2023
December
- Embracing the Cyber Age- The Art of Adaptability in Security Engineering
  In the dynamic and ever-evolving realm of digital technology, the need for adaptability in combating cyber threats has never been more pronounced.
November
- Securing the Digital Frontier- The Essential Role of Education in Tech Literacy and Security Awareness
  In the rapidly evolving digital landscape, where technology deeply permeates every facet of our lives, the importance of tech literacy and security awareness cannot be overstressed.
- The Tightrope Walk- Balancing Security Engineering and Privacy in the Tech World
  In the rapidly evolving world of technology, a critical and often controversial issue stands at the forefront: the balance between robust security measures and the protection of individual privacy rights.
- Embracing Decentralization- The Future of Democratic Oversight and Security Engineering
  In an era where digital technology is not just a tool but a societal cornerstone, the concepts of democratic oversight in technology and decentralized security models in security engineering are more relevant than ever.
- Annabel's Cypherpunk Manifesto
  It was many and many a year ago, In a realm of digital glow, That the Cypherpunks came to know, A love for privacy, like a river's flow.
March
- 2023 update to 2021 White House Cybersecurity Executive Order
  I realized I needed to update the 2021 White House Executive Order …Improving the Nation's Cybersecurity fundamentals outline. In order to scale with limited resources to achieve the basics, below are the fundamental hygienic basics one must achieve.
February
- Striking the Right Balance- Innovation and Regulation in Security Engineering
  In the fast-paced world of technological advancement, balancing innovation with regulation is a crucial challenge, especially in the field of security engineering.
2020
December
- Intel Sharing Metrics
  I pulled some metrics from my threat intelligence sharing service to generate cute charts and graphs. If you want to keep up to date, keep an eye on
February
- Failure to meet operational excellence
  One would think to rotate their certificates months prior to expiration. Or even the bare minimum
2019
November
September
- Kubernetes CI / CD And Monitoring Pipelines
  When one takes a step back and looks at a typical agile build, test, and release pipeline with a security bent, one observes the following steps and how they feed into each other like a dragon eating its tail.
July
- Kubernetes Pods (PodSec policies)
  Pod hardening is configured and enforced with Pod Security Policies (PodSec). The pod security context is where one restricts privileges, volume mounts, network privileges, cgroups / SELinux / AppArmor / kernel capabilities, access control, read-only file system, etc. Left unrestricted, it is where much of the workload insecurity comes from.
- Kubernetes Containers
  When we get into the specifics for containers, the challenge is that the detailed advice differs greatly between the different container technologies. As a result, I will STRONGLY recommend one doesn't run Docker as it was never designed to be secure, requires Swarm to manage some aspects of its lacking security, and requires a near-infinite amount of hand holding
- Kubernetes Networks - CNI
  Within Kubernetes, networks are an interesting beast. They become extremely muddled
- Kubernetes Master Node & Nodes
  One will wish to replicate their Master node to minimize downtime events. These nodes will host the control plane building blocks
- Kubernetes Scheduler
  Overview
- Kubernetes Information Security Practices
  We sponsored a Kubernetes security review because of its popular adoption, glaring insecurities, default insecure states, the fact that it wasn't designed to be secure, and because everyone wanted to use it and make it available to the Internet
- What is a modern, dynamic service and its' building blocks?
  As I work through the ecosystem, there is no evident, leading best practice.
- Nginx exploit writing weekend
  This weekend will be ripe with opportunities for
- Kubernetes Basics
  Let's take a look at the simplest part of the previously documented multi-tenancy architecture
June
- What does it take to break into a Cloud Service?
  Sometimes, all it takes is cp and rsync. See the image below for an example.
March
- When your SIEM models are not enough
  Just when I thought every bit of value was squeezed from the systems, it is continuing to pull out indicators and APT actors like candy at a weight loss camp.
January
- OSX First Responder - Threat Artifact Gathering
  How you go about hunting down malware on a macOS endpoint depends a great deal on what access you have to the device and
2018
November
- Memory Safety Code Review
  Some of our keen readers may have noticed that if the size of userPass is less than 9, then overflow will still occur.
September
- Solving 90% of application security defects with a proven technique
  Even when validation is used, a common mistake is to use block lists. For example, an application will reject symbols that are known to cause trouble. The weakness of this countermeasure is that some symbols may be overlooked.
- Data Controls Code Review
  The number of user records exposed in the United States has been in the billions in 2016 and 2017. 2018 will likely be the same, once the final tally is calculated.
- Binding Parameters
  Notice that the single quote in the name O'Brien is causing a syntax error. The SQL command processor considers the string ends
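The two September 2018 entries above, on allow-list validation (Solving 90% of application security defects) and on parameter binding (Binding Parameters), describe the same defect from two sides. The following is an added example, not code from any of the linked posts: it uses Python's built-in sqlite3 against a constructed in-memory users table (hypothetical rows) to show the concatenated query failing on O'Brien and being subverted by a crafted value, the bound-parameter query handling both, and why a block list of "bad" characters rejects a legitimate name while an allow list describes what a name may contain. The table, the rows and the regular expressions are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample table and rows (hypothetical, not from the original post).
_SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)"
_ROWS = [(1, "O'Brien", "admin"), (2, "alice", "user"), (3, "bob", "user")]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _ROWS)
    return conn


# Block list: refuses a few characters known to cause trouble. It rejects the
# legitimate name O'Brien and still says nothing about tokens it never listed.
_BLOCKED = re.compile(r"[;'\"]")


def blocklist_rejects(value: str) -> bool:
    return bool(_BLOCKED.search(value))


# Allow list: states exactly what a name may contain; everything else is refused.
# (Pattern is an assumption for this example; tune it to the real data.)
_NAME_OK = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,63}$")


def allowlist_accepts(value: str) -> bool:
    return bool(_NAME_OK.fullmatch(value))


def lookup_concat(name: str):
    """Vulnerable: the value is spliced into the SQL text. O'Brien produces a
    syntax error, and a crafted value changes the meaning of the query."""
    conn = _connect()
    try:
        sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def concat_query_breaks(name: str) -> bool:
    """True when the concatenated query is rejected by the SQL parser."""
    try:
        lookup_concat(name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_bound(name: str):
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    conn = _connect()
    try:
        return conn.execute(
            "SELECT id, name, role FROM users WHERE name = ?", (name,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print("concat breaks on O'Brien:", concat_query_breaks("O'Brien"))
    print("concat rows for crafted value:", len(lookup_concat("x' OR '1'='1")))
    print("bound rows for O'Brien:", lookup_bound("O'Brien"))
    print("bound rows for crafted value:", lookup_bound("x' OR '1'='1"))
    print("block list rejects O'Brien:", blocklist_rejects("O'Brien"))
    print("allow list accepts O'Brien:", allowlist_accepts("O'Brien"))
```

Validation alone does not rescue the concatenated query: O'Brien passes the allow list and still breaks it. Validation narrows what the application accepts; binding keeps the value out of the SQL text. Use both.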
- Overly Simplistic Crypto Code review
  Confidentiality is one of Information Security
July
- For those who wonder what a Digital authentication cyber arms race looks like
  It is heavy on the technical content but is entertaining if you spend the time understanding the language.
April
- First 100 Days
  A friend took up a new InfoSec executive career path but didn't know how to start. She reached out to me and asked for my thoughts. I thought about it
January
- The pending crypto singularity
  Recently penned by Peter, it is worth a read. Especially for those who are concerned about putting all of their eggs in one basket. On the Impending Crypto Monoculture
2017
October
- Creating a Loki Splunk application
  One tool that has caught my interest is the [Loki APT scanner
September
- Serious XSS affecting Wikipedia
  XSS vulnerability in thumb.php in Wikipedia Mediawiki
- Defense Against the Dark Arts
  Thankfully, Naurus has produced a useful infographic to understand the variety of malicious entities. While it is not all inclusive, it suffices to help one quickly prototype simple threat models.
April
- Walking the Dark Deep Web
  During Black Hat, BsidesLV, and Defcon, I ended up having a chat with Justin Seitz about his nifty OSINT automation. I decided to take his data sets and enrich
2016
August
- DARPA Cyber Grand Challenge era coming to a close
  This Thursday, seven research institutions will compete against each other. Unlike other typical hacker challenges, their automations will compete on their behalf. The winning team will take home
March
- Multiple vulnerabilities in SecurityOnion
  Let this be a reminder of the joys in programming PHP
- Relatively Free
  From my text library, this is a list of software
February
- Ransomware hitting linux hosting providers
  It will be interesting to watch the infection spread on Google Trends
2015
November
- DARPA Cyber Grand Challenge dropbox
  I have been taking lessons learned from DARPA's Cyber Grand Challenge and applying them to our automation
August
- Hotpatch Redis's RCE
  Do you feel lucky
July
- Ingenious CTF dashboard
  As taken from a dummy account, I wish more CTFs were set up like this. [#Polictf](https://twitter.com/search?q=%23Polictf) 2015
- Destroy a City - secure code review
  It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure
June
- Social Engineering Confirmation Bias workflow
  The image below shows the role confirmatory bias can play in social engineering exploits. Two situations are depicted. In the first, the insider desires access to information supplied by the
- Redis RCE
  If you haven't already, time to patch Redis. Otherwise, please set up authentication in front of your Redis instance. This remote code execution is going to get nasty http
- ElasticSearch honeypot dataset
  I have uploaded a new ElasticSearch honeypot dataset. It appears there are a few individuals who are attempting to exploit a few 0days in ElasticSearch. All the more reason not
May
- Ghcq Challenge Completed
April
- Impressive Node.JS vulnerability reduction
  In 2013, when I last performed a secure code review on Node.JS, it did not look pretty.
- Need help figuring out a Snapchat username? I have your back.
  I can't tell you what makes a good Snapchat username. But what I can tell you is what makes a popular Snapchat username.
- Yet another nail in SSL TLS 's coffin
  RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses
- Technical Approaches to Determining if an Incident Occurred
  When addressing potential incidents and applying best practice incident response procedures
March
- Open Source Fairy Dust Datasets
  The current list of open source critical infrastructure services vulnerability metrics I have released and / or made public
- Checkbox AWS assurance testing?
  A great beta tool to checkbox their AWS infrastructure and account against known AWS controls. [ Scout2
2014
December
- LDAP Tool Box vulnerabilities
  This vulnerability allows one to bypass weak XSS filtering
June
- How to sell a story - Ira Glass
  If you are just starting this phase, still in this phase, getting out of this phase, you gotta know
April
- Please donate to a worthy crypto security cause
  If you have ever used OpenSSL, [please donate money to this worthy cause
- Bug Age - Pattern series
  I love standards. My blackhat persona says this makes it easy to break into systems
March
- Chrome's V8 double free vulnerability
  Within Chrome's V8 engine, this was an interesting double free vulnerability I uncovered. Thank you V8 team for accepting.
2013
November
- NodeJS vulnerabilities - it hurts to look
  Background
July
- Google Translate
  the translated website pops out of Google Translate's iframe and redirects the user to a website or content of their choosing
June
- Random thought for an exploding honey token
  I remember when Nuxi and I would create computationally compact compressed files and see which mail servers would attempt to inspect the contents. Typically, the MTA would fail over due
- Carberp Vulnerabilities Cc Pie
  I logged into Reddit this morning and observed Carberp
- Apache Batik parse double vulnerability
  It is interesting to see Batik's parse double vulnerability exist to this day. Anyone want to crash Opera or popular, open source software
- DAQ buffer overflows
  Sourcefire and snort vulnerabilities allow remote code execution
- Malicious mobile power station
  A bit back, I looked over Stavrou's USB smartphone paper on the evil power station
- Startup Comp Structure
  You
- Lazy AWS devops
  I am seeing too much echo chamber, saber rattling, foolish dogma about agile SA
May
- Security is hard. Security Tools are harder. Cloud Security Tools are hardest.
  There are tools, security tools, and then there are cloud security tools. Especially in the realm of security orchestration. Many cloud snake oil tools were never designed for the cloud.
- CNN.com XSS vulnerabilities
  CNN fixed two XSS issues. Congrats
- Google Glass Developer program - more DOS and XSS
  There were two very simple Google Glass Mirror quickstart DoS and XSS vulnerabilities. The fixes have been introduced in changeset https
April
- Google Glass 0days
  Jenny Murphy has some clean code. However, it isn't the most secure. The Google Glass team must be under an intense timeline. Without looking too hard into the libraries and
- Evolutionary hardware
  For technical problems, one may struggle to define the specifications. When this happens, look at the behavioral design. Then one may find solutions from the design automation. Thankfully, evolutionary algorithms
- Rapid7 Google hacks extended
  How many other file sharing services are affected by the inadvertent sharing of sensitive information
2012
December
- Nifty Anti-XSS validation tool - Snuck
  To significantly test a given XSS filter by specializing
October
- Firesale WebPanel botnet 0days
  Oh, Firesale WebPanel botnet. How entertaining it is to see you continue to raise your head over the years.... XSS Reflected
- ERM - How did WOPR decide the only winning move is not to play?
  WOPR evolved and learned while playing against himself
September
- DPAPI still applicable?
  I saw some code utilizing DPAPI. Given the research around MS's poor DPAPI implementation,
August
- Security quotes
  The present need for security products far exceeds the number of individuals capable of designing secure systems
July
- Management Wednesday- BPM Modeling - not charts anymore
  After one has accomplished the scoping phase, the team should move on to modeling. Due to the large amount of time spent scoping, many scenarios will come to light
June
- Microsoft revokes Microsoft's certificate
  It is a sad day when a PKI private key lets software sign code on behalf of Microsoft. Especially when it is found in the wild and
May
- Gribodemon on SpyEye 2.x - I expected better
  Saturday, I noticed my application honeypot collected an interesting sample. The cracker took my bait and attempted to hack the planet via a SpyEye 2.x variant. Apparently, the limit of
- Airing one's dirty development laundry - You are doing it wrong
  I received a lovely Google alert this weekend.
- Bitcoins are hard to track
  Either FBI
- Sad reality
  Hope you have a gating process in your finance team which halts the ability to pay vendors without security approval...
- Management Wednesday- BPM scoping
  In business process management, there is no defined starting point. The solutions are transposable, adaptive, and can be set into motion regardless of the other solution's state. In a project's scoping
- PHP - two simple wins and a hammer
  I love programming in PHP. Fairly simple to learn, easy to code, plenty of tools available, and a great community. However, due to the language's inherent behaviour, PHP has many security pitfalls.
- Meltdown exploits
  Here is an academic exercise to create the Meltdown exploit prior to publication on Jan. 9th. To keep honest with my CISSP certification, I didn't include all operating systems and
April
- Management Wednesday- BPM isn't beats per minute.
  I was chatting with Alexander Peters and he mentioned an interesting statistic.
- Management Wednesday - Negotation
  Management 101 - Negotiating. Observe yourself negotiating. The more time one spends preparing is directly related to win
2011
April
- Web Application Security Dojo 'grams
  While finding innovative methods to visualize various web application insecurity practices, I came across a great visual aid. Enjoy. Credit