home.social
  1. New #Ringspace release! A bug fix in multiple sites on the same database joining the same ring led to a solution to a long-standing problem: ring key rotation! Now, when a ring has to rotate keys, it can issue new invite codes to member rings, which will handle ring rotation upon redemption.

    codeberg.org/mttaggart/ringspa

  2. Interested in #Ringspace? I'll be doing a live demo today at 12:00 PDT. Details available for TTI community members. Come join us!

    taggartinstitute.org

  3. Interested in the #Ringspace webring protocol? I'm doing a "Ringspace 101" live session this Friday, at 11:00 PDT. Open to all, but you can join TTI and RSVP/engage in the conversation!

    taggartinstitute.org/t/ringspa

  4. Some exciting news! #Ringspace finally has browser extensions in browser stores! This means folks operating Ringspace webrings and member sites can use these extensions to validate their membership and standing.

    Chrome: chromewebstore.google.com/deta

    Firefox: addons.mozilla.org/en-US/firef

  5. I submitted this last week but didn't get a notification it was approved. Anyway, here's this! This is what you need to detect and validate #Ringspace ring members. You can test it out on my blog.

    chromewebstore.google.com/deta

    Firefox is submitted, awaiting approval.

  6. Believe it or not, I am still working on #Ringspace. And here's a new release!

    This version of the protocol employs JWKS format for key exchange, and uses Base64URL formats for all encoded data. Plus .env support and resources for Docker deployment!

    codeberg.org/mttaggart/ringspa

    What's Ringspace? It's a proposal for a human web protocol that combines mutual trust and reputation.

    ringspace.net

  7. RE: front-end.social/@henry/115821

    It's this exact instinct that led to the creation of #Ringspace. Webrings were a convivial tool, and can be again.

    ringspace.net

  8. Check out this awesome #Ringspace homepage built with PHP! It's still early days, but I think we're on to something here with bringing back webrings.

    ringspace.pnpde.social

    codeberg.org/nesges/looping

  9. I've been waiting for this writeup for a long time. Great dive on #Gootloader: news.sophos.com/en-us/2025/01/

    Of particular note is the 24-hour timeout for any IP that receives a Gootloader download prompt, frustrating research attempts. But the whole research process here is excellent.

  10. @briankrebs Me before opening: Hahaha it's probably LASD; they're literally a gang.

    Me, opening the story: welp.

    #GoogleLASDGangs

  11. Hey, it's summer, which means my #k12ed friends are refreshing things like #Chromebooks. Here's your reminder that any security system that uses browser extensions in Chrome is inherently user-exploitable.

    github.com/S-PScripts/chromebook-utilities/

    If I were deploying these things in 2024, they'd never see a raw network connection. It would be Tailscale or something everywhere, with a proxy that I control.

  12. Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

    If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

    blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

    #CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

  13. The #Cisco vulns today smack a little of the Barracuda ones last year.

    I really hope we don't end at "Toss these ASAs into a volcano."

    #CVE_2024_20353 #CVE_2024_20359

  14. Nice writeup by @TalosSecurity on a suspected Chinese APT campaign using two new 0-days, and an unknown initial access vector.

    We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.

    Well...yikes!

    blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

    WIRED story with more:
    www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/

    #ThreatIntel #InfoSec #CyberSecurity #CVE_2024_20353 #CVE_2024_20359

  15. This analysis of #APT28 aka #ForestBlizzard methodology is being reported all over as though it were special. And while it may be "unique" to the group, it's just...not that special.

    Everything I see here should be detected by modern standard defenses. This attack chain doesn't even read like an APT to me; it reads like a cybercrime group.

    What am I missing?

  16. Do you run a #Discord? Here's how to get #SpyPet out of your house.

  17. Okay so the folks who said the LLM-generated "PoC" repos for #CVE_2024_3400 were just claiming the space were dead-on. This repo, which was fake, is now using the known exploit. I expect the others have done the same.

    So the lesson here is that we have a PoC ParkingCrew.

  18. This is in theory a sample of the UPSTYLE backdoor used by attackers exploiting the #CVE_2024_3400 Palo Alto 0-day.

    As always, use extreme caution when handling malware samples.

    bazaar.abuse.ch/sample/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac/

  19. A great day at #BSidesSD! Was super glad to be able to share some #RustLang hacking with folks!

    But it wasn't recorded. So I'll be turning this into a streamed/recorded talk as well.

    And for now, here is the code/slides from the talk:
    github.com/The-Taggart-Institute/blue-crab-shells

  20. Whoo! My #BSidesSD training was accepted! See you in Sandy Eggo for some Offensive #Rust learnin'

  21. #MyFirstDistro was Jolicloud, an Ubuntu derivative for netbooks, which went on my trusty eeePC. From there, Ubuntu Netbook, and then, there was no turning back.

  22. Good morning! Have a fairly gnarly RCE in #Jenkins:

    Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.
    www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314

    #CVE_2024_23897

  23. Here's the writeup on #PixieFail, 9 vulns in the UEFI reference architecture that could enable exploitation over PXE network boot using IPv6. As near as I can tell, what has been demonstrated is underflow/overflows, but no successful exploitation.

    blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

  24. I don't usually love CTFs for learning, but a few of the #HuntressCTF challenges very skillfully placed me at my Zone of Proximal Development and got me to learn some new, powerful skills. Well done to @[email protected], HuskyHacks, and the entire Huntress team.

  25. Hoooly crap today's #HuntressCTF challenge was a beast. Still under 100 solves, and I'm one of 'em.

  26. It was pretty funny to see my own code pop up in today's #HuntressCTF.

  27. Apparently #CVE_2023_4966 is "undergoing reanalysis." Wonder if it'll be higher or lower... 👀

    https://nvd.nist.gov/vuln/detail/CVE-2023-4966

  28. IT IS DONE.

    The new Electron App Tracker is now tracking #CVE_2023_4863 and #CVE_2023_5217, and has the capability to track future vulnerabilities.

    The code deeply scrapes repositories looking for package.json files, and we've already picked up some new patches!

    Get the data here, in both CSV and JSON format for your convenience.
    https://github.com/mttaggart/electron-app-tracker

  29. Microsoft says they've patched #Teams, among others, for #CVE_2023_4863 and #CVE_2023_5217, but that doesn't track with their published Update History. Or at least, it's unclear how the patch was applied. I guess not with a patched Electron version!

  30. Working on an update to the #CVE_2023_4863 tracker that

    - Searches repo subdirs for package.json
    - Automatically updates the CSV list
    - Dates access for clarity
    - Tracks #CVE_2023_5217 as well
    - Creates both CSV and JSON

    It's time to hold Electron apps accountable. The architecture of this will allow it to track further CVEs as appropriate.

  31. I've updated the #CVE_2023_4863 Google Sheet to allow anyone to comment (gulp). That way, if you know of a version that is missing or has changed, you can take action!

    https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit#gid=1774064991

    Comments are of course also enabled on the Gist version:

    https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec

  32. So Discord is having a meltdown this morning.

    In addition to earlier API trubz, now it appears that desktop clients are showing "blocked" by Cloudflare.

    Updated desktop Electron app and Chromium browsers don't appear to work, but Firefox does.

    Is this a weird #CVE_2023_4863 mitigation attempt?

  33. Okay, a continually-updated list of Electron apps and their Electron versions, and whether they're vulnerable to #CVE_2023_5129, aka #CVE_2023_4863.

    https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit?usp=sharing
    And for those of you who refuse to click on Google links:
    https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec

  34. For those tracking CVE-2023-5129 CVE-2023-4863, aka the #Libwebp fiasco, here's how to validate if your Electron app is vulnerable.

    The patched version of Electron is v26.2.1. To confirm what version of Electron your app is using, you need to run strings against the executable. The version is in the app's User-Agent, so:

    strings app.exe | grep "Electron/"

    Will do the trick. The attached image shows this method for Teams, which tracks with their published version listings.

    I'd love it if folks who try this with updated apps post their results as replies here, so we can collect this #ThreatIntel.

    Edited to add that backports also are patched: 22.3.24, 24.8.3, and 25.8.1.

    #CVE_2023_4863 #InfoSec #CyberSecurity
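    The check described in the post above (the User-Agent string inside the binary) and the package.json scraping described in post 30 both boil down to extracting an Electron X.Y.Z version and comparing it against the patched releases the post lists (26.2.1 and the 22.3.24, 24.8.3, 25.8.1 backports). The script below is an added example, not code from the posts or from the electron-app-tracker project. It reads the `Electron/` token straight out of the file bytes instead of shelling out to `strings | grep`, and it assumes (not stated in the post) that majors newer than 26 carry the fix and that majors with no listed backport, such as 23, do not. The sample strings line and package.json snippet are constructed.

```python
"""Check Electron builds and package.json files against the libwebp fix versions.

Added example (not part of the original posts). Applies the patched versions the
post lists: 26.2.1 plus the 22.3.24, 24.8.3 and 25.8.1 backports.
"""
import json
import re
from pathlib import Path
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# From the post: patched release and backports, keyed by major line.
PATCHED_BY_MAJOR = {22: (22, 3, 24), 24: (24, 8, 3), 25: (25, 8, 1), 26: (26, 2, 1)}

# The User-Agent fragment that `strings app.exe | grep "Electron/"` surfaces.
UA_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first Electron/X.Y.Z token from a line of strings output."""
    m = UA_RE.search(text.encode())
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version: Version) -> bool:
    """True if this Electron version carries the libwebp fix.

    Assumption (not stated in the post): majors above 26 are treated as fixed,
    and majors with no listed backport (e.g. 23) are treated as vulnerable.
    """
    major = version[0]
    if major > 26:
        return True
    fixed = PATCHED_BY_MAJOR.get(major)
    return fixed is not None and version >= fixed


def check_binary(path: str) -> Optional[Version]:
    """Scan an Electron executable for its embedded User-Agent version."""
    m = UA_RE.search(Path(path).read_bytes())
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_package_json(contents: str) -> Optional[Version]:
    """Pull the pinned electron version out of a package.json (repo scraping)."""
    data = json.loads(contents)
    for section in ("devDependencies", "dependencies"):
        spec = data.get(section, {}).get("electron", "")
        m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def report(label: str, version: Optional[Version]) -> str:
    """One-line verdict suitable for a CSV/JSON tracker row."""
    if version is None:
        return f"{label}: no Electron version found"
    state = "patched" if is_patched(version) else "VULNERABLE"
    return f"{label}: Electron {'.'.join(map(str, version))} -> {state}"


if __name__ == "__main__":
    # Constructed samples: a strings-style line and a package.json snippet.
    sample_line = "Mozilla/5.0 (Windows NT 10.0) Chrome/116.0.0.0 Electron/26.2.1 Safari/537.36"
    sample_pkg = '{"name": "demo", "devDependencies": {"electron": "^25.8.0"}}'
    print(report("sample_line", parse_version(sample_line)))
    print(report("package.json", version_from_package_json(sample_pkg)))
    # For a real binary: print(report("app.exe", check_binary("app.exe")))
```

    Note that a `^25.8.0` range in package.json only tells you the floor the developer pinned; the shipped binary is the ground truth, which is why the post's strings check against the executable is the one to trust.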

  35. Still searching for any IoCs of active exploiters of #CVE20233519, if you got 'em. The ones I've seen so far are pretty lame.

  36. Hey all, the recommended hunts for potential exploitation of CVE-2023-3519 involve searching for webshell-like files that are newer than the last patch of the system.

    That's cool, and you should do it, but also be aware that timestomping is a very common technique used by attackers targeting *Nix systems with 0-days.

    A more considered approach to hunting webshells may be valuable, such as entropy analysis within web-facing directories. And of course log analysis for abnormal commands post-exploitation.

    #ThreatIntel #CVE20233519
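    The entropy-based hunt suggested above, as an added example (not code from the post or from any Citrix guidance): it walks a web root, scores each script-type file by Shannon entropy so that packed or base64-stuffed payloads stand out regardless of their timestamps, and separately notes when a file's mtime is older than its ctime, which on Linux is a cheap timestomping tell because utime() can rewrite mtime but not ctime. The extension list, the 5.5 bits/byte threshold and the 60-second slack are assumptions to tune per environment; the demo web root it builds is constructed.

```python
"""Entropy-based webshell hunt that does not trust file timestamps.

Added example (not from the original post). Flags web-facing files whose byte
entropy is unusually high and notes when mtime predates ctime (Linux only:
utime() can rewrite mtime but the kernel controls ctime).
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Assumed list of script extensions worth scoring in a web root.
WEB_EXTENSIONS = (".php", ".jsp", ".jspx", ".aspx", ".cgi")
# Assumed threshold: ordinary source sits around 4-5 bits/byte, base64 blobs
# approach 6, and compressed/encrypted bytes approach 8. Tune per environment.
ENTROPY_THRESHOLD = 5.5
# Slack so that normal writes (mtime == ctime) are never flagged.
TIMESTOMP_SLACK_SECONDS = 60


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str, threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    """Return suspicious files under root, highest entropy first."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        st = path.stat()
        entropy = shannon_entropy(path.read_bytes())
        if entropy < threshold:
            continue
        findings.append({
            "path": str(path),
            "entropy": round(entropy, 2),
            # mtime well before ctime means something rewrote the timestamp
            "mtime_before_ctime": st.st_mtime < st.st_ctime - TIMESTOMP_SLACK_SECONDS,
        })
    return sorted(findings, key=lambda f: f["entropy"], reverse=True)


def build_demo_tree() -> str:
    """Constructed sample web root: one ordinary page and one high-entropy
    'shell' whose mtime has been pushed back to 1970 to mimic timestomping."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>\n" * 50)
    shell = Path(root) / "uploads" / "shell.php"
    shell.parent.mkdir()
    shell.write_bytes(bytes(range(256)) * 4)  # every byte value equally often: 8.0 bits
    os.utime(shell, (0, 0))                   # atime/mtime -> epoch; ctime stays "now"
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_demo_tree()):
        print(hit)
```

    Expect minified JavaScript or large base64 assets to score in the 5-6 range too, so treat the threshold as a triage ranking rather than a verdict, and pair the hits with the command-line log review the post also recommends.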

  37. Has anyone seen IoCs yet from CVE-2023-3519? Like actual known exploiters?

    #CVE20233519 #ThreatIntel

  38. The gnarly thing about CVE-2023-3519 is that it comes on the heels of CVE-2023-24488, an open redirect/XSS vuln on the same dang hardware.

    Why does this matter?

    It was trivial to go searching for this vuln, and there are already scanners aplenty for it. Even without a PoC for the new vuln yet, would-be attackers have a ready-made tool to populate their target lists, because Citrix has rolled the patches up together, meaning if an appliance is vulnerable to one, it is very likely vulnerable to the other.

    #CVE20233519 #CVE202324488 #ThreatIntel #InfoSec #CyberSecurity

  39. Whoah a hashtag meme on Masto? Aight.

    #10ThingsILikeRightNow

    1. Newborn finger grabs
    2. Paid family leave
    3. The state of California
    4. My employer
    5. The amazing TTI community
    6. This dope new ThinkPad
    7. Obsidian
    8. Wing Chun
    9. Fedi
    10. Mallsoft

  40. I'm watching #SleuthCon and I'm just so happy to see all these amazing women/non-dude presenters! More of this, please.