David M. N. Bryan is the Senior Managing Consultant in charge of Technology with X-Force Red, IBM’s elite security testing team. His responsibilities include establishing standardized tool sets and environments for project delivery, and delivering on pentest projects.
David has over 16+ years of professional Information Security experience. From being a defender of security at a top ten bank, to securing the DEF CON network. David has been a participant in the information security community for 18+ years, first starting out as a DEF CON volunteer (Goon) – and now is on the board that runs Thotcon, a Chicago Information Security conference. For the last ten years David has been the attacker in many scenarios as a penetration tester covering: network, embedded, wireless, web applications, and physical security. David has presented at BlackHat, DEF CON, ToorCon, LayerOne, ToorCamp, BSides Events, and AppSecUSA. David lives in cold, but beautiful Minneapolis Minnesota with his wife, and two cats.
In the last year, I’ve found some pretty stupid security mistakes. Blatantly overlooked controls, or flat out lazy system admins. I will show real-world examples of misuse & abuse, and improper data handling of passwords inside application code. When talking about the security of a system as a whole, we must remember a breech in one system, can lead to a breach on another system because of the implicit trust relationships we build to get the job done.
I will cover how we pulled down 1.2M hashes and cracked them and what controls were missed, and how to prevent it from happening again.