This talk will combine updated aspects of a talk I did at SecureWV in 2016 regarding automated Human Error Pwning, and discuss what tips and tricks I've extracted over the last 3+ years running this project to aide in preventing a lot of common pitfalls. I will get into a bit of technical detail about how I replicated a Shodan-like functionality to make a targeted, automated active-scanning and data-replicating system that seeks out and replicates open Mongo instances, Redis instances, and Apache / $webserver open indexes amongst other things. Time-permitting, I'll also cover some of the most memorable results both in findings at customer sites and in bug bounties.

Mike is the Founder & Lead Researcher for BHaFSec, LLC. in Ann Arbor, and also contributes to buffing up the AppSec program at Arbor Networks. He's been involved in the infosec arena since the late 90's, and has been recognized by organizations ranging from Google, AT&T, MIT, NASA/JPL, and many others.

Recorded at AIDE 2017