Hive Five

By securibee 🐝

Hi friends,

Greetings from the hive!

Merry Christmas and happy holidays.

As I reflect on the the recent passing of Maxi Jazz, I’m reminded of the carefree days of my youth. Memories of the joy and simplicity of dancing to Faithless’s hits like Insomnia and God is a DJ. Those were simpler times, and this loss emphasized my commitment to living a more minimalistic life, focused on doing less but doing it better, as Marcus Aurelius advised.

Among other projects, I want to declutter my space and simplify my schedule so that I can focus on what’s truly important. I want to live with intention and purpose, striving to be my best self every day.

What about you? What are your current goals and how are you working to achieve them?

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. RTFR (Read The Bleeping RFC), a talk by securinti @ NahamCon 2022 EU. Find out how to read RFC’s to find unique vulnerabilities. more | thread
  2. Meth to Netflix: ThePrimeagen story. One of Twitch’s most entertaining streamers shares his background and lessons learned. more
  3. I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS. When is copy-paste payloads not self-XSS? When it’s stored XSS. Recently, spaceraccoon reviewed Zoom’s code to uncover an interesting attack vector. Along the way, they dived into the ClipboardEvent and DataTransfer web APIs and learned a lot about dynamic drag-and-drop internals. more
  4. Twelve Days of ZAPmas: Day 1 - Setting Up ZAP. A run down some of the ins and outs of working with OWASP Zed Attack Proxy (ZAP). more
  5. Better Make Sure Your Password Manager Is Secure. As part of a security analysis, kuekerino (T / M), ubahnverleih (T / M) and parzel (T / M) examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). more

🔥 Buzzworthy

✅ Changelog

  1. v1.12 of waymore is available featuring a new argument -𝘤 / –𝘤𝘰𝘯𝘧𝘪𝘨 added to specify the full path of a YML config file. If not passed, it looks for 𝘤𝘰𝘯𝘧𝘪𝘨.𝘺𝘮𝘭 in the same directory more
  2. Taborator update added keyword search on IP and payload and mark all as read and clear req/res. The amount of req/resp stored are now limited to reduce memory consumption when using the $collabplz placeholder. more

📅 Events

  1. Lupin’s Xmas challenge! Can you solve our Xmas Challenge and trigger the alert on the page? more
  2. PenTester Nepal Christmas special final infosec quiz for the year 2022. This quiz is designed to test your knowledge and skills in the field of cybersecurity, and upon completion, you will receive an official certificate of completion. more

🎉 Celebrate

  1. Bug Bounty Hunter latest Hackevent winners: IamVictorTeh and AyushSingh1098. Congrats! more
  2. Andy is 731 days sober. Let’s go! more
  3. 4n6lady finished the year with their newest accomplishment and are now SAA certified. Woohoo! more
  4. Vegeta passed eLearnSecurity’s eWPTXv2 exam. Hooray! more
  5. BugBountyHQ’s daughter was born. Awesome! more

💰 Career

  1. Marcus J. Carey’s 12/22/2022 Cybersecurity Job Thread. more
  2. The TMCF Resume template. more

⚡️ Community

  1. sw33tLie on how much quick payouts impact the overall results of a bug bounty program. more
  2. chompie on being in the security industry for 5 years, but still feeling like a noob. more
  3. People’s goals for 2023 via Louis. more
  4. Jason Haddix is moving on from leading Ubisoft’s security team for the last 4 years. more

📰 Read

  1. How Monish hacked a company. more
  2. AD manager Plus Remote Code Execution. At that time, Log4j was already widespread on the internet. Manage Engine had already patched the Ad Manager Plus to prevent it from being affected by the Log4j vulnerability. more
  3. Shennina Framework - Automating Host Exploitation with AI. more
  4. Speedrunning Web3 Bug Hunts. more
  5. Daniel’s philosophy and recommendations around the lastpass breaches. more

📚 Resources

  1. Information security newsletter suggestions via Rami. more
  2. Advice on how to start with RFID Hacking. more
  3. AWS CIRT announces the release of five publicly available workshops. more
  4. JavaScript for hackers book by PortSwigger researcher Gareth Heyes, who is probably best known for his work escaping JavaScript sandboxes, and creating super-elegant XSS vectors. more

🎥 Watch

  1. Securing Open Source Dependencies: It’s Not Just Your Code That You Need to Secure. The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. more
  2. Marcus talking cybersecurity/infosec, and answering viewer questions. more
  3. Do You Have What it Takes to be Gone in 60 Seconds? more
  4. How to RecoverRemoved Website Content Using Maltego in 5 Minutes. more
  5. Sun introduces Superbacked, possibly the world’s most advanced backup and succession planning app. more

🎵 Listen

  1. Malicious Life: How Netflix Learned Cloud Security. Jason Chan was hired by Netflix at its pivot point back in 2011, to lay the foundations for its cloud security protocols. more
  2. Smashing Security 303: Secret Roomba snaps, Christmas cab scams, and the future of AI. Beware your Roomba’s roving eye, the Finns warn of AI threats around the corner, and watch out when hailing a cab in Dublin. more
  3. JRE #1908 - Erika Thompson. Erika Thompson is the owner and founder of Texas Beeworks, an organization promoting public awareness and education about the valuable work bees and beekeepers do. more

🧰 Tools

  1. z3dc0ps/BBSSRF is a powerful tool to check SSRF OOB connection. The testing field must contain “BBSSRF” and this tool will automatically change it to dynamically generated payloads. more
  2. 4ra1n/jar-analyzer is a GUI project for analyzing jar files, especially suitable for code security analysis. Multiple jar files can be analyzed at the same time, and you can easily search methods in them. more
  3. mzfr/takeover is a tool for testing subdomain takeover possibilities at a mass scale. more
  4. 0x4ndy/clif is a command-line interface application fuzzer. Pretty much what wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that for some reasons, Google’s afl-fuzz doesn’t allow for unlimited argument or option specification. more
  5. ax/ is a Bash script that makes reverse engineering Android apps easier. Automating some repetitive tasks like decoding, rebuilding and patching. more

💡 Tips

  1. Mike Takahashi favorite Google dork flow. more
  2. renniepak’s Discord keylogger XSS payload. more
  3. Demon shared some SQLi insights. They discovered SQLIs that occurred when requesting data from a specific date and when editing users/groups etc. more
  4. Matthew’s CyberChef tips. more
  5. What your favorite hackers would tell themselves before ever starting bug bounty. more

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. tpope: Tim Pope | Vim plugin artist.
  2. katherinecodes: Katherine Oelsner | Senior Software Engineer @github.
  3. simonw: Simon Willison | Creator @datasetteproj, co-creator Django. PSF board. @nichemuseums. Hangs out with @natbat + @cleopaws. He/Him.
  4. shad0wbits: ΔĐVΔŇƀРƤ€ŘŞƗŞŦ€ŇŦ Ŧ€ΩỮƗŁΔ is in beast mode | Hacker. Rule breaker. Thought criminal. Lupus non timet canem latrantem. Non ducor duco. Live and let live. Do no harm, take no shit.
  5. fancy_4n6: Shanna Niggans 🦄 | Digital forensics & incident response. Horse and Dog mum. DFIR forensicfemmes SydneyHax4n6 @ComfyConAU @cosiveco she/her.

🚀 Productivity

  1. Alex Hormozi on how to stay poor. more
  2. Visual atomic note taking with Obsidian Excalidraw. more
  3. Danny Talks Tech’s extended brain setup in Obsidian. more
  4. Constraints make us stronger. Growth comes from exposing ourselves to challenges. Constraints, however, is a special type of challenge in that it’s about not having enough of something, be it time, money, health, status, attractiveness, or ability. more

🌐 Programming

  1. Recommended resources for learning Go. more
  2. Some really cool tech that Tobi Lutke thinks is underrated right now and that has proven very useful to him this year. more
  3. Wes Bos shares 4 JavaScript console tips. more
  4. The Nuxt 3 Crash Course. A 3 hours of a 9-hour course hosted on Udemy. You will learn everything you need to become a Nuxt 3 expert. more
  5. Comprehensive Rust. A four day Rust course developed by Google’s Android team. The course covers the full spectrum of Rust, from basic syntax to advanced topics like generics and error handling. It also includes Android-specific content on the last day. The goal of the course is to teach you Rust. more

🧠 Wisdom

  1. Sahil Bloom shares 22 ideas from 2022. more
  2. Nathaniel on the importance of doing researcher and JIT learning. more
  3. Not caring lets us perform better. There’s a common trap that gets in the way of our natural abilities. That trap is to care too much about achieving an outcome. more
  4. Daniel Cuthbert on the upside of security when using a Google Pixelbook. more
  5. How comparison ruins your mental health (and how to stop). more

💛 Cross-pollination

  1. My Internet: Jane Manchun Wong. Embedded is your essential guide to what’s good on the internet, by Kate Lindsay and Nick Catucci. Most weeks, they quiz a “very online” person for their essential guide to what’s good on the internet. more
  2. People share their thoughts on the best corporate swag they’ve ever received. more
  3. Talib Kweli interviews hip hop group Coast Contra. They talk about Apt. 505, Never Freestyle, JID, Ras Kass, Biggie. more
  4. Lupe Fiasco presents “Rap Theory & Practice: an Introduction” at MIT. An exploration into the underlying fundamental functions, structures, and principles of rap. more
  5. A documentary a came across: General Magic. In 1990, at a secretive Silicon Valley startup, a small and passionate group of engineers and visionaries formed one of history’s greatest tech teams to build a magical device that would enable anyone to connect everyone, everywhere to everything. more

🐝 Fact

A biannual honey harvest takes place in the foothills of the Himalayas in central Nepal, demonstrating that various taboos and rituals associated with honey-hunting remain, including sexual abstinence and appeasement of the gods. Here, the honey harvest is preceded by offerings of fruit, flowers, and rice as well as prayer.

Only then will a honey-hunter commence his ancestral descent of the rugged cliff face to plunder the nests of one of the world’s largest species of honeybee, Apis laboriosa.

This bee fact is brought to you by The Beekeeper’s Bible: Bees, Honey, Recipes & Other Home Uses.

🐦 Tweet


🙏🏻 Thank you for reading

Was this email forwarded to you? Sign up here.

If you enjoyed this email you can support me by sharing the newsletter with your friends (you can also forward the email). Lets keep in touch, follow me on Twitter (or Mastodon) and let me know what excites you!

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter can contain affiliate links that help support the cost of running the newsletter. They are for tools, courses, and resources that I have found useful myself.

This was issue #101 of Hive Five. You can subscribe or unsubscribe.

This email brought to you by Buttondown, the easiest way to start and grow your newsletter.