Tag Archives: technology

March – April Events

After a quiet start for the year (and keeping up with my promise to try and cut down on travel) we are fast approaching exciting times. March will have a couple of great events I’m really looking forward to, and April packs a really great conference and training. So, without further adue:

DC9723 kicking off 2012 – March 13th

We’ve been having some issues in the local DCG with a venue, and after 3 months of delayed meetups we have finally settled into what looks like a fantastic venue. It’s called “The Library”, and true to its name it is one of the public libraries in Tel-Aviv. Renovated, and retrofitted to accommodate a shared workspace for entrepreneurs and small startups, it overlooks one of the more beautiful views of the Tel-Aviv coastline, and is located at the heart of the city – right next to tons of bars and hangouts.

Furthermore, for this inauguration meetup for 2012, we are proud to host Brad Templeton of Singularity University. I’m guessing it’s mostly kismet/karma that brought us together, but it couldn’t have been a more fitting match for this meetup. To complement Brad’s talk and discussion, we’ll have a great friend of mine – Keren Elazari who will discuss the past, present and future of the CyberPunk culture. Really can’t wait for this one to happen.

Link to The Library’s meetup for registration and more information.

Hackcon – March 26th-29th

One of the cons that were on my “hit-list” for a while. Having being recommended by close friends who already spoke there, I will be heading to lovely Oslo for the aptly named HackCon (yeah, I know… Oslo in March may not be _that_ lovely, but…).

With a great speaker lineup, and a website that absolutely refuses to be in English (google translate mandatory as my Norwegian is a bit rusty), this one is shaping up to be an experience!

Link to the program (which fortunately is mostly in English 🙂 )

Source Boston (Training + Conference) April 16th-19th

What can I say about Source? One of my personal favorites, with a personal “track record” of a couple of Barcelonas and soon to be a couple of Bostons. Fantastic attendance and audience, great speaker lineup, content that mixes business and technology like a fine cocktail. And this year is even more special, as I am fortunate enough to be able to bring our Red Team Training to Boston. Chris Nickerson and myself have ran this already once in Colombia last year, and the results are still resonating through Cali :-). We got some great feedback from both business as well as technical people who attended the one-day workshop in Cali, and will be bringing an even bigger, even better 2-day training session to Boston.

Expect a hands-on, no-bullshit couple of days. Expect to be able to pick locks (EVERYONE who is in our class will end up picking at least a 4-pin lock), gather intelligence, social engineer, build threat models, understand surveillance and counter-surveillance, and much more. Expect this not to be just a dull “click-click-click” classroom session. Do not expect us to be gentle on you – the people who attack your company won’t be either. Ready to take the plunge and move up from pentesting to the real-thing? Go register: http://www.sourceconference.com/boston/training.asp

And after having “fun” with friends (don’t ask what happens when I get to spend more than 10 mintes with Nickerson…), it will be off to the conference itself. Another rock-star lineup, from Dan Geer to Michelle Klinger, from Ally Miller to Chris Gates and Zack Lanier, and many more that I apologize in advance for missing here. This is the ultimate AppSec-Tech-Business throw-down in the east coast.

Full schedule is here.

Local PayPal Phishing – and why we need a CERT

This just came in the mail: (twice – at two different mailboxes – I must be a high value target for these guys)

A classic phishing email, with the only exception that it seems highly targeted at the Israeli market! (yeah – I know, I sound a little excited, but this is the first one I ever got…). Obviously, I am not the new owner of a BROWN denim jeans (eeewww!), so as I am very interested in who may want my PayPal details, a bit of digging brought this up:

 

  1. The phishing site (the one led to by the obvious “CANCEL TRANSACTION” link) is hosted on al3abnt.com.
  2. al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least something that may lead closer to a person than most phishing sites (that use whois anonymizing).
  3. The Whois registration (see below) also leads to a website on anasblog.me. This seems a personal blog from a local village called Salfit in Israel (I knew it reminded me of something… been around there a couple of times :-)).
  4.  

  5. The blog (see screenshot below) seems pretty anti-Israeli (note the “we are with the third intifada” button on the top-left corner) – thus explaining the interest in local Israeli PayPal accounts.
  6. Obviously – there’s no-one to send the notification to… no CERT would handle this, and the police is almost comical in the way they reacted to calls of this nature…

I’m guessing that a CERT would have done the following:

  1. Publish a warning notification on the offending site, and the email template.
  2. Coordinate with ISP the takedown of the offending site and law-enforcement work to apprehend the scammer (A phone number is listed on the whois information – feel free to try it out 🙂 ).

Be safe out there!

Defining Penetration Testing

I have been fortunate enough to be working with a group of peers from the security industry over the past few months (since November 2010) on finally creating a solid definition of what a penetration testing is.

It has been a topic that has been abused, cannibalized, and lowered to a level where we (as in people in the industry) could not relate to it anymore. It was time to get the fake stuff out, and focus on content. We were all getting tired of “penetration tests” that were nothing more than a Nessus scan printed out and slapped on with the “security consultancy” logo.

Enter – the Penetration Testing Execution Standard.

This is our attempt to define what a penetration test should include – both from the tester side (vendors) as well as from the client side (the business/organization being tested).

It is the fruit of a huge collaborative effort from people who I consider to be some of the best in the industry. Getting together people who on their day-jobs often compete with each other, and come from different areas of the industry, all together and working on something as big as this has been a humbling experience. For that – you guys all ROCK!

Onwards to the content – remember that this is pre-alpha, and is aimed mainly to get feedback from everyone. A lot of branches do not appear in their full glory there, and some will surely not make it to the final edition. We welcome everyone to take a close look at this, contribute, criticize, assist, comment and generally get involved. Some of you may have been watching this and thinking we are holding back – could not have been further from the truth… In order to get to something as big as this we had to cap the number of participants in this revision in order to keep things somewhat organized, so this is a chance to get back in and offer your assistance – we promise to keep this as open as possible.

This is really exciting – for me at least. Hope some of you will be able to share this enthusiasm and weed out the industry from the bad form we got into.

About CyberWar, Deterrence, and Espionage

It’s been a long time since my last post, but trust me for all the good reasons (i.e. work). This one is long due, and has been recently fueled after I had a chance to attend RAND’s Martin Libicki’s brief at the Tel-Aviv University.

Spy vs. Spy - copyright Kigs, devianart.

Martin is a great source for debate and thought exercises as he is fluent in many realms of the subject at hand, and has been trained as an economist which makes it much easier to broaden the debate into politics and diplomacy.

I’ll address a few key elements of the brief – at least the ones that speak to me the most in terms of research and ongoing work that we are engaged in on a national, international and local levels.

First – the ever provoking “there is no CyberWar” statement. Immediately followed by “this is the definition of CyberWar as I see it”… Obviously, with a definition that closely resembles war as defined in other domains (land, sea, air, space), it’s hard to see how one can state that CyberWar was ever engaged (or ever will be for that matter). But the key here is not to treat the Cyber domain as “another” domain and try to use the template of the traditional domains when defining it. Cyber is a game-changer, it’s not a domain like any other, it has its own rules, territorial issues are mute here, jurisdiction is a mess, and accessibility is even worst. It’s almost impossible to define what a conflict is in Cyber, what an engagement is in terms of forces colliding and how is aggression defined. Nevertheless, all the issues mentioned in the last sentence have risen many times over the last decade, and yet some refuse to realize that in several occasions it was indeed a state or form of warfare.

The second issue is deterrence. On this one I almost completely agree with Martin’s approach which speculates whether real deterrence can be subjected into the domain. Nevertheless, I do believe that sustained and proven threat over the opponent’s critical infrastructure, financial and base production facilities can be used as a deterrence factor. You do not need missile silo counts to prove deterrence in the Cyber domain, you need sustainable access to critical systems, and a prove that you can retain such access in light of some vulnerabilities and key access elements being taken off the table by the defensive strategy. For that – enter espionage… With a combination of cyber-domain capabilities, and a solid intelligence practice (i.e. both gathering as well as proactive), one side can create a situation where such access to critical elements in the other side’s Cyber domain are kept consistently under surveillance and accessible to modification/sabotage.

Which leads to the last issue, which has surprisingly raised a lot of eyebrows lately – even from people who I consider proficient in the “Art” of international relationships and diplomacy: the “legality” of espionage. Face it – espionage has been and will always be a fully acceptable part of a nation strategy. It is accepted at all level of diplomacy, and by every nation. Everyone knows that everyone else is engaged in it, and is putting a lot of resources to make sure that their efforts are successful while trying to minimize everyone else’ efforts in their own territory. The same applies for the Cyber domain. It’s no big surprise that the US finds itself dealing with a major espionage case (on the commercial level) almost every year, and just think about all the cases that are not made public in the government, and military sectors… But have no fear – the other side is being spied on just as well with skills that do not fall short (and usually surpass) of what the US is subjected to. It’s a fact of life, so stop whining about it (and excuse the burn notice cameo).

To conclude – I truly think that dealing with such a young and ever evolving domain is a great challenge – both technologically, as well as from the diplomacy / international relationship aspects of it. And until we’ll have some shape or form of formalized discourse on this domain (such as the efforts put in by NATO, the UN and a few of the world’s largest nations), it’s a free-for-all playground that is going to keep providing us with moral, technological and sociological challenges. BRING IT ON!

Information Security Intelligence Report for 2010 and Predictions for 2011

Looking back at 2010 shows a widening gap between cybercrime and law enforcement capabilities, in conjunction to nations that have started the cyber-race to develop defensive and offensive capabilities. Most of the attacks analyzed in 2010 depict organizations that fall behind in their defensive strategies as attackers take advantage of a hybrid approach that merges technical merits alongside human weaknesses to cash-out on their attacks.

Cybercrime widens the gap between attack capability and defense mechanisms. Analyzing several of the major attacks of 2010, Security Art notes that organizations were attacked in two key ways. Firstly, through technical exploits such as Aurora, Mariposa, ZeuS, and SpyEye. Secondly, by attacks that bypassed traditional protection methods, and gained access to targets through human-weakness areas such as social media. While businesses focused on defending themselves using security mechanisms such as anti- virus software and perimeter defenses, attackers jumped over these defenses, and proceeded to flood the market with a high volume of malware that now poses a serious threat to security providers in terms of detection rates and response time. However, law enforcement agencies have focused mainly on menial cybercriminals, and have not successfully reduced the impact of online criminal activities. On a national level, we see nations have embarked upon the race to develop defensive and offensive cyber capabilities.

Cyberwar arms race sends nations to shopping frenzy. As CyberWar gained merit (and criticism) during 2010, with the movie-material Stuxnet incident being the poster-boy for news outlets that published every spin-off, speculation, and plain old gossip, the international scene had its own race for the latest and greatest defense mechanisms. The implications of Aurora and Stuxnet made most countries feel their lack of a critical infrastructure defense and the capability to deliver a similar cyber-blow, and many went shopping for weapons. Security Art witnessed the strategic build up of capabilities in some countries, and a more hurried shopping spree (that usually led to amassment of CyberCrime provided tools) in others. This, and the delayed response of organizations such as the UN, the EU, and NATO, left the scene looking more like the Wild West than Silicon Valley.

Expanding digital domain and improved understanding of security will reign in 2011. Our prediction for 2011, drawn from the criminal, political and diplomatic sides of cybercrime that dominated 2010, is that more focus is going to be given to approaching security from a strategic standpoint. Rather than buying “best of breed” products and ticking off compliance sheets, we predict that organizations and countries will apply a more sensible executive-level understanding of what information security means to them. In the expanding personal digital domain (smartphone, tablets, and suchlike), and the continued digitization of all organizational information (from scanned materials to VOIP telephony), security must be applied to more layers than ever before. Countries and organizations will have to adopt additional skill-sets and look for solutions in areas they have not dealt with before.

Please go to http://www.security-art.com/download-report to download the full report, or email [email protected] for additional information.