Skip to main content

Grant Potter

Grant Potter

Such a beautiful voice ... The Voices of Annie Briggs http://www.bbc.co.uk/programmes/b07syrrs

Grant Potter

Grant Potter

outstanding tribute on @wfmu @3ChordMonteShow this week https://wfmu.org/archiveplayer/?show=71691&archive=149498&starttime=

Grant Potter

#Budget2017 here's hoping that $50 million goes to libraries and not #codingbootcamp startups

Grant Potter

Grant Potter

Tactics, Techniques, and Procedures

  • He identified peripheral web servers via Google and Linkedin searches
  • Used known WordPress flaws and custom bugs to compromise PHP sites
  • Linux authentication mechanisms were altered to capture credentials
  • Nmap was used to identify exposed network services internally
  • Corporate Wikis revealed administrative workflows and VPN details
  • Ticketing, bug tracking, and version control systems provided secrets (e.g. cryptographic keys, seeds, hashes, credentials, and source code)
  • Cookies from weak non-production instances (e.g. staging) were valid in production as cryptographic materials were the same — bypassing 2FA
  • Client certificates (exposed by email, ticketing, or lifted from filesystems) were combined with known credentials to access corporate VPNs
  • Engineering credentials were used to commit backdoors to version control which were self-approved and later deployed into production

Grant Potter

Grant Potter

Quill is a simple client for creating posts on your own website. https://quill.p3k.io/docs

Grant Potter