A mini-rant on the use of murmur3 32-bit hashes for favicon.ico fingerprinting:

1) The canonical implementation is @shodan which uses the Python mmh3 module, so far so good...

2) The Murmur3 hashing algorithms are generally architecture-dependent. Python mmh3 uses the C implementation, which produces different hashes based on architecture and possibly endian-ness.

3) The Go implementations cover 32/64/128 variants, but they also lean on unsafe pointer usage for some silly reason, and although they support byte swap for big endian, it looks fragile.

4) This Shodan (and Censys) hash isn't of the binary data, but rather the base64 of the data.

5) And it's actually more specific. It depends on the variant with 76-character line wrap, using "\n" (but not "\r\n") line wraps, and a trailing "\n", with the base64 `=` padding.

6) If you want to calculate the Shodan/Censys compatible Favicon hash without relying on a C compiler, the native build architecture, or the base64 implementation, use this: https://gist.github.com/hdm/1552cdfad14b32a2d2f44a64468558c5#file-mmh3-go-L78

TL;DR: If you generate some sort of hash or fingerprint, it helps if the generation process isn't defined by build architecture or a stack of implementation-specific defaults.

""?! ANSI Terminal security in 2023 and finding 10 CVEs: https://dgl.cx/2023/09/ansi-terminal-security - awesome research by @dgl

Looking for Cisco IOS-XE devices with an exposed web interface in your environment? (CVE-2023-20198), runZero can help: https://www.runzero.com/blog/finding-cisco-ios-xe-2/

Services query hotlink: https://console.runzero.com/inventory/services?search=%28products%3Anginx%20OR%20products%3Aopenresty%29%20AND%20_asset.protocol%3Ahttp%20AND%20protocol%3Ahttp%20AND%20http.body%3A%22window.onload%3Dfunction%25url%25%3D%25%2Fwebui%22

An actively exploited zero-day in Cisco IOS-XE's web interface is leading to mass compromise and implant (backdoor) installation: https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

CVSS 10.0 and bad enough that Cisco is providing methods to check for the specific implant being installed.

via @dangoodin

The spirit of full-disclosure is alive and well. "Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days" https://megamansec.github.io/Squid-Security-Audit/

Excited to finally participate in #caturday! He likes to hang out like this.

PSA: Some of the "JA" series of fingerprints (HASSH, JARM, etc) are patented by Salesforce. The new JA4 methods are patent-pending by FoxIO. The JA4+ license is commercial ($ for OEM). Nothing wrong with charging for your work, but OSS projects should be careful about adoption.

Happy Monday! Looks like libwebp vulnerabilities expose a massive portion of daily productivity tools to RCE (via Chrome embedding and Electron):

https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/ via @dangoodin

quote of the day: "anything is a server rack if you are brave enough"

This is the article to send to your IT team when they refuse to enforce boot-time PINs for BitLocker:

Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop: https://www.errno.fr/BypassingBitlocker.html by Guillaume Quéré