The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.


  • Leading in Privacy

    September 25, 2018, Mali Yared, Practice Director, Cyber Risk Advisory & Privacy, Coalfire

    On September 24, I was pleased to represent Coalfire (and private-sector expertise) by attending the kickoff for the Privacy Framework at the Brookings Institute in Washington, D.C. The event was attended by notable leaders in the industry and government: The Departments of Transportation and Commerce, the Information Technology Industry Council, Intel, Citrix, National Telecommunications, and various other notable public and private-sector leaders in the industry. The National Institute of Standards and Technology (NIST) is taking steps toward pulling the various, splintered privacy initiatives in our nation together into a focused approach – and it is very exciting to see.

  • Phantom Acquisition Lets Splunk SOAR

    September 12, 2018, Matt Alshab, Certified Splunk Admin

    At the SplunkLive! Conference in Washington, D.C., Splunk gave a presentation on Phantom, a Security Orchestration, Automation, and Response (SOAR) system. Splunk acquired Phantom this year for $350 million.

  • From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter

    September 11, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire

    When I first began working at Coalfire in early 2017, I couldn’t wait to get started pentesting professionally for the first time. When I finally got tasked with my first gig, I dove right in. I was tasked to perform an assessment of the external network. After hitting all known servers and web applications with various scanning tools, I had nothing. For a penetration tester, the assessment does not end here.

  • Exploiting Blind Java Deserialization with Burp and Ysoserial

    September 04, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire

    While performing a web application penetration test, I stumbled upon a parameter with some base64 encoded data within a POST parameter. Curious as to what it was, I sent it over to Burp decoder.

  • AWS Slurp Github Takeover

    August 28, 2018, Logan Evans, Associate, Coalfire Labs, Coalfire

    Slurp is a tool used by information security professionals to enumerate AWS S3 buckets. Slurp takes a domain name (example.com) or wordlist as input and cycles through likely S3 bucket names (example.s3.amazonaws.com) looking for any world-read/writeable buckets. S3 buckets are a great find for offensive security pros because they are commonly misconfigured. This leads to things like the famous RNC Voter Records breach or Verizon’s 2017 breach.
