I do security things

Joined January 2017
Pinned Tweet
7 Jan 2019
Today I am open-sourcing SlackPirate, a tool I developed over the last couple weeks. It's designed to run under a given Workspace token and enumerate and extract sensitive/interesting/confidential data for easy offline viewing - github.com/emtunc/SlackPirat…
Mikail Tunç retweeted
🔬 Open Sourcing Chronicle Detection Rules A collection of detection rules for Google's cloud-native SIEM, Chronicle ➡️ GitHub, Okta, Google Workspace, Slack, AWS, Kubernetes, others coming soon Code: github.com/Algbra-Labs-OSS/C… By @emtunc labs.algbra.com/open-sourcin…

29 Oct 2022
Hey @Merton_Council do better please. You're allowing PII (name, address, email, phone number, DOB) to be easily accessible by setting this ridiculous password as the default... what makes things worse is users aren't prompted to update from this weak password on log-in!
30 Sep 2022
There's a lot of talk on passkeys and how they impact security. As with almost everything in life; there are pros and cons... so I did what any other sane person would do and blogged about it 😅 emtunc.org/blog/09/2022/pass…
27 Jan 2022
I uncovered a disturbing lack of security & privacy practices in the mobile apps of some well known orgs, including a couple of UK FinTechs. In this particular example, Identity documents and Biometric data were open to abuse. Collab with @CyberNews cybernews.com/security/popul…
14 Sep 2021
Replying to @DaveKSecure
@DaveKSecure @jeffvanderstoep hey team, is there a known issue where WebAuthn prompts don't work on Google apps (maybe something to do with the native Android prompts) on Android? I've not been able to get it to prompt me for biometrics or a security key.
20 Oct 2021
@DaveKSecure @jeffvanderstoep sorry for reaching out again - do you know when WebAuthn in the native Android flows will be supported? Is it a known issue that it's not supported in Native flows (like logging in to the Gmail app)?
15 Sep 2021
Replying to @GitHubSecurity
@GitHubSecurity @natfriedman it would be _really_ awesome if requiring reviews from Code Owners didn't fail open, silently. Maybe it's my fault and I'm doing something wrong but it feels really easy to accidentally bypass this check even though the box is checked.
15 Sep 2021
e.g., Require Code Owner checked but no CODEOWNERS file exists? Fail open. Member has write access but team not explicitly defined in the repo "manage access" section? Fail open.
15 Sep 2021
It wouldn't be so bad if it failed open with a clear warning somewhere but it doesn't. Makes it real easy for teams to go days/weeks/months without realising they've forgotten to include a CODEOWNERS or they've misspelt a team name or something.
15 Sep 2021
yo @BritishGas, what's up? you could have gone with something more neutral like "we're sorry but our legacy systems don't support special characters" instead of the patronising wording used here :)
22 Jul 2021
Is there a department worse than @tvlicensing? New property and one of the first letters I receive: Brown envelope - these are usually used by tax/HMRC/debt collectors/penalties/fines/etc. I don't think it's a coincidence - fear and threats are their main tactics
22 Jul 2021
"You are at risk of a visit by our Oxford Enforcement Division" - again, instilling fear of imprisonment and monetary fines. Who is this mysterious Oxford Enforcement Division? I don't want a visit from them. They sound scary. Will they take my children?
22 Jul 2021
"Contact us by the 4th August, or this address will be passed to our Oxford Enforcement Division". Nice to see them using similar urgency and fear techniques used by criminals. PAY UP or else... (please don't take my children @tvlicensing)
4 Jun 2021
Strange. The @monzo app thinks I'm in Gibraltar 🤔 I'm not using a VPN or anything like that. Odd.
26 May 2021
Hello old friend
25 Jan 2021
Sweet shout-out for SlackPirate!
Some good info and tooling for leveraging Slack access during a penetration test: sprocketsecurity.com/blog/ho… #infosec #cybersecurity #pentest
Mikail Tunç retweeted
Some observations on the SolarWinds supply chain attack, now that I'm all caught up! Just a rundown of what I learned - citations included, all opinions my own 😄 /1
16 Oct 2020
Slack does a crappy job of session management on their desktop and mobile apps. Connection failure due to degraded service? No problem, let's sign you out of the 15 Workspaces you were in.
27 Sep 2020
Not ideal. Legitimate email and link from the NHS. Warning probably triggered because URI contains the word COVID in it.