Brutkey

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

Tinker, Sailor, Biker, Hi

I do industrial security research for a living, mostly looking for #vulnerabilities in all of the wrong places. I like reverse engineering how PLC logic systems function under the hood, learning how safety instrument protocols work, and figuring out what malicious threat groups are doing and can do with access to such systems. A long time ago, I invented the term 'foreverday' to describe unfixable vulnerabilities.

Occasionally I analyze #industrial #malware, too, and on very rare occasions encounter threat groups that actually write malicious logic to do the vile things that I like to learn about.

I work for a little startup in the space called Dragos. In my spare time I enjoy long distance #bicycling, #sailing, and doting on our #pets.

I used to have an account on birdsite, however I haven't used it in a while and you should no longer assume that it's under my control.

Trying not to be one of the 80% that can be moved in either direction.


Notes: 4970
Following: 0
Followers: 0
Location: Des Moines, IA, USA, Planet Earth, second spiral arm around Sagittarius A
Pronouns: he/him or they/them
Security Level: Currently clean on opsec
K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

Updated firewall guidance just released.


K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

"The Hero that DC deserves, but not the one it eats right now."

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

The US version of Tank Man is the Hoagie Guy.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

I just wanna give a shout-out to all the game cheaters out there.

I just bought some pcileech hardware for a research project. It only dawned on me when I got the kit that the biggest buyers of these things are kids that use DMA attacks in order to cheat? I figured that out when the knockoff pcileech hardware I got had a weird USB doohickey, meant to bridge your keyboard and mouse into your PC. The card itself is meant to function as an aim-bot by using DMA and directing this USB monstrosity to aim for you.

I plan to use the card to extract some encryption keys from a computer but hey, this wouldn't be affordable if it were not for the gamers. Or really, for the griefers I guess. Are they still called griefers? I haven't played a FPS in like 15 years...

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

Anyway. An addendum to the sources of our best technical advances as a species. The list is now:

1) war
2) porn
and the new addition
3) game cheaters

It's actually a relief that something innocuous has made it onto the list.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange This project did teach me something funny: if infosec doesn't work out for me, I can make a killing by repairing and configuring door/badge control systems.

A couple of the devices I got were used ones which had failed, and I found a ton of forum posts about how door controllers failed in an identical manner. I was able to repair them; all the forum people lamented that the controllers were irreparable according to the vendor and they had to buy new ones.

There are a LOT of failed boards out there. I can pick them up for $20-50, fix them, and sell them for $500 easily.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange If I put on my evil hat I could also preload all said repaired boards with some backdoors, lulz. Magic Card to let me into any building? Is possible.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

Whee, bugs in badge control systems: https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange Yeah. I seem to remember some supernerd friends having this argument about email a long time ago. Whether it's considered AV:N and UI:R or not.

I say 'yes' to both because the CVSS specification says that UI includes a "user-initiated process".

By default, Outlook does not start on a computer until the user at minimum logs in to the computer (usually they have to start Outlook manually to boot), which initiates the process.

Reading the CVSS spec is hard though, let's go shopping.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange You could actually argue this is: AV:N/AC:H/UI:R, high attack complexity because the default configuration of Outlook has no accounts attached and thus does not actually check any email from any server; triggering the vulnerability therefore requires a nonstandard configuration.

CVSS pedantry? In this economy?

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

@cR0w@infosec.exchange You need local access, but no privileges, nor does the user have to click anything.

So if you have code execution on the system, you get code execution on the system I guess. QED.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

Things might be awful everywhere right now, but I put a radon detector in my basement and it's been 0.5-0.8 pCi/L for over a week so that's pretty good I guess.

K. Reid Wightman :verified: 🌻🌻 :donor: :clippy:
@reverseics@infosec.exchange

What if we wrote one of those weird crowd-inputted /cgi-bin handlers, where it takes one parameter from each request (requests have to come from unique IP addresses and have a unique session cookie), and only after it receives N requests (where N is the number of parameters required) does it execute the handler.
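
As an added example (not the author's code), here is the gating logic that sketch describes, reduced to an in-memory object so it runs without a web server: each request supplies one named parameter, a request is refused if its client IP or session cookie has already contributed to the current round (or if the parameter is unknown or already filled), and the handler runs only once all N required parameters are in. The Request shape, the parameter names and the demo handler are assumed for illustration.

```python
"""Toy crowd-inputted handler: N distinct clients each supply one parameter.

Added example, not code from the post's author.  Request fields, the
required parameter names and the demo handler are assumptions made for
the illustration.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    client_ip: str
    session_cookie: str
    name: str       # the single parameter this request supplies
    value: str


@dataclass
class CrowdHandler:
    required: tuple                      # parameter names the handler needs (N of them)
    handler: Callable[..., str]
    seen_ips: set = field(default_factory=set)
    seen_cookies: set = field(default_factory=set)
    params: dict = field(default_factory=dict)

    def submit(self, req: Request):
        """Accept one parameter.  Returns (status, result); result is only
        set by the request that completes the round."""
        if req.name not in self.required:
            return "rejected: unknown parameter", None
        if req.name in self.params:
            return "rejected: parameter already supplied", None
        if req.client_ip in self.seen_ips:
            return "rejected: ip already contributed", None
        if req.session_cookie in self.seen_cookies:
            return "rejected: cookie already contributed", None
        self.seen_ips.add(req.client_ip)
        self.seen_cookies.add(req.session_cookie)
        self.params[req.name] = req.value
        if len(self.params) < len(self.required):
            return "pending", None
        result = self.handler(**self.params)   # only reached on the Nth distinct client
        self.reset()
        return "executed", result

    def reset(self):
        """Start a fresh round so the next N contributors begin from scratch."""
        self.seen_ips.clear()
        self.seen_cookies.clear()
        self.params.clear()


def run_demo():
    """Constructed requests: a repeat IP and a repeat cookie are refused, and
    the round completes only when a second, distinct client fills the last slot."""
    crowd = CrowdHandler(required=("user", "cmd"),
                         handler=lambda user, cmd: f"{user} runs {cmd}")
    return [
        crowd.submit(Request("10.0.0.1", "s1", "user", "alice")),   # pending
        crowd.submit(Request("10.0.0.1", "s2", "cmd", "uptime")),   # same IP, refused
        crowd.submit(Request("10.0.0.2", "s1", "cmd", "uptime")),   # same cookie, refused
        crowd.submit(Request("10.0.0.2", "s2", "cmd", "uptime")),   # completes the round
    ]


if __name__ == "__main__":
    for status, result in run_demo():
        print(status, result if result is not None else "")
```

Neither check is an authorization boundary: the session cookie is chosen by the client, and distinct source IPs cost an attacker very little, so the gate only enforces that N requests looked different, not that N independent parties agreed.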