Note: Updated with a new section on TLS/SSL Modern Cache Directives. As part of each website security vulnerability assessment performed, the security researcher checks that proper caching directives are implemented. In situations where the most extreme “never cache this data” is required, the gold-standard HTTP headers recommended by infosec professionals everywhere are:

Read More


This page is a collection of instructions to remove unnecessary server headers which may be reported as part of a Penetration Test performed by a security engineer or reported via automated tools. I have catalogued these remediation instructions for many technologies in one place to save the vast amounts of searching required for some of… Read More
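The two checks described in the posts above (never-cache directives and unnecessary server headers) are easy to script against a captured response. The following is an added example for this page, not code from either post. The never-cache baseline it enforces (Cache-Control: no-store, no-cache, must-revalidate; Pragma: no-cache; Expires already in the past) is the commonly recommended set and is my assumption, since the post's own list is cut off in the excerpt; the list of disclosure headers is likewise my assumption. The two sample responses are constructed.

```python
"""Audit a raw HTTP response for two things a pentester reports:
never-cache directives that are missing, and headers that disclose
the server stack.  Example code for this page; the rule sets below
are assumptions, not the posts' own lists."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed "never cache this" baseline: all three Cache-Control directives,
# Pragma for HTTP/1.0 caches, and an Expires value that is already in the past.
NEVER_CACHE = {"no-store", "no-cache", "must-revalidate"}
# Headers that reveal server software/versions and are normally removed (assumed list).
DISCLOSURE = ("server", "x-powered-by", "x-aspnet-version",
              "x-aspnetmvc-version", "x-generator")


def parse_response(raw: str) -> dict:
    """Return {lower-cased name: value} from the head of a raw HTTP response.
    Repeated headers are folded with ', ' as the list-header rules allow."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_cache_control(value: str) -> dict:
    """Return {directive: argument or None}, e.g. 'max-age=600' -> {'max-age': '600'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"') if arg else None
    return directives


def expires_in_past(value: str) -> bool:
    """'0', '-1' and unparsable dates count as already expired (RFC 9111 5.3);
    a real date counts only if it is before now."""
    if value.strip() in ("0", "-1"):
        return True
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when < datetime.now(timezone.utc)


def cache_findings(headers: dict) -> list:
    """Everything that stops this response from being a 'never cache' response."""
    findings = []
    cc = parse_cache_control(headers.get("cache-control", ""))
    for d in sorted(NEVER_CACHE - cc.keys()):
        findings.append(f"Cache-Control lacks '{d}'")
    if cc.get("max-age") not in (None, "0"):
        findings.append(f"Cache-Control max-age={cc['max-age']} permits caching")
    if "public" in cc:
        findings.append("Cache-Control 'public' permits shared caches")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    if "expires" not in headers:
        findings.append("Expires missing")
    elif not expires_in_past(headers["expires"]):
        findings.append(f"Expires '{headers['expires']}' is in the future")
    return findings


def disclosure_findings(headers: dict) -> list:
    """Version-disclosing headers that are present, with their values."""
    return [f"{n}: {headers[n]}" for n in DISCLOSURE if n in headers]


def audit(raw: str) -> dict:
    headers = parse_response(raw)
    return {"cache": cache_findings(headers), "disclosure": disclosure_findings(headers)}


# Constructed sample responses (not captured from any real site).
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Cache-Control: private, max-age=600\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit(raw))
```

Point `audit()` at the text of a response saved from a proxy or `curl -i` and every item it returns maps to one line of a finding; an empty result for both lists is what a login or account page should produce.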


Here is an example of a recent challenge/response form found on a system not to be named. “Answer to What was your first pets name? is too short. Answers must be between 5 and 255.” Sigh. Chip, Ted, Lola, Opus, Kiki, C (the letter, not the language).… Read More


During a project working with Hydra, a network login auditor, we discovered and corrected a buffer-overrun issue with possible security implications, including the auditor being attacked by the auditee. TL;DR: An attacker using Hydra or Medusa can get pwned by the victim website, which responds with a buffer-overrun exploit that gives remote code execution.… Read More


I have a QNAP TS-653A NAS drive that I use for storing most of my files, including terabytes of images, my iTunes collection, etc., etc. Basically, lots of data. But how do I load it up quickly from all of these external drives full of jpgs I still have lying around? It is quicker to copy the… Read More


Announcement: Image Location & Privacy Scanner v0.3. I have completed a large update of the Image Location Scanner software; so many new features, in fact, that it gets a new name: “Image Location & Privacy Scanner”. It now detects serial numbers from the cameras in scanned images and even the camera owner’s name from some Canon… Read More


For a large set of reasons, I have decided to move my blog site from the confines of WordPress to a different hosting solution; thus, http://veggiespam.wordpress.com becomes http://veggiespam.com. WordPress.com has a great advantage: a preexisting userbase, and by moving the site to different hosting, I am giving that up. Since I get few comments on my public and… Read More


How To Track Down Your Ex(if): Adding Jpeg Exif detection to your penetration regimen and learning how to practice Safe (s)Exif. Abstract: We unintentionally distribute GPS data with every photograph, including indoor pictures. This talk will describe a real-world scenario involving a remote education site where teachers & students exposed their confidential home address via profile… Read More
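The GPS leak in the talk above and the serial-number and owner-name detection in the Image Location & Privacy Scanner announcement both come down to walking the Exif IFDs inside a JPEG's APP1 segment. The following is an added example for this page, not the scanner's source and not material from the talk. The JPEG it inspects is constructed inline by `build_sample_jpeg()` with a made-up owner, serial and position; the tag numbers (0x8769 Exif IFD pointer, 0x8825 GPS IFD pointer, 0xA430 CameraOwnerName, 0xA431 BodySerialNumber, GPS tags 1 to 4) are the standard Exif 2.3 assignments.

```python
"""Minimal Exif walker: pulls the GPS position, camera owner name and body
serial number out of a JPEG.  Example code for this page, not the scanner's
source.  The sample JPEG below is constructed with made-up values."""
import struct

# Standard Exif 2.3 tag numbers.
EXIF_IFD, GPS_IFD = 0x8769, 0x8825                 # pointers held in IFD0
OWNER, SERIAL = 0xA430, 0xA431                     # CameraOwnerName, BodySerialNumber
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE ASCII SHORT LONG RATIONAL UNDEFINED


def find_exif(jpeg: bytes):
    """Walk JPEG segments and return the TIFF block inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI / start of scan: no more metadata
            return None
        seg_len, = struct.unpack_from(">H", jpeg, pos + 2)
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + seg_len]
        pos += 2 + seg_len
    return None


def read_ifd(tiff: bytes, off: int, e: str) -> dict:
    """Decode one IFD at offset `off` into {tag: value}; `e` is '<' (II) or '>' (MM)."""
    n, = struct.unpack_from(e + "H", tiff, off)
    out = {}
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, ent)
        size = TYPE_SIZE.get(typ, 1) * count
        vpos = ent + 8                             # value is inline when it fits in 4 bytes
        if size > 4:
            vpos, = struct.unpack_from(e + "I", tiff, vpos)
        raw = tiff[vpos:vpos + size]
        if typ == 2:
            out[tag] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ in (3, 4):
            out[tag] = list(struct.unpack(e + ("H" if typ == 3 else "I") * count, raw))
        elif typ == 5:                             # RATIONAL: numerator/denominator pairs
            q = struct.unpack(e + "I" * (2 * count), raw)
            out[tag] = [q[j] / q[j + 1] if q[j + 1] else 0.0 for j in range(0, 2 * count, 2)]
        else:
            out[tag] = raw
    return out


def dms_to_decimal(dms, ref: str) -> float:
    d, m, s = dms
    val = d + m / 60 + s / 3600
    return -val if ref.upper() in ("S", "W") else val


def scan_privacy(jpeg: bytes) -> dict:
    """Return the privacy-relevant fields found, or {} when there is no Exif."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return {}
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    found = {}
    if EXIF_IFD in ifd0:
        exif = read_ifd(tiff, ifd0[EXIF_IFD][0], e)
        found["owner"], found["serial"] = exif.get(OWNER), exif.get(SERIAL)
    if GPS_IFD in ifd0:
        gps = read_ifd(tiff, ifd0[GPS_IFD][0], e)
        if LAT in gps and LON in gps:
            found["lat"] = dms_to_decimal(gps[LAT], gps.get(LAT_REF, "N"))
            found["lon"] = dms_to_decimal(gps[LON], gps.get(LON_REF, "E"))
    return found


# --- constructed sample: a tiny little-endian Exif JPEG with made-up data ---
def _ascii(s):      return 2, len(s) + 1, s.encode() + b"\0"
def _long(v):       return 4, 1, struct.pack("<I", v)
def _dms(d, m, s):  return 5, 3, struct.pack("<6I", d, 1, m, 1, s, 1)

def _pack_ifd(entries, off):
    """Lay out (tag, type, count, payload) entries at `off`; payloads over 4 bytes follow the IFD."""
    data_off = off + 2 + 12 * len(entries) + 4
    head, tail = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            val = payload.ljust(4, b"\0")
        else:
            val, tail = struct.pack("<I", data_off + len(tail)), tail + payload
        head += struct.pack("<HHI", tag, typ, count) + val
    return head + b"\0\0\0\0" + tail

def build_sample_jpeg() -> bytes:
    exif = _pack_ifd([(OWNER, *_ascii("Jane Doe")), (SERIAL, *_ascii("SN12345678"))], 8)
    gps_off = 8 + len(exif)
    gps = _pack_ifd([(LAT_REF, *_ascii("N")), (LAT, *_dms(40, 41, 21)),
                     (LON_REF, *_ascii("W")), (LON, *_dms(74, 2, 40))], gps_off)
    ifd0_off = gps_off + len(gps)
    ifd0 = _pack_ifd([(EXIF_IFD, *_long(8)), (GPS_IFD, *_long(gps_off))], ifd0_off)
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", ifd0_off) + exif + gps + ifd0
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `scan_privacy()` over the bytes of any uploaded profile picture and a non-empty result is exactly the data the talk warns about leaving in place; stripping the APP1 segment before serving the file is the fix.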


If you haven’t heard, 15 July 2014 is the last day to submit comments to the FCC about Net Neutrality. You can read what people have said on this page and submit your own comments over here on 14-28. Basically, the cable companies argue that they need to get rid of Net Neutrality so they… Read More


I would like to express my thanks to each and every one of you who gave me a nomination for the ISC^2 Board of Directors. Unfortunately, I did not get enough endorsements to meet the ISC^2 minimum, but let’s look at what did happen: I am not a blogger by any stretch. I have zero… Read More