.Nimrod Kor's allthetalksconf recording is up! 🥳 Check it out to see the unveiling of AirIAM, our newest open-source project that migrates existing AWS IAM to least-privilege IAM Terraform. youtu.be/nFD0e9BNQRg

We chased an attacker in #AWS and want to share the story. Our blog covers: 🔍 Initial lead w/ #CloudTrail 🕵️ Investigative approach 🤖 Use of orchestration "robots" to respond faster ✅ Steps to improve ☁️ #Mitre ATT&CK Cloud Tactics? 👍 Those too! expel.io/blog/finding-e…

We're excited to release TerraGoat, a vulnerable-by-design training tool for #Terraform! 🐐 📑 Read more about why we built TerraGoat: bridge.dev/2XdwAlz ⭐ Check it out on GitHub: bridge.dev/3bLgOUt

I am just watching a great presentation about security & #WardleyMapping by Mario Platt. My notes are here, feel free to add notion.so/kdaniel/Evolut…

From the 15th-19th of June 2020, we will be bringing the best security minds together to take our participants on a unique experience. All sessions will be recorded, LIVE streamed and shared : ) To register, head over to …en-security-summit-2020.heysummit.com/checkout/selec…

A Red Team Maturity Model redteams.fyi

For 327 days, the impostor site privnotes.com has been stealing traffic/privacy/users from privnote.com, a legit encrypted msg service. Worse: KrebsOnSecurity found privnotes.com also will alter bitcoin addresses in messages. krebsonsecurity.com/2020/06/privno…

🛡️ Sensitive data leakage using .json 🛡️ #cybersecurity #infosec #ethicalhacking #bugbounty #bugbountytips #bugbountytip

Without formal access, a college kid got hold of OpenAI's GPT-3 and created a fake, AI-generated blog under a fake name. Within hours, his first post reached #1 on Hacker News Bot. A case study in how people could (ab)use the model in the future. technologyreview.com/2020/08/14/100…

If you don't embrace absurdity, infosec might not be for you.

Security Budgets - Supply and Demand Thinking Think of budgeting as a supply & demand problem. Work both sides to make it a risk management exercise. It will bring clarity of thought and illustrates to your business that you are thinking commercially. bit.ly/3joAqlp

I'm not that great a chess player, but a pretty good hacker...so after watching The Queen's Gambit I of course put my skills to great use and found a board setup I could give to a chess engine to have it segfault when it tries to search for the next best move... take that

Deep link on mobile app ➡️ Host-relative SSRF ➡️ Account takeover 🦾 (affecting Pinterest) dphoeniixx.com/2020/12/13-2/

Scenario: Your CEO is worried about supply chain security and tells you to implement a program to "stop us from being hit with another SolarWinds." What *specifically* do you do to secure your software supply chain? Please RT for reach. I'm interested in diverse opinions.

IoT device browser doesn't let you enter file:///? Use view-source:file:///. It works 80% of the time, every time

Want to learn about GraphQL hacking? A thread ⬇⬇⬇ (1/10)

🕸️Inside the Ransomware Economy🕸️ Ryuk is the biggest Saas unicorn u've never heard of. $150M ARR. 3 yrs old. Maybe it’s taboo to learn business strategy from a cybergang. But the ransomware industry-- from supply chain operations to market microstructures-- is truly genius. 👇

Breaking RSA with a Quantum Computer dlvr.it/SgKgWk

#GhostSec claims to have conducted the first ever #ransomwwre attack against an RTU - remote terminal unit used in ICS environments. Allan “Ransomware Sommelier🍷” Liska Robert M. Lee #cybersecurity #infosecurity #infosec #cyber

The recent WhatsApp accounts takeover is simple and genius. This is how it works: You're sleeping. A "hacker" tries to login to your account via WhatsApp. You get a text message with a pincode that says "Do not share this". You don't share it, yet you still get hacked. How?