David Tomaschik: BSidesSF CTF 2023: Lastpwned (Author Writeup)

I was the challenge author for a handful of challenges for this year’s BSidesSF CTF. One of those challenges was lastpwned, inspired by a recent high-profile data breach. This challenge provided a web-based password manager with client-side encryption. The challenge description …


@systemoverlord.com | 1 year ago

David Tomaschik: CTF 101: Just Try It!

What is a CTF? Common Categories Pwnable (Pwn) Web Forensics Crypto Reversing (RE) Useful Tools Benefits of Playing Advice As I’m helping to organize the BSides San Francisco CTF this weekend, I thought I’d share a little primer for CTFs for those who ha …


@systemoverlord.com | 1 year ago

David Tomaschik: BSidesSF 2022 CTF: Login4Shell

Log4Shell was arguably the biggest vulnerability disclosure of 2021. Security teams across the entire world spent the end of the year trying to address this bug (and several variants) in the popular Log4J logging library. The vulnerability was caused by special formatting strings …


@systemoverlord.com | 1 year ago

David Tomaschik: BSidesSF 2022 CTF: TODO List

This year, I was the author of a few of our web challenges. One of those that gave both us (as administrators) and the players a few difficulties was “TODO List”. Upon visiting the application, we see an app with a few options, including registering, login, and support. Upon regi …


@systemoverlord.com | 1 year ago

David Tomaschik: BSidesSF 2022 CTF: Cow Say What?

As the author of the Cow Say What? challenge from this year’s BSidesSF CTF, I got a lot of questions about it after the CTF ended. It’s both surprisingly straight-forward but also a very little-known issue. The challenge was a web challenge – if you visited the service, you got a …


@systemoverlord.com | 1 year ago

David Tomaschik: Book Review: Designing Secure Software

Designing Secure Software (Amazon, No Starch Press) by Loren Kohnfelder is one of the latest entries in No Starch Press’s line of security books. This book stands out to me for two big reasons. First, this is one of the most mindset-centric books I’ve seen (which means it is like …


@systemoverlord.com | 2 years ago

David Tomaschik: Book Review: Bug Bounty Bootcamp

Bug Bounty Bootcamp (Amazon, No Starch Press) by Vickie Li is one of No Starch Press’s newest offerings in the security space. The alliterative title is also the best three word summary I could possibly offer of the book – it is clearly focused on getting the reader into a...


@systemoverlord.com | 2 years ago

David Tomaschik: 0x0G CTF: Authme (Author Writeup)

0x0G is Google’s annual “Hacker Summer Camp” event. Normally this would be in Las Vegas during the week of DEF CON and Black Hat, but well, pandemic rules apply. I’m one of the organizers for the CTF we run during the event, and I thought I’d write up solutions to...


@systemoverlord.com | 2 years ago

David Tomaschik: 0x0G CTF: gRoulette (Author Writeup)

0x0G is Google’s annual “Hacker Summer Camp” event. Normally this would be in Las Vegas during the week of DEF CON and Black Hat, but well, pandemic rules apply. I’m one of the organizers for the CTF we run during the event, and I thought I’d write up solutions to...


@systemoverlord.com | 2 years ago

David Tomaschik: GPU Accelerated Password Cracking in the Cloud: Speed and Cost-Effectiveness

Note: Though this testing was done on Google Cloud and I work at Google, this work and blog post represent my personal work and do not represent the views of my employer. As a red teamer and security researcher, I occasionally find the need to crack some hashed passwords. It...


@systemoverlord.com | 2 years ago

David Tomaschik: Making: A Desk Clamp for Light Panels

On a little bit of a tangent from my typical security posting, I thought I’d include some of my “making” efforts. Due to the working from home for an extended period of time, I wanted to improve my video-conferencing setup somewhat. I have my back to windows, so the lighting...


@systemoverlord.com | 3 years ago

David Tomaschik: BSidesSF 2021 CTF: Net Matroyshka (Author Writeup)

Net Matroyshka was one of our “1337” tagged challenges for the 2021 BSidesSF CTF. This indicated it was particularly hard, and our players can probably confirm that. If you haven’t played our CTF in the past, you might not be familiar with the Matryoshka name. (Yep, I misspelled …


@systemoverlord.com | 3 years ago

David Tomaschik: BSidesSF 2021 CTF: CuteSrv (Author Writeup)

I authored the BSidesSF 2021 CTF Challenge “CuteSrv”, which is a service to display cute pictures. The description from the scoreboard: Last year was pretty tough for all of us. I built this service of cute photos to help cheer you up. We do moderate for cuteness, so no inappropr …


@systemoverlord.com | 3 years ago

David Tomaschik: BSidesSF 2021 CTF: Encrypted Bin (Author Writeup)

I was the author for the BSidesSF 2021 CTF Challenge “Encrypted Bin”, which is an encrypted pastebin service. The description from the scoreboard: I’ve always wanted to build an encrypted pastebin service. Hope I’ve done it correctly. (Look in /home/flag/ for the flag.) I thought …


@systemoverlord.com | 3 years ago

David Tomaschik: Is Reusing an Old Mac Mini Worth It?

I was cleaning up some old electronics (I’m a bit of a pack rat) and came across a Mac Mini I’ve owned since 2009. I was curious whether it still worked and whether it could get useful work done. This turned out to be more than a 5 minute experiment,...


@systemoverlord.com | 3 years ago

David Tomaschik: Merry Christmas: 2020 Holiday Ornament

First off, I want to wish everyone a Happy Holidays and a Merry Christmas. I know 2020 has been a hard year for so many, and I hope you and your families are healthy and making it through the year. Over the past few years, I’ve gotten into making holiday...


@systemoverlord.com | 3 years ago

David Tomaschik: Hacker Holiday Gift Guide - 2020 Edition

Welcome to the 2020 edition of my Hacker Holiday Gift Guide! This has been a trying year for all of us, but I sincerely hope you and your family are happy and healthy as this year comes to an end. Table of Contents General Security ProtonMail Subscription Encrypted Flash Drive...


@systemoverlord.com | 3 years ago

Posting JSON from a HTML Form

A coworker and I were looking at an application today that, like so many other modern web applications, offers a RESTful API with JSON being used for serialization of requests/responses. She noted that the application didn’t include any sort of CSRF token and didn’t seem to use a …


@systemoverlord.com | 3 years ago

David Tomaschik: Course Review: Reverse Engineering with Ghidra

Last week, I took the …


@systemoverlord.com | 3 years ago

David Tomaschik: Lessons Learned from SSH Credential Honeypots

For the past few months, I’ve been running a handful of SSH Honeypots on some cloud providers, including Google Cloud, DigitalOcean, and NameCheap. As opposed to more complicated honeypots looking at attacker behavior, I decided to do something simple and was only interested in w …


@systemoverlord.com | 3 years ago

David Tomaschik: Security 101: Backups & Protecting Backups

Backups and protecting your backups are key to a reasonable security posture.


@systemoverlord.com | 3 years ago

David Tomaschik: Raspberry Pi as a Penetration Testing Implant (Dropbox)

Build a penetration testing dropbox using a Raspberry Pi


@systemoverlord.com | 3 years ago

David Tomaschik: Comparing 3 Great Web Security Books

I thought about using a clickbait title like “Is this the best web security book?”, but I just couldn’t do that to you all. Instead, I want to compare and contrast 3 books, all of which I consider great books about web security. I won’t declare any single book “the...


@systemoverlord.com | 3 years ago

David Tomaschik: Security 101: Encryption, Hashing, and Encoding

Encryption, Hashing, and Encoding are commonly confused topics by those new to the information security field. I see these confused even by experienced software engineers, by developers, and by new hackers. It’s really important to understand the differences – not just for semant …


@systemoverlord.com | 3 years ago

David Tomaschik: Security 101: Beginning with Kali Linux

I’ve found a lot of people who are new to security, particularly those with an interest in penetration testing or red teaming, install Kali Linux™ as one of their first forays into the “hacking” world. In general, there’s absolutely nothing wrong with that. Unfortunately, I also …


@systemoverlord.com | 3 years ago

David Tomaschik: Hacker Culture Reading List

A friend recently asked me if I could recommend some reading about hacking and security culture. I gave a couple of quick answers, but it inspired me to write a blog post in case anyone else is looking for similar content. Unless otherwise noted, I’ve read all of these books/reso …


@systemoverlord.com | 3 years ago

David Tomaschik: Stop EARN IT and LAED

Unless you’ve been living under a rock, you know that the Crypto Wars are back. Politicians, seemingly led by Senator Lindsey Graham of South Carolina, seem bound and determined to undermine users’ privacy and security online to strengthen the power of the police state. It will h …


@systemoverlord.com | 3 years ago

David Tomaschik: Private CA with X.509 Name Constraints

I wanted to run a small private Certificate Authority for some of my internal services. Since these aren’t reachable from the internet, and some of them are on network segments without internet connectivity, using a public ACME CA like Let’s Encrypt was inconvenient. On the other …


@systemoverlord.com | 3 years ago

David Tomaschik: Book Review: Operator Handbook

When Netmux first released the Operator Handbook, I had to check it out. I had some initial impressions, but wanted to take some time to refine my thoughts on it before putting together a full review of the book. The book review will be a bit short, but that’s because...


@systemoverlord.com | 3 years ago

David Tomaschik: Everyone in InfoSec Should Know How to Program

Okay, I’m not going to lie, the title was a bit of clickbait. I don’t believe that everyone in InfoSec really needs to know how to program, just almost everyone. Now, before my fellow practitioners jump on me, saying they can do their job just fine without programming, I’d apprec …


@systemoverlord.com | 3 years ago

David Tomaschik: Announcing TIMEP: Test Interface for Multiple Embedded Protocols

Today I’m releasing a new open source hardware (OSHW) project – the Test Interface for Multiple Embedded Protocols (TIMEP). It’s based around the FTDI FT2232H chip and logic level shifters to provide breakouts, buffering, and level conversion for a number of common embedded hardw …


@systemoverlord.com | 3 years ago

David Tomaschik: Security 101: Two Factor Authentication (2FA)

In this part of my “Security 101” series, I want to talk about different mechanisms for two factor authentication (2FA) as well as why we need it in the first place. Most of my considerations will be for the web and web applications, and I’m explicitly ignoring local login (e.g., …


@systemoverlord.com | 3 years ago

David Tomaschik: So You Want a Red Team Exercise?

I originally wrote this for work, where we get a lot of requests to “Red Team” something. In a lot of these cases, a white box security review or other form of security testing is more appropriate. Because I’d heard through the grapevine that other Red Teams struggle with the...


@systemoverlord.com | 4 years ago

David Tomaschik: Security 101: Learning From Home

Outside, there’s a pandemic. We’re being asked to stay indoors, shelter in place, and avoid social contact. Conferences are cancelled, live trainings are out of the question. Some businesses are closing (hopefully temporarily) and there are unfortunate layoffs and furloughs acros …


@systemoverlord.com | 4 years ago

David Tomaschik: Security 101: Virtual Private Networks (VPNs)

I’m trying something new – a “Security 101” series. I hope to make these topics readable for those with no security background. I’m going to pick topics that are either related to my other posts (such as foundational knowledge) or just things that I think are relevant or misunder …


@systemoverlord.com | 4 years ago

David Tomaschik: BSides SF 2020 CTF: Infrastructure Engineering and Lessons Learned

Last weekend, I had the pleasure of running the BSides San Francisco CTF along with friends and co-conspirators c0rg1, symmetric and iagox86. This is something like the 4th or 5th year in a row that I’ve been involved in this, and every year, we try to do a better job...


@systemoverlord.com | 4 years ago

David Tomaschik: Hacker Holiday Gift Guide (HHGG) 2019

I wanted to put together a few thoughts I had on gifts for my fellow hackers this holiday season. I’m including a variety of different things to appeal to almost anyone involved in information security or hardware hacking, but I’m obviously a bit biased to my own areas of interes …


@systemoverlord.com | 4 years ago

David Tomaschik: CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Description Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string compariso …


@systemoverlord.com | 4 years ago

David Tomaschik: Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

I’ve begun to think about what I’ll take to Hacker Summer Camp this year, and I thought I’d share some of it as part of my Hacker Summer Camp blog post series. I hope it will be useful to veterans, but particularly to first timers who might have no idea...


@systemoverlord.com | 4 years ago

David Tomaschik: Certifications Aren't as Big a Deal as You Think

For some reason, security certifications get discussed a lot, particularly in forums catering to those newer to the industry. (See, for example, /r/asknetsec.) Now I’m not talking about business certifications (ISO, etc.) but personal certifications that allegedly demonstrate som …


@systemoverlord.com | 5 years ago

David Tomaschik: BSides SF CTF Author Writeup: Flagsrv

Flagsrv was a 300 point web challenge in this year’s BSidesSF CTF. The description was a simple one: We’ve built a service for the sole purpose of serving up flags! The account you want is named ‘flag’.


@systemoverlord.com | 5 years ago

David Tomaschik: "Entry-Level" Security Jobs and Experience

I’ve seen a lot of discussion of experience requirements and “entry-level” positions in the security industry lately. /r/netsecstudents and /r/asknetsec are full of threads discussing this topic, and I heard it being discussed at both BSidesLV and DEF CON this summer. The usual c …


@systemoverlord.com | 5 years ago

David Tomaschik: Hacker Summer Camp 2018: Wrap-Up

I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts...


@systemoverlord.com | 5 years ago

David Tomaschik: Useful Metasploit Reminders



@systemoverlord.com | 5 years ago

David Tomaschik: Synonyms in x86 Assembly



@systemoverlord.com | 5 years ago

David Tomaschik: On Deep Work

I recently stumbled upon Azeria’s blog post The Importance of Deep Work & The 30-hour Method For Learning a New Skill, and it seriously struck a chord with me. Over the past year or so, I’ve struggled with a lack of personal satisfaction in my life and my work. I...


@systemoverlord.com | 5 years ago

David Tomaschik: Hacker Summer Camp 2018: Prep Guide

Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It's the largest gathering of hackers, information security professionals and enthu …


@systemoverlord.com | 5 years ago

David Tomaschik: BSidesSF CTF 2018: Coder Series (Author's PoV)

Introduction As the author of the “coder” series of challenges (Intel Coder, ARM Coder, Poly Coder, and OCD Coder) in the recent BSidesSF CTF, I wanted to share my perspective on the challenges. I can’t tell if the challenges were uninteresting, too hard, or both, but they were s …


@systemoverlord.com | 6 years ago