🐝 Hive Five 76 – Millions of secrets exposed, focus rituals, become a Nmap pro
Hi friends,
Greetings from the hive!
I hope you're doing okay. In these continuously trying times, it can be challenging to get through the day, let alone try to focus. According to Sahil, you should have a focus ritual that consists of:
Priming—what you do before
Consumption—what you drink/eat
Environment—where you are, what you listen to
The ritual becomes a mental trigger that puts you in a focused state.
So, I'm curious, what is your focus ritual?
Let's take this week by swarm!
🐝 The Bee's Knees
Security and Privacy Tips for People Seeking An Abortion: Given the shifting state of the law, people seeking an abortion, or any kind of reproductive healthcare that might end with the termination of a pregnancy, may need to pay close attention to their digital privacy and security.
Millions of Secrets Exposed via Web Application Frontend – An Internet-Wide Study: Web applications are the cornerstone of anything on the publicly accessible internet. Due to the complexities of the software development life cycle, developers tend to embed secrets within the source code of the applications.
Azure Attack Paths - Common Findings and Fixes (Part 1): Learning about cloud penetration testing is nothing new, but it is undoubtedly an area where a lot of people lack knowledge both on the defense and offense side of the house.
Hacking a Samsung Galaxy for $6,000,000: With the promise of up to $6 million worth of Bitcoin locked on a Samsung Galaxy phone, it was a challenge Joe Grand couldn't refuse.
Android App Traffic Decryption & Defeat Certificate Pinning - Windows Guide by Z-winK.
🙏 Support the Hive
Enjoy reading the Hive Five? Consider sponsoring the next edition.
You can also follow me on Twitter.
🔥 Buzzworthy
✅ Changelog
interactsh v1.0.5: Introducing new features and several bug fixes in the server component. It is now possible to use multiple domains with a self-hosted interactsh server from the same machine instead of a dedicated server for each.
📅 Events
State of GraphQL: The annual developer survey of the GraphQL ecosystem.
Loco Moco Sec - June 27-30, 2022: The Premier Product Security Conference in Hawaiʻi.
🎉 Celebrate
Jason et al. thanked Jeff Foley for his work on amass and more: As Jason mentions, consider sponsoring Jeff's work!
Muhammad contributed 600 Nuclei templates: Impressive!
hakluke and family welcomed a second child: Congrats!
Stefan's first LHE was amazing: Love to hear it!
iQimpz married his best friend: Happy days!
💰 Career Corner
Black Wing is hiring a Sr. Security Engineer: RE, vuln research, code audit, crypto, tool dev, etc. Drivers, kernel, firmware, boot loaders, etc.
⚡️ From the Community
Jason got a new banner: Forum signature vibes anyone?
Paul asks if people will contribute if he open sources his database of findings.
Binit Ghimire aka WHOISbini passed away on June 25th, 2022: He was a well-known, humble, helpful and influential member of the infosec community who also made it to BlackHat as a speaker and made the Nepali infosec community more well-known on a global scale.
📰 Articles
AWS Misconfigurations: Another post in the Deep Dive into AWS Cloud Security from scratch series.
Writeup - How to download eBooks from Google Play Store without paying for them.
Intercepting MS Teams Communication: Looking into the question of how the communication protocol of MS Teams works, and why nobody has developed a nice Python client for it.
How to access paywalled research papers without institutional access.
Hack with ‘goodfaith’ - A tool to automate and scale good faith hacking.
📚 Resources
Tarah on installing Signal for the first time: "After today's devastating news, you might be installing Signal for the first time. [...]"
hakluke on how to become a Nmap pro: Nmap is a port scanner, but it does much more including service/OS detection and even vuln scanning.
Awesome Hacker Search Engines: A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty and more.
ZAP community scripts: A collection of ZAP scripts provided by the community.
🎥 Videos
Are Resource Packs Safe?: Let's explore how Minecraft can be customized. The knowledge we gain from that is very useful to identify interesting attack surface.
Command Injection - Lab #2 Blind OS command injection with time delays: In this video, Rana covers Lab #2 in the Command Injection module of the Web Security Academy.
Command Injection - Lab #3 Blind OS command injection with output redirection: In this video, Rana covers Lab #3 in the Command Injection module of the Web Security Academy. This lab contains a blind OS command injection vulnerability in the feedback function.
🎵 Audio
The Privacy, Security, & OSINT Show #267 - macOS Privacy & Security Revisited.
Breadcrumbs #19 - From the Help Desk to the Red Team With Roei Sherman: In this episode they have the good fortune of sitting down with xFreed0m, AKA Roei Sherman. Roei has been a Trace Labs contributor for several years, and they take some time to talk about his journey into infosec, OSINT and the Trace Labs community.
Risky Business #668 - Microsoft is hiding its Azure security problems.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.