CatsCrdl

Daniel's thoughts on infosec and trading

Regarding SMS 2FA

Responding to Tavis Ormandy's comments on SMS 2FA

Daniel Wyleczuk-Stern

4-Minute Read

Two Factor Authentication

I think an important question that Tavis either explicitly or accidentally omitted is “for whom”. I am not sure why he did not include this as it’s a critical component to his argument. If Tavis is stating that “SMS 2FA is ineffective for an enterprise”, then I would agree. The threat model that he is operating from is that an organization is being explicitly targeted by a motivated (though not necessarily extremely capable) attacker, who only needs minimal access…

Demonstrating the Future of Command and Control with Wikipedia

This tool demonstrates what I believe will be the future of Command and Control (C2) for Red Teams and potentially Advanced Persistent Threats (APTs). With Domain Fronting slowly being killed by major CDNs and security teams getting better at looking for unusual sites (I still love that detection for new sites encrypted with LetsEncrypt certificates), Red Teams will look for alternate ways to hide their traffic. What better way than to utilize features of common sites that users are visiting anyway?

Daniel Wyleczuk-Stern

2-Minute Read

Wikipedia

This work was inspired by the work of my coworker Josh Abraham to demonstrate alternative forms of Command and Control. Some of his POCs included demonstrations using Slack and ICMP for C2. While these techniques aren't revolutionary, the simplicity of the POCs and how hard they were to detect confirmed my suspicion that the future of C2 is going to be tunneling traffic via features of well-known applications.

Open Source SaaS Reconnaissance Utilizing Subdomains

Investigations into enumeration of an organization's SaaS tooling

Daniel Wyleczuk-Stern

4-Minute Read

SaaS

On a recent Purple Team engagement, I was accessing the client's Splunk Cloud instance. Being my normal typo-filled self, I fat-fingered the URL and went to clieent.splunkcloud.com instead of the correct client.splunkcloud.com. Instead of being redirected to the login portal, I received a DNS resolution error, fixed the typo, and moved on. A little while later, I was thinking about the typo again and wondered how this information leakage could be utilized by an attacker. To back up a little, a…

About

A random collection of thoughts on cybersecurity and finance.