Professionally Evil Insights

How to configure BurpelFish

I recently was doing a pentest and was continuously looking up translations for words, and thought “there has to be a better way…”. That is when I...

The Best Way to Capture Traffic in 2021

How can we do analysis without Wireshark? For Linux and macOS, that utility has been tcpdump for quite a while; in Windows, we can use netsh.

LD_PRELOAD: How to Run Code at Load Time

Today I want to continue the series on using LD_PRELOAD. In previous posts, we covered how to inject a shared object binary into a process, and...

Announcing Burp Co2!

This is for those of you who do web pen testing with Portswigger’s Burp proxy tool!  Over the past couple of months I have been using my Java skills...

3 Reasons to Pentest with Brave

Penetration testing is a race against the clock. Often, we only have a few days to examine all the functionality of a web application or an API. That...

Boolean Math (NOT Logic) – CISSP Domain 3

Hello everyone.  We’ve got another Boolean math session lined up for you today.  This time we’re going to take a quick look at the NOT logic and...

Boolean Math (XOR Logic) – CISSP Domain 3

Hello everyone.  We’ve got another Boolean math session to look over today.  Our focus this time will be on the XOR logic.  The XOR stands for...

LD_PRELOAD - Introduction

Today I wanted to start what I plan to be a small series of blog posts about LD_PRELOAD. LD_PRELOAD is related to Linux based systems and...

Boolean Math (OR Logic) – CISSP Domain 3

Today we are going to take another look at some Boolean mathematics.  In particular, we’re going to focus on the OR operational logic, as covered in...

Proxies, Pivots, and Tunnels - Oh My!

Foreword: When talking about a proxy, a pivot, or a tunnel, we could be talking about very different things. However, to me, these terms could mean...

Boolean Math (AND Logic) - CISSP Domain 3

Today we’re going to take a quick look at the AND Boolean logic, which is covered in Domain 3 of the CISSP common body of knowledge (CBK).  To begin...

The OPSEC of Protesting

For the past three months thousands of people have been protesting in the United States due to the deaths of George Floyd, Breonna Taylor, Tony...

Encryption – CISSP Domain 3

We’re circling back to some more CISSP-related materials.  Today’s topic will be encryption, which can be found in CISSP Domain 3. By its very...

Encoding – CISSP Domain 3

Today we’re going to take a quick look at encoding, as covered in Domain 3 of the CISSP common body of knowledge (CBK). There is often some confusion...

Summer Internship at Secure Ideas

This past summer, I worked as an intern for Secure Ideas. My role at the company was that of software developer, designing applications to streamline...

Bash Tips and Tricks

I know I definitely identify with being a visual learner, and I am happy to help where I can with creating content for the security/sysadmin (system...

Hashing Functions – CISSP Domain 3

Today we’re going to take a quick look at hashing functions, as covered in Domain 3 of the CISSP common body of knowledge (CBK).  There is often some...

Visual Learner? Look no further!

Secure Ideas has been in the business for 10 years and over the last ten years we have found that everyone learns differently. There is no set way...

Proxying HTTPS Traffic with Burp Suite

This is easy to fix. All we need to do is tell our browser that the Burp CA can be trusted. Because every new installation of Burp generates a...

Asset Discovery

The first step in securing any organization is to understand what you have.  Unless you have a strong understanding of the systems and services on...

Once upon a time there was a WebSocket

This is the story from one of our recent penetration testing engagements. Still, the story is a familiar one for those who are testing newer web...

Fiddling with Windows: Proxy tools for Win10

If you have been following along with us, you know how to set up a Windows 10 Virtual Machine (VM) for web app pentesting. But now we have run into...

It's Okay, We're All On the SameSite

With Google’s recent announcement that all cookies without a SameSite flag will be treated as having SameSite=Lax set by default in Chrome version...

Top 10 Blog Lists

We have written a lot over the past year and beyond, and we wanted to provide you with our Top 10 lists! Take a look and gain some new knowledge for...

In Case of Fire: Break Windows

When a client calls us to pentest a web application that is only available in Internet Explorer, I cringe. I don’t know if it’s flashbacks from the...

IAM Access Analyzer Review

TL;DR – This is a free tool that helps solve one of the biggest security problems when working in AWS. Turn it on. Turn it on now! Instructions are...

Security Review of Nest Camera

I love tinkering with home automation and security solutions.  The simplicity of turning on a light bulb with a voice command makes me giddy, and I...

IAM Root: AWS IAM Simulator Tutorial

If you needed yet another reason to be paranoid about your personal information being exposed, the recent Capital One breach should be sufficient...

My Experience in the CISSP Mentorship Program

A little while back, I was talking with a friend of mine about the different services that Secure Ideas offered, and one of the topics that came up...

Game Console Hacking: Part 1 Lab Setup

This is the first in a series of blog posts on my journey through video game hacking and security. I plan to go through any aspect of this domain...

Using Components with Known Vulnerabilities

[Note: There is an updated version of this article] When dealing with cyber vulnerabilities, there are lots of threats that are unknown and ever...

Computers are People Too

There are those rare times during pen tests when you are on a client’s network and you don’t have any valid domain credentials but you do have local...

OWASP's Most Wanted (Continued)

In my last blog, OWASP’s Most Wanted, I talked about Command Injection and OS Injection, and will now discuss SQL Injection. So as before, I will be...

File Encryption Using VHD and BitLocker

When I was thinking of topics to write about, the idea of protecting the data we work with came to mind.  There’s always some sort of data that we...

Post-Quantum Cryptography Series

Perhaps you have heard of quantum key distribution, or perhaps you are curious as to what quantum computers with sufficient qubits and quantum error...

Welcome to the New Secureideas.com

We are excited to announce the launch of the new Secure Ideas website. It is located at the same url: https://www.secureideas.com. We hope you like...

"That looks ODD" Securing your workspace

When you look at “security” and the big picture, it always seems to come down to the decisions made by the Chief Security Officer (CSO) and Chief...

Security Misconfigurations

The configuration of web and application servers is a very important aspect of web applications. Oftentimes, failure to manage proper configurations...

Android App Testing on Chromebooks

Update: As of March 2021, I’d recommend using Android Virtual Devices over Chromebooks.  Chromebooks still work (in many cases) but the AVDs are much...

OWASP's Most Wanted

So you ask who is this OWASP and why do I care? Well, let’s hear it directly from them:  “Open Web Application Security Project (OWASP) is a...

HIMSS 2019 - Champions of Security Unite

Organizations of all sizes and industries face increasing challenges in safeguarding vast amounts of sensitive data, with Health Care being no...

Cracking WPA Pre Shared Keys

This is intended to be part 2 of a previous blog (Intro to Wireless Security), which was designed to introduce people to...

Fuzz Testing

If you have a brand new piece of software, a program, a network, or an operating system, you will want to test it for any bugs, coding errors or...

#AffordableTraining requires change

In 2019 Secure Ideas is dedicated to offering affordable security training to everyone. This concept has been one of our core goals and passions...

What is Physical Security?

What’s Physical Security? Ok, I’m just going to say it, I’m a physical security guy in an IT security world. So why physical security for IT? Easy,...

Stored XSS: What Is It

In the cyber security world, there are a number of vulnerabilities to be aware of. Today we’re going to look at a specific one: Stored Cross-Site...

2018 Year in Review

As we put the finishing touches on another tremendous year, and look toward the New Year, we at Secure Ideas wanted to take a moment to reflect upon...

Twelve Days of XSSmas

This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips....

Teaching an old dog new tricks

We all get older, and technology is always changing. With changes in technologies, we are continually faced with new ways we perform tasks in our...

Network Check Ups

Most people know that taking care of your personal health is important. We get regular check ups and try to keep ourselves as healthy and free of...

Compliance is not Security

Many folks get confused about the difference between security and compliance. Many, especially those less technically inclined, assume that...

Happy Thanksgiving from Secure Ideas

As we enter the busiest time of year for us (both personally and professionally) we wanted to take a moment and reflect on where we are and why that...

ISC2 Security Congress 2018

Some of the Secure Ideas team headed down to the “Big Easy” last month for (ISC)2’s 2018 Security Congress, and it was a BIG hit.  From the various...

SamuraiWTF 4.0 Finally Released

In February of this year, Mic posted a blog discussing the future of SamuraiWTF. (You can go read it here if you don’t remember). As we discussed...

Gosh Darn Policy Requirements

The Internet was built to be a platform to share information remotely.  Since it was created, sharing everything about ourselves and others has...

A Brief Introduction to MFA

If you are reading this, then you are becoming a cybersecurity geek, or you already are one and you just can’t get enough.  You wake up at four in...

Still SMiShing You - SMS Scams.

Have you ever gotten a strange text message on your phone that you don’t recognize?  Well, be careful because you don’t have to use a computer to be...

Preventive Security for You

As you go through everyday life, how do you think about your own security? Are you the type of person that may...

Security on the Go!

The use of mobile devices is steadily growing.  With this increase comes the need for the users to learn how to safely operate their devices.  Just...

Defending the Wall: Strong Passwords

Strong passwords are an important part of maintaining accounts and of any organization’s security infrastructure.  They are the first line of defense...

Watching yOUr Permissions

Often, one of the main goals of a pen tester is to get Domain Admin (DA) rights in a client’s Windows network.  But why do we want to get that level...

Going the distance with Burp

Welcome to the 5th blog on Burp Suite, and Happy 4th of July! Please visit Secure Ideas’ previous blogs on using Burp Suite at the following links:...

Ethics of Ethical Hacking

Ethical hacking uses the principles and techniques of hackers to help businesses protect their infrastructure and information (You could also say it...

Checking Under the Bed

I’ve got four kids and part of their chores involve cleaning up their bedrooms. Inevitably, their understanding of “clean enough” never quite matches...

Why are software updates important?

We have all seen the alert that “updates are available,” or “software update needed.” How often have we just clicked “cancel” because it pops up at...

The “Human Sensor” Continuum

How people can counteract suspicious activity and crime in the workplace. As a security professional for over 20 years...

The Importance of Log Reviews

Most companies have logs that are generated daily, but not all companies think to review these or know the importance of them.  Log reviews are an...

A Brief Evolution of Web Apps

Author’s Note: This was actually meant to be the first part of a series called Three C-Words of Web App Security, dealing with CORS, CSRF, and...

The Report

Being a pen tester is a cool job: we get to break into companies (with permission), steal stuff, and then tell them how we did it. Many testers focus...

Burp Suite continuing the Saga

Welcome to the fourth blog introducing and exploring the features of Burp Suite. Please visit Secure Ideas’ previous blogs on using Burp Suite at the...

Current State of Security in Healthcare

Healthcare organizations are a prime target for many malicious individuals and organizations in the information age. Identity thieves, blackmailers,...

The Future of SamuraiWTF

Samurai Web Testing Framework, if you’re not familiar with it, is a Linux environment that is primarily now used for teaching web application...

Security Concerns around Remote Employees

In the cloud-based economy, businesses of every size are hiring remote employees. Remote employees may decrease their capital costs, free the...

Ransomware and Scareware Pop-ups

Every computer owner has had the heart-stopping moment where a popup comes up and says that your computer has been infected. Most people know that...

Full disclosure debate.... again?

The full disclosure debate has raged over the years again and again.  While I am sure that many people are tired of hearing about it, sometimes...

Equifax Breach: Why I am not surprised

The Equifax breach, announced in September 2017, is said to potentially impact some 143 million Americans.  At this point in time Equifax has not...

Are You Ready for Your Pen Test?

It is day three of a five-day penetration test engagement and we still don’t have all the information we need to proceed with the test. This...

Ransomware Intelligence Briefing

Media reporting on the WannaCry ransomware campaign has contained exaggeration, bad information, and fear tactics....

Protecting your Kids from Online Threats

“The greatest gifts you can give your children are the roots of responsibility and the wings of independence.” — Denis Waitley As information...

Place Your Right Hand On This Glass

One of the hassles of the Yahoo! breach was clearly the coming-home-to-roost quality of the mega-stupid 90’s era “something about you” secret...

You Must Be This Tall . . .

Imagine going in to do an incident response at a fairly large customer that has no visibility within their firewalls, no intrusion detection, no...

An Introduction to Javascript for XSS Payloads

I recently got the opportunity to speak at B-Sides Charleston on cross-site scripting (XSS) payload development. For me, this was a really enjoyable...

Incident Response services now available!

Security Incident Response is like firefighting: it’s not something you need everyday, but when you need it, you want the best, and you want it fast....

A Brief BeEF Overview

BeEF, the Browser Exploitation Framework, is a testing tool that allows the penetration tester to look past hardened network perimeter and client...

Burp Repeater

As a consultant for Secure Ideas there are many tools I use often in my daily tasks.  One of the many great tools I use in web application testing is...

SQLMap Beginnings: What and How

Testing web based applications is not only fun but is often multi-faceted and challenging. Oftentimes a web front end will have places for data...

Whose Code Are You Running?

One of my favorite ways to eat Oreo cookies is to twist the two halves apart, carefully set the filling aside, eat both chocolate halves, and then...

Professionally Evil Insights: 2015

Are you interested in knowing which vulnerabilities are the most commonly discovered in penetration tests?  How about which industries are doing the...

Reversing Type 7 Cisco Passwords

While working on a recent pen test, I came across a few Cisco routers sitting on an internal network. The fact that they were using default...
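As an added illustration that ties the XOR Boolean math post above to this one (it is example code written for this page, not code from either post): Cisco Type 7 strings are a fixed-key XOR, so decoding is the same operation as encoding, which is exactly the self-inverse property of XOR. The 40-byte key string is the published Type 7 key; the IOS config snippet below is constructed for the example and the `find_type7_secrets` helper is this page's own, not a Secure Ideas tool.

```python
import re

# Fixed key used by Cisco IOS 'service password-encryption' (Type 7 strings).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string back to the plaintext password.

    Layout: two decimal digits giving a starting offset into TYPE7_KEY,
    then two hex digits per plaintext byte. Each byte is the plaintext
    character XORed with the key byte at (offset + position) mod 40.
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError("malformed Type 7 string")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("Type 7 offset out of range")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body)
    )
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Produce a Type 7 string. Same XOR step as decode, since XOR undoes itself."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError("Type 7 offset out of range")
    data = plaintext.encode("ascii")
    body = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{offset:02d}{body.hex().upper()}"


# Matches 'password 7 <hex>' / 'key 7 <hex>' style lines in an IOS config dump.
_TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def find_type7_secrets(config: str) -> list:
    """Return [(encoded, decoded), ...] for every Type 7 string in a config."""
    found = []
    for match in _TYPE7_LINE.finditer(config):
        enc = match.group(1)
        try:
            found.append((enc, type7_decode(enc)))
        except (ValueError, UnicodeDecodeError):
            # Not a well-formed Type 7 string (odd length, bad offset); skip it.
            continue
    return found


# Constructed sample config for the demonstration; not taken from a real device.
SAMPLE_CONFIG = """\
hostname lab-rtr
username admin password 7 0822455D0A16
line vty 0 4
 password 7 021605481811003348
"""

if __name__ == "__main__":
    for enc, dec in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{enc} -> {dec}")
```

Because the key is fixed and public, Type 7 offers obfuscation only; the practical takeaway is to treat any config containing `password 7` lines as containing plaintext credentials and to prefer Type 8/9 (`enable secret`/`algorithm-type`) where the platform supports it.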

Red Teaming - Not What You May Have Thought

Lately, I’ve been doing a lot of reading on some less technical topics and I ran across “Red Team: How to Succeed By Thinking Like the Enemy”...

Five Outdated Security Excuses

The Security Industry as a whole has been known to criticize businesses large and small with respect to how they manage security.   Why does it so...

Introduction to Metasploit Video

The Metasploit Framework is a key resource for security assessors. Whether your goal is to become a commercial penetration tester, to demonstrate...

Introducing Burp Correlator!

This one is for you web penetration testers!  This new Burp extension is designed to help with efficiency when you are testing a complex application...

Practical Pentest Advice from PCI

The PCI Security Standards Council released a Penetration Testing Guidance information supplement in March 2015.  This document, while geared towards...

Tip: Running BurpSuite on a Mac

Here’s a quick tip I use to save some time when spinning up Burp Suite on a Mac.  I use Burp Suite frequently enough that having an icon on my task...

SamuraiWTF 3.2 RELEASED!

We are really excited to announce that SamuraiWTF 3.2 is now available publicly.  This release is available at...

Patching binaries with Backdoor Factory

When was the last time you downloaded a binary file from the Internet or grabbed one off of a network share that is used by your organization to...

And Now... Introducing: Burp BS!

Burp BS… where the “BS” stands for BeanShell.  “What on earth is BeanShell?” you may ask?  BeanShell is a very old Java library that was designed to...

MobiSec 2.0 Awesomeness Unleashed!

MobiSec has undergone a major reconstruction and version 2.0 (actually 2.0.1) is now available for download on SourceForge.  The popular mobile...

Don't Forget the Little Things!

On January 31st, Deusen disclosed what was described as a Same Origin Policy Bypass flaw called “Universal XSS (U-XSS)” in IE 9 through 11 on Full...

Web Penetration Testing with Burp and CO2

Start 2015 right with a free web session to learn all about the Burp CO2 plugin!  This training is scheduled for Thursday, January 8th, 2015 at 2pm...

SamuraiWTF 3.0 and into the future!

We are really excited to announce that SamuraiWTF 3.0 is now available publicly.  (We did a previous release but found some issues and so that was...

Burp CO2 now sports some Laudanum Scripts!

There have been a number of updates to the Burp CO2 extension suite over the past couple of months but the most exciting one is the addition of...

Beware of Holiday Scams

It is that time of year and we need to be ready for the fraudsters to be out in full effect. The holidays are approaching and it is a time for joy...

Tactical Burp Suite Webinar

We have decided to try something new here at Secure Ideas.  We have a long history (as long as the company actually) of doing webcasts and...

Thumb Drives.. Can you tell the difference?

During a physical penetration test, it is not uncommon for the tester (attacker) to drop USB thumb drives out in the parking lot or someplace within...

CORS Global Policy

I recently noticed an uptick in Cross-Origin Resource Sharing (CORS) findings showing up in automated scanning tools, which would not have been a...

The ABC's of ASV's & PCI

Secure Ideas prides itself on providing the highest level of service to our customers. We are tirelessly searching for new tools and methods to use...

Logging Like a Lumber Jack

Turn on any news outlet or visit any news site and you will most likely see an announcement of yet another data breach.  On the DTR podcast we...

Policy Gap Analysis: Filling the Gaps

In today’s world, something never seems to be true unless it is written down, and even then it is a guideline. In the business world there are...

New Data Security Breach Laws in Florida

Since many organizations are collecting what many would consider personal, non-public, information, it is very important that they protect this...

Too Small to Hack: Small Business and Security

If you are paying attention to the news, security is a big topic.  At least that’s what CNN and the Wall Street Journal think.  And I would happen to...

What Do You Expect From A PenTest?

There are many reasons that a company has a penetration test performed.  Maybe it is due to regulatory compliance, like HIPAA, or they are just take...

Carolina Spring Security Events

It seems that Spring is “prime time” for security professionals in the Carolinas, and Charlotte seems to be at the center of it at least...

Purple Teaming for Success

You know what blue teams and red teams are.  Red is our attack side, or the adversaries, and Blue is the defense side.  Unfortunately, we don’t see...

Heartbleed: Complete Heart Surgery

If you haven’t seen it in the news, you must not have any technology close by. That is right, another story about Heartbleed. But this is...

Windows XP: EOL, What you need to know

Last week Windows XP finally reached its end of life. The operating system was released back in 2001 and was (and still is) a favorite among many...

Auto-Updating Devices: How to Test?

Every day we see new technology and devices in our everyday lives that are connected to the internet. Smart TVs, scales, even a crockpot. I...