passwords

These Aren’t the Password Guidelines You’re Looking For

“You don’t need to see his identification.” It’s a classic line. With a flick of the wrist, old Ben Kenobi deftly bypasses the identity and access management system of the poor Stormtroopers just doing their job. One would think, in that technological era, so long ago, that more advanced (and less spoofable) methods of authentication would …



Five Outdated Security Excuses

The security industry as a whole has been known to criticize businesses large and small with respect to how they manage security. Why does it so often seem like an afterthought? How is it that today we still frequently find that security teams are understaffed (or nonexistent), and that business decisions involving sensitive information are made without …


eBay Falls Victim to Breach: SourceForge Updates Password Storage

It was just recently announced that eBay suffered a breach that led to the compromise of user details including: username, encrypted password, email address, physical address, date of birth, and phone number. Their announcement indicates that no other data (financial or otherwise) was compromised. Financial data is believed to be stored separately. The …


Professionally Evil: Self Inflicted Injury at Vendor’s Request

It’s an unfortunate and still all too common vulnerability to find administrative interfaces exposed and configured with default passwords. In some cases it doesn’t matter what else you might find, like some sexy injection vulnerability; if I can access your administrative controls and gut your infrastructure, it’s game over and a resume-generating event for …


Defending Against Pass-the-Hash (PtH) Attacks

Pass-the-Hash (PtH) attacks have probably become the most common form of credential attack used in the hacking community. Especially in Microsoft Windows environments, PtH tools are so popular and easy to use that many attackers no longer even bother to crack passwords. Why waste the time when an administrator’s hash is just as convenient, …


Professionally Evil Toolkit – BozoCrack

This week I’ve been teaching a class on web app security for developers, and I remembered a fun little script that I thought I’d share here. That script is BozoCrack, written by Juuso Salonen. I’d give my own description of what this tool does, but I’ll use Juuso’s words from his GitHub page instead. It’s pretty classic. …


Professionally Evil Perspective Podcast: Misconfigurations and Default Credentials

So we are at it again! James Jardine, Jason Wood and I were at BSides Orlando this weekend and decided to take the opportunity to record the latest episode of the Professionally Evil Perspective (even if Jason doesn’t necessarily remember the title of the podcast completely!). As with the previous ones, we try to dig …
