Twitter dipshit: "the cybersecurity people have lots of sex and also don't baselessly claim the election is rigged, it's a total travesty"
Me: "where do I sign up?"
This is the kind of high quality cybersecurity content you only get on X dot com. "People support the cybersecurity guy who said the election wasn't rigged because cybersecurity is full of leftists & sexual perversion"
(Note: Chris Krebs is a lifelong Republican & Trump nominee, not even remotely left-wing).
Just woke up to find out the president has revoked the security clearances of everyone at a cybersecurity company because Chris Krebs went to work there. Krebs was his director for the agency in charge of Cybersecurity & Election Security during his first term and refuted his claim the 2020 election was "stolen".
Revoking the clearance of every employee basically kills the company's ability to do government contracts, which is a major source of revenue for cybersecurity companies. The White House press release also restates the false claim that the 2020 election was "rigged and stolen".
The US is basically a fascist dictatorship at this point. One where the president goes after entire companies because a single person spoke out against his verifiably false claims. You'd have to be completely insane to travel here right now.
I bought $200 worth of stuff from Costco this week and they bought $0 worth of stuff from me. To resolve this deficit I will be charging myself $50 every time I go to the store. With this extra income I will build toasters, which I will attempt to sell to my local Costco for $200 each.
What Is Fast Flux And Why Is The NSA Calling It A National Security Threat?
@GossiTheDog Wait, so he basically saddled all the private equity investors in his startup with the Twitter debt? lmfaooooo
DDoS attacks almost always originate from hacked devices. The country/countries that the traffic originates from has never been an indicator of who's behind the attack. Musk's implication that Ukraine was responsible for the Twitter DDoS attack based on seeing some traffic originating from Ukrainian IPs is just dangerous speculation.
I've mapped botnets professionally for a decade, and all that looking at IP address locations tells you is the geographical distribution of compromised devices. When you plot this kind of data on a chart, you typically just get a heat map of population density, slightly skewed by economic factors. Nations with larger populations tend to have more devices, but developing nations tend to have a higher percentage of older less secure devices, which are more likely to be hacked and recruited into botnets.
Really great thread on Bluesky by @Tarah about the disparity between economic indicators and voters' actual lived experience.
@mkoek @Tarah People's feelings. People don't vote based on economic indicators, they vote based on how they feel and what they think will help them.
Interesting statement filed in the case against the Treasury and DOGE which gives us some cybersecurity insights. Here are the key takeaways:
- Only a single DOGE employee (25 year old engineer Marko Elez) has direct access to the Treasury payment systems.
- The DOGE employee was only allowed to access the systems from an encrypted government issued laptop.
- The government issued laptop is equipped with monitoring software, data loss prevention, and tools to block internet access, and use of removable storage devices.
- Strict instructions were given that no data could leave this laptop for the duration of the engagement.
- The employee was meant to only have read access to treasury systems, but was accidentally granted write access.
- Following the accident, the employee's laptop was examined and it was concluded that no data had been written during the mistake.
- After the employee temporarily resigned over racist Twitter posts, all access was revoked, and all government issued equipment was recovered.
- The DOGE employee shared updates about his work with another DOGE employee, which "may have occasionally included screenshots of payment systems data or records"
My take:
If true, it seems that unlike other instances at different agencies, the Treasury abided by strict security protocols.
My only real cybersecurity questions here are:
1) The document claims screenshots of payment records were shared with another DOGE employee. It doesn't specify how they were shared. Was it just the authorized employee showing his screen to someone, or were they transmitted outside of the laptop? If it's the latter, then it calls much of the claims made in the article into question.
2) This statement isn't clear "The Bureau enabled enhanced monitoring on his laptop, which included the ability to monitor and block website access, block the use of external peripherals (such as USB drives or mass storage devices), monitor any scripts or commands executed on the device, and block access to cloud-based storage services."
The use of the phrase "included the ability to" isn't really clear on if those security controls were actually being enforced. The phrasing could simply mean they enabled software that had those capabilities, but they weren't being used.
Now, cybersecurity aside, the bigger question is what was the purpose of any of this? To audit something as complex as a treasury payment system, you'd need teams of forensic accountants.
A single 25 year old software engineer with no prior treasury experience poking around some files on a laptop is not an audit. The entire DOGE operation seems like a charade. The organization consists almost entirely of young engineers pulled from Musk's other companies, has produced no plan for how they intend to audit any of these systems, and lacks any oversight at all.
Lol, Florian is big mad because I called him out for defending a Nazi salute and spreading AfD (German Neo-Nazi party) propaganda.
It's true though, I do dislike him for other reasons. I've disliked him ever since 2020 when I had to unfollow him for posting MAGA nonsense. I then disliked him even more when he decided not to respect my decision to leave Twitter and kept reposting my posts there without my permission while simultaneously mocking my choice to leave, and now that he's gone full blown mask-off neo-Nazi, I dislike him close to the maximum amount I can dislike a person.
When someone is comfortable with making posts supporting the AfD, defending a Nazi salute, and mocking trans people & DEI from their professional account under their real name, you can only wonder what they do in private. I'm certainly not comfortable sharing a space with someone like that, and I'm sure many others aren't either.
Oh man, I have so many stories about the "startup" (Path Network), which the 19-year-old DOGE employee, Edward Coristine previously worked for.
https://www.wired.com/story/edward-coristine-tesla-sexy-path-networks-doge/
My first interaction with the founder, Marshal Webb, was in 2016 when the company was called "BackConnect". I'd recently posted a research paper on the Mirai botnet, which led to him harassing me online, simply because he considered himself to be the sole authority on Mirai.
It later turned out, that a lot of his knowledge came from the fact that he was personally hosting the threat actors' infrastructure, therefore had direct insight into the botnet. He tried to play it off as an "intelligence gathering operation". Everyone knew he was really just in bed with the threat actors, but nobody could prove it enough to make a case against him.
At some point shortly after, a DDoS-for-hire service got hacked and its entire customer database along with all DDoS attack logs was leaked online. One of the records traced back to an employee of his DDoS mitigation firm, and from a combination of attack logs and corroboration with customers, it was determined that they had been launching DDoS attacks against businesses, then cold calling them to sell DDoS protection services.
It was fairly apparent from the fact the emails coincided with the DDoS attacks, but did not originate from the employee performing the attacks that the company was in on it, and this wasn't the work of some rogue employee. Nevertheless, said employee got thrown under the bus, convicted, and was unsuccessful in proving that his employer was in on the conspiracy, although they most certainly were.
Eventually, the founder ended up being named in some kind of criminal complaint or other FBI related court document. The specific wording seemed to imply that he'd gotten caught doing something illegal enough that he'd become an informant to save himself. Amusingly, when the document surfaced, the company just issued a press release about how they were "helping the FBI stop crime" and nothing became of it.
The company has always been shady as hell, and while it's not abnormal for cybersecurity firms to hire reformed hackers, I've not seen a single employee who was not directly involved in cybercrime immediately prior to getting hired. Furthermore, multiple of the employees have been caught committing cybercrime while working for the company.
Originally, when I posted this thread on February 6th, I stopped short of any allegation that Edward himself was involved in cybercrime. Since then @briankrebs was able to trace his aliases back to a known cybercrime organization and confirm he indeed was directly involved in cybercrime as recently as May 2024.
You can find Brian's Mastodon thread on the matter here:
https://infosec.exchange/@briankrebs/113965646509637016
https://infosec.exchange/@briankrebs/113957683483583881
The entire tech industry right now
I went back to the Nerd Reich website to see who in infosec was defending the Nazi salute, and wasn't super surprised to see Florian Roth. He's spent the last few months posting pro-AfD (German Neo-Nazi party) propaganda and interacting with AfD accounts in his replies. Just a heads up for those of you who work with him.
I don’t think I’ve ever seen a more perfect reading of Biden’s statement where he waited until the last day of his presidency to tell everyone that they live in an oligarchy
None of this feels like the result of any technical limitations. I'm pretty sure they're just trying to maximize their engagement metrics at the expense of Mastodon. IMO Threads should be defederated until they "figure out" how to implement actual federation.
@GossiTheDog Just back up a bit and you'll be back at LAX lol
Someone has been flooding Bluesky with bots that use ChatGPT to respond to random posts, disagreeing with whatever the author says in a polite but annoying way. I have no idea what the goal is, but it kind of just makes it feel like Twitter before generative AI
A hill I’ll die on every time: NAT is a security feature. It wasn’t intended as one, it shouldn’t be used as one, but it IS one. If I go into my router and disable the firewall, then do the same on every device I own, not a single extra device on my network becomes publicly exposed. That is security. It makes it hard for users with poor cybersecurity awareness to accidentally expose devices to the entire internet. If we disabled UPnP by default, we’d see a huge drop in automated exploitation.