Mastodawn

Quentin Rhoads-Herrera

Jan 13, 2023

Been a good minute since I posted here, so I wanted to share some thoughts I had about today.

Thank goodness it's Friday!!!!

That is all!

Quentin Rhoads-Herrera

Nov 20, 2022

Let’s not forget our own mental health! I had an abused women tell me PTSD was only for soldiers, and those soldiers who saw war.

Lies! Many victims of domestic violence, rape, and other crimes can cause PTSD.

If you see someone in need please reach out to them and left them know it is ok. The world moves on. Life changes. Memories become faded.

If you are in an abusive relationship, reach out for help!! Being weak means giving up.

Quentin Rhoads-Herrera

Nov 20, 2022

The best junior assessors who have made it to more senior assessor positions have one quality I have seen:

1. They all hate to lose and continue trying to win.

For those managing this type of personality, force breaks on them so they don’t burn out. Remind them that they can break that box Monday! That the bad code won’t change in 48 hours!

If you are a leader, and that with that type of personality… welcome to the chaos! Just don’t forget about your people!

#redteamtips #redteam #infosec

Quentin Rhoads-Herrera

Nov 16, 2022

Selene Xenia Nov 16, 2022

if you hack a mastodon server does that mean you’re rootin’ tootin’?

Quentin Rhoads-Herrera

Nov 11, 2022

Can’t sleep. So let me begin a #ff on this #fediverse.

@charlesdardaman
@colemankane
@hacks4pancakes
@HackingLZ
@alyssam_infosec
@frichetten

Quentin Rhoads-Herrera

Nov 10, 2022

anthony weems Nov 10, 2022

Two fun #Kubernetes CVEs were published today!

CVE-2022-3294 [1] is a bypass for the node proxy restrictions (related to the TOCTOU found in CVE-2020-8562 [2].

CVE-2022-3162 [3] is a very cool authorization bug that was caused by URI path traversal in the etcd client.

[1] https://github.com/kubernetes/kubernetes/issues/113757
[2] https://github.com/kubernetes/kubernetes/issues/101493
[3] https://github.com/kubernetes/kubernetes/issues/113756

CVE-2022-3294: Node address isn't always verified when proxying · Issue #113757 · kubernetes/kubernetes

CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clus...

GitHub

Quentin Rhoads-Herrera

Nov 10, 2022

Wow.

https://twitter.com/thezedwards/status/1590761985050046464?s=46&t=w6AZ-Va2TRbkVINlvVyLZA

Zach Edwards on Twitter

“I have some really disappointing & horrifying news about how Twitter ads is ingesting + storing advertiser credit cards. They have a ~new "reviewData" field that is a plain text ingestion (CC fields are encrypted) which includes the "firstSix" and "lastFour" #'s of your CC.🌩️⚖️🧵”

Twitter

Quentin Rhoads-Herrera

Nov 10, 2022

Over staffing is a huge problem with growth focused companies vs. profit focused ones. But the answer to fix this issue is not for employees to be more “hard core”… whatever the hell that means.

https://www.nytimes.com/2022/11/10/technology/elon-musk-twitter-employees.html

Musk Paints Bleak Picture for Twitter as Executives Depart

In his first communications with Twitter’s staff, the company’s new owner painted a bleak picture as more executives resigned.

The New York Times

Quentin Rhoads-Herrera

Nov 10, 2022

Show thread

Vlad Ionescu Nov 10, 2022

And RCE as SYSTEM due to a poorly designed cryptosystem which became evident once the sample was decompiled :)

https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-vmc4-wm3f-w3fr

ControlUp Agent (cuAgent) Unauthenticated Remote Code Execution as "NT AUTHORITY\SYSTEM"

## Vulnerability Description: A remote, unauthenticated attacker can send a specially crafted payload to a computer running Smart-X ControlUp cuAgent. The cuAgent software will receive the payload...

GitHub

Quentin Rhoads-Herrera

Nov 10, 2022