GDID is the persistent Windows ID that helped FBI trace a Scattered Spider hacker despite VPNs. Here’s how it works and how to limit it.
GDID is the persistent Windows ID that helped FBI trace a Scattered Spider hacker despite VPNs. Here’s how it works and how to limit it.
I was asking the same question, quoting that exact excerpt in a different thread… and getting pretty hairbrained responses.
After a little bit of digging, I can see ngrok has a sign in option where you can sign in with a GITHUB account.
I suspect that’s how Microsoft has a record of someone interacting with that specific website.
Still am unclear how the browser has access to this id, which sounds like it’s a registry setting. If browsers are able and willing to just fork over arbitrary registry values when asked, that’s a major issue.
And if it’s not arbitrary… just THAT value, it seems to suggest complicity on the browsers themselves.
Can I see this id egressing my system if I’m snooping with wireshark? I really really want to understand how and when this value is going over the wire.
if the hacker signed in with his github… I would assume it’s something hidden behind “telemetry” or such - but either way it’s horrible. And the article is bad for just mentioning this without going into detail.