🐝 Hive Five 125 - When you lie for a living, AI dark ages, and AppSecSchool

Hi friends,

Greetings from the hive!

I hope you had a good weekend. I’ve spent some time thinking about alter egos.

Adopting an alter ego can be beneficial when facing (intense) pressure, as it can assist in enhancing your performance.

The gist of it is that you take everything you’re not good at, and manifest that into an alternative version of yourself. Now, when it’s time to shine, your alter ego will take over.

Beyonce did it with Sasha Fierce, Kobe Bryant was the Black Mamba, and Marshall Mathers has Slim Shady.

What is the name of your alter ego?

Let’s take this week by swarm!

🐝 The Bee’s Knees

1. When you lie for a living, everyone & everything is hackable. Darknet Diaries Ep. 134 with Deviant, a physical penetration specialist. more

2. Learn bug bounty hunting with these resources. Katie made a new list of resources for 2023 consistent of her favorite newsletters, YouTube channels, blogs, write ups, books and more. more

3. iOS Deep Link Attacks Part 1 – Introduction. In Part 1 of this series on iOS Deep link attacks, they explore how to recognize various types of deep link schemas used in iOS apps and identify potential vulnerabilities associated with them. more

4. How IppSec rebuilds Parrot and uses Ansible to script customizations to his image. more

5. AppSecSchool by PentesterLab covers the less technical aspects of Application Security, especially for people working or wanting to work as an application security enginneer. more

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🏞️ Bee’s Eye View

🔥 Buzzworthy

✅ Changelog

1. Intigriti now integrates with Slack. This feature allows automatic updates to be posted to your Slack channels whenever specified events take place. more

📅 Events

1. Subreddits are going dark or read-only on June 12th and after. more

2. STÖK is presenting at BlackHat US: Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare. more

3. HackerOne is counting down to some epic Live Hacking Events. One will be in Tokyo! more

4. TomNomNom’s first IRL talk in years and a new tool will be released at BSides Leeds. more

🎉 Celebrate

1. Katie was on BBC news talking about supply chain attacks. So cool! more | video

💰 Career

1. 8 powerful, but often overlooked, LinkedIn features that can significantly enhance your job search. more

2. The Cyber Journey of TCM Security’s Evan Ottinger. more

3. Gitlab is looking for a senior-level Red Team engineer, meaning someone who has 2+ years experience conducting adversary emulation exercises either as an internal Red Team operator or as a consultant. more

⚡️ Community

1. Hussein got his Bugcrowd Belt for submitting over a 100 P1 submissions. more

2. Corey and others wishing they had knew about and started bug bounty sooner. more

3. Jason had some pretty serious family stuff come up. more

📰 Read

1. Account takeover due to insufficient URL validation on RelayState parameter. more

2. RCE via LDAP truncation on hg[.]mozilla[.]org. Their main focus was on pash which is used in place of the shell when handling hg operations via SSH. more

3. Patch Diffing Progress MOVEIt Transfer RCE (CVE-2023-34362). In the last few days, threat actors have been exploiting a critical pre-authentication vulnerability within Progress MOVEIt Transfer. more | Huntress MOVEit Transfer Critical Vulnerability Rapid Response

4. Nuclei beyond HTTP: Using Nuclei to uncover vulnerabilities in raw TCP connections, DNS, files and more. more

5. Dismantling spyware disinformation campaigns. In early 2022, just as the pandemic was beginning to get a bit more manageable, Lukasz spotted a Twitter user sharing misguided information on Pegasus. more

📚 Resources

1. blackarrowsec/redteam-research is a collection of PoCs and offensive techniques used by the BlackArrow Red Team. more

2. Steph shares speaking resources that actually work and it goes by the name of Ultraspeaking. more

3. Advice on starting a YouTube channel. more

4. jsjoeio/indie-university consists of curated courses to help you grow as an indie hacker. more

🎥 Watch

1. The Intruder Alert Podcast - Episode 1: Is TikTok Spyware, ChatGPT Replacing Jobs, Breaking VoiceID. more

2. Tib3rius solves the medium rated “wafwaf” challenge from Hack The Box. more

3. IppSec takes on HackTheBox - TwoMillion. more

4. Trying to Find a Bug in WordPress. While this ends up being failed security research, we still learn a lot along the process. more

5. American Optimist Ep 61: High School Dropout to Building Mr. Beast’s Storefront - the Story of Guillermo Rauch (Vercel). more

🎵 Listen

1. Risky Business #709: Cl0p goes berserk with MOVEit 0day. On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. more

2. Smashing Security 325: Rick Astley and the little birdie scam. Australia’s signal intelligence agency calls upon an Eighties popstar to fight terrorism, and a simple act of kindness leads to a woman being scammed for thousands. more

3. Critical Thinking - Bug Bounty Podcast Episode 22: Chipping Away at Hardware Hacking. They talk about some basic/intermediate concepts related to Hardware Hacking. more

4. The Tim Ferriss Show #668: Derek Sivers — The Joys of an Un-Optimized Life, Finding Paths Less Traveled, and more. more

5. CYBR Podcast - How to get started and breakthrough in Bug Bounty with Hakluke. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.