THESE 👏 TWEETS 👏 ARE 👏 FICTION👏
This account tweets fictional or headline inspired breach scenarios.
To play: Share opinions on prevention or response steps.
An influencer on your platform has changed their username to a string that exploits your logging infrastructure, beaconing out of your network.
Within a few minutes... so do a few hundred other users.
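One prevention step for the username scenario above, as an added example that is not part of the @badthingsdaily feed: a user-controlled field must never reach a log sink as raw text, because control characters let a username forge new log lines or drive whatever later parses the log. The helper below (names, sample usernames and the 64-character limit are all constructed for this illustration) escapes control characters instead of dropping them, truncates oversized values, emits the record as JSON so the field is data rather than format, and separately flags raw values that contained control characters so the account change itself can be reviewed.

```python
import json
import re

MAX_FIELD_LEN = 64  # constructed limit; pick one that fits your schema

# C0 controls, DEL and C1 controls: the characters that turn a field into a
# forged log line, a terminal escape sequence or a parser confusion.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed sample usernames (not from the original tweets).
SAMPLE_USERNAMES = [
    "alice",
    "bob\nINFO login ok user=admin",   # newline forges a second, fake log line
    "carol\x1b[2Jcleared",            # ANSI escape aimed at whoever tails the log
    "dave" * 30,                       # oversized value
]


def contains_control_chars(value: str) -> bool:
    """True when the raw value holds any control character."""
    return _CONTROL_RE.search(value) is not None


def sanitize_field(value: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Return a form of a user-controlled string that is safe to put in a log line.

    Control characters are replaced with a visible \\xNN escape rather than
    removed, so the evidence of an injection attempt survives in the log.
    """
    value = _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    if len(value) > max_len:
        value = value[:max_len] + "...(truncated)"
    return value


def log_event(event: str, **fields: str) -> str:
    """Build one structured log line; every user field goes through sanitize_field."""
    record = {"event": event}
    for key, raw in fields.items():
        record[key] = sanitize_field(raw)
    # ensure_ascii=True also escapes anything non-ASCII, so the line is plain text.
    return json.dumps(record, ensure_ascii=True)


def scan_usernames(names):
    """Return the usernames whose raw value contains control characters, for review."""
    return [n for n in names if contains_control_chars(n)]


if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        print(log_event("username_changed", new_username=name))
    print("needs review:", scan_usernames(SAMPLE_USERNAMES))
```

The review list is the detection half: a burst of username changes that all trip `contains_control_chars` is exactly the "a few hundred other users" signal in the scenario.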
A growing number of your engineers are streaming themselves on Twitch while coding.
One of them just revealed a production secret while alt-tabbing.
The chat is now being spammed with a production IaaS secret from your repository.
A security company has externally discovered and reported your red team exercise. It is described as a sophisticated attack to a cable news station and law enforcement.
The networking gear involved in an outage is access controlled by locks that are dependent on the network gear that is involved in the outage that is access controlled by locks that are dependent on network gear that is involved in the outage that is access controlled by the...
All previously banned accounts, domains, IoCs, networks, emails, hosts, or device identifiers are now allowed on your platform due to a recent policy change made by leadership.
An executive in your organization has tweeted a high visibility statement with grammatical errors.
They’ve unintentionally rendered a hyperlink with an obscure TLD.
A has registered the domain and is hosting malware.
The administrator account to your organization's cloud email is no longer accessible.
The recovery email belongs to a former employee on a custom domain running on a personal email server.
Your CEO is asking leadership for attorney-privileged material related to the CEO's litigation against the company when they were not CEO.
Happy Halloween 🎃
new one for @badthingsdaily: one of the top three cloud providers has a misconfiguration and deletes your entire account by accident and can't recover it.
The Twitter accounts for all of the largest companies and personalities in your industry have all simultaneously pumped up a credential stealing phishing link.
Legacy infrastructure from a long-forgotten acquisition has been exploited.
There are no employees from the acquisition still with the company.
"It responds to ping, it works completely, you just can't figure out where in the company it is."
HT @xarph
An employee has just found that "music’s infinite variability" appears in a currently onboarded vendor's security documentation where data security is described.
A company responsible for a critical part of your build pipeline has informed you of a breach before the weekend.
They are recommending a credential rotation and review of logs for malicious access.
A coordinated intrusion has succeeded against many of the internet's most widely used standard timeservers.
Systems worldwide have begun synchronizing to a malicious broadcast of: "2020-01-01"
Happy new year.
A developer has just typo'd an upstream package installation to their laptop.
There was a malicious package waiting for that typo.
The post-installation code is exfiltrating environment variables and full directories with .git folders from that shell.
An engineer has left an internet facing web app in debug mode following a maintenance window.
Errors now display environment variables, including any secrets stored in them.
An employee activist within your organization has taken advantage of the crisis SMS notification service purchased by your physical security team.
They have sent a text to all employees with political content.
HR must field complaints from ~4% of total employees as a result.
An AWS phishing email resembling a CloudWatch alarm has just been sent to one of your engineers with privileged IAM credentials.
They've entered credentials.
If allowed, the attacker immediately hits CreateAccessKey and will come back in a week to use the keys.
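One detection step for the phishing scenario above, as an added example that is not part of the @badthingsdaily feed: the access key created right after a console login from an unfamiliar address is the artifact the attacker plans to come back for, so it is worth alerting on that pairing in CloudTrail before the week is up. The code below walks simplified, constructed CloudTrail-style records (the field names `eventName`, `eventTime`, `sourceIPAddress`, `userIdentity.userName`, `responseElements.ConsoleLogin` and `requestParameters.userName` follow CloudTrail; the IPs, usernames, one-hour window and known-egress set are constructed placeholders) and flags every `CreateAccessKey` that either comes from an unrecognized IP or follows a recent successful `ConsoleLogin` from one.

```python
from datetime import datetime, timedelta

# Egress addresses you expect console logins from (constructed placeholder).
KNOWN_EGRESS_IPS = {"203.0.113.10"}

# Constructed, simplified CloudTrail-style records; not real log data.
SAMPLE_EVENTS = [
    {"eventTime": "2020-01-01T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-01-01T09:05:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice"}},
    {"eventTime": "2020-01-01T13:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-01-01T13:02:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"userName": "dev-bob"}},
    {"eventTime": "2020-01-01T15:00:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-carol"},
     "requestParameters": {"userName": "dev-carol"}},
]


def _ts(value: str) -> datetime:
    """Parse CloudTrail's ISO-8601 Zulu timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_key_creation(events, window=timedelta(hours=1),
                                 known_ips=KNOWN_EGRESS_IPS):
    """Return CreateAccessKey events that look like phished-credential follow-up.

    A finding lists every reason that fired, so the analyst sees both the
    source of the API call and the console login that preceded it.
    """
    logins = {}    # userName -> [(time, ip)] for successful console logins
    findings = []
    # ISO-8601 Zulu strings sort chronologically as plain strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user = ev.get("userIdentity", {}).get("userName")
        when = _ts(ev["eventTime"])
        ip = ev.get("sourceIPAddress")
        if (ev["eventName"] == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            logins.setdefault(user, []).append((when, ip))
        elif ev["eventName"] == "CreateAccessKey":
            reasons = []
            if ip not in known_ips:
                reasons.append(f"CreateAccessKey from unrecognized IP {ip}")
            recent = [(t, lip) for t, lip in logins.get(user, []) if when - t <= window]
            if recent:
                last_time, last_ip = max(recent)
                if last_ip not in known_ips:
                    reasons.append(
                        f"preceded by console login from unrecognized IP {last_ip} "
                        f"at {last_time.isoformat()}Z")
            if reasons:
                findings.append({
                    "user": user,
                    "target_user": ev.get("requestParameters", {}).get("userName"),
                    "time": ev["eventTime"],
                    "ip": ip,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_key_creation(SAMPLE_EVENTS):
        print(finding)
```

The response half is implied by the finding itself: the new key's ID can be pulled from the same `CreateAccessKey` event's `responseElements` and deactivated while the user's console session is reviewed, which closes the door before the attacker's return visit.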
A new marketing employee purchased an email list from a spammer.
Your next email campaign contains address honeypots.
Massive blacklisting occurs and delivery rates plummet for all email that shares an MX with marketing.
A falsely notarized identity verification form has been faxed to your IaaS platform, requesting that account ownership be transferred to another email address.
@usmannk @patio11 @badthingsdaily On AWS, there is a process involving faxing a notarized document for gaining control of an account lost in this way... and it also functions as nightmare fuel for the possibility of account takeover.
Your infrastructure is now unreachable to international customers. Foreign ISPs block entire AWS CIDRs in a censorship campaign that you also operate within.
via @AdamTReineke
Law enforcement has reached out to notify you of a breach. They include specific information about your database table structure.
However, no incident has been declared yet. 🤔