An obituary to pentesting?

I just saw a blog post in which Mike Kemp discovers the realities of 2010 (linkedin). (disclaimer – I know Mike and love him as a person, and this is my way of poking at him a bit – no disrespect here, but pretty much the opposite)

Now, go read that post (yes, I know, it’s long, but trust me).
This isn’t new (albeit very honest, direct and true), but here are a couple of comments I have:

  1. Penetration Testing is dead. Overrated, and abused by fancy vulnerability scanning, it died a few years ago. If you are still paying for one – check carefully what you are actually getting…
  2. Automation is king. I actually argue that 80% of what’s sold as a pentest by the major providers can/should be automated. All those scanner monkeys should be fired or forced to step up their game and actually do some work.
  3. Compliance? Really? Do you really want to go there? It’s got nothing to do with security, and if you thought so for a second I want to have what you were on when you did.
  4. Standards. This is where Mike touches on a sensitive topic for me (yes, PTES…). I’d actually challenge Mike to show me how PTES (which he mentions in the post – but you already know that because you read it, right?!) restricts providers by providing the engagement steps – which they should follow. There’s no restriction on scope, and I have personally used PTES in red team engagements. Full scope, no holds barred. But still with a standard to follow, and something the client can also keep track of and know what to expect (and demand).
  5. I fully agree on the “pass the wealth” point where you should call in someone else who’s an expert to deal with a specific client request. Done that many times, and have never lost a customer that way.

Last but not least – yes, I do think that most pentesters can be replaced with a script. As they should be. I do however have some solid advice for Mike and others who are still valuable professionals with skills that are not replaceable by automation: demand a proper engagement model. And yes – I’m referring to the PTES again. You’ll notice that threat modeling is part of it. Done properly, threat modeling achieves multiple goals:

  • Forces the discussion to be around security rather than compliance, price or other factors that have nothing to do with security.
  • Scope goes out the window as threat models focus on the BUSINESS and not the TECHNOLOGY.
  • Enables the organization to test itself against its adversaries (threat actors/communities) rather than against pentesters. Much more rewarding, and correct.
  • Enables the provider (if it can muster a decent threat model with the client) to charge decent rates for its services. You can clearly show how this isn’t some automated software running and spitting out reports, but skills and experience at play. It’s then your responsibility to follow through on it and make sure the final deliverable also looks like that (otherwise you are looking at a very short-lived success for trying to adopt only part of this approach).

I actually welcome the hordes of scanner monkeys and tool-jockeys. They make the real professionals look even better. And although professionals don’t often have the marketing/sales power of the big-[number], trust me – they are busy, and doing work that the “big” and “trusted” suppliers can’t even start to put on their canned proposal templates.

Amazonian Trojans and Marketing Fear-Mongering

Hello there, welcome back to our scheduled programming on how to drum up clicks and views on your website “Powered by Fear Uncertainty and Doubt”.

As most marketing organizations know, sometimes you need to be a little creative when coming up with news and research. You draw a target for your security researchers to hit, and hope they come back with meaningful data that’ll make it to the next news cycle. And sometimes it actually works.

This time it didn’t. Recently, when reviewing my Twitter/Facebook feeds, I ran across “news” stating that Amazon (OMG – our trusted Amazon) is selling rooted Android tablets, preinstalled with Trojans. Most of the public probably goes: “Hide your Nexus and shoot your Kindles!” in response. How dare Amazon sell us trojaned tablets?

But worry not: after actually reading the details of the article (and the original research report) you’ll understand that:

  1. Amazon has nothing to do with this. Just like you and I can set up shop on Amazon and start selling backdoored laptops, Amazon wouldn’t have anything to do with said backdoored laptops.
  2. It’s not about your usual tablet. So you can pull back your Nexus, brush up your Kindle, and keep using your Asus/Samsung/LG/[brand] Android tablet.
  3. It’s not even really an Android issue. One could have jailbroken an iPad, installed a backdoor/trojan on it, and sold it online. The Android part relates more to the price point and the ability to sell really cheap tablets.
  4. I dare you to recognize any of the “brands” of tablets sold with these trojans. Funny, the top “brand” is actually, wait for it, “NO BRAND”. I kid you not.

So after sorting out the FUD, we are left with not much of a scare. Suspiciously cheap tablets, marketed mostly as “no brand” (or other brands which at least I’ve never heard of), are filled with questionable software. Kinda reminds me of even “big name” manufacturers who load their phones/tablets/laptops with assorted unwanted software (officially dubbed “bloatware”). Wow. How did this not make headline news across the nation?

Bottom line – it’s pretty sad that we end up running research on the fringe areas of consumer devices and shopping behaviors. Yes, there’s a technical merit to analyzing a Chinese backdoor, but marketing it as “OMGWTFBBQ!” by sprinkling in Amazon and Android in the headline is pure marketing alchemy. Let’s get back to two things:

  1. Educating people that when a deal seems too good to be true, it probably is.
  2. Focusing our research efforts on more meaningful things. Yes, this also applies to stunt hacking, or junk hacking of sorts. There’s a lot of brainpower that could be diverted to solving problems that we have been dealing with for ages, yet would probably yield less media buzz.

Debunking the “8200”, “81” and other #### ex-Israeli Army Intelligence myth

I’m a known and pretty vocal advocate of self-learning, self-starting, and an inquisitive entrepreneurial spirit. As such, I’ve witnessed over my years in the security industry a lot of occasions where the halo or myth surrounding some so-called “elite” units in the Israeli Army Intelligence has blinded people.
Such blindness comes from a very small percentage of people who capitalized on what used to be highly selective knowledge and experience in a narrow field of practice. But that was almost 20 years ago. Companies like Checkpoint, Nice, and Amdocs were all started by alumni of such intelligence units, who basically applied their specific experience from the army signals intelligence units to building firewall systems, telecom and spy/monitoring technologies.

Nowadays, the reality could not be further from this. What used to be a very specific skill-set and knowledge is mostly open, and freely accessible to anyone with the right aptitude to pick it up and master it. Back in the day you had to earn your “hacker cred” in order to get access to the forums where people were sharing knowledge; today most of that “exclusive/unique” knowledge is wide open and available.

And today I ran across an article that infuriated me because of its ignorance. Enter: “The cyber labor market in Israel, the cyber guild”. In this article, the author claims, again, that the “ex-#” alumni phenomenon is filling the Israeli market and basically owning it to a point where non-guild members are shunned. It claims that whereas information and knowledge should be (or is?) open, in the guild market it matters more where you came from than what you actually know and have experience with.

I respectfully call BS on this. It’s just not the reality anymore. Yes, there is an obvious alumni network effect, but one that is just as common with other alumni organizations (think Ivy League universities, local schools, or any other melting pot where people get to know one another). But the “guild” part is just wrong. It’s actually the complete opposite. After the initial success of the early founders, the “ex-#” units basked in the glow and enjoyed a fairly long streak of alumni who only had to mention their unit’s name (or not even that – just to keep things more hush-hush) in order to nail a high-paying job.

However, with such high expectations, the failures became more apparent. And then the realization – that 8200, which is the largest unit (people-wise) in the Army, does not actually employ thousands of talented programmers and hackers. That a huge percentage of it are grunt workers, pushing papers, poring over analyst reports, and operating the collection and dissemination processes and technologies. Glorified IT support in most cases. And with that, the sham evolved. The “friend brings friend” system worked most of the time when the initial friend was one of the actually few talented alumni, who brought their few talented friends. The rest ended up blowing the bubble out of proportion, and infusing the industry with the glorified IT technicians.

And the industry balked fairly quickly. I have personally witnessed companies hurting and buckling under the cost of incompetent alumni recruitment, eventually realizing their mistake and quietly ditching those hires. I have personally interviewed tens (if not hundreds) of people, and very quickly realized (again – after making a few trust mistakes myself) that my gut feeling and personal assessment of one’s personality is more consistent than their alleged history in a “famous” unit.

I have personally mentored extremely talented people who had to fight for their place, had to learn programming languages and platforms, gain their experience in the real world, and become some of the more sought-after talents out there. At the same time I’ve seen the “ex-#” alumni stagnate at dead-end jobs because they could not scale beyond their alleged field of expertise. The market out there is highly capitalistic. It won’t tolerate too much of the halo effect, and despite huge efforts to fuel that effect through several alumni organizations, and alumni in executive positions, this doesn’t really hold. If you are looking for innovation and “thinking outside the box”, maybe try to look for people who have not been indoctrinated in a very strict environment to perform a very narrow task. Look for people with broad experience, from different walks of life, who share core traits – curiosity, innovation, drive, and the ability to say “I don’t know”. That’s how the modern market operates. There is no guild. And if you are led to believe so – try to see who or what gave you that impression. You’ll be quick to learn that it is mostly self-serving marketing created to favor the less talented who need to rely on riding the coattails of the successful few. Who, by the way, were mostly self-taught and would have made it without having the “ex-#” experience 😉


Social media and online interaction are dramatically changing the way our companies and employees interface with society at large. Recent examples of people tweeting or posting something silly or offensive and being responded to by doxxing or even threats of physical abuse are, unfortunately, becoming more common.

Today SIRA members Alex Hutton and Ian Amit are publicly announcing an open (free as in speech, free as in beer) project to help security departments identify social media presences that are more “at risk” of negative reactions and general information security risk. This framework of indicators is a little something we’re calling “Social Media Risk Metrics” (catchy, right?). SMRM is being introduced at DerbyCon today, complete with a demonstration, worksheet tool, and suggestions for further development.

The mind map is available here:

The calculation tool on Google Sheets is available here:
And the talk’s video will be posted through DerbyCon soon [link placeholder]

Additionally, here are some of the links mentioned in the talk; these are all tools that can be used as part of the OSINT collection and analysis that is part of the SMRM.
Predicting elections paper:
Sentiment analysis tools: