woodspeed (@wucpi)'s Twitter Profile
2019 Jenkins Security MVP |
CAWASP, CARTP, CRT, OSCP, eWPT, eWPTX, eMAPT |
Views and opinions are my own.

ID: 334253995

Link: http://www.blackwombat.com

Date: 12-07-2011 20:20:18

10,10K Tweets

423 Followers

944 Following

DefCamp (@defcampro)

At #DefCamp 2024, you’ll dive into the world of Azure Policy with 🎙 Viktor Gazdag and discover how it can be tweaked to create a backdoor in the cloud. Sounds awesome, right? Grab your ticket today 👉 def.camp/tickets/

/r/netsec (@_r_netsec)

I wrote a password spraying tool to use against M365 accounts which relies on the error messaging from Microsoft to gather additional details against a target. github.com/TheresAFewCono…

Clint Gibler (@clintgibler)

🛡️ Mitigating Attack Vectors in GitHub Workflows
Covers:
- Running untrusted code in privileged workflows
- Code injections
- Vulnerable Actions
- Malicious releases
- Tag-Renaming attacks
- Imposter commits
- Unsafe use of caches
By OpenSSF openssf.org/blog/2024/08/1…

DEF CON (@defcon)

The #defcon32 presentations are now live and available for your perusal on the #DEFCON media server, free of all commercials, data capture and pesky algorithms. We suggest clearing some disk space and personal time this weekend to snatch up some of the many, many jewels our

Clint Gibler (@clintgibler)

🛠️ zizmor A tool for finding security issues in GitHub Actions CI/CD setups Detects template injections, impostor commits, credential leaks, etc. See src/audit for the check implementations. By Trail of Bits' @8x5clPW2 github.com/woodruffw/zizm…

Clint Gibler (@clintgibler)

⛓️ Attestations: A new generation of signatures on PyPI Overview of PyPI's new index-hosted digital attestations, which is enabled by default for packages published to PyPI using Trusted Publishing, automatically providing build provenance By Trail of Bits

DefCamp (@defcampro)

Imagine turning a cloud security tool into a weapon—Viktor Gazdag is currently revealing how Azure Policy, which organizations typically use to enforce compliance, can be twisted to create backdoors in cloud environments.

Rami McCarthy (@ramimacisabird)

One recent report highlighted that roughly a third of their customers have “at least one cloud workload that is publicly exposed, critically vulnerable and highly privileged.” If you’re this vendor, should I really buy your product? ramimac.me/state-of-cloud…

DefCamp (@defcampro)

Time for a Friday read! 📖 Miss that #DefCamp vibe? Want to relive the best moments? We've got you covered with some epic highlights to take you right back. Dive in and enjoy 👉 def.camp/defcamp-2024-h…

Scott Piper (@0xdabbad00)

I looked at all the AWS OIDC integrations I could find to identify how they might be misconfigured and to understand the variations that different vendors have in how they set these up. wiz.io/blog/avoiding-…

Andy Robbins (@_wald0)

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attack-…

Cloud Village (@cloudvillage_dc)

woodspeed's talk on "Creating Azure Policy Compliant Backdoor" is now released on YouTube! youtu.be/gdMx3g62NkE Subscribe and stay tuned for more videos! Happy Hacking. #CloudSecurity #DefCon32

BSidesBUD 🇭🇺 (@bsidesbud)

📢ANNOUNCEMENT📢⏳2 months to go! BSidesBUD of Security BSides brings top-tier cybersecurity minds to the stage—don’t miss out! 🔥 🎟 Early bird tickets are still up for grabs! Secure your spot! bsidesbud.com #BSidesBUD2025 #Cybersec #Infosec #securityBSides

Ru Campbell (@rucam365)

New video: 1 hour of Conditional Access design deep dive. I always get asked to share Conditional Access templates, so I roped Nate Hutchinson into the first of a few long forms on thinking about robust, scalable, and customizable CA architecture. Watch: youtube.com/watch?v=NSqfUZ…

Cloud Village (@cloudvillage_dc)

The Cloud Village DEF CON 33 schedule is LIVE! ☁ Explore a stacked lineup of comprehensive talks, lightning talks, and tool demos; all focused on real-world cloud security. Line Up: cloud-village.org/dc33#schedule #CloudVillage #DC33 #DEFCON33 #HackerSummerCamp
