I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Casually compromising API keys from Azure customers:
- Step 1: Create an Azure automation account
- Step 2: curl localhost on ports 40000+
You now have an API token in the Azure tenant of another customer, with the same permissions as the automation 🙈 orca.security/resources/blog…
I found a vulnerability in #Azure allowing me to access Azure accounts of companies worth billions. We all know vulnerabilities exist. This isn't an injection, XSS, or RCE. But the crazy thing about it? It took 2 hours to discover. 🤯 Here's the story of #AutoWarp 👇 (1/10)
And steak. So much steak. nom nom nom
Training registration is still open! Don't miss amazing courses like Linux Forensics with @hal_pomeranz! Instead of virtual classes filled with distractions put your training budget toward an intimate in-person experience with an expert instructor‼️ kernelcon.org/training#linux… 🐧
This so much!
I really miss the "after talk" chats that you have at IRL conferences. Sort of weird to talk and then just walk away and that's it!
Thanks @TireKingdom for saving our weekend with a quick patch on the family minivan tire that had taken a nail. Been a customer for years, recommend them highly!
Hal Pomeranz retweeted
NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll A simple method to bypass ntdll.dll user-mode hooks! x86matthew.com/view_post?id=…
Hal Pomeranz retweeted
Replying to @anton_chuvakin
if i may propose an ascending scale… 1. outage 2. anomaly 3. incident 4. compromise 5. breach 6. owned 7. pwnd 8. lolpwnd 9. pWnZ0r3D 10. congressional hearing
Hal Pomeranz retweeted
#Malware analysis tip of the week: Malware can hide from a debugger by calling NtSetInformationThread and setting the ThreadHideFromDebugger flag. If this flag is set, the running code thread will no longer send debug events to the debugger, essentially hiding code execution. 🧐
Replying to @h0meschooled
Yes, but those people get cycled out pretty quickly. At least I hope so.
This isn't easy news to share, but my family could use your thoughts and prayers if you have them to spare.
Think about this for a minute, how bad did we have to be in Infosec that we got labeled as the "Department of No" over the legal team??
Replying to @iotucker
Soft skills (managing your customer, dealing with local political issues) are definitely part of it. There are also logistical issues around dealing with large amounts of (sometimes remote) evidence that can be fun to solve.
I am intrigued and wish to subscribe to your newsletter
Supply and demand maybe. What kind of rates are typical for emergency IR where you are?
Why do you love #DFIR? For me it's: 1) Love problem solving-- DFIR is a constant stream of puzzles (technical and non-technical) 2) Researching how things work-- DFIR is an open field (so much we don't know) 3) Helping others and fighting the good fight
Been there... I think you really have to love this work to stay in it.
Did I mention that my business is providing "surge staffing" to overloaded DFIR teams?
Not only exhausting and stressful, but also requires a substantial body of knowledge, acquired through both training and experience, in order to be successful. There are few of us because the barriers to entry are high.
Senior incident leaders are rare; you can look on Twitter or LinkedIn and find a handful of us. Partly because the work is exhausting and stressful. But it hella pays the bills.
Replying to @AnneCaminer
I don’t know where that data is coming from but those salaries seem very low based on my experience.
Replying to @DeadPrezidents
I agree. Which is why I quoted them my usual rates and refused the gig.
Evergreen content in so many domains
Replying to @hal_pomeranz
Pay 🍌, you get 🐒…
Replying to @pchobbit
Yeah, the market is just weird right now. Sadly I'm afraid that some of the low-bid DFIR work is going to result in a bigger bill later related to failure to adequately address the intrusion.