MG
I was a terror since the public school era. My opinions are your adversary’s. — I also make terrible things: https://t.co/5HhKqfxtda & https://t.co/9flQ1nSPZ2
Mar 24 7 tweets 3 min read
I have a slightly different take on these leaked signal messages of the Trump admin planning the attack on Houthis…

Once again, it’s that nobody seems to use Signal SECURELY. If they had, this leak would have been less likely.
🧵1/n
The Atlantic article on this touches on policy of where & how these comms should happen, but completely misses the Signal failure that started this.

It starts right at the beginning. A new connection request was made by Mike Waltz, and then immediately added to a signal group. Waltz did NOT do anything to verify the identity of the person (else he’d quickly notice it was a journalist), and clearly did not verify the Signal Safety Number over a trusted channel (which means it’s susceptible to interception).

I doubt they are using things like Registration Lock either, which means anyone can hijack their Signal accounts with a simple SIM swap… which should be assumed an automatic threat when the telcos have admitted China has access to everything.

The failure to do this also points to a strong indication that this is likely a recurring pattern of OPSEC failure when using Signal. The consequences could be much more severe than this leak.

🧵2/n
Feb 27 4 tweets 2 min read
Anyone can track the physical location of Bluetooth devices across the earth, & it flew under the radar.

All you need is the MAC, which is trivial to get by just using a BT scanning app near the target.*

Then you guess (90% success rate) a matching key that makes Apple’s FindMy network think this device happens to be a lost AirTag.**

That’s it! The FindMy Network then tells you the latest location. It was discovered by George Mason University & called nRootTag. Apple has started to roll out some sort of change, but it’s unclear how impacting it will be or how long it will take. GMU researchers worry it could take years to be effective.

*unless it’s Bluetooth 4.2+ and is using the optional privacy features.
**requires running the MAC address through a GPU cluster, which can also be done in advance by building a rainbow table. Details are a bit sparse, but more will come in August, according to the GMU post:

cec.gmu.edu/news/2025-02/f…
Jan 12 7 tweets 4 min read
“recognized as malware” is the end of the analysis? Bruh…

At least share the exe so others can check it out and either validate this or put the nail in the coffin.

There are so many ways something gets flagged without it being malicious itself. Down to being simply unsigned.

The chances of this being intentionally malicious are very low. And you haven’t done nearly enough to demonstrate otherwise.

That doesn’t mean it’s necessarily safe. You paid pennies above the cost of the hardware via AliExpress. That gets you the lowest effort software too, where security is not a concern. Imagine buying DIY canned food from an alley and then pearl clutching when it’s not FDA approved… and then acting like the makers are spies trying to poison you. 🙃
Prove it!
Nov 26, 2024 4 tweets 2 min read
When we added C2 capabilities to OMG Cable, people would say “But I’d notice it on my network!”

I said: yeah, but would you notice it on your neighbor’s wifi, free cafe wifi, etc? 😈

Also, here is a free nightmare: when wifi drops due to power loss, those battery powered IoT devices do ALL kinds of useful things if you’re in range. Oh absolutely. Most places won’t notice. Especially with the added MAC spoofing and the C2 traffic looking like misc web traffic. There are lots of options before needing to use a nearby network, or supplying your own.
Sep 17, 2024 25 tweets 7 min read
The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down.

🧵1/n First, with over 1000 instances being reported, this is likely supply chain as opposed to a few modified devices. Done either during shipment and/or at the factory.
🧵2/n
Jun 15, 2024 16 tweets 4 min read
Lots of news stories about people getting fired for using mouse jigglers & simulated keyboard activity. There is also a LOT of misinformation.

Let’s correct:
- why it’s detected
- how it’s detected
- how all commercial jigglers are detectable (even mechanical ones)

🧵1 Every large company has security tools running on employee computers. It’s critical for detecting breaches of security & providing trails of evidence to understand how. Employees bypassing inactivity timeouts get caught in the net & are easy to detect IF the company WANTS.
🧵2
Jun 3, 2024 22 tweets 7 min read
I like to read replies to posts like this just to remind myself how misinformed the general public is about “USB-C”
So here is a thread looking at a few of them…
🧵1 First, USB-C is a specification for the physical connector. NOT the protocol. And it intentionally supports multiple protocols like USB, USB-PD, Thunderbolt, DisplayPort, HDMI, PCIe, etc.

Some protocols exclusively use USB-C, like USB4, Thunderbolt 3 & 4, USB-PD.
🧵2
Oct 1, 2023 5 tweets 2 min read
Heads up, for anyone changing an iOS passcode to keep someone out.

For iOS 17, old passcodes keep working for 72 hours. Also, the old passcode can be used to reset your iCloud password!

You can manually expire them but..
🧵1/n

support.apple.com/en-us/HT213849 ... but the option to expire the old passcode is not next to the "change passcode" button. So, it's easy to miss this new 72hr mechanism entirely. Not ideal...

Please fix this Apple

🧵2/n
May 9, 2023 6 tweets 2 min read
I lost $150k in hardware during shipping. The carrier closed the investigation with “it’s gone, sorry”

So I started working through their org. Getting internal info. Eventually “bribing” some of the employees to dig a little deeper.
🧵1/n Then I found a local in China to help navigate the Chinese employees of the carrier. It actually worked! The package was found in one of the carrier’s facilities in China.
🧵2/n
Mar 22, 2023 7 tweets 3 min read
I just did some digging into that “USB Bomb” story.

So here is a quick thread on what it looked like, the damage it did, and the pretext.

🧵1/n

bbc.com/news/world-lat… So this looks to be one of the unexploded drives. Which indicates a modified brand name thumb drive.

Note reads:

THE INFORMATION IS GOING TO UNMASK THE CORREISMO.

THINK IT'S USEFUL, WE CAN REACH AN AGREEMENT AND I'LL SEND YOU THE SECOND PART.
🧵2/n
Feb 27, 2023 9 tweets 4 min read
New details on the 2nd LastPass incident are fun:
- got into Sr DevOp's home via vuln media software
- installed keylogger
- got master pass to corp vault (seemingly because it was being accessed from home computer)

Cool to see that LastPass is sharing support.lastpass.com/help/incident-… twitter.com/i/web/status/1… Does your Red Team get to target people’s home computers and networks? I am guessing that’s a great big “nope” for almost every company I know of.
Jan 12, 2023 8 tweets 2 min read
How Sex Toys Have Created Support Problems for the OMG Cable (another story of iterative design)

I have just decided on a new revision to the OMG Flasher (aka Programmer) & figured you might be entertained by it.

🧵1/n So, the OMG Flasher is used to flash new firmware to OMG Cables. It’s become a huge strength to the product, especially after we streamlined the flashing process to “click next 3 times in Chrome”. It lets us do lots of cool stuff for customers. But let’s skip over that.
🧵2/n
Sep 16, 2022 4 tweets 2 min read
😂😂😂😂😂😂
I miss when this kind of thing was the norm. Do more of this please! Also, in the 95% chance this was kids: maybe don’t throw the book at them. Realize how bad it could have gone if this was a funded adversary.

Sounds like most of the employees are having just as much fun as whoever got in. Enjoy the chaos y’all!
Sep 14, 2022 6 tweets 2 min read
This is not a good look Apple, but hopefully an oversight? Root cause seems to be that iOS Safari can no longer use local keychain for anything.

That said, if you use FIDO2/WebAuthn... do not upgrade to iOS 16 unless you want Tim Apple to have your keys. It looks like iOS apps do not have this issue, nor does macOS Safari. They can all use local. So it feels like an oversight, but the optics are not great with the release of Passkey, and the constant push toward iCloud services.
Sep 3, 2022 4 tweets 1 min read
TFW the OMG Cable (Keyser Soze edition) steals all your Bitcoin, despite having uber airgapped security.

🧵1/3

reddit.com/r/CryptoCurren… A day later you casually mention that nasty password re-use habit you have, but buried in a threaded comment.

Note the timing: after multiple people (who actually read the product page) are casting doubt on the claim.

🧵2/3
Mar 23, 2022 15 tweets 4 min read
Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. It’s being seen in the wild more these days.

🧵1/n First, the premise of MFA is that an attacker can’t get in with just your password. Increasing difficulty is always good. Don’t fall into the “it’s not perfect so there is no point” mindset.

🧵2/n
Mar 22, 2022 19 tweets 7 min read
Oh man, if this is what it looks like (Okta got popped)… Blue Team everywhere is gonna be crazy busy. LAPSUS looks to be in everything of Okta’s. JIRA, Slack, etc. But some of the screenshots seem to show Super User access capable of modifying/accessing customer accounts. 😬😬

This is gonna be a ride. 🔥
Mar 5, 2022 5 tweets 2 min read
So, @adafruit was/is:
- using customer data for testing/training
- allowed it to be uploaded to a public git repo
- decides not to e-mail impacted customers because “reasons”

the first two are classic fails, but the last one is just sketch These are common and fixable mistakes. Whatever. But not notifying does 2 things:
- shows you favor your image over the customer
- opens up a window for malicious phishing to be the first contact your customers receive
Feb 25, 2022 9 tweets 3 min read
If I told you that Type C connectors require green PCBs? Would you believe me?

It’s actually partially true…
1/n Let’s compare the pin density of a common USB Micro connector to the most common USB C connector.

See how much more tightly packed the USB-C is? It makes soldering them quite a bit more difficult.
2/n
Feb 24, 2022 16 tweets 4 min read
Time for a thread on the OMG Programmer!

Most people don’t give it a second thought beyond a tool used to set up the firmware on their OMG Cable, Plug, etc.

I want to show you:
⁃WHY this thing is awesome.
⁃HOW it works (esp for my electronics friends)

1/n So first, let’s run through WHY this is my ideal option for loading firmware, especially for hardware designed for mischief.
2/n
Dec 18, 2021 9 tweets 3 min read
KnowBe4 customers are some of the easiest to spearphish. This is just one example of why.

Their official instructions tell customers to set up filter bypasses that any attacker can also use. In the instructions, they include absolutely no cautionary info about it. 🤡 Phish Sim like KnowBe4 is very often executed horribly, like what is seen below. Most of the time, it’s used to send “gotcha” emails that are nothing like what actual attackers are sending.