GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by Tanawts (enigma@infosec.exchange)

  1. Tanawts (enigma@infosec.exchange)'s status on Saturday, 05-Apr-2025 04:25:51 JST

    OK folks, I am hiring in the Seattle area for a SOC position. I am looking for candidates that have prior experience in CorpSec.

    Please help me get the word out, and reach out to me if you or someone you know is interested!

    https://careers.redfin.com/us/en/job/57086/Security-Operations-Engineer

    In conversation about a month ago from infosec.exchange
  2. Tanawts (enigma@infosec.exchange)'s status on Wednesday, 19-Mar-2025 14:49:54 JST
    • Kevin Beaumont

    @GossiTheDog am I tripping? Who watches the watchers?

    https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

    GitHub seems to only have logs for git protocol usage itself, but I don't seem to see logs for interactions like views on the www.github.com web portal itself, e.g. for things like who logged in to the web portal and viewed workflow logs that would contain base64 double-encoded passwords.

    Bing/CoPilot has an unsatisfactory answer as well:

    "How do I audit GitHub for people who looked at GitHub workflow logs?

    Unfortunately, GitHub doesn't provide a straightforward way to see who has viewed workflow logs. Logs are generally accessible to anyone with sufficient permissions in a repository, but GitHub doesn't track or display individual views on these logs."

    I don't think GitHub logs access to GitHub
    I think GitHub logs access to git

    In conversation about 2 months ago from infosec.exchange
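Added example (mine, not code from the post, GitHub or the linked blog): a Python scanner that pulls base64 runs out of retained workflow-log lines, peels one or two encoding layers, and flags decoded text that looks credential-like, so a defender can see what a log like the one described above actually exposed and rotate it. The log lines, the fake token and the hint list are all constructed for the example.

```python
import base64
import binascii
import re

# A run of standard-alphabet base64 long enough to carry a credential.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Credential-like markers in decoded text; a constructed, deliberately small list.
SECRET_HINTS = re.compile(r"(?i)(token|secret|password|passwd|api[_-]?key|ghp_|AKIA)")

def b64_to_text(chunk: str):
    """Decode one base64 layer; return printable text, or None if it is not text."""
    body = chunk.rstrip("=")  # re-pad so a truncated or over-padded run still decodes
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def peel_layers(chunk: str, max_layers: int = 2):
    """Strip up to max_layers of base64. Returns (layers_removed, plaintext) or None."""
    text, layers = chunk, 0
    while layers < max_layers:
        decoded = b64_to_text(text)
        if decoded is None:  # binary or non-base64: stop at the last text layer
            break
        text, layers = decoded, layers + 1
    return (layers, text) if layers else None

def scan_log(lines):
    """Return (line_no, layers, plaintext) for decoded runs that look like credentials."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in B64_RUN.finditer(line):
            result = peel_layers(m.group(0))
            if result and SECRET_HINTS.search(result[1]):
                findings.append((no, result[0], result[1]))
    return findings

# Constructed sample: a fake token, double base64-encoded the way the post describes,
# dropped into otherwise ordinary-looking runner output (the hex-like run is noise).
FAKE_SECRET = "GITHUB_TOKEN=ghp_constructedExampleValue0123456789"
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(FAKE_SECRET.encode())).decode()
SAMPLE_LOG = [
    "2025-03-14T12:00:01Z Run some-org/some-action@v1",
    "2025-03-14T12:00:02Z " + DOUBLE_ENCODED,
    "2025-03-14T12:00:03Z Checking out refs/heads/main at " + "ab" * 20,
]
```

Running `scan_log` over a real log download instead of `SAMPLE_LOG` gives the list of lines whose decoded content needs a rotation decision; the hint list is the knob to widen.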
  3. Tanawts (enigma@infosec.exchange)'s status on Sunday, 15-Sep-2024 23:34:36 JST
    • Kevin Beaumont

    @GossiTheDog yes, but do those max settings look pretty? ;)

    In conversation about 8 months ago from infosec.exchange
  4. Tanawts (enigma@infosec.exchange)'s status on Saturday, 07-Sep-2024 17:22:00 JST

    Endeavor to be the prism in the windchime

    Wield what is taken for granted and considered mundane in life

    Create music from the air, and fracture the light into rainbows of brilliance that dance to the tune

    Help others hear the melody, to see the beauty, and remember that the greatest thing you'll ever learn is just to love and be loved in return

    In conversation about 8 months ago from infosec.exchange
  5. Tanawts (enigma@infosec.exchange)'s status on Saturday, 03-Feb-2024 03:19:06 JST

    There is a recurring Tactic, Technique, and Procedure (TTP) that threat actors have been demonstrating as highly effective.
    It was most notably used by Lapsus$ and you can see the behavior copy+pasted in the majority of recent attacks:

    Opportunistic compromise of an account -> pore over generally unrestricted internal docs/wikis/repos -> obtain design details -> use discovered unremediated creds for informed lateral movement/follow-up attacks with more specific, deeper objectives/targets.

    In conversation about a year ago from infosec.exchange
  6. Tanawts (enigma@infosec.exchange)'s status on Saturday, 03-Feb-2024 03:19:04 JST
    in reply to

    Big takeaway for engineering teams & business leadership is -- you can no longer rely on the false sense of security-through-obscurity of your internal designs; attackers are deliberately targeting these for surgical strikes and it is no longer sensible to believe "the bad guys don't know how to attack our complex private internal systems/services because they don't understand how it's put together"; in reality they may very well understand it better than your own employees.

    In conversation about a year ago from infosec.exchange
  7. Tanawts (enigma@infosec.exchange)'s status on Wednesday, 31-Jan-2024 00:31:43 JST
    in reply to
    • Kevin Beaumont

    @GossiTheDog Remember when folks were bummed when Naughty Dog said: We made this really cool online multiplayer Last of Us game... but we've made a company decision NOT to be a live games company and instead focus on our core experience? Hats off to them for recognizing the challenge and sticking to convictions.

    Oooof, Rocksteady has been demonstrating the big pitfalls of trying to go from a rich stand-alone game dev model to having to staff and support live online services.

    :|

    In conversation about a year ago from infosec.exchange
  8. Tanawts (enigma@infosec.exchange)'s status on Tuesday, 30-Jan-2024 08:56:01 JST
    • Kevin Beaumont

    @GossiTheDog Of course my friend!

    https://telegra.ph/How-to-Receive-Microsoft-Breach-Notifications-10-21

    In conversation about a year ago from infosec.exchange
  9. Tanawts (enigma@infosec.exchange)'s status on Thursday, 25-Jan-2024 09:04:44 JST
    • Kevin Beaumont

    @GossiTheDog just wait for all the fun once the psyops and cyberops start flying in full swing leading up to the election

    In conversation about a year ago from infosec.exchange
  10. Tanawts (enigma@infosec.exchange)'s status on Monday, 22-Jan-2024 04:15:48 JST
    in reply to
    • Kevin Beaumont
    • Alex Stamos

    @GossiTheDog @alex -- I don't think this was from spraying M365 mailbox accounts... Reading between those lines, "Non-Prod-Test-Tenant Account" sounds a whole lot more like a "Service Account/Machine Account" used for a proof-of-concept tool/service; automation accounts aren't going to have MFA.

    There are a great many different services/tools that are granted delegated access to various different things; email being accessed sounds to me like perhaps it was an automation service meant to trigger actions based on access to mail content/interaction.

    In conversation about a year ago from infosec.exchange
  11. Tanawts (enigma@infosec.exchange)'s status on Friday, 08-Sep-2023 11:55:43 JST

    InfoSec family, I see you and I love you

    In conversation Friday, 08-Sep-2023 11:55:43 JST from infosec.exchange

    Attachments

    1. https://media.infosec.exchange/infosecmediaeu/media_attachments/files/111/026/098/257/704/586/original/0c2b07b5ed50d02b.webp

Tanawts

    Things are not always what they seem
    Redfin | Rent Head of Information Security
    Former Ubisoft Director of Security Operations
    Microsoft Alumni | Former Director of MSRC's Cloud Incident Response | He/Him/Hrm | Philosopher & Ninja
    SANS: GCIH #16353 - Certified Incident Handler
    GWAPT #3274 - Web Application Pen Tester
    GXPN #164 - Exploit Researcher and Advanced Penetration Tester

    Tags: (None)

    Following 0
    Followers 0
    Groups 0

    Statistics
    User ID: 168805
    Member since: 8 Sep 2023
    Notices: 11
    Daily average: 0

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.