Jerry Decime

Security Researcher, Builder, Strategist, Inventor


ABOUT JERRY

About Me

With a strong belief that one must break something to make it stronger, I've honed my application security skills from pen-testing to security design and architecture. From the development of technologies used by Google, Microsoft, HP, Hewlett-Packard Enterprise, DXC, Micro Focus and many others, I've been a guiding force in securing the applications and operating systems people use every day.

While there are many elements of my work which I cannot talk about, my public disclosures paint a picture of just some of my capabilities. I work with teams to identify and mitigate vulnerabilities which are typically not found by automated scanners and which range from user experience flaws to application hijack and remote code execution vulnerabilities. From my work with the Department of Homeland Security to Apple, I've been a regular fixture in major OS and application security updates.

Experience

MICRO FOCUS

11 / 2017 - Present

Principal Strategist and Researcher

Helping to drive a security-always strategy as a senior member of staff to better enable Micro Focus and our customers in the marketplace into the future.

Leading cyber security all-hands cross-functional technical sessions focused on presenting attack vectors and mitigation strategies.

Developed policies, standards, and specifications using a risk-based approach.

Approved in policy, and developed models for, the use of Let's Encrypt as an enterprise CA for both internal and Internet-facing solutions.

HEWLETT PACKARD ENTERPRISE

11 / 2015 - 10 / 2017

Principal Strategist and Researcher

Continued my HP journey with Hewlett Packard Enterprise focusing on application and product security strategy and research.

Built out a Cyber Security Lab in Boise, Idaho focused on both product hardware and software security research and development.

Focused on staff mentorship.

INDEPENDENT SECURITY ADVISORY and RESEARCH

02 / 2014 - Present

Consulting, non-executive technical board member, and research securing critical infrastructure.

HEWLETT PACKARD

01 / 1999 - 11 / 2015

Information Security Strategist

Assisted product development teams in the development and implementation of security solutions across all regions and product lines from mobile, PC, and printing platforms to cloud computing.

Worked with both the consumer and commercial business teams to identify vulnerabilities and secure HP's eCommerce platforms including www.hp.com, shopping.hp.com, snapfish.com, as well as the commercial and government online platforms including the Canada Post.

Worked with world-wide fraud management to identify fraud vectors within HP's eCommerce and consumer support organizations, saving HP hundreds of millions of dollars a year.

Architected and developed, with a team of developers, an innovative mitigation framework solution for the identification and prevention of common web application vulnerabilities (US Patent 9,083,736).

A recognized thought leader in the HP global security space, providing cross-functional mentorship.

Provided technical direction for the worldwide application security program through the development of solutions, training, and policy creation.

Identified and worked with industry financial partners to mitigate critical and systemic vulnerabilities which, if exploited, could have resulted in massive, worldwide economic loss.

HEWLETT PACKARD

08 / 1994 - 12 / 1998

Solutions Architect

Co-founded ftp.hp.com, a service to provide HP product documentation and support to HP customers worldwide.

Founded support.hp.com, HP's online product support service.

Architected the HP Support Assistant CD-ROM service to leverage an online to offline content model.

Co-architected content management and release strategies supporting www.hp.com.

Founded forums.support.hp.com, an interactive public forum to discuss HP product support related issues in 12 languages and across numerous platforms including Microsoft WebTV.

HP worldwide support e-mail program architect.


HEWLETT PACKARD

04 / 1992 - 1994

Alternative Support Sysop & Solutions Architect

Developed methods for consumer support including Macintosh driver documentation solutions which shipped in product.

HP Sysop on CompuServe responsible for building the Macintosh products community.

Led the technical investigation and implementation of the HP Technical Support BBS service, a 96-line BBS providing technical support documentation and drivers for HP products.

Public VU and CVE History

CVE-2018-4305

09 / 2018

Apple

An attacker in a privileged network position may be able to spoof password prompts in the iTunes Store on iOS, tvOS, and watchOS. Because the itunestored/1.0 daemon runs with system privilege, it was possible for an attacker to leverage this to spoof password prompts within any application or OS context. It was further possible to use this vector in denial of service attacks against iOS, resulting in the need to perform a soft reset of the device.

https://support.apple.com/en-us/HT209106
https://support.apple.com/en-us/HT209107
https://support.apple.com/en-us/HT209108

CVE-2018-4202

06 / 2018

Apple

An attacker in a privileged network position may be able to spoof password prompts in iBooks, which in turn, through network monitoring by the attacker, could result in spoofed password prompts in macOS applications of the attacker's choice which communicate on the network.

https://support.apple.com/en-us/HT208849

CVE-2017-2748

04 / 2018

Hewlett-Packard

The Isaac Mizrahi iOS and Android application platform failed to use HTTPS for critical interfaces related to authentication. As a result, it was possible for an attacker in a privileged network position to spoof application interfaces and obtain user credentials in clear text.

https://support.hp.com/us-en/document/c05976868?jumpid=reg_r1002_usen_c-001_title_r0002

CVE-2018-4177

04 / 2018

Apple

A flaw existed which allowed an attacker in a privileged network position to prompt users for their authentication credentials.

https://support.apple.com/en-us/HT208693

CVE-2017-7153

01 / 2018

WebKitGTK+ Security Advisory WSA-2018-0002

Attacker controlled HTTP authentication responses result in security interface confusion in certain contexts.

https://webkitgtk.org/security/WSA-2018-0002.html

CVE-2017-7164

01 / 2018

Apple

An attacker in a privileged network position may be able to spoof password prompts in the App Store.

https://support.apple.com/en-us/HT208334

CVE-2018-5115

01 / 2018

Mozilla

If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about the originating site of the authentication request and may cause users to mistakenly send private credential information to a third party site.

https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5115

CVE-2017-11786

10 / 2017

Microsoft

Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows a remote attacker to steal authentication hashes or clear-text authentication credentials.

https://nvd.nist.gov/vuln/detail/CVE-2017-11786

CVE-2017-2743

06 / 2017

Hewlett-Packard

The embedded printing management service in enterprise printers failed to validate specific strings within an IPP print job. As a result, it was possible to reflect JavaScript into print management interfaces by sending carefully crafted documents to a printer.

https://support.hp.com/us-en/document/c05541569

CVE-2017-0129

03 / 2017

Microsoft

A flaw existed in the Microsoft Lync for Mac client which allowed a networked attacker to compromise the TLS connection between the client and the server, impersonate a Lync server, and obtain user authentication credentials in clear text.

https://nvd.nist.gov/vuln/detail/CVE-2017-0129

MS16-099 Defense in Depth

08 / 2016

Microsoft

In certain contexts, Windows leaked user authentication credentials to unauthorized parties in clear text.

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-099

VU#905344 - FalseCONNECT

08 / 2016

CERT / DHS

Discovered cross-platform vulnerabilities resulting in the full compromise of HTTPS communications, allowing an attacker full visibility into and control of data.

https://www.kb.cert.org/vuls/id/905344

http://falseconnect.com

In the Press
FalseCONNECT sends vendors scrambling to patch proxy MITM bug
Paranoid iPhone owners used a privacy tool that made them hackable
Proxy authentication flaw can be exploited to crack HTTPS protection
FalseCONNECT Flaw Exposes Proxy Connections to Attacks
False CONNECT vulnerability allows MitM-attack and intercept HTTPS-traffic
FalseCONNECT Vulnerability Affects Most Of The Internet Users
Proxy authentication flaw affects Apple, Microsoft, Oracle, Opera


Oracle
https://www.kb.cert.org/vuls/id/BLUU-AAZHFL

CVE-2016-5597


Apple
https://www.kb.cert.org/vuls/id/BLUU-AAZHCJ

CVE-2016-4642
CVE-2016-4643
CVE-2016-4644
CVE-2016-7579


Chrome
CVE-2016-5133


Bee U G DMG Mori Seiki Co., Ltd.
JVNVU90754453


Hewlett-Packard Enterprise
Multiple Products


Micro Focus Detect & Response
Activate Packages FalseCONNECT


Trend Micro Detect & Response
Trend Micro DPI Rule

Microsoft Security Advisory 3045755

04 / 2015

Microsoft

Organizational credentials could be leaked to unauthorized parties via WLID.

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3045755

VU#924307 - D-Link DIR-685 WPA/WPA2 Encryption Failure

10 / 2011

CERT

Heavy network load causes the router to fail into an open wireless AP mode despite the configuration of WPA or WPA2 encryption. This attack can take place under any networking condition, so an attacker sending a large number of authentication requests to the router can cause it to fail into an open state. Due to the nature of the flaw, it can also be triggered through standard use of the router when under heavy network load.

https://www.kb.cert.org/vuls/id/924307

CVE-2011-4507
https://nvd.nist.gov/vuln/detail/CVE-2011-4507

Patents

Monitoring and Mitigating Client-Side Exploitation of Application Flaws

Issued, 01 / 2013

US Patent: 9083736

Inventors: Jerry Decime, Cale Smith

https://www.google.com/patents/US9083736

A system for monitoring and mitigating client-side exploitation of application flaws, the system comprising a client device operating an application, a server communicatively coupled to the client device, and an application flaw service module communicatively coupled to the client device and server, in which the application flaw service module receives a request from the client device comprising transactional metadata and inspects the transactional metadata for malicious content within the request.

A method of monitoring and mitigating client-side exploitation of application flaws by adding computer-usable program code to the response to a first request from a client, receiving a second request from the client, determining that transactional metadata within the response contains an attack vector, and returning a response to the browser including attack vector countermeasures embedded in the response.

System and Method for Authenticating Digital Content

Issued, 03 / 2009

US Patent: 7509683

Inventors: Jerry Decime

https://www.google.com/patents/US7509683

A system and method for authenticating digital content is described. In one implementation, digital content recorded by a recording device is stored in a secure section of a memory device.

Connector Locking Device

Issued, 10 / 2004

US Patent: 6802723

Inventors: Jerry Decime, Brenda A. Burget

https://patents.google.com/patent/US6802723B2

A locking device for a connector that can be readily adapted to an existing electronics enclosure such as a personal computer. Preferably the locking device has one or more sheathing members that form a hollow space for at least partially retaining a connector.

Tracking Users at a Web Server Network

Issued, 10 / 2003

US Patent: 20030187976

Inventors: Jerry Decime

https://patents.google.com/patent/US20030187976A1

A method of tracking clients at a web server network comprises intercepting web page communications between a client computer and at least one web server within the network.

System and Method for Monitoring a Network Site for Linked Content

Issued, 09 / 2003

US Patent: 20030172050

Inventors: Jerry Decime, Jason Crawford, Marcus Nilson

https://patents.google.com/patent/US20030172050A1

A method of monitoring a network site includes searching a network site to identify any objectionable content associated with a network page link on the network site, and responding to the identified network page link.

Interactive Remote Monitoring of Client Page Render Times

Issued, 09 / 2002

US Patent: 20020124047

Inventors: Jerry Decime, M. Scott Gartner, Matthew Parrish, Marcus Richard Nilson

https://patents.google.com/patent/US20020124047A1

A server architecture remotely monitors client page render times by approximating the time lapse from when a hyperlink is first activated to request a web page to when the web page is rendered on the requesting client machine.

Method and System for Efficient Routing of Customer and Contact E-mail Messages

Issued, 06 / 2002

US Patent: 20020083181

Inventors: Jerry Decime

https://patents.google.com/patent/US20020083181A1

After a client or potential client accesses the website of a host organization and generates an e-mail to the organization, an e-mail sorting and routing system parses the meta-tags appended to the message to appropriately sort and route it.

System and Method for Tracking Usage of Multiple Resources Provided...

Issued, 05 / 2002

US Patent: 20020059193

Inventors: Jerry Decime

https://patents.google.com/patent/US20020059193A1

The present invention is directed to a method for tracking the use of an e-mail support tool. In one embodiment, the method initially involves eliciting from a user a query in connection with providing the e-mail support service.

Talks

Bsides Boise

2018

401 Problems and Getting Your Password Isn't One of Them

Bsides Boise

2017

Settling the score: taking down the Equifax mobile application

Bsides Boise

2016

The FalseCONNECT Syndrome: A Little Bit of History Repeating

Bsides Boise

2015

The Spooky Internet of Things: The Future is a Stephen King Novel

Education

BS 7799 (ISO 27001) LEAD AUDITOR

2001

Issuing authority: British Standards Institute


BOISE STATE UNIVERSITY

1992

BA in Writing, Technical Emphasis