Interesting statement filed in the case against the Treasury and DOGE which gives us some cybersecurity insights. Here's the key takeaways:
- Only a single DOGE employee (25 year old engineer Marko Elez) has direct access to the Treasury payment systems.
- The DOGE employee was only allowed to access the systems from an encrypted government issued laptop.
- The government issued laptop is equipped with monitoring software, data loss prevention, and tools to block internet access and use of removable storage devices.
- Strict instructions were given that no data could leave this laptop for the duration of the engagement.
- The employee was meant to only have read access to Treasury systems, but was accidentally granted write access.
- Following the accident, the employee's laptop was examined and it was concluded that no data had been written during the mistake.
- After the employee temporarily resigned over racist Twitter posts, all access was revoked, and all government issued equipment was recovered.
- The DOGE employee shared updates about his work with another DOGE employee, which "may have occasionally included screenshots of payment systems data or records"
My take: If true, it seems that unlike other instances at different agencies, the Treasury abided by strict security protocols.
My only real cybersecurity questions here are:
1) The document claims screenshots of payment records were shared with another DOGE employee. It doesn't specify how they were shared. Was it just the authorized employee showing his screen to someone, or were they transmitted outside of the laptop? If it's the latter, then it calls much of the claims made in the article into question.
2) This statement isn't clear "The Bureau enabled enhanced monitoring on his laptop, which included the ability to monitor and block website access, block the use of external peripherals (such as USB drives or mass storage devices), monitor any scripts or commands executed on the device, and block access to cloud-based storage services."
The use of the phrase "included the ability to" isn't really clear on if those security controls were actually being enforced. The phrasing could simply mean they enabled software that had those capabilities, but they weren't being used.
Now, cybersecurity aside, the bigger question is what was the purpose of any of this? To audit something as complex as a treasury payment systems, you'd need teams of forensic accountants.
A single 25 year old software engineer with no prior treasury experience poking around some files on a laptop is not an audit. The entire DOGE operation seems like a charade. The organization consists almost entirely of young engineers pulled from Musk's other companies, has produced no plan for how they intend to audit any of these systems, and lacks any oversight at all.
Lol, Florian is big mad because I called him out for defending a Nazi salute and spreading AfD (German Neo-Nazi party) propaganda.
It's true though, I do dislike him for other reasons. I've disliked him ever since 2020 when I had to unfollow him for posting MAGA nonsense. I then disliked him even more when he decided not to respect my decision to leave Twitter and kept reposting my posts there without my permission while simultaneously mocking my choice to leave, and now that he's gone full blown mask-off neo-Nazi, I dislike him close to the maximum amount I can dislike a person.
When someone is comfortable with making posts supporting the AfD, defending a Nazi salute, and mocking trans people & DEI from their professional account under their real name, you can only wonder what they do in private. I'm certainly not comfortable sharing a space with someone like that, and I'm sure many others aren't either.
My first interaction with the founder, Marshal Webb, was in 2016 when the company was called "BackConnect". I'd recently posted a research paper on the Mirai botnet, which led to him harassing me online, simply because he considered himself to be the sole authority on Mirai.
It later turned out that a lot of his knowledge came from the fact that he was personally hosting the threat actors' infrastructure, and therefore had direct insight into the botnet. He tried to play it off as an "intelligence gathering operation". Everyone knew he was really just in bed with the threat actors, but nobody could prove it enough to make a case against him.
At some point shortly after, a DDoS-for-hire service got hacked and its entire customer database along with all DDoS attack logs was leaked online. One of the records traced back to an employee of his DDoS mitigation firm, and from a combination of attack logs and corroboration with customers, it was determined that they had been launching DDoS attacks against businesses, then cold calling them to sell DDoS protection services.
It was fairly apparent from the fact the emails coincided with the DDoS attacks, but did not originate from the employee performing the attacks, that the company was in on it, and this wasn't the work of some rogue employee. Nevertheless, said employee got thrown under the bus, convicted, and was unsuccessful in proving that his employer was in on the conspiracy, although they most certainly were.
Eventually, the founder ended up being named in some kind of criminal complaint or other FBI related court document. The specific wording seemed to imply that he'd gotten caught doing something illegal enough that he'd become an informant to save himself. Amusingly, when the document surfaced, the company just issued a press release about how they were "helping the FBI stop crime" and nothing came of it.
The company has always been shady as hell, and while it's not abnormal for cybersecurity firms to hire reformed hackers, I've not seen a single employee who was not directly involved in cybercrime immediately prior to getting hired. Furthermore, multiple employees have been caught committing cybercrime while working for the company.
Originally, when I posted this thread on February 6th, I stopped short of any allegation that Edward himself was involved in cybercrime. Since then @briankrebs was able to trace his aliases back to a known cybercrime organization and confirm he indeed was directly involved in cybercrime as recently as May 2024.
I went back to the Nerd Reich website to see who in infosec was defending the Nazi salute, and wasn't super surprised to see Florian Roth. He's spent the last few months posting pro-AfD (German Neo-Nazi party) propaganda and interacting with AfD accounts in his replies. Just a heads up for those of you who work with him.
I don’t think I’ve ever seen a more perfect reading of Biden’s statement where he waited until the last day of his presidency to tell everyone that they live in an oligarchy
None of this feels like the result of any technical limitations. I'm pretty sure they're just trying to maximize their engagement metrics at the expense of Mastodon. IMO Threads should be defederated until they "figure out" how to implement actual federation.
Someone has been flooding Bluesky with bots that use ChatGPT to respond to random posts, disagreeing with whatever the author says in a polite but annoying way. I have no idea what the goal is, but it kind of just makes it feel like Twitter before generative AI
A hill I'll die on every time: NAT is a security feature. It wasn't intended as one, it shouldn't be used as one, but it IS one. If I go into my router and disable the firewall, then do the same on every device I own, not a single extra device on my network becomes publicly exposed. That is security. It makes it hard for users with poor cybersecurity awareness to accidentally expose devices to the entire internet. If we disabled UPnP by default, we'd see a huge drop in automated exploitation.
This year I'll be featuring in TryHackMe's Advent Of Cyber!
Every day until Christmas they'll be releasing a cool new Cybersecurity challenge. It's free to join and there's over $100k in prizes to be won! https://tryhackme.com/r/christmas
FWIW, Bluesky is probably worth also maintaining a presence on. They went the decentralized route too, and it took a bit of time but the users finally managed to bully Jack into leaving the company and selling all of his ownership.
Hello Sharks, I'm seeking $50bn for my business. My idea is that we build the same business that already exists, but instead of just paying a living wage, we spend 50x that amount trying to replace the employees with extremely expensive and unsustainable arrays of graphic cards that guess sentences
Dang, I got put in LinkedIn jail over my choice of words for that dude. I won't say I didn't deserve it, but if anyone here works for LinkedIn and wants to get me released early for good behavior, I won't commit any more crimes I promise
CUPS Vulnerability Attack Surface Data
Since there were some questions about the severity of the CUPS vulnerability due to it requiring the presence of the cups-browsed daemon and UDP port 631 being open to the internet, I performed a global scan to gather more data.
Of the 61,763 systems I found which had CUPS exposed to the internet, 13,289 of them returned a valid response when probed on UDP port 631, indicating the port was reachable and cups-browsed daemon was running.
The top affected countries are as follows: US: 3381, DE: 2790, RU: 853, FR: 724, NL: 634, SG: 582, IN: 579, FI: 566, GB: 533, CA: 282, BR: 227, JP: 202, KR: 151, ID: 141, PL: 136, CN: 131, HK: 121
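The scan above counts hosts where cups-browsed answers on UDP 631. The local-host equivalent of that condition, as an added example that is not part of the original post and not a tool the author used, is the check below. It assumes the socket inventory is the text output of `ss -ulnp` (the sample is constructed, not captured from a real host) and that the daemon's remote-browsing behaviour is governed by the `BrowseRemoteProtocols` directive in /etc/cups/cups-browsed.conf, which defaults to `dnssd cups` when absent; treating any value that omits `cups` (for example `none`) as "does not accept remote CUPS browse packets" is this example's assumption.

```python
"""
Local exposure check for cups-browsed (added example, not from the original post).

A host is flagged as exposed when both hold:
  1. a UDP socket on port 631 is bound to a non-loopback address, and
  2. cups-browsed's BrowseRemoteProtocols still includes the legacy "cups"
     browse protocol (the default when the directive is absent).
Input is the text of `ss -ulnp` and the contents of cups-browsed.conf.
"""
import re

# Constructed sample of `ss -ulnp` output; the pids and fds are made up.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=500,fd=5))
UNCONN 0      0               [::]:631          [::]:*     users:(("cups-browsed",pid=1234,fd=8))
"""

# Constructed sample configurations: one left at the default, one hardened.
SAMPLE_CONF_EXPOSED = """\
# constructed sample cups-browsed.conf
BrowseRemoteProtocols dnssd cups
BrowseAllow all
"""

SAMPLE_CONF_HARDENED = """\
BrowseRemoteProtocols none
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")
DEFAULT_PROTOCOLS = "dnssd cups"  # cups-browsed default when the directive is absent


def udp631_listeners(ss_output):
    """Return (local_address, process_name) for every UDP socket bound to port 631."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[3].rpartition(":")  # handles "[::]:631" as well as "0.0.0.0:631"
        if port != "631":
            continue
        m = re.search(r'users:\(\("([^"]+)"', line)
        found.append((addr, m.group(1) if m else "unknown"))
    return found


def browse_remote_protocols(conf_text):
    """Parse the effective BrowseRemoteProtocols value (last directive wins)."""
    value = DEFAULT_PROTOCOLS
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "browseremoteprotocols":
            value = rest.strip().lower()
    return value.split()


def assess(ss_output, conf_text):
    """Combine the socket inventory and the config into one exposure verdict."""
    listeners = udp631_listeners(ss_output)
    public = [(a, p) for a, p in listeners if not a.startswith(LOOPBACK_PREFIXES)]
    protocols = browse_remote_protocols(conf_text)
    return {
        "listeners": listeners,
        "public_listeners": public,
        "protocols": protocols,
        "exposed": bool(public) and "cups" in protocols,
    }


if __name__ == "__main__":
    for label, conf in (("default config", SAMPLE_CONF_EXPOSED),
                        ("hardened config", SAMPLE_CONF_HARDENED)):
        verdict = assess(SAMPLE_SS_OUTPUT, conf)
        print(f"{label}: exposed={verdict['exposed']} "
              f"public_listeners={verdict['public_listeners']} protocols={verdict['protocols']}")
```

This only tells you whether the host itself is listening and willing to process remote browse packets; whether UDP 631 is actually reachable from the internet, which is what the scan above measured, additionally depends on the firewall and NAT in front of the host, so a "not exposed" verdict here is a local statement, not an external one.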
My Google history from today legit makes me look like a straight up terrorist. There was speculation that the pager explosions were triggered by overheating the batteries (which is what led to the whole "it was malware" insane speculation).
It's pretty much widely accepted at this point that the pagers were intercepted and implanted with PETN, but that doesn't actually answer the question. PETN is a secondary explosive (i.e. it's fairly stable and highly resistant to detonation from force or ignition). So the (IMO) most interesting question, which is currently still unanswered, is how did they detonate the PETN, and how did they build a detonator that would not be discovered by inspection, explosive detectors, etc.
While malware is 100% out of the question, custom lithium batteries could be made with a mechanism designed to reliably cause thermal runaway via an internal short circuit. So, I was curious if theoretically you could use a maliciously modified LiPo battery as a detonator for PETN.
What I can gather from my research is that PETN can't reliably be detonated by an open flame, and the heat produced by thermal runaway from a LiPo battery would be so hot that it would actually cause the PETN to undergo chemical decomposition and become inactive.
So, basically, the result of my entire Google history now looking like "hello, yes, CIA, I am doing a terrorism" is thermal runaway as a trigger is unlikely.