
Dylan

@insecurenature.bsky.social

Appsec and security hot takes.

163 Followers  |  18 Following  |  22 Posts  |  Joined: 05.05.2023  |  1.66

Latest posts by insecurenature.bsky.social on Bluesky

This is how you make an AI Ransomware Worm (YouTube video by Truffle Security)

Here's my BSidesSF talk on using LLMs to self-replicate and ransom the planet:

youtu.be/s4RKXTC8iuM

12.05.2025 15:56 — 👍 1    🔁 0    💬 0    📌 0

BSides works really hard, and they're all volunteers; I didn't mean to tease them too hard here.

27.04.2025 16:24 — 👍 2    🔁 0    💬 0    📌 0

🔥 You can now add TruffleHog to Burp Suite!

🌐 Install it directly from the BApp Store
🔍 Scan web traffic for live, verified credentials—active & exploitable

Because secrets don’t just leak in code… 😬

🔗 trufflesecurity.com/blog/introdu...

13.03.2025 16:57 — 👍 3    🔁 2    💬 0    📌 0
Removing Jeff Bezos From My Bed ◆ Truffle Security Co. Eight Sleep smart bed found to contain an exposed AWS key and a likely backdoor that allowed engineers to remotely access users' beds

The privacy concerns I have around the Eightsleep have kept me from buying one; the security concerns make me want to warn people about buying one:

trufflesecurity.com/blog/removin...

21.02.2025 22:50 — 👍 39    🔁 7    💬 3    📌 1

NEW: security researchers found what they say appears to be a backdoor into Eight Sleep beds, which could allow company engineers to SSH into any bed

in theory, they could see if you're home or not, if you're sleeping alone or with someone

in today's newsletter for @bloomberg.com

21.02.2025 20:50 — 👍 41    🔁 16    💬 2    📌 7

Agent Zuck takes you out to a steak dinner and offers to plug you into the Oculus, which perfectly simulates the year 1999.

All you have to do is hand over the codes to Zion.

05.02.2025 03:17 — 👍 2    🔁 0    💬 1    📌 0

🐷 Under the Hood of TruffleHog!

⚡ Part 1 of 2: How Aho-Corasick + CPU optimizations deliver 11-17% faster scans with precomputed keyword matching. 🚀

👉 trufflesecurity.com/blog/under-t...

24.01.2025 20:04 — 👍 2    🔁 1    💬 0    📌 0
Millions Of Sign-In-With-Google Users Warned Of Data-Theft Vulnerability A security vulnerability in the “Sign In With Google” OAuth authentication process could allow attackers to access sensitive data from millions of accounts.

Forbes and Ars Technica ran a story on my research. Neat! www.forbes.com/sites/daveyw...

16.01.2025 02:16 — 👍 3    🔁 0    💬 0    📌 0

I wrote a blog about my Shmoocon talk, check it out 👇

14.01.2025 04:35 — 👍 3    🔁 2    💬 0    📌 0

I spoke at Shmoocon today and linked my Twitter and Blue Sky.

It led to:
+ 5 Twitter follows
+ 19 Blue Sky follows

12.01.2025 04:27 — 👍 2    🔁 0    💬 1    📌 0

Vigilante Justice on GitHub. 🦇🦸

Here's how to spray paint on other fraudsters' GitHub Activity Graphs.

trufflesecurity.com/blog/vigilan...

08.01.2025 08:02 — 👍 2    🔁 1    💬 0    📌 0

🚨 10% of SaaS platforms mishandle GitHub OAuth tokens, opening potential backdoors into corporate accounts. 😱

⚠️ Extends to Azure, Slack & more—increasing risk with poor token handling.

🛑 The issue isn’t OAuth; it’s how platforms secure tokens.

👉 trufflesecurity.com/blog/mishand...

19.12.2024 21:57 — 👍 1    🔁 2    💬 0    📌 0

Hey Fidelity,

Now that the CCP is literally in our phone networks,

Can you please stop making your customers rawdog their passwords over touch tone?

Thanks.

19.12.2024 23:20 — 👍 0    🔁 0    💬 0    📌 0

Look up "Altoona Pizza", I can't even

12.12.2024 02:56 — 👍 1    🔁 0    💬 0    📌 0

My Shmoocon talk got accepted!

I've never spoken at Shmoocon before, but I have been submitting every year for a while.

If you're wondering what it takes to get accepted at a conference, the answer is a lot of rejection first.

10.12.2024 03:54 — 👍 2    🔁 0    💬 0    📌 0

Truffle Security is posting on Blue Sky now??

09.12.2024 17:40 — 👍 1    🔁 0    💬 0    📌 0

I found an AWS key inside one of my household devices, does anyone want to guess which one?

07.12.2024 07:51 — 👍 1    🔁 0    💬 1    📌 0
Cracking Open APK Files at Scale ◆ Truffle Security Co. TruffleHog now automatically decodes Android Package Kit (APK) files and searches them for secrets. It runs ~9x faster than using an external decompiler before calling TruffleHog.

It's no secret Android apps have a lot of passwords and API keys in them.

TruffleHog can now find them, fast: trufflesecurity.com/blog/crackin...

05.12.2024 03:59 — 👍 1    🔁 1    💬 0    📌 0

I'll pay $200 bucks for a moxie robot. Seriously.

03.12.2024 02:07 — 👍 0    🔁 0    💬 0    📌 0
Announcing Truffle Security’s CFP ◆ Truffle Security Co. Have a security research idea? We’re sponsoring 2 projects a month. Your research will be featured on our blog, you get $1500 and you can still submit your research to conferences.

Truffle Security sponsors security research, in case anyone is tired of the conference loop: trufflesecurity.com/blog/announc...

02.12.2024 21:29 — 👍 0    🔁 0    💬 0    📌 0

Technically you can satisfy data breach notification requirements by sending snail mail to those impacted, and never announcing publicly.

02.12.2024 20:25 — 👍 0    🔁 0    💬 0    📌 0

How will code gen change the security landscape?

AI will write code containing vulnerabilities, and humans won't know the first thing about it.

Then they will actively push to not be held accountable to review and fix it.

29.11.2024 22:56 — 👍 1    🔁 0    💬 0    📌 0

So do people use this app?

19.11.2024 03:13 — 👍 5    🔁 0    💬 3    📌 0

Sometimes you find the shell, sometimes the shell finds you

05.07.2023 10:27 — 👍 0    🔁 0    💬 0    📌 0
Hacking on coffee

@twitchyliquid64.bsky.social is enjoying a coffee

14.05.2023 19:22 — 👍 1    🔁 0    💬 0    📌 0
Low-level motherboard security keys leaked in MSI breach, claim researchers What can you do if someone steals your keys but you can’t change the lock? We explain the dilemma in plain English.

A few years ago, reports came out suggesting the NSA had hardware signing keys and used them to embed hardware-level backdoors. Now, with MSI keys leaking, you can make your own: https://nakedsecurity.sophos.com/2023/05/09/low-level-motherboard-security-keys-leaked-in-msi-breach-claim-researchers/

12.05.2023 20:12 — 👍 0    🔁 0    💬 0    📌 0

Okay I'm posting my first.... What is this action? Sky? Am I skying?

08.05.2023 19:23 — 👍 1    🔁 0    💬 0    📌 0

Omg is that why I got followers minutes after joining? I was wondering what the deal was...

05.05.2023 23:53 — 👍 5    🔁 0    💬 1    📌 0
