Data Exfiltration via Mouse Wiggles

A class of security research out there that is a never-ending source of entertainment is “novel” communication methods. This shows up in many ways in the security industry, including:

- “Novel” C2 communication channels (DropBox, Telegram, DNS, Instagram comments, …)
- “Novel” air gap jumping techniques (HDD lights, high-frequency audio, …)
- “Novel” sideband communication techniques (steganography, communication via processor cache latency)

Ultimately, computers are amazing at encoding data and communicating in various ways, and humans are amazing at inventing new ones.

Optimizing CSS Coverage with Powershell

When optimizing website performance, the performance tools that Google has built are magical. One place I started when working on my site’s revamp was Google’s PageSpeed Insights. After running an analysis on my home page, I saw this warning: Almost a second of my site’s page load time was caused by loading non-critical CSS. You can use the “Coverage” tool in Chrome’s dev tools to dig into this deeper: As you can see, “all.

Statique: Simple Self-Hosted Comments for Static Websites

When hosting a static website or blog, you ultimately have to tackle the question: “What about the comments?” Statique provides a simple, self-hosted option.

BinShred - Parsing Arbitrary Binary Data in PowerShell

When working with raw binary data (especially in security forensics), it is common to need to write parsers for that data: for example, extracting file contents out of the NTFS data structures on disk. For many common data structures, binary parsers already exist that you can leverage, but you’ll still sometimes need to write your own. BinShred is a PowerShell module that lets you do this.
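To show what “writing your own parser” for an on-disk structure involves, here is a hand-written parser for the NTFS boot sector, added as an example for this listing. It is not BinShred and does not use BinShred’s template syntax; it is plain Python with the `struct` module, and the sample sector it parses is constructed inline (the volume geometry, serial number and cluster values are made up). The field offsets are the documented NTFS boot sector layout; the signed “clusters per file record” byte is the kind of edge case a parser has to get right before it can locate a single file record.

```python
import struct
from dataclasses import dataclass


@dataclass
class NtfsBootSector:
    oem_id: bytes
    bytes_per_sector: int
    sectors_per_cluster: int
    total_sectors: int
    mft_cluster: int
    mft_mirror_cluster: int
    file_record_size: int
    volume_serial: int

    @property
    def cluster_size(self) -> int:
        return self.bytes_per_sector * self.sectors_per_cluster

    @property
    def mft_offset(self) -> int:
        # Byte offset of $MFT from the start of the volume: where a carving tool
        # seeks to before it starts walking file records.
        return self.mft_cluster * self.cluster_size


def _record_size(raw: int, cluster_size: int) -> int:
    # "Clusters per file record" is a signed byte. Positive: that many clusters.
    # Negative: the record is 2**(-value) bytes (the usual 0xF6 == -10 => 1024 bytes).
    (signed,) = struct.unpack("<b", bytes([raw]))
    return 2 ** -signed if signed < 0 else signed * cluster_size


def parse_ntfs_boot_sector(sector: bytes) -> NtfsBootSector:
    """Parse the NTFS boot sector (first 512 bytes of the volume)."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    # Layout used here (offset: field, size), all little-endian:
    #   0x0B bytes per sector (2)        0x0D sectors per cluster (1)
    #   0x28 total sectors (8)           0x30 $MFT start cluster (8)
    #   0x38 $MFTMirr start cluster (8)  0x40 clusters per file record (1, signed)
    #   0x48 volume serial number (8)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mft_mirror = struct.unpack_from("<QQQ", sector, 0x28)
    (volume_serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    if cluster_size == 0:
        raise ValueError("zero cluster size")
    return NtfsBootSector(
        oem_id=sector[3:11],
        bytes_per_sector=bytes_per_sector,
        sectors_per_cluster=sectors_per_cluster,
        total_sectors=total_sectors,
        mft_cluster=mft_cluster,
        mft_mirror_cluster=mft_mirror,
        file_record_size=_record_size(sector[0x40], cluster_size),
        volume_serial=volume_serial,
    )


def is_ntfs_boot_sector(sector: bytes) -> bool:
    try:
        parse_ntfs_boot_sector(sector)
        return True
    except ValueError:
        return False


def build_sample_sector() -> bytes:
    """Constructed sample: a boot sector for a 4 GiB volume with 4 KiB clusters."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"                       # jump instruction
    sector[3:11] = b"NTFS    "
    struct.pack_into("<HB", sector, 0x0B, 512, 8)       # 512 B sectors, 8 per cluster
    sector[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<QQQ", sector, 0x28, 8388607, 786432, 2)
    sector[0x40] = 0xF6                                 # -10 => 1024-byte file records
    sector[0x44] = 0x01                                 # one cluster per index buffer
    struct.pack_into("<Q", sector, 0x48, 0x1234567890ABCDEF)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    bs = parse_ntfs_boot_sector(build_sample_sector())
    print(f"cluster size {bs.cluster_size}, file records {bs.file_record_size} bytes")
    print(f"$MFT at byte offset {bs.mft_offset:#x}, serial {bs.volume_serial:#018x}")
```

Run against a real volume, `sector` would be the first 512 bytes read from the raw device; the parser validates the OEM ID and signature first so that a stray sector from the wrong offset fails loudly instead of yielding a nonsense `$MFT` offset.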

Using Bloom Filters to Efficiently Filter Out "Known Good"

There are many times in security investigations where we want to quickly filter out “Known Good” and only focus on what remains. Bloom Filters are an excellent way to accomplish this.
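A worked version of that idea, added here as an example and not code from the post itself: a Bloom filter loaded with a baseline of “known good” file hashes, then used to drop those hashes from a set observed on an endpoint. The baseline and observed hashes are constructed sample data, the sizing formulas are the standard ones for a target false-positive rate, and the double-hashing scheme (all k bit positions derived from one SHA-256 digest) is one common implementation choice, not something the post prescribes.

```python
import hashlib
import math
from typing import Iterator, List


class BloomFilter:
    """Fixed-size Bloom filter: never a false negative, tunable false-positive rate."""

    def __init__(self, expected_items: int, false_positive_rate: float = 0.01) -> None:
        # Standard sizing: m bits and k probes for n items at target rate p.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item: bytes) -> Iterator[int]:
        # Double hashing: derive all k bit positions from two 64-bit halves of a
        # single SHA-256 digest instead of running k independent hash functions.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:16], "little") | 1  # never a zero step
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        # All k bits set => "probably known good"; any bit clear => definitely unknown.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def estimated_false_positive_rate(self) -> float:
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def build_known_good(hashes: List[str], false_positive_rate: float = 1e-6) -> BloomFilter:
    bf = BloomFilter(len(hashes), false_positive_rate)
    for h in hashes:
        bf.add(h.lower().encode())
    return bf


def filter_unknown(observed: List[str], known_good: BloomFilter) -> List[str]:
    """Keep only what the filter cannot vouch for. Nothing in the baseline is ever
    reported, because a Bloom filter cannot produce false negatives."""
    return [h for h in observed if h.lower().encode() not in known_good]


# Constructed sample data: a "gold image" baseline of 1000 fake file hashes, and an
# observed set from an endpoint containing 20 baseline files plus three newcomers.
BASELINE = [hashlib.sha256(b"baseline-file-%d" % i).hexdigest() for i in range(1000)]
OBSERVED = BASELINE[::50] + [hashlib.sha256(b"dropper-%d" % i).hexdigest() for i in range(3)]

if __name__ == "__main__":
    known_good = build_known_good(BASELINE)
    print(f"{known_good.m} bits, {known_good.k} probes, {len(known_good.bits)} bytes total")
    print(f"estimated false-positive rate: {known_good.estimated_false_positive_rate():.2e}")
    for h in filter_unknown(OBSERVED, known_good):
        print("needs a look:", h)
```

The direction of the filter matters. Filtering out known good means a false positive hides something unknown, so size the filter for the miss rate you can tolerate (here one in a million at about 3.5 KB for a thousand entries) rather than for memory alone; a thousand full SHA-256 hex strings would take roughly 64 KB as a plain set.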

Resolving error Intune "The sync could not be initiated (0x80190190)"

If you’re running into the following error trying to get a device to sync with Intune:

The sync could not be initiated (0x80190190)

You probably have checked the Windows Event Log and also seen this error:

MDM Session: OMA-DM message failed to be sent. Result: (Bad request (400).).

I recently ran into this situation, and the cause was that I had opted into the Windows 10 default of signing in with a Microsoft Account.

Work Simulator 2020

It’s March 4, 2020. A pandemic grips the world, so you’re working from home. Can you last the month?

List of InfoSec Cognitive Biases

The mind is an incredibly complex organ. While all of us attempt to be mostly logical and rational in our day-to-day thought processes and decision making, we are hampered by an enormous number of cognitive biases. Cognitive biases are specific natural tendencies of human thought that often result in irrational decision making, and there are hundreds of them. Everybody has them and is impacted by them – it is only through awareness that you can take steps to counteract them.

Client IP Address Disclosure in various consumer mail servers

Summary

When email users of several email services send mail using mechanisms other than that service’s web interface (i.e.: their phone or laptop’s email program), services commonly include the user’s IP address in message headers. This information disclosure lets recipients of these messages learn privacy-invasive details, such as:

- Approximate geographical location of the sender
- Correlation of separate email addresses sent by the same sender
- Broadband and / or cellphone provider

Users looking to send email in a manner that keeps this information private from message recipients should use either the web interface or an alternative mail provider.
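A check for the disclosure described above, added here as an example (it is not code from the post): parse the `Received` headers of a message, find the hop that accepted it from the originating client, and report any routable address that hop recorded. The two messages are constructed samples using RFC 5737 documentation addresses and made-up hostnames; the first models a phone submitting through the provider’s authenticated submission port, the second the same provider’s web interface. Because the documentation ranges are classified as non-global by Python’s `ipaddress` module, the example checks the LAN and loopback ranges explicitly instead of using `is_global`.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Optional

# Constructed sample: Alice's phone submitted the mail to her provider's server,
# which added a Received header naming the phone's public address.
LEAKY_MESSAGE = """\
Received: from smtp-out.mail.example (smtp-out.mail.example [192.0.2.25])
    by mx.recipient.example with ESMTPS; Tue, 10 Mar 2020 09:15:02 -0700
Received: from [192.168.1.23] (cpe-203-0-113-45.isp.example [203.0.113.45])
    by smtp-out.mail.example with ESMTPSA id q7b2k; Tue, 10 Mar 2020 09:15:01 -0700
From: alice@mail.example
To: bob@recipient.example
Subject: hello

body
"""

# Same provider, but sent from its web interface: the first hop is an internal host.
WEBMAIL_MESSAGE = """\
Received: from smtp-out.mail.example (smtp-out.mail.example [192.0.2.25])
    by mx.recipient.example with ESMTPS; Tue, 10 Mar 2020 09:20:02 -0700
Received: from webmail.mail.example (webmail.mail.example [10.4.5.6])
    by smtp-out.mail.example with ESMTP id q7b2m; Tue, 10 Mar 2020 09:20:01 -0700
From: alice@mail.example
To: bob@recipient.example
Subject: hello again

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Addresses that cannot identify a sender to the outside world. Listed explicitly
# because the samples use RFC 5737 documentation ranges, which ipaddress would
# also reject if we relied on is_global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_routable(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def first_hop(msg: Message) -> Optional[str]:
    # Each relay prepends its own Received header, so the last one in the message
    # is the hop that accepted the mail from the originating client.
    received = msg.get_all("Received", [])
    return received[-1] if received else None


def disclosed_client(raw_message: str) -> Dict[str, object]:
    msg = message_from_string(raw_message)
    hop = first_hop(msg)
    if hop is None:
        return {"client_ip": None, "authenticated_submission": False}
    # "with ESMTPA" / "with ESMTPSA" (RFC 3848) mark an authenticated submission,
    # i.e. a user's own mail program talking to the provider, not a relay hop.
    authenticated = bool(re.search(r"\bwith\s+ESMTPS?A\b", hop))
    routable = [ip for ip in IPV4.findall(hop) if is_routable(ip)]
    return {"client_ip": routable[0] if routable else None,
            "authenticated_submission": authenticated}


if __name__ == "__main__":
    for name, raw in (("phone", LEAKY_MESSAGE), ("webmail", WEBMAIL_MESSAGE)):
        print(name, disclosed_client(raw))
```

To test a real provider, send yourself a message from a phone or desktop client, save it with full headers, and feed the raw text to `disclosed_client`; a non-`None` `client_ip` on an authenticated submission hop is exactly the disclosure the summary describes. Providers that strip or rewrite the first hop will show `None` here.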

Searching for Content in XOR "Encrypted" Data

A while back, we talked about a common challenge in the security industry – searching for some known bad content (e.g.: “Invoke-WebRequest”) in content that you know has been encoded in base64. In a really cool bout of co-discovery, others simultaneously wrote similar implementations. Since then, this approach has been in the process of being integrated into YARA. Very cool times! Another situation you might have run across is malware authors “encrypting” their content with a static XOR key – a process I like to call “encraption”.
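Two ways to search for a known string inside data that has been XORed with an unknown single-byte key, added here as an example and not the post’s own implementation. The first transforms the short needle under all 256 keys and searches the untouched haystack, the same shape as the base64 approach (transform the needle, not the data). The second goes further than the text and is a generalization: XORing each byte with its neighbour cancels a constant key, so one search over that “differential” finds every single-byte-key encoding at once and the key falls out of the first matched byte. The haystack is constructed inline: a made-up command line under key 0x5A and a bare copy of the needle under key 0x13.

```python
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_bruteforce(haystack: bytes, needle: bytes) -> List[Tuple[int, int]]:
    """Encode the short needle under each of the 256 single-byte keys and search the
    haystack as-is: 256 cheap searches instead of 256 decryptions of the haystack.
    Returns (offset, key) pairs; key 0 means the needle appears in the clear."""
    hits = []
    for key in range(256):
        encoded = xor_bytes(needle, key)
        start = 0
        while (idx := haystack.find(encoded, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


def differential(data: bytes) -> bytes:
    # XOR each byte with its successor. A constant key k cancels out:
    # (a ^ k) ^ (b ^ k) == a ^ b, so the result is identical under every
    # single-byte key, including the plaintext (key 0).
    return bytes(data[i] ^ data[i + 1] for i in range(len(data) - 1))


def find_xored_keyless(haystack: bytes, needle: bytes) -> List[Tuple[int, int]]:
    """One pass, no key loop: match the key-independent differential of the needle
    against the differential of the haystack, then read the key off the first byte.
    A window matches exactly when it equals needle XOR some constant, so this finds
    the same hits as brute force."""
    if len(needle) < 2:
        raise ValueError("needle must be at least 2 bytes to have a differential")
    sig, hay_sig = differential(needle), differential(haystack)
    hits = []
    start = 0
    while (idx := hay_sig.find(sig, start)) != -1:
        hits.append((idx, haystack[idx] ^ needle[0]))
        start = idx + 1
    return hits


NEEDLE = b"Invoke-WebRequest"

# Constructed sample haystack: 16 bytes of padding, a made-up command line
# "encrapted" with key 0x5A, a CRLF, the bare needle under key 0x13, more padding.
PLAIN_COMMAND = b"powershell -nop Invoke-WebRequest -Uri http://example.invalid/p"
SAMPLE_HAYSTACK = (
    bytes(16)
    + xor_bytes(PLAIN_COMMAND, 0x5A)
    + b"\r\n"
    + xor_bytes(NEEDLE, 0x13)
    + bytes(8)
)

if __name__ == "__main__":
    for offset, key in find_xored_keyless(SAMPLE_HAYSTACK, NEEDLE):
        recovered = xor_bytes(SAMPLE_HAYSTACK[offset:offset + len(NEEDLE)], key)
        print(f"offset {offset}: key {key:#04x} -> {recovered!r}")
```

The differential trick only cancels a key that is constant across the needle, so it covers single-byte keys; for a repeating multi-byte key of length n, compare each byte with the byte n positions later instead, and try each candidate n.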