🎓️ Vulnerable U | #021

Exaggerate the Basics, Honoring Kevin Mitnick, Military Emails Leaked, and the Death of Infosec Twitter

Read Time: 8 minutes

Howdy friends!

Writing you from a record-breaking heat week here in Texas. I tried to plan my escape for a bit, but the lack of dog sitting kept me grounded until I fly out to the frosty Las Vegas, NV, for hacker summer camp.

Decided that I could use some more tattoos and shorter shorts to cope with that news.

Bzzz

Sneak Peek at the Blog of the Week:

Something you might not have known about me: I’m a volleyball player.

Well, at least I was when my knees were better, and my teenage body could sustain on nothing but McDonald’s, Pizza, and Bagels like every other New York City kid.

At a point, I was competitive, played in a few championships, lots of beach tournaments, etc.

One year, I tried out for a club coached by a local legend named Merlin. This was a turning point for my skill development, and I vividly remember why.

He said something that has rattled around my brain for the roughly two and a half decades since I heard it: “Exaggerate the basics of your mechanics. Do it as if you’re mocking yourself about how you’re supposed to do it.”

Let me set the scene a bit more. When you’re first starting a sport, you’re learning a lot and getting drilled on basic mechanics. But by the time you get to the intermediate skill level, some of those basics feel less exciting than the new fun stuff your body can do. Fancy attacks, cool new plays, tricky stuff, and maybe you start phoning in the things you learned early on.

Then here I am, trying out for a competitive travel team, and this absolute legend is telling me to bend my f’n knees again.

Yeah, dude, I know how to bend my knees… Or so I thought!

Watching back video we took during the tryout showed that I was barely doing anything at all. He had me run it back and exaggerate everything I learned in year one; bending as low as possible, waiting for the ball, and swinging my arms on my approach. “Make it look funny,” he said.

…This idea of drilling the basics even as you master your craft is foundational to excellence.

In this episode:

  • Exaggerate the Basics

  • Kevin Mitnick Obituary - Las Vegas, NV

  • Details of a Malicious Visual Studio OpenAI Package

  • Typo leaks millions of US military emails to Mali web operator

  • Airline Phone Numbers are Being Replaced on Google Maps to Scammer Numbers

  • Man allegedly killed girlfriend after she took an AirTag off her car that he put there

  • Thousands of images on docker hub leak auth secrets, private keys

  • The Death of Infosec Twitter | Cyentia Institute

  • Microsoft has changed its cloud logging policies to include more detail in response to recent hacks and partnership with CISA

  • Fake passports, real bank accounts: How TheTruthSpy stalkerware made its millions | TechCrunch

  • Google restricting internet access to some employees to reduce cyber attack risk

  • Google says Apple employee found a zero day but didn’t report it

ICYMI

🖊️ Something I wrote: I asked Twitter what their most expensive mistake was. It’s fun to read all the answers. (a lot of folks say college or their first marriage)

🎧️ Something I heard: Andrew Huberman’s show this week was on the Growth Mindset! We’ve done a few segments on that here at Vuln U so needless to say I was stoked.

🎤 Something I said: We released another episode of the Vulnerable U Podcast. We’ve gone with a different format to split the news into its own episode. Check it out and let me know what you think! It’s also on Spotify and all other podcast platforms. (Like and Subscribe if you dig it)

🔖 Something I read: I’m progressing well on Outlive - The Science & Art of Longevity by Peter Attia. Great book on often overlooked areas of our health.

Vulnerable News

There isn’t a more legendary name in cybersecurity than Kevin Mitnick. I remember hearing about Kevin’s famous social engineering and early computer hacks when I was in school in the 90s. I did have the pleasure of meeting Kevin a few times, and he was always nothing but nice to me and anyone else who inevitably couldn’t figure out what to say to him in a hotel lobby at a conference while he was getting a lot of attention. We here at Vuln U send our thoughts to his friends and family. (Read more)

Popular YouTuber ThioJoe almost got caught by a malicious package in Visual Studio but was saved by his paranoid AppLocker settings. The other clue he noticed was a Cyrillic character in the package name that looked close to a lowercase “n” but wasn’t. Good eye, Joe, and thanks for the detailed write-up. (Read more)
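A quick way to catch that kind of look-alike character before installing anything, as an added example that is not from ThioJoe's write-up: the package names are constructed, and the Cyrillic letter used (U+043F) is an assumption, not necessarily the one in the real package.

```python
import unicodedata

def letter_scripts(name: str) -> dict:
    """Group the letters of a package name by script, keeping position and code point."""
    scripts = {}
    for pos, ch in enumerate(name):
        if not ch.isalpha():
            continue  # digits, '-', '_' and '.' carry no script
        # The first word of the Unicode character name serves as a rough script label,
        # e.g. 'LATIN SMALL LETTER N' -> 'LATIN', 'CYRILLIC SMALL LETTER PE' -> 'CYRILLIC'.
        uname = unicodedata.name(ch, "UNKNOWN")
        script = uname.split()[0]
        scripts.setdefault(script, []).append((pos, f"U+{ord(ch):04X}", uname))
    return scripts

def audit_package_name(name: str) -> list:
    """Return human-readable findings; an empty list means plain Latin letters only."""
    scripts = letter_scripts(name)
    findings = []
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    for script, hits in scripts.items():
        if script == "LATIN":
            continue
        for pos, codepoint, uname in hits:
            findings.append(f"position {pos}: {codepoint} {uname}")
    return findings

# Constructed sample names: the second swaps the Latin 'n' for a Cyrillic look-alike.
SAMPLES = ["openai-helper", "ope\u043fai-helper"]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_package_name(sample)
        # ascii() makes the hidden character visible as an escape sequence.
        print(ascii(sample), "->", result if result else "ok")
```

Printing the name with `ascii()` is the useful habit here: the two names render almost identically in most fonts, but the escape sequence gives the impostor away.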

This one is ridiculous. The government has sent very sensitive emails to .ml (Mali) instead of .mil (Military) email addresses. A Dutch researcher has been collecting the misdirected emails, and to let you know how bad it is, there have been over 100k since January 2023. Emails in the story include travel plans and hotel room numbers for top Generals. Read Kim Zetter’s Twitter thread on this, too, for more info. (Read more)

Great outline of how a passenger on a Delta flight from JFK was trying to reach customer service to change his flight. He Googled the number, dialed it, and wound up in an Indian call center scam. Good on him for realizing the red flags of them calling him back from an odd number, demanding texts from him, and then requiring payment info over the phone. Upon further digging, all major airlines’ Google Maps numbers were replaced with scam centers via user suggestions. Some thoughts by Katie Nickels here on this as well. (Read more)

An important read for us in the security and privacy industry. All tech we’ve ever created has been misused to exploit others. This tragedy could’ve been prevented if we believed the victim the first few times a protection order was issued. Instead, the murderer continued to stalk, which escalated to planting an AirTag on her car. We must believe victims before the consequences get as far as they did this time. (Read more)

We've seen this a lot on GitHub repos, but it seems there is another growing way to accidentally publish private keys: Your container images. The German researchers from RWTH Aachen University analyzed 337,171 images from Docker Hub and thousands of private registries. The shocking finding? 8.5% of these images contain sensitive data such as private keys and API secrets. (Read more)

As a creature born into and raised in Infosec Twitter, this research by Jay Jacobs at Cyentia Institute is heartbreaking. We all could feel the difference, but Jay presents some data to quantify what we’ve felt. The exodus of many that used to make their online home on Twitter to platforms like Mastodon, Bluesky, and Threads is proven out in Jay’s numbers, counting occurrences of key infosec terms that only we talk about. There has been a steep drop-off lately in discussions of security research. The kicker? Jay can no longer run the numbers on this data because their API usage got cut off by Elon’s policy changes. (Read more)

“Microsoft has announced that in Sept, it will make 31 critically important security logs available free to licensees of its lower-cost cloud services, including the email log that was used to identify the recent China attack.” (Read more)

Incredibly good reporting by Zack Whittaker at TechCrunch detailing a sophisticated spyware operation. Spyware and stalkerware organizations repeatedly prove that their security practices are lackluster and that they themselves are getting owned. This time the leaked documents allowed us to get a look behind the curtain at how intricate the operation needed to be to continue to use mainstream payment processors in the States. (Read more)

We joke in the industry often that the only secure computer is one that is unplugged. Well, Google is unplugging at least the Internet from some internal employees’ computers. I can attest that I’ve worked in an “allowlist only” access to the internet environment, and it’s challenging to productivity, to say the least. But we made do, and I’m sure there will be pros and cons to this Google experiment. (Read more)

Google and Apple are always at the center of vuln disclosure conversations. Google famously will publicly disclose zero-days after giving the vendors 90 days to fix them. In this case, an Apple employee found a zero-day during a CTF competition and sat on it. Another CTF teammate disclosed the bug to Google after discovering the Apple employee hadn’t done so yet. (Read more)

Miscellaneous mattjay

Congrats, Clint, on a huge milestone! 18k subs for tl;dr sec. Clint has been very helpful on my Vulnerable U journey, and we’re stoked to see the community still loving the work he puts into tl;dr sec every week.

@moodydoodie

#stitch with @Adam West this is a cry for help (from the birbs) #fyp #fy #birds

This is a good reminder to address real risks instead of doing what sounds right or what some checklist tells you. Exaggerate the basics!

Cool tool I found to convert potentially dangerous PDFs into benign ones by copying them pixel by pixel in a sandbox into a new picture and then creating a new PDF - https://dangerzone.rocks/

The Journey is the goal:

Extra Credit

Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay