A thing I do at Dragos (not a plug, just thought you might find interesting), is elaborate functional and crown jewel analysis of industrial facilities where I spend days interviewing staff to figure out all the horrible things that could happen and what device could cause them.
Like I literally spend days of my life figuring out what PLC on what shelf could cause places to explode under specific operational and security conditions.
It's interesting. I found out how to spoil eggs en masse and also cause cataclysmic chemical chain reactions.
I'm involved in that process as an incident responder along with chemical / electrical engineering specialists and assessors, because it's a complex process. You see a lot of stuff that keeps you up at night, and most of it isn't what everyone else worries about.
Like, let me give you a very minor example - looking at an environment you think that the plethora of XP machines are the meaningful security issue, but really it ends up being the building automation power subnet that regulates power to HVAC that maintains operational temps.
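As an added illustration of the consequence-first ranking the thread describes (example code written for this page, not from Dragos or the author), using a constructed facility model: every asset is scored by the worst physical outcome a failure of it can propagate to, so a single building-automation power subnet feeding HVAC outranks a whole fleet of XP workstations that can only delay reporting.

```python
from collections import deque

# Constructed, illustrative facility model (not from the original thread):
# an edge A -> B means loss or compromise of A can propagate to B.
# Nodes listed in CONSEQUENCES are physical outcomes with a severity score;
# everything else is a device, network segment or process state.
DEPENDS = {
    "xp_workstation_1": ["historian"],
    "xp_workstation_2": ["historian"],
    "xp_workstation_3": ["historian"],
    "historian": ["reporting_delay"],
    "bas_power_subnet": ["hvac_controller"],
    "hvac_controller": ["operating_temperature"],
    "line3_plc": ["operating_temperature"],
    "operating_temperature": ["runaway_reaction", "product_spoilage"],
}
CONSEQUENCES = {"reporting_delay": 1, "product_spoilage": 4, "runaway_reaction": 10}


def reachable_consequences(asset, depends=DEPENDS, consequences=CONSEQUENCES):
    """Return the set of physical consequences reachable from `asset` (BFS, cycle-safe)."""
    seen, queue, found = {asset}, deque([asset]), set()
    while queue:
        node = queue.popleft()
        if node in consequences:
            found.add(node)
        for nxt in depends.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return found


def worst_case(asset, depends=DEPENDS, consequences=CONSEQUENCES):
    """Severity of the worst consequence this asset can lead to (0 if none)."""
    reached = reachable_consequences(asset, depends, consequences)
    return max((consequences[c] for c in reached), default=0)


def rank_assets(depends=DEPENDS, consequences=CONSEQUENCES):
    """Rank every non-consequence node by worst-case severity, highest first."""
    assets = [n for n in depends if n not in consequences]
    return sorted(assets, key=lambda a: (-worst_case(a, depends, consequences), a))


if __name__ == "__main__":
    for asset in rank_assets():
        print(f"{asset:24} worst={worst_case(asset):2} via {sorted(reachable_consequences(asset))}")
```

Counting vulnerable hosts would put the three XP machines at the top; ranking by reachable consequence puts them last.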

Thread by Lesley Carhart (@hacks4pancakes)

