The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down.

🧵1/n First, with over 1000 instances being reported, this is likely supply chain as opposed to a few modified devices. Done either during shipment and/or at the factory.
🧵2/n

Lots of news stories about people getting fired for using mouse jigglers & simulated keyboard activity. There is also a LOT of misinformation.

Lets correct:
- why it’s detected
- how it’s detected
- how all commercial jigglers are detectable (even mechanical ones)

🧵1 Every large company has security tools running on employee computers. It’s critical for detecting breaches of security & providing trails of evidence to understand how. Employees bypassing inactivity timeouts get caught in the net & are easy to detect IF the company WANTS.
🧵2

I like to read replies to posts like this just to remind myself how misinformed the general public is about “USB-C”
So here is a thread looking at a few of them…
🧵1

https://twitter.com/nottscooterr3/status/1796645988439826922

First, USB-C is a specification for the physical connector. NOT the protocol. And it intentionally supports multiple protocols like USB, USB-PD, Thunderbolt, DisplayPort, HDMI, PCIe, etc.

Some protocols exclusively use USB-c, like USB-4, Thunderbolt 3 & 4, USB-PD.
🧵2

Heads up, for anyone changing an iOS passcode to keep someone out.

For iOS 17, old passcodes keeps working for 72 hours. Also, the old passcode can be used to reset your iCloud password!

You can manually expire them but..
🧵1/n

support.apple.com/en-us/HT213849 ... but the option to expire the old passcode is not next to the "change passcode" button. So, it's easy to miss this new 72hr mechanism entirely. Not ideal...

Please fix this Apple

🧵2/n

I lost $150k in hardware during shipping. The carrier closed the investigation with “it’s gone, sorry”

So I started working through their org. Getting internal info. Eventually “bribing” some of the employees to dig a little deeper.
🧵1/n Then I found a local in China to help navigate the Chinese employees of the carrier. It actually worked! The package was found in one of the carrier’s facilities in China.
🧵2/n

I just did some digging into that “USB Bomb” story.

So here is a quick thread on what it looked like, the damage it did, and the pretext.

🧵1/n

bbc.com/news/world-lat… So this looks to be one of the unexploded drives. Which indicates a modified brand name thumb drive.

Note reads:

THE INFORMATION IS GOING TO UNMASK THE CORREISMO.

THINK IT'S USEFUL, WE CAN REACH AN AGREEMENT AND I'LL SEND YOU THE SECOND PART.
🧵2/n

New details on the 2nd LastPass incident are fun:
- got into Sr DevOp's home via vuln media software
- installed keylogger
- got master pass to corp vault (seemingly because it was being accessed from home computer)

Cool to see that LastPass is sharing support.lastpass.com/help/incident-…… twitter.com/i/web/status/1… Does your Red Team get to target people’s home computers and networks? I am guessing that a great big “nope” for almost every company I know of.

How Sex Toys Have Created Support Problems for the OMG Cable (another story of iterative design)

I have just decided on a new revision to the OMG Flasher (aka Programmer) & figured you might be entertained by it.

🧵1/n So, the OMg Flasher is used to flash new firmware to OMG Cables. It’s become a huge strength to the product, especially after we streamline the flashing process to “click next 3 times in Chrome”. It lets us doing lots of cool stuff for customers. But let’s skip over that.
🧵2/n

😂😂😂😂😂😂
I miss when this kind of thing was the norm. Do more of this please!

https://twitter.com/samwcyo/status/1570583182726266883

Also, in the 95% chance this was kids: maybe don’t throw the book at them. Realize how bad it could have gone if this was a funded adversary.

Sounds like most of the employees are having just as much fun as whoever got in. Enjoy the chaos y’all!

This is not a good look Apple, but hopefully an oversight? Root cause seems to be that iOS Safari can no longer use local keychain for anything.

That said, if you use FIDO2/Webauth... do not upgrade to iOS16 unless you want Tim Apple to have your keys.

https://twitter.com/jrozner/status/1570112245077807105

It looks like iOS apps do not have this issue, nor does MacOS Safari. They can all use local. So it feels like an oversight, but the optics are not great with the release of Passkey, and the constant push toward iCloud services.

TFW the OMG Cable (Keyser Soze edition) steals all your Bitcoin, despite having uber airgapped security.

🧵1/3

reddit.com/r/CryptoCurren… A day later you casually mention that nasty password re-use habit you have, but buried in a threaded comment.

Note the timing: after multiple people (who actually read the product page) are casting doubt on the claim.

🧵2/3

Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.

🧵1/n First, the premise of MFA is that an attacker can’t get in with just your password. Increasing difficulty is always good. Don’t fall into the “it’s not perfect so there is no point” mindset.

🧵2/n

Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. LAPSUS looks to be in everything of Okta’s. JIRA, Slack, Etc. But some of the screenshots seems to show Super User access capable of modifying/accessing customer accounts. 😬😬

This is gonna be a ride. 🔥

So, @adafruit was/is:
- using customer data for testing/training
- allowed it to be uploaded to a public git repo
- decides not to e-mail impacted customers because “reasons”

the first two are classic fails, but the last one is just sketch

https://twitter.com/Ax_Sharma/status/1499764199618228227

These are common and fixable mistakes. Whatever. But not notifying does 2 things:
- shows you favor your image over the customer
- opens up a window for malicious phishing to be the first contact your customers receive

If I told you that Type C connectors require green PCBs? Would you believe me?

It’s actually partially true…
1/n Let’s compare the pin density of a common USB Micro connector to the most common USB C connector.

See how much more tightly packed the USB-C is? It makes soldering them quite a bit more difficult.
2/n

Time for a thread on the OMG Programmer!

Most people don’t give it a second thought beyond a tool used to setup the firmware on their OMG Cable, Plug, etc.

I want to show you:
⁃WHY this thing is awesome.
⁃HOW it works (esp for my electronics friends)

1/n So first, let’s run through WHY this is my ideal option for loading firmware, especially for hardware designed for mischief.
2/n

KnowB4 customers are some of the easiest to spearphish. This is just one example of why.

Their official instructions tell customers to setup filter bypasses that any attacker can also use. In the instructions, they include absolutely no cautionary info about it. 🤡 Phish Sim like knowbe4 is very often executed horribly, like what is seen below. Most of the time, it’s used to send “gotcha” emails that are nothing like what actual attackers are sending.

https://twitter.com/hackingbutlegal/status/1471640905673236484

Damn, so @briankrebs got played by the ex employee trying to extort his company, and it resulted in billions of dollars in losses for the company.

This is a fun one to add to your Inside Threat profiles.

https://twitter.com/BleepinComputer/status/1466181293285249028

You may remember back in March that Krebs published a story based on what a single "internal whistleblower" said, challenging Ubiquiti's public response to the breach.

That "whistleblower" was the same person trying to extort Ubiquiti :)

krebsonsecurity.com/2021/03/whistl…

Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago?

Guess it wasn't easy to notice under all the loud opinions about ethics. 🤣 Yeah, looks like the fixed version was released on Sept 23, 2020: github.com/noperator/pano…

Is defense in depth so much of a unicorn that nobody can imagine an org that wants to test 0day detections?

There are orgs who’s defense is sophisticated enough to warrant 0day. I promise. But the responses are making me wonder how wide spread the eggshell networks are in 2021

https://twitter.com/J0hnnyXm4s/status/1458914431862198273

Don’t get me wrong. Using 0day when you don’t need it is silly. But red teams for large/sophisticated defense teams *are* using 0day & doing so is highly valuable to blue team.

0day isn’t implausible. Check the news.

I’m jealous of y’all who test nothing but eggshells all day

Let’s play another round of “your assumptions about USB C are wrong!”

Here is a board I got on Amazon. It claims to be made by @lilygo9. The USB C port is improperly designed and it results in the odd behavior seen in the video.

Guess what the problem is!

Thread 1/n

https://twitter.com/_mg_/status/1445532608549457921

I am confident that most people would immediately blame this on the cable, but that’s not the case!

This is what a proper USB 2.0 Type C receptacle & cable/plug should look like. I’ve grayed out the non 2.0 pins for easier reading. Notice the lack of symmetry on the cable!
2/n