Security @ Microsoft. Passionate about Windows Internals. Opinions are my own.
7 subscribers
Oct 21, 2023 • 13 tweets • 5 min read
Okta was breached via their support infrastructure yet again. This time, they only found out because of a customer escalation, which they failed to act on for at least 16 days 🤯. A 🧵 of my takeaways... 1/n sec.okta.com/harfiles
Background: In March 2022, Okta experienced a breach of a third-party "customer support engineer", granting attackers privileged access to customer environments. See the thread below for more details. 2/n
Excited that with today's Patch Tuesday, the results of an effort I've been leading to address frequently abused Mark-of-the-Web problems are finally starting to roll out to millions of our customers worldwide! Here are some deets 1/7
Background: Mark-of-the-Web (MotW) is a security feature designed to tag files downloaded from the Internet and treat them with an extra layer of caution. This can include security warnings when the file is opened or applications disabling certain features for the file. 2/7
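As an added example (not code from the thread or from Microsoft), the following PowerShell shows where the mark described above actually lives: Windows stores MotW as an NTFS alternate data stream named `Zone.Identifier` containing a small INI-style body with a `ZoneId`. The helper names (`Get-MotW`, `Set-MotW`, `Find-UnmarkedFiles`), the zone value 3 for the Internet zone, and the sample file are assumptions for illustration; the cmdlets and the `-Stream` parameter are standard PowerShell.

```powershell
# Added example (not from the original thread): read, apply and audit Mark-of-the-Web.
# Windows keeps the mark in the "Zone.Identifier" NTFS alternate data stream.
# Zone IDs: 0 Local machine, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.

function Get-MotW {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the file has no Zone.Identifier stream, i.e. no MotW at all.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $result = [ordered]@{}
    foreach ($line in ($raw -split "`r?`n")) {
        # Parse "Key=Value" lines; the "[ZoneTransfer]" section header is skipped.
        if ($line -match '^(\w+)=(.*)$') { $result[$matches[1]] = $matches[2] }
    }
    return [pscustomobject]$result
}

function Set-MotW {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,          # assumption: default to the Internet zone
        [string]$ReferrerUrl,
        [string]$HostUrl
    )
    # Write the same INI-style body a browser writes when it saves a download.
    $body = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    if ($ReferrerUrl) { $body += "ReferrerUrl=$ReferrerUrl`r`n" }
    if ($HostUrl)     { $body += "HostUrl=$HostUrl`r`n" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body -NoNewline
}

function Find-UnmarkedFiles {
    # Audit helper: files under a directory that carry no MotW. Content extracted by a
    # tool that does not propagate the stream to its output shows up here.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse |
        Where-Object {
            -not (Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        }
}

# Usage with a constructed sample file (hypothetical path and URL).
$tmp = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$f = Join-Path $tmp 'sample.docx'
Set-Content -LiteralPath $f -Value 'placeholder'

Get-MotW $f                                   # $null: nothing downloaded this file
Find-UnmarkedFiles $tmp | Select-Object FullName   # lists sample.docx
Set-MotW -Path $f -ZoneId 3 -HostUrl 'https://example.invalid/sample.docx'
(Get-MotW $f).ZoneId                          # 3
Find-UnmarkedFiles $tmp                       # nothing: every file is now marked
Unblock-File -LiteralPath $f                  # the built-in way to strip the mark
Get-MotW $f                                   # $null again
```

Two practitioner caveats: the stream only exists on NTFS (and ReFS), so copying a marked file to FAT/exFAT media or a non-Windows share silently drops the mark; and the mark is an attribute of the container file, so whether it reaches files inside an archive or disk image depends entirely on the application that extracts or mounts them, which is exactly the class of gap the thread above refers to.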
Sep 16, 2022 • 30 tweets • 10 min read
The Uber hack is quite severe and wide ranging. Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we've seen so far 1/N
Let's talk about how they were compromised. The attacker has been quite upfront about how they compromised Uber's corporate infrastructure. Uber appears to use push notification MFA (Duo) for their employees. How can an attacker get around MFA? 2/N
Mar 28, 2022 • 13 tweets • 4 min read
New documents for the Okta breach: I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group. 1/N
We can see how LAPSUS$ originally began investigating their compromised host on January 19th, 2022. With little regard for OPSEC, LAPSUS$ searched for a CVE-2021-34484 bypass on their compromised host and downloaded the pre-built version from GitHub. 2/N
The LAPSUS$ ransomware group has claimed to breach Okta sharing the following images from internal systems.
The screenshots are very worrisome. In the pictures below, LAPSUS$ appears to have gotten access to the @Cloudflare tenant with the ability to reset employee passwords:
Sep 3, 2021 • 14 tweets • 5 min read
Rant about how @Bugcrowd and @Hacker0x01 set up their platforms to let vendors who host private programs abuse researchers. Entirely based on a true story with @Bugcrowd in my case. This is for my #bugbounty friends out there. 1/n
Let's say you are a researcher invited to a private program. You spend 10-20 hours looking for vulnerabilities and you finally find one! You report it to the vendor and... they say it's not applicable. 2/n