03 Mar 2018
Very often, people hear “SSH” and “two-factor authentication” and assume you’re
talking about an SSH keypair that’s got the private key protected with a
passphrase. And while this is a reasonable approximation of a two-factor
system, it’s not actually two-factor authentication because the server is not
using two separate factors to authenticate the user. The only factor is the SSH
keypair, and there’s no way for the server to know if that key was protected
with a passphrase. However, OpenSSH has supported true two-factor
authentication for nearly 5 years now, so it’s quite possible to build even more
14 Feb 2018
The Penetration Testing with Kali Linux (PWK) course is one of the most popular information security courses, culminating in a hands-on exam for the Offensive Security Certified Professional certification. It provides a hands-on learning experience for those looking to get into penetration testing or other areas of offensive security. These are some of the things you might want to know before attempting the PWK class or the OSCP exam.
10 Feb 2018
Red Team: How to Succeed By Thinking Like the Enemy by
Micah Zenko focuses on the role that red teaming plays in a variety of
institutions, ranging from the Department of Defense to cybersecurity. It’s an
excellent book that describes the thought process behind red teaming, when red
teaming is a success and when it can be a failure, and the way a red team can
best fit into an organization and provide value. If you’re looking for a book
that’s highly technical or focused entirely on information security engineering,
this book may disappoint. There’s only a single chapter covering the
application of red teaming in the information security space (particularly
“vulnerability probes” as Zenko refers to many of the tests), but that doesn’t
make the rest of the content any less useful – or interesting – to the Red
05 Feb 2018
If there’s one thing I wish people from outside the security industry knew when
dealing with information security, it’s that Security is not an absolute.
Most of the time, it’s not even quantifiable. Even in the case of particular
threat models, it’s often impossible to make statements about the security of a
system with certainty.
28 Jan 2018
A few months ago, I was shopping on woot.com and discovered the Gigastone Media Streamer Plus for about $25. I figured this might be something occasionally useful, or at least fun to look at for security vulnerabilities. When it arrived, I didn't get around to it for quite a while, and then when I finally did, I was terribly disappointed in it as a security research target -- it was just too easy.