May 12 · Philippines: Can we trust our elections?
Some of my friends have approached me and asked if it’s possible for someone to cheat in the recent 2022 Philippine elections. Here is my take on it. TLDR: The current election system relies on trust to work. If trust is eroded, then it is reasonable for people to think…
Elections · 15 min read

Nov 13, 2021 · Synack 2021 Open Invitational CTF Crypto Writeup
Introduction [Link to original blogpost] Recently, I participated in 2021 Synack Red Team Five Open Invitational CTF. I was able to finish all 25 challenges and placed 14th out of 333 teams. I got into the top 25 but it’s a bummer I didn’t get into the top 10…
Rsa · 10 min read

Aug 13, 2021 · DEFCON 29 Red Team Village CTF Writeup: Supply Chain Attack
[Link to original blog post] This year I was able to join the DEFCON 29 Red Team Village’s CTF since the event was held online for free. I joined with my team, the hackstreetboys. We got 3rd out of 650 in the qualifiers and 3rd out of 20 in the finals! …
Defcon · 10 min read

Jun 6, 2021 · POC Exploit from a CVE: Apache Airflow 1.10.10. RCE
I recently published a simple POC of CVE-2020-11978 which, when combined with CVE-2020-13927, is an unauthenticated RCE for Apache Airflow 1.10.10. (Exploit DB link) The exploit is actually simple but when I first encountered CVE-2020-11978, I did some quick google searches and didn’t find any available exploits. I’ve always been…
Cybersecurity · 3 min read

Aug 11, 2020 · DEFCON 28 OpenSOC Blue Team CTF: Lessons and Tips
[Link to original blog post] This year I was able to join the DEFCON 28 Blue Team Village’s OpenSOC CTF since the event was held online. I joined with my team, the hackstreetboys. There were 800+ participants, 500+ challenges, and 350+ teams in the competition, which ran over 20 hours. We…
Security · 13 min read

Published in Towards Data Science · Jul 8, 2020 · A gentle introduction to HDBSCAN and density-based clustering
Explaining HDBSCAN in ~5 minutes — “Hierarchical Density-based Spatial Clustering of Applications with Noise” (What a mouthful…), HDBSCAN, is one of my go-to clustering algorithms. It’s a method that I feel everyone should include in their data science toolbox. I’ve written about this in my previous blog post, where I try to explain HDBSCAN in…
Machine Learning · 6 min read

Jun 12, 2020 · U2F with Duo Web Phishable by default
A scenario when U2F/WebAuthn does not protect you against phishing attacks (until hostname whitelisting is enabled) — TLDR: U2F prevents MITM attack between the victim and the Duo server, but not between the victim and the application. Because Duo is a 3rd-party service, we don’t have the same security properties that are associated with U2F between the victim and the server. This boils down to bypassing the…
Phishing · 3 min read

May 30, 2020 · How to decrypt a LastPass vault
This is a medium-sized extract from a longer blog post of mine concentrating on the crypto used by LastPass. Notes here are from [1], [2], [3], [4], and from my own experience setting up the phishing in the original blog post.
Lastpass · 5 min read

May 29, 2020 · Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack
This is a medium-sized extract from a longer blog post of mine. I go a little more in-depth on the difference between U2F and OTP and how LastPass decrypts your vault, you can see the full blog post. (Un)fortunately, this is NOT a MITM attack on U2F. LastPass doesn’t support…
Security Token · 12 min read

Published in Towards Data Science · Apr 26, 2020 · Data Analysis for Cyber Security 101: Detecting Lateral Movement
This is the second part of a series of blog posts. You can read the first one on Data Exfiltration. This blog post is structured as follows: Introduction Lateral Movement (4 mins): a toy example to illustrate what lateral movement is Network Anomaly Detection (7 mins): Statistical and machine learning…
Cybersecurity · 25 min read