HACK ISSUE 007: Top 10 web vulns of 2021 voting, gnarliest pentest stories, and Leadership according to Marcus Aurelius
Happy weekend everyone!
One day late this week; the universe didn't want me sending a newsletter yesterday. I got blocked on computer issues and am feeling the effects of my COVID booster shot from Thursday afternoon.
But Onward...
Security tweets and links
There's still time to vote for your favorite top 10 web security vulns of 2021. Help Emile out or choose your favorites from the list.
Peter, aka @p4fg, shared some of his bug bounty stats on time to triage and time to bounty. Peter is a full-time hunter and even teams up with other hackers, sharing resources and collaborating on targets.
How hard can a password manager really be? Love this thread by the head of product over at 1Password.
I had fun reading all the responses to my Twitter post asking hackers for their gnarliest pentest story. Here are a few of my favorites.
I once was contracted to test an elderly panic alarm wearing device. You know the kind that if you fall you can hit a button and EMTs will come. They had a random (not named well) public API and I hit it with Burp. Caused them all to go off and a city-wide elderly panic. 😰
— Jason Haddix (@Jhaddix) January 21, 2022
Escorted onto an army base to test a segment of one of their networks. Two hours in and I had compromised everything, but during that time I could see tanks being brought in to be patched and helicopters flying close to the ground up and down fields out of the window.
— Daniel (@ImpetuousDanny) January 21, 2022
Pwned a bank. Full account takeover within a day for 2 accounts, able to steal all money and view all transactions coming in and out within those accounts by attacking the customer support flow, posing as 2 different users and taking over their accounts immediately.
— Rachel Tobac (@RachelTobac) January 22, 2022
pwned before I arrived. "All Users" group had been placed in the Enterprise Admins AD group
— Chris Gates (@carnal0wnage) January 21, 2022
I once popped a few dev boxes, found out that they were playing Tetrinet. I joined the game. They instantly left the game.
— Louis Nyffenegger (@snyff) January 21, 2022
Marketing story of the week
People love education. Nothing is more central to creating good content for your target personas than education. Make it useful, make it relevant, and make it easy to consume. When possible, make it entertaining. This last week I wrote a post breaking down the Offensive Hacking Education Landscape; next week I'll share some of the trends I see happening around the space. It's exciting and necessary for people to learn about hacking. Hats off to all the creators and platforms.
Inspirational thought of the week
I aspire every day to be a better leader. There probably aren't many better leaders in history than Marcus Aurelius. Here's stoic writer Ryan Holiday's short synopsis of the good leadership traits Marcus shared:
Good leadership according to Marcus Aurelius:
-Never be overheard complaining...even to yourself
-Find a mentor
-Consult experts for advice
-Never stop learning
-Ignore the mob
-Journal about where you can improve
-Be merciful to your opponents
-Always do the right thing
— Ryan Holiday (@RyanHoliday) January 16, 2022
What is the difference between happiness, meaning, and true psychological richness? I like this cheat sheet shared by Julian.
One of the most important images I've seen.
The difference between happiness, meaning, and true psychological richness.
From research by @ErinWestgate pic.twitter.com/tsvU1PuYOp
— Julian Shapiro (@Julian) January 16, 2022
Be prosperous, be well, be challenged, be encouraged, be curious, and be honest with yourself and others this next week and every week.
LT