Matt Strahan

Red team: He went full 007 spy mode

#redteaming #redteam #pentesting #cybersecurity #hacking

This one resonates with me. We started a company and realised we’re great at delivering services but we’re not great at sales and not great at marketing. Luckily we’ve now got people who are great at those things!

New Volkis shirts!

I have cancelled our planned trip to the RSA Conference in San Francisco later this month. @metlstorm.risky.biz and I were headed over to record some live shows and see everyone. Unfortunately I have received advice that crossing the border into the United States right now would be a bad idea.

I saw that the super attacks resulted in $500k of unauthorised payments and my thought was "huh, that's not that bad". Shows the state of cyber security in 2025.

The Trump Administration Accidentally Texted Me Its War Plans U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.

This is a wild read! The top cabinet members of USA were discussing war plans in a Signal chat. That's unsettling enough considering it's out of band comms. Then they accidentally added a journalist to the chat.

Going to be at @crikeycon.bsky.social tomorrow. Hope to see you all there!

Looking forward to seeing you all next week!

Thank you www.volkis.com.au for your ongoing support of CrikeyCon, coming in with Silver sponsorship again. We love our long term supporters, and Volkis has been a wonderful friend and supporter of the Con. Welcome back!

I'm going to guess LLMs are going to result in a whole bunch of super weird defamation cases. Don't just go blindly trusting Chat GPT!

In a world full of bad news we must always find happiness in the good news!

That’s a wild read! That kind of thing has absolutely no place in any modern democracy!

A few years, a decade at most. Low earth orbits degrade relatively quickly.

Oh man, I have so many stories about that "startup". The founder Marshall Webb spent a year harassing me because I posted a research paper on the Mirai botnet (he considered himself to be the sole authority). It later turned out his knowledge came from him personally hosting their infrastructure 1/5

Top 10 web hacking techniques of 2024 Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...

Is this the start of a trend towards trojaned CPUs in nation state hacking?

8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, suppl...

watchTowr Labs reregistered lapsed S3 buckets and found that they were still being used for things like updates. Long read but worth going through!

Pre-purchase Sid Meier's Civilization VII on Steam The award-winning strategy game franchise returns with a revolutionary new chapter. Sid Meier's Civilization® VII empowers you to build the greatest empire the world has ever known!

I'd be keen for Civilization VII but $120 is way too much!

I'm putting together a bit of a list of Australian Infosec people on Bluesky here: bsky.app/profile/did:... If anyone wants to be added or knows people who should be added let me know!

It's fixed now. For anyone watching, the solution was to go to the homepage (NOT the settings page), do a hard reload (i.e. shift F5 or hold shift and press reload) and then redo the domain verification.

I tried to get the handle @matt.volkis.au but it hasn't gone all that well! How come it worked for @skorov.volkis.au but not me?

That said I'm kind of liking the hackery vibe of "Invalid Handle"!

I feel like it’s just really hard to differentiate a DDoS from just a huge amount of people using the app.

They don’t even seem to be saying that DeepSeek is stealing IP. I’m not even sure they violated ToS. They’re just saying that they used the OpenAI APIs as part of the training process.

This is a great blog post with some brilliant old school web hacking. It raises the question though: do we really want car companies to be able to remotely track and unlock our cars?

Yep I deactivated my account yesterday. I had hardly used it lately but nowadays I just don’t want to be associated with it at all, even if it’s just an unused account.

Listening to it now. The CSRB being gutted is such a pity. I was holding it up as a "see this is an example of getting better as an industry. It's a sign of maturity!" Now it's likely just gone. Probably won't even see a Salt Typhoon report.

Started a new year health kick? Beware the ‘subscription trap’ Gyms, streaming services and meal-kit providers are being targeted by proposed new laws that will crack down on unfair business practices.

I’ve always thought that there should be active subscription renewals like you should have to press a button that says “yes I want to renew this for the next year” www.smh.com.au/politics/fed...

US Treasury Department Admits It Got Hacked by China Treasury says hackers accessed “certain unclassified documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.

big wheel keep on turnin' www.wired.com/story/us-tre...

US Treasury says Chinese hackers led a 'major cybersecurity' breach The revelation comes as US officials continue to grapple with the fallout of a massive Chinese cyber espionage campaign known as Salt Typhoon.

Another target of Salt Typhoon, this time it’s the US Treasury. Doesn’t seem like they issued themselves bonds but they probably got some incredible intelligence. www.abc.net.au/news/2024-12...

Good luck! That must have taken some skill to achieve (and a lot of work to get out of!)