Author | Lightnews

Reposted by tomchop

Maarten van Dantzig @maartenvdantzig.bsky.social · Jun 19

Using Timesketch for timeline analysis? We recently added a new feature: LLM summaries of up to 500 events in view. Example below uses Gemini Flash, but you can just as easily use a local Ollama model. Setup guide: timesketch.org/guides/user/...

4 6

Reposted by tomchop

Mark Russinovich @markrussinovich.bsky.social · Apr 1

4 11 91

tomchop @tomchop.me · Apr 2

That's not that many cabs.

Asher Wolf @asherwolf.bsky.social · Apr 1

13cabs may have suffered a major data breach www.cyberdaily.au/security/119...

13cabs may have suffered a major data breach

Major Australian cab service 13cabs has published a notice detailing a potential cyber attack after it discovered unauthorised activity on its network.

www.cyberdaily.au

5

tomchop @tomchop.me · Jan 29

Well well well, how the turntables...

Financial Times @financialtimes.com · Jan 29

OpenAI says it has evidence China’s DeepSeek used its model to train competitor

https://www.ft.com/content/a0dfedd1-5255-4fa9-8ccc-1fe01de87ea6

OpenAI says it has evidence China’s DeepSeek used its model to train competitor

White House AI tsar David Sacks raises possibility of alleged intellectual property theft

www.ft.com

3

Reposted by tomchop

Johan Berggren @jbn.the4711.net · Jan 7

Great stuff from @tomchop.me! Memory analysis and Yara support in #OpenRelik

#DFIR

tomchop @tomchop.me · Jan 7

I had a look at #OpenRelik last year and wrote a couple workers that might be useful:

* github.com/tomchop/open...: Scan memory images using @volatilityfoundation.org plugins. Supports Yara rules
* github.com/tomchop/open... - Run Yara rules on a directory. Supports third-party systems like #Yeti!

Demo of the Volatility 3 worker extracting files and plugin output

Demo of the Yara scanner worker showing matches for a dumb DarkComet rule

3 5

tomchop @tomchop.me · Jan 7

I had a look at #OpenRelik last year and wrote a couple workers that might be useful:

* github.com/tomchop/open...: Scan memory images using @volatilityfoundation.org plugins. Supports Yara rules
* github.com/tomchop/open... - Run Yara rules on a directory. Supports third-party systems like #Yeti!

6

Reposted by tomchop

Johan Berggren @jbn.the4711.net · Dec 12

New #OpenRelik release. Task metrics (queue length, completion, failures etc) & new Prometheus exporter. Plus, a new task dashboard for deep dives into task performance.

📝 openrelik.org/changelog/
🔗 discord.gg/hg652gktwX

#DFIR

1 3

tomchop @tomchop.me · Dec 12

This is also the reason I never talk publicly about my dog, any favorite foods, or the season we were in < 3 months ago

Skeletrina 💀 @ohcatrina.bsky.social · Dec 12

When i see trends that ask me to post about movies that came out the year i was born or photos from the city i was born in or anything asking for information that could be used to crack a password I remember the golden rule:

Don't share any information Ron Swanson wouldn't share

a man with a mustache is holding a cup and saying i like saying " no " .

Alt: a man with a mustache is holding a cup and saying i like saying " no " .

media.tenor.com

2

tomchop @tomchop.me · Dec 4

I made this one, which tracks a bunch of infosec-related keywords (and blocks noisy accounts): bsky.app/profile/did:...

tomchop @tomchop.me · Nov 29

Looks like the kind of manual you could find in The Last of Us that would allow you to upgrade your rifle

1

tomchop @tomchop.me · Nov 27

Travel budgets are tight yo

tomchop @tomchop.me · Nov 27

Looks like shit just got real @swiftonsecurity.com

1 8

tomchop @tomchop.me · Nov 26

Probably the most riveting incident report I've read in a long time. I would've so much liked to be part of this investigation!

Kudos to @volexity.com for going into so much detail on this novel network attack technique.

www.volexity.com/blog/2024/11...

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

www.volexity.com

2 4 13

Reposted by tomchop

Hash Miser ✊🇺🇦 @hash-miser.bsky.social · Nov 23

This incredible investigation is worth the time you’ll spend reading it #dfir

www.volexity.com/blog/2024/11...

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

www.volexity.com

1 6 11

Reposted by tomchop

danielroe 🇺🇦 @danielroe.dev · Nov 23

if you have a @github.com profile, can i ask you to update it with your @bsky.app handle? 🙏

👉 it enables some very cool integrations, like auto curated feeds and starter packs for contributors and tech

84 210 1K

tomchop @tomchop.me · Nov 23

“i know bsky is an echo chamber because those echo chamber posts keep coming back around and i know what an echo is”

tomchop @tomchop.me · Nov 21

There's probably less content than there was on twitter in 2012, but this already feels much nicer and relevant than what X is right now.

2

tomchop @tomchop.me · Nov 19

Shiiiiyet, I'm gonna try to not miss this edition! 🤞🏼🤞🏼🤞🏼

PIVOTcon @pivotcon.bsky.social · Nov 19

#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)

two men are standing next to each other with the words " we open it up " on the screen

ALT: two men are standing next to each other with the words " we open it up " on the screen

media.tenor.com

2

tomchop @tomchop.me · Nov 19

Amazing, thanks! skyfeed.app offers a (less polished, more hacky) similar interface but also allows you to create custom feeds

2

tomchop @tomchop.me · Nov 18

*cue pokémon battle song*

"plaso I choose you!!"

Eric Capuano @eric.zip · Nov 17

Starter Pack containing #infosec trainers — if I missed any, lmk!

go.bsky.app/V5iocw6

1 3

tomchop @tomchop.me · Nov 17

Thanks, this is useful! I also started a feed a long time ago with more generic infosec keywords: bsky.app/profile/did:...

bsky.app

2

tomchop @tomchop.me · Nov 15

Thinking of coming up with a Bluesky #DFIR Starter Pack with @the4711.org... who should we include?

2 6

Reposted by tomchop

Filippo Valsorda @filippo.abyssdomain.expert · Mar 30

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

Filippo Valsorda @filippo.abyssdomain.expert · Mar 29

This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.

Looks like this got caught by chance. Wonder how long it would have taken otherwise.

Filippo Valsorda @filippo.abyssdomain.expert · Mar 29

Woah. Backdoor in liblzma targeting ssh servers.

www.openwall.com/lists/oss-se...

It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…

Now I’m curious what it does in RSA_public_decrypt

7 280 690

Reposted by tomchop

Martijn Grooten @martijngrooten.bsky.social · Nov 28

Today, we published this Field Guide to incident response for civil society and media, which I’ve been working on for the past year or so and which I am pretty excited about internews.org/resource/fie...

3 8

tomchop @tomchop.me · Nov 14

Yes, for sure. Otherwise does the project even exist?? I tried briefly playing a bit with Dall-E but didn't get any satisfying results :(

1 1