Tom Sellers

Security geek, packet abuser
Research Eng at
@runZeroInc

LinkedIn.com/in/tomsellers
fadedlab.wordpress.com
he/him/they/goofball

Tom Sellers boosted:
2025-11-03

Header smuggling is not as cool as budgie smuggling but lighttp was allowing it anyway.

lighttpd 1.4.80 incorrectly merged trailer fields into headers after HTTP request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks.

Successful exploitation may allow an attacker to:

 * Bypass access control rules
 * Inject unsafe input into backend logic that trusts request headers
 * Execute HTTP Request Smuggling attacks under some conditions

This issue affects lighttpd 1.4.80

github.com/lighttpd/lighttpd1.
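As an added, defensive illustration of the point above (example code, not lighttpd's own): a minimal HTTP/1.1 chunked-body parser that keeps the trailer section in its own map, never merging it into the request headers, and refuses trailers that carry framing, routing or authentication field names. The sample request and the deny-list are constructed/assumed here.

```python
from typing import Dict, List, Tuple

# Field names never accepted from a trailer section (assumption: this deny-list
# follows the categories RFC 9110 sec. 6.5.1 forbids in trailers: framing,
# routing, authentication and request-modifier fields).
TRAILER_DENY = {"host", "content-length", "transfer-encoding", "authorization",
                "cookie", "content-type", "cache-control", "expect", "te"}

def _parse_fields(block: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    fields: Dict[str, str] = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed field line: {line!r}")
        fields[name.lower()] = value.strip()
    return fields

def trailer_violations(trailers: Dict[str, str]) -> List[str]:
    """Trailer names a server must refuse to honor (never promote to headers)."""
    return sorted(TRAILER_DENY & set(trailers))

def parse_chunked_request(raw: bytes) -> Tuple[Dict[str, str], bytes, Dict[str, str]]:
    """Return (headers, body, trailers); trailers are kept apart from headers."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    _request_line, _, header_block = head.decode("ascii").partition("\r\n")
    headers = _parse_fields(header_block)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        raise ValueError("only chunked bodies are handled here")
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)  # chunk-size, extensions dropped
        pos = eol + 2
        if size == 0:  # last-chunk: the trailer section follows
            break
        body += rest[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF
    trailer_block = rest[pos:].decode("ascii").partition("\r\n\r\n")[0]
    trailers = _parse_fields(trailer_block)
    bad = trailer_violations(trailers)
    if bad:
        raise ValueError(f"forbidden trailer fields: {bad}")
    return headers, body, trailers

# Constructed sample: a chunked POST whose trailer section carries an extra field.
SAMPLE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\nX-Admin: 1\r\n\r\n")
```

Any access-control decision made on `headers` is unaffected by what arrives in `trailers`, which is exactly the separation the merged-trailer bug lost.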

Tom Sellers boosted:
2025-11-03

Also, if your management has seen the widely reported "80% of Ransomware Attacks are AI-Driven" headline published by MIT, it was paid for by a vendor.

The paper is absolutely ridiculous. It describes almost every major ransomware group as using AI - without any evidence (it's also not true, I monitor many of them). It even talks about Emotet (which hasn't existed for many years) as being AI driven.

It cites things like CISA reports for GenAI usage.. but CISA never said AI anywhere.

Tom Sellers boosted:
mauvehed 🐿️ (KØMVH) @mauvehed@defcon.social
2025-11-01

Two months ago I started a project of passion. That journey has taken me a long ways in a short time!

I am excited to announce the first major milestone of my MUD, Chatsubo!

blog.chatsubo.io/release/2025/

#MUD

2025-10-31

@SecureOwl wow

2025-10-30

When the data yer gonna leak is too big to lose in the back of an airplane seat [1] and you don't have a spare laptop laying around [2] then you need S3 buckets..

theregister.com/2025/10/29/ey_

  1. infoworld.com/article/2184262/

  2. theregister.com/2006/02/25/ern

2025-10-30

@cR0w @saraislet I'd expect it to trip up curl / Invoke-WebRequest but really only if it was run from a host with AV so I guess just those LOL from inside a compromised network.

Tom Sellers boosted:
2025-10-30

Austin Hackers Anonymous (AHA) is TONIGHT (2025-10-30) takeonme.org/ - Have some zero-day to share? AHA is an official CNA and will issue CVEs for vulnerabilities disclosed at the meeting. I'm planning to demo more SSHamble.com findings along with BloodHound OpenGraph stuff. See yall soon!

2025-10-30

@saraislet @cR0w Hurm, I wonder what would happen if you did return EICAR to common ../ requests. Like, nothing should happen due to the rules for how EICAR should be flagged but we live in the real world right?

Well.. likely a Variant of the timeline that the TVA will cull but that doesn't change anything.

2025-10-30

NTLMSSP encapsulated in TLS encapsulated in TDS 7

If you have experienced the above then know that you are not alone and that I too think it is stupid.

2025-10-30

@tychotithonus MIBs for frelling purebreds would probably make you register with AKC and pay a fee to get it..

2025-10-30

@tychotithonus If there were a MIB it would probably be breed specific.

2025-10-30

I have Wind Rose's Diggy Diggy Hole running on loop in my head after posting it in Slack yesterday for a joke. I guess that's much better than some other options..

2025-10-30

@ryanc @cR0w @kajer @Viss Dayum, that's just evil.

2025-10-29

@Viss @cR0w You forgot the double ROT13

2025-10-29

@cR0w Time for a nap

2025-10-28

@cR0w Still the case as of 18:15 Central / 23:15 UTC

Tom Sellers boosted:
2025-10-28

Maybe PAN should have paid more attention to their ops than to their marketing. What a fucking joke.

threatvault.paloaltonetworks.c

Screenshot of the site linked in the toot showing that the certificate for https://threatvault.paloaltonetworks.com/ expired earlier today.
2025-10-28

@skryking Many years ago I used to use Nmap's arg to take input from a file nmap -iL targets.txt and combine that with the -exclude arg. When used with -sL it should just emit the results though I think this just emits IPs and not CIDR blocks.

Tom Sellers boosted:
No Starch Press @nostarch
2025-10-28

🎃 Our Halloween Sale is brewing. Get 31% off sitewide from 10/28 to 11/1 with code HALLOWEEN31.
Grab your favorite titles before they vanish into the night.

nostarch.com/

Promotional image for a Halloween sale. The background features orange and yellow spiral swirls. At the top, bold black text with a white outline reads “HALLOWEEN SALE.” Below that, large orange text with a black outline says “31% OFF SITEWIDE.” To the right, more black text with a white outline reads “USE CODE: HALLOWEEN31.” At the bottom right, orange text with a black outline displays the sale dates “10/28–11/1.” On the left side, there’s a black-and-white cartoon-style robot pouring coffee into its open head.
Tom Sellers boosted:
2025-10-28

doing one more cybersecurity awareness write-up on IoT devices for work.

I don't know when it happened, but I decided to start caring when I noticed that embedded device security is still god-fucking-awful, and it never seems to change.

I think what radicalized me to paying more attention to it, was the rapid conversion of vulnerable devices to ORBs/relays, or initial access devices.

It is fucking astounding in this day and age that there are devices with full-on buffer overflows, no ASLR, no PIE, no user input validation for stuff passed to system commands, nothing, and that it is considered acceptable that vendors keep using these god awful frameworks and Linux kernels that don't support better security features.
