Author | Lightnews

Tim Medin @timmedin.bsky.social · 10d

Damn.
I’m never going to find this room.

Tim Medin @timmedin.bsky.social · 25d

Two days of teaching Pen Testing: Beyond the Basics ✅
Two hour Kerberos workshop ✅
Talk ✅
Tomorrow, time to be a full time booth babe.

Red Siege @redsiege.com · 25d

Putting a bow on the day at @wildwesthackinfest.bsky.social with CEO @timmedin.bsky.social presenting "Death by Dashboards: Moving the Needle on What Actually Matters"

#hacking #infosec #cybersecurity #wwhf

8

Tim Medin @timmedin.bsky.social · 25d

Last year at @wildwesthackinfest.bsky.social a few packages arrived late (not mine). The maintenance staff regularly receives packages and thought it was theirs. They opened it, found a pack of stickers.
They have been putting them on their stuff and the hotel.
"We wondered who that guy was"

1 1 4

Reposted by Tim Medin

Red Siege @redsiege.com · 25d

Senior Security Consultant Justin Palk tells you everything you need to know about getting started with proxy chains in this blog 🔗 redsiege.com/proxychains

#hacking #infosec #cybersecurity

1 1

Tim Medin @timmedin.bsky.social · 25d

The booth is hopping! Stop by to get tons of stickers, a shirt, and get entered to win a framed autographed picture from Hackers.

Red Siege @redsiege.com · 25d

The booth is buzzin here at @wildwesthackinfest.bsky.social! We've had the chance to meet so many awesome folks already.

There's still plenty of handshakes, high fives, and killer swag to give out!

#hacking #infosec #cybersecurity #wwhf

1

Tim Medin @timmedin.bsky.social · Oct 1

Join us tomorrow!

Recon InfoSec @reconinfosec.com · Oct 1

Don't miss out! Tomorrow, @timmedin.bsky.social of @redsiege.com joins us for #ThursDef at 12:30 PM CT to discuss Offensive for Defense.

This 30-minute fireside chat is one you won't want to miss. Register now: thursdef.com

#ThursdayDefensive #cybersecurity #infosec

Tim Medin @timmedin.bsky.social · Oct 1

Live now with pre-show banter with @mzbat.bsky.social (Kimber) and @antisyphontraining.bsky.social.

Close Security Gaps, Pass Audits, Stay Secure w/ Kimber Amos and @redsiege.com
www.antisyphontraining.com/event/anti-c...

Anti-Cast: Close Security Gaps, Pass Audits, Stay Secure with Kimber Amos - Antisyphon Training

Join Kimber Amos for a free one-hour training on cutting through compliance theater and running reviews that actually strengthen defenses and keep auditors happy.

www.antisyphontraining.com

1

Tim Medin @timmedin.bsky.social · Sep 30

I desperately want to know how long it took the bad guys to crack it. My intel/rumor mill says it took at least a week (or more). If that were the case, my guess is pen testers wouldn't have cracked it, so it is just an informational finding in the report.

2 3

Tim Medin @timmedin.bsky.social · Sep 30

I think about this often.
What is a real world bad guy's level of effort for cracking?
How long do they spend?
How big is their cracker?
Do they have multiple crackers?
How do they distribute the load?

Raphael Mudge @raphaelmudge.bsky.social · Sep 28

My understanding from @timmedin.bsky.social is RC4 risk is mitigable w/ a properly (service account std differs from user account) strong password. If it was never cracked by a pen tester, because their level of effort vs. adversary effort differed--how would Ascension know it wasn't strong enough?

1 1 6

Tim Medin @timmedin.bsky.social · Sep 30

If it was in the report, then that's a really bad look.
Of course, this assumes they had pen test and the pen testers successfully cracked it.

Tim Medin @timmedin.bsky.social · Sep 30

BRB, going to wake up Billie Joe.
www.youtube.com/watch?v=pGhw...

Green Day - Wake Me Up When September Ends (Official Audio)

YouTube video by Green Day

www.youtube.com

2

Tim Medin @timmedin.bsky.social · Sep 26

Join me next week on the Thursday Defensive (thursdef.com) next Thursday at 1:30 ET on Offensive for Defense - How defenders can use offensive tools to test themselves.

2

Tim Medin @timmedin.bsky.social · Sep 24

Couldn't agree more. How many high/crit PHP findings in your vuln scan reports that are meaningless because that function isn't used (or used with user input). Teams work hard remediate issues that have 0 impact, largely because it shows up in a dashboard, metrics, or KPIs... not because it matters.

Matt Linton @amuse.bsky.social · Sep 24

Today's hot take: "Vulnerability" as a term has become meaningless in the industry.

I propose that at a system level, a vulnerability is not a *vulnerability* if there are other intact, effective compensating controls. Many of the things we call vulns should just be called bugs

6

Tim Medin @timmedin.bsky.social · Sep 18

Really cool to be interviewed and quoted in this article.

Red Siege @redsiege.com · Sep 18

Our CEO @timmedin.bsky.social offers his thoughts on what exactly led to the Ascension breach in this follow-up article from Ars Technica:

arstechnica.com/security/202...

#hacking #infosec #cybersecurity

How weak passwords and other failings led to catastrophic breach of Ascension

A deep-dive into Active Directory and how “Kerberoasting” breaks it wide open.

arstechnica.com

4

Tim Medin @timmedin.bsky.social · Sep 16

So by proxy, RC4 with Kerberos is bad.

1 2

Tim Medin @timmedin.bsky.social · Sep 16

RC4 used with Kerberos isn't the fundemental flaw we think. Yes, RC4 is deprecated, but the real issue is the key generation for AES v RC4 for cracking (Kerberoasting). With RC4 the key = password hash. With AES it is 4096 rounds of hashing of hash+username+domain. The 4096 rounds matters, a lot!

1 2 8

Tim Medin @timmedin.bsky.social · Sep 12

I'm looking forward to @wildwesthackinfest.bsky.social. I also have a Kerberos workshop there, so check that out.
Oh, and we'll have tons of swag at the @redsiege.com booth, so stop by if you're in-person!

Wild West Hackin' Fest @wildwesthackinfest.bsky.social · Sep 12

@timmedin.bsky.social is ridin' into Wild West Hackin' Fest - Deadwood 2025 with his talk "Death by Dashboards: Moving the Needle on What Actually Matters"
Virtual con and virtual training tickets are still available! wildwesthackinfest.com/register-for...

#WWHF #Deadwood2025 #TheFutureIs

2 4

Tim Medin @timmedin.bsky.social · Sep 11

Here is the original @arstechnica.com article
arstechnica.com/security/202...

Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”

Wyden says default use of RC4 cipher led to last year’s breach of health giant Ascension.

arstechnica.com

2

Tim Medin @timmedin.bsky.social · Sep 11

@theregister.com published an article on the letter
www.theregister.com/2025/09/11/w...

Senator blasts Microsoft for 'dangerous, insecure software'

: Ron Wyden urges FTC to probe failure to secure Windows after attackers used Kerberoasting to cripple Ascension

www.theregister.com

1 1

Tim Medin @timmedin.bsky.social · Sep 11

In response to Senator Ron Wyden's letter to the FTC, I have put together my comments on Kerberoasting and RC4.
redsiege.com/blog/2025/09...

redsiege.com

1 3 10

Tim Medin @timmedin.bsky.social · Sep 10

Oh god, I hope not

1

Tim Medin @timmedin.bsky.social · Sep 10

A senator talking about Kerberoasting was not on my bingo card!

1 1 9

Tim Medin @timmedin.bsky.social · Sep 10

lol, ya

Tim Medin @timmedin.bsky.social · Sep 10

The issue isn't as much RC4 as it is bad passwords. While RC4 isn't good, other encryption does *not* prevent Kerberoasting. AES128 and AES256 just slow down the attack by ~100-170x. If the password is really bad, 170x is meaningless.
@matthewdgreen.bsky.social
arstechnica.com/security/202...

Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”

Wyden says default use of RC4 cipher led to last year’s breach of health giant Ascension.

arstechnica.com

1 1 4

Tim Medin @timmedin.bsky.social · Aug 16

“Always go for more sparkles!”

Words of wisdom from a 9 yo at Heathrow when I asked if I should get the more and less sparkling water.
Such a valuable life lesson there.
She also said, “trust the diva”. Another valuable lesson.

14