KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

SQL 2016 + Dynamic Data Masking = Exposure

Starting with SQL 2016, Microsoft has included a new “security” feature called Dynamic Data Masking, or DDM for short.  This new feature is supposed to allow you to secure data by masking it to people who should not have access.  For example, if you are a DBA and you have a database with PCI (Credit…

How to get hacked with source code mismanagement

I have spent a great deal of time researching the best way to avoid security exposure via source control.  This has become a hot-button issue right now due to the Deloitte hack.  As it turns out, one of their developers checked in a file to GitHub that actually has VPN credentials in it.  Looking back…

Classified Information

First, let me say that I am a self-contradicting person.  I am a collector of knowledge.  I seek information that is hard to find or I shouldn’t know.  The reason is simple, with knowledge comes power… the power to make informed decisions instead of blindly following whatever you are told.  Instead, I seek to get…

Password managers and how you are using them wrong

Anyone who is even semi-competent online knows how difficult it can be to manage passwords.  Most people have 15 accounts at a bare minimum online.  Managing passwords for many accounts becomes difficult.  Generally, people take one of three options to solve this issue: Use the same password for most accounts with special ones only for…

Memorial Day 2017

Memorial Day is here again.  This is the time of year we reflect on our lives, our freedoms, and most importantly, the people who gave their lives for you to have your life.  This is not Veterans Day; this is specifically to remember those who have died in the name of The United States of…

Pi – 3/14 @ 1:59:26 AM

Pi is a number that has enamored people for hundreds of years.  While it is much older and was known far longer, it recently (within the last 250-ish years) became super popular.  Here are some facts to think about on Pi Day: Pi as a calculation has been known for over four thousand years. Babylonians and…

Vault 7: An attack on The United States of America

On Tuesday March 7th, 2016, WikiLeaks posted a trove of stolen files and data sourced from inside the Central Intelligence Agency.  This information was posted to the WikiLeaks website with a press release claiming the need for transparency to protect users.  This is just the first release in a long line they have set up for…

Arris Modem Vulnerability – Updated 3/14

Arris is one of the single largest providers of cable internet modems in the United States and around the world.  I was playing around with this a bit tonight while bored and came up with a simple way to cause someone to reboot their modem just by visiting a page. The controls for configuration changes on Arris modems…

Let’s get some self-respect back

I see a lot of arguments between people who have no clue about the truth behind the topics and points being argued. I miss the old days of the internet being solely for cat videos and pictures of what people ate for dinner. I always thought that was stupid… but it sure beat watching people…

How to enable Authentication on your MongoDB instance

This is a quick post on enabling authentication on your MongoDB instance, but the first thing you should do is bring the MongoDB instance inside your network if possible.  If it is not exposed externally, there is a far lower chance of intrusion. The second thing is to create an administrator account that will be used for…
