Taggart Tech

Count me among those who are alarmed about the implications of "AI," such as it is. But I am not among those who worry about machines taking over. I see no signs of intelligence—either from the large language models being hyped right now, or from those doing the hyping. My concern around this technology is more mundane than apocalypse, but more profound than simple economic impact.

I'm terrified we're about to lose the war for truth.

In June 2022 when we launched The Taggart Institute, we knew that the mission was a daunting one: produce high-quality tech and cybersecurity instruction that people around the world could afford. Our formula was simple: make the basic courses free, and charge a reasonable price for advanced content. We hoped the quality of the free courses would motivate purchases of advanced material for those who could afford it.

It's Friday afternoon. It always happens on Friday afternoon. You're ready to be done for the week, having closed out a pesky ticket that took far too long. Just as you're about to lock the screen and punch out for the day, you watch the email arrive—almost in slow motion—with that dreadful tagline:

URGENT: Account Compromised

Goodbye to your Friday evening. You don't get to sit down and watch the game. You don't get to enjoy a nice dinner with the fam. Because you, through a series of questionable life choices, have made your way to the role of Lead Incident Responder. The clock is ticking, and all eyes are on you.

And you know you have at least 2 adversaries: the criminal trying to cause your organization harm, and your own flawed, bias-prone brain.

This is the story of how I used Microsoft Teams's own design against itself.

We all kinda know that Electron apps are dangerous—at least to our RAM, am I right??

But seriously, these cross-platform apps, because of how they get installed, present a tasty spot for attackers to take up residence and even inject malicious code into trusted applications, with the poor user being none the wiser.

Here's how it works.

POV: You're performing a pentest/red team engagement against a fairly hardened environment. You have, through creativity and perseverance, landed an implant on a workstation. Your session has low privileges, but the user may have local admin or associated higher-priv accounts. You're trying to remain stealthy, and normal lateral movement techniques might get detected. You need creds, but how to get them when everyone's watching you?

Answer: use SSO against itself by listening in on the browser.