*ANNOUNCEMENT*
Presenting: the trailer for our new 🎶MUSICAL🎶 & spoken Security Awareness Videos! After the infosec sea shanty, dozens of teams DM’d me saying "The song worked! MFA usage up, reporting way up, pls make more songs!" So we got to work & y'all, it's finally here!🤖
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address when I tipped him.
Here’s how I used AI to clone a 60 Minutes correspondent’s voice to trick a colleague into handing over her passport number. I cloned Sharyn’s voice then manipulated the caller ID to show Sharyn’s name with a spoofing tool.
The hack took 5 minutes total for me to steal the info.
2 years ago on stage I was asked “when will Deepfake video/audio impact trust & be believable in social engineering?” My response then was that we were 2 years away from undetectable Deepfakes. I wish my prediction then was wrong. We need synthetic media detection + labels ASAP.
To reach the ~youth~ we're going to have to make infosec sea shanties, aren't we? Guess so!
Behold the tale of a kid who reuses their passwords & ends up pwn'd, then learns how to stay safe. We're on a mission to encourage unique passwords stored in a password manager with MFA on.
Above you can see the receipt @yashar sent me when I did this test with him. Be careful using PayPal Twitter Tip Jar — this is a hallmark of PayPal rather than Twitter of course but it impacts Twitter users who may not know that their address is leaked by PayPal to tip receivers.
Hitting F12 in a browser is not hacking. If your code leaks personal data via public development tools that any person can see by simply pressing F12 on a keyboard then you have a huge data leak issue, not a hacking situation, on your hands. Fix your website.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
This is EXACTLY what I was concerned to test when Twitter announced Tip Jar. PayPal needs to make it crystal clear which data is given to money receivers and stop sharing that data, & Twitter needs to educate users who don’t realize what info tip receivers get when using PayPal.
Questions I’m interested to learn more about:
- how will payment account details be shown to twitter tippers
- will tippers be able to see payment tool details like Venmo username
- when tipping via PayPal, will PayPal disclose personal tip receiver’s email in receipt to tipper
🚨ATTENTION🚨
Apple found two 0-days actively in use that could effectively give attackers full access to the device.
For most folks: update software by end of day
If threat model is elevated (journalist, activist, targeted by nation states, etc): update now
We just hacked a billionaire!
Got consent 1st then got to work hacking Jeffrey Katzenberg. @Evantobac & I stole his pics, emails, and contacts then turned on his mic (without an indicator light) & listened to his phone calls.
Here's the video on how we hacked a billionaire:
*New takedown tool*
It’s easy to hack into accounts bc we can find most email/phone online, plug those into data breaches, then find passwords & login as you.
🔒Google launched a new tool for sensitive detail takedown requests🔒Here’s how to remove your contact info for free:
This Twitter 2FA change is nerve-racking because:
1. Only ~2.6% of Twitter users have 2FA on at all (it’s essential for preventing easy account takeover)
Of those 2.6%, 74% use text message based 2FA ()
If they don’t pay for Blue they auto lose 2FA on 3/20.
Effective March 20, 2023, only Twitter Blue subscribers will be able to use text messages as their two-factor authentication method. Other accounts can use an authentication app or security key for 2FA. Learn more here:
Deepfakes will impact public trust, provide cover & plausible deniability for criminals/abusers caught on video or audio, and will be (and are) used to manipulate, humiliate, & hurt people. If you’re building manipulated/synthetic media detection technology, get it moving.
Here’s a fun social engineering / physical security quiz!
Based on this picture of a door lock, what do you think the passcode is for entry? Please include the order the characters are entered.
No identity verification, & 8 bucks for a verified account?
Get ready for the new cyber criminal playbook: use stolen credit card to buy verified Twitter account, impersonate real customer support channels, trick users into handing over account details in DM, account takeover.
We saw internal docs with more insight into the new Twitter Blue:
-Launch on Nov. 7 but only in current markets (US, CA, Aus, NZ)
-Check marks for subscribers, no current ID authentication
-Some features announced by Musk won't be ready
-Euro launch soon
One of the easiest ways for me to hack is simply:
1. Look up who works at an org on LinkedIn
2. Call Help Desk (spoof phone number of person I’m impersonating)
3. Tell Help Desk I lost access to work account & help me get back in
I hope we learn more & get confirmation of methods
All the ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
We’ve got a case study of Twitter blue check imposters impacting an impersonated company’s stock price.
Remember the Eli Lilly fake verified account tweets yesterday? That impacted their stock quickly.
If you are building a team to detect synthetic and manipulated media, it’s essential your team is diverse. This issue will impact everyone, but will disproportionately affect women, people of color, and marginalized groups.
These hackers went out of their way to cinematically announce their intrusion to the security control room, baffling the prison’s abusers. They then leaked stolen footage of human rights atrocities committed by these abusers. Wow.
Thank you @yashar for letting me test with you to ensure I can educate folks on how PayPal leaks address data to tip receivers and so we can keep people safe ❤️❤️
*New live hack demo video*
CNN’s @donie asked me to hack him again at @defcon — hacked him last time thru service provider call center attacks, but this time I intruded using the easiest method: reused passwords found in data breaches.
Here’s the breakdown.
With this announcement, bot farms everywhere are now preparing to legitimize accounts w/ new & improved pay-to-increase-verified-followers options.
Remember Goodhart's Law: when a metric becomes a goal, it ceases to be a good measure
(any metric based goal can & will be gamed)
Wow, a 49 min master class on vishing (phone attacking) by @navalny himself to an FSB officer involved in his own attempted nerve agent murder. Excellent work by @bellingcat.
I’ll break down the pretext and exact stand out vishing moments in this thread.
Yikes, strongest hypothesis is that the attackers have owned Twitter’s employee admin panel which allows Twitter employees ability to change pw/disable MFA to allow an attacker to take over a prominent account and tweet on their behalf without dealing with their password or MFA.
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.
Please share this live hacking video with your loved ones so they can see just how easy it is to fake caller ID (and even clone a voice) to demand money or data over a scam phone call.
I’m hoping this demo helps even 1 person shut down a hacking attempt.
Reminder for your friends/fam: many rely on Facebook for communication and FB, IG, and WhatsApp down may make folks susceptible to phishing attacks such as "Your FB has been deleted, click here to restore". They may be more likely to believe this bc Facebook isn't working, etc.
Good to see was able to detect this deepfake. We need tools that can detect manipulated/synthetic media at upload integrated into social media platforms to detect/label immediately. Retracting later doesn’t work. We need integrated detection/labeling.
@laurenmwhite One of these fake Tom Cruise deepfakes was uploaded to a couple of hours ago and our DeepFake Detector AI flagged it and notified our users.
So cool to hear real world impact from this vid🤖🤘
"I got a call from someone saying they were from my healthcare provider & they were asking for sensitive info. I remembered that video you showed us so I hung up, checked, and sure enough, my provider was not trying to reach me"
Just as we hoped would happen, the prosecutor declined to file charges in the absurd F12 hacking case. It’s done. You may now resume use of your keyboard and all its keys.
Whoa. I’m verified. Thanks for following all my hacking threads here through the years 🤖🤘❤️— now to go process this information in a corner somewhere 😭
This year’s Halloween costume is again a bit too large to be a @defcon badge 😂 — @StripOfMist and I made a mobile photo BOOth! 🤖📸 Choose your prop, press the button, and you’ll get your picture from the thermal printer and @adafruit camera! All run on @Raspberry_Pi.
How to stay safe?
1. Make sure your folks know that caller ID is easily faked. Voices can also now be impersonated.
2. If they receive a dire call from “you”, verify it’s really you w/ another method of communication (text, DM, FT, call, etc) before action (like sending money).
Here’s an example of a common phone call scam hitting folks right now — the criminal uses AI to clone the voice of a loved one (often a child, nephew, grandson, etc) and call you. When you pick up they tell you they’re in trouble and need money for bail, etc.
Voice cloning only
Putin's OSINT team can determine Ukraine President Zelenskyy's location from things like table wood grain, chair leather, paint shade, wall scuff marks, etc. We must demand better from the 2 GOP senators who tweeted photos when told not to. This OPSEC breach cannot be normalized.
Lol the people messaging me that they think I did the Twitter social engineering attack because I accurately predicted the attack vector and methodology — I would have kept my mouth shut if I did it 😂😈🤘
Please don’t take consumer DNA tests. Please don’t give consumer DNA tests as gifts. You can’t control how the results will be used in the future and the results can affect the rest of your family.
Just wrapped on such a fun corporate espionage pentest — one of my attack vectors was via the Interview channel. I had to interview for a role (outside my experience) then extract sensitive info during Q&A. Got the info. Also got recommended to move forward for the role 😂🤖🤘
Google your name plus the words “phone number”, “email address”, or “address”. Do you see your sensitive personal info on data brokerage sites?
Google has a tool to request a takedown of that info from Google itself (but doesn’t remove it from the other sites).
Steps for Google
Folks are sharing screenshots of their iOS 14 home screens — Please know the more info I have on which apps you use & love most, the easier it is to phish you. Prioritizing Snapchat? How about “the mobile number has been updated on your Snapchat account, click here for...” phish.
Also important to mention that just because you feel you can personally tell the difference between synthetic & authentic media, it doesn’t mean we’re good to go. It matters what the general public believes. Altered media has real world safety, political etc impact for everyone.
Yes, this is a PayPal issue (leaks address w/ PayPal payments off of Twitter too). Twitter integrated PayPal into their tip feature so it's now Twitter's responsibility to inform users about how using PayPal w/ Twitter Tip Jar impacts privacy as many Twitter users aren't aware.
Last time I went through TSA I got randomly selected. The agent asked for my phone & I handed it to him locked, @EFF sticker up. He asked what the sticker means — I said “they help us defend our rights to privacy, sometimes in situations like this.” He handed my phone right back.
You may remember during @defcon I was tweeting about hacking someone through their reused passwords (or passwords we cracked) — well my target was @donie (he asked me to, I promise lol)
As a hacker, I know how to get a reaction fast — emotional content. Here to say that today you’ll likely see election misinformation that feels emotional. This is bc the emotional part of our brain reacts faster than the rational part — manipulators want you to react too quickly.
Thank you @Twitter @kayvz for paying attention, welcoming security researchers’ feedback, and taking responsibility to take steps to warn and protect your users within an hour of me releasing these findings (even though you don’t control PayPal’s address leaking flow).
Thank you @kayvz for taking this issue seriously to protect your users. I hope 2 things happen:
1. Twitter warns users that using PayPal on Twitter Tip Jar to tip can reveal their address to the tip receiver
2. PayPal should stop sending address data to money receivers
🚨Turn off new default Twitter audio and video calling feature to prevent unwanted interactions🚨
Just went to my direct message settings here and found audio and video calling enabled by default (new feature, rolling out over time).
Highly recommend disabling this to prevent
A useful thing about using a password manager that I don’t always see folks talk about is that my pw manager won’t enter my username and password on malicious lookalike sites. Not the real airline website? Looks real but it’s actually a malicious URL? No credentials entered 👾🤘
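The origin check described above, as an added illustration that is not Rachel Tobac's code nor any real password manager's implementation: a saved login is only offered when the page's registrable domain matches the one it was saved on, and lookalikes (subdomain tricks, IDN "xn--" labels, non-HTTPS pages) are refused. The small public-suffix list is a constructed stand-in for the real one.

```javascript
// Added example: simplified model of a password manager's autofill origin
// check. PUBLIC_SUFFIXES is a tiny constructed stand-in for the real
// Public Suffix List; production code would use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "com.au"]);

// Registrable domain (eTLD+1): "www.login.example.co.uk" -> "example.co.uk"
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // no recognised public suffix: refuse to match anything
}

function hasIdnLabel(hostname) {
  // Unicode hostnames are stored in punycode ("xn--...") after URL parsing,
  // so a Cyrillic lookalike of a Latin domain shows up as an xn-- label.
  return hostname.split(".").some((label) => label.startsWith("xn--"));
}

// Decide whether credentials saved for savedUrl may be filled on pageUrl.
// Returns { fill: boolean, reason: string }.
function shouldAutofill(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable url" };
  }
  if (page.protocol !== "https:") {
    return { fill: false, reason: "not https" };
  }
  // Refuse IDN pages unless the entry itself was saved on an IDN domain.
  if (hasIdnLabel(page.hostname) && !hasIdnLabel(saved.hostname)) {
    return { fill: false, reason: "idn lookalike" };
  }
  const savedDomain = registrableDomain(saved.hostname);
  const pageDomain = registrableDomain(page.hostname);
  if (!savedDomain || !pageDomain) {
    return { fill: false, reason: "unknown suffix" };
  }
  // "airline.com.evil.net" has registrable domain "evil.net", so the
  // familiar-looking prefix never matches the saved "airline.com".
  if (savedDomain !== pageDomain) {
    return { fill: false, reason: "domain mismatch" };
  }
  return { fill: true, reason: "same registrable domain" };
}
```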
Many are wondering how it’s possible that these jokers stole 4.5 billion in cryptocurrency…it’s because…✨they didn’t✨.
They were the money launderers — they didn’t do the hack. And they stored the private keys online lol.
Getting a lot of opsec / social engineering questions about pictures of unlocked computers during chaos at the Capitol yesterday.
Here is the takeaway 1st. Security should be fast & easy to understand, but most importantly: security needs to be *automatic*. Let's talk about it.
We make rules for ourselves as we age. Some are healthy boundaries — others are born from fear. I’m working to learn the difference to avoid this “pen line prison”.
Everyone's talking about the woman who put $50k in a shoebox and handed it to scammers and how they wouldn't fall for it. It would shock you how many everyday people have embarrassing scam stories.
I can't help once the scam's over, but I can help you Spot The Scam upfront:
Wow, Gmail SMS 2FA code with an ad tacked on -- Google didn't include the ad, the ad was injected by the carrier. Looks like a phish but isn't.
Mobile carriers injecting ads, especially for SMS 2FA, is awful. It erodes accessibility & trust while teaching folks to click a phish.
I just received a two factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam.
What a shameful money grab.
Password journals are a fun topic because it’s really all about threat modeling. For example, Great Aunt Ethel’s threat model: a handwritten password journal is better than her reusing her only short password for her Facebook, bank, Netflix, and doctor’s office. Let’s discuss...
If Facebook, Instagram, and WhatsApp going down are a part of an elaborate ~Cybersecurity Awareness Month plot~ to bring security to the attention of everyone in the world then honestly congrats to the team on the operation's success.
This type of impersonation drives advertisers away. This post has been up for over an hour.
When it’s eventually an impersonator pretending to be emergency services calling for an evacuation etc, I don’t think @elonmusk will be commenting laughing emojis after these posts.
Ask A Hacker: "Rachel, is it actually a big deal if I Google my name and my email address or phone number pop up. Why could that matter for someone like me?"
It can matter because many services you trust still use knowledge based authentication (KBA -- info like email
This is the exact thing many of us in the security and privacy world have been scared of — how will this DNA data be used to harm and discriminate against people (further deny them healthcare, etc).
Update: @GovParsonMO continues his unhinged claim that a reporter notifying on a vuln (visible by hitting F12 on a keyboard) is a crime. This is like calling to inform a neighbor that they left keys in their door then they claim you’re breaking & entering.
AI text-to-video is here and we need to discuss the risks.
They mention in this thread that they’re considering the ways adversaries would leverage this content to harm thru red teaming but I’m still concerned.
My biggest concern is how this content could be used to trick,
Introducing Sora, our text-to-video model.
Sora can create videos of up to 60 seconds featuring highly detailed scenes, complex camera motion, and multiple characters with vibrant emotions.
Prompt: “Beautiful, snowy
Thank you for taking action today Twitter. You didn’t create the PayPal address leak issue but you’re taking responsibility for your users’ privacy with your PayPal integration by warning them about how their personal info could be revealed when tipping w/ PayPal Twitter Tip Jar.
We’re updating our tipping prompt and Help Center to make it clearer that other apps may share info between people sending/receiving tips, per their terms.
I’ve seen an increase in the New Hire SMS Phish attack method recently:
- new hire starts at org, they or the org announce new role on LinkedIn
- attacker looks up new hire’s phone number on data brokerage sites
- sends SMS phish pretending to be Exec to new hire in first month
A company’s brand new employees are getting spearsmished (ha just coined that and I know some of y’all will hate it) with “I’m the CEO, I’m in a meeting but I need you to do something, let me know if you got my message”—any ideas on how their phone numbers would already be known?
🚨UPDATE APPLE DEVICES ASAP - PHONES, IPADS, COMPUTERS, WATCHES🚨
@citizenlab found an Apple exploit used in the wild that can compromise devices to watch/see/hear/spy thru Apple devices.
Exploit doesn't require you to click, attacker just sends it via iMessage.
Hacked @donie again this year -- new video premieres tomorrow (right on the 3 year anniversary of the last vid!)
*How do you think I hacked Donie this time?*
Hint: it's different than last time by a lot
Throw your guess below, curious to see who guesses the hack method right lol
In our Infosec circle we hear people talk about multi-factor authentication as if it's obvious but the reality is very different. Twitter released their numbers -- only *2.3%* of Twitter users had any MFA method enabled during this reporting period.
Some say they feel nervous to use a password manager -- if that feeling is leading you to be less safe & reuse passwords (which btw is the easiest way for me to hack you bc that pw gets breached), then try this trick:
🧂Salt your password manager passwords🧂
Here's the trick:
Hackers aren't fooled when you change up your passwords with special characters.
SocialProof Security CEO @RachelTobac tells Nightcap's @jonsarlin how to keep your accounts safe. For more, watch the full Nightcap episode:
As a hacker that gets hired to think about this stuff, all my brain can focus on here is how I can more easily trick folks that use this “summarize email” feature.
If users pay even less attention to the email source using this feature and more attention to the summary this can
🚨 HUGE news in AI: Google just launched Generative AI across ALL of Google Workspace -- Gmail, Docs, Sheets, Slides, Images -- EVERYTHING.
They made a video showing off the new AI's capabilities. It's AWESOME.
Whoa the FCC has recognized the risk of AI voice cloning in robocalls & scam calls! Video demo below.
- New FCC fines, more than $23,000 PER CALL
- Now gives call receiver right to take legal action and potentially recover up to $1,500 in damages per call
Update on the Twitter hack - Twitter confirms a phone spear phishing attack (we also call this vishing). This is the most common attack I execute as a white hat hacker. Why? Because it works, and is quicker than some other attacking methods.
The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.
When people ask me how OSINT works I usually give the example of finding a person’s preferred hotel chain thru a square of carpet fabric in the corner of an Instagram post.
Here’s another example: the person who leaked top secret US docs was nailed by his family’s countertop.
A breakthrough in our investigation came when the team identified a Steam profile in Airman Teixeira's name that led to an Instagram profile with photos of the exact location where leaked docs were photographed — a kitchen countertop in his childhood home.
Fun fact! I turn down 90% of the requests to human hack a company/individual. Most orgs and folks don’t need a pentest the second they reach out to me — most need support to overhaul identity verification protocols, MFA and password manager, social media sharing, & more first!
While we protest for our rights & lives, protect yourself (source @FreedomofPress):
- encrypt your comms (Signal etc)
- keep phone locked
- long passcode > Face ID
- banner notifications off
- delete sensitive apps
- back up phone
- MFA and pw manager
See you on the front lines
Turns out @twitter agrees with my hypothesis! Social engineering attack targeting employees with privileged access to internal tools that could make those account changes. This is exactly how I would have attacked and it’s cool to see I’m mimicking criminals in my pentests lol.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
This is a great opportunity for orgs to start a conversation on privacy implications of features they build & tools they integrate into their platform. When an org integrates a tool that could affect users' privacy & users might not understand the privacy risk, orgs should educate.
This breach may allow a person to easily search up and find email addresses and phone numbers for 5.4 million Twitter users — so it’s important to be extra skeptical of emails and texts claiming to be “Twitter” requesting things like a password update, etc
This is a demonstration of the Twitter edit feature:
🐣Please retweet or like this if you love baby animals🐣
Once others have interacted with this, I will edit it to learn more about the feature and how easy it is for those who’ve engaged to notice the tweet has changed.
🔑How does a FIDO security key limit the hacks we're seeing in the news now?🔑
Beyond fun to work with @Yubico & partner with @Twitter to answer that question + demo how social engineering is used to steal passwords & siphon out MFA codes to gain admin access with @EvanTobac.
I have brand new stickers for @defcon this year! Let me know which ones you want 🤖🤘can’t wait to hand them to you.
1. Don’t Reuse Passwords pop up
2. The @socialproofsec tamagotchi complete with hacking activities
3. Be Politely Paranoid floppy
4. Use MFA emergency TV broadcast