Secret’s out: Introducing Just Hacking Training! 🤓

Just Hacking Training is a new venture from me and my friend, Don Donzal, to offer hands-on, affordable training with tons of all-star practitioners, such as…

• Jason Haddix

• Ali Hadi

• seclilc

• Katie Paxton-Fear

• Jake Williams

• Yours truly 😅

We just launched on October 1 with 4 courses, 2 Upskill Challenges (UCs), 2 Hack-Alongs (HALs), and 1 Capture the Flag (CTF) event. There are FREE and Name Your Price options to provide focused technical training for all levels.

Here are the 4 courses available right now:

• Script-Based Malware Analysis by yours truly

• Beginner Level OSINT by Mishaal Khan

• Mastering Active Directory Security Volume 1 - Credentials by Slavi Parpulev

• Ease Me into Cryptography by Ellie Daw

I’ll announce new courses during the first week of each month on my socials. I’ll also give you a heads-up in these newsletters about new UCs, HALs, and CTFs.

Please tell us on Discord what you think as well as what courses you'd like to see. You can engage with the instructors and other students and get support there as well.

We’re in the very early stages of adding courses and content, but I was going to burst if I had to wait any longer to announce the news. 😝

News & Commentary

Microsoft tricks hackers, lures them into honeypots to learn more about them 🎣 

Okay, I know we take a lot of playful (…?) jabs at Microsoft, but this is actually really cool.

The company created fake Azure tenants and used them to lure would-be phishers into honeypots. From there, Microsoft quietly collected intelligence on the “victims” (are unethical hackers ever really victims, though?) to learn more about the tactics and techniques they use during their hacks. And those phishers were none the wiser. 😎

Now, let me tell you about these Azure tenants. These things looked legit. They had domain names, user accounts, and activity — all primed and ready for hackers to explore. And explore they did! In fact, Microsoft claims that they’ve been able to learn more about state-sponsored groups like Midnight Blizzard, which has set Microsoft in its crosshairs multiple times.

How’s that for karma?

Introducing Sir Isaac Newton, Professor of Physics at MIT 🤓

Google Scholar officially recognizes Sir Isaac Newton as a “Professor of Physics, MIT” — even noting his verified .edu email! Turns out, Newton was even further ahead of his time than we thought, as he died in 1727 and Google Scholar wasn’t created til some 277 years later. 🤣

Here’s a snapshot of Professor Newton’s Google Scholar profile:

Okay, jokes aside, how the heck did this happen? Well, as it turns out, it’s not quite as difficult to become a Google Scholar as you might think. Google states that there are 5 steps to creating an author profile, and the only stipulation required to appear in Google Scholar search results is to “enter your university email address.”

So for funsies, I started the process. And, uh, I’m kind of seeing how this happened.

Anyway, this made me think about identity verification and how it works on social media these days. Remember back in the olden days, what the process was like to get verified on Twitter? You all but had to submit a blood sample of your firstborn to get that coveted blue checkmark. Now, you just kind of…pay for it. And apparently, it’s not terribly hard to become a Google Scholar.

Do easy verification processes cheapen the experience? Or do they make it easier to be verified while still requiring some form of identification (e.g., an active university email address), which (arguably) upholds the integrity? 🤔

Bad actors introduce infostealer malware to “fix” Google Meet “errors” ❌

If you use Google Meet, there’s a new social engineering tactic to beware of: ClickFix.

Bad actors are spinning up fake Google Meet pages, displaying an error and directing victims to run malicious PowerShell code. From there, hackers deliver various infostealer malware, such as StealC and Atomic Stealer. And because the end user is tasked with running the code, this attack often evades even solid security tools.

Don’t copy and paste shady-looking code into the PowerShell terminal, folks. 😅

Sponsor

Empowering the Next Generation of Cybersecurity Experts

Project Cyber is a non-profit committed to closing the gender gap in cybersecurity. By providing comprehensive resources and career pathways, Project Cyber empowers girls to excel in the cybersecurity field, building a more diverse and prepared workforce.

Learn more and get involved at Project Cyber.

• October 21: From The Source, hosted by The Volatility Foundation. I’ll give a presentation called Malware ExtravaScamza. 😁

• October 29-31: Security BSides Cayman Islands

Giddy up, friends, and let me tell y’all about the hootenanny that was Wild West Hackin’ Fest.

(Okay, going a lil off brand there. I’ll stop. 😅)

Wild West Hackin’ Fest was awesome. It’s such a stand-out conference to begin with because it takes place in Deadwood, South Dakota — obviously the first place that comes to mind when you think cybersecurity training. 😆

I gave a presentation called When I Grow Up, I Wanna Be a Script Kiddie, where we chatted about why tooling doesn’t really matter.

And then, I got the surprise of my life: I won this year’s Rita Award. 🥹 And what a snazzy-looking award it is.

I’m still shocked about this, but more than anything, I’m honored. It truly warmed my heart to take this home with me. I appreciate this so much!!

Love this thing? Have some pointers on how I can make it better? Please reply to this email and let me know. I really want these newsletters to be worth reading to you, and your feedback makes that possible!

Here’s what I’m wondering this week: Do you prefer news items that are strictly l33t and n3rdy, or do you like more entertaining cybersec news (think “Sir Isaac Newton, Professor at MIT”)? Let me know!