Somewhere in my spam folder today, I noticed this pathetic email, containing my old and no longer valid Linked-In password: I am aware {$Linked-In-Password$} one of your pass word. Lets get directly to the point. You do not know me and you are most likely wondering why you’re getting this mail? No one has compensated… Read More


It’s Here, Version 1.0 The Official v1.0 release of the Image Location & Privacy Scanner has arrived! This security tool plugin for Burp or OWASP ZAP security proxy tools will scan images for privacy exposure including GPS locations, camera serial numbers, even facial recognition tags. See my presentation about this software at this link. Version… Read More


Smoke – A unified means of generating, transmitting, encapsulating, and validating multiple hash digests simultaneously to replace existing stand-alone hash digest software. The software generates digests in parallel and is notably faster than using individual algorithms serially on large files. Smoke operates much the same way as existing hash digest tools, like md5sum, and Smoke… Read More


Background & Summary Existing websites and applications implementing an older password hashing algorithm like MD5 or SHA1 must be upgraded to a more secure algorithm. Both of these older algorithms are obsolete & breakable and if an attacker obtains those hashes from a lost backup tape or website vulnerability, the attacker could make quick work… Read More


Note: I originally posted this blog entry on the Aspect Security blog around 2017-03-16. I am mirroring it here with only formatting changes. Introduction During a project working with Hydra, a Network Login Auditor, we discovered and corrected a buffer overrun issue with possible security implications that might include the auditor being attacked by the… Read More


New Version: Image Location & Privacy Scanner v0.4 I have completed another update of the Image Location & Privacy Scanner, a plugin for Burp or OWASP ZAP security proxy tools. More camera types have their serial numbers detected. With some Panasonic camera, it will also give the name and age of the person in the… Read More


Note: I originally posted this blog entry on the Aspect Security blog around 2015-02-13. I am mirroring it here with only formatting changes. Introduction The spat of SSL and TLS issues over the last year have caused concern about the quality of the encrypted tunnel in Internet communications. The various creatively named BEAST, CRIME, &… Read More


Massive updates: now with Proxy, Tunnel, & Load Balancer configurations. This page is a collection of instructions to remove unnecessary server headers which may be reported as part of a Penetration Test performed by a security engineer or reported via automated tools. I have catalogued these remediation instructions for many technologies in this single site… Read More


Modern Cache Directives As part of each website security vulnerability assessment performed, the security researcher will check that proper caching directives are implemented. In situations where the most extreme “never cache this data” is required, the gold standard HTTP headers recommended by infosec professionals everywhere is:

This advice is problematic and here in this… Read More


A massively updated version of this post is over at https://veggiespam.com/headers/. This page is a collection of instructions to remove unnecessary server headers which may be reported as part of a Penetration Test performed by a security engineer or reported via automated tools. I have catalogued these remediation instructions for many technologies in one place… Read More