New York State Department of Financial Services – 23 NYCRR 500 – ‘CyberSecurity Requirements for Financial Services Companies’ Overview: Yes, that title is a serious mouthful! In this post I want to give a quick overview of what this new law states and requires as it was just released today! Like most legal documents it can […]

Bypassing HSTS when Adobe crossdomain.xml is configured to be overly permissive. Synopsis Domains protected by HSTS which use an Adobe CrossDomain Policy (poorly configured) are vulnerable to the very attacks which HSTS is meant to protect against. The issue presents itself when the CrossDomain Policy allows access from domains without HSTS protections. The most damning configurations […]

Synopsis: I’m releasing version 0.1 of a web screenshot tool I wrote to make recon of a target organizations web resources very fast and effective. Details: I chose to write a tool to perform this task after trying to find one that fit my needs but unfortunately the tools I found either didn’t fit exactly […]

I wrote this DLL years ago and spoke about it at Rochester BSides last year. I’ve been meaning to post this since then, but time tends to get away from me. Because Windows 2K and XP might not be around that much longer I’m going to keep this post short and sweet. You can download […]

Synopsis: No it’s not a typo, that’s the name of the book. If you’re a penetration tester or into social engineering you MUST read this book, however anyone and everyone will find this extremely entertaining and really enlightening. There was so much to this book, I can’t recommend it enough. Immediately the author really draws […]

Summary: A method and scripts to grab bulk data from Linkedin profiles and format it, using Burpsuite, curl, grep and cut. In this case to create a username list for identifying emails and domain accounts. Foundation: I was performing a relatively unique task for a social engineering engagement for a client. Normally I’ll just receive […]

I recently finished reading “Shoninki: The Secret Teachings of the Ninja” by Master Natori Masazumi – “The 17th-Century manual on the Art of Concealment”. This book is an absolute must for anyone into hacking, penetration testing or any other form of offensive security. It’s a very short and quick read, only 140 ‘small’ pages of […]