Did you Escape the Haunted Hollow this year?
👻 Boo! Earlier this month we threw open the creaking gates and invited you to Return to Haunted Hollow to take on 9 more spine-chilling labs designed to test your skills and sanity alike... but many of you conjured up your courage and tackled the challenge like ghouls rising at midnight. In total, 535 brave souls dared to venture into the Hollow, but only 47 emerged from the eerie gloom. As of now, we've witnessed over 2500 doomed attempts, with a mere 1200 miraculous escapes... these labs were truly terror-inducing. There are no treats this time around, it was just a bit of spooky fun. But let us highlight a few community members who survived to tell the tale... 🎃 First to Finish The unstoppable steven was the first community member to escape the Haunted Hollow despite giving everyone else a 2 day head start. 🦇 Fastest to Complete en4rab managed to flee in just 9 hours, the quickest of all community members. 🧛 Most Accurate A quick escape was not enough for en4rab! They were clearly unspooked as they managed to achieve a 97% accuracy rate... the highest of all community members. 🧟 Most Persistent A-Rai-Col braved the fear and despair and refused to give up , ultimately escaping after 14 attempts. Congratulations to all of our survivors. For those still trapped in Haunted Hollow, fear not! These labs will be lurking around for you to attempt again and again. Whether you're a seasoned crypt keeper of the cybersecurity world or a curious newcomer, there's a fright waiting for everyone in this immersive capture-the-flag experience! For those souls who embraced the horror and loved every spine-tingling moment, keep an eye on the community next week and be the first to hear the eerie whispers about our brand new Lab Challenge Series launching Monday 4th!Hacking tools
Just (re)entering the space of hacking hardware (I had a flipper, but it went boom after a fallout with a bottle of Coke and the rubbish attached lids we have in the UK. I am getting the stuff to build a Bjorn networking tool as a first project. In a "Oh-I-wonder-if-I-could build-one-educational" activity... Has anyone built one before? What use did you get out of it? What other tools have people built?
CTI: Creating a proof of concept question
This question was asked in the Slido after today's community webinar: Operational CTI: Creating a Proof of Concept. I am posting here so that it can be answered. I understood the SharePoint vulnerability's exploitability to be rated 'easy' or 'low.' However, my experience in generating a Proof of Concept (POC) suggests it's quite difficult. Could you explain why the rating is what it is?CSM Tip: Have A Summer Series! Are YOU Taking Advantage Of Summer?
Being the comedian I am, I was going to title this tip “Have Your Own Personal Summer series” but I didn’t want the core message of this idea to get lost in my wacky humor. Working with customers over the years across the globe, I’ve seen a trend. What is that trend? People on the team take their annual holidays to enjoy the weather, spend time with their families when the kids are out of school, spend more time in the fresh air away from screens, etc. Thus, structured programs and large projects wane a little bit as opposed to the fervor that resumes as autumn hits. One of the ways customers overcome this and stick to their personal growth and development plans as well as the broad organizational/department plans is to host “Summer Series”. What is that you say? Well, it is sometimes a large group activity or challenge over the summer (have you checked out the challenge labs in the Exercise section of Immersive?) Or, it’s a weekly/biweekly/monthly “workshop” drop in session that team members can attend (when they are not on their well-earned annual holidays) to learn more on a topic (come on, I KNOW you want to learn more about cutting edge topics like secure coding in the age of integrated LLM in your apps and systems). So, be the voice on your team to suggest this or, like my wacky idea for a tip topic suggests, implement your own Personal Summer series. You will be glad you did.
Did anyone actually win anything from the Human Connection Challenge?
It's been quite a while since the challenge ended, and still no official announcement about the winners. There was no live prize draw, and it feels like the whole thing just silently wrapped up. Don’t get me wrong, I’m not mad about not winning a major prize or anything. But it seems like nobody won anything ? I haven’t seen a single post from anyone saying “thank you” or mentioning they received something. That’s... odd, right? If you won a PS5, headphones, or any of the big prizes, please let us know. I’ll honestly be happy if I’m wrong and people did get rewarded. 😊 Just curious if there were actual winners
CVE-2024-3094 (XZ Utils Supply Chain Backdoor)
This training was a deep dive into supply chain attacks, focusing on how attackers compromise third-party libraries to infiltrate systems. 🌳 ROOT: The Core Lesson 🔹 Your code is only as secure as its weakest dependency. 🔹 Attackers don’t always target your app—they infect the libraries and tools you trust. 🔹 A single update from upstream can spread malware downstream into thousands of systems. 🌲 BRANCHES: Key Takeaways 1️⃣ Trunk: The Major Incidents (Real-World Cases) 📌 Log4j (CVE-2021-44228) – A simple logging library led to RCE attacks on millions of apps. 📌 XZ Utils Backdoor (CVE-2024-3094) – Attackers planted a hidden SSH backdoor inside a widely used Linux tool. 📌 SolarWinds Attack – A trusted software update infected top enterprises & governments. 2️⃣ Branches: How These Attacks Work? 🌿 Compromised Upstream – Hackers inject malicious code into open-source projects. 🌿 Silent Propagation – CI/CD pipelines & OS distros auto-fetch infected updates. 🌿 Exploitation in Production – The attacker gains remote access, RCE, or data leaks. 3️⃣ Leaves: Defensive Actions You Must Take! 🍃 Pin Dependencies – Use fixed versions instead of "latest". 🍃 Verify Integrity – Check hashes, signatures, and changelogs before updating. 🍃 Scan Your Stack – Use SCA tools like Dependabot, Trivy, or Snyk. 🍃 Restrict CI/CD Auto-Updates – Require manual reviews for third-party updates. 🍃 Monitor for Compromise – Set alerts for vulnerable dependencies. 🌟 TOP OF THE TREE: The Final Takeaway Supply chain security is not an option—it's a necessity! If upstream is compromised, everything downstream is at risk. Never blindly trust software updates—always verify before deploying. Your security is only as strong as the weakest library you import! Be proactive, not reactive—because the next Log4j or XZ Backdoor could already be in your pipeline!🚨 Calling all CISOs and Program Managers! 🚨
We’re looking to connect with security leaders who are passionate about team readiness and resilience. DaveSpencer and our user researcher PamelaSmith are exploring how organisations exercise and prepare their teams for evolving cyber threats. We’re developing a new cyber drills concept and would love to get your insights and feedback. If you're open to having a brief chat to share how you approach team exercises and provide your perspective on our ideas, your input would be invaluable. 👉 Interested or know someone who might be? Get in touch via email or comment below.Phishing != Security Awareness
Dear IL Community, I wanted to express some thoughts about the challenge that organizations may face if they want to establish a cybersecurity culture, especially when individuals within an organization do not prioritize or care about cybersecurity. From my perspective, one of the main reasons it's tough to get a cybersecurity culture going is that people just don't see the potential consequences of cyber threats. They often don't realize how much of an impact a security breach can have or how important it is for them to protect sensitive information. This lack of interest can create a big vulnerability in an organization's security defenses. Would love to get your view and discuss the following things: How can we make cybersecurity feel relevant to every employee? What innovative approaches have you seen in creating a security-minded culture? Are current training methods truly effective, or do we need a radical rethink? Is it about the missing Leadership commitment? Do we struggle to demonstrate the tangible business impacts of cybersecurity? It would be very appreciated if you can share your thoughts and experiences! All the best - NerminHow many 'small' events are there?
Was reviewing Cyber News Live and am amazed at the number of 'small' events out there. They go under the radar and don't make the news. But impact people and their lives every day. Makes me happy to be part of the solution!!! (13) Cyber News Live | December 2024 | Week 49 | LinkedIn
