Check out my interview with Logan Evans, CEO of @Sugar_Security one of five 4/10/24 @OkVentureForum Pitch Presenters https://t.co/LbxDYGwlFT via @YouTube
################################
CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
################################
now.. first questions...
how many devices in your enterprise do you have running a vulnerable version of SSH?
How many of these are internet facing?
are there in the wild exploitation?
Do you need to patch regardless? (think cyber essentials)
are there even patches available?
At what priority should you patch this vs other vulnerabilities?
#Vulnerability #Management
If you are a software engineer and aren’t paying a measly 20 dollars a month for ChatGPT Plus for assured access to GPT4 you obviously don’t value your time and productivity enough. 20 dollars is like 2.5 coffees.
Bruh. I literally almost just got hacked and the only thing that saved me was my paranoid-ass AppLocker settings 😳
I was in Visual Studio and installed what claimed was an "Official" OpenAI NugetPackage. Which then tried to run a Powershell script but thankfully was blocked by AppLocker because it wasn't whitelisted.
What tipped me off was after I installed the package, Visual Studio said something about an invalid character in the package name. I checked and it had weird Cyrillic characters in there.
I looked at the other packages by that account and there were a few others, all also impersonating popular apps like Xbox and Discord.
I googled "Malicious Nuget Packages" and an article came up which mentioned an "init.ps1" powershell script they download. Sure enough, I found that. But thankfully I saw that AppLocker had blocked it from running.
It would have downloaded a batch file called "Anthrax.bat" and done god knows what.
Now also we MUST remember this:
ISo27001 is about an ISMS!
a MANAGEMENT SYSTEM!
It is not about the delivery of CYBER DEFENSE!
The two on paper might look similar... in reality there are worlds apart!
Governance by spreadsheet is not really governance, it's cooking the books! Governance is about steering and decision making, NOT about a certification.
We must also recognize businesses are dynamic:
There are preasures
There are constraints
There are requirements
There are RISKS outside of PEW PEWS (Digital risks)
I remember when I was working at my 8 hour job and I dreamed of becoming an Independent Smart Contract Auditor, yes I was afraid to take that risk...
But, in the end, I did, I quit my job and why?
- To focus 100% in Web3 Security and give my best!
Was It Worth It?
- Haha that was the Best Decision I ever made in my Life!
Follow your dream, you've got to follow it!
Testing the waters to find #Hackers in @OklahomaCity_OK! Grab a laptop and come make some new friends!
No experience needed, come learn about cyber security, and AI!
@thebigfriendly SW OKC
June, 22nd 5pm - 8pm
#hacktheplanet
A generation ago some people were saying there was no point in learning to program because all the programming jobs would be outsourced to India. Now they're saying you don't need to because AI will do it all. If you don't want to learn to program, you can always find a reason.
Every time there's a big cyber thing, I get an influx of LinkedIn messages from aspiring vuln researchers asking how to get started. Smarter people than me will recommend building all sorts of great technical skills, but here's a big one: You've gotta be able to write.