The last week has been brutal for me! Our community has been given one hit after another as we learn about someone doing something horrible or of someone leaving the community because something horrible was done to them!

I reached my limit today when a friend I admire and respect said he was calling it quits! One of our biggest failings I think is we so often overlook the ones who are there always putting in work helping others but not seeking or getting any credit! I'd like to change…

[Will present this at local Defcon 414 in December 2015 and post slideshow here]

I have successfully done this over a dozen times - once for my girlfriend on a flight, sending her the credentials via email.

I MUST classify this as a "social engineering" hack despite several modifications to the boarding pass - which seems to be NOT associated with this airline's information other than flight number, date, time, and passenger name. Nobody checks, nor has the…

Many people don't know or haven't heard of threat modeling let alone know how to do it.

Hackers and crackers break assumptions we have made for how a system will be used.

But how to make the right assumptions? One way is to predict evil based on past known threats.

This might be a good start but it's not enough because hackers will also break the assumptions we make based on past attacks and change their behavior. 

The better assumption is that all input…

Paul Asadoorian has summed it up quite nicely in EP 373 of the Security Weekly Podcast. 

A good pentest not only answers the question “can my controls be breached?” but also the following questions:

• How can I be breached?
• How much damage to my business can a breach do?
• Where am I most likely to be breached given my current…

To protect your system from scammers, hackers, and malware, you need to follow certain steps.

Avoid Suspicious Websites: When you browse the Internet, be aware of the websites you are visiting. Most websites contain viruses or malware that could harm your…

Nowadays, information and computer security are on the minds of every IT professional as statistics have shown that the number of severe data loss episodes that occur each year is increasing. Data-bearing devices, including all forms of removable media, are said to be the cause of concern for both enterprise…

Hello folks.



My dear friend Leon tweeted that it took few minutes for his kippo install to get it's first catch.

I knew that if you go online with SSH password 123456 you will eventually get hacked but i was curious about how soon would that be.



So i ran a little experiment for the sole purpose of documenting that, and i repeated it on 6 fresh VPS installs in 6 different…

According to a recent report, cybercrime attacks continue to be a global threat. In fact, there is a growing trend of DDoS attacks, evolving continuously. These attacks have become more sophisticated, harder to detect and mitigate. They have also become the tool of choice for hackers to cause disruptions of…

Martin Bos (purehate)

Eric Milam (brav0hax)



As security consultants we’ve had an opportunity to pentest some of the world’s most interesting companies. Technology and penetration testing is our passion and as such - we love our tools (toys)! Having worked with a load of them over the years it’s easy to embrace the good and dismiss the rest. The devices released by the team at Pwnie Express are far from toys in the traditional sense. These devices are small form factor…

This is not a survey, consensus or popular poll. This is my opinion written from my viewpoint on how I see this subject. If you disagree with this list or if you agree, please do me a favor and write your OWN list! Seriously if you can’t find twenty things about the industry you work in no matter what it is then it is time for you to look for a new career. I have said it many times to be good at infosec you have to have a passion for it because the people you are up against love what they…

For over two years now, my ssh-honeypot kippo (developed by Upi Tamminen) is receiving “visits” from all over the world. With an easy to guess root password 123456, to shorten the brute force attacks I have gathered some interesting data/statistics.

So to sum things up:

First attack on Monday, 26-Jul-2010, 09:11 AM

Total login attempts 474433

Distinct source IP…

Every now and then somebody starts an argument about whether or not it should be a secret which security products you are using.

I will tell you my opinion on that right away:

1.) Unless your risk profile is extremely high and you are one of the five or so organizations in the world who really have super awesome wicked OPSEC in place, don't even bother starting to think about keeping secret the fact that you…

This article was originally posted on my Digital Forensics Blog.

I heard talk at the SANS DFIR Summit a couple weeks ago about "knowing normal".  What does that mean? Knowing what your systems and networks are doing each day and what their stats should look like. That way, even if you don't really know how to recognize…

Dear All,

This is my first post on DTH. I got to know about DTH due to my exploratory research on SE and I think this site provides a lot of useful info. Hopefully one of you can help me too, therefore I will shortly explain my research object. 

Sorry for my bad English by the way...

I am currently researching (historical) practices that point towards the use of Social Engineering in relation to criminal practices that have occurred within Dutch banks.…

Today I read a blogpost by Fefe in which he rants about how folks just give up on trying to develop more secure code or even fix all bugs in their software but instead draw resources from bugfixing teams in benefit of building mitigations like sandboxing technologies.

 

Fefe criticizes Adobe's security chief Arkin for saying the following sentence:

“My goal isn’t to find and fix every security bug, I’d…

I am lost - lost in an area of conflict.

Not that there were no solutions to solve the conflict.

In fact the conflict isn't as bad as it seems in the first place - at least this is my opinion.

You may be asking yourself exactly what am I talking about.

I am talking about the fact that we tell politicians and those in charge of IT:

a)…

A friend who wants to start a career in information security asked me which books are a "must read".

It goes without saying that the one and only "must-read" is of course Jayson's book.

Since you found your way to this site, you'll probably already know that. ;-)

Up front I would like to say that I really doubt there are…

WTFSecurity 0.5





A few definitions



(for later debate)







Secure (se kur) adjective , unobtainable state



-Complete removal of every threat of Possible Injurious Event (PIE), known and unknown, now and in the future.



(See also - Unusable)











Security (se kur a te) verb , non continuous state



-Constant valid attempt to be secure.



(See also - Valiant…