Couch to Half Marathon: Closing My First Year of Running

On February 11th, 2022, I took my first jog on my new treadmill, a single mile at 5mph. I’d been taking three mile walks for a couple weeks before, but that jog just under a year ago was my first workout over 4mph. Yesterday, I ran the 3M Half Marathon in Austin, crossing the finishContinue reading “Couch to Half Marathon: Closing My First Year of Running”

Defense Techniques: Reporting Phish

While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try to steal money and personal information from the less tech-savvy among us. I have hadContinue reading “Defense Techniques: Reporting Phish”

2022 EOY Fitness Summary

I spent dramatically more time on physical fitness in 2022 than I have at any other point in my life, in preparation for my planned adventure this June. My 2022 statistics from iFit on my incline trainer/treadmill show that I walked/jogged/ran almost 700 miles after it was set up on January 24th: Perhaps surprisingly (givenContinue reading “2022 EOY Fitness Summary”

Attack Techniques: Priming Attacks on Legitimate Sites

Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from http and https urls that are subject to reputation analysis. A third attack technique is to send a lure that entices a user to visit a legitimate site and perform an unsafe operation onContinue reading “Attack Techniques: Priming Attacks on Legitimate Sites”

Attack Techniques: Phishing via Mailto

Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode the attack within a mailto URL, because anti-phishing scanners and email clients rarely apply reputationContinue reading “Attack Techniques: Phishing via Mailto”

Attack Techniques: Phishing via Local Files

One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins by the victim receiving an email with a HTML file attachment (for me, often with the .shtml file extension): When the user opens the file, a credential prompt is displayed, withContinue reading “Attack Techniques: Phishing via Local Files”

TLS Certificate Verification Changes in Edge

When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows delegated this validation task to APIs in the operating system, layering a minimal set of additional validation (e.g. this) onContinue reading “TLS Certificate Verification Changes in Edge”