Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
MG Profile picture
MG
@_MG_
I was a terror since the public school era. My opinions are your adversary’s. — I also make terrible things: https://t.co/cwueENXhIv
Oct 1, 2023 5 tweets 2 min read
Heads up, for anyone changing an iOS passcode to keep someone out.

For iOS 17, old passcodes keeps working for 72 hours. Also, the old passcode can be used to reset your iCloud password!

You can manually expire them but..
🧵1/n

support.apple.com/en-us/HT213849 ... but the option to expire the old passcode is not next to the "change passcode" button. So, it's easy to miss this new 72hr mechanism entirely. Not ideal...

Please fix this Apple

🧵2/n Image
May 9, 2023 6 tweets 2 min read
I lost $150k in hardware during shipping. The carrier closed the investigation with “it’s gone, sorry”

So I started working through their org. Getting internal info. Eventually “bribing” some of the employees to dig a little deeper.
🧵1/n Then I found a local in China to help navigate the Chinese employees of the carrier. It actually worked! The package was found in one of the carrier’s facilities in China.
🧵2/n
Mar 22, 2023 7 tweets 3 min read
I just did some digging into that “USB Bomb” story.

So here is a quick thread on what it looked like, the damage it did, and the pretext.

🧵1/n

bbc.com/news/world-lat… So this looks to be one of the unexploded drives. Which indicates a modified brand name thumb drive.

Note reads:

THE INFORMATION IS GOING TO UNMASK THE CORREISMO.

THINK IT'S USEFUL, WE CAN REACH AN AGREEMENT AND I'LL SEND YOU THE SECOND PART.
🧵2/n Image
Feb 27, 2023 9 tweets 4 min read
New details on the 2nd LastPass incident are fun:
- got into Sr DevOp's home via vuln media software
- installed keylogger
- got master pass to corp vault (seemingly because it was being accessed from home computer)

Cool to see that LastPass is sharing support.lastpass.com/help/incident-…twitter.com/i/web/status/1… Does your Red Team get to target people’s home computers and networks? I am guessing that a great big “nope” for almost every company I know of.
Jan 12, 2023 8 tweets 2 min read
How Sex Toys Have Created Support Problems for the OMG Cable (another story of iterative design)

I have just decided on a new revision to the OMG Flasher (aka Programmer) & figured you might be entertained by it.

🧵1/n So, the OMg Flasher is used to flash new firmware to OMG Cables. It’s become a huge strength to the product, especially after we streamline the flashing process to “click next 3 times in Chrome”. It lets us doing lots of cool stuff for customers. But let’s skip over that.
🧵2/n
Sep 16, 2022 4 tweets 2 min read
😂😂😂😂😂😂
I miss when this kind of thing was the norm. Do more of this please! Also, in the 95% chance this was kids: maybe don’t throw the book at them. Realize how bad it could have gone if this was a funded adversary.

Sounds like most of the employees are having just as much fun as whoever got in. Enjoy the chaos y’all!
Sep 14, 2022 6 tweets 2 min read
This is not a good look Apple, but hopefully an oversight? Root cause seems to be that iOS Safari can no longer use local keychain for anything.

That said, if you use FIDO2/Webauth... do not upgrade to iOS16 unless you want Tim Apple to have your keys. It looks like iOS apps do not have this issue, nor does MacOS Safari. They can all use local. So it feels like an oversight, but the optics are not great with the release of Passkey, and the constant push toward iCloud services.
Sep 3, 2022 4 tweets 1 min read
TFW the OMG Cable (Keyser Soze edition) steals all your Bitcoin, despite having uber airgapped security.

🧵1/3

reddit.com/r/CryptoCurren… A day later you casually mention that nasty password re-use habit you have, but buried in a threaded comment.

Note the timing: after multiple people (who actually read the product page) are casting doubt on the claim.

🧵2/3
Mar 23, 2022 15 tweets 4 min read
Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.

🧵1/n First, the premise of MFA is that an attacker can’t get in with just your password. Increasing difficulty is always good. Don’t fall into the “it’s not perfect so there is no point” mindset.

🧵2/n
Mar 22, 2022 19 tweets 7 min read
Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. LAPSUS looks to be in everything of Okta’s. JIRA, Slack, Etc. But some of the screenshots seems to show Super User access capable of modifying/accessing customer accounts. 😬😬

This is gonna be a ride. 🔥
Mar 5, 2022 5 tweets 2 min read
So, @adafruit was/is:
- using customer data for testing/training
- allowed it to be uploaded to a public git repo
- decides not to e-mail impacted customers because “reasons”

the first two are classic fails, but the last one is just sketch These are common and fixable mistakes. Whatever. But not notifying does 2 things:
- shows you favor your image over the customer
- opens up a window for malicious phishing to be the first contact your customers receive
Feb 25, 2022 9 tweets 3 min read
If I told you that Type C connectors require green PCBs? Would you believe me?

It’s actually partially true…
1/n Let’s compare the pin density of a common USB Micro connector to the most common USB C connector.

See how much more tightly packed the USB-C is? It makes soldering them quite a bit more difficult.
2/n
Feb 24, 2022 16 tweets 4 min read
Time for a thread on the OMG Programmer!

Most people don’t give it a second thought beyond a tool used to setup the firmware on their OMG Cable, Plug, etc.

I want to show you:
⁃WHY this thing is awesome.
⁃HOW it works (esp for my electronics friends)

1/n So first, let’s run through WHY this is my ideal option for loading firmware, especially for hardware designed for mischief.
2/n
Dec 18, 2021 9 tweets 3 min read
KnowB4 customers are some of the easiest to spearphish. This is just one example of why.

Their official instructions tell customers to setup filter bypasses that any attacker can also use. In the instructions, they include absolutely no cautionary info about it. 🤡 Image Phish Sim like knowbe4 is very often executed horribly, like what is seen below. Most of the time, it’s used to send “gotcha” emails that are nothing like what actual attackers are sending.
Dec 1, 2021 5 tweets 2 min read
Damn, so @briankrebs got played by the ex employee trying to extort his company, and it resulted in billions of dollars in losses for the company.

This is a fun one to add to your Inside Threat profiles. You may remember back in March that Krebs published a story based on what a single "internal whistleblower" said, challenging Ubiquiti's public response to the breach.

That "whistleblower" was the same person trying to extort Ubiquiti :)

krebsonsecurity.com/2021/03/whistl…
Nov 12, 2021 5 tweets 2 min read
Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago?

Guess it wasn't easy to notice under all the loud opinions about ethics. 🤣 Yeah, looks like the fixed version was released on Sept 23, 2020: github.com/noperator/pano…
Nov 11, 2021 4 tweets 2 min read
Is defense in depth so much of a unicorn that nobody can imagine an org that wants to test 0day detections?

There are orgs who’s defense is sophisticated enough to warrant 0day. I promise. But the responses are making me wonder how wide spread the eggshell networks are in 2021 Don’t get me wrong. Using 0day when you don’t need it is silly. But red teams for large/sophisticated defense teams *are* using 0day & doing so is highly valuable to blue team.

0day isn’t implausible. Check the news.

I’m jealous of y’all who test nothing but eggshells all day
Oct 7, 2021 5 tweets 3 min read
Let’s play another round of “your assumptions about USB C are wrong!”

Here is a board I got on Amazon. It claims to be made by @lilygo9. The USB C port is improperly designed and it results in the odd behavior seen in the video.

Guess what the problem is!

Thread 1/n I am confident that most people would immediately blame this on the cable, but that’s not the case!

This is what a proper USB 2.0 Type C receptacle & cable/plug should look like. I’ve grayed out the non 2.0 pins for easier reading. Notice the lack of symmetry on the cable!
2/n
Oct 5, 2021 8 tweets 3 min read
I got $500 worth of Arduino Nano’s from AliExpress from 4 different sources.

50% of them don’t even power on. Want to guess why? You can tell by careful examination of the boards.

Hint: they are all USB-C So each source made their own PCB design modification for Type C. And, clearly, half of the people doing the change incorrectly assumed “USB C is just a different connector” as so many people incorrectly do.

Here is the mini/micro/C picture they they copy from each other:
Aug 27, 2021 6 tweets 3 min read
The Razer & SteelSeries Windows PrivEsc vulns are fun, but there are tons of devices that may be vulnerable.

We have a list of ~2500 possible devices! The easiest way to test is to use something like an OMG Cable or BashBunny to spoof the VID/PID.

1/n You don’t need to buy the devices to test them, just spoof!

On OMG Cable, it’s as easy as typing “VID 1234 PID 5678” in the Web UI, and hitting run!

Here is the list of 2500 possibly vulnerable devices, compiled by @networkgrinch: pastebin.com/k2Hb0bPU

2/n
Aug 22, 2021 7 tweets 4 min read
Windows escalation with an OMG cable: from Guest account to System user!

Razer hasn’t fixed this for over a year now.
o.mg.lol Demo by @KalaniMakutu

People have been trying to report this to Razer for over a year. @j0nh4t & @tifkin_ are at least 2 people who have tried.