Jackie Singh 🇺🇸
Jul 10, 2024, 18 tweets, 6 min read
I am reviewing this alleged hack of The Heritage Foundation.

I have identified very embarrassing data within this dataset. Why so many Chinese IP addresses? 🤔
The zipped file contains one single file:

"daily-signal_dev_database_new.sql"

This appears to be a combined set of exports from a SQL database. Here are the first lines: [image]
Because this is a combined export (likely from the command line) of various tables, the file is not readable by a typical SQL editor, and needs to be split into pieces to make it so.

I'd rather just turn it into CSV chunks to start cleaning up the dataset for further analysis.
There are 215,000 lines or so in the WordPress Comments table. As you can see, comment_author_IP is available, which is broadly useful to get a sense of where people posting replies to the Heritage blog are coming from in the world.

Earliest date: 2008-01-04. Newest: 2022-11-09. [image]
After creating a CSV chunk with only the WP comments table, now I can view columns and extract their content as needed. After extracting IP addresses from the author column, I can eliminate duplicates and work on analyzing their presumed geo origin, which is of interest to me. [image]
Dataset was a little dirty and a hassle to clean up.

Here are the 60K extracted IPs from the WP Comments table:

#HeritageFoundation defuse.ca/b/PTrmvlbs
Sample geolocations from the first 100 IPs (these are sorted 'low to high', and many Asia-based netblocks start with the number 1). [image]
Here are the 69.5K email addresses present within the complete dataset:

🤔 235 .mil and .gov email addresses
🤔 95 .ru and .cn email addresses

#HeritageFoundation defuse.ca/b/mLXCi0iXsGFj…
Linked below is a statistical breakdown of the domain names associated with all email addresses in the dataset.

Stacking and counting are basic analytical tools which can help analysts identify outliers.

defuse.ca/b/GMCj2uAfvELn…
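As an added example (not the thread author's script, and run against constructed data rather than the leaked file), the steps described above can be done in one pass over a mysqldump-style export: stream the file line by line so the multi-table combined dump never has to be split for a SQL editor, pull `comment_author_IP` and `comment_author_email` out of the `wp_comments` INSERT statements, deduplicate and validate the IPs in true numeric order, and stack and count the email domains and top-level labels. This is the same triage an incident-response team does to scope exposed PII after a breach. The sample dump, its abbreviated column set and all addresses are constructed; the parser assumes mysqldump's one-INSERT-per-line layout and backslash escaping inside single-quoted strings.

```python
import re
from collections import Counter
from ipaddress import ip_address

TABLE = "wp_comments"
CREATE_PREFIX = f"CREATE TABLE `{TABLE}`"
INSERT_PREFIX = f"INSERT INTO `{TABLE}` VALUES "
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}
EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9.-]+\.[a-z]{2,})$")

# Constructed sample in mysqldump's shape (columns abbreviated); addresses are
# RFC 5737/3849 documentation ranges and example.* domains, not leaked data.
SAMPLE_DUMP = """\
CREATE TABLE `wp_comments` (
  `comment_ID` bigint(20) unsigned NOT NULL,
  `comment_author` tinytext NOT NULL,
  `comment_author_email` varchar(100) NOT NULL,
  `comment_author_IP` varchar(100) NOT NULL,
  `comment_date` datetime NOT NULL,
  PRIMARY KEY (`comment_ID`)
);
INSERT INTO `wp_comments` VALUES (1,'alice','alice@example.com','192.0.2.1','2008-01-04 09:12:00'),(2,'bob','bob@example.org','198.51.100.7','2010-05-02 11:00:00');
INSERT INTO `wp_comments` VALUES (3,'O\\'Brien','obrien@mail.example.mil','192.0.2.1','2022-11-09 08:00:00'),(4,'eve','eve@example.ru','not-an-ip','2015-03-03 00:00:00'),(5,'mallory','mallory@example.ru','2001:db8::1','2016-01-01 00:00:00');
"""


def parse_values(blob):
    """Split the (...),(...); tail of one INSERT into rows of raw strings; backslash
    escapes inside quotes are honoured so a quote or comma in a name cannot shift columns."""
    rows, row, field = [], [], []
    i, in_str, in_tuple = 0, False, False
    while i < len(blob):
        c = blob[i]
        if in_str:
            if c == "\\" and i + 1 < len(blob):
                field.append(ESCAPES.get(blob[i + 1], blob[i + 1]))
                i += 2
                continue
            if c == "'":
                in_str = False
            else:
                field.append(c)
        elif c == "'":
            in_str = True
        elif c == "(" and not in_tuple:
            in_tuple, row, field = True, [], []
        elif c in ",)" and in_tuple:
            row.append("".join(field))
            field = []
            if c == ")":
                rows.append(row)
                in_tuple = False
        elif in_tuple:  # unquoted value such as a number or NULL
            field.append(c)
        i += 1
    return rows


def load_comments(dump_text):
    """Stream the dump line by line (works on a multi-table combined export) and
    return wp_comments rows as dicts keyed by the column names in CREATE TABLE."""
    cols, create_buf, in_create, rows = None, [], False, []
    for line in dump_text.splitlines():
        if line.startswith(CREATE_PREFIX):
            in_create, create_buf = True, []
        elif in_create:
            if line.startswith(")"):
                in_create = False
                # column definitions are the indented backticked lines; KEY lines do not match
                cols = re.findall(r"^\s+`(\w+)`", "\n".join(create_buf), re.M)
            else:
                create_buf.append(line)
        elif line.startswith(INSERT_PREFIX):
            if cols is None:
                raise ValueError("INSERT before CREATE TABLE: column names unknown")
            for values in parse_values(line[len(INSERT_PREFIX):]):
                rows.append(dict(zip(cols, values)))
    return rows


def distinct_ips(rows):
    """Deduplicated, syntactically valid IPs in true numeric order (a string sort
    puts 9.x after 100.x), v4 before v6, plus the values that were not IPs at all."""
    valid, rejected = set(), []
    for r in rows:
        raw = r.get("comment_author_IP", "").strip()
        try:
            valid.add(ip_address(raw))
        except ValueError:
            rejected.append(raw)
    ordered = sorted(valid, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected


def domain_counts(rows, tld_only=False):
    """Stack-and-count email domains (or just their top-level label, e.g. '.mil')."""
    counts = Counter()
    for r in rows:
        m = EMAIL_RE.match(r.get("comment_author_email", "").strip().lower())
        if m:
            domain = m.group(1)
            counts["." + domain.rsplit(".", 1)[-1] if tld_only else domain] += 1
    return counts
```

Calling `load_comments(SAMPLE_DUMP)` and then `distinct_ips(...)` and `domain_counts(..., tld_only=True)` gives the distinct-IP list and the per-TLD counts the thread reports by hand; `rows` can be handed straight to `csv.DictWriter` for the CSV chunk. The streaming design matters on a 1.94 GB file: nothing is held in memory except the rows of the one table being triaged, and a malformed IP string is reported rather than silently dropped, which is the row you want to look at when the dataset is "a little dirty".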
I have a script running to grab geolocation information and will tweet when it finishes.

Those working at big companies with access to certain commercial tools can do this more quickly than I can.
Because the original host took the file down, you can now find it here:

This is a 368 MB .zip file which uncompresses to a single 1.94 GB flat file.

SHA256: 3dcc258331d9139a654402d20b756b57ca17228aa9e2f80a4b6451b96c8eac70

tan-medieval-hornet-252.mypinata.cloud/ipfs/QmVwiYsr4…
The hacker group claiming responsibility for this action has released new information on their Telegram channel. [image]
Here is the list of Administrators.

defuse.ca/b/ely6s7iwqpLF…
BREAKING: SiegedSec claims to have officially disbanded.

#HeritageFoundation
@CloudsEdgeArt1 I am the first person covering this.
