🐝 Hive Five 98 – Car vulnerabilities, hacking on a plane, and AI inception

Hi friends,

Greetings from the hive!

I hope you had an enjoyable weekend. I am seeking my next challenge and would welcome any recommendations or opportunities.

As a seasoned software engineer focused on front-end web development, I have over 11 years of experience. Besides honing my skills in this area, I have also successfully built and led several thriving technical communities. I am passionate about user experience and cybersecurity and always look for ways to improve and stay ahead of the curve.

If you know of a company or project that aligns with my skills and interests, please don't hesitate to reach out. I am eager to explore new possibilities and make a meaningful contribution. Thank you!

Let's take this week by swarm!

🐝 The Bee's Knees

1. The best examples of ChatGPT, from OpenAI: more | essay speedrun | repo | VM inception

2. Sam Curry et al recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. more

3. Hacking on a plane: Leaking data of millions and taking over any account. This is a short write-up about how they could have accessed the personal and financial information for tens of millions of users as well as take over anyone’s account without user interaction. more

4. XSS on account[.]leagueoflegends[.]com via easyXDM (2016) - This post contains a chain of vulnerabilities that were responsibly disclosed to Riot Games in November of 2016. more

5. CTF - Puget Sound write-up by d0nut, the creator. The goal was to make a Rust challenge that defied expectations, and reshaped participants understanding of Rust. more

️💪 Sponsor

Want me to write about your company? Sponsor the Hive Five.

🔥 Buzzworthy

✅ Changelog

1. Burp Suite - Burp Suite 2022.12 released to the Early Adopter channel. Includes improvements to authenticated scanning, a live crawl view for Burp Scanner, and various new DOM Invader features. more

2. j3ssie/osmedeus v4.2.0 - A Workflow Engine for Offensive Security. more

📅 Events

1. Michael Bazzell finished the first draft of the 10th edition of OSINT Techniques and going through final editing. Available in January 2023. more

2. Ben announced this year's NahamCon2020EU speaker lineup. more

3. IWCON 2022 | InfoSec Community has 15+ amazing cybersecurity speakers from around the world. more

4. Nicolas Grégoire is giving his "Mastering Burp Suite Pro" training during @NorthSec_io 2023 (from May 23rd to 26th). more

5. HackTheBox December special coupon code for 50% off. more

🎉 Celebrate

1. Utz got their eJPT. Let's go! more

2. Osirys had a good month in November for hunting. Awesome! more

3. Farah Hawa did an exciting thing. Wow! more

4. bsysop is top 4 in the Bugcrowd leaderboard of November. Amazing! more

5. Nathaniel has - 17 submissions in ~2 weeks. 15 criticals on a mature program. Get 'em! more

💰 Career

1. The Path to Senior Engineer (from a Senior Engineer at Netflix) - It's important to note be a good teammate while trying to achieve personal goals. more

2. BSidesCharm 2022 - Job Hunt Like A Hacker by Jason Blanchard. more

3. Hiring Without Whiteboards is a list of companies (or teams) that don't do "whiteboard" interviews. more

⚡️ Community

1. Nathaniel's favourite part of hacking is immersing himself in a new attack surface and often not finding issues for weeks until he understand what he's working with and begin to chip away at it slowly. more

2. Jack Rhysider is taking a personal break from DarknetDiaries. That means no scheduling for Jan, Feb, or Mar. more

3. Six2dez is refactoring the whole reconFTW code, making it modular, more readable, easier to debug and being able to add your own modules. more

4. People's favorite purchases with Bug Bounty money. more

5. Julien Ahrens hacker con schedule for 2023 currently looks like this, May: OffensiveCon/Berlin June: Recon/Montreal August: BlackHat+Defcon/Vegas. more

📰 Read

1. Another car vulnerability that led to remote commands on every internet connected Nissan & Infiniti. more

2. Sam Curry and co did even more car hacking! Earlier this year, they were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car. more

3. Napkin Ideas Around What Changes to Expect Post-ChatGPT. more

4. HackerOne ambassador spotlight with Emperor. more

📚 Resources

1. People's favorite text editor via renniepak. more

2. Dockerized Bug Bounty Automation Demo! (Automation Series) - This is a short demo video about how to go from code to deployed with docker. more

3. takito1812/web-hacking-playground. Web Hacking Playground is a controlled web hacking environment. It consists of vulnerabilities found in real cases, both in pentests and in Bug Bounty programs. more

4. yeswehack/vulnerable-code-snippets. YesWeHack present code snippets containing several different vulnerabilities to practice your code analysis. The code snippets are beginner friendly but suitable for all levels! more

5. immunefi-team/Web3-Security-Library. This is a collaborative repository that aims to contain all the information you need to start or expand your knowledge in web3 security. more

🎥 Watch

1. Try Hack Me! Advent of Cyber 2022 Day #3 OSINT Walk-Through. more

2. HackTheBox - Carpediem walkthrough. more

3. How to Find MFA Bypasses in Conditional Access Policies - Conditional access policies allow organizations to create fine-grained controls over how MFA is applied during authentication to Microsoft services such as Microsoft 365 and Azure. more

4. 2022 Vegas Bug Bash with Bugcrowd. The worlds top-notch ethical bug hunters travel to Vegas for the 2022 Bugcrowd Bug Bash with two industry leading Bugcrowd customers. Check out their unique stories and what they’ve learned along the way. more

🎵 Listen

1. DAY[0] 171 Bug Bounty Podcast - Tailscale RCE, an SQLi in PAM360, and Exploiting Backstage - Some RCE chains starting with DNS rebinding, always fun to see, a fairly basic SQL injection, and a JS sandbox escape for RCE in Spotify. more

2. Malicious Life - Norse Corp.: How To NOT build a cybersecurity startup. more

3. The Privacy, Security, & OSINT Show #285 - Travel Security Revisited. This week Jason joins me to revisit travel security protocols. If you have travel planned this holiday season, consider our privacy and security tips. more

4. Jammer! He Just Wanted Privacy, But This Little Device Caused Big Trouble. more

Subscribe to the Hive Five to read the rest.