Today in Tim meets old colleagues in random places, bumped into one of our old red team and an old Portcullis customer at the ATT&CK event.
timb_machine@infosec.exchange
-
Citations are nice. Thank you anon.
-
Long old week but 5 happy customers, two commuting to renewals makes it all worthwhile. I shall sleep well tonight.
-
Stumbled into a channel where everyone is replacing themselves with their AI pets and well, if you're the kind that needs an agent to do anything then no wonder you're having trouble installing an agent...
-
Copy fail is vibe-arg'ing at its finest...
Copy Fail — 732 Bytes to Root
Copy Fail (CVE-2026-31431): a 732-byte Linux LPE — straight-line, no race, no per-distro offsets. Same Python script roots Ubuntu, Amazon Linux, RHEL, SUSE since 2017. Page-cache write bypasses on-disk file-integrity tools and crosses container boundaries. Found by Xint Code.
Xint (copy.fail)
-
Today in CVSS questions: This is with respect to "traceroute 2.1.2 - MPLS Extension Out-of-Bounds Read". Feels sloppily written...
-
Today in CVSS questions:
CVSS v3.1 Score: 5.9 (Medium) — AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network (on-path / rogue router)
Do you mean AV:A?
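To see what the AV:N versus AV:A question changes, here is a small CVSS v3.1 base-score calculator added as an example (not part of the post); it implements the spec's base formulas, including the scope-changed curve, and the function name cvss31_base_tenths is made up. Fed the quoted vector it returns 59 (5.9); with AV:A it returns 53 (5.3).

```c
/* Added example, not part of the post: CVSS v3.1 base score for a vector
 * string, returned in tenths (59 == 5.9); -1 means a malformed vector. */
#include <string.h>
/* Look up one metric (key like "AV:") and map its letter through vals/w.
 * Matches only at the start or after '/', so "C:" does not hit "AC:". */
static double metric(const char *vec, const char *key, const char *vals,
                     const double *w)
{
    for (const char *p = strstr(vec, key); p; p = strstr(p + 1, key))
        if (p == vec || p[-1] == '/') {
            const char *hit = strchr(vals, p[strlen(key)]);
            return hit && *hit ? w[hit - vals] : -1;
        }
    return -1;
}
/* The spec's Roundup(): round to one decimal, always upward. */
static int roundup_tenths(double x)
{
    long i = (long)(x * 100000.0 + 0.5);
    return (int)(i % 10000 == 0 ? i / 10000 : i / 10000 + 1);
}
int cvss31_base_tenths(const char *vec)
{
    static const double av[] = {0.85, 0.62, 0.55, 0.20}; /* N A L P */
    static const double ac[] = {0.77, 0.44};             /* L H */
    static const double ui[] = {0.85, 0.62};             /* N R */
    static const double cia[] = {0.00, 0.22, 0.56};      /* N L H */
    static const double pr_u[] = {0.85, 0.62, 0.27};     /* N L H, S:U */
    static const double pr_c[] = {0.85, 0.68, 0.50};     /* N L H, S:C */
    static const double sc[] = {0.0, 1.0};               /* U C */
    double s = metric(vec, "S:", "UC", sc);
    if (s < 0) return -1;
    int changed = s > 0;
    double m[7] = {metric(vec, "AV:", "NALP", av), metric(vec, "AC:", "LH", ac),
                   metric(vec, "PR:", "NLH", changed ? pr_c : pr_u),
                   metric(vec, "UI:", "NR", ui), metric(vec, "C:", "NLH", cia),
                   metric(vec, "I:", "NLH", cia), metric(vec, "A:", "NLH", cia)};
    for (int i = 0; i < 7; i++) if (m[i] < 0) return -1;
    double iss = 1.0 - (1.0 - m[4]) * (1.0 - m[5]) * (1.0 - m[6]);
    double impact = 6.42 * iss, p15 = 1.0;
    if (changed) { /* scope-changed impact curve from the spec */
        for (int i = 0; i < 15; i++) p15 *= iss - 0.02;
        impact = 7.52 * (iss - 0.029) - 3.25 * p15;
    }
    if (impact <= 0) return 0;
    double expl = 8.22 * m[0] * m[1] * m[2] * m[3];
    double base = changed ? 1.08 * (impact + expl) : impact + expl;
    return roundup_tenths(base > 10.0 ? 10.0 : base);
}
```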
-
We welcome ATT&CK v19: -
Discuss: x isn't a security boundary because ... (where x is represented in https://attack.mitre.org/datacomponents/ or other control lists).
Counterpoint: Anything that changes the profile of the attack surface and presents an opportunity for detection can be considered a security boundary. Some may be more effective than others, some may have bugs, others may be configured badly, but they all have some boundary value. The point of a security test is to point out the bugs and misconfigurations.
-
Maybe not you, but *some* people do want persistent access to Cisco devices:
* https://blog.talosintelligence.com/uat-4356-firestarter/
* https://www.cisa.gov/sites/default/files/2026-04/AR26-113A_MAR_FIRESTARTER_backdoor.pdf -
If like me, you're a fan of Kae Tempest's written word:
-
Forget about the intricacies of the DNS spec. This should have seemed like a bad life choice in any event. Turning user input into a command line when all you really wanted to do was write a 0 byte file:
sprintf(acfcommand, "/bin/touch %s/control/notlshosts/'%s'",
        info->pw_dir, partner_fqdn);
fp = popen(acfcommand, "r");
-
Interesting links of the week:
Strategy:
* https://www.isc.org/blogs/2026-04-16-How-to-report-a-vulnerability/ - @iscdotorg makes some useful suggestions on reporting vulnerabilities
* https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/ - building a GRC framework with Claude
* https://jericho.blog/2026/04/17/nvd-gives-up/ - Jericho from @attritionorg gives us the skinny on the NVD updates
* https://www.usenix.org/system/files/login/articles/login_apr15_12_geer.pdf - Dan Geer predicts...
* https://security.googleblog.com/2025/04/google-launches-sec-gemini-v1-new.html - remembering Sec-Gemini v1 hype
* https://init6.com/papers/Day-Zero-Normal-CISO-Brief.pdf - @mubix comes with another take on AI and LLM
* https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/mythosready-20260413.pdf - the Cloud Security Alliance chip in
* https://cje.io/2026/04/08/offense-scales-with-compute-defense-scales-with-committees/ - as does @cje
Detection:
* https://pub.expmon.com/ - Haifei Li's EXPMON
* https://obdev.at/blog/little-snitch-for-linux/ - @littlesnitch comes to Linux
Bugs:
* https://x.com/Gi7w0rm/status/2042370775546482815 - more on that spike in Adobe Reader bugs chain
* https://rhisac.org/threat-intelligence/bluehammer-windows-local-privilege-escalation-zero-day-publicly-released/ - moar on Blue Hammer #1
* https://www.cyderes.com/howler-cell/windows-zero-day-bluehammer - moar on Blue Hammer #2
* https://www.coresecurity.com/blog/analysis-bluehammer-lpe-exploiting-windows-defender-updates - moar on Blue Hammer #3
Exploitation:
* https://www.slideshare.net/slideshow/how-i-use-ai-for-penetration-testing-teri-radichel-2nd-sight-lab-3fb8/286987132 - @teriradichel
Hard hacks:
* https://hackers-arise.com/scada-ics-hacking-and-security-attacking-the-modbus-protocol-with-rofuzz/ - attacking ICS and other OT with rofuzz
* https://medium.com/@theopenshelf/amazon-is-cutting-kindle-store-access-on-pre-2013-kindles-a7b495cb51ee - Amazon has a Kindle problem and how you can help...
Development:
* https://appsec.guide/docs/languages/c-cpp/lang-c-cpp-bug-classes/ - @trailofbits's security coding guidance with bits'n'pieces from @gsuberland
* https://blog.trailofbits.com/2026/04/09/master-c-and-c-with-our-new-testing-handbook-chapter/ - @gsuberland's accompanying blog post
* https://arxiv.org/html/2603.21852v2 - all elementary functions from a single operator
Data:
* https://cardcatalogforlife.substack.com/p/google-has-a-secret-reference-desk - getting more out of GOOG
It's notable how many of the talking heads on AI and LLM are US based or funded *and* how many of them come from a cloud centric generation of businesses...
-
@gsuberland Suggestion for Unsafe Warnings: "Body Onboard" stickers for car drivers.