🎓 Vulnerable U | #019

Privacy vs. Security, Meta's Thread App Concerns, MITRE's Top 25 Most Dangerous, and more...

Read Time: 5 minutes

Howdy friends!

Happy Blink-182 eve for those who celebrate. I’ll be reliving my teen years with a bunch of other elder millennials tonight when Blink-182 comes to Austin. I will feel so cool I might even beat this heat wave.

Hope you all had a good July 4th weekend if you’re in the States and got some time off. We had a party at my house with a local tattoo artist setup in my living room doing flash tattoos from this sheet:

Ten people walked out with new ink, and Daddy got himself a new skull with a cowboy hat because why not?

Sneak Peak at the Blog of the Week:

Something true: I knowingly choose to take the risk of talking about my mental health publicly regardless of what current or future employers may think of that.

Not everyone has the same threat model as me, an established cis, white, straight man. Not everyone has that same fortune and might decide privacy IS security.

Privacy, in this sense, directly correlates to livelihood, safety, and security - because many employers have incorrect assumptions about people who experience mental health issues.

However, looking at this situation from a different lens, keeping my mental health private could cause an employer to make assumptions about my performance, attitude, or attendance.

One could argue that sharing this information might lead an employer to access resources for me, improve policies, update workplace culture, give me the professional support I need to accomplish tasks, and generally approach me in an understanding and compassionate way, which would lead me to have a healthier relationship with work overall.

Tricky right? Which side of the fence are you on here? I don’t know if there’s a right or wrong, but I know it’s worth exploring.

So let’s get vulnerable.

In this episode:

  • Privacy vs. Security

  • Meta’s Threads App Won’t Launch in EU on Regulatory Concerns

  • 336,000 servers remain unpatched against critical Fortigate vulnerability

  • MITRE’s Top 25 Most Dangerous Software Weaknesses of 2023

  • OWASP Top 10 for LLM

  • Hackers steal personal information on 8,000+ pilot applicants at American and Southwest

  • Hacking Campaign Actively Exploiting “Ultimate Member” Plugin on WordPress Sites

  • Malvertising Used as Entry Vector for BlackCat Malware

  • Hunting Ducks - A Threat Hunters Take on Ducktail Stealer

ICYMI

🖊️ Something I wrote: I expressed my frustration with how mental health issues can literally steal time you can never get back. It seems a lot of people agreed. [Link]

🎧️ Something I heard: The clashing of two giant minds. What a great long convo by two of the best, Andrew Huberman and Tim Ferriss. [Link]

📽️ Something I watched: Great interview of Ryan Montgomery (aka 0day) on NahamSec’s stream [Link]

🔖 Something I read: This Adam Shostack piece - Microsoft Can Fix Ransomware Tomorrow [Link]

Vulnerable News

If you have a pulse and are online this week, you couldn’t miss everyone rushing to check out the latest Twitter lifeboat alternative - Threads. You’ll also have noticed they ask for about every piece of information they can get from you to sign up. [Read More]

We talked about this Foritnet vulnerability in a previous edition, and I mentioned how tricky hardware patching is. Here is the proof in the pudding. Tons of this stuff is still out there. [Read More]

Love MITRE and all the work they’re doing around ATT&CK. They dropped a list for 2023 that is sort of like the OWASP Top 10 but for all CVE types, not just web applications. Always interesting to use these kinds of stats to help your prioritization efforts of what you’re spending your time addressing. [Read More]

Speaking of the OWASP Top 10! They released their Top 10 for LLM this week. I think most of the security issues surrounding the AI surge are yet to be seen, but it is good to start thinking about the new landscape introduced with this movement. [Read More]

The hackers broke into a recruiting firm to gather this information. Not a lot of details about the hack itself, but an ever-present reminder of the security risks not only in your own organization but also in the vendors that you give info to. [Read More]

WordPress vulns are a dime a dozen and not super interesting to me. However, an active exploit campaign with plenty of victims is worth noting. This one also comes with a good post-mortem from the plugin vendor. [Read More]

We’ve talked about BlackCat (aka ALPHV) malware here in recent weeks. I’ve also got a special place in my heart for ad networks being used by attackers, as I’ve done lots of research in this area. (I gave a BlackHat talk about this kind of stuff over a decade ago, Million Browser Botnet). TrendMicro team did some excellent work tracking down this campaign, and they have lots of details in their report here. [Read More]

“The most reliable, cost effective method to inject evil code is to buy an ad.”

Douglas Crockford

Ducktail Stealer is a known threat actor targeting marketing companies with .NET-based payloads. This is a good write-up of the techniques used in delivering the malware and then unpacking the malware itself to see how it steals the victims’ info. Great writeup! [Read More]

Check Point Research uncovers a targeted campaign carried out by a Chinese threat actor targeting government entities in Europe, with a focus on foreign and domestic policy entities. [Read More]

Miscellaneous mattjay

1. Describe how you’ve perceived yourself in the following situations over the past several months— with your significant other, at work, with the kids or team, in social situations with strangers.

2. Now ask, “Is that who I really see myself being in the future?” How would my future self look, feel, and behave differently in those situations?

3. If you could describe yourself in just three aspirational words— words that would sum up who you are at your best in the future —what would those words be? Why are those words meaningful to you? Once you find your words, put them in your phone as an alarm label that goes off several times per day

Brendon Burchard

Upcoming Appearances

I’ll be giving some free Threat Modeling training at an event in Austin in September alongside a stacked cast of characters. Check out the event, put on for free by Tromzo: Here

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay