I am a huge fan of the Hacker History podcast by Josh Bressers and really enjoyed chatting with him for this episode. It's a fantastic interview style and I think captures the "why" of the hacker mindset in a unique way: https://hackerhistory.com/podcast/the-history-of-hd-moore/

PSA: If you use GOGS.io (the predecessor to Gitea and friends), please make sure self-registration is disabled. I reported a trivial RCE a couple months ago, received no reply, and it's starting to look intentional.

I am super excited to speak at Black Hat USA this year with Rob King (@lorddimwit) Our work, "Secure Shells in Shambles", dives deep into the Secure Shell protocol, its popular implementations, what's changed, what hasn't, and how this leads to unexpected vulnerabilities and novel attacks. An open source tool, dubbed "sshamble", will be demonstrated, which reproduces these attacks and opens the door for further research.

#BHUSA #vulnerability #infosec

- https://www.blackhat.com/us-24/briefings/schedule/#secure-shells-in-shambles-40393

Some of the announced talks that I am looking forward to include:

* Super Hat Trick: Exploit Chrome and Firefox Four Times: Nan Wang, Zhenghang Xiao, & Xuehao Guo

* Securing Network Appliances: New Technologies and Old Challenges: Vladyslav Babkin

* Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! Orange Tsai

* Listen to the Whispers: Web Timing Attacks that Actually Work: James Kettle

* Project Zero: Ten Years of 'Make 0-Day Hard': Natalie Silvanovich

* Nope, S7ill Not Secure: Stealing Private Keys From S7 PLCs: Nadav Adir, Alon Dankner, Eli Biham, Sara Bitan, Ron Freudenthal, Or Keret

* Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap: Alex Plaskett, Robert Hererra

* Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor: Zisis Sialveras

* Crashing the Party: Vulnerabilities in RPKI Validation: Niklas Vogel, Donika Mirdita, Haya Schulmann, Michael Waidner

* OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe: Vladimir Tokarev

* Surveilling the Masses with Wi-Fi Positioning Systems: Erik Rye

* Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation: Fabian Bäumer

For anyone considering "Skip this update" due to ITerm2's silly AI thing - NOT updating means missing patches for this fun bag of exploits: https://vin01.github.io/piptagole/escape-sequences/iterm2/hyper/url-handlers/code-execution/2024/05/21/arbitrary-url-schemes-terminal-emulators.html

Maybe time for a new terminal?

📺 💡 Tune in tomorrow for a special episode of runZero Hour with myself, @lorddimwit , and @blainsmith

We're unpacking the findings from our inaugural Research Report. See what our analysis of millions of assets revealed about the state of asset security. Register here: https://runzero.zoom.us/webinar/register/WN_298GtwnOSj-iJ-4YDw3dVA#/registration

Don't like webcasts? You can find the full research report at: https://www.runzero.com/research-report/

Finding zero-day is great and all, but I really love finding bugs that were silently patched. Less disclosure work and often just as much impact.

PS. Using Ruckus Wireless APs? _Definitely_ apply the latest firmware (5.2.1 or newer).

>Dear Customer. Please sign up to attend our "RSA FOMO Party".

>Thank you for your interest in the RSAC 2024 FOMO Party. Unfortunately, due to high interest, we have reached capacity and will not be able to accept any more registrations. We hope to see you at a future event.

I mean, that's one way to drive FOMO. Thanks vendor!

runZero's first research report is live! https://www.businesswire.com/news/home/20240507167076/en/runZero-Research-Explores-Unexpected-Exposures-in-Enterprise-Infrastructure

In San Francisco this week? Swing by at 10:30am tomorrow for a live presentation on the report and our findings: https://www.runzero.com/runzero-research-report-launch/

A RSA conference story in three photos.

runZero.com (@runZeroInc) is hiring software engineers who love Go! These roles are 100% remote but require residence in the mainland US and a green card or citizenship https://www.runzero.com/about/careers/

Apply through the web site to get started and feel free to DM with any questions.

Wondering what we do? Grab a free trial and a community edition license for your homelab at https://www.runzero.com/try/

#golang #programming #fedihired