🐝 Hive Five 104 – 2022 High-Profile Breaches & 2023 Security Recommendations

Hi friends,

Greetings from the hive!

I’ve been slowly honing my knowledge management system in Obsidian. It’ll probably end up in a blog post series at some point.

Why am I saying this? Well, I recently learned that gratitude practice doesn’t work the way most people think (me included). The positive effects come from receiving gratitude or observing others receiving it.

With this knowledge, I’ve started a new “gratefulness practice” consisting of a markdown file with gratitudes and the Obsidian plugin Templater. A random one is then selected and displayed in my daily note.

What does your gratitude practice look like?

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Live Recon Sundays is a series of interviews with hackers; in this episode the guest, @gf_256, discusses smart contract security. more

  2. The video team from Le Monde conducts open-source investigations using various techniques such as image analysis, OSINT, 3D reconstructions, and geolocation. (French with English subtitles.) more

  3. Exploiting Application Logic to Phish Internal Mailing Lists. more

  4. A thread by Jason Haddix discussing the lessons that can be learned from the high-profile breaches of 2022 and recommendations for security programs in 2023. more

  5. Hacking Redis for fun and CTF points. This post will go through an exploit that achieves code execution in the Redis server via a memory corruption issue. It works for Redis 6.0.16, the Ubuntu 22.04 repos’ current version at the time of writing. more

💪 Sponsor

Reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry. Sponsor the Hive Five

🔥 Buzzworthy

Changelog

  1. Simon Willison has released a stable version of his datasette-openai plugin, which adds custom SQLite SQL functions to Datasette for composing and executing API calls against OpenAI. more

  2. Soroush Dalili has updated the Sharpener extension to support the latest Burp Suite early adopter version (2023.1). more

  3. Jobert Abma announces that H1 is expanding its support for in-app translation to English, German, Spanish, Hindi, and Dutch, to improve data security and reduce language barriers. more

  4. Montoya API v1.0, the new API for writing Burp Suite extensions, has been released. more

  5. Jobert Abma talks about how H1 is improving the understanding of vulnerability reports: clicking a CVE ID in an H1 report now surfaces intelligence gathered from other hackers and customers, and makes it available to everyone, including anonymous visitors. more

📅 Events

  1. Blue Team Con is back for 2023, and they are looking for amazing presentations to give at the conference. The Call for Proposals (CFP) opens today at 2:00 PM CST. more

🎉 Celebrate

  1. itsecurityguard started bug bounties 10 years ago. Amazing! more

  2. Ben finally crossed 2 Million views on YouTube. Let’s go! more

  3. Masonhck357 reached 10k followers on Twitter. Nice one! more

  4. sumgr0 crossed 2k points on intigriti. Yes! more

  5. Akita and team moved onto the 2nd round of the HackerCup. Congrats! more

💰 Career

  1. Perks people value most. more

  2. Blogging regularly about CVEs is a great way to learn new things and have something to show for it. more

  3. How to spot the signs that a startup is going bad. more

  4. Senior System Administrator position at the Electronic Frontier Foundation (EFF). more

⚡️ Community

  1. STÖK and semlan (his dog) drove 2 hours to compete in their first Nose Work class 2 competition. more

  2. TCM youtube update: two new content creators and an office tour. more

  3. Remon is looking for resources to learn about money management and asks for suggestions on Twitter. more

📰 Read

  1. Optimizing Wordlists with Masks: Jake’s methodology for creating new password-cracking wordlists and benchmarking them against other popular ones. more

  2. A new way to sell NPM packages, a suggestion for creators to earn money and in return make better software for buyers. more

  3. Image Stacks and iPhone Racks - Building an Internet Scale Meme Search Engine. more

  4. Prototype Pollution in Python: research whose main objective is to prove that a variation of Prototype Pollution is possible in other programming languages, including class-based ones, by demonstrating Class Pollution in Python. more
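To make the wordlist item above concrete, here is an added example (my own code, not Jake’s methodology or anything from the linked post) of mask-based wordlist analysis in hashcat’s mask syntax: it derives masks from a constructed set of “cracked” passwords, ranks them by hits per candidate, and measures how well that mask set and a small stand-in “popular” wordlist cover a constructed held-out target set. All password lists here are made up for the demonstration.

```python
"""Mask-based wordlist analysis (hashcat mask syntax: ?l lower, ?u upper,
?d digit, ?s special, ?b any byte). All passwords below are constructed
sample data, not real leaks."""
from collections import Counter
from itertools import product
import string

# Character classes as hashcat defines them; ?s is space plus the 32 printable
# ASCII punctuation characters (33 total).
CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": " " + string.punctuation,
}
BYTE_CLASS_SIZE = 256  # ?b covers 0x00-0xff; counted but never expanded here

# Constructed data: a "cracked" set the masks are learned from, a held-out
# target set to benchmark against, and a tiny stand-in for a popular wordlist.
CRACKED = ["password1", "Summer2022!", "letmein", "Welcome1", "qwerty123",
           "Passw0rd", "Monkey22", "football", "Dragon99", "abc123"]
TARGET = ["Winter2023!", "hunter2", "Admin123", "Spring22",
          "iloveyou", "Trustno1", "zxcvbn", "Qwerty!1"]
POPULAR_WORDLIST = ["123456", "password", "iloveyou", "hunter2", "qwerty", "letmein"]


def mask_of(password: str) -> str:
    """Map each character to its hashcat charset token."""
    out = []
    for c in password:
        for tok, chars in CHARSETS.items():
            if c in chars:
                out.append(tok)
                break
        else:
            out.append("?b")  # anything outside printable ASCII
    return "".join(out)


def tokens(mask: str) -> list:
    """Split '?u?l?d' into ['?u', '?l', '?d']."""
    return [mask[i:i + 2] for i in range(0, len(mask), 2)]


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask attack on this mask would try."""
    n = 1
    for tok in tokens(mask):
        n *= len(CHARSETS[tok]) if tok in CHARSETS else BYTE_CLASS_SIZE
    return n


def expand_mask(mask: str):
    """Generate every candidate for a (small) mask built from ?l/?u/?d/?s,
    exactly as a mask attack would enumerate them."""
    for combo in product(*(CHARSETS[t] for t in tokens(mask))):
        yield "".join(combo)


def rank_masks(cracked):
    """Rank masks by hits per candidate: the share of the cracked set a mask
    explains divided by its keyspace. Returns (mask, share, keyspace) tuples."""
    counts = Counter(mask_of(p) for p in cracked)
    rows = [(m, c / len(cracked), mask_keyspace(m)) for m, c in counts.items()]
    return sorted(rows, key=lambda r: r[1] / r[2], reverse=True)


def mask_coverage(masks, target) -> float:
    """Fraction of target passwords whose structure matches one of the masks,
    i.e. that a mask attack over this mask set would reach."""
    masks = set(masks)
    return sum(mask_of(p) in masks for p in target) / len(target)


def wordlist_coverage(wordlist, target) -> float:
    """Fraction of target passwords present verbatim in a wordlist."""
    words = set(wordlist)
    return sum(p in words for p in target) / len(target)


if __name__ == "__main__":
    ranked = rank_masks(CRACKED)
    for mask, share, space in ranked[:5]:
        print(f"{mask:28} share={share:.2f} keyspace={space:,}")
    learned = [m for m, _, _ in ranked]
    print("mask coverage of target :", mask_coverage(learned, TARGET))
    print("wordlist coverage       :", wordlist_coverage(POPULAR_WORDLIST, TARGET))
```

The ranking metric deliberately favours short, cheap masks (here `?l?l?l?d?d?d` wins despite a single hit) because a real benchmark is about cracks per unit of GPU time, not raw hit count; swap in a per-mask runtime estimate from your own rig if you have one.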
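For the Class Pollution item, here is an added example (my own code, not the researcher’s) of the mechanism: a recursive “deep merge” helper that trusts attacker-supplied keys walks from an instance through `__class__` and `__base__` into a shared parent class and sets an attribute there, so unrelated objects inherit it. The `Base`/`Employee`/`Contractor` classes, the `is_admin` attribute and the JSON body are all constructed for the demonstration; the hardened `safe_merge` beside it rejects dunder keys and only recurses into plain dicts.

```python
"""Class Pollution in Python: a recursive "deep merge" that trusts attacker keys
can be steered through __class__ and __base__ into shared class state.
The classes and the payload below are constructed for the demonstration."""
import json
from typing import Any


def merge(src: dict, dst: Any) -> None:
    """Vulnerable merge in the shape of a common deep-update helper.
    Dunder keys are treated like any other key."""
    for k, v in src.items():
        if hasattr(dst, "__getitem__"):                    # dict-like destination
            if dst.get(k) and isinstance(v, dict):
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and isinstance(v, dict):      # object: recurse into attribute
            merge(v, getattr(dst, k))                      # "__class__" lands on the class itself
        else:
            setattr(dst, k, v)                             # on a class object this pollutes every instance


def safe_merge(src: dict, dst: Any) -> None:
    """Hardened variant: refuse dunder keys outright and only recurse into
    values that are plain dicts, so the merge can never climb out of the
    object it was given into its class hierarchy."""
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith("__"):
            raise ValueError(f"refusing reserved key {k!r}")
        if isinstance(dst, dict):
            if isinstance(dst.get(k), dict) and isinstance(v, dict):
                safe_merge(v, dst[k])
            else:
                dst[k] = v
        elif isinstance(v, dict) and isinstance(getattr(dst, k, None), dict):
            safe_merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)                             # writes the instance namespace only


def demo(merge_fn) -> dict:
    """Run merge_fn with an attacker-controlled body and report whether an
    unrelated object of a sibling class picked up the injected attribute.
    Classes are defined per call so pollution does not leak between runs."""
    class Base:
        pass

    class Employee(Base):
        def __init__(self, name: str) -> None:
            self.name = name

    class Contractor(Base):
        pass

    victim = Employee("alice")
    bystander = Contractor()
    # Constructed request body: one legitimate field plus the pollution chain
    # victim.__class__ (Employee) -> __base__ (Base) -> is_admin = True
    body = json.loads('{"name": "alice", "__class__": {"__base__": {"is_admin": true}}}')
    result = {"raised": None}
    try:
        merge_fn(body, victim)
    except ValueError as exc:
        result["raised"] = str(exc)
    result["bystander_is_admin"] = getattr(bystander, "is_admin", False)
    result["base_is_admin"] = getattr(Base, "is_admin", False)
    return result


if __name__ == "__main__":
    print("vulnerable:", demo(merge))
    print("hardened:  ", demo(safe_merge))
```

Rejecting dunder keys closes the `__class__`/`__base__` route shown here, but an allowlist of expected field names is the stronger fix: any attribute reachable by name from the merged object (a module, a config singleton, a class referenced by a plain attribute) is a potential pivot for this class of bug.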

📚 Resources

  1. netspooky/notes is a repo where they keep track of little notes, tips and tricks, and other stuff that they’ve shown people or found. more

  2. Most used native hacking tools besides curl and sed/awk/grep. more

  3. 2023 guide to web3 data tools. This year’s guide covers the same three pillars as 2022 but with new perspectives. more

  4. 0xmaximus/Galaxy-Bugbounty-Checklist contains tips and tutorials for bug bounty and also penetration tests. more

  5. SQL injections thread by Intigriti. more

🎥 Watch

  1. $1 mln bounty in Aurora blockchain for no input sanitisation bug. more

  2. She hacked a billionaire, a bank and you could be next. An interview with Rachel Tobac. more

  3. HackTheBox - Shoppy walkthrough. more

  4. Attacking Wide Scopes by Hussein98d at NahamCon 2022 EU. more

  5. This video is for those folks who are gearing up to start their bug bounty journey in 2023. g0lden goes over the basics and shares his recommendations for getting going and staying motivated on your bug bounty journey. more

🎵 Listen

  1. Binary exploitation podcast 178 - Attacking Bhyves and a Kernel UAF. more

  2. Risky Business #690 - 2023 will be a rough year for critical online services. On this week’s show Patrick Gray and Adam Boileau discuss the news they missed while on break. more

  3. Smashing Security 304 - Oxford’s dating disaster, cheap security robots, and faking a suicide. more

  4. Critical Thinking S01 E01 - Introductions, Bug Bounty Reports, and BB Tips. more

  5. Malicious Life - Cyberbunker, Part 2. Spamhaus’s decision to add Cyberbunker to its list of spam sources led the Stophaus coalition to initiate a DDoS attack later dubbed “The attack that almost broke the Internet.” more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
