post, where we delve into integrating Falco for threat detection, CRIU for container snapshotting, and OpenFaaS for automated incident response. 👉 blog.fraktal.fi/navigating-kub…

Results of Major Technical Investigations for Storm-0558 Key Acquisition msrc.microsoft.com/blog/2023/09/r…