Damus
Ian Campbell 🏴
@Ian Campbell 🏴

Security ops engineer for DomainTools, DT Investigations threat researcher, writer, voracious reader. he/him. Fan of good trouble. Opinions here mine only. No LLM content from me, all flaws detected are human-generated. Autistic/depressed/anxious/hungry.

#infosec #cybersecurity #privacy #actuallyautistic #neurodivergent

Relays (1)
  • wss://relay.ditto.pub – read & write

Recent Notes

Ian Campbell 🏴
ok back to cooler stuff:

"Western OSINT researchers consistently underperform on China-focused work for one reason: they treat the Chinese-language internet as a translated copy of the English-language web. It isn't. The highest-value records — company registries, procurement awards, court and enforcement data, regulatory penalties, patents, disclosures — are indexed under Chinese names, Chinese pivot terms, Chinese identifiers, and Chinese document conventions, and they surface on different engines and official portals than the ones English-speakers default to.

This repository is a practical, bilingual playbook for doing that work well and lawfully."

#infosec #cybersecurity #threatintel

https://github.com/ArgeliusLabs/chinese_osint_search_dorks

Ian Campbell 🏴

Ad blocking is a security measure, given the failure of ad platforms to keep malicious actors out.

Like any defense, it works best in layers - consider adding this on the DNS level as well.

If that sounds daunting? It's not, especially with off-the-shelf services like NextDNS*, which also have a good amount of adaptability.

(*I have no connections to NextDNS other than as a happy customer.)

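An added example of what a DNS-level blocker actually decides, written for this page and not code from the post, from Damus or from NextDNS: it parses a hosts-format blocklist (the format most public ad and tracker lists ship in), normalizes the queried name, and matches on label boundaries so subdomains of a listed name are caught while look-alike names are not, with an allowlist override. The list contents are constructed and every domain in it is hypothetical.

```python
# Added example: the decision logic of a DNS-level blocker.
# Not from the post or any product; the blocklist below is constructed and
# every domain in it is hypothetical.

SAMPLE_BLOCKLIST = """\
# hosts-file format, as used by most public ad/tracker lists
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 Telemetry.Example.COM.
127.0.0.1 localhost
::1 localhost
"""

# Addresses that hosts-format lists use to mean "sink this name".
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def normalize(name):
    """DNS names are case-insensitive and a trailing dot only marks the root."""
    return name.strip().rstrip(".").lower()


def parse_hosts_blocklist(text):
    """Return the set of blocked names from a hosts-format list."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if fields[0] not in SINKHOLE_ADDRS:   # a real host mapping, not a block entry
            continue
        for host in fields[1:]:
            host = normalize(host)
            if host and host != "localhost":
                blocked.add(host)
    return blocked


def blocking_entry(qname, blocked, allowed=frozenset()):
    """Return the list entry that blocks qname, or None.

    Walks up the label tree (cdn.ads.example.net -> ads.example.net -> ...)
    so subdomains of a listed name are caught, while notads.example.net is
    not: matching happens on label boundaries, never on substrings.  At each
    level an allowlist hit wins, so a specific allow beats a broader block.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowed:
            return None
        if candidate in blocked:
            return candidate
    return None


def answer(qname, blocked, allowed=frozenset()):
    """Simulated resolver decision: NXDOMAIN for blocked names, otherwise
    forward upstream.  Answering 0.0.0.0 instead of NXDOMAIN is the other
    common choice; both keep the client from reaching the listed host."""
    entry = blocking_entry(qname, blocked, allowed)
    if entry is None:
        return ("FORWARD", None)
    return ("NXDOMAIN", entry)


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for q in ("cdn.ADS.example.net.", "notads.example.net", "www.example.com"):
        print(q, "->", answer(q, blocked))
```

The label-boundary walk is the part that matters in practice: tracker hostnames rotate subdomains constantly, so a blocker that only matched exact names would miss most of them, while a substring match would wrongly catch unrelated names that merely contain a listed one.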
LeeRayl · 3w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq8c7wjmr8txk9u3xzrxl5rsx8mpt4dr84nyluufn4qg4x9xnar52q4k524c I am waiting for this to be released https://store.steampowered.com/app/3282600/Crowded__A_Crow_City_Builder?snr=1_25_4__318

Ian Campbell 🏴
Is BGP boring? Well...it depends. But a few quick observations we've made recently:

1. We identified several /24 IP blocks with consistent RPKI/IRR flips between a Romanian ASN that's the largest VPN exit node in Europe, half a dozen Iranian ASNs, and another handful of shell ASNs in Europe and North America in order to launder transit from sanctioned IP space.

2. A new-ish ASN that's very much a problem child, including a recent favorite of Iranian threat actors, is nothing more than a well-known AS bucketing all its known problematic customers together, but still taking their money and providing them service. All original prefixes for the Problem Child originated at its parent ASN and migrated in the course of 3 hours.

3. In looking at other IP blocks showing up in recent-ish advisories, you can see clear IP prefix handoffs from an Iranian ASN to an Italian one while traffic clearly still originates from Iran. The BGP updates occur in the middle of the night for Italy - but a healthy morning period for Tehran.

4. This one, we published on - a Seychelles-based ASN under complete transit capture by one Russian organization and a second Slovakian one whose administration offices just happened to be in Moscow.

And these aren't even the coolest things we've seen lately. These are just the ones I'm okay vaguebooking about.

So no - BGP ain't boring. Much like DNS, it leads you to exactly where threat actors hang their hat.

Look deeper, look wider, punch bad guys where it hurts and make sure the bruises last.
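An added example of the mechanics behind observations 1 and 3 above, written for this page and not code from the post or from DomainTools: it runs Route Origin Validation (the RFC 6811 rules) against a set of ROAs, detects origin-AS changes per prefix in a stream of BGP updates, and attaches the local hour in each zone of interest so a flip that lands at night for one operator and mid-morning for another stands out. The ROAs and updates are constructed, the ASNs come from the documentation range (RFC 5398), the prefixes from RFC 5737, and the fixed UTC offsets for Rome and Tehran are an assumption in place of a real tz database.

```python
# Added example: origin-flip detection, RPKI origin validation (RFC 6811 rules)
# and local-time context over BGP update records.  Not from the post or from
# DomainTools; the ROAs and updates below are constructed, the ASNs come from
# the documentation range (RFC 5398) and the prefixes from RFC 5737.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Update:
    ts: datetime      # UTC
    prefix: str
    origin_asn: int


def utc(iso):
    """Parse an ISO-8601 timestamp that carries an explicit offset."""
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


ROAS = [ROA("203.0.113.0/24", 24, 64496)]

UPDATES = [
    Update(utc("2024-01-14T09:00:00+00:00"), "198.51.100.0/24", 64511),
    Update(utc("2024-01-14T10:00:00+00:00"), "203.0.113.0/24", 64496),
    Update(utc("2024-01-15T02:30:00+00:00"), "203.0.113.0/24", 64500),
    Update(utc("2024-01-15T14:00:00+00:00"), "203.0.113.0/24", 64496),
    Update(utc("2024-01-16T01:45:00+00:00"), "203.0.113.0/24", 64500),
]

# Assumed fixed offsets for the local-time check: Italy on CET (UTC+1, winter)
# and Iran on IRST (UTC+3:30).  Real code would use zoneinfo.
ZONES = {
    "Rome": timezone(timedelta(hours=1)),
    "Tehran": timezone(timedelta(hours=3, minutes=30)),
}


def rov_state(prefix, origin_asn, roas):
    """Route Origin Validation: valid / invalid / unknown (RFC 6811)."""
    net = ip_network(prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "unknown"          # no ROA covers the prefix at all
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"              # covered, but wrong origin or too specific


def origin_flips(updates):
    """Per prefix, every change of origin AS in time order."""
    by_prefix = defaultdict(list)
    for u in sorted(updates, key=lambda u: u.ts):
        by_prefix[u.prefix].append(u)
    flips = {}
    for prefix, seq in by_prefix.items():
        changes = [(b.ts, a.origin_asn, b.origin_asn)
                   for a, b in zip(seq, seq[1:]) if a.origin_asn != b.origin_asn]
        if changes:
            flips[prefix] = changes
    return flips


def local_hours(ts, zones=ZONES):
    """Hour of day of a UTC timestamp in each zone of interest."""
    return {name: ts.astimezone(tz).hour for name, tz in zones.items()}


def flip_report(updates, roas, zones=ZONES):
    """One record per flip: the new origin's ROV state plus local hours,
    which is the context the post reads (night in Italy, morning in Tehran)."""
    report = []
    for prefix, changes in origin_flips(updates).items():
        for ts, old, new in changes:
            report.append({
                "prefix": prefix, "ts": ts.isoformat(),
                "from": old, "to": new,
                "rov": rov_state(prefix, new, roas),
                "local_hours": local_hours(ts, zones),
            })
    return report


if __name__ == "__main__":
    for rec in flip_report(UPDATES, ROAS):
        print(rec)
```

Two points worth noting. A prefix with no covering ROA validates as "unknown", not "invalid", so a party that wants to move space between ASNs without tripping ROV only needs the holder to leave the ROA absent or to widen maxLength; watching for ROA churn around a flip is as useful as watching the flip itself. And the hour-of-day check is only meaningful on a run of flips, which is why the report keeps every change rather than the latest state.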

Ian Campbell 🏴

Remind me, was it Meta's AI safety executive that had an AI agent go rogue on their mailbox?

Anyways, things are still going great over there.

Ian Campbell 🏴
I'm just a SecOps and Threats guy, not selling a damn thing, so whenever you talk about AI "democratizing" capabilities to the average enterprise employee, I want you to keep in mind for me that short of herculean new spends and deliberate frameworks, you're democratizing some software capabilities but without the development, QA, monitoring, and responsibility offload.

We've been working with the concept of Third Party Risk Management for years and are barely in its infancy - yet even so, none of the lessons TPRM has taught us so far have been natively incorporated into AI products, and especially not executive or board mandates demanding employees increase AI use or agentic deployment.

Simply put, none of the forethought or structure that real software development requires, little of the centralized administration or visibility for defenders to work with, but all of the consequences.

Whenever someone in your presence starts talking about how employees should script Gems or Projects or Skills or gizzards or whatever the customized agentic buzzword of the day is, and give it trusted access to their email or calendar or, god forbid, customer data, remember that it has precisely zero of the attention and accountability that Third Party Risk Management involves. And TPRM is a critical path.

Ian Campbell 🏴
So let me get this straight:

in a 48-hour period, Microsoft-owned GitHub got compromised due to a malicious extension in Microsoft-owned VS Code

and Microsoft-owned Windows has a system-integral RCE vulnerability thanks to Microsoft-owned Windows Defender... scanning a file.
التنينوكس · 6w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq8c7wjmr8txk9u3xzrxl5rsx8mpt4dr84nyluufn4qg4x9xnar52q4k524c They want Grafana to pay extortion? They downloaded their source code? But Grafana is open source and operates in the open, so what is the deal here? They can't get it back? Tons of mirror...