Mike Felch // More and more organizations are rolling out mandatory 2FA enrollment for authentication to external services like GSuite and OWA. While this is great news because it creates an added level of security to the external perimeter, it also forces red teams and pentest organizations to innovate new techniques into capturing 2FA tokens […]
Bre Schumacher // As I was walking through the back to school display at the store the other day, I picked up a handy-dandy school supply list. Of course there were all the usual things: scissors, glue, notebooks, etc. but it made me wonder what would be on the “supply list” for someone just starting out […]
// Jordan Drysdale and Kent Ickler talk about Best Practices for setting up Active Directory. Bre joins as fake Sierra to host and ask questions from the audience since real Sierra was on vacation. See the webcast and Kent’s show notes here.
Podcast: Play in new window | Download
Kent Ickler & Jordan Drysdale// BHIS Webcast and Podcast This post accompanies BHIS’s webcast recorded on August 7, 2018, Active Directory Best Practices to Frustrate Attackers, which you can view below. The podcast version is available here. Also, the slides are available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7214618/ Preface Active Directory out of the box defaults aren’t enough to keep your network […]
Ethan Robish // WebSockets Overview WebSockets is a technology to allow browsers and servers to establish a single TCP connection and then asynchronously communicate in either direction. This is great for web apps as it allows real time updates without the browser needing to send hundreds of new HTTP polling requests in the background. It’s […]
Jordan Drysdale//* In this blog, we are assuming that we have obtained an access key, a secret key and maybe a .pem key from a network user who left these things lying around. What services do they have access to? How far can we get? Here we stand again, on the shoulders of giants with […]
Scott Worden* // So you and your company had a pen test…now what? What to do, how to plan, and good SQUIRREL! ways to stay on track. The 3 Stage of the Penetration Test The TESTER The TESTED Having the penetration tester reach your crown jewels, get root, own you, pwn you, own3d, 0wn3d, […]
CJ Cox talks about the highs, lows, hows and why’s of security policy. // Show Notes Why are we doing this? Do you hate your audience? GDPR was bad enough. My Methodology The Rant Cross between Bob Cat Goldthwaite and Dennis Miller Policy is the foundation to the foundation Don’t we all just love Policy […]
Podcast: Play in new window | Download
Craig Vincent// This all started with a conversation I was having with a few other BHIS testers. At the time, I was testing a web application that used WebSockets. The app was giving me headaches, and I was venting my frustration. Penetration testers, red teams, and baddies are always looking for new ways to sneak […]
