Gerald Benischke
LightNews LightNews
banner
beny23.github.io
Gerald Benischke
@beny23.github.io
2.9K followers 890 following 1K posts
Maker, breaker and fixer of software. Adventures in #appsec and #agile: beny23.github.io he/him
Posts Replies Media Videos
beny23.github.io
I updated the relevant @xkcd.com
Very crude photoshopping of https://xkcd.com/538/ Left panel: Stick figure shows a laptop to another. Text: A crypto nerd’s imagination. “His laptop’s encrypted. Let’s build a million dollar cluster to crack it.” - “no good! It’s 4096-bit RSA!” - “blast! Our evil plan is foiled! Right panel: Stick figure shows a wrench to another. Text: what would actually happen. “Is it Louvre” - “got it”
November 6, 2025 at 8:54 AM
beny23.github.io
Meme - school girls head in tuba. “Every company” - girl holding the tuba “AI” - the tuba “Me” - girl with head in tuba
October 31, 2025 at 12:43 AM
beny23.github.io
Brb, just broom scrolling
Picture of wooden broom
October 28, 2025 at 8:29 AM
beny23.github.io
Little Bobby Tables would proud. imgs.xkcd.com/comics/explo...
Little Bobby tables xkcd cartoon.
October 15, 2025 at 9:43 AM
beny23.github.io
Just like all the crypto mining infrastructure was reused. Wait what? ;-)
Image of burnt out bitcoin mining farm
October 11, 2025 at 11:01 AM
beny23.github.io
It might work for us meme with text: DOT COM WAS A BUBBLE SUBPRIME WAS A BUBBLE BUT AI DEFINITELY ISN'T
October 11, 2025 at 9:29 AM
beny23.github.io
@safesecs.bsky.social closing #bsidesncl - thank you to everyone, it was fab!!!
Sam closing BSides Newcastle
September 27, 2025 at 5:01 PM
beny23.github.io
It wouldn’t be a @rnbwkat.bsky.social talk without honeypots!

Great whirlwind tour of “just do the fucking basics already”!!!

Loved it.

9/fin
DETECTION & RESPONSE • Enable immutable logging (CloudTrail, Azure Activity, GCP Audit Logs) • Ship logs to SIEM and set alerts for unusual API calls, role usage, and new instance creation • maagsoft.com/how-to-use-wazuh-to-monitor-and-secure-your- cloud-infrastructure/ • Use CSPM for continuous posture checks and laC scanning in CV/CD pipelines Honeypots!!! • Common Sense - FTW! • Stop overthinking • The Basics < Ding ding ding! • Stop the Fancy • Audit! KEY TAKEAWA Three things to do tomorrow: 1. Run a secrets scan on public repos and rotate any exposed keys 2. Audit IAM for wildcard permissions; enforce least privilege and role separation 3. Enable logging (CloudTrail/ Activity Logs) and add basic alerts for creds/role usage
September 27, 2025 at 4:56 PM
beny23.github.io
It’s funny how a simple hardcoded credential can lead to complete takeover: 8/n
CASE STUDY: STARTUP AI (TECHNICAL PATH & LESSONS) Attack path & escalation timeline: • Hardcoded creds in repo → cloud access • Attacker stood up EC2 and performed DNS cache poisoning to MITM front-end - prompts intercepted/modified • Food Kidininetes training cluster; escalated to admin on a pod and injected dat intro • Consequences: model integrity failure, data extiltration, unnoticed attacker presence Recommendations: • Scan repos for secrets (trufflehog, git-secrets), remove hardcoded creds, rotate keys Managived credentials (OIDC/STS) and centrized secret sioes Vault, Secrets • Harden internal detection: host agents, VPC flow logs, monitor metadata server access • Secure k8s with RBAC, network policies, and restrict admin pods
September 27, 2025 at 4:56 PM
beny23.github.io
Shodan for storage buckets: grayhatwarfare.com

And prowler.com to find misconfigured objects. 7/n
Screenshot of grau hat war fare Screenshot of prowler TOOLS & PLAYBOOKS • Discovery & OSINT: cloud _enum, CloudRecon, initstring/cloud_enum • Audit & CSPM: Prowler, ScoutSuite, CloudMapper, Prisma/Wiz/Orca • Secrets & laC scanning: trufflehog, tisec, Checkov, git-secrets • Red team & labs: Pacu, CloudGoat, CloudPentestCheatsheets
September 27, 2025 at 4:56 PM
beny23.github.io
Some tools to help: 6/n
IAM APE • IAM AWS Policy Evaluator • github.com/orcasecurity/orca-toolbox CloudRecon • CloudRecon is a suite of tools for red teamers and bug hunters to find ephemeral and development assets in their campaigns and hunts • github.com/g0ldencybersec/CloudRecon https://maagsoft.com/how-to-use-wazuh-to-monitor-and-secure-your-cloud-infrastructure/
September 27, 2025 at 4:56 PM
beny23.github.io
It’s the usual suspects: 5/n
GENERAL ATTACK VECTORS • Unrestricted Ingress/Egress ports MISCONFIGURATIONS • Secrets Mgmt (what else?!) • Missing Logging/Monitoring • https://www.cloudquery.io/(osquery on steroids) • Extracts cloud assets into normalized PostgresQL tables • Insecure Backups • Buckets/Storage Access • Lack of TLS/SSL GENERAL ATTACK EXAMPL laas • Weak creds • Anything belonging to tenant = attack surface • Application bugs = RCE (reading files?) • Misconfigured "fw" • Metadata API
September 27, 2025 at 4:56 PM
beny23.github.io
It takes minutes for a leaked key to be exploited. Usually it’s crypto miners. But sometimes crypto is used as a decoy. 4/n
CLOUD INCID • Misconfigurations #1 • Training non-existent • Misplaced (forgotten?) keys/tokens • Once upon a time • Lack of training cloud secrets usage and application
September 27, 2025 at 4:56 PM
beny23.github.io
It’s used to be much work pentesting. Now it’s just about finding misconfigrations. Or people accidentally uploading creds. 3/n
OW ASP A05 SECURITY MISCONFIGUR "Nearly all successful attacks on cloud services are a result of customer misconfiguration, mismanagement and mistakes." -Neil MacDonald, G Pentesting BTC (before the cloud) • Identify target • Find vulns • Exploit • After • Find Misconfigurations (= vulns) • Line up targets
September 27, 2025 at 4:56 PM
beny23.github.io
With 1400 different privileges, is it any wonder that it’s so easy to misconfigure. 2/n
Customers aws in Web Sanitos Ina Customer content Platform, Applications, Identity & Access Management Operating System, Network, and Firewall Configuration Client-Side Data Encryption Server-Side Data Encryption Network Traffic Protection AWS Foundation Services Compute Storage Database Networking Customers are responsible for their security in the cloud AWS is responsible for the security of the cloud AWS Global Infrastructure Availability Zones Regions Edge Locations AN INCIDENT • Most incidents are NOT O-day • Most incidents are NOT "fancy" • Most incidents don't come from "vulnerability scanners" 1. Most breaches come from "Config Issues" 2. A close 2nd - compromised credentials 3. Trailing in 3rd - Over-Priv Users incidents are NOT O-dav NEWS AN INCIDENT incidents are N incident , Leaked It Agai 17 NOV 2022 Hundreds of Amazon RDS Users' Data NEWS Snapshots Discovered Leaking sed Amazon RD. unfials users Exposed AWS buckets again implicated in multiple data leaks
September 27, 2025 at 4:56 PM
beny23.github.io
@rnbwkat.bsky.social doing the lock note at #bsidesncl about cloud misconfiguration.

So most of the incidents then.

1/n
Kat starting her lock note.
September 27, 2025 at 4:56 PM
beny23.github.io
Top tip: “different phones for fun and profit”. And adopt an elderly person.

That was fun!

But how do I launder money, we’ve not learned that yet ;-)

8/fin
Call to action: adopt an elderly person { or CFO or sparky • Societies low hanging scam fruit • Don't quite believe its needed • Internal trust model built in a different era • No preventative or corrective action that relies on memory • Paranoia often a leading indicator of a UTI • Signs on the back of the front door • No cold caller stickers and a video door bell • Add a anti-laundering layer (savings account behind the current acc • They have to be onboard with any changes • Elderly often don't see the need for change o copranChallenge to their independence 16 Getting informed consent: The largest rock to push up a hil • Loss of any control over financial matters is seen as "loosing freedom" • Goal is to extend length of independence • Offspring often are not up for the battle • Sometimes listen to police officers or doctors • Be willing to shrug shoulders for now • A recorded video doorbell • Tie face to their money • Current and Saving account or different banks • 2FA • Cash withdrawal limits • Co-approvals over ?000s • 2 day payment delay over 200? • Banks are really helpful 17 O Copyright 2023 Kepner-Tregoe, Inc. All Rights Reserve
September 27, 2025 at 2:26 PM
beny23.github.io
Incident maps illustrate dangers and possible mitigations. 7/n
Ruth Roofing Scam Incident Map Random comment to daughter- Damage to root Poster on naide of doc Did not ask for trusted heip 1960% trust model + No barriers to payment Ruth agreed to unneeded work Savings nooound Poster on nside of door Let them in the door Postor on nside of door Opportunity for company + Targeted by rogue roofers no cold caller deterants Door stickors video dey boll Contributing circumstance +/- mary ovo rob Breached barrier Unh Bar Random at petrol station meeting with CEO 98k CFO almost scam Incident Map Near misa Traudulant tranator of 08k 4760 pounds Just under 100k limit + CO jet lagged CFO submitted transfer request andatory dela fol now paybest Skipped CEO signor LowEr foriew levo 3 phones 20.- Had been in aquasition talks Phone, text and emal from CEO requesting transfer to enguage advisors Phone, text and emal from CEO requesting transfer to enguage advisors exec calenders available Did not speak to CEO In person MFA port freeze" Jo not chani account ormation" ti Support pin quire in-peraon for SIM swap Key Possible simm swap Life on one phone 3 phones Contributing circumstanco +/- Breached barrier CEO phone hacked Primary ovent Known problem Unknown probler Barrior How was phone hacked? Tumbled 3 times in « 10 minutes + Porsche fund drained Incident Map money > /dev/null Probably automated attack 52k goes missing from bitcoin wallet Address outside UK Blockchain architecture no + concept of owner Private key scraped All bitconin in 1 wallet phone a cesspit of curious process names + phone hacked No concept of OPSEC 219.. "friends" from internet + Key Horent es for fun 1 profit How phone was hacked? Contributing circumstance +/- Hormones out of control ‹Breached barrier Primary ovent Known problem Unknown problem Barrior
September 27, 2025 at 2:26 PM
beny23.github.io
Then we look at incidents that can lead to dirty money. 6/n
Common thread: Follow the money «AIEF FINANCIAL OFFICE». ???? Ruth Cash, account transfer Copyrignt 2UZ3 Kepner-Iregoe, Inc. All Kignts Keserved. Charles Company treasury Andrew Bitcoin wallet 12 Kepner-Tregoe
September 27, 2025 at 2:26 PM
beny23.github.io
And of course it’s not really anonymous because the blockchain is public after all. Despite all kinds of crypto tech that enables laundering. 5/n
Obfuscating transactions on the block chain • Mixers / Tumblers • Privacy Coins • Chain Hopping • Moving assets across multiple blockchains • Layering • Sending funds through yield farms, liquidity pools. • trade via peer-to-peer networks or unlicensed brokers • Use a casino which accepts crypto • Use a juristdiction you can't follow into • China • Copwieh 22 SWitzerland chis Reserved. Following the money into the blockchain • Firms who make a good living out of doing this • Chainalysis, Elliptic, TRM Labs. • 10% is the going rate • Bybit Exchange Hack (2025) ~$1.46-1.5 billion (in Ethereum) • Compromised a cold wallet via the signing interface. • The Lazarus Group is suspected (Read Geoff White's book : excellent ) • They probably won't chase the 20k stolen from the bitcoin wallet on your phone Most "hidden" transactions can eventually be linked if investigators follow patterns, metadata, and exchange off-ramps.
September 27, 2025 at 2:26 PM
beny23.github.io
There’s a fundamental weakness in crypto. It doesn’t care who should own it. Only knowing the private key matters.

Make a mistake: all your money gone.
Lose your key: all your money gone.

Great - future of finance right there.

4/n
Bitcoin Wallets : Follow the private key What is a Bitcoin Wallet? Software or hardware that stores private keys (not coins themselves) Lets you sign transactions to spend BTC Types of Wallets Hot Wallets $ (online, e.g. mobile apps, exchanges) Cold Wallets (offline, hardware devices, paper) Do Wallets Have a Unique ID? B No unique wallet ID - only addresses + keys • Whoever has the private key can sign transactions and move the Bitcoin. • The blockchain doesn't care who "should" own it — only who can prove control by knowing the private key. Kepner-Tregoe ) Copyright 2023 Kepner-Tregoe, Inc. All Rights Reserved.
September 27, 2025 at 2:26 PM
beny23.github.io
Can’t talk about money laundering without the blockchain. Crypto is an enabler. How is this not illegal. 💯

3/n
• Cryptocurrency has 3 purposes • Stop others knowing what you are buying • Stopping other knowing what you have sold • Making a margin on the 1st 2 activities • Like a online Swiss bank account with much lower charges • But there is still a trail that can be followed Kepner-Tre O Copyright 2023 Kepner-Tregoe, Inc. All Rights Reserved.
September 27, 2025 at 2:26 PM
beny23.github.io
Laundering money is about hiding money you shouldn’t have from the tax man.

Hiding many that is yours is fine, bike to work, pensions are tax avoidance. Every does that.

Tax evasion is not. But at least it was your money. 2/n
Why think about the money ? • Let's play spot the .... • A.l. is an asymmetric multiplier for Cybercrime. ( 10:1 ??? ) • Finding exploits • Exploiting people • Fix the Situation • Rather than Response • Stopping/slowing the flow of money is part o strategy 3 D Copyright 2023 Kepner-Tregoe, Inc. All Rights Reserved. all cyber Kel
September 27, 2025 at 2:26 PM
beny23.github.io
Chris King talks about money laundering at #bsidesncl. It’s a full house. Seems like a lot of dodgy people. 1/n
1872 PRIFYSGOLI ABERYSTWYTH UNIVERSITY Dr Clive King BSides Newcastle Sentember 2025 +KT Kepner-Tregoe So you want to launder money ? Chollengel Opportunties Present and past in mid Wales OPERATION JOLIE A ROGK MUSICAL THE TRUE STORY OF WALES BIGGEST EVER DRUGS HUST ocaine washed up on beach near berystwyth worth £42m Early 1970's 2022 tone on Tany twich hench, near nherystwyti • of drug» that washed up on a beach are worsh abous 642m, police • number of black bage sied to plastie sube ware found by passers-by
September 27, 2025 at 2:26 PM
beny23.github.io
Example: take control of robotic arms because their jobs were uploaded to the controllers by FTP…

So not that different to legacy IT ;-)

6/fin
Case enrdy Global manufacturing plant Visited 2 factories in Johannesburg, South Alrica * Ran through multiple scenarios beginning with an attacker with no credentials or client laptop → malicious insider. • Successfully managed to breach a user account from a zero- Information starting point. • Successfully managed to pivot through a network device and gain unauthorised access and control of factory robots. Location: Johannesburg, South Africa Duration: 2 weeks engagement: Operational technology (OT) penetration testing 23
September 27, 2025 at 1:44 PM