vulnz.ch's first edition will take place on Thursday, March 5th at HeadsQuarter The Historic in Zurich. Yusuf will present on Android userspace exploitation and Jannis will cover reverse engineering black-box binaries with symbolic and concolic execution techniques. If you're into appsec, pentesting, vulnerability research, or anything in between, come join us!

https://luma.com/z32guuot

vulnz.ch is a meetup I've been thinking about for a while. It's something I wanted to exist but couldn't find.

The idea is simple: bring together Zurich-based folks for a space dedicated to sharing knowledge about software security. That could mean presenting your analysis of an academic paper you've read, demoing a fork of an open source project you've been experimenting with, or showing off a tool you built during late-night coding sessions.

The first meetup is now being shaped, and the website is up and running. Check out vulnz.ch and sign up if you're interested in joining.

Judging by the 2020s cadence, there is a 50% chance of having another @phrack Magazine release next year.

Why not have all the articles in the new issue directly piped into your favourite RSS reader?

http://iosifache.me/feeds/phrack.xml

The "Related Work" section in academic papers paints a high-density, medium-fidelity, and low-noise picture of the state-of-the-art in a scientific topic.

The previous Monday, @troyhunt, the creator of @haveibeenpwned, made another stop on his Have I Been Pwned Alpine Grand Tour, visiting countries like Germany, France, Italy, and Switzerland to discuss his work. Several Zurich user groups were fortunate to hear him speak on various topics and join him for drinks afterward. His presentation covered his experience testifying before the U.S. Congress, some of the most significant breaches tracked on the platform, and insights into how Have I Been Pwned operates.

After discovering that the data is accessible via the API and noticing the lack of a visualization tool, I dedicated a few evenings to building haveibeenpwned.watch. This single-page website processes and presents data on leaks from Have I Been Pwned, with daily updates.

The site provides details on the total number of recorded breaches, the number of unique services affected, and the total accounts compromised. Charts break down the data by year, showing the number of breaches, affected accounts, average accounts breached per year, accounts by data type, and accounts by industry. Additionally, tables highlight the most recent breaches, the most significant ones, and the services with the highest number of compromised accounts.
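The aggregation described above (totals, per-year breakdowns, accounts by data type, largest and most recent breaches, most-affected services) can be reproduced in a few lines. The following is an added example, not code from the haveibeenpwned.watch repository; it runs over constructed sample records whose field names (`Name`, `Domain`, `BreachDate`, `PwnCount`, `DataClasses`) are modelled on the objects the Have I Been Pwned breaches API returns, and it treats the `Domain` field as the identity of a "service", which is an assumption of this example. The industry breakdown is omitted because the API records carry no industry field; the site must derive it from a mapping of its own.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed sample records shaped like HIBP breach objects; all values are made up.
SAMPLE_BREACHES_JSON = json.dumps([
    {"Name": "ExampleShop", "Domain": "example-shop.test", "BreachDate": "2021-03-14",
     "PwnCount": 1_200_000, "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleForum", "Domain": "example-forum.test", "BreachDate": "2021-11-02",
     "PwnCount": 300_000, "DataClasses": ["Email addresses", "Usernames"]},
    {"Name": "ExampleBank", "Domain": "example-bank.test", "BreachDate": "2023-06-30",
     "PwnCount": 5_000_000, "DataClasses": ["Email addresses", "Passwords", "Phone numbers"]},
    {"Name": "ExampleShopAgain", "Domain": "example-shop.test", "BreachDate": "2023-09-09",
     "PwnCount": 50_000, "DataClasses": ["Email addresses"]},
])


def load_breaches(raw_json):
    """Parse the JSON list and attach the breach year derived from BreachDate."""
    records = json.loads(raw_json)
    for r in records:
        r["year"] = date.fromisoformat(r["BreachDate"]).year
    return records


def summarise(breaches, top_n=3):
    """Compute the headline numbers, per-year charts and ranking tables."""
    per_year_count = defaultdict(int)
    per_year_accounts = defaultdict(int)
    accounts_by_data_class = defaultdict(int)
    accounts_by_service = defaultdict(int)  # keyed by Domain (assumption: domain == service)

    for b in breaches:
        per_year_count[b["year"]] += 1
        per_year_accounts[b["year"]] += b["PwnCount"]
        accounts_by_service[b["Domain"]] += b["PwnCount"]
        # A breach exposing several data types counts its accounts under each type.
        for dc in b["DataClasses"]:
            accounts_by_data_class[dc] += b["PwnCount"]

    years = sorted(per_year_count)
    by_size = sorted(breaches, key=lambda b: b["PwnCount"], reverse=True)
    by_date = sorted(breaches, key=lambda b: b["BreachDate"], reverse=True)
    services = sorted(accounts_by_service.items(), key=lambda kv: kv[1], reverse=True)

    return {
        "total_breaches": len(breaches),
        "unique_services": len(accounts_by_service),
        "total_accounts": sum(b["PwnCount"] for b in breaches),
        "breaches_per_year": {y: per_year_count[y] for y in years},
        "accounts_per_year": {y: per_year_accounts[y] for y in years},
        # Integer average of accounts per breach within each year.
        "avg_accounts_per_breach_per_year": {
            y: per_year_accounts[y] // per_year_count[y] for y in years
        },
        "accounts_by_data_class": dict(accounts_by_data_class),
        "largest_breaches": [b["Name"] for b in by_size[:top_n]],
        "most_recent_breaches": [b["Name"] for b in by_date[:top_n]],
        "top_services": [domain for domain, _ in services[:top_n]],
    }


if __name__ == "__main__":
    summary = summarise(load_breaches(SAMPLE_BREACHES_JSON))
    print(json.dumps(summary, indent=2))
```

Feeding the real API response into `load_breaches` instead of the constructed sample gives the same dictionary shape, which is all a charting front end needs; the only field that needs care is `BreachDate`, which the example parses with `date.fromisoformat` so that a malformed date fails loudly rather than silently landing in the wrong year.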

Though simple, the website can be a useful resource for use cases like strategic security planning, cybersecurity sales, risk assessment, or simply tracking trends in the security landscape.

The website is open source, with its repository hosted on GitHub.

Feel free to share any feedback or submit a pull request if you’d like to contribute.

Troy, thank you for hosting these in-person talks and for creating this essential service that the internet relies on!

[1] https://haveibeenpwned.watch
[2] https://github.com/iosifache/haveibeenpwned.watch

One should fear becoming a librarian who hoards data without acting on it.

I don't mind if it's a choice or just the luck of picking the right WordPress theme; I salute the VCs with websites that have RSS feeds.

Building a road for the future means using materials from the past.

In war, proselytism, and business:

Cover the basic needs of neutral parties or enemies, and they will become your allies by their own will.

> you publishing this kind of information without our approval can be interpreted as confidential information disclosure, favoring cyber attacks or even complicity in the case of an incident

She calmly dropped this line during our WhatsApp call when I asked about sharing details on a vulnerability on my blog or on this platform. The call came after I emailed them the day before about a flaw in a publicly accessible, open-source security solution deployed by an institution. I tried to change her mind for a few minutes, but her position was clearly locked in at the institutional level.

I suggested a few ways they could step up their game:

• Clearer reporting process: Their website had no security contact or security.txt file. I had to hit up an acquaintance just to figure out who to reach.
• Deploying fixes: They said the vulnerability was a known issue and just one of many defences they had, so they wouldn’t fix it. Next time, they might hear about it from a shady, ill-intentioned actor hiding behind Onion proxies and VPNs.
• Securing open source: They were using a lesser-known open-source codebase with no hardening or obfuscation. A quick OSINT search revealed the exact repository they used, turning my impromptu black-box audit into a white-box review of a vulnerability-prone codebase.
• Community collaboration: The gov'ts should set up reputation-based bug bounty platforms with identity-verified volunteers. It’d need legal changes, but trusted civilians with diverse backgrounds flagging issues beats finding out during a breach.

We talked about other stuff, and I gave props to their hard work. After hanging up, I zoned out, struck by how their approach clashed with the classic vulnerability disclosure process from the open-source and bug-bounty worlds I know:

• Confidentiality and forced disengagement: Did they really know about the issue already? She told me that, yes, but I have no clue if this is true. Are there other defences in place? She says so, but I can’t see past the edge system I tested. Will I know if they fix it? Not officially, though I could check online. It felt almost like gaslighting.
• Legislation as a defensive layer: She played the legal trump card, citing specific laws that boxed me in. I was checkmated with no counter move.

A few seconds later, I snapped out of it, brewed another coffee, and got back to my day’s tasks.