It’s been a busy couple of months!
I thought it would be worth providing a long-overdue update into the development status of gophish. Overall, the project is getting closer to beta status every day, and I’m hoping to see a 0.1 release at the end of March.
Without further ado, let’s dive in and see where we’re at.
Read More
During the process of planning a vacation, I came across a nice hotel I wanted to stay at. When looking at some possible dates, I noticed the nightly rate would fluctuate dramatically. This made me question if I was going to wind up paying way more just because I wanted to stay at the hotel on a certain day.
Then I considered the alternative - maybe I could scrape the prices every day to find the cheapest nightly rate. Sounded like a job for Python, BeautifulSoup, and some whiskey.
Read More
Back in December, SANS released another installment of their annual holiday challenge. I enjoyed taking on the 2012 challenge, so I was excited to see what SANS had in store this year. This year’s challenge didn’t disappoint with a nice mix of basic network recon, web application hacking, and some forensics. This post will detail how I found each required “secret” to solve the challenge.
I’d like to extend a personal thanks for all the hard work SANS puts in to putting on this challenge every year.
Read More
So you accidentally committed a password or API key to Github. Ouch.
“No problem!”, you think, “I’ll just follow Github’s helpful information on how to delete sensitive information and I’ll be fine!”
Just today, I saw a great article detailing one developer’s experience with committing sensitive information to Github. Unfortunately, this article missed the main point. In this post, I’m going to show exactly how hackers instantly harvest information committed to public Github repositories, and why deleting this information doesn’t solve the problem.
Read More
Busy year.
It seems as though each year brings more and more events that throw our industry into the forefront of attention - and they’re never good. At the same time, it’s key to remember that these events allow us to learn and evolve as an industry. Let’s take a look at some of the key things we as an infosec industry can learn from 2014:
The Tor Project has announced that they have received threats about possible upcoming attempts to disable the Tor network through the seizure of Directory Authority (DA) servers. While we don’t know the legitimacy behind these threats, it’s worth looking at the role DA’s play in the Tor network, showing what effects their seizure could have on the Tor network.*
Read More
> Friendly Reminder: Browser makers may track every key you type in the URL bar
Technologies like Google Chrome’s Omnibox makes searching easier. However, these quick search suggestions come at a price. This post is a friendly reminder that you may want to consider turning off predictive search to protect your privacy.
Read More
I’ve always been a proponent and contributor of open-source projects and information. I strongly believe that information and knowledge should be shared as much and as freely as possible - progress happens this way.
As such, I’ve decided to “open-source”, if you will, the academic essays I wrote regarding information security and software development my last couple of semesters at Texas Tech. It’s my hope that people find these useful, either by provoking thought and discussion or simply by serving as material to help people fall asleep a little easier.
Please bear in mind some of these papers were written the night before in a short time-span.
Tor is often used to protect the anonymity of someone who is trying to connect to a service. However, it is also possible to use Tor to protect the anonymity of a service provider via hidden services. These services, operating under the .onion TLD, allow publishers to anonymously create and host content viewable only by other Tor users.
The Tor project has instructions on how to create hidden services, but this can be a manual and arduous process if you want to setup multiple services. This post will show how we can use the fantastic stem Python library to automatically create and host a Tor hidden service.
Mobile applications are often viewed as black-box applications. However, these applications often suffer from the same (or similar) vulnerabilities as their web application counterparts.
In a previous post, I showed how we can perform dynamic analysis on iPhone applications by intercepting the inbound/outbound traffic with the Burp proxy. In this post, we’ll explore static analysis of Android apps by looing at a couple of online tools that make decompiling apps into equivalent Java and Smali code trivial.
Read More