🐝 Hive Five 52 – Tools & Craft

Hi friends,

Greetings from the hive!

First of all, I want to wish a warm welcome to all the new subscribers. I hope you had a wonderful weekend.

I have some personal knowledge management news. I'm finally leveling up my Obsidian game. I've started leveraging the Templater and Dataview plugins more.

Doing so allows me to do more with my notes and facilitate a birds-eye view for (weekly) reviews.

Theme-wise, I'm using Sanctum with custom CSS colors.

What does your PKM look like? I'd love to know.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Digital Forensics Classroom by 4n6lady: This open and free classroom will be used to share content, and labs that you can do at home and deep dive into Digital Forensics. It is suited for all.Class will begin January 10th, 2021.

2. The Breach They Kept Secret: Andy shares the details of a social media company that experienced a breach and never fully shared the details.

3. Remote Code Execution in Google Cloud Dataflow: After some work, Mike identified an unauthenticated Java JMX service running on Dataflow nodes that, under certain circumstances, would be exposed to the Internet allowing unauthenticated remote code execution as root, in an unprivileged container, on the target Dataflow node.

4. Solidity Security - Comprehensive list of known attack vectors and common anti-patterns: This post aims to be a relatively in-depth and up-to-date introductory post detailing the past mistakes that have been made by Solidity developers in an effort to prevent future devs from repeating history.

5. The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console: the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading).

🙏🏻 Support the Hive

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

sponsor the hive five

🔥 Buzzworthy

✅ Changelog

1. ippsec.rocks now has negative searching: If there is a term you do not want to include just prefix the word with a hyphen (-).

2. PentesterLab released 3 videos for the RECON badge.

3. Six2dez translated their talk slides: Two talks about subdomains and recon: Gotta catch'em all (HacktivityCon 2021 en Español) and Subdominions (@bitupalicante 2021).

📅 Current events

1. 9th Edition OSINT book is now available: Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information by Michael Bazzell.

2. CactusCon 10: It will take place February 4-5, 2022. Join them for two days of hybrid talks, workshops, CTF, and events.

3. d0nut is looking to give a talk on an authorization framework: What would be a good security conference to give it at? He's looking for suggestions.

4. Top 10 web hacking techniques of 2021 - nominations open: Seen an outstanding piece of web security research in the last year? You can get it some well-deserved limelight by nominating it.

5. Andy Gill is working on his next book LTR102: There will not be any blog posts till that is published. Here's a teaser.

🎉 Celebrate

1. Jason Haddix is back: Delighted to have you with us!

2. Nagli ended 2021 as #2 on Bugcrowd's December leaderboard: Well deserved!

3. Recorded Future Acquires SecurityTrails. Congrats!

4. 4n6lady got a promotion: Let's go!

5. Patrik joined Shopify as a security engineer: Awesome!

💰 Career Corner

1. Advice - Alyssa Miller on job negotiation: "If you've heard my talks on this, you know I'm a huge advocate for knowing your worth, getting paid, and asking for what you need."

2. Hiring - IBM X-Force IR: X-Force IR is looking for people with experience in Incident Response that have lead large IR projects, have existing skills in a senior-level role, and looking for a new leadership/executive consultant position.

3. Discussion - How did you decide what path to take in tech? casey asks.

4. Hiring - IBM Red Team Lead: As a Lead Red Team Operator, you will work closely with multiple departments, including development, architecture, and compliance, to perform red team exercises against various system(s) and application(s).

📰 Articles

1. Meet the hacker - GangsterSquad.

2. How To Think Real Good: This site concerns ways of thinking about some particularly important things - purpose, self, ethics, authority, and meaning, for instance.

3. Exploiting Redash instances with CVE-2021-4119: A while ago, Ian stumbled upon Airflow instances being vulnerable to stateless session issues, which allowed them to log into any Airflow instance which had a misconfigured secret key.

4. Expert Advice You Don’t Want to Miss: An interview with Bugcrowd's TeamHunt2021 challenge winners, Retired Hackers.

5. Gophish Setup – Part 1: The first of a series of posts diving into the functionality and usage of the tool – Gophish. This tool allows users to quickly deploy phishing engagements or user awareness training exercises.

📚 Resources

1. What is your favorite security vulnerability or writeup that was disclosed in 2021, asks Jobert Abma.

2. InsecureShop: An Android application that is designed to be intentionally vulnerable. The aim of creating this app is to teach developers and security professionals about the vulnerabilities that are present in modern Android applications.

3. hacker-laws: Laws, Theories, Principles and Patterns that developers will find useful.

4. Cloud Service Provider security mistakes: This page lists security mistakes by cloud service providers (AWS, GCP, and Azure).

🎥 Videos

1. How file upload vulnerabilities work: In this video, are going to learn about ways on how to exploit file upload vulnerabilities.

2. Introduction to GraphQL | GraphQL Exploitation - Part - 1 | DVGA.

3. Ethical Hacking in 12 Hours - Full Course - Learn to Hack: TCM Security released the entire first half of their best-selling Practical Ethical Hacking course for free on YouTube. Learn Linux, Python, and Hacking all with no strings attached. All Course Resources/Links.

4. HackTheBox - Previse walkthrough by IppSec.

5. OWASP Global AppSec US 2021 Virtual playlist.

🎵 Audio

1. Avasdream infosec playlist: The song "SQL Injection" is their favorite so far.

2. Risky Business #649 - Java being a fiddly mess saves the day.

3. Malicious Life - How the Internet Changed the NSA (ML BSide): Jeff Man, was one of the first people at the NSA to make the transition from hardware to software, and he shares his experiences from that period.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.