
Black Hat Guide: Day One

10:15 – 11:15, Pompeian: Advanced Chrome Extension Exploitation: Leveraging API Powers for the Better Evil (Kyle Osborn + Krzysztof Kotowicz)

11:45 – 12:45, Augustus V + VI: How the Analysis of Electrical Current Consumption of Embedded Systems Could Lead to Code Reversing (Yann Allain + Julien Moinard)
*Dan Kaminsky is also doing a talk at this time, but I think this one will be solid.

2:15 – 3:15, Palace I: Don’t Stand So Close To Me: An Analysis of the NFC Attack Surface (Charlie Miller)

3:30 – 4:30, Palace II: Intrusion Detection Along the Kill Chain: Why Your Detection System Sucks and What to Do About It (John Flynn)

5:00 – 6:00, Palace I: Adventures in Bouncer Land (Nicholas Percoco + Sean Schulte)


  • ISE VIP Reception at Black Hat
  • Accuvant LABS, WhiteHat and Palo Alto Party at Pure
  • Fishnet Security at Revolution Lounge
  • Qualys Party at HYDE Bellagio
  • RSA Party at Rhumbar

The Black Hat 2012 Diary: “Drink It In”

Day 0

I arrived in Las Vegas late yesterday, oddly from Atlanta, Georgia and not Denver, Colorado, where I currently reside. I have to admit, I am way more excited this year than I have been since my first time at Black Hat back in 2007. So much so that I found myself watching the minutes tick off the roughly four hours it took me to fly here. When the plane landed I was practically ready to spring out of my seat and sprint the rest of the way to the gate!

As I sat in the cab eagerly encouraging the driver to get to the hotel as quickly as possible, I began to assess why I am particularly excited. Is it the talks? No. Though the lineup this year is better than any other year since 2007, I did not believe it was the talks. Is it the reunion aspect of Black Hat? Well, I’m certainly excited to see everyone, but I see people pretty regularly in my travels and my excitement level was well above typical levels for reunions. At this point, I began to think about my girlfriend (Janita) and how I was going to miss her and I wasn’t excited about that (*blush). It was on this last recognition that I realized why going to Black Hat tasted just a little bit sweeter this year.

“Something Happened…”
To explain what I realized, I have to take everyone back to something she and I did together last week. For Janita and me, seeing midnight shows is, more than anything, our “thing.” Multiple Harry Potters, Act of Valor, the Avengers, both Iron Man movies, The Amazing Spider-man, and Thor are just a few of the midnight shows we’ve caught together. We enjoy the cosplay (people dressing in costume) and the energy of the crowd. So posting on Facebook that Janita, one of my closest friends Ryan, and I were going to see the midnight showing of Batman: The Dark Knight Rises didn’t seem like that big of a deal at the time.

To skip the suspense, I will plainly state Janita, Ryan and I watched the whole movie and all slept peaceably in our beds that Thursday evening, totally unaware of the carnage that occurred just a few miles away. We were at a different theater.

I awoke the next morning to the soft, but somewhat panicked words, “Mike, something happened…”

Once my girlfriend explained there had been a major shooting at another theater several miles away, my immediate thought shot to how worried my mother must be. I grabbed my phone hoping that I would have no missed calls and no messages. Maybe the news had not made it out east yet. Unfortunately, this wasn’t the case. As I grabbed my phone I remembered it was still on vibrate from the movie, and I then realized I wouldn’t have heard it ringing over the fan…people had been calling me for hours.

I honestly cannot recall the actual number of calls/messages I missed, but I can comfortably state it was more than 30, and that they were from multiple people including some who I had not spoken to in a long while. Upon reading a brief summary of a few of the text messages that I received, I froze. It was not the concerned tone of the text messages that shocked me; I had anticipated concern. What shocked me was the desperation.

Janita, Ryan, and I did not know anyone who was injured or killed in the attack (thank G-d). Frankly, despite the relatively close proximity, we have very few friends in that area and we knew they wouldn’t have gone to see the movie. And yet, while I’d love to end the story on that note, we unfortunately did not get off so easily. Instead, Janita’s close friend lost his high school best friend…

This is a relationship she is far enough removed from that it does not impact our daily life, but close enough for us to stop and seriously consider the mere fact that what separated us from a life and death struggle is simply that “we were at a different theater.”

I’ll spare you the cocktail of emotions that a realization like this one has put me through, and I’ll also spare you the “what-if” scenarios that have been running through my mind for several days now. Just know that it hurts to know things can be so random, life can be so frail, and the “what-ifs” are terrifying. More than anything I fear the idea of failing to protect Ryan and Janita, and at the same time, I think about how upset my people were not knowing if I was ok, and how devastated they would have been had I not been alright. This made me realize that I am happier than normal to be here at the world’s largest hacking spectacle. It is a present that I have taken for granted in recent years.

Life tastes a little bit sweeter to anyone who recognizes its frailty.

Drink It In

Looking around the Black Hat venue, Caesars Palace, last night, I hoped to G-d and prayed that no one here, especially the 303 folks (whom I mostly do not know but who are, I believe, almost all also Colorado residents), was directly affected by the horrific incident in Colorado. I should tell everyone that I am deeply religious but believe religion to be a very personal experience, and you’ll virtually never catch me bringing my beliefs into a conversation. So when I openly admit to praying, it means something big.

Beyond that though, I am just SO happy to be here. I think it is worthwhile for all of us in attendance at Black Hat this year to recognize that our attendance is a luxury; seeing our friends and being intellectually enlightened by the community is a gift. Drink it in folks, enjoy it, life is short, it is frail, and you only have one shot at it. This week, follow the blog; we’ll keep you posted on all the events and inform you of what talks we think will be interesting. And forgive me if any of my writings seem overly excited. Welcome to Black Hat!

Check out the Black Hat Day One Guide

Shodan Gets a Mobile App

In virtually useless news, Shodan now has a mobile app. Shodan, one may recall, is an incredibly useful semi-public database of information on Internet-connected computers. A few years ago, the existence of Shodan struck fear into security professionals everywhere. Today, its nefarious use is certainly recognized but it is far less feared. All that aside, the introduction of Shodan onto mobile platforms is nifty and fun to play with, but at the end of the day it is more a toy than a useful utility for security professionals. Granted, the use cases are plentiful–who hasn’t needed to find a server running Apache 1.3.3 while reading the news on their iPad in a hotel without an Internet connection? (Hopefully the sarcasm comes across clearly in writing.) The real story is how the persistence of Erran Carey (of Rapid7) got the app through Apple’s review process.

Hopefully that persistence, and the existence of a security tool that is not a mobile management platform or a glorified RSS reader, will be the first step towards a plethora of mobile security tools on the iOS platform. For now, we’ll just have to stick with the good old fashioned Pwn Phone from Pwnie Express. The Nokia N900 is a lot less sexy, but with some Pwnie Express software it’s a lot more useful. At any rate, congratulations to Erran, and have some fun with the Shodan application, available now in the Apple App Store.

“Where Are We Versus Everyone Else?”

In working with clients, I regularly receive the question, “Where are we versus (insert noun here) like us?” As a result I have come to label this the “Grizzly Bear Paradigm.” I modeled this paradigm off of the well-known mantra that one does not have to be the fastest camper to outrun a grizzly bear; they just have to be faster than the slowest camper. I use this paradigm because when I am asked this question, I am not being asked, “How can we become the most secure company?” I am being asked, “How can we reach the middle of the pack?”

CISOs often aim to be middle of the pack in terms of security because it says on the one hand that they are not incompetent versus the rest of the field, and on the other that they have not reached a level of overkill. In a lot of ways this methodology makes a lot of sense, as the middle of the pack is politically the best place to be: there is coverage should something happen, and there is still room to request budget. The problem is that security is only as strong as the weakest link in the chain. Any number of high-security companies proved this point last year. Put simply: 99% secure is 100% ineffective.

As a result, let me once and for all answer all the times I’ve been asked where a company stood versus others in their market, and at the same time put this question to the Grizzly Bear Paradigm: “Shouldn’t we as security professionals aim to serve better than striving for a position that is merely politically strong?”

SecAnalysis Hacker Toy Wish List

Surfing through eBay looking for old discarded network security appliances is a guilty pleasure of many. There are simply too many toys in security to ignore. Granted, pretty much everyone would love a warehouse full of enterprise-class products to play with. What could be more fun? Seriously, who doesn’t want to run Qualys, Rapid7, and Tenable against every publicly addressable IP, or AppScan and WebInspect against every website on the Internet? I’m drooling just thinking about the possibility.

Of course not every infosec toy is unattainable with a reasonable amount of personal budget. There are more than a few toys out there for infosec pros to get their hands on for some fun. Here is my current wish list:

Pwn Phone
Price: $960
Oh do we want a Pwn Phone! A Pwn Phone can simply be described as a Nokia N900-based penetration testing platform, and it is all kinds of awesome. The platform includes a great deal of penetration testing favorites including Metasploit, Ettercap, nmap, and Fast-Track. Basically, it is a very small version of a penetration testing computer. The Pwn Phone doesn’t have everything we would want on it, but it’s pretty close. Also, it would be nice if it were on an iOS or Android device, but at this point, we’re just happy it exists.

At $960 the Pwn Phone is not cheap, but it is fairly reasonably priced. Currently, a Nokia N900 is priced at $399 on Amazon without the Pwn Phone software, so figure on roughly $560 for the pre-configuration, software, and support. There is also the alternative of purchasing an unlocked Nokia N900 and installing the Pwn Phone Community Edition. However, the community edition does not include tech support or priority updates. Regardless, the Pwn Phone is likely to be the coolest toy that one can bring home from Black Hat/DEF CON this year.

Pwn Plug Elite
Price: $895
The Pwn Plug Elite from Pwnie Express is similar to the Pwn Phone in its features; however, it comes in the form of a Sheeva plug, which of course is a bit cheaper than a Nokia N900 phone. In addition, it is also much easier to leave a Pwn Plug Elite plugged into a wall for lengthy periods of time during an engagement. Like the Pwn Phone, the Pwn Plug Elite carries a multitude of penetration testing tools like Metasploit, Fast-Track, a myriad of sniffing tools, and also Text-to-Bash, which allows bash commands to be issued via SMS. There is also a Pwn Plug Wireless edition which runs $595 but does not have the nice GSM features that the Phone and Elite versions do.

Again, this is a Sheeva plug, which of course can be bought pretty cheap on the Internet (new versions of wireless plugs run about $99), thus one could build a similar Pwn Plug with the community versions of the Pwn Plug software that can be found on the Pwnie Express website. However, the Pwn Plug Community Edition does not include the web-based Plug UI, persistent reverse tunneling scripts, or 3G/GSM support, which we believe are essential for the plug.

WiFi Pineapple
Price: $99.99-$169.99
It’s hard to mention infosec toys without talking about the WiFi Pineapple from the folks over at Hak5. The WiFi Pineapple is a WiFi device capable of doing man-in-the-middle attacks. The device is nowhere near as powerful as the Pwn Plug or Pwn Phone, but the low price and modular capabilities of the device make it extremely attractive. Frankly, it is hard to go to a higher-level security conference where there is not a person who mentions the WiFi Pineapple at some point. The device includes a stealth access point for MITM attacks, mobile broadband and Android tethering, a persistent SSH tunnel for management, and a web-based management console for MITM attacks.

Much like the Pwn Plug and Pwn Phone, one could build their own WiFi Pineapple, as the WiFi Pineapple seems to be based on an Alfa Networks AP121 (possibly AP121U) model and software/firmware that can be found on the WiFi Pineapple project GitHub. However, the routers are somewhat difficult to find and can run around $50 or more, so the Pineapple at $99 is actually a pretty good deal.

USB Rubber Ducky
Price: $69.99
The USB Rubber Ducky is a nasty evolution of the USB Switchblade project from the folks over at Hak5, which was essentially a USB flash drive that could be used to victimize targets in a number of ways simply by having them plug in a USB flash drive. Like Switchblade, Rubber Ducky can be utilized to victimize targets who plug the device into their machines. However, Rubber Ducky differs from Switchblade in that it is not actually a USB flash drive, though it looks like one; it is actually a small USB MicroSD card reader in a USB flash drive enclosure. Rubber Ducky also includes a simple scripting language so that an attacker can create custom payloads.

There are a lot of interesting opportunities for using Rubber Ducky, which mainly include “gotcha” type opportunities around the office. Of course, these opportunities are pretty novel in nature. Thus, a $69.99 price tag is pretty stiff, especially when considering the device can be made with a tchotchke that can be found on virtually any security conference show floor, about $5.00 of hardware, and some of the information found in the USB Rubber Ducky GitHub. Regardless, the USB Rubber Ducky is a fun toy worthy of checking out.

WebSecurify iOS
To be honest, when we used it in the past, WebSecurify was not the strongest web application scanner we’d ever gotten our hands on. That’s not to say it was particularly weak either. In honesty, the capability of the scanner ranges somewhere in between AppScan/WebInspect and the scanner in Paros Proxy. All that said, @pdp seems to have ported WebSecurify over to iOS and Android devices, which means that one can run web application scans from their phone! This application brings the true mobile hacking device a step closer to reality. If for no other reason, this would be a great way to quickly and easily scan intranet sites.

AR.Drone by Parrot
Price: $299
Our desire for an AR.Drone by Parrot is pretty simple to understand. It flies, it has a camera, and we can control it from our phones or iPads. With a price tag of $299 one could easily call this a trial of whether one is into the realm of drones. Granted, the AR.Drone is nowhere near as powerful as some other models, it also lacks GPS, and it only sports a range of about 165 feet. However, you get what you pay for, and this drone can help one determine whether they are ready and/or willing to pay upwards of $500 for a drone that is a little less like a toy.

The Good, the Bad, and the Ugly. Making the best of Information Security Marketing.

Information security as a market has progressed in maturity and size to the point where it can now be safely described as an industry. As such, there are numerous security-oriented companies vying for customer dollars through competitive products, solutions, pricing and of course marketing/advertising. While each of these arenas has its issues, the latter has the most public deficiencies. With few exceptions, most security marketing campaigns range from the woefully ineffective to the realm of flat-out embarrassing (see Symantec’s “Hack is Wack” campaign). This post will explore some of these deficiencies as well as discuss a few do’s and don’ts of information security marketing.

One will note that much of this article focuses around things that will resonate with operational security professionals and is not necessarily focused around C-level messaging. This is due to a primary belief on our behalf that C-level executives are a much smaller portion of purchasing decisions than we give them credit for. Granted the ultimate decision to make a purchase lies with higher-levels of management, however, the influencers that are pushing for purchases are the operational professionals behind the scenes. It is within this community that some of the biggest marketing issues exist.

FALSE! Any Visibility is Good Publicity
That said, let’s begin the exploration by first addressing one of the most common mistakes of security marketing: namely, that any visibility is good publicity even if that publicity is bad. In some circles the notion of bad publicity actually contributing to the recognition of the brand is certainly one that holds water. Heck, look at Paris Hilton. In the realm of information security however, this is not the case; bad publicity is simply that, bad. In fact the earlier mentioned “Hack is Wack” campaign is an excellent example, as the campaign fell flat on its face. Beyond giving rise to Twitter hashtags like #NortonAntivirusStillSucks and drawing the ire of several journalists, including Andy Greenberg over at Forbes (Forbes Article), Symantec failed to reach their target market in a positive manner. Today all that is left of the campaign is negative press and photos of infosec people who were able to catch paid spokesperson Snoop Dogg at Symantec events, and even that is more or less dead, with no signs of a comeback.

Really the only positive message that came out of the campaign was that if a security vendor pays a famous spokesperson, a significant portion of the community will get to meet them. Hence the many people likely requesting marketing dollars to hire Mila Kunis, Angelina Jolie, and Jessica Alba as spokespeople (or at least it was the driver behind all my requests). It may seem like I’m picking on Symantec here; I’m not. It’s merely one example of how bad visibility reflects poorly on a company; there are many others (and believe me, this post is going to cover several). Another solid example of a marketing bomb could be seen over at Cisco.

Market Research is Not Always the Best Option
Years ago during an analyst meeting, Cisco discussed the results of a study they had conducted regarding what resonated with security professionals. The results showed that security professionals were partial to superheroes and comic book characters. Cisco thus decided to seize the opportunity and leverage cartoon superheroes to draw the attention of security professionals everywhere. This was a fantastic effort on behalf of Cisco (the end product, not so much, but we’ll get to that).

First, they made the investment to truly explore the base of people they were attempting to market to. Second, they were willing to break from their normal routine to try something new, even daring. All of this is very exciting; even executives were enthusiastic (check out this VP’s blog post). Unfortunately, Cisco’s attempt to reach information security professionals ended in the awfulness we now remember as “The Realm” (whose videos can now be viewed on YouTube). The mistake they made was to assume that security professionals would like any comic book superhero Cisco produced. They didn’t.

Instead, the effort was seen as pandering by much of the target demographic and laughed at before being immediately dismissed. If anything, Cisco’s campaign showed just how little they really thought of operational security professionals. Comic book superheroes are awesome, but don’t assume that the geekiness of the information security demographic is non-selective. When there is a gap between a marketing team and the people they are marketing to, it shows. The end result is a campaign that comes off as cheesy or silly. Of course, cheesiness and silliness are not necessarily “don’ts” in security marketing. Rather, silliness and cheesiness are pretty successful in security marketing when the marketer does it purposefully. Understanding not just “what” resonates with an audience, but also “how” and “why” it resonates, is important.

A great example of a marketing campaign using a superhero cartoon character is the one conducted by Sourcefire. Sourcefire leverages a cartoon superhero commonly known as “the Snort Pig” or “Snorty.” Unlike the characters of Cisco’s the Realm, the Snort Pig is very well received by the security community. In fact, the Snort Calendar, which features the Snort Pig in multiple pop culture scenes (e.g. the Snort Pig as Neo from the Matrix), is highly sought after by the community.

The reason why the Sourcefire campaign works but the Cisco campaign largely failed is that the Sourcefire campaign is honest. There is a certain genuine aspect of the Sourcefire campaign that makes it successful. The Sourcefire team almost makes fun of the Snort Pig by placing him in funny parodies as opposed to Cisco, who leveraged their cartoons in an overly serious tone. Honesty in marketing goes a long way with the security community. That doesn’t mean start a new slogan that says, “Actually our stuff is only second best in the market.” Rather it means that as a security vendor, take the things that are cool to your operational security people and leverage them. Generally this is a no-no in marketing/advertising (thinking the target demographic is like you), but in the realm of security, for several reasons, this actually works. The message it sends is, “Hey we’ve got people very good at this stuff, they thought this was cool, you might think it’s cool too.” As opposed to, “we ran a giant market study, this is what it said you liked. Let us try to relate it to you.” Though the difference is subtle, it can make or break a marketing campaign.

Self-Actualization is Powerful
Though Cisco’s campaign struggled because it was too serious for the particular medium, having a serious message is not necessarily wrong. Actually, messages of self-actualization, or rather the tendency to actualize something as fully as possible, are very powerful in security marketing. This is especially true when the message helps individuals working within security recognize just how powerful their skill set is. Security professionals love the idea that what they can do can make or break the world. Having a piece of collateral that expresses that belief has resonated very well within the security community.

This does not mean start selling FUD (Fear, Uncertainty, Doubt). Though it is painful to admit, yes, FUD moves products and services. It is, however, not what one should want their company known for; therefore it should be used sparingly and in a targeted fashion, and it is not the type of self-actualization campaign that is being discussed here. Rather, this discussion is more focused around an “Army of One” type of marketing campaign (which was a very successful US Army self-actualization-based marketing/advertising campaign). In other words, these campaigns should focus on how powerful the individual is in information security. At the same time, they should also allow that individual to leverage the marketing material to show others as well.

As a corporate emergency response team member once put it, marketing campaigns allow security professionals to internally recognize how important and powerful their field is, while at the same time leveraging that campaign to validate those beliefs with external sources. One of the best examples of this can be seen at Facebook, whose “Hack” campaign does not actually focus on security; it just happens to resonate really well with that community. It captures the mentality of security professionals who believe in the true power of hacking and the hacker mentality. Take for example the image that Facebook utilizes in the form of a poster at the right. This image merely portrays the word “Hack” and a bundle of dynamite ready to explode. It may seem like a stretch to some, but the subtle message says to many security professionals that the ability to think creatively and to “hack” has the potential energy of a bundle of dynamite ready to explode. This is a truly compelling propaganda message. So much so that Facebook marketing material is heavily sought after within pockets of the security community. Of course this is not due solely to the powerful message, but also to the exclusive nature of their marketing efforts. Which leads us to our next point of self-actualization: elitism.

Self-actualization in its most potent form can be seen in the realm of elitism. The desire for elitism within the security community is palpable. Marketing campaigns that properly execute on this do very well. Consider some of the brands that are believed to be elite within the security market. Now look at their marketing; one will note that these organizations subtly support these messages. Take for example the booth that the NSA sets up at RSA. In order to get into the booth one is given a faux security pass, as if to say only a select few are ever allowed into NSA arenas. Similar messages are sent through the limited number of challenge coins that actual security team members give away each year. These coins represent a token telling others that this organization, or in particular this team, is special or elite in nature.

Which leads us to the key principle of security marketing in the realm of self-actualization: market internally to gain notoriety externally. Build a brand that internal security players can get behind and believe in. This often translates into real public recognition of those beliefs.

Marketing Punts Suck. No One Notices Them or Likes Them
As much of a hard time as Cisco’s The Realm or Symantec’s Hack is Wack campaigns received, they are not anywhere near the worst. Credit must be given to both companies for making an effort, for breaking from the norm, and at a minimum being somewhat daring, which is far more than can be said for the vast majority of security vendors out there. No, the worst are far less discussed than Symantec and Cisco. Rather, by far the worst marketing campaigns are those that function as the equivalent of a punt in football.

Marketing is supposed to be powerful, memorable, and in most cases fun. All three of these areas are lacking from the vast majority of information security marketing campaigns. So much so that posting any real examples here would be picking on companies, as virtually everyone does this. In some ways this is ok. Not every marketing campaign should hit with 1,000 lbs. of force. However, when it is the only campaign being run, well, then there is something wrong. Good security marketing is not about how many times someone can put “real-time”, “threat protection”, “intelligent”, “2.0”, “next-generation”, or “advanced” into a product description. Worse yet, if the most creative, eye-catching image an organization can muster is a picture of the actual appliance, then it’s time to rethink the marketing scheme.

The one exception to that rule is if one runs a marketing campaign similar to Barracuda Networks, who, despite having several campaigns that merely include pictures of their appliances, have still done very well in the marketing arena. That, however, is due to the fact that they complement that campaign with a multitude of other unique campaigns (e.g. sponsoring sports like IndyCar racing or professional cycling). Also, it is difficult to ignore that Barracuda has seemingly posted their advertisements everywhere! Again though, this is the exception, and frankly it is only the exception because they have done so well to complement the boring stuff with a multitude of great marketing campaigns.

In general, organizations finding themselves in the realm of predictable, easy, everyday marketing should consider drastic changes. To close, this article has provided some of the good and bad of security marketing. Please remember these simple guidelines for great marketing in the future, and always be unique!

As we close, take these simple guidelines to heart:
1. Market to operational security professionals, not just C-level executives
2. Bad publicity is not good
3. Self-actualization is powerful
4. Market research still leaves room for interpretation
5. Marketing punts suck! Don’t do it.

That Time Someone Tried to Scam Me on eBay

For years I have avoided the frenzy of selling items on eBay, but after purchasing a new iPad, I decided it was time to give it a shot. Thus, I posted my earlier-generation iPad for a relatively high price and hoped for the best. I have posted the item three times now; it has sold all three times, and all three times it has been a scam. The last scam attempt nearly got me. This is the story of what happened.

A few short days after posting my old iPad I got the good news that someone had skipped the entire bidding process and used the “Buy It Now” feature on eBay to immediately purchase my iPad. This was the first clue that something was up. My item was not by any means the cheapest iPad that could be purchased with the “Buy It Now” feature. In addition, one could almost certainly have bid on an iPad and spent $50 less. Being an optimist though, I decided that my iPad had just sold and I’d move forward with the process. I immediately received a message asking for my e-mail address so the buyer could make a payment, thus I gave it (this was a mistake).

The next clue I received that something was wrong came in the form of an e-mail. Due to the fact that this was an international purchase, I had the opportunity to add an additional shipping cost. Since I was happy I had sold my iPad for such a high price, I decided to add on the relatively modest cost of $20. After I sent that to the buyer I received an e-mail letting me know that they had also looked up the cost of international shipping, not to the UK where they were located, but rather to Ghana, West Africa, where the buyer’s wife was. My iPad would of course be a birthday present, and the faster I could send it the better. Clearly this was a scam, and I had already come to terms with the fact that my iPad had not actually sold when something odd happened…I received a note notifying me that I had received a PayPal payment.

To be fair, I got this message while I was rushing to an airport for a four day trip so my immediate thought was, “Crap, there is no way I’m going to be able to get this out in a timely manner.” It wasn’t until I got home from that trip that I took a closer look at the message I was supposedly receiving from PayPal.

A few things stuck out. First, the buyer paid more than the extra $20 I had asked for, second some of the grammer was a little off, e.g. “You have ‘gotten’ funds.” I therefore went directly to my PayPal account to check to see if I received the money…I did not receive any payment. I took another look at the message telling me I had received a payment and low and behold, the message came from a account. That’s right, a Yahoo account posing as a PayPal one. As one last piece of review I took a look to see if the user had any positive reviews. Not only did they not have any reviews, their account was created the day of purchase. Clearly a scam.

The moral of the story is this: cover all your bases when selling items online and be certain you have the money before you send anything…Anyone want to buy an iPad?

Ten Tips for the InfoSec Traveller

With RSA just around the corner, a number of infosec professionals will be packing up and doing some travel so here are a few tips to consider as you’re packing your bags.

10. Make a technology travel kit (including a travel computer)

This habit comes from my days of doing forensic investigations. There is nothing worse than having to remove a hard drive for imaging with a butter knife because you neglected to bring a screwdriver. Whether one’s travel is light or heavy, always be prepared! This means building a comprehensive kit that can be put together quickly and is light to carry.

Recommended Equipment
1. One cable for each piece of equipment (e.g. iPad and iPhone equals two USB cables)
2. Power adapters (The TrendMicro adapter pictured is worth its weight in gold)
3. Smartphone battery backup (extremely handy; my personal choice is from Brookstone, $40)
4. GPS that is not your smartphone. My personal choice is whatever is on sale when you go to buy (*Protip make this your second GPS, do not use the one you utilize at home).
5. Presentation Clicker: bring your own, never let anyone borrow (personal choice is from Targus)
6. A travel computer that is not your primary machine for computing at home (get an Apple already :-D)
7. Power supply for portable computer
8. A mouse (don’t get stuck using a trackpad on a massive Excel document)
9. Display adapters (if necessary for your computer)
10. A portable projector (if work will pay for it)

9. Portable surge protectors are lifesavers in airports and conf. rooms

Every InfoSec traveller has been there: a piece of crucial electronic equipment, whether it’s a computer, cellphone, or something else, is dead and there are no open electrical outlets in the airport. For the inexperienced traveller this will set them out on a quest for that open face to 120 V goodness, but not you, no, you’ve got your own portable surge protector. Now you can share an open outlet with someone else. Even better, you can charge your computer, iPhone, iPad, and possibly something else all at the same time!

Recommended Products
There are a ton of products to choose from here, but one key feature to absolutely consider is the inclusion of USB charging outlets. This reduces the number of chargers one has to bring to charge a number of diverse devices. My personal choice in this realm is the Belkin Portable Mini Surge with USB Charging Outlet for $14.95. One thing to remember though is that this will not fit into some tight places, for those one will need a bigger surge protector with a cable, which is something that I normally go without.

8. Get a smartphone and a tablet

Ok, in many ways this goes without saying. However, if you’re running around with a Blackberry, you’re missing out on a whole lot. There are a slew of applications for both tablets and smartphones (particularly iPhones and Android powered phones) that are extremely useful and entertaining. At the same time, if you’re still watching movies on your iPhone, it is probably time to upgrade to a tablet.

Recommended Apps (for iPhone)
1. Spotify with a $10/mo subscription (always have the newest and greatest music & the ability to make new playlists on the fly)
2. Tripadvisor (City Guides!)
3. GateGuru (know all about the airport you’re in and what places are best to eat or entertain yourself)
4. Yelp! (Find the best places to eat in any city)
5. Your favorite card game

Recommendations for Tablet (iPad)
1. Bring your five favorite movies
2. Bring your two favorite TV shows

7. Buy good headphones and keep a backup

This takes a long time for a lot of people to learn but there is nothing worse than watching a movie on your iPad and then having one earbud go dead. This launches most people into a long battle of twisting the connection and trying to align wires in the manner that will just get them through the flight. Don’t be that person. Number one, a good pair of headphones will easily pay for itself compared with the multiple cheaper sets one would otherwise go through, e.g. the Bose MIE2i comes with a one year warranty for $130, which is equal to ~4 Apple Earbud purchases (and they sound better). Also, noise canceling headsets are great for quieting noisy planes (so you don’t have to blast your headphones to drown out engines) and airports.

Recommendations for headphones
1. Bose MIE2i (with iPhone mic. Great for on the run conference calls and not having to reach into your pocket for volume and/or starting and stopping music or movies)
2. Bose QC3 (personal favorites but if one prefers over-ear instead of on-ear check out the Bose QC15s)

6. Always have two forms of identity (in separate places)

Simple, keep a passport with you as well as your license. Or some other form of ID that can get you around places that require ID and on planes.

5. Travel clothes are versatile and rugged

This is probably a recommendation more for the men than the ladies as I do not pretend to know how women should pack clothes. For guys though, aim to bring clothes that are multi-purpose. If you bring a coat, bring a coat that you feel comfortable wearing casually and formally, as this reduces the amount necessary for packing. If you are bringing casual shoes, try to bring casual shoes you can work out in. Also, bear in mind that these clothes are going to get beat up; pack clothing items that you are ok with this happening to. Finally, be prepared for several weather conditions.

1. Pack for every day specifically plus one extra day
2. Bring formal, casual, and workout clothes (and try to cross-over)
3. Be prepared for multiple weather conditions (personal preference I keep a Loki jacket which has hidden integrated mittens and facemask for cold weather)

4. Sign up for rewards programs

Not signing up for rewards programs is a rookie mistake that is made altogether too often; do not make this mistake. Signing up for member rewards programs is simple, easy, and comes with an amazing number of perks. Don’t stand in line at Hertz, get free breakfast and water at Hiltons, free upgrades on airlines, etc, etc, etc. Do not make this mistake; it saves you time, money and a ton of frustration.

Some of the main ones:
1. Hilton Honors
2. Marriott Rewards
3. Starwood Preferred
4. Hertz Gold
5. Enterprise Plus
6. National Emerald Club
7. United Airlines Mileage Plus
8. American Airlines AAdvantage
9. Delta Airlines Skymiles
10. Southwest Airlines Rapid Rewards

3. Keep it clean (WASH YOUR HANDS!)

Airports, airplanes, hotel rooms, and rental cars are filthy. They are, it’s gross, so keep it clean! Wash your hands before you eat and keep sanitizer on you. Keep Clorox bleach wipes with you for areas you will be touching often (*Protip: remote controls and telephones in hotel rooms are rarely, if ever, cleaned; bring some portable Clorox bleach wipes to wipe them down).

1. Clorox Bleach Wipes travel pack
2. Purell Sanitizing Wipes (recommended over the liquid due to travel restrictions)
3. Wet Ones (nice hand wipes)
4. Toothbrush Sanitizer

2. Keep it light!

Thus far we’ve listed a number of things to bring along when travelling. This adds a bigger load of things to have at all times. This isn’t necessarily the best idea when it comes to travel though; instead the goal is to keep it light! Reduce strain wherever possible. Much of this comes down to intelligent packing and the right kind of luggage. For those of us in the infosec space we typically will have computing equipment with us at all times. Heed these words of advice: DO NOT TRAVEL WITH SINGLE SHOULDER COMPUTER BAGS. There are too many people who have had long lasting shoulder injuries to ignore this. Use a two shoulder backpack and if necessary pack a single shoulder bag strictly for style. Do not use the bag you got at a conference; first of all, 90% of them are not a good backpack. Also, they are 100% of the time really dorky. In terms of luggage, think four wheels. This drastically reduces the amount of strain for larger suitcases.

1. Timbuk2 Q Laptop Backpack (I love my Timbuk2 bag)
2. Samsonite Spinner (Really any spinner case will do)

1. Enjoy yourself

This is the one most people probably forget: have fun! There is a whole world out there to be seen; when you’re travelling, try to see it! Make the best of all your time. If you are 100000% working while you travel, try to work from places that are different and interesting, maybe the coffee shops on site. If you are strictly airport to client site, try to enjoy the different airport restaurants you get to eat at. The point is, travelling can be tough, but if you make your work travel a mini vacation every time it is much more bearable.

Ten Things Every ITsec Pro Should Do

10. Work for a vulnerability research powerhouse

Working for a vulnerability research powerhouse can be a rewarding experience for any curious minded security professional. On top of working in an environment fueled by out-of-the-box thinking, there is typically a wealth of information at every employee’s fingertips. If used correctly that information can be utilized to accelerate a career and/or reach a level of subject matter expertise. Some excellent examples include IBM ISS and Rational, Sourcefire, McAfee, the NSA, and HP (with TippingPoint and SPI Dynamics). Don’t overlook smaller companies who make a significant investment into research though; companies like ImmunitySec and Rapid7 would be good as well.

9. Write and conduct a hands-on training course

Due largely to the fact that the term “information technology security” covers such a broad range of topics, even the most knowledgeable security professionals may overlook the depths of their own abilities. Writing and conducting a hands-on training course can sometimes help professionals gauge their knowledge level. In addition, it may result in a nice knowledge exchange as well. The days of trading “philes” may be mostly dead; trading knowledge through training may be a nice substitute.

8. Openly complain about an operating system and swear to only use BSD

Realistically, BSD is enough of a pain to get up and running that hardly anybody actually ever uses it as their primary desktop (unless the desktop has a very specific purpose). Regardless, as a security professional it’s a rite of passage to complain about every other operating system in existence.

7. Attend the RSA Code Breakers Bash

It may sound nerdy because well…it is nerdy. Either way, the Code Breakers Bash is one of the biggest (if not the biggest) IT Security parties of the year. It is easy to get lost in the day-to-day operations of IT security and never see the industry for the bigger picture. The Code Breakers Bash can be an eye opening experience for any ITsec pro who has never experienced it. The amount of money organizers spend on the party alone makes it worthwhile; however, if that isn’t enough, then taking the opportunity to see a lot of executives and mid-level managers drunk and engaged in some sort of geek tribal dancing is well worth it.

6. A Secret Squirrel Forensic Investigation

Network forensics solutions such as EnCase Enterprise, ProDiscover, Mandiant products and others are making secret squirrel investigations (investigations where an analyst images a hard drive without the user knowing) less relevant. However, the experience is so much fun that if there is any possibility of doing this type of investigation, jump on it. There is a level of thrill in this type of activity that is really unrivaled by just about any other IT security activity.

5. Publish a piece on information security

Having a whitepaper published and posted on a website is an extremely rewarding experience, and publishing a piece within a publication can be equally rewarding. The best part is that a publication will be around forever. Consider it a security professional’s legacy.

4. Conduct a Formal Penetration Test

Security professionals should know how to hack stuff, plain and simple. There is no better way to put these capabilities to the test than to conduct a real world penetration test.

3. Participate in a Government Information Security Exercise

Participating in government security exercises will show anyone just how far IT security really has to go. It will also hammer home how important it is that the community bridges that gap. Unfortunately, this stuff doesn’t work how it is portrayed in the movies. Fortunately, most people don’t know that, so it always sounds cool when you can tell your friends about participating in non-secretive government exercises like, “Cyberstorm.”

2. Walk the RSA Conference USA Show Floor

The sheer amount of money flowing through the RSA show floor makes it a unique experience for every IT security professional. It is easy to see IT security as a battle for control of an infrastructure or data; seeing the RSA show floor will open anyone’s eyes to the monetary foundation that is really running the industry. If that isn’t reason enough to go, then robbing the show floor of as many pieces of swag as possible makes it worthwhile. Bringing that swag back to an office and seeing people’s faces light up as bags full of junk are laid out for them is a memorable moment to say the least.

1. Attend BlackHat and DefCon

BlackHat and especially DefCon are somewhat like a pilgrimage for security professionals. The events and talks are legendary; although the conferences have evolved over the years, they are still the premier computer hacker conferences. If for no other reason, attending these conferences is worthwhile to see and meet people who are genuinely passionate about computer security. DefCon was probably the first place where a person’s cool points were based on how l33t they are. As well as probably the only place where saying things like “l33t” might cause a person to get beaten with keyboards, bad odor, and old beer bottles.

Feeling the Burn

It used to be that I could sit down and write a new blog post whenever I felt like it, I just had so much to say! Today I sat down with the intention of writing a new blog post and I came up with absolutely nothing. I literally have five drafts on multiple topics ranging from toys that I want to buy, to the business of big data analytics, all the way to how to integrate an intelligence process…at the end, they were all crap. All of them. I recognize this isn’t because I have nothing to say, but rather because I am totally burnt out.

I don’t think that I am the only one suffering under these conditions, however; I think many of us are probably struggling today. Frankly there is too much work to be done and too few of us to actually do it. Worse yet is the influx of less experienced, less passionate, and less talented security professionals stepping onto the scene attempting to dominate. In a way this is more exhausting than anything because it not only fails to decrease workloads but also creates a difficult environment for ensuring quality of security delivery.

Furthermore, for many, including myself, much of our workload now is less security related than it has ever been. This is especially true for the travelers whose work/life balance consists of trying to integrate 20 hours of travel every week. The point is, it is rough out there right now. I leave you with this one piece of advice that I look in the mirror and tell myself every morning…hang in there.