🎓️ Vulnerable U | #021
Exaggerate the Basics, Honoring Kevin Mitnick, Military Emails Leaked, and the Death of Infosec Twitter
Read Time: 8 minutes
Writing you from a record-breaking heat week here in Texas. I tried to plan my escape for a bit, but the lack of dog sitting kept me grounded until I fly out to the frosty Las Vegas, NV, for hacker summer camp.
Decided that I could use some more tattoos and shorter shorts to cope with that news.
Sneak Peek at the Blog of the Week:
In this episode:
Exaggerate the Basics
Kevin Mitnick Obituary - Las Vegas, NV
Details of a Malicious Visual Studio OpenAI Package
Typo leaks millions of US military emails to Mali web operator
Airline Phone Numbers are Being Replaced on Google Maps to Scammer Numbers
Man allegedly killed girlfriend after she took an AirTag off her car that he put there
Thousands of images on docker hub leak auth secrets, private keys
The Death of Infosec Twitter | Cyentia Institute
Microsoft has changed its cloud logging policies to include more detail in response to recent hacks and partnership with CISA
Fake passports, real bank accounts: How TheTruthSpy stalkerware made its millions | TechCrunch
Google restricting internet access to some employees to reduce cyber attack risk
Google says Apple employee found a zero day but didn’t report it
🖊️ Something I wrote: I asked Twitter what their most expensive mistake was. It’s fun to read all the answers. (a lot of folks say college or their first marriage)
🎧️ Something I heard: Andrew Huberman’s show this week was on the Growth Mindset! We’ve done a few segments on that here at Vuln U so needless to say I was stoked.
🎤 Something I said: We released another episode of the Vulnerable U Podcast. We’ve gone with a different format to split the news into its own episode. Check it out and let me know what you think! It’s also on Spotify and all other podcast platforms. (Like and Subscribe if you dig it)
🔖 Something I read: I’m progressing well on Outlive - The Science & Art of Longevity by Peter Attia. Great book on often overlooked areas of our health.
There isn’t a more legendary name in cybersecurity than Kevin Mitnick. I remember hearing about Kevin’s famous social engineering and early computer hacks when I was in school in the 90s. I did have the pleasure of meeting Kevin a few times, and he was always nothing but nice to me and anyone else who inevitably couldn’t figure out what to say to him in a hotel lobby at a conference while he was getting a lot of attention. We here at Vuln U send our thoughts to his friends and family. (Read more)
Popular YouTuber ThioJoe almost got caught by a malicious package in Visual Studio but was saved by his paranoid AppLocker settings. The other clue he noticed was a Cyrillic character in the package name that looked close to a lowercase “n” but wasn’t. Good eye, Joe, and thanks for the detailed write-up. (Read more)
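The homoglyph trick above is cheap to catch before a package gets installed. Here is an added example (mine, not ThioJoe’s or any package manager’s code) that audits a package name for non-ASCII characters and mixed scripts; the sample names are constructed, and the Cyrillic “п” (U+043F) standing in for “n” is an assumption, since the write-up does not name the exact code point.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Script family taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def audit_package_name(name: str) -> list[str]:
    """Return warnings for characters that make a package name visually ambiguous.

    Two checks: any non-ASCII character is reported with its code point, and an
    identifier that mixes scripts (Latin plus Cyrillic, Greek, ...) is reported,
    because that is exactly how a lookalike name slips past a human reviewer.
    """
    warnings = []
    scripts = set()
    for pos, ch in enumerate(name):
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        scripts.add(script_of(ch))
        warnings.append(
            f"position {pos}: non-ASCII {ch!r} U+{ord(ch):04X} "
            f"({unicodedata.name(ch, 'UNKNOWN')})"
        )
    if len(scripts - {"UNKNOWN"}) > 1:
        warnings.append(f"mixed scripts in one identifier: {sorted(scripts)}")
    return warnings


# Constructed samples: a clean name and the same name with a Cyrillic lookalike
# in place of the Latin "n" (assumed character, see lead-in).
SAMPLES = ["openai-helper", "ope\u043fai-helper"]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_package_name(sample)
        print(sample, "->", result or "looks clean")
```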
This one is ridiculous. The government has been sending very sensitive emails to .ml (Mali) addresses instead of .mil (Military) ones. A Dutch researcher has been collecting the misdirected emails, and there have been over 100k since January 2023, which gives you an idea of how bad it is. Emails in the story include travel plans and hotel room numbers for top generals. Read Kim Zetter’s Twitter thread on this, too, for more info. (Read more)
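A one-character typo in a TLD is the kind of thing an outbound mail gateway can flag before the message leaves. As an added example (not from the story or any real DLP product), this check compares a recipient’s domain against a watch list of protected domains and flags near-misses within one edit; the watch-list domains are constructed placeholders, not real .mil hosts.

```python
def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed watch list: the domains whose near-misses we want to stop.
PROTECTED_DOMAINS = {"example-base.mil", "hq-placeholder.mil"}


def flag_recipient(address: str, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return the protected domain that `address` is a near-miss of, else None.

    An exact match is legitimate mail and is not flagged; a domain within
    `max_distance` edits (example-base.ml vs example-base.mil) is flagged so the
    gateway can hold the message for review instead of delivering it to Mali.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower().rstrip(".")
    if domain in protected:
        return None
    for good in protected:
        if levenshtein(domain, good) <= max_distance:
            return good
    return None


if __name__ == "__main__":
    # Constructed sample recipients, the middle one is the typo case.
    for rcpt in ["staff@example-base.mil", "staff@example-base.ml", "x@unrelated.com"]:
        print(rcpt, "->", flag_recipient(rcpt) or "ok")
```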
Great outline of how a passenger on a Delta flight from JFK tried to reach customer service to change his flight. He Googled the number, dialed it, and wound up talking to an Indian call center scam. Good on him for spotting the red flags: them calling him back from an odd number, demanding texts from him, and then requiring payment info over the phone. Upon further digging, all major airlines’ Google Maps numbers had been replaced with scam call centers via user suggestions. Katie Nickels has some thoughts on this here as well. (Read more)
An important read for us in the security and privacy industry. All tech we’ve ever created has been misused to exploit others. This tragedy could’ve been prevented if we believed the victim the first few times a protection order was issued. Instead, the murderer continued to stalk, which escalated to planting an AirTag on her car. We must believe victims before the consequences get as far as they did this time. (Read more)
We've seen this a lot in GitHub repos, but it seems there is another growing way to accidentally publish private keys: your container images. Researchers from RWTH Aachen University in Germany analyzed 337,171 images from Docker Hub and thousands of private registries. The shocking finding? 8.5% of these images contain sensitive data such as private keys and API secrets. (Read more)
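An image layer is just a tar archive, so the cheapest pre-push control is to scan each layer for key material before it reaches a registry. This added example (my own, not the RWTH Aachen researchers’ tooling) builds a tiny constructed layer in memory with one leaked SSH key and one fake AWS access key ID, then scans it; the patterns and file contents are constructed and the key ID is not a real credential.

```python
import io
import re
import tarfile

# Patterns for the two classes of material the study calls out. The AWS pattern
# is the well-known AKIA prefix plus 16 uppercase alphanumerics.
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}
MAX_BYTES = 1 << 20  # inspect only the first MiB of each file to bound cost


def scan_layer(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Scan one layer tarball and return (path, finding) pairs, in archive order."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read(MAX_BYTES)
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, label))
    return findings


def build_sample_layer() -> bytes:
    """Construct a layer with a leaked key, a leaked AWS key ID and a harmless file."""
    files = {
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n"
                            b"-----END OPENSSH PRIVATE KEY-----\n",
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",  # constructed, not real
        "etc/motd": b"welcome\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, label in scan_layer(build_sample_layer()):
        print(f"{label}: {path}")
```

Real images carry several layers; run the same scan over every layer tar inside the image tarball, since a secret deleted in a later layer still lives in the earlier one.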
As a creature born into and raised in Infosec Twitter, this research by Jay Jacobs at Cyentia Institute is heartbreaking. We all could feel the difference, but Jay presents some data to quantify what we’ve felt. The exodus of many who used to make their online home on Twitter to platforms like Mastodon, Bluesky, and Threads is borne out in Jay’s numbers, which count occurrences of key infosec terms that only we talk about. There has been a steep drop-off lately in discussions of security research. The kicker? Jay can no longer run the numbers on this data because their API usage got cut off by Elon’s policy changes. (Read more)
“Microsoft has announced that in Sept, it will make 31 critically important security logs available free to licensees of its lower-cost cloud services, including the email log that was used to identify the recent China attack.” (Read more)
Incredibly good reporting by Zack Whittaker at TechCrunch detailing a sophisticated spyware operation. Spyware and stalkerware organizations repeatedly prove that their security practices are lackluster and that they themselves get owned. This time the leaked documents let us look behind the curtain at how intricate the operation needed to be to keep using mainstream payment processors in the States. (Read more)
We joke in the industry often that the only secure computer is one that is unplugged. Well, Google is unplugging at least the Internet from some internal employees’ computers. I can attest that I’ve worked in an environment with allowlist-only internet access, and it’s challenging to productivity, to say the least. But we made do, and I’m sure there will be pros and cons to this Google experiment. (Read more)
Google and Apple are always at the center of vuln disclosure conversations. Google famously will publicly disclose zero-days after giving the vendors 90 days to fix them. In this case, an Apple employee found a zero-day during a CTF competition and sat on it. Another CTF teammate disclosed the bug to Google after discovering the Apple employee hadn’t done so yet. (Read more)
Congrats, Clint, on a huge milestone! 18k subs for tl;dr sec. Clint has been very helpful on my Vulnerable U journey, and we’re stoked to see the community still loving the work he puts into tl;dr sec every week.
tl;dr sec is now over 18,000 subscribers 🎉 🤯
Thank you everyone for the kind words and encouragement along the way 🙏
Haven't heard of tl;dr sec?
Get the latest and greatest security research right in your inbox 👇
— Clint Gibler (@clintgibler)
Jul 18, 2023
#stitch with @Adam West this is a cry for help (from the birbs) #fyp #fy #birds
This is a good reminder to address real risks instead of doing what sounds right or what some checklist tells you. Exaggerate the basics!
You allow internet access. You allow email access, you use Slack, Teams, Discord etc. You don’t monitor all the things/EDR…
You ban USB devices because someone might run malware!
🤪🤪🤪🤣🤣🤣🤣 Does anyone else see the reason this logic is a bit flawed?!
— mRr3b00t (@UK_Daniel_Card)
Jul 16, 2023
Cool tool I found to convert potentially dangerous PDFs into benign ones by copying them pixel by pixel in a sandbox into a new picture and then creating a new PDF - https://dangerzone.rocks/
Useful chart showing how cybercriminals deal with stolen crypto to hide their tracks and safely launder the hack proceedings.
Taken from Europol report: europol.europa.eu/cms/sites/defa…
— Lorenzo Franceschi-Bicchierai (@lorenzofb)
Jul 17, 2023
The Journey is the goal:
Help us grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them!
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen