Mateusz Olejarka

Ops I did it again… see you all at @CONFidenceConf 🔥😎🫡

@ljachowicz Fajna książka 👍

Spoiler. Więcej informacji - wkrótce.

🚨The new unauthenticated RCE affecting Aviatrix Controllers (CVE-2024-50603) is the real deal - with a single POST request 🫠 and a super trivial exploit, it takes less than 30 seconds to: 1. Collect all Aviatrix Controllers over the internet 2. Validate exploitability with nuclei template that fetches /etc/passwd 3. Fetch IMDSv2 token 4. Extract AWS Credentials 5. GG If your company uses Aviatrix Controller I'd advise patching immediately & assume compromise since January 7th. Original blog: securing.pl/en/cve-2024-50… @wiz_io exploitation in the wild: wiz.io/blog/wiz-resea… POC for extracting IMDSv2 token & AWS Keys - Stay Safe & until the next one 🫡

🛡️ We added #Aviatrix Controller OS command injection vulnerability CVE-2024-50603 to our Known Exploited Vulnerabilities Catalog. Visit go.dhs.gov/Z3Q & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec

@tonyszko Well, it’s not an investment advice… i.blackhat.com/asia-21/Thursd…

It was easy guess even with a simple, anecdotal poll among users. Knowing enterprise space, you know that (almost) nobody will drop such purchase on a minor hickup. Too much of credits, procurement and compliance at stake. Also … choosing alternative doesn’t address the risk and costs 💰

Uwierzytelnienie użytkownika to sprawa trudna. Ostatnie lata przyniosły nam wysyp i coraz większą adopcję rozwiązań Single Sign On. 🔒 To i dobrze, i źle. Dlaczego? O tym dokładniej opowie Mateusz @molejarka! Jego wykład zobaczycie już 26 listopada 🔜 omhconf.pl

@BlackDuck_SW Are they confident about human-generated code? 🤔

🚨 #BigNews: New Black Duck research finds majority of #DevSecOps teams are not confident about securing AI-Generated code in their latest publication of the "Global State of DevSecOps 2024". Read the full press release here: bit.ly/3zYata7

@prywatnik Imho rozwiązano już dawno 🙃. Programisto pisz bezpiecznie 🤷‍♂️😜

Wreszcie rozwiązano problem bezpieczeństwa webowego.

@nnwakelam Pentest may be dull, but you get stable income, no bad triage experience and no discussion about payout amount, you get money when you tested the scope and it does not matter when you found something or not 😎😜

@nnwakelam I stopped doing bug bounty some time ago. For me personally it was few cases, when 1. I had to wait a long long time for triage 2. I hit P1 but got money as for P2 3. I got silent fix and duplicate/unable to reproduce. 🤷‍♂️

@naugtur Sure, most apps do have an existing session assuming that the phone unlock is enough, some apps require auth anyway, it depends what app you write

@molejarka In most cases if they have your unlocked phone there's sessions there all over the place. I could always add a second factor later 😂

Today's shower thought: Use TOTP tokens (2FA apps) for the first and only factor in authentication. Somebody tell me why it's a bad idea 🫣

@naugtur Assuming a low probability event that someone has your phone unlocked they may log into the app 🧐🤷‍♂️

And the starting secret is sha512(username+supersecret_salt) so my auth is stateless and doesn't need a database or registration 🤣

wait serverless applications run on WHAT??

@ITSecurityguard bcrypt? 2b suggest that, 10 iterations?

anyone? $2b$10$1xzN8GcLBMPi7FuwiS5fX.9vV13g5HiJW4sexWYiaLwJWI.rrTmIC $2b$10$dDyqndGKvy.1LlWIxWH.Z.ZvEQ6EXn.Q.KPhuxtnWaonl7uxB9vWe $2b$10$4Ozc9niyNKc8fAMeX9ITZuR9/NPYdLK7aqisitT/8yKODnCwBh.ma $2b$10$rWm3RrquC8ttmwRQJnW1ieQkuRBgE/O9k9nianIkFiZtreeotMBnO

Ever wondered how experts tackle real-world security issues? 💡 Join us at @CONFidenceConf and bridge the gap between theory and practice!

That’s hard - stopping the #pentest because you have the deadline and not being sure that you did everything and checked everywhere. Detailed scope and checklists help a bit but it’s still hard.

Lol 🤪

Join us at @TyphoonCon in Seoul on May 27-31! @_r3ggi will talk about broken isolation and draining credentials from popular macOS password managers. #typhooncon #itsec #cybersec typhooncon.com/blog/conitems/…

@gynvael @CONFidenceConf Well well well, I got few inspirations, thanks 🙏

@molejarka @CONFidenceConf In that case I believe we share a hobby 😊

Authentication was always hard. Mateusz @molejarka will present recent examples of security problems related to OAuth and OpenID Connect and issues in GCP and Azure. 📣 “CAse study of Recently DIscovered vulNerAbiLities in Single sIgn oN mechaniSms” 🎫 confidence-conference.org

@gynvael @CONFidenceConf I collect old school data storage devices, I can borrow you some…

@CONFidenceConf @molejarka I am officially envious of the photo. I need to schedule a photo shoot...