🐝 Hive Five 155 - Adversarial Machine Learning

Hi friends,

Greetings from the hive!

I hope you’re doing awesome. Thank you for all the well wishes. I’m feeling significantly better again.

As I’ve mentioned several issues ago, I’m in the process of moving the Hive Five to a new home. So, stay tuned.

My 2024 goal is to create for myself. As Rick Rubin puts it, approach things as a diary entry.

Let's take this week by swarm!

🐝 The Bee's Knees

1. OTW's 2024 Roadmap to become a Master Hacker. YOUTUBE | Top 10 Hacking Tools to Learn

2. Best Technical Content from Year 1 of the CTBB Podcast. Watch these highlights of some of the best technical moments from the past year. YOUTUBE

3. NIST released a 106 page long AI Security publication. It's aptly named Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. NIST

4. A disclosed report of a Yelp ATO via XSS + Cookie Bridge. TWITTER

5. Panic!! At the YAML. An overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects. GREYNOISE

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

1. DOMPurify 3.0.8 is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. GITHUB

🎉 Celebrate

1. Corben found the craziest vulnerability of his life. Can't wait to see what it is! TWITTER

2. bsysop is the #1 hacker on Bugcrowd's December leaderboard. Let's go! TWITTER

💰 Career

1. Opportunity: Steve's team is hiring two experienced pentesters soon. You must live in the USA and it's 100% remote. TWITTER

2. Caitlin shares what an average week of a SOC Lead in a larger 24x7x365 SOC looks like. TWITTER

3. From $14/hr at Best Buy to 269k/yr Overseas Cybersecurity Analyst ft David. YOUTUBE

4. Opportunity: Technical Product Marketing Leader at Oxide. OXIDE

⚡️ Community

1. People share which hacker they've learned the most from. TWITTER

2. Intigriti interviewed leorac, a part-time hacker and full-time software engineer from Italy. YOUTUBE

3. Daniel (Curl maintainer) shares his bad experiences with security researchers that use AI to report fake bugs. He would like to ban these reporters from further communication, and states that these kinds of reports will become more common over time. HAXX

4. Taelur writes her first HTB write-up on Broker w/o Metasploit, an easy-level Linux machine that utilizes CVE-2023-46604. She even includes a remediation section. TAELURALEXIS

📰 Read

1. Bitwarden Heist: How to Break into Password Vaults without Using Passwords. Sometimes, making particular security design decisions can have unexpected consequences. REDTEAM-PENTESTING

2. metatrapd is a canary service for cloud metadata end-points. Quietly monitors and alerts on attempts to access the cloud metadata service. GITHUB

3. Identity-Aware Proxy Misconfiguration, a Google Cloud Vulnerability. First, you need to know what Identity-Aware Proxy (IAP) is and how it works. IAP is a Google Cloud Platform service which helps to control access to apps deployed on cloud and only lets the requests through if they come from a user you authorize. MEDIUM

4. Bypassing Asymmetric Client Side Encryption Without Private Key. With the help of the PyCript burp suite extension, we can make manual and automated pentesting or bug bounty much easier on applications with client-side encryption. INFOSECWRITEUPS

5. GitLab's 2023 bug bounty year in review. Each year, their Application Security team recaps the highlights from the GitLab Bug Bounty Program. GITLAB

💡 Tips

1. TIL ctrl-b + f allows you to search through your tmux sessions. TWITTER

2. A CyberChef pipeline that parses Google Authenticator export QR codes and generates TOTP with them. TWITTER

3. Justin shares some alternative bug bounty goals you can consider instead of earning oriented ones. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @almroot | Fredrik N. Almroth | Co-Founder & Security Researcher at @detectify. I code things to hack stuff.

2. @ADITYASHENDE17 | Aditya Shende | Bugcrowd Top 100 | Bounty Hunter | Trainer | Admin @HackersMarathi | @uniofeastanglia MS Cyber Security.

3. @codecancare | todayisnew | May you be well on your side of the screen.

4. @fransrosen | Frans Rosén | Dev/Security/Founder at @centrahq/@detectify/@poweredbyingrid. I do not advertise doing hacking services, do not trust the ones telling you I do.

5. @xnyhps | Thijs Alkemade | Security researcher @ Computest @sector7_nl. Master of Pwn @ Pwn2Own 2021 & 2022.

🚀 Productivity

1. The Terminal Sunday allows you to start each new terminal session with a thought-provoking reminder of the time you have to make the most of your life. GITHUB

2. Zero to IDE with LazyVim — I used this video, among other ones, to redo my neovim config. YOUTUBE

3. Joel shares 2 iphone shortcut automations for winding down using black and white colors. TWITTER

4. How to Plan 2024 in 24 Minutes with Jesse Itzler — If you're not familiar with Jesse, you're in for a ride. Enjoy! YOUTUBE

5. Sam's 2023 End of Year Review: Finance, Fitness, Family, Fun. He looks back on some of the highlights and lowlights of his 2023 — I dig these categories, the 4 Fs. THEANTIMBA

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

1. Is 2024 finally the time to learn go? Bashbunni shows you how. YOUTUBE

2. Do we think of git commits as diffs, snapshots, or histories? Julia breaks it down. JVNS

3. Simon rounds up and highlights the stuff we figured out about AI in 2023. It was the breakthrough year for Large Language Models (LLMs). SIMONWILLISON

4. NotebookLM is an experimental AI-first notebook by Google. It's the Copilot for Google Docs. NOTEBOOKLM

🧠 Wisdom

1. Peter reminding us that our path is not set in stone: "if you don't like the script of your life, rip out those pages... your life is the pen, not the paper." TWITTER

2. Dr. Julie on facing your fears: "Those who confront the Dragon get the Gold." TWITTER

3. Non-obvious lessons from Shaan on becoming a creator or building an audience. Here's one: You want to be "known well", not "well known". TWITTER

4. Ray on doing more of what you're already doing: "[...] Because you might not just be breaking the rules. You might be rewriting them. " TWITTER

5. Throttle Therapy is a video series in which Accidental CISO talks about mental health and burnout in the ranks Information Security and Cybersecurity professionals. YOUTUBE

💛 Cross-pollination

1. A primer on bee decline in the USA and what we can do about it. TWITTER

2. This one made me chuckle, business talk translated. TWITTER

3. Toastmasters International 2015 World Champion, Mohammed Qahtani, on "The Power of Words". YOUTUBE

4. Alex Hormozi shares his diet — More than anything, I like real people and actionable resources. YOUTUBE

🤲 Quote

Subscribe to the Hive Five to read the rest.