
#Hetty: #OpenSource #HTTP toolkit for security research
https://www.helpnetsecurity.com/2025/03/10/hetty-open-source-http-toolkit-security-research/

Alright, Go developers, listen up!
So, for goodness sake, pay super close attention to the names of your modules! One little typo and bam! You've got yourself a nasty infection. As a pentester, I see this kind of thing all the time, sadly. Tiny mistakes, HUGE consequences. This malware then installs a backdoor. Totally not cool, right?
Therefore, check your imports, folks! And make sure you're getting your devs trained up on security. Automated scans? Nice to have, sure, but they're absolutely no substitute for a manual pentest! What are your go-to tools for fighting this kind of attack? Oh, and yeah, IT security *has* to be in the budget, that's just the way it is.
Our latest paper is on arXiv: ARACNE: An LLM-Based Autonomous Shell Pentesting Agent
Hey everyone, what's cooking in the open-source universe?
So, there's this Python library pretending to be a music tool (automslc), but get this – it's actually illegally downloading songs from Deezer! And the worst part? It turns your computer into an accomplice in a huge music piracy operation. Seriously, a digital pirate cove.
And then there's this npm saga with @ton-wallet/create... Crypto wallet emptied, just like that!
The moral of the story? Open source rocks, but blindly trusting everything is a recipe for disaster. Always double-check those dependencies! Automated scans are cool, but a real penetration test? That's pure gold.
Clients are always so appreciative when we can spot and fix this kind of stuff beforehand!
Now, I'm curious: What are your go-to methods for keeping your codebase squeaky clean and secure? Any tips or tricks you'd like to share?
Hackers Call Current #AI Security Testing 'Bullshit'
https://it.slashdot.org/story/25/02/11/191240/hackers-call-current-ai-security-testing-bullshit
True Story, bruh:
Back in the 90's people would go on about how superior emacs is as an editor. And some cheerleaders would hound me about why I "still" used (and still do today) vi... vim actually. Even for doing things like Usenet news, and the email client. Joe was in a lot of email readers, which is pretty much slobberproof, BUT...
My answer was and still is simple. I hack and break things for a living. I've never seen emacs installed on a bridge, router, or frankly any other network device. Hell, when the web came around, emacs was only rarely on those servers, either. But ed and vi are (were?) on pretty much all of them.
So that's what I learned. And my personal ecosystem and workflow is all about vi(m) and nothing about emacs.
Even though I'm a Lisp cheerleader, lol.
Do I hate emacs? No, but I do very much dislike the overpowering smell of religion that seems to permeate its very existence, like those dirty air lines fuming from the Peanuts character Pigpen.
Some call me a space cowboy. Some call me a gangsta of #Lisp
Also why am I pentesting today?!
I should have never looked for this in the first place.
It was because my mom was watching The Price is Right and I got bored but still wanted to be next to my mom and I got a hunch and pulled out my laptop and sat next to my mom while she watched Drew Carey and we just parallel played for a bit and then I found it!!!! And I told my mom about it! She said "That's nice dear but I'm watching my shows" and I think that technically violated my NDAs but she wasn't really listening so a tree in the forest and all of that. Anyhoo.... not sure what to do with this finding...
Soooooo I found a massive vulnerability today, the day before Thanksgiving.
Buuuuuuut it looks like it's existed for a couple of years.
So, should I report it RIGHT NOW!!!! The day before Thanksgiving? Or wait until next week.
On one hand, they'll have to react to it as it's huge. And it could interrupt their time with family and a major holiday.
On the other hand, it's been around for so long, what's another couple of days going to change anything?
On the third hand, if this gets exploited over the holiday weekend, it's on me and could affect even more people.
Hmmmmmmm.... choices choices.
Wireless Penetration Testing Tools
https://meetups.infosec.exchange/events/eff4ac94-c888-4cb6-8276-6c1caa196bf5
I’ll stick with my Devious Decoder Card (from @deviantollam) but this is still cool and better than nothing, something else to try besides taking a picture of the key and trying to decode with a line/depth overlay.
Kwikset as shown in the video is pretty easy to almost sight read anyway but I wonder if the Flipper app would be harder to use with finer depth increments like Schlage or Best SFIC.
Still cool to think they could add many more key depths over time though.
https://www.youtube.com/watch?v=RPrd-S5Cmxo #FlipperZero #locksport #locksmith #keys #pentesting
Open-source Packet Sniffers
El lado del mal - How to create a process dump on GNU/Linux and search for information "leaks" https://elladodelmal.com/2024/09/como-crear-un-volcado-de-procesos-en.html #Linux #Forensics #KaliLinux #pentest #pentesting
Just finished up another fun SE/physical onsite pentest.
Physical security at this location was TIGHT. Some of the best I've ever seen. iClass SEOS with Elite Keys; downgrade disabled, Mantrap-style turnstiles with reverse-tailgate detection, ADA doors require manual unlock from security (Is that even legal?)
ESPKey was basically my only shot at a technical/physical bypass. I couldn't get them to agree to let me try it, but I honestly wouldn't be surprised if they were actually using OSDP.
So I showed up carrying a cardboard box and security just buzzed me in.
FXBG Hackers - 0x1A - Oct 2nd 2024 @ 7pm
October 2, 2024, 7:00:00 PM EDT - GMT-4 - Red Dragon Brewery, 22401, Fredericksburg, United States
https://meetups.infosec.exchange/events/95baa898-87c5-417f-a170-1c72a1e03af1
10 Ways To Detect Phishing Emails