7 Minute Security
Today we have a fun featured interview with my new friend Stu Musil of I had a great time talking with Stu about bashing some common misconceptions people have about working with recruiters, plus tackling some frequently asked questions:
- How do you properly vet a recruiter you don't know, but who offers a job opportunity you're interested in?
- What questions should you ask a potential recruiter to get a feel for their level of experience in the industry? (Hint: if a recruiter doesn't even have a LinkedIn page, that's probably a red flag.)
- Resume tips: Finding the right...
Hey friends, today we talk about some not-so-glamorous but ever-so-important stuff related to running a cybersecurity consultancy, including:
- Taking an inventory of all the SaaS stuff your business uses, to keep an eye on spending, know when services are expiring, and track which credit card each service is tied to (so the services don't almost get cancelled like some did with me!)
- Tracking domain names, and setting up your own automated rules to notify you well ahead of time when a domain is expiring (maybe that passion project is never gonna happen... time to let those old...
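One way to build the "notify me well ahead of expiry" rule mentioned above, as an added example that is not code from the 7MS episode: parse the RDAP record for each domain (RFC 9083 puts the expiry in the "events" array under eventAction "expiration"), compute the days remaining, and decide which reminder tier fires. The RDAP documents, the domain names and the 60/30/7-day thresholds below are constructed for the example; in production you would fetch https://rdap.org/domain/<name> (or the registry's own RDAP base URL) on a schedule and feed the JSON to the same functions.

```python
"""Domain-expiry watcher (added example; not from the 7MS episode).

Reads RDAP domain objects, finds the "expiration" event, works out how
many days are left, and maps that to a reminder tier. Sample records
below are constructed, not live lookups.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Reminder tiers in days before expiry. Assumed values for the example;
# pick whatever gives you time to fix a lapsed card or let a domain go.
REMINDER_DAYS = (60, 30, 7)


def expiration_from_rdap(doc: dict) -> datetime | None:
    """Return the expiry timestamp from an RDAP domain object, or None."""
    for event in doc.get("events", []):
        if event.get("eventAction") == "expiration":
            # RDAP dates are RFC 3339; fromisoformat wants +00:00 rather than Z.
            raw = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(raw).astimezone(timezone.utc)
    return None


def days_until_expiry(doc: dict, now: datetime) -> int | None:
    """Whole days from `now` until the domain expires (negative if past)."""
    expires = expiration_from_rdap(doc)
    if expires is None:
        return None
    return (expires - now).days


def reminder_tier(days_left: int | None) -> str | None:
    """Map days-left to the most urgent reminder that applies, or None."""
    if days_left is None:
        return "no-expiry-data"  # a record we cannot read deserves a ping too
    if days_left < 0:
        return "expired"
    for threshold in sorted(REMINDER_DAYS):
        if days_left <= threshold:
            return f"{threshold}d"
    return None


def check_domains(rdap_docs: dict[str, dict], now: datetime) -> dict[str, str]:
    """Return {domain: reminder} for every domain that needs attention."""
    alerts = {}
    for name, doc in rdap_docs.items():
        tier = reminder_tier(days_until_expiry(doc, now))
        if tier is not None:
            alerts[name] = tier
    return alerts


# Constructed sample RDAP responses, trimmed to the fields used here.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RDAP = {
    "passion-project.example": {
        "ldhName": "passion-project.example",
        "events": [
            {"eventAction": "registration", "eventDate": "2019-06-20T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2024-06-20T00:00:00Z"},
        ],
    },
    "consultancy.example": {
        "ldhName": "consultancy.example",
        "events": [{"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}],
    },
    "lapsed.example": {
        "ldhName": "lapsed.example",
        "events": [{"eventAction": "expiration", "eventDate": "2024-05-01T00:00:00Z"}],
    },
    "weird.example": {
        # Some registries omit expiry from public RDAP; flag it rather than skip it.
        "ldhName": "weird.example",
        "events": [{"eventAction": "last changed", "eventDate": "2023-01-01T00:00:00Z"}],
    },
}

if __name__ == "__main__":
    for name, tier in check_domains(SAMPLE_RDAP, NOW).items():
        print(f"{name}: {tier}")
```

Run it from cron and route the returned dict to whatever you already read (email, Slack, a ticket); the point is that the rule is yours, so the warning arrives before the registrar's last-chance email, not after the card on file has already declined.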
Hey friends, today we continue our series all about migrating from VMware to the world of Proxmox! Specifically:
- Getting my first Proxmox-based NUCs out in the field for live engagements!
- Pulling the trigger on two bare-metal Proxmox servers to eventually replace my vCenter environment. made it super easy to add Proxmox to those bare-metals with a simple wizard.
- I couldn't figure out how to get a Proxmox VM as the main firewall for the whole Proxmox node, but it turns out it helps to
- When getting a bare-metal OS/hypervisor installed, be careful in that the provider may...
Hey friends, today we've got a security milkshake episode about Web app pentesting. Specifically we talk about:
- a lightweight alternative to Burp
- Web fuzzer. Using it through a proxy:
    wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt --sc 200 "https://somedomain.com/shopping?&qty=FUZZ" -p 10.0.7.11:8080
- for XSS testing; pairs nicely with this wrapper:
In the tangent dept, I moan about how I hate some things about Proxmox but am also starting to love it. In the tangent #2 department, I talk about tinnitus and acupuncture!
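What the wfuzz line above is doing, as an added example in plain Python rather than code from the episode: -z file,... supplies the payload list, the FUZZ marker is where each payload lands in the URL, --sc 200 keeps only responses with that status, and -p routes every request through an intercepting proxy. The fuzzer below does the same substitution and status filtering, and adds the check wfuzz leaves to you, whether the payload came back in the body unencoded. The shop endpoint is a constructed in-memory fake (qty reflected raw, name HTML-escaped for contrast), the four-entry wordlist stands in for Injections/XSS.txt, and http_fetch is the hook you would use against a real target; nothing here contacts a real host.

```python
"""Reflected-XSS parameter fuzzer (added example; not from the episode).

Substitutes each wordlist payload for FUZZ in a URL, optionally via a
proxy, filters by HTTP status, and flags payloads reflected verbatim.
The target below is a constructed fake; no network traffic is sent
unless you pass the http_fetch fetcher.
"""
from __future__ import annotations

import html
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed mini wordlist standing in for wfuzz's Injections/XSS.txt.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "'-alert(1)-'",
    "1",  # benign control value: reflected everywhere, exploitable nowhere
]

Fetcher = Callable[[str], tuple[int, str]]  # url -> (status, body)


@dataclass
class Hit:
    payload: str
    status: int
    reflected_raw: bool  # payload appears byte-for-byte in the response body


def http_fetch(proxy: str | None = None) -> Fetcher:
    """Real fetcher built on urllib; `proxy` is host:port, like wfuzz -p."""
    handlers = []
    if proxy:
        if "://" not in proxy:
            proxy = "http://" + proxy
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)

    def fetch(url: str) -> tuple[int, str]:
        try:
            with opener.open(url, timeout=10) as resp:
                return resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # non-2xx still has a body
            return err.code, err.read().decode("utf-8", "replace")

    return fetch


def fake_shop_fetch(url: str) -> tuple[int, str]:
    """Constructed vulnerable endpoint: reflects ?qty= unescaped, escapes ?name=."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    qty = query.get("qty", [""])[0]
    name = query.get("name", [""])[0]
    if not qty.strip():
        return 400, "<p>missing qty</p>"
    return 200, f"<p>Quantity: {qty}</p><p>Item: {html.escape(name)}</p>"


def fuzz(url_template: str, payloads: Iterable[str], fetch: Fetcher,
         show_codes: tuple[int, ...] = (200,)) -> list[Hit]:
    """Replace FUZZ with each URL-encoded payload, keep matching statuses
    (wfuzz --sc), and record whether the raw payload is reflected."""
    if "FUZZ" not in url_template:
        raise ValueError("url_template must contain the FUZZ marker")
    hits = []
    for payload in payloads:
        url = url_template.replace("FUZZ", urllib.parse.quote(payload, safe=""))
        status, body = fetch(url)
        if status not in show_codes:
            continue
        hits.append(Hit(payload, status, payload in body))
    return hits


def exploitable(hits: Iterable[Hit]) -> list[str]:
    """Payloads carrying markup characters that were reflected verbatim."""
    return [h.payload for h in hits
            if h.reflected_raw and any(c in h.payload for c in "<>\"'")]


if __name__ == "__main__":
    hits = fuzz("http://shop.example/shopping?qty=FUZZ", XSS_PAYLOADS, fake_shop_fetch)
    for hit in hits:
        print(f"{hit.status} reflected_raw={hit.reflected_raw} {hit.payload}")
    print("exploitable:", exploitable(hits))
```

Against a live target you would swap fake_shop_fetch for http_fetch("10.0.7.11:8080") so every request also lands in your proxy history; the reflected_raw flag is only a prompt to go and confirm in the browser, since a raw reflection inside a script block or attribute still needs the right context to execute.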
Road trip time! I've been traveling this week doing some fun security projects, and thought all this highway time would be a perfect opportunity to take a dip into the 7MS mail bag! Today's questions include:
- How do you price internal network penetration tests?
- Have you ever had to deal with a difficult client situation, and how did you resolve it?
- Are you done going after certs? Spoiler: no. I'm interested in doing the (not sure if it includes a cert)
- Do you provide managed services or just stick with more "one and done" assessment work?
- You said the...
Today's tale of pentest pwnage is all about my new favorite attack called SPN-less RBCD. We did a teaser episode that actually ended up being a full episode all about the attack, and even step-by-step commands to pull it off. But I didn't want today's episode to just be "Hey friends, check out the YouTube version of this attack!" so I also cover:
- Our first impressions of
- Why I have a real hard time believing you have to follow to install Kali on Proxmox
Today's prelude to a tale of pentest pwnage talks about something called "SPN-less RBCD" (resource-based constrained delegation). The show notes don't format well here in the podcast notes, so head to to see the notes in all their glory.
Sadly, the has hit 7MinSec hard – we love running ESXi on our NUCs, but ESXi free is no longer available. To add insult to injury, our got a huge price gouge (due to license cost increase; not OVH’s fault). Now we’re exploring as an alternative hypervisor, so we’re using today’s episode to kick off a series about the joys and pains of this migration process.
Today we revisit a series about eating the security dog food, in other words, practicing what we preach as security gurus! Specifically we talk about:
- We're going to get a third-party assessment on 7MinSec (the business)
- Tips for secure email backup/storage
- Limiting the retention of sensitive data you store in cloud places
Today we're talking about tips to deal with stress and anxiety:
- It sounds basic, but take breaks, and take them in a different place (don't just stay in the office and do more screen/doom-scrolling)
- I've never gotten to a place in my workload where I go "Ahhh, all caught up!" so I should stop striving to hit that invisible goal.
- Chiropractic and back massages have done wonders for the tightness in my neck and shoulders
- For me, video games where you punch and kick things relieve stress as well (including a specific game that's definitely not for kids!)
Today our pals Bjorn Kimminich from OWASP and Paul from Project7 and TheUnstoppables.ai join us as we kick off a series all about hacking the OWASP Juice Shop, which is "probably the most modern and sophisticated insecure web application!" We got a few wins on the Juice Shop score board today:
- Found the score board
- Bullied the chatbot
- Fired a DOM XSS
- Located a confidential document
- Gave the Juice Shop a devastating zero stars review
- Fired a DOM XSS which played the OWASP Juice Shop Jingle