April 10

                April 10, 2022

            April 10

A very funny story of hacking critical national infrastructure.
Corben Leo @hacker_
In 2010, WikiLeaks released a classified document. 

A list of infrastructure critical to U.S national security.

The government listed a Trans-Atlantic cable.

3 years ago,

19-year-old me gained ADMIN access to that cable (and another; shared codebase).

🧵Here's how I found it 
10:07 PM ∙ Apr 8, 2022
4,546Likes908Retweets

Pearls of Katie Moussouris wisdom.
Katie🌻Moussouris (she/her) @k8em0
Glass half full:
Awesome bug hunter, excellent discovery, well earned bounty.

Glass half empty:
Critical infrastructure in private company hands can’t secure itself fast enough, even with a bug bounty.

Glass half pwned:
Neither can governments

In case of emergency break glass. 
Corben Leo @hacker_TLDR;

- Participating in a bug bounty program (telecommunications company)
- Scanned their IPV4 Ranges
- Found a webserver that said "███ Cable System"
- Directory brute-force found /admin/accounts/
- The endpoint set a valid admin JSESSIONID.

https://t.co/Zgwj0jiKBD5:57 PM ∙ Apr 9, 2022
36Likes6Retweets

OpenSSH is making the cryptotheogens happy by changing to some new crypto thing. I take not my field so I don’t really understand it. I just hope it’s not an NFT.
Filippo ${jndi:ldap://filippo.io/t} Valsorda @FiloSottileWoah, did not see this one coming. OpenSSH now uses hybrid post-quantum Streamlined NTRU Prime + X25519 by default!

openssh.com/txt/release-9.0 
11:34 AM ∙ Apr 8, 2022
771Likes221Retweets

A look at some layers of is happening within a hacking session. It is super interesting analysis.
Jared Atkinson @jaredcatkinson
🧵 
1/ Two days ago I shared this image to demonstrate how many unique paths exist for a single behavior. At the time I didn't know how to use it, but today I realized it shows why red teams, MITRE evals, & vendor tests can't answer Technique coverage questions without change. 
2:00 PM ∙ Apr 7, 2022
654Likes239Retweets

This related thread is also good. An observation about what we lose when we just hijack military terms. 
nature's born troubleshooter @viable_alt
This thread is great, but I had a side note complaining a little bit about the use of military terms in infosec. Let me explain (thread) 1/9 
Jared Atkinson @jaredcatkinson🧵 
1/ Two days ago I shared this image to demonstrate how many unique paths exist for a single behavior. At the time I didn't know how to use it, but today I realized it shows why red teams, MITRE evals, & vendor tests can't answer Technique coverage questions without change. https://t.co/zLUDq8kHJw3:34 PM ∙ Apr 9, 2022
14Likes7Retweets

Senior devs have senior moments
Ryan Cavanaugh @SeaRyanC
"Do senior devs still have to look up stuff on StackOverflow?"

Gentle reader, I have gone to StackOverflow to read answers that I wrote about behavior that I myself designed and implemented.9:55 PM ∙ Apr 8, 2022
27,508Likes3,356Retweets

This is an excellent discussion on incentives and outcomes. Particularly important with the way the world is going with open source.
Noah Kantrowitz @kantrn
FAANG promo committees are killing Kubernetes: A Short Thread 🧵7:42 PM ∙ Apr 6, 2022
3,037Likes667Retweets

If you’ve missed the bonkers story about the two guys bribing secret service agents, Matt Blaze has the updates.
matt blaze @mattblazeMore details on the Secret Service ingratiation case in a filing from this morning.

mattblaze.org/private/TAHERZ…

Several new/notable details...
5:48 PM ∙ Apr 8, 2022
25Likes5Retweets

Elon Musk has donated StarLinkX terminals for Ukraine. But the US bought ~1500 units, at $1500 (retail price: $600), and paid $800k to ship them all to Ukraine. Over $3m in public moneys for Elon Musk to donate equipment (with 3 months unlimited data… if the war last too long those data charges gonna kick in, lol)
The Washington Post @washingtonpost
Analysis: U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX’s claims wapo.stAnalysis | U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX claimsA federal agency is paying some $3 million for technology and transportation.2:32 PM ∙ Apr 8, 2022
1,418Likes642Retweets

Well, that’s not terrifying in anyway. Shanghai tower blocks at night where people are just screaming after a week of no leaving your apartment for any reason.
Patrick Madrid ✌🏼 @patrickmadrid
What the?? This video taken yesterday in Shanghai, China, by the father of a close friend of mine. She verified its authenticity: People screaming out of their windows after a week of total lockdown, no leaving your apartment for any reason. 
1:16 AM ∙ Apr 9, 2022
28,601Likes14,326Retweets

John Opdenakker @j_opdenakker
Linux is not magic, it's sudo science.4:17 PM ∙ Apr 9, 2022
3,808Likes486Retweets

Ollie’s cyber summary. Worth the subscribe. 
Ollie Whitehouse @ollieatnccgroupWeekly summary and analysis is out:

- 🇺🇦 ops against 🇷🇺 on OT leading to 🔥
- 🇮🇷 love for social engineering
- 🇨🇳ops against 🇮🇳 power generation
- 🇨🇳ops via Lof4Shell leading to 🪟 rootkit
- 🇨🇳ops against gov,⛪, NGO in 🇪🇺, Asia and Africa

and more 👇

bluepurple.substack.com/p/bluepurple-p…bluepurple.substack.comBluepurple Pulse: week ending April 10thIf there was cyber version of Richard Scarry’s Busy Town Busy People this would be it..6:57 AM ∙ Apr 10, 2022
20Likes11Retweets
Epic bug killer kills epic bug. 
Felix Wilhelm @_fel1xMy report for this bug is now public: bugs.chromium.org/p/project-zero…. Thanks @github for donating a 40000$ bounty to Médecins Sans Frontières (msf.org) 
Felix Wilhelm @_fel1x
I stumbled upon a fun heap overflow in Github's markdown rendering library. RCE via a malicious README 🤔 Demonstrates the risk of memory unsafe dependencies used by scripting languages.  https://t.co/4zFIdgNmZN https://t.co/9zWFyUuFyS
9:28 AM ∙ Apr 6, 2022
546Likes115Retweets
Do you want to know way too much about the design and implementation of the business cards from that scene in American Psycho? Good, because it’s a fun read about business card design. 

https://hobancards.com/blogs/thoughts-and-curiosities/american-psycho-business-cards

Some color on the Battle of Kiyv. Interesting vignettes that reveal some aspects of diverse elements of modern war.
Need to inform Ukrainian military where the Russians are? There’s an app for that. 
Officials have since made it easier for citizens to upload enemy locations through the Diia app, a government portal for digital documents such as driving licences and Covid passes used by millions of Ukrainians.
The Ukrainians are heavily overloading this one app. It seems like there was one functioning .gov app and they’ve been organically adding features to address new needs. 
I wonder how many 1 star reviews it has from Russian troll farms.
Another cool detail is how the Ukrainians defeated Russian thermal imaging drones by hiding under foam mats. Camouflage and deception is cool. I wonder how true the story is…
Tim Judah @timjudah1
My latest piece in which I reveal the role of karmats - Ukraine's secret weapon that no one is talking about: How Kyiv was saved by Ukrainian ingenuity as well as Russian blunders ft.comSubscribe to read | Financial TimesNews, analysis and comment from the Financial Times, the worldʼs leading global business publication6:02 AM ∙ Apr 10, 2022
201Likes50Retweets

                Don't miss what's next. Subscribe to the grugq's newsletter: