iOS and Android Native Code Protections

iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust.

Password Manager Advice

A developer at work asked a general question to the group: “I’m thinking about using either LastPass or 1Password, anything I should know?” As the team’s newest “Security Guy”, I answered with this brief response:

Developing an Application Security Program

Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program.

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path.

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed.

My Security 101

What I hope are some reasonable basic security practice recommendations

RubberDucky Powershell Payload

On a recent engagement I supported the lead by developing a PowerShell payload for a RubberDucky. The gist is that it will run a handful of standard Windows commands and then e-mail the results to a specified address.

PHP, MySql, and Injection

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection.

DerbyCon 4.0

Unfortunately, I didn’t arrive at the ballroom early enough to get seats, or even standing room, to see this talk in-person: Ed Skoudis: How To Give The Best Pen Test Of Your Life

Local File Inclusion Mini-list

A mini-list reference for interesting LFI targets

NetBIOS Name Spoofing and SMB

NBNS still works!

How to create a Metasploit module

Learn how to create a metasploit module

DNS Recon

Introductory methods for DNS reconnaissance.

BSides DC 2013

Notes from BSides DC 2013

Subdomain Enumeration

Techniques for performing subdomain enumeration information gathering.

Configure Your Environment

Customize your working environment to your liking

Reverse shell methods

Methods for obtaining reverse shells

OSX Terminal - List Processes

An exploration of the ps command

Federal conference takeaways

Tips picked up from a red/blue infosec conference

Powershell Environment Variables

How to determine Powershell environment variables