VayFul Security Issue - August 20 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Windows Zero-Day Vulnerability Exploited by the Lazarus APT Group - Gen Digital's security team has identified and reported a critical zero-day vulnerability (CVE-2024-38193) affecting Windows users. This elevation-of-privilege flaw in the Windows Ancillary Function Driver for WinSock, exploited by the Lazarus APT group, could allow unauthorized access to user systems. #0-day #windows #APT
10,000 WordPress Sites Arbitrary File Read and Delete Vulnerability in InPost PL and InPost Plugins - This "Arbitrary File Read and Delete" vulnerability allows attackers to access and delete sensitive files, including the core WordPress configuration (wp-config.php), potentially granting them complete control of the website. #wordpress #vulnerabilities
iVerify Discovers Serious Android Vulnerability Impacting Millions of Pixel Devices - Security firm iVerify has uncovered a critical vulnerability impacting millions of Pixel devices worldwide. The vulnerability, present in an app package called "Showcase.apk," grants excessive system privileges to attackers. This could allow them to remotely execute code, install malicious apps, and potentially steal sensitive user data. #google #pixel #vulnerability
ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifact - The Unit 42 research team raises concerns about security vulnerabilities in GitHub repositories. The report highlights the potential for access tokens to be inadvertently leaked through misconfigured artifact files. These tokens, used for authentication with cloud services and GitHub itself, could be exploited by attackers to compromise repositories and steal data. #github #hacking
The Curious Case of QUEENCREEK: Malware Mimics Complex Techniques to Confuse Security Tools - Mobeigi's security blog delves into the "Curious Case of QUEENCREEK," a malicious program that employs unusual tactics to evade detection. QUEENCREEK leverages a chain of scripts - VBScript, batch file, and executable - mimicking techniques often associated with sophisticated malware. #VBScript #malware
🔥 INTERESTING WRITEUPS
Authentication Bypass with usage of PreSignedURL - [2000$ Bounty]
http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attack - [3495$ Bounty]
📝 BLOGS & ARTICLES
AI Systems Security: Tools for Preventing Prompt Injection - The author emphasizes the importance of safeguarding AI systems from vulnerabilities and attacks, and explores a range of essential tools available to enhance AI security, including vulnerability scanners, threat detection models, and explainability techniques. #AI #attacks #prevention
Announcing New Default Simplifies Security Policies - Socket, a popular security scanning platform, just announced new default security policies aimed at reducing alert fatigue for users. These customizable policies offer three options: "Low Noise" (traditional SCA), "Default," and "Higher Noise." #security #policies #sca
PyPI's Safety and Security Engineer Reflects on a Year of Progress - The blog post, published on the official PyPI blog, highlights key achievements in enhancing security and user safety on the Python Package Index (PyPI). Fiedler details his work on improving package analysis, collaborating with the open-source community, and promoting responsible development practices within the Python ecosystem. #PyPI #security #improvements
Security Issues in Matrix’s Olm Library - Security researcher Soatok raises concerns about vulnerabilities in the Olm library, a core component of the Matrix messaging platform's encryption. The post details flaws that could theoretically allow attackers to recover cryptographic keys. #crypto #aes #encryption #vulnerabilities
🛠️ TOOLS
Kdbx - A secure hole for your passwords (Keepass CLI). #cli #password
SurfSense - A Knowledge Graph 🧠 Brain 🧠 for World Wide Web Surfers. Never forget anything you see on the Internet. #AI #websurf #graph #snapshots
Anteon - Anteon (formerly Ddosify) - Effortless Kubernetes Monitoring and Performance Testing. Available on CLI, Self-Hosted, and Cloud. #Kubernetes #monitoring
Osint_stuff_tool_collection - A collection of several hundred online tools for OSINT. #osint #tools
🧠 TUTORIALS & SKILL-BUILDING
The AI Bubble: Will It Burst, and What Comes After? - Gary Marcus criticized current large language models (LLMs) and generative AI for their unreliability, tendency to hallucinate, and inability to truly understand concepts. #AI #LLM #criticism
How I cracked an impossible DEFCON challenge - The Music Box puzzle for Goldbug was insane. Huge shoutout to crypto village for the work on these puzzles. #defcon #village #challenge
Will We Survive the Transitive Vulnerability Locusts? Exploring Supply Chain Attacks - This BH-USA'24 presentation discusses transitive vulnerabilities as the type of security issue developers hate most, and for good reason: transitive dependencies are the most common source of vulnerabilities in software projects. Yet only a tiny number of them are actually exploitable. #transitive #dependencies #security
Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth - This BH-USA'24 talk by Thijs Alkemade and Khaled Nassar explores a novel hacking technique targeting electric vehicle (EV) chargers. #BLE #ev-charger #hacking
🎁 MISCELLANEOUS
Raspberry Pi Security Camera Module Setup - The article explores various applications of the RPi Camera, from capturing images and videos to creating time-lapses and implementing computer vision projects. #Pi #security #camera
"Reverse Turing Test" Text based AI Game - "Reverse Turing Test" challenges you to flip the script on classic AI evaluations. Instead of evaluating a machine's ability to seem human, you'll take the reins and try to convince an AI that you're not a human. #AI #ML #game
How to Interview and Hire ML/AI Engineers - Eugene Yan, a seasoned writer and interviewer, shares valuable tips for acing your next ML/AI interview. #AI #ML #interview #hiring
Decentralized and Verifiable Cloud Service on Ethereum Blockchain - A research paper published on Ethereum Research explores the potential of blockchain technology in creating secure and verifiable cloud services. The paper proposes a system where service providers leverage Ethereum smart contracts to deliver on-demand computing resources. #ethereum #blockchain #cloud
🎯 QUOTE OF THE DAY
“For every minute you are angry, you lose sixty seconds of happiness.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team