
🐝 Hive Five #17 – GitHub policy change, zines, and staying healthy


Hi friends,

Greetings from the hive!

I hope you're doing well. As we're all in this together, I'll once more ask you to help India.

I wrote some logic that pulls metadata (name, links, etc.) from a JSON file for my beelog posts, such as How To Start Bug Bounty for Beginners. That way everything is consistent and I'll always have everyone's correct links listed.

In other news, I'm in the process of moving my home office. For entertainment I thoroughly enjoyed d0nut's last stream, and rumor has it that he's doing more in the upcoming weeks. Can't wait!

Let's take this week by swarm!

🐝 The Bee's Knees

  1. A call for feedback on our policies around exploits and malware: We’re calling for feedback on our policy around security research, malware, and exploits on the platform so that the security community can collaborate on GitHub under a clearer set of terms.

  2. Interactsh: Open-Source Solution for OOB Testing: What is Interactsh? Interactsh is a server-client implementation that allows users to identify blind Out-of-Band (OOB) vulnerabilities that may not be detected by conventional testing methods.

  3. Battle Programmer Yuu: This is the exact vibe I like to see. People who have been doing RE since before I was born, people who are just getting started, questions and answers that respect the listener, no ego trips / gatekeeping / discouraging language.

  4. Home – TCM Security Certifications: Designed to be practical, our training and certifications help level up your hacker skills without teaching you fluff or burning a hole in your bank account. Stop spending thousands on training when you can prove your skillset to HR and hiring managers at a fraction of the cost.

  5. I put all of my comics online!: Hello! As you probably know, I write a lot of comics about programming, and I publish collections of them as zines you can buy at https://wizardzines.com. There are 273 comics right now, which is a lot, so I’ve added a very simple search using list.js. Here’s what it looks like.

💌 Sustain-A-Bee

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. Release v1.1.9 · honoki/bbrf-client: Latest release: bug fixes and various improvements for #58. Bug fix: bbrf domains --view resolved --all now also only returns domains of active programs, unless --show-disabled is used.

  2. Burp Professional / Community 2021.5: This release includes several improvements to Intruder, one of which allows you to save Intruder attacks to project files.

  3. Bugcrowd added Draft Submissions & Autosave: No longer will you have to endure losing your submission details due to a connection, browser, or computer failure!

📅 Events

  1. The Certified Practical Ethical Hacker (CPEH) exam is here: It simulates a real-world external/internal pentest, requires a written report, and a live debrief.

  2. CHPO/STÖK collab signature blueglass / UV adaptable Smokey glasses: dropping in June! Designed for late nights hacking and hungover afternoons.

  3. Help out Operation Safe Escape: Eva asks pen testers, are you looking to do a good deed? Help survivors of intimate partner violence.

  4. DigitalOcean says customer billing data accessed in data breach: DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

  5. SentinelOne - Hack Chat Season 2 is NEXT WEEK: Tune in weekly and dive deeper into how cybersecurity practitioners around the globe can refine their craft - guests @evacide @stokfredrik, @carnal0wnage, @runasand, @pedramamini and @marcusjca.

🎉 Celebrate

  1. Jobert Abma: became the father of a daughter. Congratulations!

  2. rez0: congratulates todayisnew for passing 100,000 reputation points on HackerOne. Absolutely incredible!

  3. Hacksplained joins Intigriti to further enable their community: Pascal Schulz, better known under his pseudonym ‘Hacksplained’, is joining the community team as hacker enablement manager. Awesome!

  4. Leo Rac: found their first bug. Great work!

  5. Dr Katie Paxton-Fear: is now InsiderPhDone, after 5 hours of her viva/thesis defense.

💰 Jobs

  1. Eric's team: is hiring! They're looking for someone with Splunk Enterprise Security experience to come join them in finding the bad guys and showing them the door.

  2. Viking Sec: is looking for work and is very interested in offensive security roles, whether they be R&D, pentesting or offsec tool development.

  3. How to land your first job as a bootcamp grad: A video about getting your first job in tech.

  4. Cyber Security Consultant (Associate) Job in Melbourne: Volkis has an opening for an associate to mid-level security consultant role.

  5. Pfizer is looking for an Associate Cyber Hunting: You will help Pfizer safeguard its robust information technology systems.

📰 Articles

  1. A software bug let malware bypass macOS’ security defenses: Old malware, new tricks.

  2. Infosec Bugbounty AMA with Ricki Burke: Founder of CyberSec People, cybersecurity recruitment across Australia and NZ.

  3. 10 Years at Netflix - Security and Swag: reflecting on a decade at the same employer by looking back at some of the fond memories and swag they've accumulated over the years.

  4. Exploiting memory corruption vulnerabilities on Android: discussing memory corruption vulnerabilities in Android apps and how they can be exploited.

  5. Facebook account takeover due to unsafe redirects after the OAuth flow: This bug could allow a malicious user to take over a Facebook account after stealing a first-party access_token issued to apps.

📚 Resources

  1. A tale of Html to Pdf converter ssrf and various bypasses: an SSRF through the HTML-to-PDF converter functionality allowing reading of internal files, AWS metadata, and some internal debug ports.

  2. meg AMA: A Cybersecurity Incident Response Manager at a F100 company, specializing in Incident Response and blue teaming.

  3. Exploiting Race conditions with Nuclei: A race condition attack happens when a computing system that’s designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously.

  4. Ways to alert(document.domain): How many ways can you alert(document.domain)?

  5. A script to enumerate how many CVEs were found per component in Apple's recent iOS security content updates by robre.

🎥 Videos

  1. Why Pick sudo as Research Target?: Let's talk about why we would want to look for vulnerabilities in sudo, and how we could do that.

  2. Workshop: Scaling your AppSec Program with Semgrep (Nancy Gariché): Between Agile, DevOps, and infrastructure as code, development is happening faster than ever; Semgrep can help a security team keep up.

  3. Live Recon and Distributed Recon Automation Using Axiom with @pry0cc.

  4. TryHackMe! Bypassing Upload Filters & DirtySock: Walkthrough by John Hammond of the "year of the jellyfish" box from a recent TryHackMe event.

  5. Pwnfunction's XSS Challenges: Lupin solving XSS challenges.
