From the monthly archives:

July 2009

Following up their bleeding-edge research on BIOS-resident malware at CanSecWest, the ultra-smart guys (Alfredo and Sacco) from CoreSecurity have disclosed a significant issue with the laptop recovery software LoJack.

I have debated the effectiveness of laptop recovery software many times arguing that its cost does not justify the recovery of the hard asset (how much is laptop hardware worth vs the cost of recovery).

But now it is even worse: with this BIOS-resident software installed (or pre-installed, in an estimated 60% of new laptops from Lenovo, HP, Gateway, Dell and Toshiba) there is a significant exposure to having the LoJack software modified by someone malicious. Compounding the issue, the software is already whitelisted by anti-virus vendors, meaning there would be no way to prevent or detect such a modification.

It's a bit ironic when security software exposes its paying users to much more risk than it addresses. "Get it. And get it back - twice as bad."


DEFCON-Day 1: July 31

by Jason on July 31, 2009

in SBN

DEFCON – Las Vegas – Riviera

If all goes well, I’m sitting in on these talks Friday.

10:00-10:50 Track 2
Perspective of the DoD CSO
Robert Lentz

11:00-11:20 Track 2
Asymmetric Defense: How to Fight Off the NSA Red Team with Five People or Less
Efstratios L. Gavas

11:30-12:20 Track 1
Q & A with Bruce Schneier

13:00-13:50 Track 3
Hacking WITH the iPod Touch
Thomas Wilhelm

14:00-15:50 Track 4
Defcon Security Jam 2: The Fails Keep on Coming
David Mortman, Rsnake, Maynor, etc
@mortman @rsnake @donicer

16:00-16:50 Track 2
Three Point Oh
Johnny Long
@ihackstuff

17:00-17:50 Track 3
BitTorrent Hacks
Michael Brooks and David Aslanian

18:30-19:20 Track 1
Something about Network Security
Dan Kaminsky
@dakami


43-year-old "UFO eccentric" hacker Gary McKinnon has just lost his appeal against extradition to the States for computer crimes he committed 7 years ago.

If you've lived under a rock for the last few years, what this dude did was basically break into .gov computers looking for UFO-related material.

Probably the last case of recreational hacking I’ve heard about.

So his case is obviously going to be a classic "strike one to educate one hundred" kind of message to every hacker attacking American computer systems: we can reach you wherever you live and have you extradited to our country, where we will sentence you to life in prison.

Unless you are a multi-millionaire cyber criminal living in Russia or a Chinese spy, of course.


I'll leave it up to you to figure out who's who [I'm the one with the 'good' accent], but Craig Balding from Cloudsecurity.org and I have teamed up to host a regularly-scheduled (whatever that means) podcast on Cloud Security.

It’s called…wait for it…

The Cloud Security Podcast.

You can find it, and the show notes of our very first (and dodgy) version right here, homed at libsyn. We’ll stick it on iTunes shortly.

We had issues with drop-out over Skype, so I apologize for the annoyances there.

This (last) week’s coverage focused on:

  • What do we mean by Cloud Computing?
  • Upcoming Cloud Security Events/Talks
  • Clouds News: Cloud FUD
  • Need to get past the FUD, how can you shape Cloud security today?
  • Non security specific Cloud linkage

Please do comment on our performance.

/Hoff & Craig


Survey Says… IT Managers Concerned About LAN Sprawl

by ConSentry Team on July 30, 2009

in SBN

By Rod Kay

Knowing what's happening on the LAN, much less controlling it, is becoming quite complex. We hear concerns about managing access rights and other control issues all the time from our customers, across every industry, and the message is always the same. With the rapid increase in the number and types of users, applications and devices on LANs today, IT managers are losing visibility and control at an alarming rate. To better understand this situation, and to get from anecdote to real data, we commissioned Loudhouse, an independent research consultancy, to interview IT decision makers in both the US and UK on these issues.

Loudhouse asked respondents to consider how their LAN had grown over the last two years and about anticipated growth over the next two years.  A key finding is that LANs have grown at fairly consistent rates across a wide range of axes and are expected to maintain this multi-dimensional growth over the next two years. Loudhouse calls this multi-dimensional growth “LAN Sprawl” – the combined effect of more and different types of users, applications, and devices and their inter-dependencies. Cross-functional users, third-parties, more diverse applications, and corporate, personal, and non-user IP devices are all in the mix, contributing to LAN Sprawl.

For IT organizations being asked to do more with less, this sprawl has become quite a problem. The video below provides survey results on the LAN Sprawl issue and some of the concerns IT has in dealing with this situation. If you’re having trouble viewing this video or text, click here for a larger slideshow with the full results.

We'd love to hear from you on this topic: are you feeling the effects of LAN sprawl? What steps are you taking to regain control?

The survey, conducted in June 2009, is based on 200 interviews with IT decision makers from mid-size (250+ employees) to large enterprises (1000+ employees) across the US (100) and UK (100) regions.

Key Findings: LAN Sprawl Growth

1. 30% average growth in LAN size from 2007-2011 (average across all areas of growth)
2. The largest areas of growth in the network overall over the last two years are:
         *Number of applications (16.8%)
         *Smart/mobile devices (16.6%)
         *Remote working employees (16.6%)
3. The greatest area of risk for UK respondents: ability to control access in remote locations (50%)
4. The greatest risk for US respondents: inability to enforce appropriate usage policies (40%)

Key Findings: Resources and Growth

1. The greatest areas of growth are increases in:
         *Approved business applications
         *Number of applications supported by the network
         *Smart/mobile devices
         *Remote working employees
2. Over the next two years, 55% of US companies expect greater growth, and 44% of UK companies
         *The largest growers are also more likely to increase the pace of LAN growth
3. However, only 42% of businesses have sufficient investment for IT to support their business goals
         *37% say that staffing levels have increased to support LAN growth


Sometimes my VoIP colleagues receive data to troubleshoot in PCAP format, and inside there are TFTP file transfer requests.

- "François, do you have any idea how to view the files with Wireshark?"

- "Wireshark can't do that. Come on, let's code our own mini tool!"

Newsoft told me during the week that Ruby was "fashionable"... so I wrote a mini tool in Ruby that reconstructs the files by reading a PCAP file.

And there you have it: your .jar and your IP phones' boot parameters reconstructed!

The script can be downloaded here.
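As an added example (not the author's Ruby script, which is only linked above), here is a minimal Python version of the same idea: walk the libpcap records, decode Ethernet/IPv4/UDP, pair each TFTP read request with the DATA blocks the server answers from its fresh port, and stitch the blocks back into files, flagging transfers with missing blocks. The capture it runs on is constructed inline; the phone name, addresses and file name are made up.

```python
import struct
from collections import defaultdict

PCAP_MAGIC, ETH_IPV4, IP_PROTO_UDP = 0xA1B2C3D4, 0x0800, 17
TFTP_RRQ, TFTP_DATA, TFTP_BLOCK = 1, 3, 512

def iter_pcap_frames(buf):
    """Yield captured frames from a classic libpcap buffer (either byte order)."""
    endian = "<" if struct.unpack_from("<I", buf, 0)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", buf, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a classic libpcap capture (pcapng is not handled)")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(buf):
        incl_len = struct.unpack_from(endian + "IIII", buf, off)[2]  # bytes saved
        off += 16
        yield buf[off:off + incl_len]
        off += incl_len

def parse_udp(frame):
    """Ethernet/IPv4/UDP decode -> (src, dst, sport, dport, payload), or None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IP_PROTO_UDP:
        return None
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
    return src, dst, sport, dport, udp[8:ulen]

def reassemble_tftp(buf):
    """Rebuild files read over TFTP: {filename: (bytes, complete)}."""
    # A read is keyed by (server, client, client port): the server answers from a
    # fresh port, so only the client side of the tuple identifies the transfer.
    reads, blocks, finished = {}, defaultdict(dict), set()
    for frame in iter_pcap_frames(buf):
        pkt = parse_udp(frame)
        if pkt is None or len(pkt[4]) < 4:
            continue
        src, dst, sport, dport, payload = pkt
        opcode = struct.unpack_from("!H", payload, 0)[0]
        if opcode == TFTP_RRQ and dport == 69:
            reads[(dst, src, sport)] = payload[2:].split(b"\0", 1)[0].decode("latin-1")
        elif opcode == TFTP_DATA and (src, dst, dport) in reads:
            name = reads[(src, dst, dport)]
            blocks[name][struct.unpack_from("!H", payload, 2)[0]] = payload[4:]
            if len(payload) - 4 < TFTP_BLOCK:  # a short (or empty) block ends the transfer
                finished.add(name)
    out = {}
    for name, got in blocks.items():
        complete = name in finished and all(b in got for b in range(1, max(got) + 1))
        out[name] = (b"".join(got[b] for b in sorted(got)), complete)
    return out

def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame for the sample capture (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IPV4) + ip

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))

def sample_capture(drop_first_block=False):
    """Constructed capture: an IP phone (10.0.0.20) fetching its config from 10.0.0.1."""
    phone, server, content = "10.0.0.20", "10.0.0.1", b"<device>" + b"A" * 600 + b"</device>"
    rrq = struct.pack("!H", TFTP_RRQ) + b"SEPphone.cnf.xml\0octet\0"
    frames = [build_udp_frame(phone, server, 40000, 69, rrq)]
    chunks = [content[i:i + TFTP_BLOCK] for i in range(0, len(content), TFTP_BLOCK)]
    data = [struct.pack("!HH", TFTP_DATA, n + 1) + c for n, c in enumerate(chunks)]
    order = [data[1]] if drop_first_block else [data[1], data[0]]  # block 2 captured first
    frames += [build_udp_frame(server, phone, 50000, 40000, d) for d in order]
    return build_pcap(frames), content
```

Run it against a real capture with `reassemble_tftp(open("trace.pcap", "rb").read())`; files flagged incomplete had blocks dropped by the capture, not necessarily by the transfer.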


Launching: SocialMediaSecurity.com

by Tom on July 29, 2009

in SBN

I wanted to get this post up before I leave for DefCon since it will be hard to find time to blog in Vegas.  In a nutshell, I started a new web site called socialmediasecurity.com.  This was originally a project that I started to move my social media research over to a separate web site but has since evolved into something much larger.  What I have done is consolidated (with permission) research from other security researchers such as Aviv Raff, Joseph Bonneau, Kevin Johnson, Nathan Hamiel, Scott Wright, theharmonyguy and more.  Each article links back to the original author.  The purpose of this was to have an easy way to search on a specific topic or social network (for example: Twitter) and get the security information you are looking for.  You can subscribe to post updates via RSS, Email or through Twitter.

In addition, at the top of the page are links to downloadable guides, presentations, videos and more.  All of this content is related to user education and awareness on social media security issues.  This is obviously a work in progress and I plan to have more content added to this very soon.  One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide).  I haven't finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future.  The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.

So…you can also consider this a call for volunteers! :)   If you would like to contribute anything (guides, videos, research, tools, blog on the site) or have feedback let me know by sending me an email (tom[aT]spylogic.net).  There are a few other researchers and volunteers working on some really cool stuff for the web site.  Far too many ignore the security and privacy issues of social media.  We welcome your participation to help make a difference!


The Search for reduced SPAM load – Part 3

by robert on July 29, 2009

in SBN

Take a look at

to understand the purpose of this series and what I'm looking for. As merely firewalling spammers that are in a DNS RBL after they got a 5xx didn't work as hoped, I had another idea.

Instead of only firewalling the spammer, I thought: since there will be no further packet from the spammer within the 30-second timeout, why not just terminate the process that handles the connection? This reduces the process count immediately and makes room for a new connection. A clean solution would implement my complete script in the MTA itself, basically adding the IP to the firewall and terminating the SMTP handling process. But for a mere test it is easy to extend my script to kill the current process.

This Python script (watchForSpammers2.py) does exactly that. It extends the old script by searching the process list for the submit process that handles the spammer's connection, follows its ppid and kills the parent courieresmtpd process with a SIGTERM.
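The decision logic described above, as an added example that is not the author's watchForSpammers2.py: pick the client IPs that got a 5xx out of courieresmtpd log lines, confirm each one against a DNS RBL, and locate the courieresmtpd process to terminate by walking from the submit child up its ppid. The RBL zone, the log and command-line formats, and the process table are constructed assumptions; the firewall rules and SIGTERMs are returned as data instead of executed, with the resolver injected so the example runs offline.

```python
import re
import signal
from dataclasses import dataclass

# Assumption: zone name, log format and submit command line are constructed for
# this example; production code would resolve via socket.gethostbyname.
RBL_ZONE = "rbl.example.invalid"
REJECT_RE = re.compile(
    r"courieresmtpd: error,relay=(?:::ffff:)?(?P<ip>\d+\.\d+\.\d+\.\d+),.*: (?P<code>5\d\d) ")

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    cmd: str

def rejected_ips(log_lines):
    """Client IPs that received a 5xx reply, in order of first appearance."""
    seen = []
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen

def rbl_query_name(ip, zone=RBL_ZONE):
    """DNSBL query name: octets reversed under the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, resolve, zone=RBL_ZONE):
    """Listed IPs answer with a 127.0.0.x A record; unlisted ones get NXDOMAIN (None)."""
    answer = resolve(rbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def smtp_handler_pid(ip, procs):
    """Find the submit child carrying the spammer IP and walk its ppid to courieresmtpd.
    Assumption: the connecting IP appears on the submit command line."""
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        if p.cmd.startswith("submit") and ip in p.cmd:
            parent = by_pid.get(p.ppid)
            if parent is not None and "courieresmtpd" in parent.cmd:
                return parent.pid
    return None

def plan_actions(log_lines, procs, resolve):
    """Return (iptables rules, (pid, signal) pairs) the watcher would apply."""
    rules, kills = [], []
    for ip in rejected_ips(log_lines):
        if not is_listed(ip, resolve):
            continue  # a 5xx alone is not enough; only RBL-listed senders are touched
        rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP")
        pid = smtp_handler_pid(ip, procs)
        if pid is not None:
            kills.append((pid, signal.SIGTERM))
    return rules, kills

# Constructed sample data (TEST-NET addresses, not real senders).
SAMPLE_LOG = [
    "Jul 28 14:37:20 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@b.invalid>,to=<x@mx>: 550 User unknown.",
    "Jul 28 14:37:21 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<c@d.invalid>,to=<y@mx>: 550 User unknown.",
    "Jul 28 14:37:22 mx courieresmtpd: error,relay=::ffff:203.0.113.5,from=<e@f.invalid>,to=<z@mx>: 554 Relay denied.",
    "Jul 28 14:37:23 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@b.invalid>,to=<w@mx>: 421 Too many errors.",
]
SAMPLE_PROCS = [
    Proc(100, 1, "couriertcpd -address=0 -maxprocs=300 25"),
    Proc(4711, 100, "courieresmtpd"),
    Proc(4712, 4711, "submit esmtp dns; ::ffff:192.0.2.10 ..."),
    Proc(4720, 100, "courieresmtpd"),
    Proc(4721, 4720, "submit esmtp dns; ::ffff:198.51.100.7 ..."),
]
SAMPLE_RBL = {rbl_query_name("192.0.2.10"): "127.0.0.2", rbl_query_name("203.0.113.5"): "127.0.0.4"}
```

`plan_actions(SAMPLE_LOG, SAMPLE_PROCS, SAMPLE_RBL.get)` firewalls the two listed senders but only finds a process to terminate for the one still holding a connection.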

You say that's a harsh method? And you ask yourself whether it works: yes, it does.

After some testing I deployed it on the production server; I've had it running for a few days now and haven't hit the maximum of 300 connections since.

For example, take a look at this spam wave:

Tue Jul 28 08:30:51 CEST 2009 5
Tue Jul 28 08:30:56 CEST 2009 8
Tue Jul 28 08:31:01 CEST 2009 7
Tue Jul 28 08:31:06 CEST 2009 2
Tue Jul 28 08:31:11 CEST 2009 3
Tue Jul 28 08:31:16 CEST 2009 4
Tue Jul 28 08:31:21 CEST 2009 13
Tue Jul 28 08:31:26 CEST 2009 100
Tue Jul 28 08:31:31 CEST 2009 77
Tue Jul 28 08:31:36 CEST 2009 48
Tue Jul 28 08:31:41 CEST 2009 31
Tue Jul 28 08:31:46 CEST 2009 32
Tue Jul 28 08:31:51 CEST 2009 39
Tue Jul 28 08:31:56 CEST 2009 34
Tue Jul 28 08:32:01 CEST 2009 19
Tue Jul 28 08:32:06 CEST 2009 19
Tue Jul 28 08:32:11 CEST 2009 18
Tue Jul 28 08:32:16 CEST 2009 18
Tue Jul 28 08:32:21 CEST 2009 16
Tue Jul 28 08:32:26 CEST 2009 15
Tue Jul 28 08:32:31 CEST 2009 13
Tue Jul 28 08:32:36 CEST 2009 14
Tue Jul 28 08:32:41 CEST 2009 19
Tue Jul 28 08:32:46 CEST 2009 53
Tue Jul 28 08:32:51 CEST 2009 58
Tue Jul 28 08:32:56 CEST 2009 38
Tue Jul 28 08:33:01 CEST 2009 30
Tue Jul 28 08:33:06 CEST 2009 28

or the biggest one of the last few days:

Tue Jul 28 14:36:19 CEST 2009 3
Tue Jul 28 14:36:24 CEST 2009 4
Tue Jul 28 14:36:29 CEST 2009 2
Tue Jul 28 14:36:34 CEST 2009 1
Tue Jul 28 14:36:39 CEST 2009 3
Tue Jul 28 14:36:44 CEST 2009 1
Tue Jul 28 14:36:49 CEST 2009 1
Tue Jul 28 14:36:54 CEST 2009 34
Tue Jul 28 14:36:59 CEST 2009 56
Tue Jul 28 14:37:04 CEST 2009 52
Tue Jul 28 14:37:09 CEST 2009 60
Tue Jul 28 14:37:14 CEST 2009 87
Tue Jul 28 14:37:19 CEST 2009 126
Tue Jul 28 14:37:24 CEST 2009 128
Tue Jul 28 14:37:29 CEST 2009 140
Tue Jul 28 14:37:34 CEST 2009 138
Tue Jul 28 14:37:39 CEST 2009 143
Tue Jul 28 14:37:44 CEST 2009 161
Tue Jul 28 14:37:49 CEST 2009 198
Tue Jul 28 14:37:54 CEST 2009 208
Tue Jul 28 14:37:59 CEST 2009 187
Tue Jul 28 14:38:04 CEST 2009 175
Tue Jul 28 14:38:09 CEST 2009 140
Tue Jul 28 14:38:15 CEST 2009 144
Tue Jul 28 14:38:20 CEST 2009 150
Tue Jul 28 14:38:25 CEST 2009 190
Tue Jul 28 14:38:30 CEST 2009 182
Tue Jul 28 14:38:35 CEST 2009 167
Tue Jul 28 14:38:40 CEST 2009 176
Tue Jul 28 14:38:45 CEST 2009 190
Tue Jul 28 14:38:50 CEST 2009 206
Tue Jul 28 14:38:55 CEST 2009 199
Tue Jul 28 14:39:00 CEST 2009 197
Tue Jul 28 14:39:05 CEST 2009 199
Tue Jul 28 14:39:10 CEST 2009 168
Tue Jul 28 14:39:15 CEST 2009 199
Tue Jul 28 14:39:20 CEST 2009 210
Tue Jul 28 14:39:25 CEST 2009 201
Tue Jul 28 14:39:30 CEST 2009 195
Tue Jul 28 14:39:35 CEST 2009 216
Tue Jul 28 14:39:40 CEST 2009 203
Tue Jul 28 14:39:45 CEST 2009 200
Tue Jul 28 14:39:50 CEST 2009 196
Tue Jul 28 14:39:56 CEST 2009 189
Tue Jul 28 14:40:01 CEST 2009 180
Tue Jul 28 14:40:06 CEST 2009 176
Tue Jul 28 14:40:11 CEST 2009 173
Tue Jul 28 14:40:16 CEST 2009 177
Tue Jul 28 14:40:21 CEST 2009 165
Tue Jul 28 14:40:26 CEST 2009 170
Tue Jul 28 14:40:31 CEST 2009 164
Tue Jul 28 14:40:36 CEST 2009 167
Tue Jul 28 14:40:41 CEST 2009 151
Tue Jul 28 14:40:46 CEST 2009 147
Tue Jul 28 14:40:51 CEST 2009 139
Tue Jul 28 14:40:56 CEST 2009 140
Tue Jul 28 14:41:01 CEST 2009 136
Tue Jul 28 14:41:06 CEST 2009 131
Tue Jul 28 14:41:11 CEST 2009 131
Tue Jul 28 14:41:16 CEST 2009 147
Tue Jul 28 14:41:21 CEST 2009 134
Tue Jul 28 14:41:26 CEST 2009 133
Tue Jul 28 14:41:31 CEST 2009 128
Tue Jul 28 14:41:36 CEST 2009 103
Tue Jul 28 14:41:41 CEST 2009 74
Tue Jul 28 14:41:47 CEST 2009 98
Tue Jul 28 14:41:52 CEST 2009 91
Tue Jul 28 14:41:57 CEST 2009 75
Tue Jul 28 14:42:02 CEST 2009 75
Tue Jul 28 14:42:07 CEST 2009 88
Tue Jul 28 14:42:12 CEST 2009 89
Tue Jul 28 14:42:17 CEST 2009 83
Tue Jul 28 14:42:22 CEST 2009 81
Tue Jul 28 14:42:27 CEST 2009 64
Tue Jul 28 14:42:32 CEST 2009 55
Tue Jul 28 14:42:37 CEST 2009 71
Tue Jul 28 14:42:42 CEST 2009 52
Tue Jul 28 14:42:47 CEST 2009 45
Tue Jul 28 14:42:52 CEST 2009 40
Tue Jul 28 14:42:57 CEST 2009 41
Tue Jul 28 14:43:02 CEST 2009 40
Tue Jul 28 14:43:07 CEST 2009 36
Tue Jul 28 14:43:12 CEST 2009 35
Tue Jul 28 14:43:17 CEST 2009 32
Tue Jul 28 14:43:22 CEST 2009 32
Tue Jul 28 14:43:27 CEST 2009 28
Tue Jul 28 14:43:32 CEST 2009 26
Tue Jul 28 14:43:37 CEST 2009 20
Tue Jul 28 14:43:42 CEST 2009 15
Tue Jul 28 14:43:47 CEST 2009 14
Tue Jul 28 14:43:52 CEST 2009 14
Tue Jul 28 14:43:57 CEST 2009 15
Tue Jul 28 14:44:02 CEST 2009 11
Tue Jul 28 14:44:07 CEST 2009 6
Tue Jul 28 14:44:12 CEST 2009 9
Tue Jul 28 14:44:17 CEST 2009 7
Tue Jul 28 14:44:22 CEST 2009 7
Tue Jul 28 14:44:27 CEST 2009 11
Tue Jul 28 14:44:32 CEST 2009 14
Tue Jul 28 14:44:37 CEST 2009 11
Tue Jul 28 14:44:42 CEST 2009 9
Tue Jul 28 14:44:47 CEST 2009 9
Tue Jul 28 14:44:52 CEST 2009 2
Tue Jul 28 14:44:58 CEST 2009 3

If you compare that to the values from my first post you can see that it really works. Currently it is only a test script that is not tuned for performance: on a big wave I have trouble killing the processes as fast as they are forked, but a better algorithm would help here. I will also look into limiting the number of new connections per second I accept, via iptables.

But the biggest win would be if courier were extended so that the SMTP handling process itself adds the IP to iptables and then terminates.

Anyway, I'll try to turn my code from a mere test script into one I can run in production 24/7. I'll keep you posted; any ideas on your part?


419 scammers using Dilbert.com

by Anton Aylward on July 29, 2009

in SBN

http://blogs.zdnet.com/security/?p=3809&tag=nl.e539 Oh, the ignominy! On their way to search for clean IPs through which to send out yet another scam email, 419 con-artists (Mrs Sharon Goetz Massey) have recently started using Dilbert.com’s recommendation feature in an attempt to bypass anti-spam filters — and it works. The use of Dilbert.com’s clean IP reputation comes a month after [...]


What makes a solid security program?

by dre on July 28, 2009

in SBN

In my most recent post, I identified the direction and state-of-the-art in application security. We all know of the importance of application security in today’s environments. However, finding out where to fit application security policies and programs into an overall security program (or organizational security plan) is as difficult (or more difficult) than integrating mandatory regulations, compliance standards, secure enterprise architectures, and many other risk management activities.

Building a continually improving security program is an important and common topic. For many CISOs and other directors of security programs — this has been their day job since they earned their titles. There still exists huge gaps between IT/Operations, Application Development, and Information Security Management organizations and how they work together. There are gaps in communication between departments, and even within departments. The challenges of finding and retaining talent are not unique only to appsec, as suggested in my last post.

I’ve only spoken about building a security plan once before on this blog, but it’s a popular conversation making the rounds. securitymetrics.org (the blog, mailing-list, Metricon conferences, and book) resurfaced a lot of my interest, as well as the work that Mike Rothman did with the Pragmatic CSO, Michael Santarchangelo with his book and the SecurityCatalyst blog/podcast/forums, and numerous others.

Not all security programs and bloggers have picked up on these resources. Take Creating a Solid Security Program from Accuvant’s new blog called Insight from Kirk Greene. He appears to be familiar with some of the above resources, but I think there is a lot more out there. After you read my comment (which never got “approved”), be sure to check out the new material I’ve been reading on the state-of-art in information security management, especially including the human element.

Comment gone wrong #2

I think what you wrote here is a great example of a vulnerability management program, but not a security program. Even then, it’s actually more operational (like a compliance initiative) because it gives little strategic or tactical advice.

Starting with awareness is probably the worst way to build a vulnerability management or security program. Maybe we just disagree, but I’d like to see some evidence or metrics demonstrating that this technique has any value, if you can point me to the literature.

Capital planning based on current or mock Strategy Maps and Scorecards/Dashboards is really the first step for building a security program. It is often best to first work with risk management (an operational activity) that can feed metrics up to the strategy, although this should be done along with compliance, regulatory requirements, and potential liability factors. Risk assessments, especially ones done with data classifications, can be the tactical metrics to pull into a risk management report. Simple risk assessments can be done using business tools such as 5 Forces, PESTEL, and/or SWOT analysis — although in security we have various others including FAIR, FMEA, and PRA.

I also like the concept of drilling down another strategic metric platform via Enterprise Architecture, in particular an Enterprise Architecture Blueprint (such as the one from Gunnar Peterson). Enterprise Architecture can bring metrics down to the operational level with security policy and certification standards. These can be turned into server and application hardening standards at the tactical level.

Finally, asset/inventory management is another strategic activity that can be conducted to build a proper security program. When combined with the risk analysis data, asset management will provide guidance on where to scan & patch, pen-test, and perform exploit development activities at the tactical level. These tactical procedures can then provide more metrics up to risk management, and back again up to more strategic activities.

On second or further iteration, a balanced scorecard can easily be created to include compliance metrics (operational) along with a strategic direction (suggested as a strategy map). The balanced scorecard could then include metrics from incident management, which in turn could feed back into risk management and liability factors. SABSA could be used to build a governance program to keep the capital planning and security program alive and running with the rest of the business. Additional qualitative metrics based on organizational development and organizational behavior could be included in a hybrid platform such as business scorecards very easily, including Six Sigma metrics such as Voice of the Customer, et al. Simple, isn’t it?

Your notion of using Application Security Scanners in a vulnerability management program disturbs me — especially in the way you have suggested it. Maybe you’re not familiar with these tools or how an application assessment is best performed to today’s standards.

First of all, the surface coverage for even the best app scanners is 94%, with many getting less than 1% surface coverage. Even IBM/Rational AppScan was only showing 74% surface coverage using modern link extraction application drivers.

Secondly, the false negative rate of app scanners is approaching 92%, often more. The false positive rate varies between tools, testers and apps, but I’ve seen figures as high as 40%. App scanners must be properly configured and utilized by an expert in order to be effective at all. Even then, black-box app scanners need to be combined with static analysis and manual expert review for a significant majority of applications falling under “most-risky” data classifications such as PII (PCI-DSS, HIPAA, state performance auditing, etc) or financial data (SOX, GLB, et al). Even middle-of-the-road risky data classifications (e.g. proprietary information that has yet to be patented) should probably have more done to them than a simple black-box app scanner.

When I say manual review + static analysis, I really mean it. The automated tools pay for themselves by the amount of time saved — but can never be used alone. Security review tools that implement static analysis techniques, such as Fortify, Ounce, Checkmarx, Parasoft, Grammatech, DevInspect, AppScan DE, Coverity, Klocwork, and SciTools have better false negative rates than black-box scanners, but much worse false positive error rates. FN is usually between 65-85% (the tool FAILS to find vulnerabilities this often); FP is 85-99%, you’ll often see more “vulnerabilities found” than lines of code averaged across apps. This is why manual expert review with full-knowledge remains the best application assessment technique.

I don’t mean to harsh on you too hard, but it does appear that you need to do more homework before making prescriptions for building a security program — let alone a vulnerability management program. You seem to be capable of providing this information accurately (based on your last blog post and the great blogroll you’ve setup so far), so I expect better out of future blog posts.

Aftermath and reasoning

The consulting companies that I work with (and other colleagues, often consultants from other consulting companies that have been on the same or similar engagements with me) have all taken a strong interest in building trusted advisory adjuncts to the “too busy IT manager” or Mascot CISO/CSO. We have to in order to remain relevant and respected. However, I’ve always viewed consultants as “the colostomy bag of a very ill organization”. Fix the organization and the technology advancements (or whatever else is needed) become agile and sustainable.

Rafal Los recently had me on his 31337 Spotlight: Andre Gironda for his Digital Soapbox blog. BTW – Thanks Rafal — hope you and nearly everyone else are having fun in Vegas right now! There are a few links which may have got lost in my nonsensical chatter, so I wanted to specifically point them out. I said:

I like the idea that I can use my hacking skills for good and cause organizational change through discovery of organizational management and behavior. A real "hack" to me is to take a dysfunctional organization and turn it into something awesome.

There are very few state-of-the-art resources on organizational theory combined with information security management. Allow me to point you to the few that I’m familiar with and highly recommend. After you check them out, you may find yourself coming to similar or related conclusions as I did with the above comment.

I have at least one more of these “comments gone X” posts, but the next ones should both begin and end on more positive notes. If you have any suggestions of comments you’ve seen from me that you would like to see turned into a blog post, let me know!
