KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

The ‘RID’ vulnerability is not a vulnerability…

Recently a “researcher” has gone on a marketing blitz trying to convince the world he found a vulnerability that doesn’t exist.  This vulnerability has been dubbed ‘RID Exploitation.’  According to this researcher, the RID is the relative identifier at the end of a SID (security identifier) that generally denotes the level of access an account…

Daily Reminder: Listen More, Talk Less

This is a reminder to listen more and talk less.  Don’t be one of the masses that talks without knowledge, experience, or data.  Everyone appears to be a subject matter expert on everything these days.  Unless you have empirical data and/or first-hand knowledge of a specific subject… let someone else respond. We are in an…

How to lose an InfoSec job before you’re hired

Recently I have seen many posts from out-of-work security researchers who are looking for gainful employment.  It is never a bad idea to exhaust every resource you can when looking for a job, but you should be mindful about the request you are making, the demands you have, and the impact to your acquisition of…

Stephen Hawking, the future, and women

Stephen Hawking passed away today at the age of 76.  Many thought it would come much earlier in his life.  Many thought it would never happen because he was a super genius from another dimension (sarcasm).  Regardless, the world lost one of the most brilliant and beautiful minds ever known to the planet Earth. Stephen…

Gutting Net Neutrality is an attempt to control information

What is Net Neutrality? Net Neutrality is a simple concept.  At its most basic, it is an order that all internet traffic must be treated equally without regard to source, destination, or monetary compensation.  This means that the traffic from The Washington Post and The Intercept must be treated the same as traffic from…

SQL 2016 + Dynamic Data Masking = Exposure

Starting with SQL 2016, Microsoft has included a new “security” feature called Dynamic Data Masking, or DDM for short.  This new feature is supposed to allow you to secure data by masking it to people who should not have access.  For example, if you are a DBA and you have a database with PCI (Credit…

How to get hacked with source code mismanagement

I have spent a great deal of time researching the best way to avoid security exposure via source control.  This has become a hot-button issue right now due to the Deloitte hack.  As it turns out, one of their developers checked in a file to GitHub that actually has VPN credentials in it.  Looking back…

Classified Information

First, let me say that I am a self-contradicting person.  I am a collector of knowledge.  I seek information that is hard to find or I shouldn’t know.  The reason is simple, with knowledge comes power… the power to make informed decisions instead of blindly following whatever you are told.  Instead, I seek to get…

Password managers and how you are using them wrong

Anyone who is even semi-competent online knows how difficult it can be to manage passwords.  Most people have 15 accounts online at a bare minimum.  Managing passwords for many accounts becomes difficult.  Generally, people take one of three options to solve this issue: Use the same password for most accounts with special ones only for…

Memorial Day 2017

Memorial Day is here again.  This is the time of year we reflect on our lives, our freedoms, and most importantly, the people who gave their lives for you to have your life.  This is not Veterans Day; this is specifically to remember those who have died in the name of The United States of…