Dylan (@InsecureNature)

The Sisense breach was rooted in an AWS key in Git.

That got me wondering if was a musical, what would it sound like...

Securing Bits (@securing_bits)

Implement secret scanning in your pipelines with the following 5 open-source tools:

- Trufflehog github.com/trufflesecurit…

- GitLeaks github.com/gitleaks/gitle…

- Semgrep github.com/semgrep/semgrep

- Talisman github.com/thoughtworks/t…

- Yelp Detect-Secrets github.com/Yelp/detect-se…

sushi com abacate (@sushicomabacate)

I took advantage of #rinhadebackend to write a script that reads all the forks of rinha-de-backend-2024-q1 and runs Trufflehog to see if anyone hardcoded any cool credentials #bolhasec

Rayane (@rasaboun)

10th of December: Truffle Security

🤔 I was researching how to better secure code in my GitHub repos when I met TruffleHog, who checks for hidden secrets! 💡

Let me tell you why this secrets-sniffer is so great for keeping my code safe ⤵️

4nt1p4tt3rn 🏴‍☠ Appalachistan Wolf Lodge #47 (@4nt1p4tt3rn)

Since I mentioned it, and others are interested:
github.com/iBotPeaches/Ap…

github.com/trufflesecurit…

Install both, and any dependencies.

Find an Android app you're interested in.

Download it from apkcombo.com.

Decompile it with 'apktool d <filename>'

Truffle Security (@trufflesec)

🤔 Why don’t bug bounty programs reward researchers for finding stolen credentials?
🔍We interviewed ’s CISO about new guidelines including:
🔑 Credential types & vulnerabilities
⚖️ Legal risks
🛠️ TruffleHog tools
trufflesecurity.com/blog/bug-bount…

Zack Allen (@techyteachme)

Going through Steve YARA Synapse Miller's YARA training and playing with atom matching for speed to find AWS keys in files

Good and bad guys leave secrets in files. Use regex! Go to Trufflehog, copy regex, load in cyberchef and voila

gist: gist.github.com/zmallen/d2305b…

Jared Folkins (@JF0LKINS)

Today's notes include AST analysis for web apps, RustHound for Active Directory, youneverknow00's kernelmode DLL injector, pwndoc-ng for pentest reporting, GraphRunner for Entra IDS, TruffleHog, U-Boot and UART for Android extraction, and remote browser isolation bypass…

Black Hills Information Security (@BHinfoSecurity)

'So how do you know if you have buried secrets hiding in the vast digital landscape of your organization? Easy. You employ a truffle hog.'

Rooting For Secrets with TruffleHog
by: Chris Traynor
Published: 1/18/2024
Learn more: blackhillsinfosec.com/rooting-for-se…

Truffle Security (@trufflesec)

Heading to BSidesSF this weekend?

🚀 Visit our booth for the latest updates!

📅 Talks to catch:
🌟 Sat, May 4, 12 PM - 'The Secret Life of Secrets'
🌟 Sun, May 5, 11:15 AM - 'Beyond Code and Clicks'
Check out the schedule: bsidessf.org/schedule

Dylan (@InsecureNature)

There seems to be a little confusion around our post Friday about TruffleHog now decoding AWS account IDs from Access IDs.

It's a new feature of TruffleHog; it's not a security exploit. It's just meant to make people's lives a little easier after discovering secret key pairs.

Black Hills Information Security (@BHinfoSecurity)

**NEW** BHIS | Blog
Are your secrets safe?

Rooting For Secrets with TruffleHog
by: Chris Traynor
Published: 1/18/2024

Learn more: blackhillsinfosec.com/rooting-for-se…

Shah Sheikh (@shah_sheikh)

TruffleHog: Open-source solution for scanning secrets: TruffleHog is an open-source scanner that identifies and addresses exposed secrets throughout your entire technology stack. “TruffleHog was originally a research tool I independently authored in… helpnetsecurity.com/2024/02/21/tru…

Black Hills Information Security (@BHinfoSecurity)

'Identifying and cleaning up leaked secrets before an attacker can find them is a crucial component to security.'

Rooting For Secrets with TruffleHog
by: Chris Traynor
Published: 1/18/2024
Learn more: blackhillsinfosec.com/rooting-for-se…

Anton (@therceman)

Bug Bounty Hint

You can use the Trufflehog Chrome extension for the automated gathering of AWS Keys and Generic/Specific secrets on the visited website.

Later, you can check AWS key validity & permissions using the following GitHub repository:
🔗 github.com/andresriancho/…

Cheers
