
Marc Maiffret
@marcmaiffret
Followers: 3K | Following: 631 | Media: 24 | Statuses: 1K
CTO @BeyondTrust. I like books, science, hacking, and backpacking. But not backpacking with books. The FBI once served me a warrant and pastries.
Joined July 2009
Insecure software continues to be the problem, not @taviso. We are lucky to have him publishing his work.
1
36
95
#Vault7 Wikileaks did not redact binary embedded in .reg file from JQJSNICKER. Possible CIA implant code:
5
73
86
@KimZetter Our team prevented an attack on Oct 2nd and escalated within Okta the belief that the attack was made possible because Okta themselves had been compromised. Further technical details in our blog here:
0
13
52
Reminder with #PrintNightmare you can drop your .dll to any valid Print\Environments. E.g. Windows NT x86 (W32X86) and then call RpcAddPrinterDriverEx with that path directly. Old/new copy will still take place in x64 but worth checking the nuance in case that is avoidable.
2
10
29
The year old NSA guide to not getting, as TAO chief implied, punked like Saudi Aramco and Sony: #enigma2016.
0
21
28
Excited to be back at @BeyondTrust building on all of the great progress that's been made. Thank you to the infosec teams that invited me in to work alongside them the last few years. I will bring that empathy forward with what I do next.
0
3
20
@LBPD_PIO_45 @KimZetter @LagunaBeachPD I drive that road often in my Tesla, would never use autopilot there. Autopilot is great on established freeways as a lane guided cruise control with 100% attention. People clearly can't be trusted to pay attention, software should narrow scenarios where autopilot can be enabled.
1
1
18
Yay new client side attack surface!: JPEG images may soon have copy protection http://t.co/Ju4axYKNC7.
3
11
11
NSA TAO is not scared of any of your defenses. They are scared American businesses can still get knocked over by amateurs. #enigma2016.
0
16
12
@fmarmond Context was whether NSA should report vulns. I do not want my tax dollars subsidizing what software vendors should do themselves.
4
2
12
@KimZetter covered, in Countdown to Zero Day, how I hacked into a water plant in ~2011. Hardest part was figuring out from a plant engineer what all evil I could have done. Sounds like someone figured that out.
1
2
11
Someone really took the recent Windows Journal vuln blog post to heart; http://t.co/bPGBENfO0U
http://t.co/ZHV31RUIPN.
1
6
10
I was recently interviewed on @VICENews where we discussed hacking as a career path. @BiaSciLab clearly shows the future is amazing and vibrant, with a strong glow of terminal green.
1
4
10
"Lenovo wants cleaner software bundles to avoid security disasters" <-How about just not bundling crap to begin with. http://t.co/7ujmFXF1yU.
2
12
9
Good work @Sahad_nk surprised we do not see more hijacking of abandoned azurewebsites and related. Reminds me of phone phreaks leveraging abandoned numbers back in the day. @0xdabbad00 when you want a break from AWS, Azure ready for you. :) via @safetydet.
1
4
9
I had the pleasure of working with @ohjeongwook for many years at eEye. He is one of the kindest and most brilliant people I have had a chance to work with. Check out his new company and the training/etc they offer!
Just made a new company: - starting as a Security Intelligence and Training Platform Company. Very early phase but we are opening new curriculums teamed up with other security and machine learning experts. Stay tuned and contact me for potential service.
0
2
10
@KimZetter One of my favorite versions of this was sending an employee flowers. Sat on their desk with better access to WiFi and more importantly a ton of crappy office Bluetooth devices.
1
2
9
Hopefully NSA TAO preso at #enigma2016 gets IT to read the defensive guides NSA has been publishing for many years.
0
4
9
#npmgate is more of a reminder of the sheer number of crap dev that is blindly pulling in potentially untrusted packages into production.
0
6
9
@BiaSciLab you rocked it and are such an inspiration, so stoked you were able to come out!
Giving my keynote at @BeyondTrust Go Beyond conference! I even got to mention my @SecureOpenVote project!
1
3
9
Love this; big reason I have much respect for @dugsong @jonoberheide @duosec, both in usability & CEO can kickflip.
Innovation in defense is figuring out how to implement things that Rob Joyce recommended cheaply and without grinding all work to a halt.
1
3
7
Had an awesome time chatting with @shehackspurple recently. Try to catch her at one of the many events she has going on at #RSAC this week.
Are you following our Podcast "Adventures of Alice & Bob"? Don't miss this week's insightful and candid chat with the one & only @shehackspurple. Full episode with Tanya can be found wherever you listen or
0
2
5
@dugsong @BiaSciLab @eEye You have been an inspiration for me from the start @dugsong. The w00w00 easter egg in @stobal's mockitecture didn't make the vid but seems @BiaSciLab and I both are fans of another group that did. #kradacousticcoupler.
2
2
6
Modern dev practices and devops are in a terrible state of security at most orgs. Blind trust in packages among other problems. #npmgate.
0
2
6
$10,025 raised, big thanks to all. Leaving active while I figure out funds transfer to Khalil http://t.co/4B6DqprbLs.
6
12
5
@0xdabbad00 in the same way that their new cloud based operations manager pales compared to @splunk. Will @Azure MS fully enter security?
0
0
6
EMET 5.2 released, great for standard corp desktop images where compatibility challenges can be overcome. http://t.co/HvyXZHjsqr.
1
9
6
@Laughing_Mantis This was the local news thing that Derek and I did. He leveraged his CSRSS privesc, Vista specific, but paired it with your MSPUB vuln (at time not patched by MS) so we could make the “hacking vista” more complete/interesting to average users.
2
2
6
Massive congrats to friends at @cylanceinc.
BlackBerry is buying Cylance for $1.4 billion to continue its push into cybersecurity by @jonrussell
0
1
6
@Kym_Possible @hackerfantastic @gsuberland @Fox0x01 @zackwhittaker @msftsecresponse Haha much love. Yeah just playing, became good friends with many in MSRC. Passionate people trying to improve security do not always agree on the best way to go about it and that is ok.
0
0
5
@Laughing_Mantis Seriously watching you discover your second (real :)) Office vuln that weekend was one of the happiest moments of my career. Whole team was on it but everyone was without a doubt hoping it would be you, knowing how much it would mean to you. Love you dude, thanks for sharing that.
2
0
4
Quick test of high level @metasploit functionality looks to work under Bash for Windows(Windows Subsystem for Linux)
0
2
5
Song on new @whoismrrobot trailer is "Nice To Meet Me" on album Ronin by @Zack_Hemsey. Go support him directly at
0
1
5
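@FortyNorthSec Cool, reminder in other scenarios can just ps it:
    # "serv" and "mycmd" are the tweet's own placeholders for the connection string and the command text
    $C = New-Object System.Data.SqlClient.SqlConnection
    $C.ConnectionString = "serv"
    $C.Open()
    $M = $C.CreateCommand()
    $M.CommandText = "mycmd"
    $D = $M.ExecuteReader()
    # Print the first column of every returned row
    while ($D.Read()) { $D.GetValue(0) }
    $C.Close()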
1
1
5
#NSA "china hackers bad, no stopping" - "Wait nevermind, I'm retired, totally have the solution now."
0
4
2
2002 I found an RCE in NAI's PGP Outlook plug-in. Victim views email, attacker executes code. 2018 *steal victim's email*, send back to them repeatedly to decrypt. #efail like most named vulns, is an example of progress in security or the continued decline of public vuln research.
0
0
4
@Laughing_Mantis @DennisF @aaronportnoy @RandoriAttack @springframework @FabiusArtrel That one time Tenable “borrowed” our remote check without knowing we embedded a secret string. I can’t remember what Derek had put for the string but something saucy I’d assume. Miss you homies and good stuff as always @RandoriAttack.
1
0
4
@0xdabbad00 or it could be to the threat analytics world what MBSA was to vulnerability assessment. Heh.
2
0
4
I was recently interviewed on the @moderncto_io podcast by Joel Beasley. They did their homework, even asked about one of the times I got cursed out on the phone by a leader of Microsoft’s security team.
0
0
4
Something weirdly nostalgic about this. My buddy and I ditching class to go see what new hits we had in PhoneTag. Personally think it would be hilarious if there are some kids out there zoom dialing while they are stuck home during lockdown.
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning
0
0
4
@egyp7 @scriptjunkie1 Reminds me of failing my typing class in 9th grade. I was faster than the teacher but did not use home row so I was told I was goofing around. Which I guess if someone was hacking the district's VMS during class that would count as goofing around? 🤔
0
0
4
@msftsecurity Not Internet legend. Ryan Permeh and I named CodeRed after the same named Mountain Dew soda we were drinking while analyzing.
2
4
4
Two-factor authentication startup Duo Security raises $30M to launch a platform http://t.co/lHSPFVK8Yq.
0
0
4
@0vercl0k @HenkPoley Nice POC @0vercl0k ! For others asking about other processes bound via http.sys: netsh http show servicestate - correlate listener url to PID/software etc. netsh http show urlacl - is also useful.
1
0
4
@dugsong @cnoanalysis Generation later infosec companies still define anomaly as "Something bad![tm]" vs. "something different, abnormal, peculiar, or not easily classified." And is adding keywords like chocolatey to your PowerShell command line, to bypass popular EDR solutions, the new fragmentation?.
1
0
3
@dinodaizovi When I see Netscape I always think of this from solar designer http://t.co/khdrg29Cq9 so much awesome there.
1
3
3
@DennisF @TheBrianDonohue @DennisF getting his Larry King on! That was fun to listen to again. I particularly like my snarky old guy comment about the kids having it easy with LinkedIn whereas we had to put on some old clothes and jump into corporate trash dumpsters.
1
0
4
Most orgs barely control what binaries are on their systems let alone the nuance of legitimate apps having their configuration modified to make them work as a backdoor. Whether it be this example of Absolute Software Lojack, Tanium, AD/SS, backup software. the list goes on.
Lojack, the software companies embed in employee computers to track their location if stolen, was found to contain callback references to malicious command-and-control servers known to be used by the Russian nation-state hacking group Fancy Bear
0
1
3
@4Dgifts @ortegaalfredo @mis2centavos Ah nice, we should definitely have more voting security hinge on the ability for people to write file parsers - let alone not leverage outdated ones. :-p
0
1
4
@haroonmeer @WeldPond Worms were largely what drove MS customers to demand better. Mass of CVEs doesn't outrage; exploitation at scale does.
1
0
3
Man Fined $500 for Crime of Writing 'I Am An Engineer' in an Email to the Government via @motherboard.
0
1
3
@Kym_Possible @hackerfantastic @gsuberland @Fox0x01 @zackwhittaker @msftsecresponse And if you do get cursed out on the phone by the head of MSRC you just send them a remote SYSTEM the day they release the patch for the last one, repeat 4 times. #eEye I guess these days that would be an Electron injection flaw in MS Teams or whatever the kids are doing. :-p
0
0
3
Years old NSA note on limiting workstation to workstation communication to prevent lateral movement: #enigma2016.
0
3
3
@Laughing_Mantis @khaxan Is this where I quote top gun and say you can be my wing man any day? Or like we go roller blading through grand central? I would not break myself on roller blades for many people, would for @Laughing_Mantis though.
1
0
3
@aaronportnoy I love Boulder, was there last summer climbing Sharkstooth in RMNP. If you are still there grab brunch at The Buff.
1
0
3
@dugsong Guttermouth, 98ish, first time crowd surfing also. Learned quick that a song ending drops you faster than gravity (punk physics, don't question it).
0
0
3
Former Tiversa investigator says firm faked LabMD breach findings http://t.co/rhIoQHB0d4 via @scmagazine.
0
5
2
@bascule I feel that! Strict egress filtering/detection on servers feels timeless as a 'good security thing' (tm). The Rainbow Books are covered in the tears of those who have never learned security physics or maybe security first principles or maybe I dunno but egress filtering is cool.
0
0
2
Hack from 1903. Hacked co more interested in finding attacker than fixing problem. not much has changed in 100yrs http://t.co/Jov3wRa3.
0
5
3
@dinodaizovi had my raid as a teen led to arrest, I would be most likely getting out of jail around now with the new proposed laws.
0
4
3