UPDATE: I reached the person who claims to have hacked Optus. I've also been contacted by a second, separate source who says the hacker's version of events is approximately correct. Here's what they said. #OptusHack #infosec #auspol
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to log in. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked; otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.
That API address was passed to me by a second source. That was hosted in Google Cloud/Apigee. When the hacker started hitting that API hard, it triggered a security alert. In other words, a suspiciously high volume of data was coming from that API. #OptusHack
The hacker says they enumerated the customer records via the "contactid," which is a field that appears in the leaked data samples. Not sure exactly what the contactid is. By enumerating, the hacker means they accessed the records sequentially by the contactid. #OptusHack
Here's a tidy news story that wraps up all my Optus data breach tweets. I've tried to make this understandable for everyone. It's important we understand how our personal data is at risk if not protected. #OptusHack #auspol #infosec bankinfosecurity.com/optus-under-1-…
Sorry I made a slight error when writing the URL for that API endpoint. It was: api.www[dot]optus.com.au.
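The thread describes two things a defender can look for in API logs: requests to a customer-record endpoint that carry no credential, and one client walking record identifiers in sequential order. The detection below is an added example, not code from the thread or from Optus; the log layout, the `/v1/customer/<contactid>` path and the client addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not Optus data), layout "ip method path auth status":
# 203.0.113.7 walks contactids with no credential; the rest fetch their own record.
SAMPLE_LOG = """\
203.0.113.7 GET /v1/customer/100001 auth=none 200
203.0.113.7 GET /v1/customer/100002 auth=none 200
203.0.113.7 GET /v1/customer/100003 auth=none 200
203.0.113.7 GET /v1/customer/100004 auth=none 200
203.0.113.7 GET /v1/customer/100005 auth=none 200
198.51.100.20 GET /v1/customer/557321 auth=bearer 200
198.51.100.44 GET /v1/customer/918004 auth=bearer 200
"""

LINE_RE = re.compile(r"^(\S+) \S+ /v1/customer/(\d+) auth=(\S+) (\d{3})$")

def parse(log_text):
    """Parse matching lines into (ip, contactid, auth, status); skip the rest."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, cid, auth, status = m.groups()
            rows.append((ip, int(cid), auth, int(status)))
    return rows

def longest_sequential_run(ids):
    """Longest stretch of ids where each is exactly the previous one plus one."""
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(rows, min_distinct=5, min_run=4):
    """Flag clients that pulled many distinct records in sequential contactid
    order; only 2xx responses count, since those are the ones that leaked."""
    per_client = defaultdict(list)
    for ip, cid, auth, status in rows:
        if 200 <= status < 300:
            per_client[ip].append((cid, auth))
    findings = {}
    for ip, reqs in per_client.items():
        ids = [cid for cid, _ in reqs]
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            findings[ip] = {"distinct": distinct, "run": run,
                            "unauthenticated": any(a == "none" for _, a in reqs)}
    return findings
```

The thresholds are deliberately low so the sample trips them; on real traffic they would be tuned per endpoint, and a finding with `"unauthenticated": True` is the access-control failure the thread describes rather than just a noisy client.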
Thread by Jeremy Kirk (@jkirk@infosec.exchange)