I am currently employed as a Senior Application Security Engineer at Netflix. Before Netflix, I was a Senior Application Security Consultant at Neohapsis and an Adjunt Professor at DePaul univeersity.
My expertise lies in software security, security research, network penetration testing, and security architecture. I have contributed and developed a number of tools for attack and defense. I have also written tools in Python, Ruby on Rails, JavaScript, and Bash. You can visit my github page for more information on my research projects and tools.
I also love speaking and presenting my research. In the past few years I have presented research at DEF CON, Derbycon, Security Forum Hagenberg, Shakacon, ISACA, Security B-sides and various local secuirty meetups.
I have a Master’s of Science in Network Security from DePaul University and have the GPEN certification from SANS institute.
I'm an avid musician and have been playing in heavy metal and obscure rock bands for the last decade. I also make electronic music as well as produce hip hop. You can hear some of my audio projects on Bandcamp and Soundcloud
In this talk we demonstrated the concept and design of the Ensnare framework. We also demonstrated how Ensnare can be used and customized to provide a unique protection against web application security threats.
This session was a combination of short micro talks and a workshop geared at getting you the tools needed to understand and implement CSP.
This talk looked into what Content-Security Policy is and how it works. We then stepped through a variety of metrics from popular websites, taking into considerations which sites are already using CSP and which sites may have issues implementing this technology. Some strategies will be discussed to overcome the hurdles of implementing CSP.
This talk discussed the SLAAC IPv6 attack as well as some issues with the current approach to the attack. We discussed how the attack works as well as discussed our automation strategy and some pitfalls we uncovered. Wealso released "Sudden Six", an attack automation script and demonstrated the attack against Windows 8.
The defensive side of web application security is moving at a very rapid pace and deserves to be investigated and presented in a way that is useful for both developers and hackers. We have seen a surge of proposed standards and governing documents to improve web security. We looked at the intricacies of the proposed and accepted standards as well as how they are implemented.
Blind SQL injection can be a pain to exploit. Tools that help you exploit Blind SQL injection often don't work on weird or complex SQL injection vulnerabilities. BBQSQL is juicy and sweet and will make all of your BSQLI worries fade away. This talk covered why you need BBQSQL, game changing features such as hooks and a slick UI, and gave examples on how to work it into an application testing methodology.
Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk introduced a new tool called BBQSQL that attempts to address these concerns. This talk focused on a brief discussion of SQL Injection and Blind SQL Injection. It then segued into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk covered how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool.
This talk discussed modern trends in web shell obfuscation, demonstrated techniques to detect them, and discussed some additional mechanisms in NeoPI scanning tool to aid in the identification of obfuscated web shells.
Presentation at Security B-Sides Chicago discussed trends in web shells, methods used to obfuscate them, and an overview of NeoPI to aid in the detection of web shells.
Sketchy is a task based API for taking screenshots and scraping text from websites.
Scumblr is a web application that allows performing periodic searches and storing / taking actions on the identified results. I helped develop a number of search plugins for this project.
CSP Playground is a utility to let you test drive Content Seuciry Policy as well as validate your own policies.
CSP Playground is a utility to let you test drive Content Security Policy as well as validate your own policies.
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files.
BBQSQL is a sql injection framework that utilizes concurrent attacks, menu based configuration, and statistical heuristics to speed up data exfiltration.
Python utility to automate the SLAAC IPv6 attack.
Using impersonation as an attack, a method known as social pretexting, is increasingly common and poses a serious risk to end users and businesses alike, from extracting secrets to planting seeds for future data theft. Pretexting isn't limited to teenagers setting up fake profiles to smear people or get secrets from their friends. NATO's supreme commander, James Stavridis, was also a target, and while nothing has been confirmed publicly, it is believed that the exploit resulted in some degree of elicitation of data from his associates.
Neohapsis conducted a field study to demonstrate the potential damage a pretexting attack may have on an enterprise. We decided to build a believable but fake security professional and use that persona to try to get information from people who should know better--other security pros.
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. This article discusses some of the common trends in web malware obfuscation, techniques to detect them, and an overview of the NeoPI python tool.
Information security professionals are dancing on the edge, hoping some mix of technology, education and hard work will keep our organizations safe. But lately, the tempo has changed, and the specter of failure is looming large. The analytics portion of this cover article for Information Week goes in-depth into how infective antivirus software is at detecting malware.