May not be completely safe for listening to at work (especially not with speakers…).

On that note (of shameless plugs) and as we noted on the podcast, if any of you know (or are) potential sponsors for BSides, and ExcaliburCon (especially if you have or want exposure in the Chinese market) feel free to contact us – g0d be my witness it’s not really expensive to sponsor, but critical as these shows are not cheap…

Closing up for now (until later this week probably – expect some new material), just a heads up on the upcoming speaking engagements:

April 14-15 at BlackHat EU in Barcelona, Spain.

June 13-18 at FIRST in Miami FL.

More to come soon…

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. ExcaliburCon summary and general China notes
3. Clouds, and the winds that blows them away…

One tiny thing mudded the whole experience – a couple of days after getting the Macbook Pro, I’m finding a single “stuck” pixel. Really annoying (nothing life-threatning, but definitely not Apple-like…). So I call support. Great guys on the phone, really appreciative (and just as annoyed as I was by the pixel). Too bad I was on my way back to Israel – the land of service that sucks.

And so I’m faced with the local Apple representative (hope that they wouldn’t stay Apple affiliated after this) – who got the repair order from Apple US – to replace the screen or the entire laptop (yes – they would do that in the US…). BUT (and that’s a big BUT) – the local guys aren’t as savvy to help as their US counterparts. Especially if the laptop was not bought at the local Apple store (where the prices are literally double than in the US – and you get dirt on your keyboard in the form of Hebrew alongside the English engraving).

Long story short – laptop left at the authorized service center just to be returned with a “we don’t fix issues that concern dead or stuck pixels – live with it”.

Fast forward one week – entering a web scheduled Genius appointment at an Apple store in the US. Was late 20 minutes (flight delays). Huge line, but local crew is super supportive, getting the manager to deal with me (laptop is being used for work, and I kind’a got attached to it…). 2.5 hours later I get an email – come pick your laptop – we fixed it (in Israel it took them a whole day – without even touching it). Picked up the laptop when the store was CLOSED (staff was happy to assist, and offered additional support and tips).

Laptop has EVERYTHING new (looks like they just swapped out my disk and memory to a fresh piece). Fully working, no bad anything, one happy customer.

How F*#&ing hard was that huh?

No related posts.

Just to set the stage right – we are at a point where I just saw a USA Today “Money” section front page article on how Google’s engagement with the NSA post the breach will affect the security vendor market, and a few VCs were also quoted to the fact that we will be seeing IPOs this year that will ride this trend.

Overhyped – definitely. Real – just as it’s overhyped. You must be asking then what to do? If the hype is too much, then there must not be so much behind these scary global cyberwar threats! Not exactly – the threat exists, and countries do deal with making sure they have an edge over everyone else (see how I didn’t use adversaries… hint, hint ), but at the same time this has been happening for years now.

The news here is somewhat lukewarm when compared to the hype. The news is that it is becoming common knowledge that companies tend to miserably fail when keeping their own intellectual and informational assets under wraps. The news is that even the “do no evil” Google(tm) have their own share of problem using old(tm) (or should I say pathetically insecure?) software inside the Googleplex.

But let’s dig a little deeper past the hype – have anyone heard of the fourty-something other “big” companies that were affected? have anyone heard of the thousands of companies that deal with data of sensitive nature (whether they know it or not) that also have a big job ahead of them dodging the flak from their local government trying to make sure the exposure is somewhat lessened? Probably not.

I’ve have the questionable pleasure of assisting some of these entities – which have anywhere between loose and close ties to local and federal government (either providing data at will, or being relied on for compiling national threat level information at varying level of the threat modeling). Without getting into any specific details I can truly say that I was simply disappointed. A lot of good people trying to do good things, but ev

entually (as always) a big fat failure due to some sideline error brings the whole security architecture down. Things as easy as applying service packs, eliminating use of old un-pached software (IE6 – are you still here? I think I to

ld you to get out and never come back again!) and just plain good-ole’ malpractice.

Without sounding too dreary (I’m sure the horrible weekend east-coast weather is doing that to me) we still have our work cut out for us. As long as people (non-security-industry ones) are ignorant regarding the implications of their actions in an all-connected world (nice evasion of “cyberworld”!), holes will be cut open in any modern security design – no matter how well it was thought to be, or how much money was thrown into it. With almost zero-cost, we managed to implement an “idiot-proof” system that would just stop these things from happening for one of the companies…

What can you do? remember how we were taught to plan for the worst – count people in that too. Your people. They may be the smartest guys in accounting, or marketing, or production, but in terms of information assurance they can be your worst enemy (no offense guys, but it’s just like that…).

Related posts:

1. ExcaliburCon summary and general China notes
2. Practical vs. Regulatory – the votes are in!
3. CyberCrime, CyberWarfare, and 2010

What I would do is give a quick preview on some areas of interest which I’m focusing on now – as you know, CyberCrime has been a big thing in terms of a research topic for me during the last few years. As expected, the simple technical stuff has been less of a focus (predictable, not so innovative), and the behind the scenes of how this whole thing works as a business and an industry have been the areas of innovation and true new insights on my part. As the research I conducted and managed chugged through, the many evidence that came to view also contained additional “leads” into areas that I have not explored firsthand before. That’s exactly what I’m knee-deep in now…

There have been rumors (some of them sprinkled by yours truly in my latest talks worldwide) of links between CyberCrime and nation endorsed CyberWar. In an attempt (which would hopefully not completely fail ) to make some sense out of the materials gathered and the links mapped thus far, I’ll have something ready pretty soon for peer review (if I nagged you than now you know why…), and a more public presentation of the material (again – hopefully at some of the security conferences of 2010).

So, just about making it to the first post of 2010 here, have a great year, and… stay safe out there

IA

Related posts:

1. Cyberwarfare and Cybercrime – more links turn out in study
2. DefCon 17 talk video available!
3. ExoticLiability podcast interview

Not that there is anything revolutionary about the report – it’s the same basic “look at what we could figure out from our logs” type, loaded with graphs and tables (as opposed to forward looking research, or one that dares to predict or create a disruptive technological/behavioral change). But the mere use of “MalWeb” is funny since I clearly remember starting to use it in an internal meeting some years ago back when we used to issue reports ourselves…

In any case – use this “with caution” (just as you would use last years financial news to base your investments on), or better yet – just use the graphs and maps to scare potential customers Hope that the nest report would have a somewhat beefed up sections discussing “what to look for” (a mere single paragraph here), and more discussions on the thinking of how domain names are picked by eCrime operators to reach their target audience.

Keep safe!

Related posts:

1. Getting a business degree as part of Security Research?
2. Malicious ads circa 2007
3. Two steps forward, one step back – controling botnets…

I’m not putting any links to BeeFence since it was a startup I had the honor to be one of the founders of (which obviously went down the road of many other startups…), but the neat thing about it was the technology (did I mention I was the CTO ). Basically – we had what we called “Active Validation” (or sometimes “Interrogation”) of sessions. We generalized it a bit more to cover additional protocols rather than just focus on Web2.0 (think what it can do to the NIDS/IPS world…).

Makes me think of getting back on the startup bandwagon, although I’d have to make some sense out of the drawer-full of ideas I’ve been filling over the past few years having been engaged in web security and cloud security recently… you never know

Related posts:

1. Two steps forward, one step back – controling botnets…
2. Clouds, and the winds that blows them away…
3. ExcaliburCon summary and general China notes

Conference first: It was just great! No-nonsense, I have been speaking at quite a few conferences around the world, but this one really was special. From the organization, through the location and hospitality, down to the fact that we basically were less than a dozen (western) speakers hanging around all day (and night) which really was a great opportunity to make some new friends and strengthen existing friendships.

Talk wise, I have really enjoyed Nathan Hamiel’s “weaponizing the web” talk which I missed at BlackHat earlier this year – right up my alley of the past year’s research on MalWeb, and a great person in general to hang around with.

Later on Steve Topletz has been discussing intelligence on the internet and the superpowers that are engaged in it (with a strange kudos to a little country called “Israel”? Thanks Steve!) which was I’m sure an eye opener for a lot of people who were not privy to some of the data presented.

I also watched the Joe McCray deliver his “this is so easy” advanced SQL-Injection attack talk with the style we always expect Joe to deliver. Adam Laurie (Major Malfunction) has been wrecking havoc with his RFIdiots talk as usual (and in several other places where we hung around). Jordan Wiens made all this Capture-the-Flag stuff look like a big game (don’t think it is for a minute – the skill-set that a team needs to possess is just brutal, and the challenges are as hard as they are fun!). Jayson Street has been juggling with organizing the conference but managed to smoothly present his talk as well, and I can only say I’m really disappointed for missing out Chris Nickerson’s red-team testing talk (close to my heart and business), as well as Wim Remes’ Open Source Security one (one of the few true Unix guys out there and a swell chap overall ). FX did not miss his mark either as he delivered a riveting router exploitation talk (riveting for English speakers – not sure how the somewhat direct language translated to Chinese…).

Other than the conference, China has been a great experience – culturally, politically (don’t get me started), culinary (we got pictures – not for the faint of heart), and technologically (I told you not to get me started…). I have learned a lot (which should be the case for every trip and conference) and am sure to come back for more next year after WuXi will recover from the can of pawnage we have opened up there.

The rest of the stories may not be SFW and deserve a been to be divulged, so until then, keep safe!

Related posts:

1. The China/Google thing, accountants and other miscreants
2. ExoticLiability podcast interview
3. CyberCrime, CyberWarfare, and 2010

The slides and audio are also available in my section on the DefCon17 archives: http://defcon.org/html/links/dc-archives/dc-17-archive.html#Amit

Have fun!

Related posts:

1. Post BlackHat, pre DefCon
2. Botnet communications moving to Web2.0
3. CyberCrime, CyberWarfare, and 2010

First things first – the main reason for abstaining from the cloud security discussion was simply the lack of definition (and existence) of clouds… True – Amazon has provided the infrastructure to the first layers of building cloud solutions, but full-on “process-as-a-service” has yet to emerge from the different offerings that call themselves cloud. There has been enough ink (bits?) spilled over what really is  cloud computing and what it isn’t (you can check out Craig’s presentation, and Hoff’s view on things).

And now to my 2c on the subject at hand, I have been involved with a few cloud security companies in the past months and being able to lend a hand at the strategic level, I was exposed to several aspects of where are we now with cloud computing, where are the gaps that security firms will need to pitch in and provide basic protections, and a whole lot of marketing fuzz that needed to be thrown off in order to realize what’s out there.

To begin with, we had to sift through the marketing mambo-jumbo to get to the point – seems like the more expensive your marketing budget is, the farther away you get from reality in your message – too bad (and that’s coming from someone who turned a lot of technical material into marketing…). Hence the first point – blowing enough smoke to make everyone tear does not constitute for creating a cloud.

Point two – now that we to the bottom of the offering (and I’m not going to name names…), one usually realizes that it has either been out there for quite a while and has been wrapped in clouds to sell it better, or that someone has made some basic adaptations to an existing offering (see roaming users, VPN, scanning services) to cloudify it. Whatever is left that did not fit into the previous schemes is worth a second (or is it third by now) look.

Point three – what’s the market for your cloud offering? The last hurdle that all these new cloud companies face is choosing (or defining) a direction. Do you see yourself providing a solution for the end users? for businesses? for the cloud infrastructure providers? for providers of services/software/processes on the cloud? If you get an answer in the lines of “we basically provide a solution for all of them” – run! As each of the mentioned markets have different needs, and different views on their place in the cloud, you better get a solid answer for this. I strongly suggest reading the “Cloud Architecture” section written by Chris Hoff which is part of the Cloud Security Alliance’s “Guidance for Critical Areas of Focus” starting at page 15 in order to get an idea on the latter.

Now with most of the fluff away, and the offering at hand we can actually focus on whether it makes sense (business-wise), and where does security fit in. By no means this is going to be a guide for securing the cloud, but always remember the architectural model – from hypervisor, all the way through multi-tenanting, data abstraction and sharing, inter and outer process communication, and off to simple abuses of the cloud in the form of DDoS, Botnet tools, etc…

Hope this made some sense – if not I can only suggest reading some more material on it, and to play around with the current offerings from Amazon, Azure (MS), and Ubuntu (Canonical).

Related posts:

1. AHA! A blast from the past…
2. Cyberwarfare and Cybercrime – more links turn out in study
3. Two steps forward, one step back – controling botnets…

Recently, I ran across an article that “exposes” such a scheme as if it was completely new (see Register article here). My initial response was to tweet about it as it reminded me of how we covered the same issue some years ago. It was late and I was trying to recall how far back was it since this coverage, and surprisingly I got it right! 2007…

Having been running this blog which saves all of my “historical” posts, there is even one dating back to September 2007 here, which references a report I issued for the 2nd quarter of 2007 (means it was written in May) and tracks the story published on the Q1 report (which would mean that I almost missed it and some of these were tracked back at the end of 2006). Funny story how a 3 year old news is reemerging now… For your comfort here are a couple of excerpts from the original research (find the differences…):

Numerous parties are often involved in getting an ad from an advertiser to a consumer. These include advertisers, ad agencies, advertising affiliate networks, adware makers, software makers, distribution affiliates, distribution affiliate networks, and websites. This complicated network of relationships can make it difficult for advertisers to know exactly where their ads are being delivered.

As websites depend more on advertising revenues, they often display ads from third party advertising networks, over which they have little or no control. While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes “sublet” their space to others. This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content.

Bottom line – same as always. If it works, no point of changing anything. Back at the time we were watching sites such as MLB.com, CNN.com and other high profile ones serve malicious ads, and today the situation is not any different. And I thought that I had to keep on the cutting edge of research to keep up in this line of business

Keep safe!

Related posts:

1. Malicious space on MySpace
2. And the winner for “top virus” of 2007 is…
3. Have something to hide? make a lot of noise about it!