Taggart
-
New #Ringspace release! A bug fix in multiple sites on the same database joining the same ring led to a solution to a long-standing problem: ring key rotation! Now, when a ring has to rotate keys, it can issue new invite codes to member rings, which will handle ring rotation upon redemption.
https://codeberg.org/mttaggart/ringspace/releases/tag/v0.2.6
-
Interested in #Ringspace? I'll be doing a live demo today at 12:00 PDT. Details available for TTI community members. Come join us!
-
Interested in the #Ringspace webring protocol? I'm doing a "Ringspace 101" live session this Friday, at 11:00 PDT. Open to all, but you can join TTI and RSVP/engage in the conversation!
-
Some exciting news! #Ringspace finally has browser extensions in browser stores! This means folks operating Ringspace webrings and member sites can use these extensions to validate their membership and standing.
Chrome: https://chromewebstore.google.com/detail/ringspace-extension/dhnifdbjepgpcnhoofjfeieimlaaomea
Firefox: https://addons.mozilla.org/en-US/firefox/addon/ringspace-extension/
-
I submitted this last week but didn't get a notification it was approved. Anyway, here's this! This is what you need to detect and validate #Ringspace ring members. You can test it out on my blog.
https://chromewebstore.google.com/detail/ringspace-extension/dhnifdbjepgpcnhoofjfeieimlaaomea
Firefox is submitted, awaiting approval.
-
Believe it or not, I am still working on #Ringspace. And here's a new release!
This version of the protocol employs JWKS format for key exchange, and uses Base64URL formats for all encoded data. Plus .env support and resources for Docker deployment!
https://codeberg.org/mttaggart/ringspace/releases/tag/v0.2.5
What's Ringspace? It's a proposal for a human web protocol that combines mutual trust and reputation.
-
RE: https://front-end.social/@henry/115821514406578583
It's this exact instinct that led to the creation of #Ringspace. Webrings were a convivial tool, and can be again.
-
Check out this awesome #Ringspace homepage built with PHP! It's still early days, but I think we're on to something here with bringing back webrings.
-
Here's my go-to cheatsheet for troubleshooting issues in Fedora:
- Disable SELinux
Thanks for reading!
#linux #fedora #productivity #wow #disruption #hyperscale #ai #innovation #quantum #nextgen #cybersecurity #business #numbers
-
I've been waiting for this writeup for a long time. Great dive on #Gootloader: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
Of particular note is the 24-hour timeout for any IP that receives a Gootloader download prompt, frustrating research attempts. But the whole research process here is excellent.
-
@briankrebs Me before opening: Hahaha it's probably LASD; they're literally a gang.
Me, opening the story: welp.
#GoogleLASDGangs
-
Hey, it's summer, which means my #k12ed friends are refreshing things like #Chromebooks. Here's your reminder that any security system that uses browser extensions in Chrome is inherently user-exploitable.
github.com/S-PScripts/chromebook-utilities/
If I were deploying these things in 2024, they'd never see a raw network connection. It would be Tailscale or something everywhere, with a proxy that I control.
-
Some thoughts on what a #HumanWeb might look like: taggart-tech.com/human-web/
-
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
-
The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
-
Nice writeup by @TalosSecurity on a suspected Chinese APT campaign using two new 0-days, and an unknown initial access vector.
We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
Well...yikes!
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
WIRED story with more: www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/
#ThreatIntel #InfoSec #CyberSecurity #CVE_2024_20353 #CVE_2024_20359
-
This analysis of #APT28 aka #ForestBlizzard methodology is being reported all over as though it were special. And while it may be "unique" to the group, it's just...not that special.
Everything I see here should be detected by modern standard defenses. This attack chain doesn't even read like an APT to me; it reads like a cybercrime group.
What am I missing?
-
The list of known #SpyPet accounts has been published. Recommend mass-banning them ASAP: gist.github.com/Dziurwa14/05db50c66e4dcc67d129838e1b9d739a
#Discord
-
Okay so the folks who said the LLM-generated "PoC" repos for #CVE_2024_3400 were just claiming the space were dead-on. This repo, which was fake, is now using the known exploit. I expect the others have done the same.
So the lesson here is that we have a PoC ParkingCrew.
-
Real or not real? github.com/0x0d3ad/CVE-2024-3400/
#CVE_2024_3400
-
This is in theory a sample of the UPSTYLE backdoor used by attackers exploiting the #CVE_2024_3400 Palo Alto 0-day.
As always, use extreme caution when handling malware samples.
bazaar.abuse.ch/sample/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac/
-
Threat brief with workarounds and #ThreatHunting targets for #CVE_2024_3400: unit42.paloaltonetworks.com/cve-2024-3400/
#ThreatIntel #CyberSecurity
-
A great day at #BSidesSD! Was super glad to be able to share some #RustLang hacking with folks!
But it wasn't recorded. So I'll be turning this into a streamed/recorded talk as well.
And for now, here is the code/slides from the talk: github.com/The-Taggart-Institute/blue-crab-shells
-
#MyFirstDistro was Jolicloud, an Ubuntu derivative for netbooks, which went on my trusty eeePC. From there, Ubuntu Netbook, and then, there was no turning back.
-
Good morning! Have a fairly gnarly RCE in #Jenkins:
Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.
www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
#CVE_2024_23897
-
And there's the PoC for the #CVE_2024_0204 GoAnyWhere vuln: github.com/horizon3ai/CVE-2024-0204
-
Here's the writeup on #PixieFail, 9 vulns in the UEFI reference architecture that could enable exploitation over PXE network boot using IPv6. As near as I can tell, what has been demonstrated is underflow/overflows, but no successful exploitation.
blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
-
Full list of all known #CitrixBleed exploiters, care of @[email protected] and @[email protected].
https://viz.greynoise.io/query?gnql=tags%3A%22Citrix%20ADC%20Netscaler%20CVE-2023-4966%20Information%20Disclosure%20Attempt%22
#CVE_2023_4966
-
I don't usually love CTFs for learning, but a few of the #HuntressCTF challenges very skillfully placed me at my Zone of Proximal Development and got me to learn some new, powerful skills. Well done to @[email protected], HuskyHacks, and the entire Huntress team.
-
Hoooly crap today's #HuntressCTF challenge was a beast. Still under 100 solves, and I'm one of 'em.
-
It was pretty funny to see my own code pop up in today's #HuntressCTF.
-
Apparently #CVE_2023_4966 is "undergoing reanalysis." Wonder if it'll be higher or lower... 👀
https://nvd.nist.gov/vuln/detail/CVE-2023-4966
-
IT IS DONE.
The new Electron App Tracker is now tracking #CVE_2023_4863 and #CVE_2023_5217, and has the capability to track future vulnerabilities.
The code deeply scrapes repositories looking for package.json files, and we've already picked up some new patches!
Get the data here, in both CSV and JSON format for your convenience. https://github.com/mttaggart/electron-app-tracker
-
Microsoft says they've patched #Teams, among others, for #CVE_2023_4863 and #CVE_2023_5217, but that doesn't track with their published Update History. Or at least, it's unclear how the patch was applied. I guess not with a patched Electron version!
-
Working on an update to the #CVE_2023_4863 tracker that
- Searches repo subdirs for package.json
- Automatically updates the CSV List
- Dates access for clarity
- Tracks #CVE_2023_5217 as well
- Creates both CSV and JSON
It's time to hold Electron apps accountable. The architecture of this will allow it to track further CVEs as appropriate.
-
I've updated the #CVE_2023_4863 Google Sheet to allow anyone to comment (gulp). That way, if you know of a version that is missing or has changed, you can take action!
https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit#gid=1774064991
Comments are of course also enabled on the Gist version:
https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
-
So Discord is having a meltdown this morning.
In addition to earlier API trubz, now it appears that desktop clients are showing "blocked" by Cloudflare.
Updated desktop Electron app and Chromium browsers don't appear to work, but Firefox does.
Is this a weird #CVE_2023_4863 mitigation attempt?
-
Wait what? Now it's not a valid CVE anymore?
#CVE_2023_5129
-
Okay, a continually-updated list of Electron apps and their Electron versions, and whether they're vulnerable to #CVE_2023_5129, aka #CVE_2023_4863.
https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit?usp=sharing
And for those of you who refuse to click on Google links: https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
-
For those tracking CVE-2023-5129 CVE-2023-4863, aka the #Libwebp fiasco, here's how to validate if your Electron app is vulnerable.
The patched version of Electron is v26.2.1. To confirm what version of Electron your app is using, you need to run strings against the executable. The version is in the app's User-Agent, so:
strings app.exe | grep "Electron/"
will do the trick. The attached image shows this method for Teams, which tracks with their published version listings.
I'd love it if folks who try this with updated apps post their results as replies here, so we can collect this #ThreatIntel.
Edited to add that backports also are patched: 22.3.24, 24.8.3, and 25.8.1.
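Added example (my own code, not from this post or the tracker project): a Python version of the strings/grep check above that pulls the Electron/x.y.z token out of a binary's bytes and compares it against the fixed releases listed in this post (26.2.1 and the 22.3.24, 24.8.3 and 25.8.1 backports). It assumes majors above 26 are fixed and majors with no listed backport are vulnerable; the sample bytes are constructed.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the post: 26.2.1 plus the backports 22.3.24,
# 24.8.3 and 25.8.1, keyed by major version.
FIXED_BY_MAJOR = {22: (22, 3, 24), 24: (24, 8, 3), 25: (25, 8, 1), 26: (26, 2, 1)}
UA_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")

def electron_versions(data: bytes) -> list:
    """Every Electron/x.y.z token embedded in the bytes (the User-Agent string),
    i.e. what `strings app.exe | grep "Electron/"` shows, as sorted int tuples."""
    return sorted({tuple(int(p) for p in m.groups()) for m in UA_RE.finditer(data)})

def is_vulnerable(version: tuple) -> bool:
    """True when the version predates the fixed release for its major line.
    Assumption (mine, not from the post): majors above 26 are fixed, and majors
    with no listed backport (e.g. 23) are treated as vulnerable."""
    major = version[0]
    if major > 26:
        return False
    fixed = FIXED_BY_MAJOR.get(major)
    return True if fixed is None else version < fixed

def report(data: bytes) -> list:
    """[('x.y.z', vulnerable), ...] for every Electron version in the bytes."""
    return [(".".join(map(str, v)), is_vulnerable(v)) for v in electron_versions(data)]

def check_file(path: str) -> list:
    """Run the check against an executable on disk (e.g. app.exe)."""
    return report(Path(path).read_bytes())

# Constructed sample mimicking the UA string an Electron binary carries.
SAMPLE = (b"\x00\x00Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          b"(KHTML, like Gecko) ExampleApp/1.0 Chrome/114.0.5735.289 "
          b"Electron/25.3.1 Safari/537.36\x00")

if __name__ == "__main__":
    results = check_file(sys.argv[1]) if len(sys.argv) > 1 else report(SAMPLE)
    for ver, vuln in results:
        print(f"Electron/{ver}: {'VULNERABLE' if vuln else 'patched'}")
```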
#CVE_2023_4863 #InfoSec #CyberSecurity
-
Still searching for any IoCs of active exploiters of #CVE20233519, if you got 'em. The ones I've seen so far are pretty lame.
-
Aaand there's the PoC for CVE-2023-3519, courtesy of @BishopFox:
https://bishopfox.com/blog/citrix-adc-gateway-rce-cve-2023-3519
-
Hey all, the recommended hunts for potential exploitation of CVE-2023-3519 involve searching for webshell-like files that are newer than the last patch of the system.
That's cool, and you should do it, but also be aware that timestomping is a very common technique used by attackers targeting *Nix systems with 0-days.
A more considered approach to hunting webshells may be valuable, such as entropy analysis within web-facing directories. And of course log analysis for abnormal commands post-exploitation.
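Added example (not the author's code): a Python hunt over a web-facing directory that pairs the newer-than-patch check with a Shannon entropy check, so a timestomped file still surfaces on the second signal. The 6.0 bits/byte floor, the directory layout and the sample files are constructed assumptions.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, near 8.0 for random or encoded
    blobs, typically 4 to 5 for ordinary PHP/HTML source."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def hunt(webroot: str, patched_at: float, entropy_floor: float = 6.0) -> dict:
    """Flag files by two independent signals: mtime newer than the last patch
    (defeated by timestomping) and high entropy (not). Returns {path: [reasons]}."""
    findings = {}
    root = Path(webroot)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.stat().st_mtime > patched_at:
            reasons.append("newer-than-patch")
        if shannon_entropy(path.read_bytes()) >= entropy_floor:
            reasons.append("high-entropy")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo() -> dict:
    """Constructed sample tree: a benign page, a freshly dropped file, and an
    encoded blob whose mtime was pushed back before the patch (timestomped)."""
    patched_at = time.time() - 86400  # assume the appliance was patched a day ago
    with tempfile.TemporaryDirectory() as d:
        page = Path(d, "index.php")
        page.write_bytes(b"<?php echo 'Welcome to the portal'; ?>\n" * 40)
        os.utime(page, (patched_at - 3600, patched_at - 3600))
        Path(d, "upload.php").write_bytes(b"<?php include 'x'; ?>\n" * 40)  # mtime = now
        blob = Path(d, "assets", "cache.php")
        blob.parent.mkdir()
        blob.write_bytes(bytes(range(256)) * 16)  # 8.0 bits/byte
        os.utime(blob, (patched_at - 7200, patched_at - 7200))
        return hunt(d, patched_at)
```

Call hunt(webroot, patched_at) against a real document root with the appliance's patch time; demo() runs it on the constructed sample, where only the entropy signal catches the timestomped blob.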
-
Has anyone seen IoCs yet from CVE-2023-3519? Like actual known exploiters?
-
The gnarly thing about CVE-2023-3519 is that it comes on the heels of CVE-2023-24488, an open redirect/XSS vuln on the same dang hardware.
Why does this matter?
It was trivial to go searching for this vuln, and there are already scanners aplenty for it. Even without a PoC for the new vuln yet, would-be attackers have a ready-made tool to populate their target lists, because Citrix has rolled the patches up together, meaning if an appliance is vulnerable to one, it is very likely vulnerable to the other.
#CVE20233519 #CVE202324488 #ThreatIntel #InfoSec #CyberSecurity
-
Whoah a hashtag meme on Masto? Aight.
1. Newborn finger grabs
2. Paid family leave
3. The state of California
4. My employer
5. The amazing TTI community
6. This dope new ThinkPad
7. Obsidian
8. Wing Chun
9. Fedi
10. Mallsoft
-
I'm watching #SleuthCon and I'm just so happy to see all these amazing women/non-dude presenters! More of this, please.