A Technology Journalist and cybersecurity professional. I have a mission to remove the marketing-speak from the information people receive in their news.

Joined July 2010
Shape the battlefield with what you have. Cybersecurity is (almost) always a logistical conversation first, followed by tactical and strategic decisions based on that. Most people would probably be shocked at how well a small team can shape the battlefield to devastating effect against an opponent.
> You don't need a lot, you just need folks who care, constantly learning, and want to do the right thing who aren't prevented from doing so. This!
Ok, they claimed unrestricted access to their product was a significant threat. Show them what that really means.
2 days post injury... This is going to take a bit to heal... :(
Some people are just dumb...
It's malware. Don't download it! Someone is offering a fake 3.4 TiB "Anthropic Fable 5" torrent, which already has 91,000 leechers...
Bits, Bytes, and Bourbon retweeted
91k leechers, spreading malware is so easy
It's malware. Don't download it! Someone is offering a fake 3.4 TiB "Anthropic Fable 5" torrent, which already has 91,000 leechers...
Not only is this hilariously unenforceable, it is an incredibly stupid thing to try to do.
🚨 NEW: Keir Starmer will introduce nightly social media curfews for 16 and 17-year-olds as part of the Government's social media ban [@thetimes]
New shirt idea: "I submitted a vuln to MSRC and all I got was Copilot in Paint"
New shirt Idea: "MSRC Denied, Attacker Approved"
Meanwhile... Bitlocker is getting beaten up on the playground.
Microsoft’s new AI-powered Terminal is not just Windows Terminal with a few extra tricks. It feels like a different tool entirely, built around guided commands, smarter context, and a workflow that helps you get things done faster. It is a fresh take on the command line that could reshape how Windows developers and power users work. Our Windows expert, Mauro, takes a look at it and shares his experience in our latest feature 🔗 windowscentral.com/microsoft…
Bits, Bytes, and Bourbon retweeted
Someone showed me this on Telegram. It is very silly. It is clearly masquerading as "Free GPT and Claude". Anyone with half a brain knows this is malicious, but people will still fall for it. People asked what it is. I have some free time. I poked it with a stick. People discussing it said it is XMRig. That is not entirely accurate. This is not XMRig. This is flagged as XMRig from Triage and VirusTotal because it does indeed drop XMRig, but it is much more than that. This is a (maybe new) information stealer packaged with XMRig as a double whammy. This malware is interesting because of a few things:
1. It is position independent; they care enough to be evasive and strip out a majority of dependencies. This is usually indicative of more serious malware.
2. The .zip it delivers from the "Free GPT and Claude" is intentionally bloated (payload inflation). It is 97MB, which may evade a majority of anti-malware products (initially) due to its large size. It packages itself with FFmpeg and various other audio codecs.
3. It accesses Microsoft Outlook e-mails, accesses Chrome stuff using the COM IElevationService, and looks for any SFTP credentials.
It (currently) does not have any matching YARA rules from AV vendors. The closest approximation is LummaStealer. My knowledge base on the Information Stealer scene is out-of-date (it changes a lot). However, on first initial glance this appears like a new information stealer. Again, this should be taken with a grain of salt. It's also worth noting the domain it exfiltrates to does not appear in any malware reports. The domain is unique, and the payload does not match any existing YARA rules (its behavioral characteristics do, but not a specific malware family), so this is actually a pretty interesting sample. A lookup though shows this is an emerging malware campaign. It first appeared around the end of May. This is (probably) a known Threat Actor who has switched it up a bit (or it's MaaS, whatever though).
The malware appears online masquerading as various products:
- ecore-sourceproject
- LogiDA
- GPT_Claude_Free
- CortexSystems.v3.4.2.Stable
- TikTokBot-v2.2
- CortexLauncher
Funny enough, this malware would have been much, much, much, MUCH more evasive if they didn't package it with XMRig. VirusTotal and Triage immediately flagged it because after it establishes persistence and steals any credentials on the machine, it pulls XMRig to turn into a cryptocurrency miner. If they did not pull the XMRig binary this stealer would be much more quiet. I have no idea why they decided to burn their OPSEC with XMRig.
C2: dfwioeiofwr-dot-info
Payload (and associated families from the C2)
How did this abomination make it past QC??
I’m not drinking anything that comes out of that.
Here's a clue. Remove some of the Microsoft Bureaucracy, stop buying other studios in order to compete, reduce the size of your teams to core people with core proficiencies, stop hiring in outside contractors (sensitivity readers), cut back on overpriced marketing stunts (did you really need to give away a bunch of Xboxes?). In other words run lean, run nimble like you would as a startup without VC money. You can rebuild, but you have to dump the extra baggage you brought on yourself over the last 10 years.
Microsoft CEO Satya Nadella JUST gave an interview on XBOX and said:
- XBOX has been subsidizing gaming.
- No one can accuse MS of not having invested (in gaming).
- Challenge: We've not monetized that entertainment.
- The challenge is how to innovate in hardware and games in an economically viable way.
- You've got to do it in an economically sustainable way.
- Prices have gone up. The scarcity of the semiconductor supply, and memory in particular, are having a massive impact.
- We have to now bring it all together while staying true to what we've always done.
Bits, Bytes, and Bourbon retweeted
So, we need to figure out what is going on with CVE-2026-41089, the Netlogon vulnerability that Microsoft patched in May and that the Center Cybersecurity Belgium said on 05/29 is being exploited in the wild. If the latter is true that's a *huge* deal. But no public confirmation?
Bits, Bytes, and Bourbon retweeted
OpenAI faces another wrongful death suit. GPT-4o allegedly mirrored a suicidal user's despair instead of escalating, even mocking hotlines. Over a dozen similar cases now stack up. Liability is compounding. futurism.com/artificial-inte…
It was a better time
Replying to @ZackKorman
Bits, Bytes, and Bourbon retweeted
3 things from chat w/ Nikhil → 10 yrs in Microsoft identity, there for the birth of Conditional Access
→ The only recommended CA control for agents today is block & that's good for your users
→ Compromise now shows up first from agents, not humans
→ LLMs confidently recommend insecure defaults 2/3
Yeah. None of these things are true. We have been finding vulnerabilities and flaws in code without AI for decades. Can GenAI find vulnerabilities in code? Sure. So can ML models, so can static and dynamic code scanning. Fable 5 was not pulled for doing this, as it was so nerfed it would not even answer simple questions about security, much less scan your code. Unrestricted GenAI is not the answer here.
The only way to make software more secure is to allow AI to scan for vulnerabilities and fix it. But this is what got Fable 5 pulled. The stuff that fixes vulnerabilities also reveals them, obviously. The only solution is no guardrails. Use AI to fix it all and find it all. Otherwise you just leave hacks to state level actors and leave everyone else vulnerable.
Bits, Bytes, and Bourbon retweeted
Back from break and now @IceSolst carrying us through Practical Security Engineering! And a sweet "How do we secure our product?" brainstorming session with the live chat for @_ContinuumCon_ 😎 continuumcon.com/
Bits, Bytes, and Bourbon retweeted
CVE-2026-20253
CVE-2026-20253 is a critical vulnerability (CVSS 9.8) in Splunk Enterprise and Splunk Cloud Platform.
Summary
An unauthenticated attacker who can reach the affected service can create or truncate arbitrary files on the system via a PostgreSQL sidecar service endpoint that lacks proper authentication controls (CWE-306). This can lead to data destruction, service disruption, privilege escalation, or remote code execution (RCE) by overwriting sensitive files or configurations.
Affected Versions
Splunk Enterprise: versions below 10.2.4 and below 10.0.7
Splunk Cloud Platform: versions below 10.4.2604.3 and below 10.2.2510.14
Fixed in: Splunk Enterprise 10.2.4, 10.0.7 (and later); corresponding Splunk Cloud Platform releases.
Technical Details
The flaw stems from the PostgreSQL sidecar service endpoint (e.g., paths like /v1/postgres/recovery/backup and /v1/postgres/recovery/restore) not requiring any authentication. Network-reachable attackers can invoke file operations directly. It is particularly notable in Splunk Enterprise on AWS deployments where the sidecar is enabled by default.
Impact and Exploitation
Unauthenticated remote file write/truncation → high risk of full compromise. Researchers (e.g., watchTowr Labs) have published technical details and proof-of-concept information demonstrating pre-auth RCE potential. Disclosed around June 10, 2026, alongside related high-severity issues in Splunk.
Mitigation
- Upgrade immediately to a fixed version.
- Restrict network access to Splunk instances (e.g., firewall rules, avoid exposing management ports publicly).
- Monitor for suspicious activity on PostgreSQL sidecar endpoints.
- Apply any additional guidance from Splunk's official advisory (SVD-2026-0603).
If you're running Splunk, check your version and patch ASAP — this is considered easily exploitable. #byGROK
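Two defender-side checks for the advisory above, written as an added example rather than code from the post or from Splunk: a version check against the fixed releases the post names (branches the post does not mention are reported as unknown instead of guessed), and a scan of access-log lines for requests to the sidecar endpoints it lists that come from outside an allow-list. The combined-style log layout, the allow-listed host 10.0.0.5 and the sample lines are assumptions.

```python
import re

# Fixed releases per Splunk Enterprise branch, as stated in the post above.
FIXED_BY_BRANCH = {(10, 2): (10, 2, 4), (10, 0): (10, 0, 7)}
# Unauthenticated PostgreSQL sidecar endpoints named in the post.
SIDECAR_PATHS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")
# Apache/nginx "combined"-style access log layout (an assumption; adapt to your proxy).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.strip().split("."))

def is_affected(version: str) -> str:
    """'affected' or 'fixed' for the 10.2 and 10.0 branches; 'unknown' for
    branches the post does not mention (e.g. 10.1.x), rather than guessing."""
    parts = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parts[:2])
    if fixed is None:
        return "unknown"
    return "affected" if parts < fixed else "fixed"

def find_sidecar_hits(lines, allowed_sources):
    """Requests to a sidecar endpoint from any source not on the allow-list.
    Query strings are ignored when matching; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path in SIDECAR_PATHS and m["src"] not in allowed_sources:
            hits.append({"src": m["src"], "method": m["method"], "path": path,
                         "status": int(m["status"]), "ts": m["ts"]})
    return hits

# Constructed sample lines (not real traffic); 10.0.0.5 is the assumed allow-listed backup host.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2026:12:00:01 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 15',
    '203.0.113.9 - - [10/Jun/2026:12:00:07 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 15',
    '203.0.113.9 - - [10/Jun/2026:12:00:09 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 4821',
    '198.51.100.7 - - [10/Jun/2026:12:01:30 +0000] "POST /v1/postgres/recovery/backup?fast=1 HTTP/1.1" 403 0',
    "garbled line that does not parse",
]

if __name__ == "__main__":
    print({v: is_affected(v) for v in ("10.2.3", "10.2.4", "10.0.7", "10.1.2")})
    print(find_sidecar_hits(SAMPLE_LOG, allowed_sources={"10.0.0.5"}))
```

Note that a 403 on the sidecar path is still reported: the point is to see who is probing the endpoint, not only who succeeded.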
Bits, Bytes, and Bourbon retweeted
For the 2nd time in weeks, Microsoft packages laced with credential stealer - Ars Technica arstechnica.com/security/202…