Presentation: Zero to Hero – Building a Red Team
On 23 March 2018, David and I presented “Zero to Hero – Building a Red Team, One Step at a Time” at HackWest in Salt Lake City. Here are links to the slide deck, audience handout, and video recording.
OWASP-AT-002 Vulnerability in Leading Email Providers
Almost one-half of email providers, some of them leading providers, are vulnerable to an email/username verification attack with no apparent mitigating controls. This is my attack code and research.
I Have Your PII
I have all of your PII (Personally Identifiable Information) from your voter registration. One caveat, I only did so for one of the US Congressional Districts in Texas, but I could have just as easily obtained all voter records. This article is about what it took to obtain records and the implications.
Exposing Tanium: A Hacker’s Paradise
Tanium has gained much popularity the past few years. Those jumping on the Tanium train need to beware. If your company uses Tanium, your data is at high risk, IMO. Their “peer chain” model, and the lack of encryption of that data, is unsecure and should not be trusted.(more…)
Restricting to Local Admin != Mitigation
I frequently come across and use endpoint exploits and attack vectors that “require admin”. Almost as frequently, I hear people in the industry stating, “We’re safe from that; it requires local admin|system”. In many cases, that is not a mitigation. If you’re putting trust in the assumption that restricting to local admin will protect you, how secure do you think you really are from an attacker?