
🐝 Hive Five 165 - AppSec is fine

Sam Curry and friends hack the planet, Docker Security, and RCEs

Hi friends,

Greetings from the hive.

This weekend was one of gratefulness. I sent out a special thank you email to those who have been on this newsletter journey since day one.

I would also like to welcome the new members of the Hive. Thank you for your support. Want to join? Become a member and thrive with the Hive.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Sam Curry and friends hack the planet, including a remote hack of millions of cars. Other targets consist of scooters, routers, domain providers, and more. YOUTUBE

  2. Docker Security: Step-by-Step Hardening guide. This article provides practical recommendations for configuring Docker platform aimed at increasing its security. It also suggests tools helpful in the automation of some tasks related to securing Docker. REYNARDSEC

  3. Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762. The exploit described in this post is tailored to the exact version of FortiGate SSL VPN used for testing. ASSETNOTE

  4. AppSec is fine. We're not paying enough attention to corporate infrastructure risks: "The purported basics — meaningful asset inventories, privilege reduction, comprehensive access control — are unsolved problems." SUBSTACK

  5. You can not simply publicly access private secure links, can you? Popular malware/url analysis tools store a large number of links for intelligence gathering and sharing. But, did you also know they store private and sensitive links? GITHUB

💪 Sponsor

Hive Five is the go-to resource for industry professionals, decision-makers, and builders/creators in the security and technology space, providing them with the tools they need to 10x their job to be done.

🍯 Last week on the Hive

🔥 Buzzworthy

✅ Changelog

  1. Caido plugin EvenBetter v2.0 release introduces quick decode, send to match & replace, and more. TWITTER

  2. Fabric v1.2.0 release: the installer now uses pipx instead of a ./setup.sh bash script, and more. GITHUB

  3. Waymore v3.5 release with some minor non-functional changes. GITHUB

  4. Nuclei v3.2 release with Authenticated Scanning, Advanced Fuzzing, and more. PROJECTDISCOVERY

📅 News

  1. TIL Authy is deprecating desktop support on March 19th. TWITTER

  2. Obsidian announced JSON Canvas: an open file format for infinite canvas data. It has its own site, specification, and open-source resources at jsoncanvas.org. OBSIDIAN

🎉 Celebrate

  1. b33f announced their own online training platform Calypso Heavy Industries (CHI). Congrats! TWITTER

  2. Shubs has been using jswzl for the last year and loves it. Wonderful! TWITTER

  3. Mason is having a wonderful time in his travels in Asia. Love it! TWITTER

  4. Valeriy received a thank you letter from NASA for finding vulns on their VDP. Let's go! TWITTER

💰 Career

  1. From Volunteer IT Jobs to 7 Figure GRC QSA Consultant with Boyd Clewis. In this episode of DayinMyTechLife they discuss how Boyd Clewis broke into tech by volunteering at his local church and leveraging self-taught skills and determination to transition into GRC PCI DSS Auditor roles. YOUTUBE

  2. How to Run a Profitable One-person Internet Business Using AI. Ben Tossell shows how you can build and run a one-person internet business that earns half a million in annual revenue—with AI. YOUTUBE

  3. Sarah on why you should bill weekly when freelancing. TWITTER

  4. 1 piece of advice to make tons of money: focus on creating immense value. YOUTUBE

⚡️ Community

  1. TESS is enjoying the Caido intercept feature. The interface allows you to queue multiple requests and responses in the Intercept table. All requests are visible in one place and can be sorted. TWITTER

  2. Mert shares their monthly bug bounty achievements. The big bounties came from the FIS program on Bugcrowd. TWITTER

  3. Alexandro on bug bounty programs having a VDP and Private program that share the same scope. In my experience, this is also frowned upon and corrected by platforms. TWITTER

  4. Nathaniel shares a story on the importance of human connection, empathy, and the impact of small gestures of kindness.

📰 Read

  1. pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE). SHIELDER

  2. How Mário got an RCE in portugal.gov.pt - tl;dr: Found a very simple arbitrary file upload vulnerability that led to RCE in a CMS widely used in Portuguese government portals. 0DAY

  3. Attacking Android guide — delve deeper into the world of Android security from an offensive perspective, shedding light on the various techniques and methodologies used by attackers to compromise Android devices and infiltrate their sensitive data. HASHNODE

  4. Reply to calc: The Attack Chain to Compromise Mailspring. It is a free and open-source program for Windows, Mac, and Linux operating systems. SONARSOURCE

  5. IAM started out as an easy idea but as more and more services were launched, started to become nightmarish to organize. It's too hard to do the right thing now and it's even harder to do the right thing in GCP compared to AWS. MATDUGGAN

💡 Tips

  1. "You're using Burp Collaborator wrong", says Corben. He mentions that many companies block the default collaborator domain. TWITTER

  2. Configure Neovim for Java Development using KickstartNvim, with nvim-jdtls and nvim-java. YOUTUBE

  3. The best cold sales pitch Wes has ever gotten. TWITTER

  4. x1m on victory: "In general, when you are afraid, victory always escapes you." TWITTER

💪 Become a Premium Member

Hive Five is an authentic, hand-crafted, human-written weekly newsletter that is free, but not cheap. Consider supporting my work by becoming a paid member for just $8.25 p/mo ($99 p/yr).

  •  Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.

  •  Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.

  •  EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.

  •  MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.

  •  Deep DISCOUNTS on paid content.

  •  Experience NEW BENEFITS continuously added.

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @anshuman_bh | Anshuman Bhartiya | I love Security, Automation, Innovation, Challenges, and Changes.

  2. @StijnJans | Stijn Jans | CEO of Intigriti.

  3. @ChevonPhillip | Chevon Phillip | CEO & Founder of RedVault Security | Senior Application Security Engineer.

  4. @fancy_4n6 | Shanna Niggans | Digital forensics & incident response DFIR | Horse and Dog mum | Co-host ComfyConAU | Work Cosiveco | RB member of BlackHatEvents Asia & BSidesMelbourne.

  5. @pauldm | Paul Metcalfe | Building Lettergrowth - Grow your newsletter with cross promotions | Newsletter for online business ideas.

🚀 Productivity

  1. Ali on why perfectionism is ruining your life. YOUTUBE

  2. Jason started a brilliant new series of shorts called "Do it anyways". The first one is called make time. YOUTUBE

  3. Basecamp doesn't do backlogs, and they don't recommend you do either. TWITTER

  4. Some neat features of Apple’s Reminders that can make your life a lot easier. MEDIUM

  5. The work is never just “the work”. A deep dive on why projects always take longer and a framework to improve future estimation. DAVESTEWART

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. FULL Introduction To HTMX Using Golang by ThePrimeagen. This was a live course for FrontEnd Masters. YOUTUBE

  2. 4 web devs had 4 hours to build a viral invite page using Clerk. Michael Jolly, Ben Holmes, and Sara Vieira joined for this one. Technologies used include Astro, TypeScript, .Net, Blazor, Razor, and more. YOUTUBE

  3. 100+ Docker Concepts you Need to Know. Learn everything you ever wanted to know about containerization in the ultimate Docker tutorial. YOUTUBE

  4. The Tailwind team uses a cool homemade Raycast extension that makes it quick for them to check output while troubleshooting or working on internals. TWITTER

  5. Marta is a file manager for macOS. Native. Extensible. Fast. MARTA

🧠 Wisdom

  1. Jason on not following your passion. He advocates for working on skills that give you autonomy and the ability to choose. YOUTUBE

  2. Luke on how weird it is that most humans completely ignore each other. TWITTER

  3. Ray lost a bunch of weight recently and emphasizes to not shame people about their body or weight: "You have no fucking idea what someone else is going through." TWITTER

  4. Sarah on the difficulty to do great work in fear and the necessity of org health. TWITTER

💛 Cross-pollination

  1. The most underrated cardio routine for fat loss. YOUTUBE

  2. What if we can? The incredible comeback of Butterbean. Diamond Dallas Page and his team have continued to believe that "anything is possible" for over a decade, and by doing so, have been blessed to see some remarkable comebacks. YOUTUBE

  3. The Mental State of the World Report is an annual publication of the Global Mind Project (previously the Mental Health Million Project) that provides a view of the evolving mental wellbeing of the global Internet-enabled population. MENTALSTATEOFTHEWORLD

  4. PowerOutage.us is an ongoing project created to track, record, and aggregate power outages across the United States. POWEROUTAGE

  5. How an armored Camaro and a special forces officer kept civilians alive in war-torn Bosnia. Imagine that it’s 1993 in Yugoslavia. Night falls, and the indiscriminate shelling of a brutal civil war echoes in the distance. Amidst the remnants of battle, a flat black shape emerges from the shadows, tires crunching over rubble as it navigates a cratered road. HAGERTY

🐝 I haven't kept track of Diamond Dallas Page (DDP) after his wrestling career, until he popped up while watching the documentary Jake the Snake. Since then, DDP and his team have helped countless people to get back to their former glory. Truly incredible to see.

💭 Quote

"No man ever steps in the same river twice, for it's not the same river and he's not the same man."

Heraclitus

📖 Continue reading

That wraps up the website version of the Hive Five. Subscribe now and access the following must-see sections (tools, resources, watch, listen) in the upcoming newsletter straight in your inbox.

Don’t want to miss out? Get access today. Elevate your experience with a premium membership, granting exclusive entry to the Hive Archive, and unlocking additional benefits.
