All file downloads.
2016 Kennesaw State Cyber Security Awareness Day - Exploiting Smart Devices - 06Oct2016
2018 Cybersecurity Symposium – Breaking Into a Career of Breaking In - 19Oct2018 - Slides
2600 Magazine-The Hacker Quarterly-Summer 2013-Splunking the Google Dork PDF
MSI installation file.
ZIP standalone file.
Assessment and Penetration Testing Brochure
The Bishop Fox Assessment Team breaks into things before the bad guys do; then we show you how so you can protect yourself against real attacks.
August Case Study - Built in Security
AWS S3 Buckets Security - Avoid Common Mistakes When Deploying Cloud-based Services
This guide by Bishop Fox's Gerben Kleijn details how organizations can avoid the pitfalls posed by lackadaisical AWS S3 buckets security and keep their environments secure.
BayThreat 2011 - Pulp Google Hacking - 09Dec2011 - Slides
BayThreat 2011 - Putting Logs on a Diet - 11Dec2011 - Slides
BayThreat 2012 - Securing a Start Up - 07Dec2012 - Slides
Beast Case Study
BetterCloud Cloud IT Live - Creating a Security Blueprint - 25Oct2016 - Slides
Bing Hacking Alerts.xml
These feeds are organized and can be viewed/searched via Google Reader by importing the downloaded OPML file.
Bing Hacking Database (BHDB) v2.0.txt
BHDB v2.0 Dictionary file
ZIP Standalone file
Bishop Fox Cybersecurity Style Guide
Bishop Fox Cybersecurity Style Guide V1.1
Black Hat USA - CloudBots Harvesting Crypto Coins Like a Botnet Farmer - 6Aug2014 - Slides
Black Hat USA 2005 - Catch Me If You Can - 27July2005 - Slides
Black Hat USA 2010 – Lord of the Bing – 29July2010 - Slides
Black Hat USA 2011 – Pulp Google Hacking – 03Aug2011 - Slides
Black Hat USA 2013 - Lets Get Physical - 31July2013 - Slides
Black Hat USA 2015 - Bypass Surgery - 6Aug2015 - Slides
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides.pdf
Danger Drone slides, slight updates 14 Mar 2017.
Bluebox Case Study
BSides CMH - Check Your Privilege (Escalation) - 01Mar2019 - Slides
BSides LV - Untwisting the Mersenne Twister - 5Aug2014 - Slides
Bsides PDX - Resistance Networks - 27Sept2013 - Slides
BSides SF - Twist and Shout: Ferris Bueller’s Guide to Abuse Domain Permutations - 03Mar2019 - Slides
Business Development Executive
CactusCon 2014 - Malware and the Syrian Civil War - 4Apr2014 - Slides
CactusCon 2014 - Malware and the Syrian Civil War - 4Apr2014 - Slides
CactusCon 2015 - Wireless Network Risk and Controls - 13March2015 - Slides
CactusCon 2016 - Developing and Testing an Effective Incident Response Program - 6May2016 - Slides
CactusCon 2016 - Telling Lies & Making Friends: Penetrating People's Emotional Barriers - 6May2016 - Slides
CactusCon 2018 - Anatomy of an AppSec Program - 29Sept2018 - Slides
CalPoly SLO - So You Wanna Be a Hacker? - 10Nov2014 - Slides
CCOAITS - Incident Response Preparation - 10Jul2014 - Slides
CCOAITS - Not the Weakest Link - 10Jul2014 - Slides
CEIC 2006 - Defeating Forensic Analysis - 04May2006 - Slides
Change Healthcare Case Study
CIO Magazine - How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab - May 2007
Forensic investigations start at the end. Think of it: You wouldn’t start using science and technology to establish facts (that’s the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding.
Coinbase Case Study
Combined Google and Bing Hack Alerts.xml
This is a combined OPML file for both Google and Bing alerts.
Converge Detroit - Homebrew Censorship Detection by Analysis of BGP Data - 16July2015 - Slides
Critical Infrastructure Luncheon 2016 - Laika Boss - 03Nov2016 - Slides
CSO Magazine - The Rise of Antiforensics - June 2007
Cybersecurity Style Guide
Danger Drone - 3D Print Files - 15Sept2017.zip
The entire DangerDrone air frame is also 3D printable. We’ve provided customized versions of the traditional frame parts that are cheaper, more light weight, and have a more convenient surface area.
Danger Drone - Parts List, Prices, and Links - 03Aug2016.xlsx
Dark Reading University - Monitoring Threats and Measuring Risk - 31Oct2014 - Slides
Dark Reading University - Protecting Backend Systems - 28Oct2014 - Slides
Dark Reading University - Protecting the Customer-Facing Website - 27Oct2014 - Slides
Dark Reading Virtual Event - Preparing a Next-Generation IT Security Strategy - 15Nov2016 - Slides
Day of Shecurity Boston 2019 - Introduction to Linux Privilege Escalation Methods - 22Feb2019 - Slides
Day of Shecurity Boston 2019 - Network Penetration Testing Toolkit - 22Feb2019 - Slides
DEF CON 23 (2015) - RFIDiggity - Pentester Guide to Hacking HF/NFC and UHF RFID - 09Aug2015 - Slides
DEF CON 25 (2017) - DeepHack - 30Jul2017 - Slides
DEF CON 25 (2017) - Game of Drones - Brown Latimer - 29July2017 - Slides.PDF
DEFCON 18 – Lord of the Bing – 30July2010 - Slides
DEFCON 20 (2012) – Tenacious Diggity – 29July2012 – Slides
DEFCON 21 (2013) - RFID Hacking - 03 Aug 2013 - Slides
Diggity Alerts FUNdle Bundle – OPML File.xml
Use as default input file.
Dr. Katherine Albrecht Radio Show - Interview of Fran Brown about RFID Hacking - 22Aug2013 - Recording.mp3
Francis Brown was interviewed by the radio program "The Dr. Katherine Albrecht Show" on 22Aug2013, discussing the topic of RFID hacking.
Drone Magazine UK - Hacker's Delight - Danger Drone - Oct. 2016 Issue.pdf
Oct2016 issue of Drone Magazine, article on the Danger Drone.
Empire Hacking NYC Meetup - Server-side Spreadsheet Injections in High Impact Attacks - 12June2018 - Slides
ES Associate - Policy
ES Associate - SDL
Firecat - Source Code - firecat1.6.c
Single C file source code for Firecat utility.
Firecat - Tool Overview Guide.pdf
Firecat utility help guide.
Firecat v1.6 - Unix Binaries.zip
Firecat utilities binaries for Linux (x86/x64), Debian Linux ARMv5, and iOS ARM binary (for jailbroken iPad / iPhone).
Firecat v1.6 - Win Binaries.zip
Firecat utility binaries for Windows 32bit / 64bit.
Formula Injection Cheat Sheet
Forum - The Ethics of Cybersecurity - 26Feb2014.mp3
The cybersecurity trade show known as the RSA conference kicked off in San Francisco this week. The conference begins two months after revelations that the RSA Corporation allegedly accepted $10 million from the National Security Agency to engineer a "back door" allowing NSA access to its encryption products. In the resulting backlash, some of the scheduled speakers are boycotting the RSA conference and have created their own spinoff conference, TrustyCon, which opens Thursday. We discuss cyber ethics and what this rift means for hackers and the online security industry in the Bay Area.
GHDB Reborn Dictionary - NEW ONLY.txt
Exploit-db.com GHDB Reborn. Only NEW Google dorks added since Johnny Long original GHDB.
GHDB Reborn Dictionary.txt
Exploit-db.com GHDB Reborn - 21Sept2011. Includes original dorks from Johnny Long's GHDB.
Google Hacking Alerts.xml
This feeds have been organized and can be viewed/searched by importing the downloaded OPML file into Google Reader.
History of major events affecting the topic of Google Hacking.
ZIP Standalone file
HackCon 2011 – Lord of the Bing – 16Feb2011 - Slides
HackCon 2011 – SharePoint Hacking - 16Feb2011 - Slides
Hacker Halted 2010 Singapore – Lord of the Bing – 26Oct2010 - Slides
Hacker Halted USA 2011 – Pulp Google Hacking – 27Oct2011 - Slides
Hacking CSEs - Creating Google Custom Search Engines.zip
How-to and configuration file.
UPDATED - o5JAN2012 - Updated with additional configuration changes to have the custom search engine "Search the entire web...". This is especially important for the new IP address range input feature of GoogleDiggity.
"Harness the Power of Agile" has no version set!
HOPE - Rickrolling your Neighbors with Google Chromecast - 18July2014 - Slides
How ‘Small’ Security Errors Lead to a Security Breach
How do small security errors lead to huge headaches for a variety of organizations? This organization and joint case study with Timehop discuss the most common cybersecurity errors as well as how to best defend against them.
InfoSec World 2006 - K2 - Bleeding-Edge Anti-Forensics - Brown and Liu - 03April2006 - Slides
InfoSec World 2010 – Google and Beyond – 21Apr2010 - Slides
InfoSec World 2011 – Google Hacking – To Infinity and Beyond – 21Apr2011 - Slides
InfoSec World 2012 – Pulp Google Hacking – 02Apr2012 – Slides
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Environment – 14Apr2013 – Slides
InfoSec World 2016 - RFIDiggity - Pentester Guide to Hacking HF/NFC and UHF RFID - 05Apr2016 - Slides
Interop 2017 - Defeating Social Engineering, BECs, and Phishing - 17May2017 - Slides
Interop 2017 - Developing and Testing an Effective Incident Response Program - 16May2017 - Slides
Interop Las Vegas - Social Engineering: The Bad, Better, and Best Incident Response Plans - 4May2016 - Slides
Introduction to AWS Cloud Security
If you're a newcomer to the world of AWS cloud security, this Bishop Fox guide can help you determine where to start and what best practices to embrace to ensure a strong security posture for your organization.
IoTium Case Study
IoTium Case Study
ISACA Phx - Protection of Information Assets - 27Feb2014 - Slides
ISACA Phx - Wireless Network Risks and Controls - 22Jan2015 - Slides
ISC(2) Phoenix - Effectively Operating a Bug Bounty Program - 13Aug2015 - Slides
ISSA Journal - July 2007 - Penetration Testing: The White Hat Hacker
Most people attempt to define penetration testing as a network attack against an Internet DMZ with the goal of breaking into the internal network. Fundamentally, however, penetration testing is properly defined as the simulation of an attack against a target network or application, encompassing a wide range of activities and variations.
ISSA LA – 4th Annual InfoSec Summit – Pulp Google Hacking – 15May2012 – Slides
ISSA LA – Pulp Google Hacking – 15Feb2012 – Slides
ISSA Phoenix Chapter – 05 Oct 2010 Presentation Slides
ISSA Tucson - Untwisting the Mersenne Twister - Slides - 5Nov2014
ITAC 2014 - Mobile Application Testing and Code Review - 30Sept2014 - Slides
ITAC 2014 - SCADA Hacking - Clear and Present Danger - 02Oct2014 - Slides
ITAC 2015 - CloudBots - Abusing Free Cloud Services to Build Botnets in the Cloud - 29Sept2015 - Slides
ITAC 2015 - Internet of Things (IoT) - Hacking Smart Devices - 29Sept2015 - Slides
ITAC 2015 - Putting Your Logs On a Diet - Network Intrusion Detection - Best Practices - 01Oct2015 - Slides
Job Description - Editorial Intern
Job Description - Enterprise Security Analyst
Job Description - Enterprise Security Associate
Job Description - Junior System Administrator
Job Description - Penetration Tester
Job Description - PHX Personal and Administrative Assistant
Job Description - Project Manager
Job Description - SFO Junior Project Manager
Job Description - Travel Coordinator
Journal of Digital Forensic Practice – Challenging the Presumption of Reliability – Mar2006 PDF
There is a general tendency among courts to presume that forensic software reliably yields accurate digital evidence. As a judicial construct, this presumption is unjustified in that it is not tailored to separate accurate results from inaccurate ones. Vincent Liu illustrate this unfortunate truth by the presentation of two currently uncorrected weaknesses in popular computer forensic tools, methods, and assumptions.
Kaspersky SAS - Ghost in the Browser: Broad-Scale Espionage with Bitsquatting - 10Apr2019 - Slides
Kiwicon 2038AD - Getting Buzzed on Buzzwords - DeMesy - 16Nov2018 - Slides
LCD FacePlate - 3D Files - Tastic RFID Thief.zip
3D printable files for an LCD 20x4 faceplate to cover the rectangular hole on the front of the Tastic RFID Thief. Printed using a Makerbot Replicator 2.
Marketplace.org - 1-800-Hackers Why cyber crime is no longer a dark art - 02Oct2013.mp3
Hackers are forming straight-laced companies and selling their services for big bucks to the very businesses that are most afraid of them. And as the demand for hacking grows, the once-dark art is becoming a 9-to-5 day job with a public and a private sector, even corporate recruiters.
MD4 Collision Generator - md4coll.c
Using a 1.6 GHz Pentium 4, MD4 collisions can be generated in an average of 5 seconds.
MD5 Collision Generator - md5coll.c
Using a 1.6 GHz Pentium 4, MD5 collisions can be generated in an average of 45 minutes.
Microsoft BlueHat v2 - Introducing the Metasploit Anti-Forensics Project - 13Oct2005 - Slides
Microsoft BlueHat v8 - Real World Code Review - Liu - 17Oct2008 - Slides
MISTI - Mobile 2013 - Mobile App Testing and Code Review - 19Nov2013 - Slides
NPR - Apple Pay Wants To Be Your Mobile Wallet - 10Sept2014.mp3
Apple recently announced a new mobile payment system called Apple Pay. CEO Tim Cook says that Apple Pay will provide a more secure way to make transactions using an Apple device.
NPR - Apple To Fight Court Order To Break Into Shooters iPhone - 17Feb2016.mp3
Apple says it will oppose a federal court order to assist the Justice Department in unlocking an iPhone used by one of two attackers who killed 14 office workers in San Bernardino, CA. Security Associate Joe DeMesy weighs in on Apple’s reasoning in this NPR interview.
OWASP AppSecCali 2019 - How Perceptual Analysis Helps Bug Hunters - 24012019 - Slides
OWASP Atlanta – Attack Chaining Advanced Maneuvers – May 2012
Rob Ragan and Oscar Salazar will be presenting on the topic of Advanced Attack Chaining during the OWASP Atlanta meeting on May 31, 2012 at 6:00 PM EST.
OWASP LA – SharePoint Hacking – 22Feb2012 – Slides
OWASP Phoenix - If You Like It, Then You Shouldn't Put a Ring3 On It - 9June2015 - Slides
Password Security Guide
Passwords have suffered from numerous flaws throughout the history of time. In this guide, we examine what's gone wrong in the past and how we can change - for the better - going forward.
PaulDotCom - Security Weekly - Epsd 211 Pt. 1 - Liu - 16Sept2010.mp3
Vinnie Liu is our guest tonight to discuss things pen testing, how to get started in the industry.
Penetration Testing Resource Guide
Phoenix Security & Audit Conference - The Active Directory Kill Chain - 10Sept2015 - Slides
Practising Law Institute SFO - Cybersecurity: A Hacker’s Perspective - Evolving Cyber Adversary Simulation - 06Nov2018 - Slides
Primer to Red Teaming
Curious about why your organization should consider red teaming? This guide explains how red teaming fits in as part of a holistic cybersecurity program and whether your organization is ready to implement it.
QCon London - Out of the Browser Into the Fire - 08Mar2017 - Slides
RSA 2014 - Cloud Ninja - 27Feb2014 - Slides
SANS - AppSec Summit 2007 - Implementation Lessons Learned - 15Aug2007 - Slides
SANS - Pentest and AppSec Summit 2009 - Realworld Code Review - 02Jun2009 - Slides
SANS - Pentest Security Summit 2008 - Success Stories and Lessons Learned - 02Jun2008 - Slides
SearchSecurity - Securing SharePoint: SharePoint security best practices
Security B-Sides Atlanta 2010 – Lord of the Bing – 08Oct2010 - Slides
SharePoint - URL Extensions - 18MAR2012 PDF
Reference document that maps out common SharePoint administrative pages to their respective URL extensions.
SharePoint Bing Hack RSS Alerts - OPML.xml
Bing search results turned into convenient RSS feeds that provide real-time SharePoint vulnerability updates.
SharePoint BingDiggity Dictionary.txt
Updated: 16 August 2013
Bing queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Bing search engine.
SharePoint Google Hack RSS Alerts - OPML.xml
Google search results turned into convenient RSS feeds that provide real-time SharePoint vulnerability updates.
SharePoint GoogleDiggity Dictionary.txt
Updated: 18 March 2012
Queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine.
Updated 18 March 2012
Zip contains both the SharePointURLBrute Perl script and a Windows executable versions.
SHODAN Hack RSS Alerts - OPML.xml
SHODAN search results turned into convenient RSS feeds that provide real-time vulnerability updates.
SHODAN Hacking Database (SHDB).txt
SHDB Dictionary file. UPDATED: 21Jun2013
SPI Dynamics Expert Articles Series - Effective Controls for Attaining Continuous Application Security Throughout the Web Application Development Life Cycle - Sept2007
Given the choice, every organization would want secure Web sites and applications from the Web application development phase all the way through the software development life cycle. But why is that such a challenge to attain? The answer is in the processes (or lack thereof) that they have in place.
SPI Dynamics Expert Articles Series - Implementing Effective Vulnerability Remediation Strategies Within the Web Application Development Lifecycle - Aug2007
Once you've completed a security assessment as a part of your web application development, it's time to go down the path of remediating all of the security problems you uncovered.
SPI Dynamics Expert Articles Series - Web Application Vulnerability Assessment Essentials: Your First Step to a Highly Secure Web Site - Aug2007
If an organization isn't taking a systematic and proactive approach to web security, and to running a web application vulnerability assessment in particular, then that organization isn't defended against the most rapidly increasing class of attacks.
SPICON 2007 - Lessons Learned – Implementing an Application Security Program - 17Oct2007 - Slides
TakeDownCon 2011 – Lord of the Bing – 18May2011 - Slides
TakeDownCon 2012 – Pulp Google Hacking – 08May2012 - Slides
The Business Journal of Phoenix - Even without big budget, employee theft can be stopped - Nov 2006
The Challenges of Automated Application Assessments in a Web 2.0 World - 12Dec2009
Rob Ragan and Vincent Liu author The Challenges of Automated Application Assessments in a Web 2.0 World, which discusses the difficulties of properly auditing modern Web 2.0 applications.
The Gold Standard in Security Consulting - About Bishop Fox eBook
The Good, the Bad, and the Ridiculous - SANS Penetration Testing Summit 2010
The Good, the Bad, and the Ridiculous slides presented at the SANS Penetration testing Summit 2010 in Baltimore, MD
The ISSA Journal – SearchDiggity- Dig Before They Do – 04Sept2012
Bishop Fox’s Google Hacking Diggity Project was featured in the toolsmith article SearchDiggity: Dig Before They Do, found in the September 2012 edition of The ISSA Journal.
Threat Modeling Brochure
ToorCon 12 – Lord of the Bing – 24Oct2010 - Slides
ToorCon 2014 - If You Like It Then You Shouldn't Put a Ring3 On It - 25Oct2014 - Slides
Toorcon 7 - Introducing the Metasploit Anti-Forensics Project - 16Sept2005 - Slides
UAT TechTrek - Lessons on Security Consulting - 6Nov2014 - Slides
VPN Comparison Guide - Chart
Zephyr Health Case Study