The Three Step Security Strategy

October 08, 2019 | By:

Why Does Strategy Matter? The term ‘security strategy’ can be ambiguous and often means different things to different people. Because of this, many organizations do not have a formalized security strategy and those that do may not have an effective one. This is understandable. Managing the day-to-day issues associated with a security program (alerts, audits,…


Buying Internal Domain Access Again

October 03, 2019 | By:

So, this post is inspired by some very interesting research done by @mubix that you can read about here, as well as this amazing post by Tim Medin here. After reading Mubix’s post, I was whipped into a frenzy and purchased several domains. I realize that these posts are both several years old, but this idea…


Big Changes in Store for PCI DSS v4.0, and More!

September 20, 2019 | By:

This week I attended the PCI North American Community Meeting. If you are in the payment security space and haven’t been to a community meeting, I would recommend that you put this on your conference schedule. It’s great to connect with like-minded individuals, including card brands, banks, large customers, vendors, and yes, assessors – both internal (ISAs)…


Cracking the DerbyCon Code

September 18, 2019 | By:

To commemorate the final DerbyCon, TrustedSec did something a little special on our challenge coin. Along the outer edge of the coin was a code, and anyone who could figure it out by DerbyCon’s final day at noon got a prize. I was lucky enough to design the code and was asked by many people…


Attacks on the Rise Through Office 365

September 17, 2019 | By:

Office 365 is the most popular line of digital services for businesses for a reason, but when it comes to cyberattacks, its ubiquity is creating challenges. If it seems like every week there’s a new headline about a large-scale hacking incident, it’s not a case of rampant fake news. According to the 2018 Symantec Internet…


PCI Requirements 101

September 12, 2019 | By:

Having completed several PCI-DSS (Payment Card Industry – Data Security Standard) Reports on Compliance (RoCs) over the past couple of years, I have noticed a consistent pattern on the items needed for the 12 requirements. I have found that there are three basic components to most if not all PCI requirements: Documentation (Policies, Standards, and…


Three Most Common Security Flaws (and How to Fix Them)

August 27, 2019 | By:

When it comes to physical security, the most common things we see are hardware vulnerabilities or human error (through social engineering attacks, failure to follow security guidelines, or no knowledge of security protocols). We have successfully broken into everything from locally run neighborhood shops to banks, power plants, hospitals, factories, law firms, and everything in…


Top 10 MITRE ATT&CK™ Techniques

August 22, 2019 | By:

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) Framework (https://attack.mitre.org/) is “a globally-accessible knowledge base of adversary tactics and techniques” that is “open and available to any person or organization for use at no charge.” One of the most beautiful parts of the MITRE ATT&CK™ Framework is that its information can be analyzed to…


Tracing DNS Queries on Your Windows DNS Server

July 16, 2019 | By:

During a recent engagement, I successfully deployed a wildcard Domain Name System (DNS) record in conjunction with Responder. Within minutes, a misconfigured host made a query for a non-existent DNS record and was poisoned into connecting to our Responder instance. Unfortunately, the account was privileged enough that domain compromise was achieved. The techniques and tools…


Mobile Hacking: Using Frida to Monitor Encryption

July 09, 2019 | By:

This post will walk you through the creation of a Frida script that will be used to demonstrate the usage of the Frida Python bindings. The Frida script will be used to monitor encryption calls and capture details about the encryption type and keys in use. We will learn how to send messages from Frida…