pouet.chapril.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Chapril https://www.chapril.org is a project of April https://www.april.org


#pentest

2 posts, 2 participants, 0 posts today

Whoa, just checked out the latest GitGuardian report. It's wild how many secrets popped up *again*! 😳 We're talking millions of credentials just floating around out there.

And here's the kicker: it's not *only* about human slip-ups anymore. You've got more and more 'Non-Human Identities' (NHIs) – think bots, scripts, AI agents – churning out secrets too. And honestly? Those NHI secrets often get way less attention than the ones people handle.

As a pentester, I bump into this constantly. Find an old, forgotten API key lying around, and *boom* – system's compromised. 🤦‍♂️ Yeah, automated scans are definitely helpful, but nothing beats having solid secrets management in place. It's absolutely crucial.

So, how's everyone else keeping their secrets locked down? Got any killer best practices to share?
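One of the best practices the post asks about is catching secrets before they reach a repository or a ticket. The following is an added example written for this page (it is not GitGuardian's tool and not code from the original post): a minimal scanner that combines regex rules for well-known token shapes with a Shannon-entropy check on credential-looking assignments. The rule names, the entropy threshold and every sample value are constructed for the demo; the AWS and GitHub token shapes are the publicly documented prefixes.

```python
"""Minimal secrets scanner: regex rules for well-known token shapes plus a
Shannon-entropy check for generic high-entropy credential assignments.
Added example for this page; every sample value below is invented."""
import math
import re
from collections import Counter

# Rule name -> compiled pattern. The shapes are public format facts: AWS access
# key IDs begin with AKIA and are 20 characters; GitHub classic PATs begin ghp_.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Generic "name = value" assignment whose name suggests a credential; the value
# is then judged by entropy so that ordinary config strings are not flagged.
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)\w*\s*[:=]\s*['"]?([A-Za-z0-9+/=_-]{16,})['"]?"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned for hex/base64-looking values


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (rule, redacted_match) pairs for one line of text."""
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(line):
            findings.append((rule, redact(m.group(0))))
    if not findings:  # fall back to the generic entropy heuristic only if no exact rule hit
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_assignment", redact(m.group(1))))
    return findings


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Scan multi-line text; return (line_number, rule, redacted_match) triples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, shown in scan_line(line):
            results.append((lineno, rule, shown))
    return results


# Constructed sample input: every value is invented for this example.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAQWERTYUIOPASDFGH
db_password = "correct horse"
BOT_TOKEN = 'ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5'
api_key = "9f3c2b7e8d1a4c6b5e0f7a2d9c8b1e3f"
log_level = "DEBUG"
"""

if __name__ == "__main__":
    for lineno, rule, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {shown}")
```

Note that the low-entropy `db_password` line is deliberately not flagged: the entropy heuristic trades recall on human-chosen passwords for fewer false positives on ordinary strings, which is exactly why exact-shape rules for machine-generated (NHI) tokens come first.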

Heads-up from CERT-UA: they're flagging Excel phishing campaigns targeting Ukraine right now. Honestly, it's a pretty classic tactic we've seen before, right?

Still, reverse shells and data theft are absolutely no joke. This whole situation really takes me back to my pentesting days – it always hammers home that user awareness is crucial. More often than not, those sneaky macros are the exact gateway attackers use to get in.

So, how are you all keeping your users safe on your end? Are you leaning more on specific tools, or is it all about the training? Curious to hear your strategies!

AI Security & Compliance - whew, that's a tough one, right? 🤯

No doubt, AI can seriously level up security efforts. But then there's that whole GRC (Governance, Risk, Compliance) headache... Sound familiar?

Picture this: Your client's hyped about deploying a new AI-powered firewall, but then Legal and Data Protection slam on the brakes. Classic scenario! It really is a tricky balancing act.

Honestly, AI isn't just an 'install and forget' kind of deal. You've *gotta* stay proactive and really bake security in right from the beginning – thinking 'security by design' is crucial. Otherwise, you get stuck in that frustrating loop: no budget means skimping on security, but weak security makes getting that budget approved way harder... 🤦

So, let's talk real challenges. What are *your* biggest pain points when dealing with AI security? Spill the beans below! 👇

New Open-Source Tool Spotlight 🚨🚨🚨

CrackMapExec is a post-exploitation tool for penetration testers. It automates tasks like credential validation, lateral movement, and Active Directory enumeration on Windows environments. Built on Python, it supports SMB, WinRM, and other protocols. Extremely useful for red team assessments. #CyberSecurity #PenTest

🔗 Project link on #GitHub 👉 github.com/byt3bl33d3r/CrackMa

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

Hey everyone, does this sound familiar? You install a Python package and suddenly feel like you've been robbed blind? 😂

Right now, there's a nasty campaign going on targeting PyPI, and it's misusing "time" utilities to swipe cloud credentials. Get this – it's already had over 14,000 downloads! The malware hides in packages that are *supposed* to just check the time. But instead, they're snatching cloud keys (AWS, Azure, the works) and sending them straight to the bad guys.

Honestly, it reminds me of a pentest we did where we *almost* missed a similar camouflage trick. Seriously creepy! So, heads up: Double-check your dependencies, run those scans, review your cloud configurations, and above all, be suspicious! And hey, just a friendly reminder: automated scans are no substitute for a manual pentest!

Have you run into anything similar? What tools are you using to beef up your security? Let's chat about it!
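A concrete form of "double-check your dependencies" is a policy check on the requirements file before anything is installed. The block below is an added example for this page, not code from the post or from any analysis of the campaign it mentions: it flags unpinned lines, packages outside a constructed allowlist, and names within a small edit distance of a well-known package (the typosquat pattern that "time utility" lookalikes rely on). The allowlist, the popular-package shortlist and every package name in the sample requirements are made up for the demo.

```python
"""Dependency policy check for a requirements.txt: unpinned lines, packages
outside an approved allowlist, and likely typosquats of well-known names.
Added example for this page; the lists and sample names are constructed."""
import re

# Constructed allowlist of packages the team has reviewed (not a real policy file).
APPROVED = {"requests", "boto3", "python-dateutil", "pytz"}
# Popular names a typosquat would imitate; a constructed shortlist, not PyPI's top list.
POPULAR = {"requests", "boto3", "python-dateutil", "pytz", "urllib3", "numpy"}

# name, optionally followed by an exact "==" pin (other specifiers count as unpinned)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;#]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a popular name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_requirement(line: str) -> list[str]:
    """Return policy findings for one requirements line (empty list means clean)."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):  # blank, comment-only, or an option like -r
        return []
    m = REQ_LINE.match(stripped)
    if not m:
        return [f"unparseable: {stripped!r}"]
    name = normalize(m.group(1))
    findings = []
    if m.group(3) is None:
        findings.append(f"{name}: not pinned with ==")
    if name not in APPROVED:
        findings.append(f"{name}: not in approved allowlist")
        # Only unknown names get the typosquat check; approved names are the real packages.
        for pop in sorted(POPULAR):
            d = levenshtein(name, pop)
            if 0 < d <= 2:
                findings.append(f"{name}: looks like typosquat of {pop} (edit distance {d})")
    return findings


def check_requirements(text: str) -> dict[str, list[str]]:
    """Run check_requirement over every line; map stripped line -> findings (clean lines omitted)."""
    report = {}
    for line in text.splitlines():
        findings = check_requirement(line)
        if findings:
            report[line.strip()] = findings
    return report


# Constructed requirements file for the demo; the non-approved names are invented.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
boto3  # pulled in for S3 uploads
reqeusts==2.31.0
python-dateutils==2.9.0
pytz-time-check==0.9.1
"""

if __name__ == "__main__":
    for line, findings in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(line)
        for f in findings:
            print("  -", f)
```

The allowlist is what catches the "time check" style package in the sample: it is not close enough to any popular name to trip the edit-distance rule, so a review-before-approve policy is the control that actually blocks it, while the typosquat rule is there for the classic one-letter-off cases.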

Attack graphs, cool stuff, right? 😎 They basically map out potential attack pathways into your network. Think of it as an interactive GPS, but for cyber attackers navigating your system.

A lot of folks figure a simple pentest is enough... Wrong! Attack graphs are way more dynamic. They show you the possible attack paths *before* an incident even happens. It’s preventative pentesting, essentially. 🤓

Here's a crucial point: don't *just* look at CVSS scores! Attack graphs reveal which vulnerabilities are truly dangerous *because* they can be chained together. *That's* where the real value lies! 🔥

So, are you already leveraging attack graphs? Or are you sticking with more traditional vulnerability scans? 🤔
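To make the "chaining beats CVSS" point concrete, here is an added example that is not part of the post: a toy attack graph over a constructed environment. It enumerates the simple paths from an internet-facing node to a crown-jewel host, ranks every vulnerability by how many of those paths it participates in, and estimates which single remediation removes the most paths. Host names, vulnerability ids, descriptions and CVSS values are all invented for the demo.

```python
"""Toy attack graph: rank vulnerabilities by the attack paths they enable,
not by CVSS alone. Added example for this page; the environment is invented."""
from collections import defaultdict

# Directed edges: an attacker controlling `src` can reach `dst` by exploiting
# `vuln` (constructed id, CVSS score and description; none is a real CVE).
EDGES = [
    ("internet", "web01", "VULN-A", 6.5, "SSRF in public web app"),
    ("internet", "vpn", "VULN-B", 7.5, "weak VPN credentials"),
    ("web01", "app01", "VULN-C", 5.3, "reused service account"),
    ("vpn", "app01", "VULN-D", 9.8, "unpatched RCE on app server"),
    ("app01", "dc01", "VULN-E", 8.1, "Kerberos delegation misconfiguration"),
    ("web01", "fileshare", "VULN-F", 5.0, "anonymous SMB share"),
    ("fileshare", "dc01", "VULN-G", 7.2, "admin credentials stored in share"),
    ("lab-vm", "printer", "VULN-H", 9.8, "default password on printer"),  # critical score, dead end
]


def build_graph(edges):
    """Adjacency list: src -> [(dst, vuln_id)]."""
    graph = defaultdict(list)
    for src, dst, vuln, _score, _desc in edges:
        graph[src].append((dst, vuln))
    return graph


def attack_paths(graph, source, target):
    """All simple paths source -> target, each as the ordered list of vulns exploited."""
    paths = []

    def dfs(node, visited, chain):
        if node == target:
            paths.append(list(chain))
            return
        for dst, vuln in graph.get(node, []):
            if dst in visited:  # never revisit a host: keeps paths simple and terminates on cycles
                continue
            visited.add(dst)
            chain.append(vuln)
            dfs(dst, visited, chain)
            chain.pop()
            visited.discard(dst)

    dfs(source, {source}, [])
    return paths


def rank_by_chaining(edges, source, target):
    """(vuln, number_of_paths_it_is_on, cvss), sorted by path count then CVSS, descending."""
    paths = attack_paths(build_graph(edges), source, target)
    on_paths = defaultdict(int)
    for path in paths:
        for vuln in set(path):
            on_paths[vuln] += 1
    cvss = {vuln: score for _s, _d, vuln, score, _desc in edges}
    return sorted(((v, on_paths[v], cvss[v]) for v in cvss), key=lambda r: (-r[1], -r[2], r[0]))


def paths_remaining_if_fixed(edges, vuln_to_fix, source, target):
    """How many attack paths survive if one vulnerability is remediated (its edges removed)."""
    remaining = [e for e in edges if e[2] != vuln_to_fix]
    return len(attack_paths(build_graph(remaining), source, target))


def best_single_fix(edges, source, target):
    """Vulnerability whose remediation leaves the fewest attack paths (ties broken by id)."""
    vulns = sorted({e[2] for e in edges})
    return min(vulns, key=lambda v: (paths_remaining_if_fixed(edges, v, source, target), v))


if __name__ == "__main__":
    for path in attack_paths(build_graph(EDGES), "internet", "dc01"):
        print(" -> ".join(path))
    for vuln, count, score in rank_by_chaining(EDGES, "internet", "dc01"):
        print(f"{vuln}: on {count} path(s), CVSS {score}")
    print("best single fix:", best_single_fix(EDGES, "internet", "dc01"))
```

In this constructed environment the two 9.8-scored findings end up near the bottom of the remediation order (VULN-H reaches nothing of value, VULN-D is on one path), while the 6.5-scored SSRF is the single fix that cuts the most paths to the domain controller. That is the gap between a CVSS-sorted scan report and an attack graph.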

Hey Android folks, listen up! 👀 Google just dropped a crucial security update that you seriously need to check out. It might just be relevant to your phone. Word on the street is, two of the patched vulnerabilities are already being exploited in the wild. Crazy, right? 😬

This reminds me of those chats I have with clients: "So, Android's secure, yeah?" Well... Privilege Escalation basically means an attacker can snag more permissions on your device. In short: hackers can potentially grab your data! 😱

They've squashed a whopping 44 vulnerabilities in this March update. CVE-2024-43093 & CVE-2024-50302 are seriously critical. Apparently, CVE-2024-50302 was even leveraged by Cellebrite to get into an activist's phone. Wild stuff! 😳

Go ahead and check your Android version and smash that update button ASAP (look for 2025-03-01 or 2025-03-05)! Also, be extra careful with apps from sources you don't know. Regular security checks are a must, even on your smartphone.

Have you already installed the update? Any thoughts or experiences with Android security? 🤔

The material for Monday's workshop at PROSA has been updated a bit.

A DDoS simulation where we gather around some network equipment and learn to send network packets, MANY MANY network packets

github.com/kramse/security-cou

As always, the material may be shared and copied, and I usually run the same workshop at BornHack, so maybe you should put it in your calendar

GitHub: security-courses/presentations/pentest/simulated-ddos-workshop at master · kramse/security-courses. Various courses, presentations etc. Contribute to kramse/security-courses development by creating an account on GitHub.
#ddos #pentest #workshop

While refitting my workshop/shed I'm going to fit a microswitch behind the strike plate (mortice lock - something similar to the eshop.assaabloyopeningsolution ) to feed into #homeassistant.
Q for @deviantollam / #pentest people tho - what % of places you enter 1) actually have this kinda monitoring in place 2) use / observe / log it?

I suspect _very_ small numbers, esp for 2

eshop.assaabloyopeningsolutions.nz: MICROSWITCH KEEP, Abloy Micro Switch. Microswitch keep for monitoring a mortice deadbolt.

We're hyped to announce our first snapshot of february! SecBSD 1.6! Synced with #OpenBSD -current

This is the result of the hard work of our team and the amazing contributions from the open-source community.

MIRRORS:
mirror.secbsd.org/pub/SecBSD/s
mirror.laylo.nl/pub/SecBSD/sna
zqsjg25lnx7zratmne3dhbcqt5paeh

SECBSD MEMBERS:
@h3artbl33d
@Banshee
@dw
@bsdbandit
Purple Rain

SPONSORS:
@laylo
@OpenBSDAms

I think our security auditor loves us. We ask for the audit several months ahead (it looks like it's not a habit; the general case is more "we need it for yesterday").
And they have access to the whole code (which is open source), and to a lab with full access to everything.
The qualification call was 3'30" :)