#Netflix Fined €475 Million for Privacy Violations

https://undercodenews.com/netflix-fined-eur475-million-for-privacy-violations/

@Undercode_News

🚨 #Ransomware Threat Looms Large: Funksec Targets US Sectors

https://undercodenews.com/ransomware-threat-looms-large-funksec-targets-us-sectors/

@Undercode_News

🌐 Emerging #Ransomware Group Funksec Targets Chilean Website

https://undercodenews.com/emerging-ransomware-group-funksec-targets-chilean-website/

@Undercode_News

⚡️ New #Ransomware Attack: Funksec Targets Brazilian Engineering Institution

https://undercodenews.com/new-ransomware-attack-funksec-targets-brazilian-engineering-institution/

@Undercode_News

🛡️ Securing the Cloud: CISA Mandates Stricter Federal Cybersecurity

https://undercodenews.com/securing-the-cloud-cisa-mandates-stricter-federal-cybersecurity/

@Undercode_News

📱 #Apple Seeks Chinese #AI Partners: #Tencent and #Bytedance in the Spotlight

https://undercodenews.com/apple-seeks-chinese-ai-partners-tencent-and-bytedance-in-the-spotlight/

@Undercode_News

🎤 The Memo-First Meeting Revolution: A Deep Dive

https://undercodenews.com/the-memo-first-meeting-revolution-a-deep-dive/

@Undercode_News

🛠️ Urgent Patch Required! Fortinet Warns of Critical Vulnerabilities in FortiWLM and FortiManager

https://undercodenews.com/urgent-patch-required-fortinet-warns-of-critical-vulnerabilities-in-fortiwlm-and-fortimanager/

@Undercode_News

🦑𝐄𝐥𝐞𝐯𝐚𝐭𝐞 𝐘𝐨𝐮𝐫 𝐓𝐞𝐜𝐡 𝐉𝐨𝐮𝐫𝐧𝐞𝐲: 𝐄𝐬𝐬𝐞𝐧𝐭𝐢𝐚𝐥 𝐑𝐞𝐬𝐨𝐮𝐫𝐜𝐞𝐬 𝐟𝐨𝐫 𝐆𝐫𝐨𝐰𝐭𝐡 𝐚𝐧𝐝 𝐂𝐞𝐫𝐭𝐢𝐟𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐒𝐮𝐜𝐜𝐞𝐬𝐬
Whether you’re looking to break into tech, grow your expertise, or prepare for certifications, use these resources to help you level up:

🎯 Microsoft Learn: https://lnkd.in/ge973G3j
Explore interactive, self-paced modules on Azure, Microsoft 365, Power Platform, and more.

🎯 Microsoft Virtual Training Days: https://lnkd.in/g2B_2Yq3
Free, instructor-led events with opportunities to earn free certification exam vouchers!

🎯 GitHub Learning Lab: https://lab.github.com/
Dive into Git basics, open-source contributions, and DevOps workflows.

🎯 Microsoft Educator Center: https://lnkd.in/gFcX5xdm
Focused on education technology, this resource is excellent for educators learning Teams and Office 365 tools.

🎯 Azure DevOps Labs: https://lnkd.in/gi4uekjB
Get practical experience with CI/CD pipelines, infrastructure as code, and governance—all for free!

🎯 AI for Good & Responsible AI Training: https://lnkd.in/gtXfexiY
Learn about cutting-edge AI applications and ethical AI practices.

Ref: Mohamad Hamadi
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑𝐇𝐨𝐰 𝐀𝐭𝐭𝐚𝐜𝐤𝐞𝐫𝐬 𝐇𝐚𝐜𝐤 𝐂𝐈/𝐂𝐃 𝐏𝐢𝐩𝐞𝐥𝐢𝐧𝐞𝐬 👇

I recently watched one of DEFCON's talk of this year "Your CI CD Pipeline Is Vulnerable, But It's Not Your Fault" by Elad Pticha, Oreen Livni and was really impressed by the attack vector (link in comments)

𝐋𝐞𝐭'𝐬 𝐬𝐞𝐞 𝐡𝐨𝐰 𝐢𝐭 𝐰𝐨𝐫𝐤𝐬

Github workflows are part of the CI/CD (Continous Integration/Continous Deployment) ecosystem that lets developers automate their workflow

For example: once a commit is made to the repo -> the code is scanned with a tool -> if the tests pass -> code is pushed to test/production

Now the interesting part is that (if the repo maintainer uses input that you control) inside the workflow, this can lead to command injection in the pipeline

𝐖𝐡𝐢𝐜𝐡 𝐦𝐞𝐚𝐧𝐬 𝐲𝐨𝐮 𝐦𝐚𝐲 𝐛𝐞 𝐚𝐛𝐥𝐞 𝐭𝐨 𝐭𝐚𝐤𝐞 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐫𝐞𝐩𝐨

In the example bellow, the pipeline uses the title of an issue as part of a bash echo command

That means anyone can create a issue named $(𝐰𝐡𝐨𝐚𝐦𝐢) and execute commands in the CI/CD

If you can do that -> you can abuse the command injection to steal the repo's Github token, read secrets or push malicious code

Ref: Andrei Agape
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

💻 #AMD's RX 7900 GRE: A Short-Lived Graphics Card Champion

https://undercodenews.com/amds-rx-7900-gre-a-short-lived-graphics-card-champion/

@Undercode_News

Pornhub to Exit Florida Due to Strict Age Verification Laws

https://undercodenews.com/pornhub-to-exit-florida-due-to-strict-age-verification-laws/

@Undercode_News

Generalist Advantage: Why a Broad Perspective Trumps Specialization

https://undercodenews.com/generalist-advantage-why-a-broad-perspective-trumps-specialization/

@Undercode_News

🎮 Alienware m16 RTX 4070 #Gaming #Laptop: A Black Friday Deal Worth Recapturing

https://undercodenews.com/alienware-m16-rtx-4070-gaming-laptop-a-black-friday-deal-worth-recapturing/

@Undercode_News

🦑🔐Cracking the Secrets of JWT Hacking 🔍

Are you ready to uncover the vulnerabilities in JSON Web Tokens (JWTs) and learn how to secure them effectively? 🌐 Here’s a detailed guide on JWT hacking and best practices to safeguard them:

💡 Common JWT Vulnerabilities:

1️⃣ Weak Signing Algorithm (e.g., none): Exploiting algorithms like HS256 or RS256 with insecure configurations.
2️⃣ Key Disclosure: Using predictable or publicly exposed keys for token signing.
3️⃣ JWT Manipulation: Modifying the header or payload to escalate privileges or bypass authentication.
4️⃣ Lack of Expiration: Tokens without expiry enable unauthorized access for extended periods.
5️⃣ Insufficient Signature Validation: Failure to properly validate JWT signatures.

🛠️ JWT Hacking Techniques:
• Header Tampering: Altering the algorithm to “none” to bypass signature verification.
• Key Cracking: Brute-forcing weak or mismanaged secrets.
• Replay Attacks: Reusing captured tokens to impersonate users.
• Payload Tampering: Modifying claims (e.g., admin: true) to escalate privileges.
• Algorithm Downgrade Attacks: Switching from a strong algorithm (RS256) to a weaker one (HS256) if the server mishandles keys.
• Client-Side Storage Exploitation: Stealing tokens stored in localStorage or sessionStorage via XSS.

✅ How to Secure JWTs:

🔒 Use Strong Algorithms: Always use strong algorithms like RS256 with secure key management.
⏳ Set Expiry Times: Define short-lived tokens with the exp claim to reduce exposure.
📜 Enforce Algorithm Validation: Ensure the server validates the specified algorithm and rejects “none.”
🔑 Implement Secure Key Storage: Store signing keys securely (e.g., in environment variables or vaults).
🔍 Monitor Token Usage: Log and monitor API requests for anomalies or unusual token behavior.
🔄 Rotate Secrets Regularly: Frequently update your keys to limit exposure in case of leaks.
🧱 Protect Client-Side Storage: Use HTTP-only, Secure cookies instead of localStorage or sessionStorage.

💻 Top Tools for JWT Testing:

🛠️ jwt.io – Decode, debug, and test tokens.
🛠️ Burp Suite – Intercept API requests and test JWT-based flows.
🛠️ Postman – Manual testing for API endpoints using JWT.
🛠️ HackTools – A browser extension with JWT cracking utilities.
🛠️ John the Ripper – Brute-force JWT secrets.
🛠️ JARM Tool – Analyze JWT for misconfigurations and vulnerabilities.

🔗 Additional Tips:

🔵 Avoid storing sensitive data directly in the JWT payload, even if encrypted.
🔵 Validate tokens at every API endpoint.
🔵 Beware of Cross-Site Scripting (XSS) attacks that could expose JWTs.

🔐 JSON Web Tokens (JWTs) are powerful tools for modern applications, but they come with risks. Whether you’re a developer or penetration tester, mastering JWT security is critical for keeping your systems safe. 🚀

Ref: in pdf
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🔧 Sennheiser Profile Wireless: A Versatile Audio Solution

https://undercodenews.com/sennheiser-profile-wireless-a-versatile-audio-solution/

@Undercode_News

🦑OSINT Tools for the Dark Web:

Dark Web Search Engine Tools
Katana - https://github.com/adnane-X-tebbaa/Katana

OnionSearch - https://github.com/megadose/OnionSearch

Darkdump - https://github.com/josh0xA/darkdump

Ahmia Search Engine - ahmia.fi, https://github.com/ahmia/ahmia-site

Darkus - https://github.com/Lucksi/Darkus

Tools to get onion links
Hunchly - https://www.hunch.ly/darkweb-osint/

Tor66 - http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion/fresh

Darkweblink - darkweblink.com, http://dwltorbltw3tdjskxn23j2mwz2f4q25j4ninl5bdvttiy4xb6cqzikid.onion

Tools to scan onion links
Onionscan - https://github.com/s-rah/onionscan

Onioff - https://github.com/k4m4/onioff

Onion-nmap - https://github.com/milesrichardson/docker-onion-nmap

Tools to crawl data from the Dark Web
TorBot - https://github.com/DedSecInside/TorBot

TorCrawl - https://github.com/MikeMeliz/TorCrawl.py

VigilantOnion - https://github.com/andreyglauzer/VigilantOnion

OnionIngestor - https://github.com/danieleperera/OnionIngestor

Darc - https://github.com/JarryShaw/darc

Midnight Sea - https://github.com/RicYaben/midnight_sea

Prying Deep - https://github.com/iudicium/pryingdeep

Miscellaneous
DeepDarkCTI - https://github.com/fastfire/deepdarkCTI

@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🚨 BeyondTrust Patches Critical Remote Access Vulnerability

https://undercodenews.com/beyondtrust-patches-critical-remote-access-vulnerability/

@Undercode_News