Still, for those who’ve asked for a list of good blogs to follow I’ve exported my blog list to OPML format for you to download and import or take a look at. It’s not small, so make sure you’re ready for it if you import it into your reader software.

Google Reader Export ==> (OPML)

Temporary Tumblr feed ==> http://feed.c22.cc (RSS)

What I found on Klout when I signed on was interesting, at least interesting enough for me to share with you guys…

Wow.. look, aren’t I special. I’ve got a Klout of 61! Yes, I have no idea what 61 means, there’s no range here… 61 out of 62 is high… 61 out of 1000 not so much. Great start. So far you’ve reduced me to a number and asked me to share that with the world! I’m gonna go out on a limb here and so, no I won’t be sharing that useless fact!

So… lets see what other gems they have for me shall we. Lets start off with the profile and see what they can tell me that I don’t already know about myself. After all, they know things I don’t I’m sure.

Ok, seriously, I get that 61 is a big thing for you, but I’ve still no idea what the scale is, so for me, it’s kinda like a big sign that say “Dunce”. What else do you have for me. Ok I’m an influencer of 1K (I’m guessing that’s 1 thousand, although I doubt that highly… why would anybody listen to a chump like me for goodness sake!). Ok, now this makes more sense… apparently I’m influential about Information Security, hacking, and popcorn! This must be some sort of weird twisted version of me that likes to eat sweat (and/or salty) snacks and talk about them endlessly on social media! It’s a strange world… but wait a minute. It says I’m a specialist! At least it didn’t say thought leader (hint: checkout my Eurotrash Security co-host @CraigBalding’s Klout page).

So what is a specialist, at least according to Klout. Ah such nice words… I’m not a celebrity (thank fuck for that) but I’m still special… it’s like Klout is somehow there to reinforce people’s ego and make them feel less like the people they really are. Lots of tweeting about a single topic doesn’t make you a specialist… it makes you a loudmouth who doesn’t know when to shut up.

I disagree with your opinions here Mr Klout sir… so, some playing around in the DOM will fix this up quick proper I think! A little tweak here, a correction there….

There, that looks so much better than before. I wonder what other misguided ideas they have about me. Lets take a little look in the score analysis. Ooooh look, pretty charts with lines on them. They go upwards, this must mean that something great is happening right? Pity the history only goes back a month or so. Guess they don’t like large (i.e. realistic) data sets. Well at least they give a scale on some of these things. Still, just a chart on its own doesn’t help much. Lets see if I can compare a chart from me to a chart from somebody who really HAS some Klout… HD Moore for example. (sorry HD, first name that came to mind)

Wow… if there was ever a result that made you realize that these sort of sites were as useless as a chocolate teapot, it’s this one.

(Almost) no words come to mind to describe this… but I’ll try, as it is a blog after all.

If you think services like this offer you a realistic outlook on who YOU are, then you really need to rethink these misconceptions.

This whole “everybody is special” thing has been taken to the nth degree. Do you think Klout (or any other such service for that matter) is going to tell you that you suck! That you’re boring and nobody cares what you have to say! No… they’re going to tell you what you want to hear using stats, nice graphs and the virtual pat on the back to tell you that you’re great. You’ve unlocked the “Pat on the back” achievement.

None of this makes a difference. People don’t ignore other people who’s Klout number is less than theirs, and I certainly don’t respect people who have a high Klout number especially. Numbers can say anything you want them to say. They can also lie to you.

TL:DR – Stats like this are based on false logic, bad stats and a desire to make you feel “special” about yourself… be your own little special snowflake and ignore this kind of thing! Talk about what you want to talk about, don’t bow to the pressure to be something you’re not!

"The" Wim Remes

Note: What follows are my words and the reasons why I support a change in the way ISC² works and is run… if you find issue with these words, I have a perfectly good contact from on the about me page. Feel free to use it!

First off let me say, I’m not a CISSP (and proud of that fact)… The main reason I’m so proud not to be a CISSP is the crap I see regularly coming out of the ISC² and the slightly skewed “code of ethics”. There’s been a lot of bitching and moaning about how screwed up things are, how the “code” only applies to some and not others… but very little action to actually change it.

It’s time to shit, or get off the pot!

In the last few days a close personal friend™ announced his candidacy for the ISC² board. I think Wim could really make a difference here, so consider this post my backing of his candidacy. Unfortunately, as I don’t subscribe the to code of “ethics” that ISC² assign to their certification holders (i.e I’m not certified by them, therefore must be a heathen or worse yet, a blackhat of some sort!), I’m not permitted to officially sign the petition, but you SHOULD!

Official petition page for Wim Remes

On August 19th I received the yearly e-mail from (ISC)2 where they informed me of their
board elections that begin on November 16th. While I respect everyone currently
slated for the ballot, I always cringe a little when I look back at yet another year of
separation between the infosec community of which I am a vocal participant and the
institution (ISC)2. I could spend another year on the sideline OR I can try and BE
the change that MANY of my online and real life friends are waiting for.

This is my official petition page to have my name added to the election ballot on November 16th.

You can support me by sending an e-mail from your e-mail address registered with ISC2 mentioning your NAME, EMAIL ADDRESS and CERTIFICATION NUMBER to wim@remes-it.be .

If I’m to become a member of the (ISC)2 Board of Directors I will strive to do the following in the three years that I will be given the opportunity to be the change you are all looking for:

* A closer collaboration with the information security community at large. This means recognition of what is currently considered to be an outlawish community but what I consider as a treasure trove of knowledge and capability that remains untapped. Either because we are afraid of what we don’t understand or because hackers are still suffering from a bad image. Not in my book!

* A review of the certification requirements for the flagship (ISC)2 certification, the CISSP, in order to bring it back to the level it once was on. Ideally with the incorporation of more in-depth requirements on a technical level, requirements in soft skills and, possibly, the addition of a written paper requirement that would show the knowledge the candidate has acquired during the learning process. This last requirement would feedback into the community becoming a valuable resource for security professionals globally.

* I am from Europe. I still feel that many of the subject covered by (ISC)2 and other organizations are focused on the US. My goal is to widen the efforts to a global approach that brings communities from different continents together instead of seperating them further. While there is a different in laws, culture, etc. across continents, I firmly belief that we have more in common and there needs to be a better collaboration in order to address the security challenges we have coming at us.

* With my work on PTES (http://www.pentest-standard.org), Infosec Mentors (http://site.infosecmentors.com) Brucon (http://www.brucon.org), Eurotrash Security Podcast (http://www.eurotrashsecurity.eu) and other global initiatives I want to encourage the members of (ISC)2 tobecome a part of the community that I consider so valuable.

About Me

This is not about me but apparently I need some kind of bio.
I am Wim Remes (CISSP ), working in IT for 14 years now and passionate about security for over 10 of those. I have not graduated from any posh university but who cares right?

I’m currently working for a Big4 company in Belgium as a Security Consultant. I will add extra information to my bid page as soon as possible.

In the mean time, please take the time to send me that e-mail and spread the link to this page as wide and as deep as possible. I need 500 signatures to my petition before September 19th. If you want passion on the (ISC)2 Board of Directors, you know what to do!

Source: http://blog.remes-it.be/petition.html

Warning: What follows is my uneducated rant on plagiarism and the effects I think it’s having on information exchange within the InfoSec community. I don’t claim to have all the answers, but I do have questions! Take it as you will…

pla·gia·rism

[pley-juh-riz-uhm, -jee-uh-riz-]

–noun

1. the unauthorized use or close imitation of the language and thoughts of another author

     and the representation of themas one’s own original work.

2. something used and represented in this manner.

source: dictionary.com

Maybe it’s just me, but over the last year or so I’ve seen more websites, blogs and news articles talking about plagiarism than ever before! We’ve seen everything from sites being scraped and content reproduced in it’s entirety, through to information sources plundered for content for low quality books… and copied word for word, without thought or care!

In an age were we’re already seeing a serious decline in active blogs in favour of short 140 character tweets, we can hardly afford to be killing off the enthusiasm of those bloggers we do have left! The InfoSec community has always been built on open information sharing. In this industry we live and die by the information we have to hand. Wether that’s something we research ourselves, or something shared in-kind. For every piece of research somebody shares, there were hundreds more they could rely upon being made freely available. This unspoken information sharing pact has made the InfoSec community what it is, and helped to make the most of the researchers time, skills and dedication.

(CC BY-NC 2.0) by jobadge

Not everybody can reverse engineer the latest Zeus Trojan, but you always knew somewhere, somebody would, because that’s what they did! However that information sharing is lessening as the people really doing the research have their hard-earned work stolen out from under them, and posted on one of a myriad of copy sites… without permission.

Those behind the plagiarism, at least those that have a shred of decency (few and far between), talk a lot about giving credit. What they don’t seem to understand is that regardless, taking someone’s hard work, without their permission, and using it for your own uses is plagiarism, full stop. The problem comes when trying to prove these issues in an Internet, and therefore global, context. As an English citizen, living in Austria, with hosting based in the US… who’s laws (if any) are broken when a third-party takes your content? I’m not a lawyer, so I have no idea. All I know is, I didn’t give you permission…

The Internet is a wonderful thing, filled with great information and sources… copying other people’s hard work, research and abusing their dedication to this community is beyond low.

Resources on plagiarism .:

• http://www.copyscape.com/
• http://www.plagiarism.org/
• http://www.plagiarismchecker.com/
• http://www.makeuseof.com/tag/4-easy-ways-avoid-plagiarism-blog/
• http://www.subhub.com/articles/fight-online-plagarism-copyright-theft-abuse

Note .:

Although I’ve occasionally been the target of plagiarism in the form of copied blog posts from these pages, I’m not writing this rant for that reason. There’s no point. I really see this issue as one of the biggest threats to the InfoSec community currently, and it needs to stop. The only problem is… those who are plagiarizing have no respect for the InfoSec community. They’re just out to make a buck, or ten, on the backs of the hard work done by others… History repeating itself in the digital age! Who’d have thought!

</rant>

Feel free to plagiarise this blog post.. it serves to prove the point!

Note 2 .:

After a spirited discussion on Twitter about this post, a friend of mine, @krypt3ia, was nice enough to propose a logo to show your disgust at the increase in Plagiarism… I think it’s a good starting point, so include it here for your use! spread the word!

Well the 23rd Annual FIRST conference has come and gone. Despite the lateness of this blog post (it’s been a tough month), it was a great conference, and as usual the attendees where what made it special. I’ve come to realise that the networking and contacts you gain from conferences like FIRST are more important than the presentations 90% of the time, and I really tried to use that opportunity this time around.

#FIRST2011 Blog posts .:

• #FIRST2011 – Remediating compromised environments
• #FIRST2011 – Security Challenges For Future Systems
• #FIRST2011 – Funny Pharma: Inside the Web’s leading Rogue Pharmacies

Alongside networking and seeing the odd presentation (see blog posts above) I also had the chance to work with a friend of mine and somebody I respect greatly in this industry, Martin McKeay from the netsec podcast. We actually met for the first time back at the FIRST conference in 2009 (Kyoto, Japan) and have been friends ever since. I started my journey into security listening to his podcast (amongst others) and have him to thank at least in part for my foray into podcasting in the last year. So, it was with great pleasure (and a little bit of panic) that I agreed to help out with this years FIRST podcast. I’ve learnt a lot along the way, and even started to do face-to-face audio interviews, thanks to Martin’s coaching. So I hope you’ve enjoyed them (or will enjoy them soon).

If you’ve not already heard the podcasts, please check them out and let us know what you think! Feedback is always welcomed.

#FIRST2011 Podcasts (to date) .:

• 2011.1: Steve Adegbite, Chair of FIRST.Org
• 2011.2: Kurt Sauer, Conference Liaison, FIRST.Org
• 2011.3: Mikko Hypponen, Chief Research Officer, F-Secure
• 2011.4: Iftach ‘Ian’ Amit, VP, Business Development at Security-Art
• 2011.5: Ken van Wyk, FIRST Vice Chair & President of KRvW
• 2011.6: Frank Breedijk & Ian Southam of Schuberg Philis
• 2011.7: Melissa Hathaway, President of Hathaway Global Strategies

The interviews are still being released (Weekly releases are planned for each Wednesday) and will continue over the coming months, so make sure to keep an eye on the FIRST podcast page to keep up to date

Hope to see you next year at FIRST in Malta!

Funny Pharma: Inside the Web’s leading Rogue Pharmacies

Brian Krebs

This talk will cover the world of rogue pharmacies through the lens of 2 of the biggest out there.

When we think of pharmacies we often think of Viagra. However there are many other types on offer, and only cover a small part of the problem.

Around 65% is some form of male enhancement drugs. The rest however, are for much more serious conditions (heart conditions, etc…).

When looking through the affiliate lists of these pharmacies, you find often that they got started in the adult entertainment industry. Because of this it’s often easy to go back in time and find out a lot of information about them. After all, they probably never thought they’d be a cyber-criminal one day. 

If Marijuana is a gateway drug, then maybe the adult industry is a gateway service!

Alongside the adult content and pharma services, many of these criminals are also deeply involved in credit card fraud and in particular Rogue AV. Because of the limited resources for processing these credit cards within the underground, you often find them linked back through Chronopay (started by Pavel Vrublevsky and Igor Gusev, who himself got his start in the Adult industry).

After Igor Gusev and Pavel Vrublevsky parted ways, Igor moved into the Pharmacy industry (Glavmed). Not to be outdone, Pavel followed suit and began a competing service. It was about this time that Glavmed was shutdown by the authorities, opening up the change for Pavel to move in and become the biggest processor for this industry.

[If you want to read more about the tangled web between Pavel Vrublevsky and Igor Gusev, there are several stories on the Krebs On Security blog that cover things in detail]

At the peak of the program they were brining in $6 million a week.

Despite Chronpay moving their internal communications to a program called Megaplan and using pseudonyms… they were still hacked again and their information exposed. Due to many of the Chronopay users forwarding their pseudonyms to their real Chronopay email addresses, they could all be linked very easily.

Organization chart from ChronoPay’s MegaPlan Intranet system –> http://krebsonsecurity.com/wp-content/uploads/2011/05/CurlyRx.jpg

The Buyers

40 years worth of buyer data to mine.

After spending 100s of hours tracking and talking to buyers. Despite the rumours, many of them were happy with what they got. It looked the same, worked the same and was a quarter of the price.

In the US, people tend to pay much more for drugs. Which is one of the drivers for this entire industry. People are just trying to survive.

Geographical Differences

In the US 65% of buyers were buying male enhancement drugs

In Europe 98% of buyers were buying male enhancement or recreational drugs. Price differences for normal drugs wasn’t that much, reducing the demand.

On the record

The DEA hasn’t found a large number of foreign sites selling controlled substances, but those that do offer them, often are scams, Boggs said. “Most are scams, or you get something different than what you order,” he said. “They offer to sell you this or that, and you might get Viagra, or you might not get anything.

This comment goes against the evidence that Brian has found. Most appeared happy, and despite worries, credit card information appears to have been hidden from affiliates and very few buyers comment on CC theft.

The Problem

The credit card processing firms are the same that are dealing with fake AV… So maybe if the payment processing dried up, the industry would as well! The banks and firms that deal with Pharma CC processing however, aren’t the kind of people to get pushed around. Take AG Bank for example… just take a look at their advert!

60% of sales can be traced back to 5 issuing banks in the US. If they would set a policy not to process payments for these known pharma companies, then it would make a huge impact on the industry.

In an interview with Igor Gusev regarding pharma, he commented the following regarding the problem .:

They need to put pressure on the card processors, which are monsters which only regulate on very negative public pressure. I think it would be a very powerful strike, and online pharma would be dead within two years if they could switch off the merchants who is somehow connected to online pharma.

Note: I’m sure this is all much more elegantly written over on Brian’s blog (linked below). These are purely notes from the live presentation. I would suggest following the Krebs on security blog, if you’re not already!

Note [16/06/2011]: I have removed some of the post due to the confusing way in which it’s written. Following the complex story live and writing in real-time was a little hit and miss. So I would suggest following the story straight on the Krebs On Security blog where it was originally documented.

Links:

• Krebs on Security –> http://krebsonsecurity.com/
• Bank advert shown in presentation –> http://www.youtube.com/watch?v=htu7P9RNHio
• Chronopay Stories –> http://krebsonsecurity.com/?s=chronopay&x=0&y=0
• LegitScript Study: DEA Not Adequately Enforcing Online Pharmacy Law –> HERE
• FIRST Conference –> http://conference.first.org/

Security Challenges For Future Systems

Steve Purser (ENISA)

Although a lot of things are obvious, it doesn’t mean that we’re doing them. How many people have seen a perfectly implemented intrusion detection system that rings bells all day with nobody monitoring it!

• Effectiveness –> Doing the right thing
• Efficiency –> Doing the thing right

These might be close to each other, but doing the wrong thing right, still doesn’t make it right! We need more effectiveness…

Who is ENISA?

The European Network & Information Security Agency (ENISA) formed in 2004

The agency supports the commission and the EU member states in the area of information security

Facilitate the exchange of information between EU institutions, the public sector and the private sector

The Trends

You have to be very careful trying to calculate future trends from historical data… especially if the data isn’t suitable. In Infosec, the data we have isn’t good enough.

Computer architectures have changed enormously in the last 20 years. From mainframe environments through to COBRA and WebServices.

These architectures are secured according to different principles

The weak point often lies in the connection between these technologies

• De-Centralisation
• Globalisation
• Most IT architectures are embedded in a global environment, even if they were never designed that way
• Users regularly switch context from intranet to Internet sessions
• Authentication != Trust
• Empowerment of the end user
• More choice to the user… more freedom, at a price
• Move towards browser based applications
• End Users are not ready to rise to the challenge
• Need for Speed
• First on the market wins… security is a second thought
• Users are beta testers
• Products released unfinished

Scope and Requirements

An operational system is not just technology

System = Software + People + Procedures

Secure software will not always function correctly if we make unrealistic assumptions about how people behave.

The key challenge to developing secure systems is understanding and responding to the limitations of the target environment(s)

Understanding the Threats/Risks

Risk = Threat + Probability + Impact

This process isn’t a one-off… it needs to be a cyclical model, with constant review.

Functional Requirements

We can distinguish between functional and non-functional security requirements

Traditional security functional requirements are reasonably well understood

• Confidentiality
• Data and session integrity
• Availability
• Accountability

Non-functional Requirements

Software Layers

Evolving security models

Example:

New security models

Some design considerations

Methodologies

Remediating compromised environments: Case Studies from large and small enterprises

Wendi Rafferty (Mandiant, US)

Commercial sector breakdown (2010 Mandiant data)

Breakdown of IR investigations preformed in 2010 by Mandiant

1. Cryptograph and Communication – 20%
2. Space and satellites and Imagery – 19%
3. Energy – 18%
4. Media / Public Relations – 10%
5. Technology – 10%
6. Legal – 9%
7. Chemical – 5%
8. Hospitality – 2%
9. Mining – 2%
10. Automotive – 2%

What is remediation?

Understanding your network

Centralizing Logs

A Tale of two investigations

Victim X

Classic approach

Victim Y

It’s not often I get to visit a conference close to home, but as luck would have it, this years annual FIRST conference is taking place in my own back yard. Prior to the conference start, I teamed up with Martin McKeay from the NetSec Podcast to record a few interesting interviews for FIRST. As the conference kicks off today, I’ll be doing a few sit-down interviews with speakers and organizers that should be released over the coming weeks.

If you get a chance to listen to the podcasts and have feedback, please feel free to get in touch through chris [AT] eurotrashsecurity [DOT] eu. Always striving to do better

Links:

• Podcasts –> http://conference.first.org/podcasts.aspx

With that in mind I’ve collected up the links I’ve used over the past few months into a single post for those that are interested in setting up an SAP test lab and playing about with it.

These trial versions are slightly limited as they don’t offer the ability to update them to the latest build (which is an issue when it comes to security research). They also rely on MaxDB (formerly SAP DB) by default (although I believe one uses IBM DB/2 just for fun). They might be able to be configured to use external databases (Oracle etc…) but with this you’re on your own! I’m as far from a SAP expert as you could probably find.

I’ve tried to break things down by platform as one of my aims was to get and install a few different versions for tool testing. These trials are memory hungry, CPU hungry at times, and need a lot of disk space (>42GB for a single VM).

Note: SAP isn’t for the faint of heart, and getting things running 100% is never going to be easy! Don’t say I didn’t warn you

You’ll need to sign-up for a free SAP Community Network (SCN) user account to download most of these files. This will also give you access to the forums.

Linux

SAP NetWeaver 7.0 – Trial Version on Linux –> DOWNLOAD

(N4S) SAP NETWEAVER 7.0 – SAP WEB APPLICATION SERVER ON LINUX (DVD) –> REQUEST DVD

Windows

SAP NetWeaver AS ABAP 7.02 SP6 32-bit Trial –> DOWNLOAD

Step by Step Installation of SAP NetWeaver 7.01 SR1 SP3 ABAP Trial Version in Oracle VirtualBox Part 1/3 –> GUIDE

SAP NETWEAVER 2004S ABAP TRIAL VERSION – TROUBLESHOOTING GUIDE  –> GUIDE

Notes: A few points you might want to check before beginning with the install.

• RAM
  • I got away with running this on 1.5GB of RAM, but it really needs >2GB to run smoothly
• SWAP
  • Don’t even bother starting your install without >4GB of swapfile initialized. The installer will only complain about the lack of swap after you’ve configured the whole install… you’ve been warned!
• Disk Space
  • Lots…. I made a VM with a 50GB second disk purely for the MaxDB
• JRE
  • It might look like things are all working fine with 1.6.x but I only had issues with the system afterwards or during install (crashed my vmware fusion). Stick to JRE 1.4.x  latest (worked fine for me).

VMWARE (LINUX SLES)

(CTB) SAP NetWeaver 7.0 – Java Trial Version on Linux – VMware Edition –> DOWNLOAD

Novell Link to CTB SLES images –> DOWNLOAD

GETTING STARTED SAP NETWEAVER 7.0-JAVA-VMWARE-TRIAL –> GUIDE

SAP ON LINUX: TEST DRIVES – TIPS AND TRICKS –> GUIDE

Notes: This VM is meant to be a sealed unit where you access it from a second system for management etc. I had issues getting the Visual Administrator to connect, and also getting the config tool running on the local system.

Some guides reference the n4sadm user (these guides are written for the pure Linux version of SAP and not the VM version). You might find you have more luck using the ctbadm when the guide says n4sadm.

Oh and the root password is “sap123″

Licensing

This page seems to be the main hub for what SAP now call “minisap” (originally TRIAL version).

You’ll need to run some commands on the SAP install and extract the resulting codes to request a key through this link.

http://www.sap.com/minisap/

LINKS:

• http://forums.sdn.sap.com
• irc.freenode.net #SAP