Sally Vandeven// TL;DR – Passwords stored using reversible encryption, even if they are VERY LONG, can be trivially reversed by an attacker. Password cracking is quite enjoyable. It is very satisfying to launch Hashcat, throw a bunch of hashes at it and watch the progress over minutes, which turns into hours and then days. It does […]
John Strand talks about his own journey into information security and shares his suggestions for those wanting to get started from scratch or who are looking to change career tracks. Special Guests: Randy Marchany, CISO of Virginia Tech & Director of the VA Tech IT Security Lab, and Ed Capizzi, SANS instructor Show Notes […]
BB King// We got an email from a fan today asking how best to find a mentor in information security. Maybe you’re looking for a mentor too. It’s a great question. Much of the advice you see for people looking to make their start in infosec is something like, “Work at the helpdesk or in […]
Melisa Wachs// The first day of school starting soon for your school-age kiddos. What better time to run through some of our basic reporting guidelines with y’all? Here is a short list of points I’ve learned after ten years of reading and editing pen test reports here at Black Hills Information Security. DO: Set up […]
Kent Ickler & Jordan Drysdale// BHIS Webcast and Podcast This post accompanies BHIS’s webcast recorded on August 7, 2018, Active Directory Best Practices to Frustrate Attackers, which you can view below. The podcast version is available here. Also, the slides are available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7214618/ Preface Active Directory out of the box defaults aren’t enough to keep your network […]
Ethan Robish // WebSockets Overview WebSockets is a technology to allow browsers and servers to establish a single TCP connection and then asynchronously communicate in either direction. This is great for web apps as it allows real time updates without the browser needing to send hundreds of new HTTP polling requests in the background. It’s […]
Scott Worden* // So you and your company had a pen test…now what? What to do, how to plan, and good SQUIRREL! ways to stay on track. The 3 Stage of the Penetration Test The TESTER The TESTED Having the penetration tester reach your crown jewels, get root, own you, pwn you, own3d, 0wn3d, […]
Jordan Drysdale// Full disclosure and tl;dr: The NCC Group has developed an amazing toolkit for analyzing your AWS infrastructure against Amazon’s best practices guidelines. Start here: https://github.com/nccgroup/Scout2 Then, access your AWS console as a user with privilege enough to create an “auditor” account (best practice tip #1: once your admin accounts are online and MFA […]
Kent Ickler// TL;DR: This post describes the process of building an active system to automatically recon SPF violations. Disclaimer: There are parts of this build that might not be legal in your area. Use in the wild at your own risk. Discuss with your peeps before implementing. BHIS @Krelkci are not liable for your actions. Background: In our […]
