People were concerned that gov record retention laws were being broken due to the use of Signal. This picture shows that’s not the case!

See the “TM SGNL” on screen? That’s a Signal wrapper specifically for maintaining archives of the messages.

telemessage.com/mobile-archive…

I can’t comment on security implications of the wrapper, but I suspect my prior criticism of “probably not using Signal securely” are fairly off base considering how this alters the threat model. Yes. I’d love to know what “I have confirmation … its turned off” refers to as well :p

I have a slightly different take on these leaked signal messages of the Trump admin planning the attack on Houthis…

Once again, it’s that nobody seems to use Signal SECURELY. If they had, this leak would have been less likely.
🧵1/n

The Atlantic article on this touches on policy of where & how these comms should happen, but completely misses the Signal failure that started this.

It starts right at the beginning. A new connection request was made by Mike Waltz, and then immediately added to a signal group. Waltz did NOT do anything to verify the identity of the person (else he’d quickly notice it was a journalist), and clearly did not verify the Signal Safety Number over a trusted channel (which means it’s susceptible to interception).

I doubt they are using things like Registration Lock either, which means anyone can hijack their Signal accounts with a simple SIM swap… which should be assume an automatic threat when the telcos have admitted China has access to everything.

The failure to do this also points to a strong indication that this is likely a recurring pattern of OPSEC failure when using Signal. The consequences could be much more severe than this leak.

🧵2/n

Anyone can track the physical location of Bluetooth devices across the earth, & it flew under the radar.

All you need is the MAC, which is trivial to get by just using a BT scanning app neatly the target.*

Then you guess (90% success rate) a matching key that makes Apple’s FindMy network think this device happens to be a lost AirTag.**

That’s it! The FindMy Network then tells you the latest location. It was discovered by George Mason University & called nRootTag. Apple has started to roll out some sort of change, but it’s unclear how impacting it will be or how long it will take. GMU researchers worry it could take years to be effective.

*unless it’s Bluetooth 4.2+ and is using the optional privacy features.
**requires running the MAC address through a GPU cluster, which can also be done in advance by building a rainbow table. Details are a bit sparse, but more will come in August, according to the GMU post:

cec.gmu.edu/news/2025-02/f…

“recognized as malware” is the end of the analysis? Bruh…

At least share the exe so others can check it out and either validate this or put the nail in the coffin.

There are so many ways something gets flagged without it being malicious itself. Down to being simply unsigned.

The chances of this being intentionally malicious are very low. And you haven’t done nearly enough to demonstrate otherwise.

That doesn’t mean it’s necessarily safe. You paid pennies above the cost of the hardware via AliExpress. That gets you the lowest effort software too, where security is not a concern. Imagine buying DIY canned food from an alley and then pearl clutching when it’s not FDA approved… and then acting like the makers are spies trying to poison you. 🙃
Prove it!

When we added C2 capabilities to OMG Cable, people would say “But I’d notice it on my network!”

I said: yeah, but would you notice it on your neighbor’s wifi, free cafe wifi, etc? 😈

Also, here is a free nightmare: when wifi drops due to power loss, those battery powered IOT devices do ALL kinds of useful things if you’re in range. Oh absolutely. Most places won’t notice. Especially with the added MAC spoofing and the C2 traffic looking like misc web traffic. There are lots of options before needing to use a nearby network, or supplying your own.

https://twitter.com/uk_daniel_card/status/1861451286937280804

The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down.

🧵1/n First, with over 1000 instances being reported, this is likely supply chain as opposed to a few modified devices. Done either during shipment and/or at the factory.
🧵2/n

Lots of news stories about people getting fired for using mouse jigglers & simulated keyboard activity. There is also a LOT of misinformation.

Lets correct:
- why it’s detected
- how it’s detected
- how all commercial jigglers are detectable (even mechanical ones)

🧵1 Every large company has security tools running on employee computers. It’s critical for detecting breaches of security & providing trails of evidence to understand how. Employees bypassing inactivity timeouts get caught in the net & are easy to detect IF the company WANTS.
🧵2

I like to read replies to posts like this just to remind myself how misinformed the general public is about “USB-C”
So here is a thread looking at a few of them…
🧵1

https://twitter.com/nottscooterr3/status/1796645988439826922

First, USB-C is a specification for the physical connector. NOT the protocol. And it intentionally supports multiple protocols like USB, USB-PD, Thunderbolt, DisplayPort, HDMI, PCIe, etc.

Some protocols exclusively use USB-c, like USB-4, Thunderbolt 3 & 4, USB-PD.
🧵2

Heads up, for anyone changing an iOS passcode to keep someone out.

For iOS 17, old passcodes keeps working for 72 hours. Also, the old passcode can be used to reset your iCloud password!

You can manually expire them but..
🧵1/n

support.apple.com/en-us/HT213849 ... but the option to expire the old passcode is not next to the "change passcode" button. So, it's easy to miss this new 72hr mechanism entirely. Not ideal...

Please fix this Apple

🧵2/n

I lost $150k in hardware during shipping. The carrier closed the investigation with “it’s gone, sorry”

So I started working through their org. Getting internal info. Eventually “bribing” some of the employees to dig a little deeper.
🧵1/n Then I found a local in China to help navigate the Chinese employees of the carrier. It actually worked! The package was found in one of the carrier’s facilities in China.
🧵2/n

I just did some digging into that “USB Bomb” story.

So here is a quick thread on what it looked like, the damage it did, and the pretext.

🧵1/n

bbc.com/news/world-lat… So this looks to be one of the unexploded drives. Which indicates a modified brand name thumb drive.

Note reads:

THE INFORMATION IS GOING TO UNMASK THE CORREISMO.

THINK IT'S USEFUL, WE CAN REACH AN AGREEMENT AND I'LL SEND YOU THE SECOND PART.
🧵2/n

New details on the 2nd LastPass incident are fun:
- got into Sr DevOp's home via vuln media software
- installed keylogger
- got master pass to corp vault (seemingly because it was being accessed from home computer)

Cool to see that LastPass is sharing support.lastpass.com/help/incident-…… twitter.com/i/web/status/1… Does your Red Team get to target people’s home computers and networks? I am guessing that a great big “nope” for almost every company I know of.

How Sex Toys Have Created Support Problems for the OMG Cable (another story of iterative design)

I have just decided on a new revision to the OMG Flasher (aka Programmer) & figured you might be entertained by it.

🧵1/n So, the OMg Flasher is used to flash new firmware to OMG Cables. It’s become a huge strength to the product, especially after we streamline the flashing process to “click next 3 times in Chrome”. It lets us doing lots of cool stuff for customers. But let’s skip over that.
🧵2/n

😂😂😂😂😂😂
I miss when this kind of thing was the norm. Do more of this please!

https://twitter.com/samwcyo/status/1570583182726266883

Also, in the 95% chance this was kids: maybe don’t throw the book at them. Realize how bad it could have gone if this was a funded adversary.

Sounds like most of the employees are having just as much fun as whoever got in. Enjoy the chaos y’all!

This is not a good look Apple, but hopefully an oversight? Root cause seems to be that iOS Safari can no longer use local keychain for anything.

That said, if you use FIDO2/Webauth... do not upgrade to iOS16 unless you want Tim Apple to have your keys.

https://twitter.com/jrozner/status/1570112245077807105

It looks like iOS apps do not have this issue, nor does MacOS Safari. They can all use local. So it feels like an oversight, but the optics are not great with the release of Passkey, and the constant push toward iCloud services.

TFW the OMG Cable (Keyser Soze edition) steals all your Bitcoin, despite having uber airgapped security.

🧵1/3

reddit.com/r/CryptoCurren… A day later you casually mention that nasty password re-use habit you have, but buried in a threaded comment.

Note the timing: after multiple people (who actually read the product page) are casting doubt on the claim.

🧵2/3

Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.

🧵1/n First, the premise of MFA is that an attacker can’t get in with just your password. Increasing difficulty is always good. Don’t fall into the “it’s not perfect so there is no point” mindset.

🧵2/n

Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. LAPSUS looks to be in everything of Okta’s. JIRA, Slack, Etc. But some of the screenshots seems to show Super User access capable of modifying/accessing customer accounts. 😬😬

This is gonna be a ride. 🔥

So, @adafruit was/is:
- using customer data for testing/training
- allowed it to be uploaded to a public git repo
- decides not to e-mail impacted customers because “reasons”

the first two are classic fails, but the last one is just sketch

https://twitter.com/Ax_Sharma/status/1499764199618228227

These are common and fixable mistakes. Whatever. But not notifying does 2 things:
- shows you favor your image over the customer
- opens up a window for malicious phishing to be the first contact your customers receive

If I told you that Type C connectors require green PCBs? Would you believe me?

It’s actually partially true…
1/n Let’s compare the pin density of a common USB Micro connector to the most common USB C connector.

See how much more tightly packed the USB-C is? It makes soldering them quite a bit more difficult.
2/n

Time for a thread on the OMG Programmer!

Most people don’t give it a second thought beyond a tool used to setup the firmware on their OMG Cable, Plug, etc.

I want to show you:
⁃WHY this thing is awesome.
⁃HOW it works (esp for my electronics friends)

1/n So first, let’s run through WHY this is my ideal option for loading firmware, especially for hardware designed for mischief.
2/n