When you report on Russian cybercrime so long that it starts to rub off on you…
What I wanna know is, what are the web stats on the webserver at Oracle that serves the Java6 JRE, for people who are only now discovering that using the console on the ILOM web interface to press on their windows during boot requires a Java6 runtime in IE6....
And if that webserver at Oracle ran windows... welllllp, that'd be computers over and done with.
(which maybe, might just be for the best...)
Did you guys know that tomatoes contain seeds that you can use to make other tomatoes?! This shit is WIIIILD, yo. You can just PIRATE tomatoes!?
I grew this! In my lounge! From a seed!?! I totally would download a tomato.
And I thought COMPUTERS were crazy. :mind_blown:
@mp Pipes Research Power is totally a force multiplier. One of the shells I got once that really stuck with me, was for a customer who'd deployed a security product protecting a key (and I mean ... this thing was... important AF) asset, and my hacker spidey sense told me this security product was ... well, like every other security product our industry has sold.
The customer's sysadmin had also been a condescending jerk to me while I was onsite arranging my access and pre-requisites for the assessment we were doing. I really wanted to ... take him down a peg or two. (Spite hacking, it's a hellovadrug!)
Of course the guy was obstructive, in the classic "no you can't have admin access to do your job" (I sold and scoped this as a 'white box' assessment because that's how you get good coverage in reasonable time) because "a rEaL hAcKeR doesn't have access". (Yes, this was in the last ten years; this kinda wrongthink is still around in risk management). So I was doubly salty. I'm wailing on this thing blind - in prod, because of course there was no test environment - with all of the constraints that brings. Trying to cause "unusual behaviour" while also not breaking prod, def the best circumstances.
Of course I had googled to see if you could just spin up an instance of this security product in AWS or get an eval version, but, of course, this was not the sort of vendor that does friendly helpful things like that.
I'm a week in, sulking about the office, with nothing much to show for myself. Pipes decides he's sick of my whiny muttering. He digs up an ancient version of this security product, cracks the license check to get it to boot, rummages inside, finds the update mechanism, figures out how it works, and then manages to get enough incremental updates to drag this version forward years in time until it approximates the one I'm targeting.
Then he messages me on IRC with a "dude i built you a test environment. shut the fuck up and start hacking".
He's got me a working, representative test environment in a VM, with a root shell and some test accounts.
A couple days later, I'm preauth-remote-root-code-exec on this thing, and boy oh boy are the cats amongst the pigeons.
This is the power of having the data you need, when you need it. A Pipes-power research team is... it's what you want.
So as not to leave y'all hanging on the story:
I schedule an emergency meeting to escalate this, onsite in person. I gently explain how bad it is. Customer sysadmin guy straight up calls me a liar, and shoves a (locked down, corp windows + internet explorer) laptop in front of me, all "prove it tough guy". Idk if you've ever tried to mentally port your burpsuite PoC made out of seven repeater tabs and a vi full of cryptic cut n paste notes into something you can do on locked down IE while people glare at you. I hadn't even brought my laptop! Getting computer equipment onsite with a customer like this... is a time.
Triumphant, their nerd has bested me in nerd combat. "Besides," he adds, to really put the boot in and belittle me further, "it's behind the F5, even if this so called 'bug' did work, it's IP-whitelisted".
Needless to say, umbrage was my middle name at this point.
I scheduled a follow up meeting the next day, and did the paperwork to bring my dirty hacker laptop in.
I went back to the office, made a beautiful exploit.py that pops proper shell, hooked it up to a CSRF trigger so you could do it via getting HTML in front of anyone who worked there, so as to bypass the F5. Spite-hacking, remember?
The second meeting, CISO of the customer showed up too. I destroy the sysadmin and all his works in final nerd judgement day. The security product, which had been in prod for years, it turns out without having ever been really assessed, is now a major drama.
We get brought in to assess the proposed replacement product (learning!) during the design phase. We ruin that too. Yay security vendors!
Coda: this was not the sort of vendor where we could go report the bug (safely; messenger-shooting is also still a thing) directly. We handed off the bug and exploit and so on to the customer to report thru their proper support channels. I ... uhhh.. I assume it got patched and fixed. I never saw a CVE issued, but again, the sort of vendor that prolly the security update details are behind a support contract wall anyway.
I googled to see just now and it's... joined the Broadcom family.
So, you'll forgive me for not posting the exploit ha ha. Which I legit don't have of course, cause... well, that's how research jobs go. You provide the data, clear, concise, complete, and they make their choices. You move on, ever so slightly damaged by the knowledge you've gained, to the next thing.
I worked with Pipes ( @mp ) for the last twenty years. Some people ask "what's Pipes up to?", but my question always is "how is Pipes up to whatever he's up to?"
He wrote a paper answering that question: https://www.distantfield.space/observatory/party-analysts
I always used to tell new pentesters that our job was to bring facts to risk decision making. Do the research, get the hard data, present it clearly, concisely and completely, so the customer has what they need to make their security choices.
His new thing - Distant Field Labs - is basically this but for ... anything tech.
This is legit cool, and if you have a question, a hard question or a big question or an important question that needs Hard (or big?) Data, the https://www.distantfield.space/ crew is who you want.
Oh bother, said Fancy Pooh.
So in yesterday's @riskybusiness Risky Biz Ep 746, when I was intro-ing the bit about Cisco ASA firewalls getting rekt, I attributed it to Fancy Bear/Russia, when the @agreenberg piece we were talking about attributes it (correctly) to China. This was a straight up brain-fade on my behalf (because we had the goose-egg Fancy Bear story coming up) not some Advanced Risky Biz Deep Intel!
Sorry for the confusion! Will run a correction in next week's show.
Thank you to a diligent listener for pointing out my error! ❤️
No main @riskybusiness show this week cause Pat's got the week off for school holidays, but I just hit the publish button on a special treat:
https://risky.biz/S1KSGSPECIAL01/
Same thing across the airport in Wellington at the time, under which all the politicians walk to get to their flights....
I was rummaging for something unrelated in my photos and found I had saved this once upon a time.
I guess this is your reminder that Huawei once tried this on, back when our spooks were contemplating not TICSA-signing-off on the next Huawei powered cellnet.
(In their defence, NZ probably really is this Basic that it shoulda worked.) Memgen(DRAKE_🫷👉, “Geostrategic competition”, “sportsball”);
I love that @thegrugq has such mindshare to be used as the name for a throwaway troll comment on @briankrebs site
My apologies to those parents triggered by my sneaking babyshark into yesterday's Risky Biz News bulletin ha ha #sorrynotsorry
One of the things I do these days at @riskybusiness is produce the podcast version of @campuscodi's Risky Biz News. The podcast ver is ~7-8mins, three times a week, read by Claire, our pro-newsreader, and it really is so good.
Today was episode 252(!), and if you're after a quick "what is going on in the cybers" while you walk the dog or head to work, there really is no better place to get it.
It's in our Risky Biz News RSS feed (or Apple, Spotify, etc etc), and the written one is at our (new, nazi-free, non-substack) https://news.risky.biz!
Profile: metlstorm@infosec.exchange