So, someone tried baiting people into downloading malware on r/cybersecurity
Are there Darwin awards for skids burning their C2 infrastructure? Read more
50 Domains Worth Blocking: The Evolution of ViperSoftX's Underreported DGA
ViperSoftX is a multi-stage cryptocurrency stealer which is spread within torrents and filesharing sites, responsible for stealing hundreds of thousands of dollar-equivalent funds, mostly from individual users. Nearly three years after it was originally discovered, this malware campaign has more surprises in store, and I'm digging into its dropper/C2 ops. The first article of a series. Read more
Request Amplification in Mastodon
Mastodon is a great replacement for Twitter, but who knew it was also a replacement for LOIC too? I'm joking - but an observed traffic amplification factor of over 36,000:1 isn't very funny, especially not for 'intended behavior.' Read more
Cross-Certificates in Practice: HARICA's Root CA 2021 Transition
HARICA - the only non-DigiCert certificate authority offering .onion certificates (for Tor hidden services) - has recently switched over to signing new certificates with their 2021 CAs. Here are some cliff notes on how to use HARICA's cross-certificates in your trust chain if that becomes a problem for you or your website viewers. Read more
How I'm Avoiding Your Unsolicited Calls
It's pretty sad that I'm paying money for a phone number to post online, specifically to get it pulled into the tools used by the multi-hundred-billion-dollar talent and marketing industries, just to have some peace and quiet during the day. In case you want to do the same, here's what I do and what (little) it took. Read more
Miniscule Achievements in Digital Resurrection
Once upon a time, I stumbled on to some dead links, and through preserved materials I easily recreated a now-defunct unitasking site about IPv6 ULAs. So why did the license on my personal blog change? Read more
Public Disclosure: SQLi in wsdot.wa.gov
It's now been over six months since I reported an incident to US-CERT, and was still a trivially exploitable SQLi on the Washington State Department of Transportation website. I made a partial public disclosure while this was still exposing sensitive contractor PII from 1986-2021 including last 4 of SSNs, as well as nearly 73k users from 1999-2021. Around one week after, this issue has been resolved, and I have updated this article to contain complete information. Thank you to everyone that helped get this fixed! Read more
Signs an Intel CPU May Be an Engineering Sample
Intel themselves don't publish any information on identifying Engineering Sample (ES) processors outside of checking the markings on the lid of the CPU. I had an ES CPU once upon a time, and here's what I saw when compared to another similar CPU - it's no definitive guide but it might be useful to some who are concerned about a secondhand CPU they've received. Read more
Why is a 2,000-IP Botnet Torrenting Ubuntu?
About two days ago, hundreds of thousands of leeches were reported on Ubuntu's torrent tracker - downloading gigabits of data, but never reporting that they'd completed any chunks. My precious Linux ISOs (yes, really) were under attack. But whose botnet is this, why are they all downloading Ubuntu, and just how big is the botnet they're controlling? Let's dig in. Read more
What Happened To My Career After Joining Big Tech
What happens when you work for a household name? What happens when that household name has a reputation for only hiring and developing top tech talent? What happens when many recruiters and recruiting firms make a habit of poaching only "the best?" Turns out, your career growth goes exponential - and while that might be good for me now, it wasn't good for me before, and isn't good for the tech field overall. Read more
My Experience Breaking into Product Security
Cybersecurity is massive, and answers about "should I get certifications" or "should I get a degree" are not as one-size-fits-all as they may initially seem. So, I wrote up a ton of details and context about my first role, how I got into that role, and general advice I have for people looking into Product Security or cybersecurity as a whole. Read more
rockyou2021.txt: A Short Summary & Torrent Download
Thanks to an anonymous Redditor, I obtained a copy of rockyou2021.txt. It's easily the largest wordlist I have - keep in mind "wordlist" and not "breached password list" - but size isn't everything. While it's not universally useful for password cracking, you can download rockyou2021.txt here for your own research, projects, or engagements. Read more
Help for Users Impacted by Infected Extensions
If 'User-Agent Switcher', 'Nano Adblocker', or 'Nano Defender' sound familiar to you, I might have some bad news. A malware operator I am investigating has escalated their operations and infected 350k+ users; here's what happened and what to do if you were one of them. Read more
Email Fraud or Email Compromise: A Beginner's Guide
A student-friendly post about email, collecting evidence, forming hypotheses, and responding to a real-world incident with imperfect information. Batteries, references, and source materials included. Read more
A Believable Attack Using EIP Cards
Turns out it would cost you between $1 and $1.50 in materials to pull off an EIP Card scam, plus procurement and assembly - the rapport you get from doing this is easily more valuable, and could be a viable attack in the real-world. Read more
How to Ensure Your EIP Card is Real
A security engineer's guide on how to stay safe with any "EIP Card" you got in the mail. Begone, scammers! Read more
EIP Mailer Photo Archive
It's a scam! It's identity theft! No, wait, it's actually what passes for 'effort' at a federal level! Read more
EIP Cards Made Fraud Easier
Who thought distributing debit cards in unmarked envelopes that predominantly reference a non-.gov domain was a good idea? I almost threw it away, then thought I had my identity stolen, then got so frustrated I wrote this post. Read more