🚗💨 Filing an insurance claim has never been this easy! With Maya, you can submit your claim in just minutes—right from WhatsApp!
✅ No paperwork
✅ No long waits
✅ Just scan, chat & get covered!
Try it today! #MayaInsurance #EasyClaims #Insurtech
The skills shortage in cybersecurity is often associated with defensive cyber operators... however, the biggest skills shortage is pentesting talent.
Pentesting Supply < Pentesting Demand
Supply: There are roughly 25,000 OSCP-certified people globally on LinkedIn (~6,000 in the US), and it takes about 7-10 years of hands-on operational experience to become a senior pentester.
Demand: NIS2, PCI, CMMC, cyber insurance underwriting processes, and other requirements have significantly increased the demand for pentesting.
The lack of supply (not enough qualified pentesters) has caused some market pains and opportunities:
1. Pentest consulting firms are cutting corners. Given how difficult it is to hire, retrain, and grow senior pentesting talent, a growing number of firms use "bootcamp"-like training and a suite of automated tools to get entry-level pentesters up to a basic level of proficiency. Often the pentest results are glorified vulnerability scans with some light probing.
2. Expensive consulting engagements lead to limited scope of testing. The few qualified pentesters can, and do, charge a premium for their services. And rightfully so; it took these experts decades to master their craft. As a result, companies can only afford to test a small slice of their network, and this limited testing coverage has led to major blind spots and risk acceptance by CIOs and CISOs.
3. The role of AI is as a force multiplier. I was frustrated by two experiences:
- I had to endure reading through mediocre pentest reports that were essentially glorified vuln reports
- I then had to pay exorbitant bills when hiring seasoned experts to test < 5% of my network underpinned
The leap of faith was whether we could build an autonomous system that executed on par with at least a "Journeyman", but with time could operate at the same level as Craftsmen and Masters.
To give you a sense of what the training journey looks like for offensive cyber operators in the military, I put together the attached diagram. Pentesters follow essentially the same journey. There are no shortcuts to the training, which is why it takes so long to build senior pentesters.
The question is not if, but when an autonomous system will give Masters "unlimited" capacity. I'm convinced that NodeZero already outperforms most Journeymen and some Craftsmen, certainly at scale, and with the training data we collect from every pentest I see a path to the autonomous planning of complex cyber operations.
#pentesting #infosec #cybersecurity @Horizon3ai
New version of the #Android banking trojan Octo2 spotted
With enhanced Device Takeover (DTO) capabilities, it can remotely control devices to steal financial data & commit fraud undetected.
Read: https://t.co/n5piGT6JMW
#hacking #cybersecurity
JWT Attack & Tools 🧵
1. Check for sensitive data in the JWT
Check if any user info or other sensitive info is present in the payload section.
2. None algorithm
Change the "alg" value to "none":
{
"alg": "none",
"typ": "JWT"
}
3. Change algorithm from RS256 to HS256
Get the Public key from the Application
Now generate new JWT token.
Use the generated token in the request and try changing payload.
4. Signature not being checked
Switch to JSON Web Token Tab or JOSEPH.
Change the payload section and remove the signature completely, or try changing some characters in the signature.
5. Crack secret key
6. Null kid
Tools -
JWT Tool - https://t.co/YxaFNaNpcV
JWT Editor extension
jwtXploiter - https://t.co/Aua1vTXBf7
Video - https://t.co/u5wjbftWcy by @Farah_Hawaa
#bugbountytip #bugbounty #Pentesting #infosecurity #CyberSecurity #Security
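As an added defensive counterpart to the thread above (this is example code written for this page, not part of the original thread or of any tool it links), the verifier below shows what a server must do so that each listed weakness is closed: the accepted algorithm is pinned server-side instead of being read from the token (items 2 and 3), a missing or altered signature fails a constant-time comparison (item 4), and the kid must match an allowlist (item 6). Only HS256 is implemented, using the standard library; the secret, the key id "k1", and the payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service would load this from a secrets store.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
# Constructed kid allowlist: key id -> secret. Unknown or missing kids are rejected.
KEYS = {"k1": DEMO_SECRET}
# The server decides the algorithm; the token header never does.
EXPECTED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(payload: dict, kid: str = "k1", secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 token the way a legitimate issuer would (constructed helper)."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str):
    """Return the payload dict if the token verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # missing or stripped signature
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None  # rejects "none" and any algorithm switch
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        return None  # null or unknown kid
    expected = hmac.new(KEYS[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload, wrong key or altered signature
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


def demo_checks(payload=None) -> dict:
    """Run the verifier against a valid token and against the malformed shapes the
    thread lists; returns {check name: True if the verifier behaved as expected}."""
    payload = payload or {"sub": "alice", "admin": False}
    good = make_token(payload)
    h, p, s = good.split(".")
    none_hdr = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    tampered = _b64url_encode(b'{"sub":"alice","admin":true}')
    return {
        "valid token accepted": verify_token(good) == payload,
        "alg none, no signature rejected": verify_token(f"{none_hdr}.{tampered}.") is None,
        "alg none, old signature rejected": verify_token(f"{none_hdr}.{tampered}.{s}") is None,
        "tampered payload rejected": verify_token(f"{h}.{tampered}.{s}") is None,
        "stripped signature rejected": verify_token(f"{h}.{p}.") is None,
        "unknown kid rejected": verify_token(make_token(payload, kid="k2")) is None,
        "wrong key rejected": verify_token(make_token(payload, secret=b"other")) is None,
    }


if __name__ == "__main__":
    for name, ok in demo_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```

The design choice worth noting is that the verifier never branches on the token's own "alg": a service that accepts RS256 and also calls a generic verify function with its public key is exactly what item 3 exploits, so the accepted algorithm and key lookup are fixed by server configuration.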
"don't run xz --version to check if you're compromised"
haha, too late
If you have an infected version of liblzma on your system, it's already loaded into EVERY process that depends on libsystemd. systemd's dependency on liblzma *was literally* the attack vector.
The xz backdoor was initially caught by a software engineer at Microsoft. He noticed 500ms lag and thought something was suspicious.
This is the silverback gorilla of nerds. The internet's final boss.
While others are busy with #WRCSafariRally2024 others are busy downgrading xz versions to 5.4.x & below and understanding the overall impact of #cve-2024-3094.
We’re responding to CVE-2024-3094, a reported supply chain compromise affecting XZ Utils versions 5.6.0 and 5.6.1. XZ Utils may be present in Linux distributions. See our additional guidance at https://t.co/KuS3PW5QKO.
This "xz" and "liblzma" backdoor story is increasingly looking like a sophisticated effort to target FOSS supply chains, getting this backdoor into Debian and Kali etc. It's also not the only library the backdoor author has added code to; libarchive and others may have issues.
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
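The posts above make two practical points: the affected XZ Utils versions are 5.6.0 and 5.6.1, and running the possibly backdoored xz binary itself is not a sound way to find out what is installed. As an added example (written for this page, not taken from any of the quoted posts or vendor advisories), the POSIX sh functions below read the liblzma version from package-manager metadata only and classify it. The package names liblzma5 (Debian/Ubuntu) and xz-libs (RPM distributions) are assumed to be the ones a given distribution uses; check your own distribution's naming.

```sh
#!/bin/sh
# Classify an XZ Utils / liblzma version string against the range named in the
# advisory (5.6.0 and 5.6.1). Prints "yes" or "no".
is_affected_xz_version() {
    v=${1#*:}      # drop a package epoch such as "1:"
    v=${v%%-*}     # drop a distro revision such as "-1" or "-1ubuntu1"
    case "$v" in
        5.6.0|5.6.1) echo yes ;;
        *) echo no ;;
    esac
}

# Read the installed liblzma version from package metadata, without executing
# the xz binary. Prints the version string, or "unknown" if no package database
# answers. Package names are assumed: liblzma5 (dpkg) and xz-libs (rpm).
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null) && { echo "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null) && { echo "$v"; return 0; }
    fi
    echo unknown
}

# Report on this host; returns 0 when the installed version is not in the affected range.
check_host() {
    ver=$(installed_xz_version)
    if [ "$ver" = unknown ]; then
        echo "liblzma: version unknown (no dpkg/rpm metadata found)"
        return 2
    fi
    if [ "$(is_affected_xz_version "$ver")" = yes ]; then
        echo "liblzma $ver: affected version, follow your distribution's guidance"
        return 1
    fi
    echo "liblzma $ver: not in the affected range"
    return 0
}
```

Usage is simply `check_host` after sourcing the file. Because the match is exact, a distribution package that reverted to an older upstream under a version string like "5.6.1+really5.4.x-1" is reported as not affected, which is the correct reading of such a string; the function deliberately reports nothing about the binary's behaviour, only what the package database records.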
Hello, we would like to remind all of you that security research, malware development, reverse engineering, and exploit development is not the result of a singular individual or entity. We all collectively learn.
Bernard of Chartres, twelfth-century French Neo-Platonist philosopher and scholar, coined a famous phrase which was later used by Isaac Newton – which we believe accurately describes this field of work.
Isaac Newton wrote his rival, Robert Hooke, in 1675. In the letter he penned: "if I have seen further [than others], it is by standing on the shoulders of giants."
This is a metaphor which means "using the understanding gained by major thinkers who have gone before in order to make intellectual progress" or simply put "discovering truth by building on previous discoveries".
Thank you to everyone who succeeds and releases new research or papers. It inspires us to learn more, evolve, and presents us the opportunity to discover new things ourselves.
"nani gigantum humeris insidentes" – "standing on the shoulders of giants"
Lockbit ransomware group administrative staff have released a lengthy response to the FBI and bystanders.
In summary: they claim they failed to keep their systems up-to-date because they had become 'lazy', and they had become complacent. They believe they were compromised by CVE-2023-3824, but are not totally sure. They also speculate it could have been a 0day exploit. They also speculate other RaaS groups (their competitors) may have been compromised.
They also speculate the reason why the FBI took such aggressive action was because a recent ransomware attack performed by one of their affiliates had sensitive information on former President Donald J. Trump. They state they believe their affiliates should target government entities more often to illustrate government vulnerabilities and flaws.
It is an incredibly long read with lots of speculation and attempts to discredit law enforcement agencies.
You can read the full post here:
https://t.co/wP4CCfiD7N
New critical vulnerability #CVE-2023-20198 affecting Cisco IOS XE devices when Web UI is enabled.
⚠ CVSS: 10
❌ Fixes: not available
Related to the attack:
5.149.249[.]74
154.53.56[.]231
Cisco provided some way to check if the system might be compromised 1/2
Updated TokenDump to get uncovered token information.
Now TokenDump can retrieve information about AppContainer, Security Attributes, TokenFlags and Restricted Groups.
https://t.co/zMibsXWns7
Germany's BfV warns of ongoing cyber attacks by Charming Kitten, targeting Iranians in Germany. The attacks began in late 2022, targeting dissident groups, lawyers, journalists, and activists in Iran and abroad.
Read details: https://t.co/0GeT0IiSbp
#cybersecurity #technology
We've lost a true pioneer of the digital world, Kevin Mitnick. His ingenuity challenged systems, incited dialogues, and pushed boundaries in cybersecurity. He will remain a testament to the uncharted power of curiosity. #RIPKevinMitnick