DROWNing in bad crypto

If you are still running SSL to “protect” your website at all, you need to shut it off. Yes, really.

If you have some kind of load balancer in front of your server, disable SSL on that also.

Using SSL on a mailserver? Kill it there too.

SSL is seriously broken (see: CRIME, BEAST, BREACH, FREAK, and now DROWN). It does not protect data, though it may appear to.

If you want to keep data safe, configure your system to use TLS only, enable HSTS, and accept only strong cipher suites. Sound complicated? It’s really not.

Here are some configuration examples to get you rolling.
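An added configuration example, not from the original post: an nginx server block that still speaks SSLv3 and accepts legacy cipher aliases, the same block restricted to TLS with forward-secret AEAD suites and an HSTS header, and a small shell audit that flags the settings the three rules above call out. nginx is an assumption (the post names no particular server); the directives are real nginx directives, and both server blocks are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. nginx is assumed as the web
# server; the directives used are real nginx directives. The two server
# blocks are constructed samples, not configuration from any real host.

# Constructed: a server block that still speaks SSLv3 and accepts legacy
# cipher aliases, and sends no HSTS header.
WEAK_CONF='
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4:!aNULL;
}
'

# Constructed: the same block limited to TLS 1.2/1.3, AEAD suites with
# forward secrecy only, and an HSTS header on every response.
STRONG_CONF='
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
'

# audit_tls_config CONFIG_TEXT
# Prints one FINDING line per problem and returns the number of findings,
# so 0 means the block meets the three rules: TLS only, strong suites, HSTS.
audit_tls_config() {
    # Drop comments so a commented-out directive is not mistaken for a live one.
    atc_conf=$(printf '%s\n' "$1" | sed 's/#.*$//')
    atc_findings=0

    atc_protos=$(printf '%s\n' "$atc_conf" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' | head -n 1)
    if [ -z "$atc_protos" ]; then
        echo "FINDING: no ssl_protocols directive; the build default decides which protocols are offered"
        atc_findings=$((atc_findings + 1))
    elif printf '%s\n' "$atc_protos" | grep -Eq 'SSLv2|SSLv3'; then
        echo "FINDING: SSL still enabled:$atc_protos"
        atc_findings=$((atc_findings + 1))
    fi

    atc_ciphers=$(printf '%s\n' "$atc_conf" | grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' | head -n 1)
    if [ -z "$atc_ciphers" ]; then
        echo "FINDING: no ssl_ciphers directive"
        atc_findings=$((atc_findings + 1))
    else
        # Look at each OpenSSL cipher-list token; tokens starting with '!' are exclusions.
        atc_weak=$(printf '%s\n' "$atc_ciphers" \
            | sed -E 's/^[[:space:]]*ssl_ciphers[[:space:]]+//; s/;.*$//' \
            | tr ':' '\n' | grep -v '^!' \
            | grep -E 'RC4|DES|EXPORT|NULL|MD5|^(MEDIUM|LOW|ALL|DEFAULT|COMPLEMENTOFDEFAULT)$' || true)
        if [ -n "$atc_weak" ]; then
            echo "FINDING: weak cipher tokens: $(printf '%s' "$atc_weak" | tr '\n' ' ')"
            atc_findings=$((atc_findings + 1))
        fi
    fi

    if ! printf '%s\n' "$atc_conf" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "FINDING: no Strict-Transport-Security header"
        atc_findings=$((atc_findings + 1))
    fi

    return "$atc_findings"
}

echo "== weak config =="
audit_tls_config "$WEAK_CONF" || echo "-> $? finding(s)"
echo "== hardened config =="
audit_tls_config "$STRONG_CONF" && echo "-> clean"
```

Run it against your own nginx files with `audit_tls_config "$(cat /etc/nginx/sites-enabled/example)"`; a load balancer or mail server in front of the web tier needs the same three checks on its own configuration, since a terminating proxy that still speaks SSL undoes the hardening behind it.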


how do you become a hacker?

I sometimes get asked how one can develop the skills needed to do what I do for a living. This is a tricky thing to answer, because being a good hacker ultimately means you think “wrong”, not just that you understand tech.

When I interview people for a job, of course I’m looking to see if you have technical chops. More importantly though, I’m looking to see how you think, and how you handle unexpected things.

That “hacker mindset” quality is hard to define, tough to extract over the course of a brief interview, and impossible to teach. We can bring people up to speed in tech stuff, business stuff, project management stuff, etc., but thinking crooked, that’s not really a teachable skill; you either do it, or you don’t.

All that said, understanding tech is definitely a requirement, and fortunately there are tons of ways to gain skills in this (one fantastic resource for this is the book “The Web Application Hacker’s Handbook” written by PortSwigger).

There are a bunch of resources online as well (free in most cases), so I threw together a small list of some quality sites that teach tech/hacking:


Basics of Computing



This list is obviously not exhaustive, or even complete really, but hopefully it’s useful to someone.

Another recommendation I would make to anyone looking to get into this field, is definitely get to a hacker con – specifically one like BSides. These are pretty much everywhere at this point, and are very good for learning new things and getting a feel for what hacker culture is like.

Adding BurpSuite CA To The Java Keystore

Just a quick tech note for my own reference in the future.

While testing a Java based thick client, I discovered the developers had left an option to set a proxy right inside the app (handy!). That meant I could throw all the app traffic through BurpSuite, and manipulate it as I wished.

The problem I ran into was that Java didn’t trust the Burp CA. To get around that, I needed to add the CA to the default Java keystore. That turned out to be simple enough; the main thing to know was where the Java keystore is stored:

    $JAVA_HOME/jre/lib/security/cacerts

and what the password is:

    changeit

Once I had those, importing was painless:

$ keytool -import -trustcacerts -file ~/burp.cer -alias BURPSUITE -keystore $JAVA_HOME/jre/lib/security/cacerts

Enter keystore password: changeit

Owner: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger 
Issuer: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger 
Serial number: 563a4f3e 
Valid from: Wed Nov 04 13:32:30 EST 2015 until: Tue Oct 30 14:32:30 EDT 2035 
Certificate fingerprints: 
        MD5:  AF:5E:1C:E9:D5:18:4B:EC:7D:E3:6C:C7:91:BE:11:F0 
        SHA1: D5:5E:D4:2B:BC:4D:D0:0F:A2:04:97:AC:B8:1E:EB:DA:95:94:60:DB 
        SHA256: 73:F6:FF:6B:63:9C:E6:80:86:A3:63:C6:C5:08:77:F1:69:DA:71:34:4A:E5:7E:1B:33:5A:4B:F4:FD:1F:E1:6
        Signature algorithm name: SHA256withRSA 
        Version: 3 


#1: ObjectId: Criticality=true 

#2: ObjectId: Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 20 1C 1C 67 C2 21 B5 73   21 88 E2 77 6C 1D 2E 80   ..g.!.s!..wl... 
0010: 97 8E B2 D7                                        .... 

Trust this certificate? [no]:  yes 
Certificate was added to keystore
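The same import wrapped in the checks a tester wants around it, as an added example that is not from the original post: it finds cacerts under either the JDK 8 layout used above (`jre/lib/security`) or the JDK 9+ layout (`lib/security`, where the jre/ level was dropped), refuses to import a certificate whose SHA-256 fingerprint is not the one you exported from Burp, skips the import if the alias is already present, and backs the trust store up first so it can be restored after the engagement. It assumes `keytool` from the JDK is on PATH and the default store password `changeit`; the certificate path, alias and expected fingerprint are hypothetical arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes keytool is on PATH and
# the Java trust store still uses the JDK default password "changeit".
# Certificate file, alias and expected fingerprint are hypothetical arguments.

# find_cacerts JAVA_HOME
# JDK 8 keeps cacerts under jre/lib/security; JDK 9+ dropped the jre/ level.
# Prints the first path that exists, returns 1 if neither does.
find_cacerts() {
    for fc_candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$fc_candidate" ]; then
            printf '%s\n' "$fc_candidate"
            return 0
        fi
    done
    return 1
}

# normalize_fp FINGERPRINT
# Upper-cases and strips colons/spaces so "d5:5e:..." and "D55E..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# cert_sha256 CERT_FILE
# SHA-256 fingerprint of a DER or PEM certificate, taken from keytool -printcert.
cert_sha256() {
    keytool -printcert -file "$1" | awk '/SHA256:/ { print $2; exit }'
}

# import_ca CERT_FILE ALIAS EXPECTED_SHA256 [JAVA_HOME]
import_ca() {
    ic_cert=$1; ic_alias=$2; ic_expected=$3
    ic_jhome=${4:-${JAVA_HOME:?set JAVA_HOME or pass it as the 4th argument}}
    ic_store=$(find_cacerts "$ic_jhome") || { echo "no cacerts under $ic_jhome" >&2; return 1; }

    # Only trust the CA you exported yourself: compare fingerprints before importing.
    ic_actual=$(cert_sha256 "$ic_cert")
    if [ "$(normalize_fp "$ic_actual")" != "$(normalize_fp "$ic_expected")" ]; then
        echo "fingerprint mismatch for $ic_cert: got $ic_actual" >&2
        return 1
    fi

    # Idempotent: keytool -list exits non-zero when the alias is absent.
    if keytool -list -alias "$ic_alias" -keystore "$ic_store" -storepass changeit >/dev/null 2>&1; then
        echo "alias $ic_alias already present in $ic_store"
        return 0
    fi

    # Keep a copy so the trust store can be restored when testing is done.
    cp -p "$ic_store" "$ic_store.bak.$(date +%Y%m%d%H%M%S)"
    keytool -importcert -noprompt -trustcacerts -alias "$ic_alias" -file "$ic_cert" \
        -keystore "$ic_store" -storepass changeit
}

# Usage (placeholder fingerprint; paste the SHA-256 shown by Burp's CA export):
#   import_ca ~/burp.cer BURPSUITE <sha256-from-burp-export> "$JAVA_HOME"
# Remove the CA again when the engagement ends:
#   keytool -delete -alias BURPSUITE -keystore "$(find_cacerts "$JAVA_HOME")" -storepass changeit
```

Leaving an interception CA in a developer or tester JVM's trust store after the job is the main risk here: anyone holding that CA's key can then impersonate any TLS server to every Java application on the machine, which is why the script keeps the `.bak` copy and the usage note ends with `keytool -delete`.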