MG Profile picture
MG
I was a terror since the public school era. My opinions are your adversary’s. — I also make terrible things: https://t.co/cwueENXhIv
Nov 26 4 tweets 2 min read
When we added C2 capabilities to OMG Cable, people would say “But I’d notice it on my network!”

I said: yeah, but would you notice it on your neighbor’s wifi, free cafe wifi, etc? 😈

Also, here is a free nightmare: when wifi drops due to power loss, those battery powered IOT devices do ALL kinds of useful things if you’re in range. Oh absolutely. Most places won’t notice. Especially with the added MAC spoofing and the C2 traffic looking like misc web traffic. There are lots of options before needing to use a nearby network, or supplying your own.
Sep 17 25 tweets 7 min read
The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down.

🧵1/n First, with over 1000 instances being reported, this is likely supply chain as opposed to a few modified devices. Done either during shipment and/or at the factory.
🧵2/n
Jun 15 16 tweets 4 min read
Lots of news stories about people getting fired for using mouse jigglers & simulated keyboard activity. There is also a LOT of misinformation.

Lets correct:
- why it’s detected
- how it’s detected
- how all commercial jigglers are detectable (even mechanical ones)

🧵1 Image Every large company has security tools running on employee computers. It’s critical for detecting breaches of security & providing trails of evidence to understand how. Employees bypassing inactivity timeouts get caught in the net & are easy to detect IF the company WANTS.
🧵2
Jun 3 22 tweets 7 min read
I like to read replies to posts like this just to remind myself how misinformed the general public is about “USB-C”
So here is a thread looking at a few of them…
🧵1 First, USB-C is a specification for the physical connector. NOT the protocol. And it intentionally supports multiple protocols like USB, USB-PD, Thunderbolt, DisplayPort, HDMI, PCIe, etc.

Some protocols exclusively use USB-c, like USB-4, Thunderbolt 3 & 4, USB-PD.
🧵2
Oct 1, 2023 5 tweets 2 min read
Heads up, for anyone changing an iOS passcode to keep someone out.

For iOS 17, old passcodes keeps working for 72 hours. Also, the old passcode can be used to reset your iCloud password!

You can manually expire them but..
🧵1/n

support.apple.com/en-us/HT213849 ... but the option to expire the old passcode is not next to the "change passcode" button. So, it's easy to miss this new 72hr mechanism entirely. Not ideal...

Please fix this Apple

🧵2/n Image
May 9, 2023 6 tweets 2 min read
I lost $150k in hardware during shipping. The carrier closed the investigation with “it’s gone, sorry”

So I started working through their org. Getting internal info. Eventually “bribing” some of the employees to dig a little deeper.
🧵1/n Then I found a local in China to help navigate the Chinese employees of the carrier. It actually worked! The package was found in one of the carrier’s facilities in China.
🧵2/n
Mar 22, 2023 7 tweets 3 min read
I just did some digging into that “USB Bomb” story.

So here is a quick thread on what it looked like, the damage it did, and the pretext.

🧵1/n

bbc.com/news/world-lat… So this looks to be one of the unexploded drives. Which indicates a modified brand name thumb drive.

Note reads:

THE INFORMATION IS GOING TO UNMASK THE CORREISMO.

THINK IT'S USEFUL, WE CAN REACH AN AGREEMENT AND I'LL SEND YOU THE SECOND PART.
🧵2/n Image
Feb 27, 2023 9 tweets 4 min read
New details on the 2nd LastPass incident are fun:
- got into Sr DevOp's home via vuln media software
- installed keylogger
- got master pass to corp vault (seemingly because it was being accessed from home computer)

Cool to see that LastPass is sharing support.lastpass.com/help/incident-…twitter.com/i/web/status/1… Does your Red Team get to target people’s home computers and networks? I am guessing that a great big “nope” for almost every company I know of.
Jan 12, 2023 8 tweets 2 min read
How Sex Toys Have Created Support Problems for the OMG Cable (another story of iterative design)

I have just decided on a new revision to the OMG Flasher (aka Programmer) & figured you might be entertained by it.

🧵1/n So, the OMg Flasher is used to flash new firmware to OMG Cables. It’s become a huge strength to the product, especially after we streamline the flashing process to “click next 3 times in Chrome”. It lets us doing lots of cool stuff for customers. But let’s skip over that.
🧵2/n
Sep 16, 2022 4 tweets 2 min read
😂😂😂😂😂😂
I miss when this kind of thing was the norm. Do more of this please! Also, in the 95% chance this was kids: maybe don’t throw the book at them. Realize how bad it could have gone if this was a funded adversary.

Sounds like most of the employees are having just as much fun as whoever got in. Enjoy the chaos y’all!
Sep 14, 2022 6 tweets 2 min read
This is not a good look Apple, but hopefully an oversight? Root cause seems to be that iOS Safari can no longer use local keychain for anything.

That said, if you use FIDO2/Webauth... do not upgrade to iOS16 unless you want Tim Apple to have your keys. It looks like iOS apps do not have this issue, nor does MacOS Safari. They can all use local. So it feels like an oversight, but the optics are not great with the release of Passkey, and the constant push toward iCloud services.
Sep 3, 2022 4 tweets 1 min read
TFW the OMG Cable (Keyser Soze edition) steals all your Bitcoin, despite having uber airgapped security.

🧵1/3

reddit.com/r/CryptoCurren… A day later you casually mention that nasty password re-use habit you have, but buried in a threaded comment.

Note the timing: after multiple people (who actually read the product page) are casting doubt on the claim.

🧵2/3
Mar 23, 2022 15 tweets 4 min read
Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.

🧵1/n First, the premise of MFA is that an attacker can’t get in with just your password. Increasing difficulty is always good. Don’t fall into the “it’s not perfect so there is no point” mindset.

🧵2/n
Mar 22, 2022 19 tweets 7 min read
Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. LAPSUS looks to be in everything of Okta’s. JIRA, Slack, Etc. But some of the screenshots seems to show Super User access capable of modifying/accessing customer accounts. 😬😬

This is gonna be a ride. 🔥
Mar 5, 2022 5 tweets 2 min read
So, @adafruit was/is:
- using customer data for testing/training
- allowed it to be uploaded to a public git repo
- decides not to e-mail impacted customers because “reasons”

the first two are classic fails, but the last one is just sketch These are common and fixable mistakes. Whatever. But not notifying does 2 things:
- shows you favor your image over the customer
- opens up a window for malicious phishing to be the first contact your customers receive
Feb 25, 2022 9 tweets 3 min read
If I told you that Type C connectors require green PCBs? Would you believe me?

It’s actually partially true…
1/n Let’s compare the pin density of a common USB Micro connector to the most common USB C connector.

See how much more tightly packed the USB-C is? It makes soldering them quite a bit more difficult.
2/n
Feb 24, 2022 16 tweets 4 min read
Time for a thread on the OMG Programmer!

Most people don’t give it a second thought beyond a tool used to setup the firmware on their OMG Cable, Plug, etc.

I want to show you:
⁃WHY this thing is awesome.
⁃HOW it works (esp for my electronics friends)

1/n So first, let’s run through WHY this is my ideal option for loading firmware, especially for hardware designed for mischief.
2/n
Dec 18, 2021 9 tweets 3 min read
KnowB4 customers are some of the easiest to spearphish. This is just one example of why.

Their official instructions tell customers to setup filter bypasses that any attacker can also use. In the instructions, they include absolutely no cautionary info about it. 🤡 Image Phish Sim like knowbe4 is very often executed horribly, like what is seen below. Most of the time, it’s used to send “gotcha” emails that are nothing like what actual attackers are sending.
Dec 1, 2021 5 tweets 2 min read
Damn, so @briankrebs got played by the ex employee trying to extort his company, and it resulted in billions of dollars in losses for the company.

This is a fun one to add to your Inside Threat profiles. You may remember back in March that Krebs published a story based on what a single "internal whistleblower" said, challenging Ubiquiti's public response to the breach.

That "whistleblower" was the same person trying to extort Ubiquiti :)

krebsonsecurity.com/2021/03/whistl…
Nov 12, 2021 5 tweets 2 min read
Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago?

Guess it wasn't easy to notice under all the loud opinions about ethics. 🤣 Yeah, looks like the fixed version was released on Sept 23, 2020: github.com/noperator/pano…
Nov 11, 2021 4 tweets 2 min read
Is defense in depth so much of a unicorn that nobody can imagine an org that wants to test 0day detections?

There are orgs who’s defense is sophisticated enough to warrant 0day. I promise. But the responses are making me wonder how wide spread the eggshell networks are in 2021 Don’t get me wrong. Using 0day when you don’t need it is silly. But red teams for large/sophisticated defense teams *are* using 0day & doing so is highly valuable to blue team.

0day isn’t implausible. Check the news.

I’m jealous of y’all who test nothing but eggshells all day