• Home
  • Moments

Saved searches

  • Remove
  • In this conversation
    Verified account @
Suggested users
  • Verified account @
  • Verified account @
  • Language: English
    • Bahasa Indonesia
    • Bahasa Melayu
    • Català
    • Čeština
    • Dansk
    • Deutsch
    • English UK
    • Español
    • Filipino
    • Français
    • Hrvatski
    • Italiano
    • Magyar
    • Nederlands
    • Norsk
    • Polski
    • Português
    • Română
    • Slovenčina
    • Suomi
    • Svenska
    • Tiếng Việt
    • Türkçe
    • Ελληνικά
    • Български език
    • Русский
    • Српски
    • Українська мова
    • עִבְרִית
    • العربية
    • فارسی
    • मराठी
    • हिन्दी
    • বাংলা
    • ગુજરાતી
    • தமிழ்
    • ಕನ್ನಡ
    • ภาษาไทย
    • 한국어
    • 日本語
    • 简体中文
    • 繁體中文
  • Have an account? Log in
    Have an account?
    · Forgot password?
    New to Twitter?
    Sign up
pwnallthethings's profile
Pwn All The Things
Pwn All The Things
Pwn All The Things
@pwnallthethings

Pwn All The Things

@pwnallthethings

Mostly #infosec or #natsec tweets. Also @foiathethings | email: matt.tait$gmail,com | RTs are not emoluments

Joined December 2013
  • © 2017 Twitter
  • About
  • Help Center
  • Terms
  • Privacy
  • Cookies
  • Ads info
Dismiss
Previous
Next

Go to a person's profile

Saved searches

  • Remove
  • In this conversation
    Verified account @
Suggested users
  • Verified account @
  • Verified account @

Retweet this to your followers?

Optional comment for Retweet
 

Saved searches

  • Remove
  • In this conversation
    Verified account @
Suggested users
  • Verified account @
  • Verified account @
 
140

Are you sure you want to delete this Tweet?

Promote this Tweet

Block

  • Add a location to your Tweets

    When you tweet with a location, Twitter stores that location. You can switch location on/off before each Tweet and always have the option to delete your location history. Learn more

    Your lists

    Create a new list

    Under 100 characters, optional
    Privacy

    Copy link to Tweet

    Embed this Tweet

    Embed this Video

    Add this Tweet to your website by copying the code below. Learn more

    Add this video to your website by copying the code below. Learn more

    Hmm, there was a problem reaching the server.

    Preview

    Log in to Twitter

    · Forgot password?
    Don't have an account? Sign up »

    Sign up for Twitter

    Not on Twitter? Sign up, tune into the things you care about, and get updates as they happen.

    Sign up
    Have an account? Log in »

    Two-way (sending and receiving) short codes:

    Country Code For customers of
    United States 40404 (any)
    Canada 21212 (any)
    United Kingdom 86444 Vodafone, Orange, 3, O2
    Brazil 40404 Nextel, TIM
    Haiti 40404 Digicel, Voila
    Ireland 51210 Vodafone, O2
    India 53000 Bharti Airtel, Videocon, Reliance
    Indonesia 89887 AXIS, 3, Telkomsel, Indosat, XL Axiata
    Italy 4880804 Wind
    3424486444 Vodafone
    » See SMS short codes for other countries

    Confirmation

     

    Buy Now

    Buy Now

    Hmm... Something went wrong. Please try again.

    Welcome home!

    This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.

    Tweets not working for you?

    Hover over the profile pic and click the Following button to unfollow any account.

    Say a lot with a little

    When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.

    Spread the word

    The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.

    Join the conversation

    Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.

    Learn the latest

    Get instant insight into what people are talking about now.

    Get more of what you love

    Follow more accounts to get instant updates about topics you care about.

    Find what's happening

    See the latest conversations about any topic instantly.

    Never miss a Moment

    Catch up instantly on the best stories happening as they unfold.

    1. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

      If you're interested in the technical aspects of #DNCHack, implant and attribution, here's @Crowdstrike's analysis: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …

      1 reply 85 retweets 68 likes
    2. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

      .@CrowdStrike assertion is that first hacking group (FANCY BEAR) in #DNCHack is APT28. If so, that is a strong attribution to Russia.

      1 reply 4 retweets 4 likes
    3. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

      .@CrowdStrike says the "COSY BEAR" group in #DNCHack is RU for this reason. But tbh, looks more like a piggyback oppic.twitter.com/SVFubyejAF

      1 reply 4 retweets 4 likes
    4. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

      COSYBEAR is an interesting implant. Python and Powershell; comms via .NET using AES with a fixed sym-key #DncHackpic.twitter.com/CpCXNEQTux

      2 replies 16 retweets 12 likes
      Pwn All The Things ‏@pwnallthethings 14 Jun 2016

      That puts COSYBEAR here on the @daveaitel implant-sophistication scale :) #DncHackpic.twitter.com/DXNIhVplhx

      • Retweets 11
      • Likes 8
      • lctrcl (((my_random_name))) adam ep Inquimit on Security Brian Nilsson L0NGC47 DarkSim-侍 Umat Šumak Jonathan D. Abolins
      9:49 AM - 14 Jun 2016
      4 replies 11 retweets 8 likes
        1. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          Fixed IV/key in COSYBEAR means can traffic-decrypt from pcap. Clearly not written by folks who know crypto #DNCHackpic.twitter.com/BrPLBNjli9

          1 reply 2 retweets 7 likes
        2. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          3... 2... 1... MimiKatz #DncHackpic.twitter.com/9wX5f7ALnZ

          1 reply 8 retweets 12 likes
        3. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          lolwtf? COSYBEAR operators apparently are lame script kiddies. Clearing event logs is like the worst opsec #DncHackpic.twitter.com/KW2AA1iW7a

          2 replies 3 retweets 6 likes
        4. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          Serious Q: What AV does DNC run? How did it possibly miss an implant clearing win-event logs w/ WMI persistance?pic.twitter.com/bls5QPOn8R

          2 replies 6 retweets 7 likes
        5. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          🤔🤔🤔🤔🤔pic.twitter.com/nzpansXaQF

          1 reply 2 retweets 6 likes
        6. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          For some reason @CrowdStrike listing IOCs as SHA256, when industry standard is SHA1. Makes it harder to search for.pic.twitter.com/p2BQY92hXz

          3 replies 2 retweets 3 likes
        7. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          .@CrowdStrike Also for some reason clearly have, but aren't sharing the binaries. Seems optimized to stop people checking their results.

          1 reply 1 retweet 2 likes
        8. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          Btw, if you want to piggyback onto COSYBEAR, its startup module downloaded w/ fixed AES/IV dl-ed over HTTP (port80)pic.twitter.com/HejStU8MWi

          0 replies 1 retweet 2 likes
        1. daveaitel ‏@daveaitel 14 Jun 2016

          @pwnallthethings This is a pretty common place for implants to be. It has advantages because doing client-side key generation is noisy.

          1 reply 0 retweets 0 likes
        2. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          @daveaitel Yes, but doing a full-blown HTTPS connection isn't especially. AES over HTTP is noisy and obv to firewalls + network perimeter

          1 reply 0 retweets 1 like
        3. daveaitel ‏@daveaitel 14 Jun 2016

          @pwnallthethings Tradeoffs everywhere. :) Sometimes just because of legacy code!

          1 reply 0 retweets 0 likes
        4. Pwn All The Things ‏@pwnallthethings 14 Jun 2016

          @daveaitel Usually! Here I think it's just a bug. COSYBEAR uses HTTPS for its actual comms. HTTP+FixedKey is only for startup/bootstrap.

          0 replies 0 retweets 0 likes
        1. Paul Jaramillo ‏@DFIR_Janitor 14 Jun 2016

          @pwnallthethings @daveaitel Can you please send me a link to this sophistication research? very much interested

          1 reply 0 retweets 0 likes
        2. daveaitel ‏@daveaitel 14 Jun 2016

          @DFIR_Janitor @pwnallthethings http://cybersecpolitics.blogspot.com/ 

          0 replies 0 retweets 1 like
      4. iarce ‏@4Dgifts 28 Jul 2016

        @pwnallthethings awkward.. I discussed this extensively with @daveaitel in 2002 when we demoed CORE IMPACT to Atstake New York

        0 replies 0 retweets 0 likes

      Loading seems to be taking a while.

      Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

        Promoted Tweet

        false

        • © 2017 Twitter
        • About
        • Help Center
        • Terms
        • Privacy
        • Cookies
        • Ads info