New data shows 90% of NEDs lack confidence in cybersecurity value. CISOs and CIOs must translate cyber risk into business impact.
The post CISOs, CIOs and Boards: Bridging the Cybersecurity Confidence Gap appeared first on Security Boulevard.
How rule-based finance automation reduces manual work and speeds up processing.
The post What are automated workflows in accounting, and how do they save time? appeared first on Digital Trends.
Welcome back, my aspiring cyberwarriors!
Every few minutes an airplane may fly over your head, maybe more than one. If you live close to an airport, the air traffic in your area is especially heavy. Services like Flightradar24 show information about aircraft in the air with surprising accuracy because they get data using the ADS-B protocol. You can collect that data yourself, and here we will show how.
Of course, everyone has flown on a plane or at least seen one. These large metal birds circle the globe and carry hundreds of millions of people to different parts of the world. That wasn’t always the case. Just 100 years ago people mostly moved by land and there were no highly reliable flying machines. After planes were invented and commercial flights began, it became clear that we needed a way to track aircraft in the sky, otherwise accidents would be unavoidable. Radar and visual observation are not enough for this, so radio communication came into use. Now every aircraft has an aviation transponder on board. It makes life much easier for dispatchers and pilots, as the aircraft sends data from onboard sensors and receives instructions from the ground while in flight.
Put simply, an aviation transponder is a two-way radio device that does two things:
1. Answers queries from ground stations: when an air traffic controller requests data, the transponder replies automatically. A query for data is also called interrogation.
2. Acts as an airborne radio beacon: in this mode the transponder periodically broadcasts information about itself, for example position or speed.
There are different generations or modes of transponders. Each was created for different purposes and has its own signal structure. Although newer modes keep the features of the older ones, the signal protocols are not mutually compatible. There are five main modes:
1. Mode A: transmits only the aircraft’s identification code. This code can be hard-programmed into the transponder or assigned by the dispatcher before flight. In practice Mode A was mostly used to track which aircraft was at which airport.
2. Mode C: developed later, it allowed tracking not only the aircraft ID but also flight altitude. Its main advantage was that altitude could be obtained automatically without asking the pilot.
3. Mode S: this is the modern mode used on about 99% of all aircraft today. It allows not only reading sensor data from the aircraft but also sending data back to the plane. In Mode S an aircraft has full two-way communication with ground stations. ADS-B, which we will look at today, is part of this mode.
4. Mode 4 and Mode 5: these are more advanced but used only by the military. Both are much better protected (that is, they have some security, unlike the older modes), so they are not something we can play with.
A careful reader will notice we did not include Mode B or Mode D in the list. Both existed only briefly, so it makes little sense to discuss them here.
If you read the description of Mode S closely, you’ll notice that Mode S messages are normally sent by the transponder in response to a ground station query. All of them except ADS-B. ADS-B stands for Automatic Dependent Surveillance Broadcast. In plain English that means it is an automatic flight-tracking system. The word “Broadcast” means the messages are sent out to everyone, not to a specific recipient, and that lets us receive them.
Many people treat ADS-B as a separate transponder mode on the same level as Mode A, C, or S, but actually ADS-B is just a part of Mode S. An ADS-B message is simply a Mode S message with type 17.
We will focus on ADS-B (type 17) in this article, but it helps to know about other Mode S message types for context:
All-call reply (type 11): the transponder replies to a ground interrogation with a unique 24-bit identifier. This number is usually programmed at the factory and does not change, although in military contexts it may be altered.
ACAS short and long replies (type 0/16): messages used by collision-avoidance systems. If a transponder detects another aircraft nearby it will send alerts to other systems that can prevent a mid-air collision.
Altitude and identity replies (type 4/5): messages containing altitude and the call sign (the so-called squawk code that the pilot enters before flight).
Comm-B (type 20/21): messages with readings from onboard sensors, planned route, and other data useful for aircraft control.
ACAS is especially clever in how it works, but discussing it in detail would take us beyond this article.
All Mode S transmissions to aircraft use 1030 MHz (uplink), and transmissions from aircraft to the ground use 1090 MHz.
The radio transmission itself is not encrypted. It carries a lot of useful information about the aircraft’s position, altitude, speed, and other parameters. That is how services like Flightradar24 started making aircraft information available to everyone for free. These services collect data from many sensors installed by volunteers around the world. You can become one of those volunteers too. All you need is to sign up and get a receiver from a service operator for installation.
ADS-B signals are transmitted by aircraft on 1090 MHz, just like the other Mode S signals. The other frequency, 1030 MHz (uplink), is not needed for ADS-B because ADS-B transmissions are sent without being asked.
Pulse-Position Modulation (PPM) is used to encode the signal. In basic terms, the transmitter sends bits over the air that can be read by sampling the signal every N microseconds. On ADS-B each bit lasts 0.5 microseconds, so you can sample every 0.5 μs, see whether the signal level is high or low at each moment, record that, then convert the result into bytes to reconstruct the original message. That’s the theory, in practice it’s more challenging.
If you take the raw sampled data you first get a bit of a mess that must be parsed to extract useful information. The messages themselves have a clear structure, so if you can find repeated parts in the data stream you can reconstruct the whole packet. A packet consists of a preamble and the data payload. The preamble lasts 8 μs, and then the data follows for either 56 or 112 μs.
The preamble is especially important because all aircraft transmit on the same frequency and their signals can arrive at the receiver at the same time. Loss of overlapping signals is handled simply: if a receiver fails to catch a message, some other receiver will. There are many receivers and they cover all inhabited land on Earth, so if a particular signal is too weak for one receiver it will be loud enough for another. This approach doesn’t guarantee every single signal will be caught, but ADS-B messages are transmitted repeatedly, so losing some packets is not a disaster.
We already said each bit is encoded as 0.5 μs, but to make reception easier a convention was introduced where one real bit is encoded using two half-microsecond elements. A logical one is encoded as “1 then 0”, and a logical zero as “0 then 1”. For example, data bits 1011 would be transmitted as 10011010. This does not complicate the receiver much, but it protects against noise and makes the signal more reliable. Without this doubling, a sequence of zeros would look like silence. With it the receiver always detects activity, even when zeros are sent.
Suppose we decoded the signal and found a message. Now we need to decode the payload and filter out unwanted messages (that is, all Mode S messages except ADS-B).
The ADS-B message length we care about is 112 μs, which corresponds to 112 bits (thanks to the two-half-microsecond coding!). The message divides into five main blocks:
1. DF (Downlink Format) – the format code, 5 bits. For ADS-B this is always 17.
2. CA (Transponder capability) – type of transponder and its capability level, 3 bits. This tells a controller what data can be requested from this transponder. This field can be 0, 4, 5, or 6. Values 1–3 and 7 are reserved for future use. 0 means a first-level transponder, usually without ACAS. 4 means a second-level (or higher) transponder that can send altitude (i.e., supports Mode C and Mode S) but does not have ACAS. 5 and 6 are like 4 but with ACAS support: 6 indicates ACAS may be enabled, 5 indicates ACAS may be present but disabled.
3. ICAO — unique aircraft number, 24 bits. This number identifies the signal sender. It is typically programmed once at the factory and does not change during operation, although some people know how to change it. Military transponders follow different rules, so anything can happen there.
4. ME (Message) – the actual payload with data about altitude, speed, or other information. Length is 56 bits. We will look at this block in detail below.
5. PI (Parity/Interrogator ID) – checksum, 24 bits.
The ME field is the most interesting part for us because it carries coordinates, speed, altitude, and other data from onboard sensors. Since 56 bits are not enough to carry all possible data at once, each message has a type indicated by the first five bits of ME. In other words, there is a nested format: Mode S uses a certain message type to indicate ADS-B, and ADS-B uses its own internal type to say what data is inside.
ADS-B defines 31 data types in total, but we will review only the main ones.
Type 1-4: identification messages. They contain the call sign and other registration/identification information (for example, whether this is a light aircraft or a heavy one). These call signs are shown on airport displays and usually reflect the flight number. A decoded message looks approximately like this:
Type 5-8: ground position. These messages are used to know where and on which runway the aircraft is located. The message may include latitude, longitude, speed, and heading. Example decoded message:
Type 9-19: airborne position (usually transmitted together with altitude). It is important to understand that you will not always find latitude and longitude in the usual long numeric form in these messages, instead a compact notation is used.
Type 19: aircraft velocity.
We could go bit-by-bit through the structure of each message, but that takes a long time. If you are really interested you can find ready ADS-B parsers on GitHub and inspect the formats there. For our purpose, however, diving deeper into the protocol’s details isn’t necessary right now, because we are not going to transmit anything yet.
To describe a location, we usually use latitude and longitude. A 32-bit floating number can store them with about seven decimal places, which is accurate down to a few centimeters. If we don’t need that much detail and are fine with accuracy of just tens of centimeters, both latitude and longitude together could be stored in about 56 bits. That would have been enough, and there would be no need for special “compressed” coordinate tricks. Since an airplane moves at more than 100 meters per second, centimeter-level accuracy is useless anyway. This makes it strange why the protocol designers still chose the compact method.
CPR (Compact Position Reporting) is designed specifically to send coordinates compactly. Part of CPR was already visible in the coordinate example earlier. Because it’s impossible to compress a lot of data into a small field without loss, the designers split the data into parts and send them in two passes with packets labeled “even” and “odd”. How do we recover normal coordinates from this? We will show the idea.
Imagine all aircraft flying in a 2D plane. Divide that plane into two different grids and call them the even grid and the odd grid. Make the even grid 4×4 and the odd grid 5×5. Suppose we want to transmit a position that in a 16×16 grid is at (9, 7). If we had one grid we would just send 9 and 7 and an operator could locate us on the map. In CPR there are two grids, though.
In these grids we would represent our position (9, 7) as (1, 3) on the even grid and (4, 2) on the odd grid. When an operator receives both messages, they must align the two grids.
If you overlay the grids with the received coordinates, the point of intersection is the true location.
We described the algorithm without math so you can imagine how coordinates are reconstructed from two parts. The real grids are far more complex than our toy example and look like the image below.
Now that we understand the main parts of the protocol, we can try to receive a real signal. To receive any such signal you need three basic things: an antenna, a receiver, and a PC.
Start with the most important item, which is the antenna. The choice depends on many factors, including frequency, directionality of the signal, and the environment where it travels. Our signal is transmitted at 1090 MHz, and we will receive it outdoors. The simplest antenna (but not the most efficient) is a straight rod (a monopole). You can make such an antenna from a piece of wire. The main thing is to calculate the right length. Antenna length depends on the wavelength of the signal you want to receive. Wavelength is the distance between two neighboring “peaks” of the wave.
Lambda (λ) is the wavelength. You get it from frequency with the formula λ = C / f, where C is the speed of light and f is the signal frequency. For 1090 MHz it is about 27.5 cm. If you take a metal rod of that length you get a full-wave antenna, which you can safely shorten by half or by four to get a half-wave or quarter-wave antenna, respectively. These different designs have different sensitivity, so I recommend a half-wave antenna, which should be roughly 13.75 cm long.
We won’t build our own antenna here. It is not the simplest task and we already had a suitable antenna. You might use radio handheld antennas if you receive outdoors and there isn’t too much interference. We use a simple vertical coil-loaded whip antenna. It behaves like a whip but is shorter because of the coil.
You can measure antenna characteristics with a special vector network analyzer that generates different frequencies and checks how the antenna reacts.
The output from NanoVNA looks complicated at first, but it’s simple to interpret. To know if an antenna suits a particular frequency, look at the yellow SWR line. SWR stands for standing wave ratio. This shows what part of the signal the antenna radiates into the air and what part returns. The less signal that returns, the better the antenna works at that frequency. On the device we set marker 1 to 1090 MHz and SWR there was 1.73, which is quite good. Typically an antenna is considered good if SWR is about 1 (and not more than 2).
For the receiver we will use an SDR dongle. It’s basically a radio controlled by software rather than a mechanical dial like old receivers. Any SDR adapter will work for ADS-B reception, from the cheap RTL-SDR to expensive devices like BladeRF. Cheap options start around $30, so anyone can get involved. We will use a BladeRF micro, as it supports a wide frequency range and a high sampling rate.
Once you have an antenna and an SDR, find a place with few obstructions and low interference. We simply drove about ten kilometers out of town. Signals near 1 GHz (which includes ADS-B) don’t travel much past the horizon, so if you don’t live near an airport and there are obstacles around you may not catch anything.
To inspect the radio spectrum we use GQRX. This program is available for Linux and macOS. On Windows we recommend SDR#. In Ubuntu GQRX can be installed from the standard repositories:
bash$ > sudo apt update
bash$ > sudo apt install -y gqrx
Then increase the volume, select your SDR as the input source, and press the large Start button. If everything is set up correctly, your speakers will start hissing loudly enough to make you jump, after which you can mute the sound with the Mute button in the lower right corner.
You can choose the receive frequency at the top of the screen, so set it to 1.090.000, which equals 1090 MHz. After that you will see something like the screenshot below.
The short vertical strips near the center are ADS-B signals, which stand out from the background noise. If you don’t see them, try changing the gain settings on the Input Controls tab on the right. If that does not help, open FFT Settings and adjust the Plot and WF parameters. You can also try rotating the antenna or placing it in different orientations.
When you get stable reception in GQRX you can move to the next step.
In practice, people who want to receive and decode Mode S signals usually use an existing program. A common open-source tool demodulates and decodes almost all Mode S signals and even outputs them in a neat table. To verify that our setup works correctly, it’s best to start with something that’s known to work, which is dump1090.
To install it, clone the repository from GitHub and build the binary. It’s very simple:
bash$ > git clone https://github.com/antirez/dump1090
bash$ > cd dump1090
bash$ > make
After that you should have the binary. If you have an RTL-SDR you can use dump1090 directly with it, but we have a BladeRF which requires a bit more work for support.
First, install the driver for your SDR. Drivers are available in the repositories of most distributions, just search for them. Second, you will need to flash special firmware onto the SDR. For BladeRF those firmware files are available on the Nuand website. Choose the file that matches your BladeRF version.
Next, download and build the decoding program for your SDR:
git clone https://github.com/Nuand/bladeRF-adsb
cd bladeRF-adsb/bladeRF_adsb
make
Then flash the firmware into the BladeRF. You can do this with the bladerf-cli package:
bash$ > bladeRF-cli -l ~/Downloads/adsbxA4.rbf
Now run dump1090 in one terminal and bladeRF-adsb in another (the commands below are examples from our setup):
bash$ > ~/Soft/dump1090/dump1090 --raw --device-type bladerf --bladerf-fpga ' '
bash$ > ~/Soft/Blade/bladeRF-adsb
If everything is correct, in the dump1090 window you will see many hexadecimal lines, those are Mode S messages that still need to be decoded and filtered.
If you remove --raw from the dump1090 startup arguments, the program will automatically decode messages and display them in a table.
Now you’ve seen how aircraft transponders work, what ADS-B actually is, and how signals at 1090 MHz can be received and decoded with simple equipment. None of this requires expensive tools, just an antenna, a software-defined radio and some patience. Once it’s ready, you can watch the same kind of live flight data that powers big services like Flightradar24. We kept the heavy math out of the way so it stays approachable for everyone, but still leaves you with something useful to take away. It’s possible to push yourself further and do it the hard way without relying on tools like dump1090, but that path takes a lot more time, patience, and willingness to grind through the details.
The post SDR (Signals Intelligence) for Hackers: Capturing Aircraft Signals first appeared on Hackers Arise.
Last Updated on October 8, 2025 by Narendra Sahoo
In the era where technology plays a core part in everything, fintech and blockchain have emerged as transformative forces for businesses. They not only reshape the financial landscape but also promise unparalleled transparency, efficiency and security as the world move forward to digital currency. That’s when you know being updated about SOX Compliance in Blockchain & Fintech are important than ever.
As per the latest statistics by DemandSage, there are around 29,955 Fintech startups in the world, in which over 13,100 fintech startups are based in the United States. This shows how much business are increasingly embracing technology to innovate and address evolving financial needs. It also highlights the global shift towards digital-first solutions, driven by a demand for greater accessibility and efficiency in financial services.
On the other hand, blockchain technology, also known as Distributed Ledger Technology (DLT) is currently valued at approximately USD $8.70 billion in USA and is estimated to grow an impressive USD $619.28 billion by 2034, according to data from Precedence Research.
However, as this digital continues the revolution, businesses embracing these technologies must also prioritize compliance, security, and accountability. This is where SOX (Sarbanes-Oxley) compliance plays an important role. In today’s article we are going to explore the reason SOX Compliance is crucial for fintech and blockchain industry. So, lets get started!
The Sarbanes-Oxley Act (SOX), passed in 2002, aims to enhance corporate accountability and transparency in financial reporting. It applies to all publicly traded companies in the U.S. and mandates strict adherence to internal controls, accurate financial reporting, and executive accountability to prevent corporate fraud.
To read more about the SOX you may check the introductory guide to SOX compliance.
Blockchain technology and fintech solutions disrupt traditional financial systems by offering decentralized and automated alternatives. While these innovations bring significant benefits, they can also obscure transparency and accountability, two principles that SOX aims to uphold. SOX compliance focuses on accurate financial reporting, strong internal controls, and prevention of fraud, aligning with both the potential and risks of emerging technologies.
Blockchain technology is often touted for its transparency and immutability. However, errors in smart contracts, incorrect data inputs, or cyberattacks can lead to inaccurate financial records. SOX compliance mandates stringent controls over financial reporting, ensuring that organizations maintain reliable records even when leveraging blockchain.
Fintech platforms and blockchain ecosystems often operate without centralized oversight, making it challenging to identify and address fraud or anomalies. SOX’s requirement for management’s assessment of internal controls and independent audits provides a critical layer of oversight, helping organizations address vulnerabilities in decentralized environments.
The trust of investors, customers, and regulators is paramount for fintech and blockchain companies. Adhering to SOX requirements demonstrates a commitment to transparency and accountability, promoting confidence among stakeholders and distinguishing compliant organizations from their competitors.
4. Addressing regulatory scrutiny
As blockchain and fintech solutions gain adoption, regulatory scrutiny is intensifying. SOX compliance ensures that organizations are prepared to meet these demands by maintaining rigorous financial practices and demonstrating accountability in their operations.
Many organizations are integrating traditional financial systems with blockchain-based solutions. This hybrid approach can create gaps in controls and reporting mechanisms. Leveraging blockchain in compliance with SOX helps bridge these gaps by enforcing comprehensive internal controls that adapt to both traditional and innovative systems.
By enforcing stringent controls and systematic processes, SOX compliance encourages better business practices and operational efficiency. This results in more accurate financial reporting, reduced manual interventions, and streamlined processes, which ultimately support better decision-making and resource allocation.
Blockchain and fintech are continuously evolving, and organizations must adapt to new technologies. SOX compliance offers a flexible framework that can scale and evolve with these changes, ensuring that financial reporting and internal controls remain relevant and effective in the face of new technological challenges and opportunities.
In the fast-paced era of blockchain and fintech, SOX compliance has evolved from a regulatory necessity to a strategic cornerstone. By driving accurate financial reporting, minimizing risks, and cultivating trust, it sets the stage for lasting growth and innovation. Companies that prioritize compliance and auditing standards don’t just safeguard their operation, but they also position themselves as forward-thinking leaders in the rapidly transforming financial landscape.
The post SOX Compliance and Its Importance in Blockchain & Fintech appeared first on Information Security Consulting Company - VISTA InfoSec.
CIPHER BRIEF REPORTING – The military government ruling Myanmar designated a significant ethnic rebel group as a terrorist organization on Thursday, just months before December’s planned elections. It may seem like just another headline in a far away land but the move to quell the Karen National Union (KNU) is a sign of what’s at stake in Myanmar, and how what’s happening there is shaping regional dynamics.
The country’s long-simmering civil war exploded after the 2021 coup that saw the military overthrow of the elected government led by Aung Aan Suu Kyi, uniting pro-democracy forces and ethnic militias against the junta.
But Myanmar’s civil war is not just a humanitarian catastrophe—it’s a geopolitical fault line. The protracted conflict has displaced over 2.6 million people, fueled transnational arms and drug networks, and drawn in outside powers like China and Russia—yet it remains largely absent from international policy debates.
Analysts warn that continued neglect could destabilize Southeast Asia for years to come, potentially empowering malign actors across the region.
“The United States has long had an interest in peace, stability and development in Asia and preventing the rise of a regional hegemon. The ongoing conflict in Burma challenges all of these interests,” Derek Mitchell, Senior Adviser at the Center for Strategic and International Studies, tells The Cipher Brief. “War and instability in a country at the cross-roads of Asia have cost the country billions of dollars in lost investment, led to cratering of the domestic economy, and unleashed an explosion of drug, human and weapons trafficking, infectious disease, and a humanitarian crisis that has driven millions into neighboring countries as refugees at the expense of regional stability and development.”
A Country in Collapse
Following the February 2021 coup, Myanmar’s military, known as the Tatmadaw, unleashed a violent crackdown on protestors. When bullets and fear emptied the streets, resistance went underground.
Today, that resistance has evolved into a full-fledged civil war encompassing a patchwork of People’s Defense Forces (PDFs), ethnic armed organizations (EAOs), and local militias.
Some of the most powerful EAOs, such as the Kachin Independence Army (KIA) in the north and the Karen National Liberation Army (KNLA) in the southeast, have aligned with the PDFs, forming temporary alliances against the common enemy. The junta, meanwhile, has regained territory in places like Nawnghkio, but at a high cost — both in casualties and growing resistance.
Just weeks ago, the junta said it transferred power to a civilian-led interim government and allowed the state of emergency in place since the coup, to expire ahead of elections set for December and January. The status quo hasn’t changed though, with coup leader Min Aung Hlaing retaining power. Western governments and several analysts have therefore dismissed the elections as a sham, expected to be dominated by military proxies and just a move to further entrench the military’s power.
The Cipher Brief Threat Conference is happening October 19-22 in Sea Island, GA. The world's leading minds on national security from both the public and private sectors will be there. Will you? Apply for a seat at the table today.
“The conflict in Myanmar undermines ASEAN unity and dilutes U.S. influence in the region because ASEAN is a weaker partner as a result, and more beholden to authoritarian partners in light of the Myanmar junta’s realignment with Beijing,” Hunter Marston, an Indo-Pacific security analyst focused on U.S. alliances, strategy and Southeast Asian geopolitics, tells The Cipher Brief. “At the same time, the conflict has facilitated the proliferation of crime and illicit economies flourishing in Myanmar’s borderlands, which have targeted U.S. citizens as well as other countries around the globe, raking in billions of dollars each year.”
ASEAN, the Association of Southeast Asian Nations, is a key regional bloc that the U.S. relies on to counterbalance China’s growing influence and advance diplomatic, economic, and security cooperation in the Indo-Pacific. The Association, long hampered by internal divisions and non-interference norms, has not intervened in Myanmar. Recent efforts to re-engage with the junta have made little impact and only highlighted the bloc’s diminishing leverage. A fractured or weakened ASEAN, experts caution, not only hampers coordinated regional responses but also complicates Washington’s efforts to engage effectively on shared challenges, from maritime security to transnational crime.
However, this is no longer just an internal fight concerning Myanmar. As the war drags on, it has become a new front in the global struggle between democratic and authoritarian powers.
China, Russia, and the Battlefield of Influence
Myanmar’s geographic position, wedged between China, India, and the Bay of Bengal, makes it a critical node in Southeast Asia’s strategic architecture. It is also a country rich in rare earth minerals, oil, gas, and hydropower — assets that Beijing, in particular, is keen to control.
China, which has long courted the Burmese military, has navigated a delicate balance in the conflict. While officially calling for peace and dialogue, Beijing has supplied the junta with arms and political cover. Meanwhile, its access to rare earth supply chains through northern Myanmar has become even more valuable amid global competition for strategic resources.
“The junta receives direct and indirect financial support from its sales of oil and gas to China and Thailand, limited trade with other ASEAN states such as Thailand, Singapore, Malaysia, and Indonesia, and direct cash transfers and assistance packages from China,” said Marston. “Its state-owned banks and companies also extract a great deal of revenue from natural resources across the country, as well as property taxes to a lesser extent in urban centers like Yangon and Mandalay.”
Russia, too, has deepened ties with the military regime. In recent years, Moscow has become a leading arms supplier and defense partner to the junta, eager to expand its influence in a region where Western alliances have weakened. Myanmar has reciprocated, with junta generals attending Moscow’s military parades and inviting Russian advisors into the country.
“This is no longer just a civil war — it’s an open door for authoritarian powers to gain a foothold in Southeast Asia,” one former U.S. official who worked on Myanmar policy tells The Cipher Brief.
Cross-Border Instability
The conflict’s repercussions are already spilling across Myanmar’s borders. In Thailand, shelling and firefights near the frontier have driven thousands of refugees into crowded border camps. In India’s northeast, cross-border insurgencies and weapons flows have revived longstanding security concerns. Bangladesh continues to shoulder the burden of over a million Rohingya refugees, with little prospect of safe repatriation as the military escalates its violence in Rakhine State.
Illicit arms trafficking, drug production in the Golden Triangle, and human smuggling have surged in tandem with the fighting. Some insurgent groups fund their campaigns through methamphetamine production and jade mining, while the junta leverages state-owned enterprises and military conglomerates to bankroll its war machine.
Mitchell emphasized that this has “also led to the proliferation of ‘scam centers’ along Burma’s border that are bilking Americans and others out of billions of dollars.”
“The violence and absence of an effective international response have created an opening for China to insert itself even further into the internal affairs of the country, corner its rare earths and broader resource market, and attempt to create a client state through which it would have strategic access to the Indian Ocean,” he added.
Washington’s Take
So, what is the United States government doing to address the Myanmar crisis?
The second Trump administration has taken a markedly different approach to Myanmar compared to the Biden era.
“The first Trump administration was slow to condemn the Myanmar military’s violent clearance operations against the Rohingya, which the Biden administration later confirmed met the criteria for genocide and crimes against humanity,” Marston said.
While sanctions against the military junta remain in place, the Trump administration has largely refrained from commenting on the country’s internal dynamics. Broadly, it has sharply reduced U.S. funding for democracy promotion, human rights, and independent media. American-backed outlets such as Voice of America and Radio Free Asia have been significantly affected—a move that Min Aung Hlaing publicly welcomed, expressing his “sincere appreciation” to President Trump.
In a notable diplomatic development in July 2025, President Trump sent a direct letter to Min Aung Hlaing regarding tariffs, which the junta interpreted as a form of public acknowledgment and a diplomatic victory, marking a departure from previous diplomatic isolation.
Furthermore, the Trump administration has enacted new travel restrictions, including a complete suspension of entry for Myanmar nationals as immigrants and non-immigrants, potentially preventing persecuted persons from reaching American soil.
This blend of continued sanctions with reduced democracy aid and a more transactional, direct communication approach with the junta underscores the Trump administration’s “America First” foreign policy, leaving the future of U.S. influence in Myanmar uncertain amidst the ongoing crisis.
There are, however, other efforts to bring Myanmar back into the limelight.
Recent legislative efforts, such as the “No New Burma Funds Act” introduced in July by Rep. Nikema Williams (D-GA), aim to curb indirect financial flows to the regime. These include revenues from natural gas exports involving foreign companies, fees paid to military-controlled infrastructure, and leakage from humanitarian aid operations in junta-held areas.
Additionally, Burmese gems and timber often reach U.S. markets via third countries, and digital platforms may unwittingly monetize content linked to the junta — all contributing to the regime’s financial lifeline.
According to Marston, “western countries could theoretically apply secondary sanctions on any country conducting business with Myanmar’s energy companies or state-owned banks, which would squeeze Thailand and Singapore in particular, along with China, but they have been unwilling to expend the political capital necessary to do so.”
“Furthermore, Washington has refrained from imposing the most comprehensive sanctions on Myanmar’s economy for fear of hurting the entire population and setting the country’s economic recovery back even further after previous rounds of sanctions in the 2000s,” he continued.
In addition, there is the “BRAVE Burma Act,” a bipartisan U.S. House bill introduced on May 5, 2025, by Representatives Bill Huizenga (R-MI) and Betty McCollum (D-MN), among other co-sponsors from both parties. This legislation, which has advanced in the House, aims to increase pressure on Myanmar’s military junta by requiring stronger sanctions on entities like state-owned enterprises and those involved in the jet fuel sector, and by establishing a U.S. Special Envoy for Burma.
“Right now, the administration should appoint a special envoy. Personnel is policy, and without a champion in Washington, US Burma policy will remain adrift,” Marston asserted.
Mitchell concurred that the Trump Administration “should appoint a special envoy based in the region to build closer relations with the (opposition) National Unity Government, ethnic leaders and other legitimate representatives of the Burmese people, and coordinate with our regional allies and partners on a common approach to the conflict.”
“The administration should make it clear that it does not consider the junta legitimate and that its pretensions to rule are unacceptable,” he continued. “To that end, it should tighten sanctions to shut off its access to money, weapons, and international legitimacy. Overall, the administration should recognize that China is taking advantage of our neglect and respond consistently with where developments in the country are trending.”
The Strategic Cost of Indifference
Entire towns have been razed. Schools and hospitals have been bombed. More than 18 million people—nearly a third of Myanmar’s population—now rely on humanitarian aid, according to the United Nations. The war has triggered one of the world’s largest internal displacements and turned Myanmar’s borderlands into a hotbed of organized crime, cyber scams, and weapons trafficking—networks that now reach far beyond Southeast Asia.
“The longer the U.S. stays disengaged, the more space there is for China and Russia to entrench themselves,” says Hunter Marston. “Without high-level diplomatic pressure or punitive measures, the junta will have no reason to pursue a negotiated solution, and the country’s collapse will continue to drag down the region.”
China has already endorsed Myanmar’s planned elections in December, despite ongoing civil war and widespread instability. In contrast, ASEAN has said elections should only follow a return to peace.
“Realistically, the only hope of pressuring the military to pursue peace talks is to win on the battlefield. Thus, it is essential to curb the military’s access to arms,” Marston stressed. “The only way to do that is by imposing secondary sanctions on Chinese weapons companies like NORINCO, which continue to provide munitions to the military. Doing so would put Beijing on notice that it no longer has carte blanche in Myanmar and would align with the goals of U.S. competition with China in checking China’s global military expansion.”
Mitchell also underscored that Washington’s only leverage for positive change lies in directly cutting off the junta’s financial streams. If Myanmar is allowed to fall fully into the grip of autocracy, crime syndicates, and foreign military powers, the consequences will not remain confined to its borders.
“Pressuring foreign banks (in Thailand and Singapore, for instance) into shutting off financial services to the junta, sanctioning Myanmar’s Central Bank, and imposing penalties on other banks inside and outside the country doing business with the junta can help shut off capital to the regime,” he said.
This is exclusive Subscriber+Member content.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.
Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts. Subscribe now.
Securing the Browser’s Blind Spot By Victoria Hargrove, CDM Reporter What CSide Does Most security stacks fortify servers, databases, and internal apps. CSide (Client-side Development, Inc. aka c/side) targets the...
The post Innovator Spotlight: CSide appeared first on Cyber Defense Magazine.
CIPHER BRIEF REPORTING -- President Donald Trump said Monday that he is moving forward with plans to arrange a meeting between Russian President Vladimir Putin and Ukrainian President Volodymyr Zelensky in what is being seen as the next crucial step toward bringing an end to Russia’s war in Ukraine.
A meeting at the White House on Monday with President Zelensky and senior European leaders provided a strong show of solidarity, and a striking visual contrast to President Trump’s one-on-one meeting on Friday with President Putin in Alaska, which ended earlier than scheduled and without any public announcements of progress.
On Monday as the White House welcomed Zelensky, along with French President Emmanuel Macron, British Prime Minister Keir Starmer, German Chancellor Friedrich Merz, Italian Prime Minister Giorgia Meloni, and Finnish President Alexander Stubb, European Union President Ursula von der Leyen and NATO Secretary General Mark Rutte, the images signaled a much stronger show of unity among those calling for an end to the killing and a sign that the ball is landing squarely in Putin’s court.
"This looks to me like the beginning of negotiations,” Ambassador Kurt Volker who served as U.S. Special Envoy for Ukraine negotiations from 2017-2019, and as Ambassador to NATO from 2008-2009, told The Cipher Brief. “Putin set out his maximalist position. Now, Ukraine and the European leaders are setting out a much more modest and realistic one and calling for a trilateral meeting to discuss.”
Even though a scheduled press conference between Presidents Trump and Putin was cancelled after the two leaders met on Friday, White House Special Envoy Steve Witkoff characterized the meeting to CNN as a win, saying that the ball had moved forward on convincing Russia to agree to “Article 5-like protections”, describing the guarantees as “game changing.”
Article 5 under the NATO charter, provides for collective defense, meaning an attack against one NATO member can trigger a response by any NATO member - something that has been a non-starter for the Russian president since Moscow’s unprovoked invasion of Ukraine in February 2022. The idea of a U.S.-supported Article 5-type measure is something that the Trump administration has said will largely be shouldered by the Europeans – with U.S. support – and it signals a lot more pressure on the Russian President to concede on some of his most adamant demands to date.
The Cipher Brief Threat Conference is happening October 19-22 in Sea Island, GA. The world's leading minds on national security from both the public and private sectors will be there. Will you? Apply for a seat at the table today.
“Putin is under a lot of pressure,” former senior CIA Officer Glenn Corn told The Cipher Brief. “He's under stress. He understands that he doesn't have the cards.”
Even though the Russian President was not present during talks with Zelensky and European leaders, President Trump made a point to pause talks in order to call the Russian leader, according to European sources. A follow-up meeting between Putin and Zelensky would signal a strong win for President Trump. Not so much for President Putin.
“Putin is unlikely to accept such a meeting if his pre-conditions are not met,” Ambassador Volker told The Cipher Brief. “So, this is just positioning. The real issue will be what happens to Russian supply lines, increasingly targeted by Ukraine, and the Russian economy, which is faltering. I still expect Putin to go along with a ceasefire in place by the end of the year."
In addition to future security guarantees, another key issue on the table is that of land and just how much Ukrainian territory might be ceded to Russia as part of a deal to end the killing.
“Russia is chiefly looking to legitimize territorial gains obtained by force and Ukraine is looking for security guarantees if they are ever to agree to give up territory,” said former 6-time CIA station chief Ralph Goff in an exclusive Cipher Brief interview. “While the Ukrainians will hardly be ready to cede any territory without a Russian boot on it, Zelensky can likely give up territory but only if Russia accepts the Article 5-type" security guarantees.”
While an unpopular realization in Kyiv, some three and a half years into this war, Ukraine lacks the manpower to retake territory that’s been lost to Russia.
“Indeed, they are not able to prevent continuing incremental gains by the Russians albeit at huge cost to the Russians,” said Goff. “Thus, Zelensky can tell his countrymen "Look if you won't allow me to cede territory already lost to the Russians then I need to draft your teenagers to try and get it back."
Some experts, who have long advocated for more – not less – U.S. involvement in helping Ukraine are concerned about just how much land Kyiv will be forced to give up and how that may signal a win for Putin.
“The U.S. and our Allies have not actually even tried to help Ukraine win this war,” said retired Lt. Gen. Ben Hodges (Ret.), who served as NATO Senior Mentor for Logistics. “We never declared it as an objective or created or implemented policies that would make it so – we’ve barely touched Russia’s ability to export oil and gas and we’ve not touched frozen Russian assets, nor moved all of the military resources needed to help them win.”
Still, there is hope that the solidarity seen at the White House on Monday will be enough to pressure Putin to a deal.
“We shouldn't forget that Monday’s meeting didn't happen without White House concurrence,” said Corn. “They were guests of the United States Government and of the President of the United States. So, Europe, the U.S. and NATO seem unified in a way that we haven't seen in a while.”
Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.
Extensible Azure Security Tool (Later referred as E.A.S.T) is tool for assessing Azure and to some extent Azure AD security controls. Primary use case of EAST is Security data collection for evaluation in Azure Assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.
This tool is licensed under MIT license.
Preview branch introduced
Changes:
Installation now accounts for use of Azure Cloud Shell's updated version in regards to depedencies (Cloud Shell has now Node.JS v 16 version installed)
Checking of Databricks cluster types as per advisory
Content.json is has now key and content based sorting. This enables doing delta checks with git diff HEAD^1 ¹ as content.json has predetermined order of results
¹Word of caution, if want to check deltas of content.json, then content.json will need to be "unignored" from
.gitignoreexposing results to any upstream you might have configured.Use this feature with caution, and ensure you don't have public upstream set for the branch you are using this feature for
Change of programming patterns to avoid possible race conditions with larger datasets. This is mostly changes of using var to let in for await -style loops
Login
exec() - While I have not reviewed all paths, I believe that achieving shellcode execution is trivial. This tool does not assume hostile input, thus the recommendation is that you don't paste launch arguments into command line without reviewing them first.To reduce amount of code we use the following depedencies for operation and aesthetics are used (Kudos to the maintainers of these fantastic packages)
| package | aesthetics | operation | license |
|---|---|---|---|
| axios | ✅ | MIT | |
| yargs | ✅ | MIT | |
| jsonwebtoken | ✅ | MIT | |
| chalk | ✅ | MIT | |
| js-beautify | ✅ | MIT |
Other depedencies for running the tool: If you are planning to run this in Azure Cloud Shell you don't need to install Azure CLI:
Azure Cloud Shell (BASH) or applicable Linux Distro / WSL
| Requirement | description | Install |
|---|---|---|
✅ AZ CLI | AZCLI USE | curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash |
✅ Node.js runtime 14 | Node.js runtime for EAST | install with NVM |
EAST provides three categories of controls: Basic, Advanced, and Composite
The machine readable control looks like this, regardless of the type (Basic/advanced/composite):
{
"name": "fn-sql-2079",
"resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
"controlId": "managedIdentity",
"isHealthy": true,
"id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
"Description": "\r\n Ensure The Service calls downstream resources with managed identity",
"metadata": {
"principalId": {
"type": "SystemAssigned",
"tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
"principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
},
"roles": [{
"role": [{
"properties": {
"roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "cb073f1e-03b c-440e-874d-5ed3ce6df7f8",
"scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
"createdOn": "2021-12-27T06:03:09.7052113Z",
"updatedOn": "2021-12-27T06:03:09.7052113Z",
"createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
"updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
},
"id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
"type": "Microsoft.Authorization/roleAssignments",
"name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
"RoleName": "Contributor"
}]
}]
},
"category": "Access"
},Basic controls include checks on the initial ARM object for simple "toggle on/off"- boolean settings of said service.
Example: Azure Container Registry adminUser
| Portal | EAST |
|---|---|
if (item.properties?.adminUserEnabled == false ){returnObject.isHealthy = true } |
Advanced controls include checks beyond the initial ARM object. Often invoking new requests to get further information about the resource in scope and it's relation to other services.
Example: Role Assignments
Besides checking the role assignments of subscription, additional check is performed via Azure AD Conditional Access Reporting for MFA, and that privileged accounts are not only protected by passwords (SPN's with client secrets)
Example: Azure Data Factory
Azure Data Factory pipeline mapping combines pipelines -> activities -> and data targets together and then checks for secrets leaked on the logs via run history of the said activities.
Composite controls combines two or more control results from pipeline, in order to form one, or more new controls. Using composites solves two use cases for EAST
Example: composite_resolve_alerts
EAST is not focused to provide automated report generation, as it provides mostly JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which are fairly trivial to automate via markdown creation scripts and tools such as Pandoc
While this tool does not distribute pandoc, it can be used when creation of the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff
cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
- given-names: John
family-names: MacFarlane
email: jgm@berkeley.edu
orcid: 'https://orcid.org/0000-0003-2557-9090'
- given-names: Albert
family-names: Krewinkel
email: tarleb+github@moltkeplatz.de
orcid: '0000-0002-9455-0796'
- given-names: Jesse
family-names: Rosenthal
email: jrosenthal@jhu.edu
This part has guide how to run this either on BASH@linux, or BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but does not require that you have your own linux box to use this)
Fire and forget prerequisites on cloud shell
curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;
Prerequisites
git clone https://github.com/jsa2/EAST --branch preview
cd EAST;
npm install
Pandoc installation on cloud shell
# Get pandoc for reporting (first time only)
wget "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz";
tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~
Installing pandoc on distros that support APT
# Get pandoc for reporting (first time only)
sudo apt install pandoc# Relogin is required to ensure token cache is placed on session on cloud shell
az account clear
az login
#
cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
#
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId
Generate report
cd EAST; node templatehelpers/eastReports.js --doc
cd EAST; node templatehelpers/eastReports.js --doc --asb
Export report from cloud shell
pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx
Azure Devops (Experimental) There is Azure Devops control for dumping pipeline logs. You can specify the control run by following example:
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"
Community use
Company use
Non IPR components
If you use this tool as part of your commercial effort we only require, that you follow the very relaxed terms of MIT license
Existing tooling enhanced with Node.js runtime
Use rich and maintained context of Microsoft Azure CLI login & commands with Node.js control flow which supplies enhanced rest-requests and maps results to schema.
View more details
Example:
node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens
| Param | Description | Default if undefined |
|---|---|---|
--nativescope | Currently mandatory parameter | no values |
--shuffle | Can help with throttling. Shuffles the resource list to reduce the possibility of resource provider throttling threshold being met | no values |
--roleAssignments | Checks controls as per microsoft.authorization | no values |
--includeRG | Checks controls with ResourceGroups as per microsoft.authorization | no values |
--checkAad | Checks controls as per microsoft.azureactivedirectory | no values |
--subInclude | Defines subscription scope | no default, requires subscriptionID/s, if not defined will enumerate all subscriptions the user have access to |
--namespace | text filter which matches full, or part of the resource ID example /microsoft.storage/storageaccounts all storage accounts in the scope | optional parameter |
--notIncludes | text filter which matches full, or part of the resource ID example /microsoft.storage/storageaccounts all storage accounts in the scope are excluded | optional parameter |
--batch | size of batch interval between throttles | 5 |
--wait | size of batch interval between throttles | 1500 |
--scanAuditLogs | optional parameter. When defined in hours will toggle Azure Activity Log scanning for weak authentication events defined in: scanAuditLogs | 24h |
--composites | read composite | no values |
--clearTokens | clears tokens in session folder, use this if you get authorization errors, or have just changed to other az login account use az account clear if you want to clear AZ CLI cache too | no values |
--tag | Filter all results in the end based on single tag--tag=svc=aksdev | no values |
--ignorePreCheck | use this option when used with browser delegated tokens | no values |
--helperTexts | Will append text descriptions from general to manual controls | no values |
--reprocess | Will update results to existing content.json. Useful for incremental runs | no values |
Parameters reference for example report:
node templatehelpers/eastReports.js --asb
| Param | Description | Default if undefined |
|---|---|---|
--asb | gets all ASB results available to users | no values |
--policy | gets all Policy results available to users | no values |
--doc | prints pandoc string for export to console | no values |
Read here Running in restricted environments
Developer guide including control flow description is here dev-guide.md
.appRoleAssignmentRequired
Maps to App Registration Best Practices
✅State healthy - User result example
{
"subscriptionName": "EAST -msdn",
"friendlyName": "joosua@thx138.onmicrosoft.com",
"mfaResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
}],
"checkType": "mfa"
},
"basicAuthResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
}],
"checkType": "basicAuth"
},
}⚠️State unHealthy - Application principal example
{
"subscriptionName": "EAST - HoneyPot",
"friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"creds": {
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
"id": "babec804-037d-4caf-946e-7a2b6de3a45f",
"displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
"servicePrincipalType": "Application",
"keyCredentials": [],
"passwordCredentials": [],
"OnlySingleFactor": [{
"customKeyIdentifier": null,
"endDateTime": "2023-10-20T06:54:59.2014093Z",
"keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
"startDateTime": "2021-10-20T06:54:59.2014093Z",
"secretText": null,
"hint": nu ll,
"displayName": null
}],
"StrongSingleFactor": []
}
}
Following methods work for contributing for the time being:
Extensible Azure Security Tool (Later referred as E.A.S.T) is tool for assessing Azure and to some extent Azure AD security controls. Primary use case of EAST is Security data collection for evaluation in Azure Assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.
This tool is licensed under MIT license.
Preview branch introduced
Changes:
Installation now accounts for use of Azure Cloud Shell's updated version in regards to depedencies (Cloud Shell has now Node.JS v 16 version installed)
Checking of Databricks cluster types as per advisory
Content.json is has now key and content based sorting. This enables doing delta checks with git diff HEAD^1 ¹ as content.json has predetermined order of results
¹Word of caution, if want to check deltas of content.json, then content.json will need to be "unignored" from
.gitignoreexposing results to any upstream you might have configured.Use this feature with caution, and ensure you don't have public upstream set for the branch you are using this feature for
Change of programming patterns to avoid possible race conditions with larger datasets. This is mostly changes of using var to let in for await -style loops
exec() - While I have not reviewed all paths, I believe that achieving shellcode execution is trivial. This tool does not assume hostile input, thus the recommendation is that you don't paste launch arguments into command line without reviewing them first.To reduce amount of code we use the following depedencies for operation and aesthetics are used (Kudos to the maintainers of these fantastic packages)
| package | aesthetics | operation | license |
|---|---|---|---|
| axios | ✅ | MIT | |
| yargs | ✅ | MIT | |
| jsonwebtoken | ✅ | MIT | |
| chalk | ✅ | MIT | |
| js-beautify | ✅ | MIT |
Other depedencies for running the tool: If you are planning to run this in Azure Cloud Shell you don't need to install Azure CLI:
Azure Cloud Shell (BASH) or applicable Linux Distro / WSL
| Requirement | description | Install |
|---|---|---|
✅ AZ CLI | AZCLI USE | curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash |
✅ Node.js runtime 14 | Node.js runtime for EAST | install with NVM |
EAST provides three categories of controls: Basic, Advanced, and Composite
The machine readable control looks like this, regardless of the type (Basic/advanced/composite):
{
"name": "fn-sql-2079",
"resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
"controlId": "managedIdentity",
"isHealthy": true,
"id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
"Description": "\r\n Ensure The Service calls downstream resources with managed identity",
"metadata": {
"principalId": {
"type": "SystemAssigned",
"tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
"principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
},
"roles": [{
"role": [{
"properties": {
"roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "cb073f1e-03b c-440e-874d-5ed3ce6df7f8",
"scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
"createdOn": "2021-12-27T06:03:09.7052113Z",
"updatedOn": "2021-12-27T06:03:09.7052113Z",
"createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
"updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
},
"id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
"type": "Microsoft.Authorization/roleAssignments",
"name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
"RoleName": "Contributor"
}]
}]
},
"category": "Access"
},Basic controls include checks on the initial ARM object for simple "toggle on/off"- boolean settings of said service.
Example: Azure Container Registry adminUser
| Portal | EAST |
|---|---|
if (item.properties?.adminUserEnabled == false ){returnObject.isHealthy = true } |
Advanced controls include checks beyond the initial ARM object. Often invoking new requests to get further information about the resource in scope and it's relation to other services.
Example: Role Assignments
Besides checking the role assignments of subscription, additional check is performed via Azure AD Conditional Access Reporting for MFA, and that privileged accounts are not only protected by passwords (SPN's with client secrets)
Example: Azure Data Factory
Azure Data Factory pipeline mapping combines pipelines -> activities -> and data targets together and then checks for secrets leaked on the logs via run history of the said activities.
Composite controls combines two or more control results from pipeline, in order to form one, or more new controls. Using composites solves two use cases for EAST
Example: composite_resolve_alerts
EAST is not focused to provide automated report generation, as it provides mostly JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which are fairly trivial to automate via markdown creation scripts and tools such as Pandoc
While this tool does not distribute pandoc, it can be used when creation of the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff
cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
- given-names: John
family-names: MacFarlane
email: jgm@berkeley.edu
orcid: 'https://orcid.org/0000-0003-2557-9090'
- given-names: Albert
family-names: Krewinkel
email: tarleb+github@moltkeplatz.de
orcid: '0000-0002-9455-0796'
- given-names: Jesse
family-names: Rosenthal
email: jrosenthal@jhu.edu
This part has guide how to run this either on BASH@linux, or BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but does not require that you have your own linux box to use this)
Fire and forget prerequisites on cloud shell
curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;
Prerequisites
git clone https://github.com/jsa2/EAST --branch preview
cd EAST;
npm install
Pandoc installation on cloud shell
# Get pandoc for reporting (first time only)
wget "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz";
tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~
Installing pandoc on distros that support APT
# Get pandoc for reporting (first time only)
sudo apt install pandoc# Relogin is required to ensure token cache is placed on session on cloud shell
az account clear
az login
#
cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
#
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId
Generate report
cd EAST; node templatehelpers/eastReports.js --doc
cd EAST; node templatehelpers/eastReports.js --doc --asb
Export report from cloud shell
pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx
Azure Devops (Experimental) There is Azure Devops control for dumping pipeline logs. You can specify the control run by following example:
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"
Community use
Company use
Non IPR components
If you use this tool as part of your commercial effort we only require, that you follow the very relaxed terms of MIT license
Existing tooling enhanced with Node.js runtime
Use rich and maintained context of Microsoft Azure CLI login & commands with Node.js control flow which supplies enhanced rest-requests and maps results to schema.
View more details
Example:
node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens
| Param | Description | Default if undefined |
|---|---|---|
--nativescope | Currently mandatory parameter | no values |
--shuffle | Can help with throttling. Shuffles the resource list to reduce the possibility of resource provider throttling threshold being met | no values |
--roleAssignments | Checks controls as per microsoft.authorization | no values |
--includeRG | Checks controls with ResourceGroups as per microsoft.authorization | no values |
--checkAad | Checks controls as per microsoft.azureactivedirectory | no values |
--subInclude | Defines subscription scope | no default, requires subscriptionID/s, if not defined will enumerate all subscriptions the user have access to |
--namespace | text filter which matches full, or part of the resource ID example /microsoft.storage/storageaccounts all storage accounts in the scope | optional parameter |
--notIncludes | text filter which matches full, or part of the resource ID example /microsoft.storage/storageaccounts all storage accounts in the scope are excluded | optional parameter |
--batch | size of batch interval between throttles | 5 |
--wait | size of batch interval between throttles | 1500 |
--scanAuditLogs | optional parameter. When defined in hours will toggle Azure Activity Log scanning for weak authentication events defined in: scanAuditLogs | 24h |
--composites | read composite | no values |
--clearTokens | clears tokens in session folder, use this if you get authorization errors, or have just changed to other az login account use az account clear if you want to clear AZ CLI cache too | no values |
--tag | Filter all results in the end based on single tag--tag=svc=aksdev | no values |
--ignorePreCheck | use this option when used with browser delegated tokens | no values |
--helperTexts | Will append text descriptions from general to manual controls | no values |
--reprocess | Will update results to existing content.json. Useful for incremental runs | no values |
Parameters reference for example report:
node templatehelpers/eastReports.js --asb
| Param | Description | Default if undefined |
|---|---|---|
--asb | gets all ASB results available to users | no values |
--policy | gets all Policy results available to users | no values |
--doc | prints pandoc string for export to console | no values |
Read here Running in restricted environments
Developer guide including control flow description is here dev-guide.md
.appRoleAssignmentRequiredMaps to App Registration Best Practices
✅State healthy - User result example
{
"subscriptionName": "EAST -msdn",
"friendlyName": "joosua@thx138.onmicrosoft.com",
"mfaResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
}],
"checkType": "mfa"
},
"basicAuthResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
}],
"checkType": "basicAuth"
},
}⚠️State unHealthy - Application principal example
{
"subscriptionName": "EAST - HoneyPot",
"friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"creds": {
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
"id": "babec804-037d-4caf-946e-7a2b6de3a45f",
"displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
"servicePrincipalType": "Application",
"keyCredentials": [],
"passwordCredentials": [],
"OnlySingleFactor": [{
"customKeyIdentifier": null,
"endDateTime": "2023-10-20T06:54:59.2014093Z",
"keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
"startDateTime": "2021-10-20T06:54:59.2014093Z",
"secretText": null,
"hint": nu ll,
"displayName": null
}],
"StrongSingleFactor": []
}
}
Following methods work for contributing for the time being:
