🐝 Hive Five 165 - AppSec is fine
Sam Curry and friends hack the planet, Docker Security, and RCEs
Hi friends,
Greetings from the hive.
This weekend was one of gratefulness. I sent out a special thank you email to those who have been on this newsletter journey since day one.
I would also like to welcome the new members of the Hive. Thank you for your support. Want to join? Become a member and thrive with the Hive.
Let's take this week by swarm!
🐝 The Bee's Knees
Sam Curry and friends hack the planet, including a remote hack of millions of cars. Other targets consist of scooters, routers, domain providers, and more. YOUTUBE
Docker Security: Step-by-Step Hardening guide. This article provides practical recommendations for configuring Docker platform aimed at increasing its security. It also suggests tools helpful in the automation of some tasks related to securing Docker. REYNARDSEC
Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762. The exploit described in this post is tailored to the exact version of FortiGate SSL VPN used for testing. ASSETNOTE
AppSec is fine. We're not paying enough attention to corporate infrastructure risks: "The purported basics — meaningful asset inventories, privilege reduction, comprehensive access control — are unsolved problems." SUBSTACK
You cannot simply publicly access private secure links, can you? Popular malware/URL analysis tools store a large number of links for intelligence gathering and sharing. But did you also know they store private and sensitive links? GITHUB
💪 Sponsor
Hive Five is the go-to resource for industry professionals, decision-makers, and builders/creators in the security and technology space, providing them with the tools they need to 10x their job to be done.
🔥 Buzzworthy
✅ Changelog
Caido plugin EvenBetter v2.0 release introduces quick decode, send to match & replace, and more. TWITTER
Fabric v1.2.0 release: the installer now uses pipx instead of a ./setup.sh bash script, and more. GITHUB
Waymore v3.5 release with some minor non-functional changes. GITHUB
Nuclei v3.2 release with Authenticated Scanning, Advanced Fuzzing, and more. PROJECTDISCOVERY
📅 News
TIL Authy is deprecating desktop support on March 19th. TWITTER
Obsidian announced JSON Canvas: an open file format for infinite canvas data. It has its own site, specification, and open-source resources at jsoncanvas.org. OBSIDIAN
🎉 Celebrate
b33f announced their own online training platform Calypso Heavy Industries (CHI). Congrats! TWITTER
Shubs has been using jswzl for the last year and loves it. Wonderful! TWITTER
Mason is having a wonderful time in his travels in Asia. Love it! TWITTER
Valeriy received a thank you letter from NASA for finding vulns on their VDP. Let's go! TWITTER
💰 Career
From Volunteer IT Jobs to 7 Figure GRC QSA Consultant with Boyd Clewis. In this episode of DayinMyTechLife they discuss how Boyd Clewis broke into tech by volunteering at his local church and leveraging self-taught skills and determination to transition into GRC PCI DSS Auditor roles. YOUTUBE
How to Run a Profitable One-person Internet Business Using AI. Ben Tossell shows how you can build and run a one-person internet business that earns half a million in annual revenue—with AI. YOUTUBE
Sarah on why you should bill weekly when freelancing. TWITTER
1 piece of advice to make tons of money: focus on creating immense value. YOUTUBE
⚡️ Community
TESS is enjoying the Caido intercept feature. The interface allows you to queue multiple requests and responses in the Intercept table. All requests are visible in one place and can be sorted. TWITTER
Mert shares their monthly bug bounty achievements. The big bounties came from the FIS program on Bugcrowd. TWITTER
Alexandro on bug bounty programs having a VDP and Private program that share the same scope. In my experience, this is also frowned upon and corrected by platforms. TWITTER
Nathaniel shares a story on the importance of human connection, empathy, and the impact of small gestures of kindness.
📰 Read
pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE). SHIELDER
How Mário got an RCE in portugal.gov.pt - tl;dr: Found a very simple arbitrary file upload vulnerability that led to RCE in a CMS widely used in Portuguese government portals. 0DAY
Attacking Android guide — delve deeper into the world of Android security from an offensive perspective, shedding light on the various techniques and methodologies used by attackers to compromise Android devices and infiltrate their sensitive data. HASHNODE
Reply to calc: The Attack Chain to Compromise Mailspring. Mailspring is a free and open-source email client for Windows, macOS, and Linux. SONARSOURCE
IAM started out as an easy idea, but as more and more services were launched it became nightmarish to organize. It's too hard to do the right thing now, and it's even harder to do the right thing in GCP than in AWS. MATDUGGAN
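The pgAdmin item above names a bug class worth seeing end to end: a session identifier taken from the client is joined to a directory on disk without a containment check, and the file it resolves to is fed to a deserializer that can execute code. The block below is an added illustration of that pattern, not pgAdmin's or Shielder's code; the directory names, the cookie format, the attacker-writable upload directory and the HMAC-over-JSON layout of the hardened variant are assumptions made for the demo.

```python
"""Path traversal in session-file lookup feeding a deserializer, beside a
hardened replacement. Added illustration; not pgAdmin's or Shielder's code.
Directory names, cookie format and the HMAC layout are assumptions."""
import hashlib
import hmac
import json
import os
import pickle
import re
import secrets
import tempfile

BASE_DIR = tempfile.mkdtemp(prefix="app_")
SESSION_DIR = os.path.join(BASE_DIR, "sessions")  # where the app keeps sessions
UPLOAD_DIR = os.path.join(BASE_DIR, "uploads")    # attacker-writable location (assumed)
os.makedirs(SESSION_DIR)
os.makedirs(UPLOAD_DIR)

EXECUTED = []  # side-effect marker proving that code ran during load


def mark_executed():
    """Stands in for arbitrary code; a real payload would spawn a shell."""
    EXECUTED.append("payload ran")
    return {}


class Payload:
    # pickle records this as "call mark_executed()" and performs the call on load
    def __reduce__(self):
        return (mark_executed, ())


def plant_malicious_file():
    """Attacker writes a pickle somewhere they control (constructed upload dir)
    and returns a cookie value that walks out of SESSION_DIR to reach it."""
    with open(os.path.join(UPLOAD_DIR, "evil.sess"), "wb") as f:
        pickle.dump(Payload(), f)
    return "../uploads/evil.sess"


def load_session_vulnerable(session_id):
    """Vulnerable: cookie value joined to the directory unchecked, then unpickled."""
    path = os.path.join(SESSION_DIR, session_id)
    with open(path, "rb") as f:
        return pickle.load(f)  # runs Payload.__reduce__ -> mark_executed()


# --- hardened version -------------------------------------------------------
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{32,64}")  # what a server-issued id looks like


def _session_path(session_id):
    if not TOKEN_RE.fullmatch(session_id):
        raise ValueError("malformed session id")
    root = os.path.realpath(SESSION_DIR)
    path = os.path.realpath(os.path.join(root, session_id))
    if os.path.commonpath([root, path]) != root:  # defence in depth against symlinks
        raise ValueError("session id escapes session directory")
    return path


def save_session_hardened(data, key):
    session_id = secrets.token_urlsafe(32)  # 43 URL-safe characters
    body = json.dumps(data).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    with open(_session_path(session_id), "wb") as f:
        f.write(tag + body)
    return session_id


def load_session_hardened(session_id, key):
    with open(_session_path(session_id), "rb") as f:
        blob = f.read()
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("session file tampered")
    return json.loads(body)  # plain data, nothing executable


def demo():
    """Returns (payload_ran, traversal_rejected, round_tripped_session)."""
    cookie = plant_malicious_file()
    load_session_vulnerable(cookie)
    ran = bool(EXECUTED)
    key = secrets.token_bytes(32)
    try:
        load_session_hardened(cookie, key)
        rejected = False
    except ValueError:
        rejected = True
    sid = save_session_hardened({"user": "alice", "role": "viewer"}, key)
    return ran, rejected, load_session_hardened(sid, key)


if __name__ == "__main__":
    print(demo())
```

Two points the demo makes concrete: the traversal is only the delivery mechanism, the deserializer is what turns a file write into code execution, so swapping pickle for a data-only format removes the RCE even if a traversal check is later bypassed; and validating the identifier's shape before touching the filesystem is cheaper and more robust than trying to sanitize `..` sequences after the fact.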
💡 Tips
"You're using Burp Collaborator wrong", says Corben. He mentions that many companies block the default collaborator domain. TWITTER
Configure Neovim for Java Development using KickstartNvim, with nvim-jdtls and nvim-java. YOUTUBE
The best cold sales pitch Wes has ever gotten. TWITTER
x1m on victory: "In general, when you are afraid, victory always escapes you." TWITTER
💪 Become a Premium Member
Hive Five is an authentic, hand-crafted, human-written weekly newsletter that is free, but not cheap. Consider supporting my work by becoming a paid member for just $8.25 p/mo ($99 p/yr).
✅ Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
✅ Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
✅ EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
✅ MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
✅ Deep DISCOUNTS on paid content.
✅ Experience NEW BENEFITS continuously added.
🍯 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@anshuman_bh | Anshuman Bhartiya | I love Security, Automation, Innovation, Challenges, and Changes.
@StijnJans | Stijn Jans | CEO of Intigriti.
@ChevonPhillip | Chevon Phillip | CEO & Founder of RedVault Security | Senior Application Security Engineer.
@fancy_4n6 | Shanna Niggans | Digital forensics & incident response DFIR | Horse and Dog mum | Co-host ComfyConAU | Work Cosiveco | RB member of BlackHatEvents Asia & BSidesMelbourne.
@pauldm | Paul Metcalfe | Building Lettergrowth - Grow your newsletter with cross promotions | Newsletter for online business ideas.
🚀 Productivity
Ali on why perfectionism is ruining your life. YOUTUBE
Jason started a brilliant new series of shorts called "Do it anyways". The first one is called make time. YOUTUBE
Basecamp doesn't do backlogs, and they don't recommend you do either. TWITTER
Some neat features of Apple’s Reminders that can make your life a lot easier. MEDIUM
The work is never just “the work”. A deep dive on why projects always take longer and a framework to improve future estimation. DAVESTEWART
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
🌐 Technology
FULL Introduction To HTMX Using Golang by ThePrimeagen. This was a live course for FrontEnd Masters. YOUTUBE
4 web devs had 4 hours to build a viral invite page using Clerk. Michael Jolly, Ben Holmes, and Sara Vieira joined for this one. Technologies used include Astro, TypeScript, .NET, Blazor, Razor, and more. YOUTUBE
100+ Docker Concepts you Need to Know. Learn everything you ever wanted to know about containerization in this ultimate Docker tutorial. YOUTUBE
The Tailwind team uses a cool homemade Raycast extension that makes it quick for them to check output while troubleshooting or working on internals. TWITTER
Marta is a file manager for macOS. Native. Extensible. Fast. MARTA
🧠 Wisdom
Jason on not following your passion. He advocates for working on skills that give you autonomy and the ability to choose. YOUTUBE
Luke on how weird it is that most humans completely ignore each other. TWITTER
Ray lost a bunch of weight recently and emphasizes to not shame people about their body or weight: "You have no fucking idea what someone else is going through." TWITTER
Sarah on the difficulty to do great work in fear and the necessity of org health. TWITTER
💛 Cross-pollination
The most underrated cardio routine for fat loss. YOUTUBE
What if we can? The incredible comeback of Butterbean. Diamond Dallas Page and his team have continued to believe that "anything is possible" for over a decade, and by doing so, have been blessed to see some remarkable comebacks. YOUTUBE
The Mental State of the World Report is an annual publication of the Global Mind Project (previously the Mental Health Million Project) that provides a view of the evolving mental wellbeing of the global Internet-enabled population. MENTALSTATEOFTHEWORLD
PowerOutage.us is an ongoing project created to track, record, and aggregate power outages across the United States. POWEROUTAGE
How an armored Camaro and a special forces officer kept civilians alive in war-torn Bosnia. Imagine that it’s 1993 in Yugoslavia. Night falls, and the indiscriminate shelling of a brutal civil war echoes in the distance. Amidst the remnants of battle, a flat black shape emerges from the shadows, tires crunching over rubble as it navigates a cratered road. HAGERTY
🐝 I hadn't kept track of Diamond Dallas Page (DDP) after his wrestling career until he popped up while I was watching the documentary Jake the Snake. Since then, DDP and his team have helped countless people get back to their former glory. Truly incredible to see.
💭 Quote
"No man ever steps in the same river twice, for it's not the same river and he's not the same man."
📖 Continue reading
That wraps up the website version of the Hive Five. Subscribe now and access the following must-see sections (tools, resources, watch, listen) in the upcoming newsletter straight in your inbox.
Don’t want to miss out? Get access today. Elevate your experience with a premium membership, granting exclusive entry to the Hive Archive, and unlocking additional benefits.