Tilde Enumeration

The Vulnerability

A while ago I found a bunch of web servers that had the Microsoft IIS Tilde Enumeration vulnerability on them. You can read more about the vuln at http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf or http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/. Essentially, you can brute force file names that are on IIS web servers and possibly retrieve them using the ye olde style Windows 8.3 naming... Continue Reading →

Top 5 CTF Tips from a CTF Virgin

My Virgin CTF

At DerbyCon (derbycon.com) 2014, I participated in my first conference CTF (Capture the Flag) event. For those that haven't yet done one, you take your laptop configured with your attack tools and join a network of hundreds of other conference-goers. All of you are tasked with exploiting information security weaknesses in the... Continue Reading →

"Cracking" Hashes with recon-ng and bozocrack

The other day I came across a database dump that had user login names and hashed passwords. I had over 1,000 of them and they were SHA256 hashes. I remembered that there was some tool that could perform Google look-ups for hashes and asked the Twitter-verse for help. Wouldn't you know that the first person... Continue Reading →

Setting up an OpenVPN server in Amazon’s EC2

Amazon Instance Config

- Create account in Amazon.com if you don't have one already
- Go to Amazon http://aws.amazon.com/console/ and log in
- Create a new instance
- Choose the Ubuntu 64bit system (free tier 2 is fine)
- Don't need to change any of the defaults for storage and such.
- Launch the instance (create or use a predefined key; set the security group (firewall))
- Ensure that... Continue Reading →

Hearing the feedback?

Those of you that read my blog and maybe know me in person/on Twitter know that I love teaching. I think it mostly stems from not getting enough attention as a kid. 😉 [Just kidding Ma.] This past year I had the honor of presenting to both of my kids' schools about my work and... Continue Reading →

Hello. This is Bob from Microsoft

So last night "Bob from Microsoft" called me because my computer was infected and "he was there to help me". Yeah right.

Background

Because the Internet is such a wonderful, sharing place, I'd been alerted to these types of cold-call, social engineering attacks a while ago. One of my neighbors had received one of these... Continue Reading →
