VayFul Security - July 30 2024

Hi all!

Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…

📰 SECURITY BYTES

Microsoft technical breakdown of CrowdStrike incident- Microsoft Unveils Best Practices for Integrating Security Tools on Windows -  The article from Microsoft discusses best practices for integrating and managing security tools within Windows environments. It emphasizes the importance of a layered security approach, the integration of security tools for enhanced protection, and the need for continuous monitoring and updating of security measures. #crowdstrike #outage #incident

CrowdStrike Disruption Costs Fortune 500 total $5.4 Billions - A new report by Parametrix sheds light on the significant financial impact of the recent CrowdStrike outage on Fortune 500 companies. The analysis estimates total direct financial losses reaching $5.4 billion, with an average of $44 million per affected company. #crowdstrike #outage #financial #loss

Global Reconnaissance Campaign Exploits Critical ServiceNow Vulnerabilities (CVE-2024-4879 & CVE-2024-5217) - Researchers from Resecurity have uncovered a global campaign exploiting critical vulnerabilities (CVE-2024-4879 and CVE-2024-5217) in ServiceNow, a widely used business platform. These vulnerabilities allow attackers to remotely execute malicious code and potentially access sensitive data. #recon #rce 

Secure Boot Flaw Exposes Hundreds of Devices: "PKFail" Undermines Security in the UEFI Ecosystem - A critical security flaw dubbed "PKFail'' has been discovered by the Binarly Research Team. This vulnerability affects hundreds of devices in the UEFI (Unified Extensible Firmware Interface) ecosystem and compromises the effectiveness of Secure Boot, a key security feature. #secure #boot #os #flaw

🔥 INTERESTING WRITEUPS

Improper Access Control + Financial fraud allows attacker to disclose + add arbitrary products to another's user's order -  [3900$ Bounty] 

Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the - [1666$ Bounty]

📝 BLOGS & ARTICLES

Secrets in Source Code Are Not A Code Security Problem:Leaked Secrets Need IAM Fixes - Truffle security blog argues that leaked API keys and other secrets are not primarily a code security problem. Instead, they highlight Identity and Access Management (IAM) as the solution. Blog suggests that fixing leaked credentials involves resetting them within the relevant IAM platform, not revising the code itself. #secrets-management #appsec

Why the Bitcoin Security Model Is Broken:A Deep Dive into its Decentralized Strength - Dan Held founder of Radix delves into the unique security model that underpins Bitcoin. It argues that Bitcoin's security stems not from centralized control, but rather from its decentralized design. The piece explores key factors like proof-of-work, economic incentives, and the absence of a single point of failure. #bitcoin #security

How to review code effectively: A GitHub staff engineer’s philosophy - A GitHub staff engineer shares their philosophy, outlining key practices and strategies to elevate the code review process.The focus is on fostering collaboration, identifying potential issues, and ultimately enhancing code quality. #code #review

The Linux Kernel Module Programming Guide - This free resource, maintained by sysprog21, keeps pace with the ever-evolving kernel, offering guidance on developing modules that work seamlessly with recent 5.x and 6.x kernel versions. #linux #kernel #programming

🛠️TOOLS

Unleashed-firmware - Flipper Zero Unleashed Firmware. #flipper #zero #jailbreak

Openshield - OpenShield is a firewall designed for AI models. #firewall #AI 

Managarm - Pragmatic microkernel-based OS with fully asynchronous I/O. #kernel #os

🧠 TUTORIALS & SKILL-BUILDING

A Free, Comprehensive Reverse EngineeringTutorials For Everyone - The tutorial covers various architectures, including x86, x64, ARM 32-bit, and 64-bit, providing a well-rounded foundation in this critical cybersecurity skill. #security #reverse #engineering 

How to Crack Software (Reverse Engineering) - In this video I showcase techniques for cracking different types of CrackME, which are educational reverse engineering puzzles designed to teach reverse engineering skills. #reverse #engg #crackMe

DSPy Explained! - A video explains the new framework DSPy. It is a super exciting new framework for developing LLM programs! Pioneered by frameworks such as LangChain and LlamaIndex, we can build much more powerful systems by chaining together LLM calls! #LLM #AI #framework

🎁 MISCELLANEOUS

GPT4All -  Chat with Local LLMs on Any Device GPT4All runs large language models (LLMs) privately on everyday desktops & laptops. No API calls or GPUs required. #LLM #chatgpt 

AI crawlers need to be more respectful - Blog post highlights the excessive data downloads and disregard for basic anti-abuse protocols by these crawlers. This behaviour disrupts normal operations and incurs significant costs. The article emphasizes the need for AI developers to implement respectful crawling practices that consider rate limiting and proper user-agent identification. #AI #rate-limit

AI-Driven Test-Driven Development - This article explores the emerging concept of AI-assisted Test-Driven Development (TDD). ILUSTR dives into the potential of AI to automate certain aspects of unit test creation, potentially streamlining the development process. #AI #software #testing #TDD

🎯 QUOTE OF THE DAY

⭐ HOW DID WE DO?

Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.

That’s a wrap!

Thank you for reading,
VayFul Team