Channel: Thoughts on Security

Installing Linux on a Live Windows System

As you may know, I run the Red Team for the Collegiate Cyber Defense Competition (CCDC) in the southwest region. One of the more interesting things I put together for the regional competitions this...


March – Pass the Hash Awareness Month

March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog:...


CCDC and CTFs – Addressing the Criticisms

As you may know, I’ve been involved with red teaming all levels of CCDC, but I’ve also taken part in a number of CTF competitions. CCDC is one of a number of defense competitions growing in popularity,...


Red Teaming the CCDC

At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional...


4 practical rules to not get your program hacked

Quinn Norton recently wrote Everything Is Broken, an article lamenting the sad state of software and internet security in general, concluding that there are “plenty of ways we could regain privacy and...


More Spiders, Fewer Trees: Meterpreter Hop

Just about every time you see a serious network intrusion where the attackers obtain access to internal networks, the attackers used “hop points” to conceal their identity and evade detection. Hop...


Easy Smart Card SSH Setup

If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have, prone to...


Exploiting Ammyy Admin – developing an 0day

Background For the past few years, a number of groups of scammers have been cold-calling thousands if not millions of people in what’s been referred to as the “Ammyy Scam” or the “Microsoft Tech...



Replacing Passwords With EasyAuth

There’s been a lot of focus on replacing passwords for authentication lately. Google and Twitter have each put forward proposals to address issues in authentication, Google’s based on browser...


How to run a secret drug empire and hide your incriminating evidence*

-or- New tools to stop common laptop data thefts

Why your OPSEC advice is wrong

The internet security and privacy communities, law enforcement realms, all sides of the drug war, and the world as a...


Credential Assessment – Mapping Privilege Escalation at Scale

I recently gave the following presentation at CanSecWest. (cansecwest.com) You can see the slides below:


On Wassenaar

My comments to the Bureau of Industry and Security (BIS), which had requested comments on the proposed Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. I...


On Suicide and Ashley Madison

Suicide is a difficult topic to discuss. It has claimed many well-known individuals in society at large and in information security. It is a difficult topic for me to discuss since one of my best...



Stop doing input validation

"Buffer overflows; injection attacks; DoS attacks; memory leakage; information disclosure; compromised systems." What is the common factor between all of those vulnerability classes? If you have heard...


How I used dead drop C2 to hide malicious traffic

Over the past few years, I have been organizing, participating in, and frequently writing attack software for CCDC red teams. This year, as I've been starting to dust off the code, spin up VMs and...



Why the government shouldn’t pay for your college (or most other things)

Recently there has been a renewed push, from presidential candidate Bernie Sanders to the "Million Student March" protests, to have 100% government funded college in the US, and similar policies under...


Human Adversaries – Why Information Security Is Unlike Engineering

A common theme among information security commenters and keynotes is that infosec can and either will or should evolve to be more like structural engineering, product safety, or similar successful...


Yeoman Angular Bootstrap

Although I have done a lot of software development on different projects, I am not great at making nice-looking UIs. Someone recently told me it would be easy to set up a simple but nice-looking...
