Category Archives: Security Research


Social media and online interaction are dramatically changing the way our companies and employees interface with society at large. Recent examples of people tweeting or posting something silly or offensive and being met with doxxing or even threats of physical violence are, unfortunately, becoming more common.

Today SIRA members Alex Hutton and Ian Amit are publicly announcing an open (free as in speech, free as in beer) project to help security departments identify social media presences that are more “at risk” of negative reactions and of information security risk in general. This framework of indicators is a little something we’re calling “Social Media Risk Metrics” (catchy, right?). SMRM is being introduced at Derbycon today, complete with a demonstration, a worksheet tool, and suggestions for further development.

The mind map is available here:

The calculation tool on Google Sheets is available here:

Additionally, here are some of the links mentioned in the talk; these are all tools that can be used for the OSINT collection and analysis that is part of SMRM.
Predicting elections paper:
Sentiment analysis tools:

Yes, you knew exactly what you were walking into…

I’m writing this in response to a very well put together article written by my friend Dave Lewis on CSO Online: “Are you a legitimate military target?”.
In the article Dave talks about how security researchers, practitioners, and security vendors are suddenly “surprised” to find themselves potentially being under the scrutiny of foreign (and guess what – domestic) governments and militaries.

Dave quotes Mikko Hypponen, F-Secure’s Chief Research Officer, who keynoted the FIRST conference last week in Berlin, saying “I didn’t sign up for this”.
Well, sorry to take the other side – but you did. We all did. Even those of us who have been in the industry for almost 20 years. We grew up on movies like “War Games“, on stories such as Cliff Stoll’s “The Cuckoo’s Egg“, and those of us who were pushing the boundaries and practicing security research also knew that we were playing fast and loose with the law a lot of the time (successfully, for those of us with a clear record).
Well, guess what: just like a nuclear physicist becomes a target (legitimate or not) for a foreign nation because they are associated with another nation’s nuclear program, so are we.

Any new piece of information that may allow an advantage in the greater scheme of things is highly sought after by nation states, and if you are not aware of it, well, good luck to you.

I second Dave’s closing comment on the difference between espionage and warfare. We all need to understand, though, that there are governments and their intelligence services behind both of these. So yes, we all knew very well what we were walking into when we found our first 0-day or vulnerability, or realized that we could bypass controls, processes, hardware, software or whatever it is we hack our way through. This kind of knowledge and skill is a far cry from a new crocheting technique.

p.s. I’ve mentioned the law here, and if you know me you know that one piece of advice I give to any fellow practitioner is usually “get a lawyer”. This isn’t just for fun – law is just as hackable as cheap knockoff Chinese firmware, or a shady Israeli device driver. I highly encourage everyone to at least study your local legislation in relation to computer “stuff”, as well as dabble a bit in the international aspects of it.

May the force? May in full force…

Lack of updates here usually means that time constraints are in effect… But apparently all that work is paying off as some of the research we have been working on is starting to get front-and-center stage.
May marks a busy month where I’ll be bouncing around a few places (São Paulo, North Carolina, and locally here in NYC) to talk about it.
Stay tuned for details 😉

Killing (innovation) in the name of the law

I am not a lawyer. Nor do I want to be one.

But fortunately I have enough education and practice around legal systems, domestic and international, to be “dangerous” enough that I can actually get my job done wherever I need to.

This, however, is a constant balancing act, especially in light of the proposed cybersecurity bill. The proposed legislation basically expands the CFAA (Computer Fraud and Abuse Act), and not in the right directions. As-is, the CFAA is draconian, and has been repeatedly abused to prosecute people who have, for lack of a better term, pissed off someone. Notable examples like Barrett Brown, Aaron Swartz and Andrew Auernheimer (‘weev’) have been subjected to government prosecutors who leaned on the ambiguity and far-reaching implications of the CFAA.

Extending the law, and subjecting it to elements such as RICO (Racketeer Influenced and Corrupt Organizations Act), furthers its reach, and along with the proposed amendments basically criminalizes most of the work done by hackers (i.e. the good guys). It stifles innovation and the ability to “play around” with computers, software and hardware, and would have put most hi-tech founders in jail for a long time had the law existed back then. Heck, I’d be serving decades in jail if it had.

And to think, even for a moment, that any of this has deterred, or would deter, real criminals is absurd. Beyond holding back the legitimate research and innovation that is put to use to thwart cybersecurity threats, this does nothing good.

I truly hope that legislators will wake up and rise above the political forces that managed to push this bill in its current form, and perhaps even take action to correct the already crooked CFAA in a way that would make it more relevant to actual computer crime and fraud.

Until then, I guess we will have to keep tiptoeing between the raindrops to make sure that we can keep pushing the envelope as always. Much like a lot of organizations (private as well as government, that I have had a chance to work with) have done by offshoring and distancing their more aggressive/proactive activities to avoid jurisdiction issues.

A couple of good reads on this are here for your background: Orin Kerr and a shameless plug of my comments on this on CSO Online.

When a door is not a door

This is going to be a short one, because so much has been written on this, and the level of (in)competence exhibited by so many people around this has almost driven me crazy.

Yes, the Sony hack. Not going to comment on what has been done, what should have been done, the sophistication of the attack, the ability to detect tens of terabytes leaving a network, or the way to handle this (technically, politically, diplomatically, business-wise, ugh – you name it…).

But I do find it ironic that this post comes right after my previous one, now aptly titled “To the full extent of their capabilities” by Dave Aitel (who has also had his share of commenting on the Sony hack).

I was vocal enough around this, especially (and weirdly, I must say) as someone who suddenly sounds like the responsible adult, urging deeper and more comprehensive forensic work rather than knee-jerk attribution. Attribution, as we all (should) know, is difficult, especially in the “cyber” realm, where fingerprints are hard to link to actors, who are in turn hard to link to aggressors.

On the Internet, everyone can be anyone, and planting false flags is common practice among even the less capable threat actors. Acting on such red herrings is not only irresponsible, it can also be dangerous (an “unnamed official” at the Pentagon responded in just that way to the DDoS attacks of July 4th, 2009). And it looks like we are facing the same weak evidence again. I highly recommend reading Fauxtribution by Krypt3ia, who really lays out the evidence, and the highly speculative nature of the FBI’s attribution on this one.

Looking at TTPs (Tactics, Techniques, and Procedures) alone in order to derive attribution is not enough. Without being able to link real activities to a human actor, and following up with a more “traditional” investigation (motivation, funding, access, relationships), TTPs and other forensic evidence leave us with a highly biased view of what’s going on. More worryingly, this view is almost entirely controlled by the real attacker, who had the time and opportunity to choose whom they would like to appear as at the end of the day, when the attack is discovered. Take the publicly documented TTPs of almost any major actor, add highly accessible online resources such as proxies, compromised hosts, and for-rent bots/servers, throw in some foreign-language references, and we have ourselves a perfectly disguised threat actor.

Unless the investigation ends up with a multi-national cooperative law enforcement effort, backed by legal systems and commercial capabilities, this goose chase isn’t going to end well. We can (gulp) take a hint from Microsoft’s playbook and their recent endeavors in hunting down the true sources of mass botnets and malware attacks. One can only hope…