It’s not that we didn’t like podcasts from across the pond. Au contraire. There’s were some pretty good ones back then and more have popped up in the past year but we missed European nuance and it all seemed like everything in infosec came from the U.S. and we were just eating their beans.  Apart from having good fun together we wanted to create a platform that allowed us to put European security people in the spotlight. And have we ? Sandro Gauci, Brian Honan, Justin Clarke, Didier Stevens, Ewout Meij , Portswigger, Aluc and Ivan Ristic are only some of the names that we were honored to have as our guests. It was awesome talking, listening and learning from them.

Today we released our 25th episode, 13 full-length episodes and 12 microcasts. We chose to add the microcast format because sometimes one of us would get in touch with someone awesome and we wouldn’t all have time to join in the conversation. We felt it was the best way to bring more than 1 episode per month and we haven’t regretted it. We sincerely hope you didn’t either

With this post I want to share my gratitude for being able to do this with Craig, Dale and Chris. I have enjoyed every single minute of it and without either of them, this podcast wouldn’t exist.

If I were vain enough to track server logs, I would know how many people are actually downloading what we do but that doesn’t really matter.  If you happen to listen to our podcast and you are coming to Brucon in September, consider yourself invited to the first Brucon Podcasters Meetup !

thanks for listening & sorry for the funny accent !

Viva La Eurotrash !

Much to my amazement, the post in question was about WAFs. Yup, Web Application Firewalls.  Here’s the gist of the post :

WAFs are a high value safeguard for custom applications, but are held back because so many groups are potentially involved in the operation and buying of applications.  Data center ops, server ops, appdev, application owners, security, network ops…  Unlike other products like IPS which have usually two buying centers, there is a wide spread to which roles are involved in WAF.  There will be some reduction in the number of buying centers, but as long as custom web applications are housed and delivered in this complex manner, don’t expect organizations to change to accommodate the safeguard.

Ok, that’s actually the whole post minus the explanation of the title

So apparently ‘buying center’ is leet analyst speak for a silo aka a “cylinder of excellence”* and Mr. Analyst gives us the reason why adoption is slow or inconsistent : too many silo’s are involved in buying this tech. Either organisations have to reduce the number of silos or the technology itself needs to cater for less silos. To top it off, he hints “don’t expect organizations to change to accomodate the safeguard.”

I beg to differ from this point of view.  There is a million things wrong in this world, blaming the (assumed) failure of WAFs on a) targeting the wrong silos or b) being an incomprehensible solution, is not gonna solve any of them. (properly designed and implemented) WAF solutions cater for just as much silos as (properly designed and implemented) IPS solutions. The problem is that the silos, even if there’s only two, are cemented in. They’re completely separated and years have gone by since someone peeked over the wall to see (with interest) what the other side is doing. Oh wait, we peeked allright, but only to see how hard the other side was failing.

Unless an organization actively starts to break down the silos and creates cross-functional and active involvement in information security, you can look at any technological solution and see it fail before it leaves the styrofoam womb.Obviously, none of these evolutions can be captured in magical squares or quantified in market share estimates. It is however, in my very humble opinion, the focal point of our efforts for years to come.

Thus an armchair analyst has spoken.Unfortunately I don’t have a picture of me and Jack Daniel … yet.

P.S. : I have nothing personal against analysts, there’s some pretty smart dudes out there (no name dropping here ). It just irks me that some of them seem to feel they can pontificate whatever they seem appropriate under the flag of being industry-defining.

—-

* I think Jack Daniel himself came up with the name “cylinder of excellence”, I may be attributing incorrectly.

In alphabetical order :

Aluc.TV – Aluc started with a videocast which covers all types of security related topics. Most recently (I think starting in May) he also started to do AlucRadio episodes, which are audio podcasts featuring interviews with Security people covering the whole spectrum.

Beyond The Perimeter — Recently added. Good infosec content, good interviews and rather short episodes, which I like

Disaster Protocol

Eurotrash Security Podcast – shameless plug

Exotic Liability – in most cases NSFW but often good discussions + the guys are awesome.

An Information Security Place Podcast

Infosec Daily Podcast

Network Security Podcast

Packet Pushers – recently discovered, good technical coverage of network security topics !

Risky Business — Professional Aussie podcast.

Securabit

Security Justice

Social-Engineer Podcast – unique podcast covering only social engineering topics

The Southern Fried Security Podcast —

In the post, Jennifer posts her view on how security is handled in SMB-land. Much to my amazement, the average SMB is described as a mom-and-pop shop.  Unfortunately, it isn’t.  As I’m European, I always try to view a subject from different angles.  The definition of SMB (or SME) is different wherever you live. Allthough Europe is trying to standardize, the concept of SMB is fuzzy. In Germany and SMB would have anything below 250 employees, in Belgium (this is SMB Ground Zero, just to put the record straight) it would have fewer than 100 employees.  Today we are calling anything below 50 small and anything between 50 and 250 medium.  In the US on the other hand small is anything below 100 employees and medium anything below 500.

This is not trivial information. Assuming you are targetting an SMB market, you have to know who is in that market.  Equalizing everything to the mom&pop shop caricature and then saying they don’t GET security is a little over the top.   It just isn’t true.

I have worked in several industries. I have worked in companies with fewer than 100 employees who have a revenue that you would proud of in an enterprise.  I have done security jobs in mom&pop (and son&daughther) shops and I’ve been catering for enterprise and government customers.  I’ve seen it all.  The closest I’ve been to the cash drawer lock box was when I was fixing a computer with a stack of bills worth 50k euros next to me, and that was because they forgot to put them in the (unlocked) drawer. However, I disgress, it’s not about me (or my integrity).

In the SMB market, security isn’t THAT different and, it might amaze you, but most people do get it.  A lot of those companies are dealing with compliance due to PCI or other regulations, a lot of those companies have to get it. And they do, or they try, but there’s not a lot of “security companies” interested to help. They’re too small …

On the other hand, you’re saying how much different they are from the enterprises. How enterprises do appreciate the risk and have and use the necessary resources and knowledge to do something about it. Every day you’re proven wrong. The answer to the question why is suited for another post.

Big enterpises keep losing customer records, big enterprises (knowing what they’re doing and knowing the threats they’re up against) keep getting pwned and pwned and pwned.Why is that ? Because they don’t get security.  And they deserve the rap much more than their SMB counterparts.

What the SMB people see is a bunch of vampires knocking at their door touting $1000 a day rates to solve their problems, but unable to tell them what their problems really are.

What they hear is a bunch of fancy product vendors unable to tell them what added value this or that appliance means for their business.

What they feel is fear, uncertainty and doubt being shoved down their throat and we’re not even courteous enough to allow them to swallow.

There is no need to dumb down security for the SMB so they will get it.  There is a need for us to understand them more than there is the other way around.

I understand the wake-up call is long overdue, but I’m afraid you are ringing the wrong bell.

1. SCADA vendors, Siemens in this case, don’t care about the security of their customers in the slightest. Their database password is compromised since 2008 and still, in an advisory on the virus (abusing the LNK flaw) that targets exactly that password, they do nothing less than tell their customers to not change that password.  It is a complete trainwreck.
2. Product vendors, Microsoft in this case, fail to provide their customers with adequate solutions but choose to provide quick fixes that are completely unusable since they wreck the complete user experience.  Releasing it as a ‘fix-it’ solution to make it ‘easier’ for people to implement just exponentially increases the fail.
3. Independent people succeed in providing work-arounds for the flaw using standard product functionality (namely the SRP fix provided by Didier Stevens). We can only be thankful to be active in a community with engaged people that choose not to sit back and be force-fed the crap ‘innovative’ and ‘thought-leading’ cooperations provide us but actually go out to do what needs to be done.

The question remains why Microsoft can’t come up with the stuff Didier came up with.  It uses standard functionality of the OS, it can be implemented in small and large environments in an easy and controlled manner and it doesn’t break the user experience. What is so difficult about that ? Today, it’s 2010 FFS, security administrators have evolved from registry editing and most do understand how your OS works. Stop treating them like babies and provide them the solutions they need to protect them from the evil posed by your fuck-ups.

To end, Didier deserves a word of thanks for the work he did on the SRP fix for this one.  It looks like something easy but he took the time, did the research, he did the testing and he chose to share with the community.

If it’s good enough to sell €3000 trainings, it’s good enough for me.

I loved OSSTMM when it was v2. It was open, it was verifiable and it was the shit if it came to testing methodologies. One of it’s key “selling” was that you no longer had to hide behind a proprietary standard (in most cases, companies saying that, were saying they had no methodology at all!). You could reference the OSSTMM and your customer could download the standard, see what he would be getting and if it fitted his needs. Moreover he could verify whether your work lived up to the standard you promised him.

Life was good.

I first saw Pete talking about v3 back in 2007, at FOSDEM, one of the biggest Open Source developers gatherings in the world. Promises were big and the emphasis was on quality. ISECOM wanted to deliver the best standard, nothing more, nothing less. After his talk at FOSDEM, I subscribed to the OSSTMM reviewers group and I did review a few chapters.  What I saw was awesome, it didn’t look like there was much more work left.

I was wrong, or wasn’t I ?

Eventually, since activity on the list went to near-zero I let it slip.  I expected much smarter people than me contributing to the standard and was anxiously waiting for it to be released. Fast forward to 2009.  Still no OSSTMM v3 and I blogged . Pete responded in a comment on that same post, you can read it for yourself.  OSSTMM v3 was going to be a game changer, completely different from v2, hence it was taking that long.

Another year (+ a few months) has passed. and still no OSSTMM v3.

And thus comes the question.  ISECOM is training OPSA and OPST based on OSSTMM v3, at about 2900 euro’s per student. You can become Silver, Gold or Platinum Partner for $99, $299 or $999 respectively and have access to the (draft) OSSTMM v3. The question is not when OSSTMM v3 will be there, since ISECOM thinks it’s good enough to base training on it (Pete has also stated that v2 is crap compared to v3 on the Eurotrash episode), the question is when it will live up to the OS in it’s name. When will it be open source again?

I can perfectly understand that mouths need to be fed and bills need to be payed. I can live with that. There’s 3 solutions I see in the immediate future :

1. Release OSSTMMv3 to the public, as it is supposed to be. If it’s good enough to sell €3000 trainings, it’s good enough for me.
2. Provide a deadline for OSSTMMv3 and gather a team (Gold,Silver,Platinum or volunteer, you choose) that can meet that deadline. Then release OSSTMMv3 to the public, as it is supposed to be.
3. drop the OS and call it STMMv1

Without a doubt, I got the greatest respect for Pete and his team. Some of the greatest minds in the European security scene are (according to the website) working with Pete to do nothing but great stuff.  It is, however, time to stop sending mixed messages and let the community know where it’s at.

When, if ever, will we see the new (Open Source) Security Testing Methodology Manual ?

I’d like to dedicate this to all the children
I have some food in my bag for you
Not the edible food the food you eat no
Perhaps some food for thought
Since knowledge is infinite
It has infinitely fell on me so um …

Erykah Badu, Appletree

The obvious answer to the question in the title is : “What if you don’t, and they stay.”

In information security keeping your skills up to date is key and finding the necessary budget to do so becomes more and more difficult.  The funny thing with training starts when you actually do have a budget What to choose ? Not an easy task.

You can choose to chase one of the blanket certs. CISSP, CISA, CISM, … you name it. They look awesome on your CV and the pins you receive are cool for S&M games, let alone the awesome looking paper cert you get to frame and hang on your wall.  Eternal sources of infinite ego boost.  But I disgress.

Technical certs.  Cisco, Microsoft, Juniper, [insert vendor here], … Sure, if you like yourself some letter soup.

Then, there’s the rest.  SANS offers awesome training, but your budget will probably not suffice.  While I’ve heard nothing than positive feedback. If you’re living in Europe (like me) there’s not a lot of opportunity to get to the classroom based trainings (one or two events per year) and If you have a real job and a family (like me) computer-based training, mentored training, remote learning isn’t a good choice either.

So in essence, you’re looking for local training by awesome trainers that can really push you to and over your limit and preferably close to where you live so you can maximize your budget.  It’s a damn shame spending cash on transport just to get you to the training …

One tip : Don’t settle for the second-hand knowledge transfer by your local reseller that sees their training center as a marketing tool rather than a center of excellence.

I hear you coming already … You won’t be able to spend the training budget you got without getting good value for your money.  Not true !!  Look at conferences !!

Europe has already had the Blackhat briefings a few weeks ago, lots of other conferences are yet to come.  One of those is Brucon, a conference that is near and dear to my heart (don’t ask me to utter that sentence in real life without rofling please !!).

Two days before Brucon, on September 22nd and 23rd there are awesome trainings planned that have a reasonable price and are taught by people who really know their stuff.  Examples ?

Sandro Gauci is teaching a crash course in pentesting and securing VoIP.

Joe McCray is teaching his Advanced Penetration Testing course. The sequel to his well-received training last year.

Sharon Conheady is coming back for an awesome Social Engineering course.

Paul Asadoorian is teaching Advanced Vulnerability Scanning using Nessus

and last, but not least

Justin Searle is coming to Brussels to introduce you in the wonderworld that is Assessing and Exploiting Web Applications with Samurai-WTF.

From the website :

The price for the 2 day courses is 895 € early bird (+ VAT) per attendee. After 1st of July this will become 995 €.

A vendor cert will set you back three times that amount and will only confirm what you already know. You’ll spend close to 5 or 6 times that amount to achieve a blanket cert. Why not make both your boss and yourself happy by being economic with the money provided and get real training, by real experts, at Brucon ?

There’s actually 2 ways to find the solution.  I currently have answers using only one way (you lazy bastids). I will limit the number of winners to 3 (three).  At least one winner needs to provide both possible solutions.

————————

Update 0×02

Ok, I have too hard a time to choose winners.  Khurt, test@india, Kasperle, Mirko, courts and Chris please ping me on
wim 0×40 eurotrashsecurity 0×20 eu . For the others, watch http://www.thehexfactor.org for the 2009 challenges (walk throughs are being released weekly as of last week) … I might release another few little beer challenges in a few weeks. Thanks for playing !

this is a first test to see what I can come up with to get you guys over to Brucon.

First (non-Belgian) who tells me in which Belgian city this picture was taken, gets a free beer at Brucon.

Submissions are only accepted by commenting on this post.

Please provide a detailed description of how you found the solution.

Do these improving tools make pentesters redundant ? Far from it.  As hardcore as they portray themselves, there are very few (dare I say none?) that do not use one or another tool, framework or whatever you want to call it. If you are doing pentesting for a living, economy is key.  You just don’t want to be spending time writing code for the vuln you just detected. Why exactly would you want to reinvent the wheel? There’s much better things you can do with your time.

If a pentester feels redundant with ever-improving tools flooding the market, my bet that the subject involved is a tool himself and his lazy ass deserves a cruel beating. If you forgot to improve yourself because you were thinking your 1337 apps wouldn’t be replaced by a industrialized solution, haha on you !

Mr. Jack Daniel said it well : “Any pentester that feels redundant because of Metasploit Express already was.”

Tools with tools will always be able to fool fools. Companies providing pentesting services will have to step up their game, mediocrity shall no longer be the standard, because the customer can now do that part of it themselves.

Anybody serious about the infosec industry should welcome that. Evolution is happening. And I, for one, think that is a very good thing.

(part of this blogpost was inspired by indi303, chrisjohnriley, danielkennedy74 and dasfiregod on twitter.)

I’ve been unable to blog for a while now and for various reasons I am closing this place until further notice.

Yes, I’ll be back but don’t ask me when   I got my hands full with some speaking engagements, the Eurotrash podcast, prepping some other exciting stuff, my day job and family … I’ll be busy enough.

I hope to catch you all at a later point this year !

Take care & stay secure !

Wim