We expect to have great participation from all areas of the industry, are working on a great venue to host the conference, and are opening up the Call for Papers.

Please see the CSA-IL WiKi for additional information on how to submit for the CFP:

http://wiki.csail.dreamhosters.com/wiki/CSA_conference#Call_for_papers

Looking forward to seeing you all there!

Related posts:

1. Upcoming Conference Schedule
2. ExcaliburCon summary and general China notes
3. Being in the middle (or: things we didn’t manage to learn in a decade)

So, one time, at security camp, I figured that there isn’t a whole lot of infrastructure in my back yard to really call a decent CERT. I have experienced that multiple times (and again and again) when handling major incidents that prompted incident handling in dozens of countries around the world, and when trying to do the same back home (in Israel), I got “bobkes”.

The thing is, there are currently two “CERTs” operating in Israel – an academic one (ILAN-CERT) which only server a portion of the actual academic networks in Israel (surprise surprise…), and CERTGOV-IL (which seems to be mostly in maintenance mode, and only server the government sites). Bottom line – if you want to report an incident that does not fall into these CERTs constituency (about 90% of the cases), you are out of luck…

So, just like the ever-optimistic fool that I am, I decided to give it a try and start a normal IL-CERT. Back at the time when I started to dance the political/bureaucratical dance I figured that it would be a good idea to present at FIRST2010 as IL-CERT would be alive by then. Ahhh, the optimism…

Months went by, emails flew, and meeting were held, and I arrived at the FIRST conference with only a glimmer of hope for a decent CERT. I almost dropped all hope for it, but then had a great time running into the FIRST crowd. Every time I got into a conversation with a member, I usually got the same question: “so, can I send you information on incidents in Israel? Because there isn’t anyone to send data to for years”.

Embarrassing. Nothing less (and to think that there was another Israeli “CERT” member onsite…). Long story short – I’m currently willing to put my hiney on the line and at least be able to say that I tried.

So here goes – I’m publishing an open call to anyone local who would like to participate and contribute to the IL-CERT. Also – if you need/want to report on any incident related to the constituency of a decent IL-CERT, please feel free to pass it my way until we set up the basic infrastructure for IL-CERT.

Wish me (us?) luck and godspeed. And thanks again to everyone who I met at FIRST-2010 and have reinforced my crazy endeavor.

Related posts:

1. The Turkish hack and another case for IL-CERT
2. Cloud Security Alliance Conference (Israel) – CFP
3. Taking the Red Pill Down the Rabbit Hole

It all started in Berlin when I realized what an amazing community we have. People from all over the world coming over for 3 days of sharing, networking and listening to talks (oh, and partying). I also have the great honor of calling a few of these guys friends. Friends that I know that I would be honored to help if they needed anything, and friends that I know I can “drop on” if I happen to get into a snag in their hometown. Friends that I only see in-person 2-4 times a year, but still consider them one of my closest.

I saw borders dissolve in an instant as politics, geography and history dropped in sight of a beer or a cool PoC demo on someone’s PC, and I had great conversations with people I just got to know and am sure will run into again in the future.

And then I got back home. I don’t need to mention the unfortunate events that took place a couple of days ago, and I’m not going to point fingers at anyone. Everyone had their agenda, some sides were more optimistic, some had better planning, some had better intent, but the end result is what it was. Sometimes as we say it’s better to be smart than to be right…

That was just a day before I flew over to Athens to talk at Athcon. People around me started freaking out, having the entire area feel like a barrel of gunpowder, and the media adding in some FUD to top it off. And then I recalled ph-neutral. A couple of hours later, a friendly cabbie and what looks to be a really cool con, everything is left behind. The community wins again, while politicians keep meddling with their agendas.

I just hope that more people could find such communities where borders are bridged, and religion/ethnicity/gender become irrelevant in light of a common cause/interest. I’m truly happy that I had a chance to debunk myths that I’ve had in my mind, and other people had in theirs, and really hope that this focus on a common interest could work elsewhere.
Now off to polish off my presentation for tomorrow. Stay safe out there!

Quick update [6/7/2010]: Athcon was fantastic! I’ve had a great time in Athens, had a chance to finally meet some really brilliant minds that I’ve been following for some time online, and was fortunate enough to experience the famous greek hospitality. I am reassured with my previous assumptions that all these politics are just the attempt of politicians to prove that they are worth their salaries (hint -they don’t). We just want to live our lives quietly – the only reason for some kind of army/politicians is to fend off anyone who wants to disturb this (terrorists).

Back to work now, as I need to start prepping for Miami next week…

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. ExoticLiability podcast interview
3. Upcoming Conference Schedule

After BlackHat Europe (see related post), I will be speaking at:

ph-neutral – Basically the real deal… If you are FoFX (Friends of FX) expect to rub shoulders with some of the world’s best security experts

AthCon – A new regional conference in Greece, close to home, sponsored by some great guys from encode, and a very interesting lineup of speakers.

FIRST Conference – If you have ever dealt with incident handling, CSIRT, CERT, and alike, this is the conference to be at. A whole day workshop, and 5 full days packed with great talks in sunny Miami. Can’t go wrong…

BruCON – Brussel’s local security conference. Last year has been EPIC (so I’ve heard from authoritative sources ) and this year is shaping up to exceed the expectations!

These are the confirmed ones for now…

Also check out the following conferences which I plan to attend (i.e – are cool and have great content):

DefCon, BlackHat US, BSidesLV – you better know these by now…

ExcaliburCon – THE security conference in China. Held at WuXi (not far from Shanghai), and offers a great mixture of local (Chinese) hackers and international ones. Spoke there last year, if you are looking to expand to the Chinese market this is the conference to be at (and sponsor!).

Related posts:

1. ExcaliburCon summary and general China notes
2. Cloud Security Alliance Conference (Israel) – CFP
3. CyberCrime, CyberWarfare, and 2010

Disclaimers aside, down to business.

What have we learned over the past decade in the security business – let’s see: AV is pretty much the same as it was in 2000 (which is the same as it was in 1990, you get the point). Firewalls do pretty much the same give or take a couple of useless protocols that nobody needs. Oh, oh, I know (yeah – I can hear you from the back of the room) – WAF!. Well, WAF right back at you. Doesn’t work, didn’t work back in the days when it took 3 days to configure it for a small site, and still doesn’t do much good other than the simple stuff (which you can get for free at ModSecurity).

We have almost no technological advantage over what we used to have 10 years ago. So, you must say, we learnt that we as security people must have gone through so much that we manage and deal with the risks and threats much better. Yes, that’s a tear at the corner of my eye. How much I wish you were right.

The same people who I used to see so excited by their newfangled CxO title and their big office 10 years ago, who didn’t know what to do in order to do their jobs, are not doing any better than most companies nowadays.

Then, just like now, they are still trying to find the right “stuff” that’s going to save their world if they just buy/lease/license it and install it in a shiny new rack. Now, just like then, we are focused on finding “vulnerabilities” and categorizing them “high, medium, low” (or whatever scale that doesn’t mean anything) in our networks, operating systems and applications. Then, just like now, we can’t tell the difference whether a threat will render our business useless, rob us blind, or just evaporate like a baby hiccup with a faint noise of “FUD”.

I meet a lot of talented young (and old) security people, they are all bright-eyed, bushy-tailed and ready to fight until the last drop of blood over what they were trained/self-taught/researched. And I envy them. I envy the ability to just disconnect, to adapt that tunnel-vision that allows them to dig right in to the utter abyss of a technical challenge. I also meet a lot of people with broad vision of how security should be. They have forgotten the technical mumbo-jumbo the kids are talking about today. “Sea surf? Yeah! I remember surfing when I was a kid…”, “Sequel? Which one? I thought the matrix series was over…”, “But let me tell you about my new world cyber-peace strategy…”. You get the point.

And don’t even get me started on all these certifications that everyone goes after. The sad fact is, these things have kept us back from thinking differently. They boxed us into whatever the course/certification/training is trying to cram into us on a technical level, and basically leave it at that. It created a 400 pound gorilla of money sucking industry without really giving us back any more talent. Most of my friends in the industry have some kind of certification (or two, or ten), but I still call them friends not because the number of certs they have on their business card, but because I know they don’t really need these certs to be professional security people.

What I’m still struggling with is the middle. I have always been looking for the middle (even as a kid – “your son is about average, but he’s got great potential” was a recurring parent-meeting slogan through all my school years). The middle which have built itself over the foundations of technical research, got their hands dirty in pen-tests, trying out new products, breaking stuff left and right, losing once in a while to get their bearings right. The middle who didn’t get blinded by a new management position, and kept relatively up-to-date on what’s going on. The middle who didn’t skip last year’s DefCon/BlackHat/Shmoocon/[your-favorite-con] talk because he thought it was some passing fad (and didn’t want to admit that it’s just too darn complicated for them to get into new stuff). The middle who took up looking at how the business works. From the numbers, through the sales, operations, tech-support, client meetings, competition and the board-room decisions. We forgot that this middle is our only chance to make progress, because this middle can translate the latest threat to numbers. Numbers that not only the CIO/IT guy can understand, but the CFO, the accountant, the COO and the order fulfillment guys can understand. The real impact on the business. With numbers, with a strategy on how (if ever) to address it, with an understanding that it might not be the latest and greatest gizmo that we need here, but something much simpler. An old solution, a tweak here and there – in a product, or a business operation. A quick chat with the procurement department on how they process stuff, or a change in the way that the sales organization works in the field when they run off to customers and meet the competition.

I find myself trying to fit in the middle too many times. I’ll admit it – I didn’t think of a middle back when I started getting paid for breaking things, but I saw the middle. I haven’t figured out the right terminology until 6 or 7 years ago for this middle. But darn it! (imagine what I held back until now…) I like that middle, and unfortunately (or fortunately as my accountant would say) we are still bad at filling that middle. We still haven’t bridged the gaps between the techies and senior management (I’m obviously generalizing, but look at your average F-100 company – you’ll get it…). Between the millions of dollars we spend on the wrong things, and the vague strategies we build on top of them to fend off auditors and boardroom questions.

Let’s get the good guys from both sides back to the middle. Let’s get the techies some business training, dress ‘em up nice and give them the tour. Let’s send our CxO’s to DefCon for a refresher on how things are done these days. There’s no shame in learning. If I find a day in which I didn’t have a chance to learn something new – technical, financial, political, strategy or disassembly, I feel wrong. Let’s justify our overpriced salaries and really make something out of it. We were used to be paid to think outside the box, and all we did since we started getting paid is to paint the box in crayons.

Break the box. Down to it’s nails and planks. See what makes it tick. Reassemble, open, get out, close it, and think how to make it better.

p.s. – what’s with the parenthesis you ask? well, that’s just how I like to write, and besides – it leaves room to put things in the middle

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. Cyber[FUD]Fare – repost from fudsec.com
3. The community to the rescue again

Hola from Barcelona!

It’s been a very productive couple of days here. Quite a lineup for this version of the BlackHat briefings out here. I had the great fortune of speaking right after a fantastic opening by Jeff Moss (BlackHat founder and director) and Max Kelly (Facebook’s CSO) that just set me up perfectly – both discussed elements of attribution, deniability when talking about proxied attacks through certain countries, and how money is the driving force for all Cybercrime.

The talk went fairly well, and the responses I got afterward was favorable all around (if you were too shy to put me on the spot or complain feel free to do so here or on my email… all feedback will be highly appreciated). For your viewing pleasure, I am including the most up-to-date slides that I used for the talk here: CyberCrimeWar-BHEU2010.pdf

Related posts:

1. Cyber[FUD]Fare – repost from fudsec.com
2. CyberCrime, CyberWarfare, and 2010
3. It’s all about the money

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know… sorry…) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.
I decided to start off with my prior knowledge of CyberCrime (again – definitions aside, some say eCrime, some CyberCrime, some tomato…) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were the Estonia and the Georgia ones.
Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian  – meaning that there didn’t seem to be a Kremlin general high on Vodka that marched his army of hackers into cyberspace to crush the Estonia internet!!! On the other hand, reality seemed much more familiar that expected – a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that – behold – is attributed to CyberCrime. Almost like someone was trying to push me back to my “place”.
To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you probably are aware of the close ties it has with Russian authorities that allow it to operate almost uninterrupted. The timing of the attacks, and the scale of it indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonia neighbors.
But from some greased hands that allow RBN to keep running aloof to “the first true cyberwar” is a long haul…

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it has been closely coordinated with kinetic actions taken on the ground by the Russian forces. Nevertheless, the same deniability factor plays well here – use of botnets operated mainly by CyberCriminal groups was the main attack surface.

Interestingly enough – true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s… These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution… Yeah – I’m such a sucker for the media
Too bad that the latest APT (and that’s the last time you’ll see this acronym here) is just another FUD-happy name for – wait for it – TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! run for your lives…
Seriously now. Whether state sponsored (possible…) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names…), we go back again to the FUD motivation.
According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by – you guessed it – AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up!  The sky is not falling. It’s just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes – even your government (or whatever shell company used to disguise it). Just like we are used to do with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime (BlackHat, DefCon, HackerHalted, Excaliburcon, etc.) and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU and the FIRST conference.

Related posts:

1. New post on fudsec.com – CyberFUDfare
2. CyberCrime, CyberWarfare, and 2010
3. Cyber[Crime|War] – connecting the dots – BlackHat EU 2010

Have fun reading: http://fudsec.com/cyberfudfare

Related posts:

1. Cyber[FUD]Fare – repost from fudsec.com
2. ExoticLiability podcast interview
3. BlueHat post on the state of web security

Well – it might seem as non-news for readers of this blog (or people who were in my presentations at BlackHat, DefCon, HackerHalted, ExcaliburCon, BlueHat, or in other venues), but a couple of interesting sound-bytes may catch your eye:

1. ZeuS (good ol’e friend, how I missed debugging thou) has implemented licensing schema. The schema enforces that the licensed software be only used on licensed machines. News? yes, kind’a. Remember Neosploit (another personal pet-peeves)? Then you must remember the licensing scheme there as well. Pretty close to what ZeuS just introduced. And they say that the world has stopped sharing. pffff. And you can quote me on that. As anyone who ever took more than a brief look at how these things operate, the only takeaway possible is simple: It’s all about the money (hence – license enforcement is key. Ask Microsoft )

2. Staying with ZeuS, there has been quite a lot of effort in the past few months to take down one of the main autonomous systems providing upstream for some of the biggest C&C’s hosting ZeuS. You can read more about it here, and here. Notable effort indeed, as TORYAK-AS has been on the hit list for ZeuS tracking researchers for a long time. Only thing is – there’s money here again. Which means that even taking down the entire AS won’t really take down the botnet as it relies on bulletproof hosting which means that there will ALWAYS be alternate routes leading to it. That’s how things work. Just like trying to fight trafficking and drug trade. As long as there is demand, there will be supply. You dry out one supplier, the economy will just pop out another one. It’s all about the money.

So, I’ll finish up with a couple of reassuring words. We are not done yet. We like fighting the technical battle (I’ll admit that I had my fun doing so, and still have fun when called to duty), but the real battle won’t be won in that playing field. Remember Al (Capone) – it didn’t take the DEA or FBI to take him down. It was the IRS…

Related posts:

1. Cyber[Crime|War] – connecting the dots – BlackHat EU 2010
2. ExcaliburCon summary and general China notes
3. New post on fudsec.com – CyberFUDfare

May not be completely safe for listening to at work (especially not with speakers…).

On that note (of shameless plugs) and as we noted on the podcast, if any of you know (or are) potential sponsors for BSides, and ExcaliburCon (especially if you have or want exposure in the Chinese market) feel free to contact us – g0d be my witness it’s not really expensive to sponsor, but critical as these shows are not cheap…

Closing up for now (until later this week probably – expect some new material), just a heads up on the upcoming speaking engagements:

April 14-15 at BlackHat EU in Barcelona, Spain.

June 13-18 at FIRST in Miami FL.

More to come soon…

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. Cyber[FUD]Fare – repost from fudsec.com
3. Identity crisis