Cyber Security Resources
Whitepapers
Improve your cybersecurity by reading our whitepapers and learning from our experts
Labs
Take a look at our tools, presentations, and policies
Inbox (1): Proper Email Authentication
Emails are sent from a source server to a destination server (sometimes through multiple hops) via the SMTP protocol. When you use a webmail client - think Gmail and Yahoo - to send an email, the web server sends emails to its bundled SMTP server and handles authentication for you. When you send...
The Root of Certificate Authorities
Ask any cyber-security professional if using self-signed SSL certificates is acceptable, and they'll probably say "not really." Ask why, and we’ll say “we can’t always know who’s behind the screen,” even though we really want to say “Man-in-the-Middle attack.” Then we’d advise your server to...
Scanning SMB shares with SMBLS
In Carve's internal engagement service line, we simulate an attacker on a corporate network, which is usually Windows-based. We use a variety of tools to gather information, but we were frustrated by reliability, performance and logging of tools dealing with scanning SMB shares, so we wrote a...
How to get better bugs from your pentest
During scoping for penetration tests, customers often say that they want us to perform the engagement exactly as a bad actor would, with no collaboration from the customer’s IT or security teams and no access to inside information. This is known as a black box penetration test, a methodology we...
Keeping an Eye on Your Public IP Space in Private
Keeping track of your company's public IP space is always a good idea. This means maintaining a centralized up-to-date list of: All static IP blocks allocated to you (by an ISP)All VPS instances operated by you in the cloud This makes your life easier by: Keeping your your DNS updated to...
The Feeling is Mutual: Elegant & Effective Authentication
Author: Carve Systems If your user base is primarily IoT devices and your organization doesn’t want to manage passwords for each device, then it seems like a series of unguessable passwords such as “d3v1ce [serial-number]” is the only solution. While that technically works, it isn’t the most...
Stay Connected
Stay on top of the latest in cybersecurity tools, news, and opinion with @carvesystems on social media! Check out our blog for cyber tips, tricks, and all things infosec.