John Nye

About John Nye

John Nye is Vice President of Cybersecurity Strategy for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).

Man-in-the-Middle Attacks

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), published an advisory in the March issue of its “Cybersecurity Newsletter” warning of a well-known attack method, the man-in-the-middle (MitM) attack. In this type of attack, the attacker does exactly what the name suggests: becomes a man in the middle of a secure connection. So, while the victim thinks they are connecting to their destination website (e.g., bank, social media, email, etc.), the attacker is taking over the connection and can see any data “in the clear” before it is forwarded on to the actual destination.

April 10th, 2017

Why Would You Hire Someone to Attack Your Network?

While researching future blog post topics, I discovered that many people are searching on Google in the hopes of better understanding the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer even if your organization is not governed by regulatory or compliance requirements to have a penetration test done. There are plenty of reasons to conduct a pen test, or red team assessment, on your organization’s technical environment.

April 1st, 2017

New Year, Same Challenges

If you are reading this blog post, you have survived 2016. By most accounts, it was a rough year with regard to the state of security in healthcare. Cyber attacks have been no exception to this calculation. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in U.S. politics through attacks on IT security.

January 19th, 2017

Penetration Testing Methodologies: In the Clear

There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about. It is critically important to determine the amount of foreknowledge that the tester should get. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just descriptors – the concept remains the same and that is what’s most crucial.

November 23rd, 2016

A Tale of Two Sites: An Internet of Terrible Things

Background: Around 8:00 p.m. on September 20th, hackers who were upset about being outed by Brian Krebs, a well-known security and IT journalist, attacked his website with what was then the largest Distributed Denial of Service (DDoS) attack in history. The attack against krebsonsecurity.com was perpetrated using a previously hypothesized piece of malware that takes control of Internet of Things (IoT) devices and uses them to create a powerful botnet (a network of infected

November 1st, 2016

Using a Battering RAM to Hack

Most corporate systems, whether end-user systems or core servers, are guarded by various malicious software protections. These usually present in the form of anti-virus (AV), data-loss protection (DLP), and host-based intrusion detection (HIDS). These protections are useful for the defenders as they help the systems to remain safe, secure, and free from malicious code. At the very least, the hard drive, or non-volatile memory, is typically kept safe.

October 6th, 2016

Hiding in Plain Sight: How SSL/TLS Can Be Used Against You

Recently, in performing my daily due diligence to keep up with the latest news and changes in information security, one article in particular caught my attention. Its topic of SSL encryption, and the related research, are particularly fascinating and nascent to me as an offensive security professional. The first article was in Dark Reading, and while its title was a bit “click-bait like” it is still true: more than 40% of attacks abuse SSL encryption. This did not catch my attention

September 20th, 2016

MouseJack Hack: Wireless Keyboard & Mouse Lets Bad Guys in the House

Serious Vulnerability in Non-Bluetooth Wireless Human Interface Devices (HIDs). Overview: Over the last week, I have been working to better understand the MouseJack hack and how easily it could be exploited. It turns out that this is a very concerning attack. Without purchasing any hardware (mostly because I have several different Logitech keyboards and mice), I was able to re-flash the firmware on a standard Logitech Unifying receiver.

August 23rd, 2016

Vegas Aftermath: Black Hat & DEF CON Takeaways

Black Hat: Last week marked my third year in Las Vegas for the annual “hacker conferences,” BSides Las Vegas (which I was unable to attend), DEF CON and Black Hat. Black Hat is two days of briefings, tool demos, workshops, and a very large array of security vendors. Finally, the week affectionately known as “hacker summer camp” by attendees is capped off with the largest, longest-running hacker conference in the world – DEF CON.

August 12th, 2016

Pre Black Hat and DEF CON Primer

As I am writing this particular blog post, I am just eight days from flying to fabulous Las Vegas, Nevada. Why on earth would I, or anyone not required to, go to the middle of the desert during the hottest possible time of the year (the first week in August)? Because that weekend is the biggest, and oldest, hacker gathering in the world. The gathering I am talking about is the 24th annual DEF CON where more than 10,000 hackers

July 28th, 2016