The Songs of InfoSec

Adversity can inspire creativity. It can also inspire insanity. Somewhere in between, we sing of the world electric. Data flows, laws are created and bypassed, privacy is threatened, Bad Guys drink their Red Bull, and the lowly information security professionals of the world stand a vigilant watch. Infosec workers huddle together against the storm, the small campfire of hope burning by our feet. On the coldest nights, stories are told, songs are sung, and coffee is consumed.

Saturday, March 16, 2024

Exfiltration

Recently, I had a discussion about ways to exfiltrate information through packet headers. That chat led to a more lyrical idea...

Exfiltration

Folks today try to get in,

But I wanna get it out.

All those data you be hidin'

Just makes me wanna shout.

I'll sneak it out in li'l ways.

I'll walk right out the door.

I'll drip drip over ten whole days,

Then come back for some more.

I'll stick it in a header

Or post it on Pastbin.

I'll shove it up in GitHub

And revel in my sin.

So go ahead and try your best.

Lock it up so tight.

No matter how hard you may try,

I'll make sure it sees the light.

Tuesday, May 8, 2018

IRAP Rap

If you want to do business with the Australian government, you'll need to learn about IRAP (the Australian Signals Directorate's InfoSec Registered Assessors Program). IRAP is a compliance regime that is designed to help secure "protected" data.

Like other compliance regimes, it's a non-trivial task to work through.

IRAP Rap

Have you been, have you been to the Land Down Under,
Risk-based rules that'll make you chunder?
Yeah, oh, yeah, I can hear the thunder
Of brains going "POP!" from walkin' to this blunder.

You ask me what I'm doing, why I'm layin' down this rap.
I'm workin' though requirements and all that kind of crap.
You think that this is easy? No, it ain't, man, it's a trap.
I'm throwin' up my arms trying to get us through IRAP.
IRAP
IRAP

Why you gotta ask me 'bout the color of my plugs?
What are you tryna do, decorate for Aussie thugs?
I get you should be worried how I diagnose my bugs,
But are you gonna ask me how I wash my coffee mugs?

You ask me what I'm doing, why I'm layin' down this rap.
I'm workin' though requirements and all that kind of crap.
You think that this is easy? No, it ain't, man, it's a trap.
I'm throwin' up my arms trying to get us through IRAP.
IRAP
IRAP

I see you wanna know we're assessin' all our risk.
Four hundred some-odd rules, dude, you know it makes me pissed.
You have to understand that I'm feelin' kinda dissed.
When this goes away? Lemme tell you, won't be missed!

You ask me what I'm doing, why I'm layin' down this rap.
I'm workin' though requirements and all that kind of crap.
You think that this is easy? No, it ain't, man, it's a trap.
I'm throwin' up my arms trying to get us through IRAP.
IRAP
IRAP

Monday, April 23, 2018

Frosty Assessor

Working with a good QSA can be a useful way to validate one's PCI controls and assumptions. They aren't just a speed bump toward getting your ROC. As with all things, though, there are good assessors, and there are bad assessors.

Frosty Assessor

Frosty Assessor
Was a nosy, noisome soul.
With his DSS and his calipers
And a soul as dark as coal.

Audit the people
To ensure that they comply.
If they don't, he'll know
And your biz won't go.
You'll be left outside to cry.

There must have been some documents
That covered all the things.
'Cause when he looked at evidence,
He began to dance and sing.

Frosty Assessor
Gave a passing grade that day.
Now for PCI,
And we just won't lie,
We're compliant, yeah, oh, yay!

Bumpity-bump-bump!
Bumpity-bump-bump!
Watch the spreadsheets go.
Bumpity-bump-bump!
Bumpity-bump-bump!
Through every rule he'll mow!

Thursday, April 19, 2018

I Have a ROC

I Have a ROC
(based on the Simon and Garfunkle tune)

A springtime day,
Every year so we'll remember.

I am alone.

Gazing at my Dashboard,
At responses so,
I can make sure the evidence will go.

I have a ROC!
I have compli-i-i-iance!

I have docs,
They make a stack tall and mighty!
That none may penetrate.
I have to do an audit.
An audit causes pain.
It's question after question! So insane!

I have a ROC!
I have compli-i-i-iance!

Don't talk too much.
Assessors heard it all before.
We're facing down a QSA,
And I let a quick comment
Make them ask me more.
Our processes should be enough and more.

I have a ROC!
I have compli-i-i-iance.

I have my NOC!
And my user training to protect me.
I am shielded by firewalls.
I have my AV,
Safety's watching me.
Nothing's gonna get me hacked, you'll see.

I have a ROC!
I have compli-i-iance.

And a ROC is endgame.
But at the end, I always cry.

Tuesday, April 17, 2018

A POAM Poem

FISMA is abysmal
It makes us jump through hoops.
We need a plan of action
And milestones to boot!

The OMB are meanies
And gatekeepers most dour.
The JAB keep watch unsmiling
With attitudes most sour.

We do our song and dance
For 3PAOs every year.
But they are not impress'ed
With what we're doing here.

And so we have a freak-out
A fire drill, a scramble.
We have to write a POAM
That we hope is not a gamble.

Friday, December 1, 2017

Some Subhaikuing

You've heard of subtweeting? Here is some subhaikuing.

Meanwhile, in the High Sierra

The tallest oak tree
Falls without the strongest root.
For mountains, also.

When ripe Apples fall,
We can see what's in their cores
By hitting Enter.

Even straightened roots
Can cause the mighty to trip.
Admins, tread with care.

Friday, November 3, 2017

Black Hat and DEF CON (a little late)

I had written a few thoughts on Black Hat and DEF CON that I never shared here. They are two very different experiences, and the intersection of tech, culture, and commerce left a distinct impression on me. Here are three of those impressions.

I Wish I'd Done More EE

I wish I'd done more Double-E
Those folks have all the fun.
They solder random shit and then
They code it 'til it runs.
They get to play with flashy lights,
They get to plug in wires.
They mess with crazy 'sciloscopes,
They get to tweak with pliers.
They rip apart all sorts of goods
To find out how they work,
Then they post their hacks online:
Part hero and part jerk!
Oh, why did I waste all that time
With English and not math?
History just can't teach you how
To build the future path.

I Don't Wanna Go To DEF CON

(with thanks to Elvis Costello)

I don't wanna go to DEF CON
They're all crazy there.
They pick the locks and hack the toys and
Color all their hair.
They brag about the 'splits and O-days.
They drink and get tattoos.
They want to free the information
And smash apart taboos.

Don't even think about turning on your wifi.
If you do you can kiss your phone goodbye.
Social engineers who try to con.
I don't wanna go to DEF CON.

They wear black shirts with skulls and crossbones.
They listen to the goons in red.
You ask a name, can't trust the answer.
Who would name their kid "TehG0dHed"?

Mobs of stinky nerds sitting side by side all
Listening to talks 'about shit that got fried.
Just like X-Files, you can't trust no one.
I don't wanna go to DEF CON.

Monday, May 22, 2017

One Conference - NLCyber Haiku

I attended the One Conference in The Hague recently, and seeing my European peers talking cybersecurity and Vermer's art inspired me.

The Girl With the Perl Earring

What does she look at,
The Girl with the Perl Earring?
Your code needs review.

Beneath her turban,
Her mind races through the vulns.
She sees the exploits.

Just out of the frame,
Her lithe fingers are dancing.
She's pwning your site.

Thursday, April 27, 2017

SOURCE Boston - Stop Asking?

I've had a great time attending this year's SOURCE Boston conference. Today's panel discussion on ransomware inspired this sad song.

Stop Asking?

Files arrive with a smile,
a wink,
and a nod.
Or they trickle down,
the drips from a leaky ceiling,
bad news arriving, staining,
and costing.

You need to click.
They demand your attention.
(So shiny!)
They promise you others' secrets.
(While demanding all yours.)
They warn you of impending doom.
(Not far from the truth.)

You have to click.
and the smiles drop,
the ceiling crashes down,
and you are left to wade
through unfriendly faces
offering you a life jacket
for a price.

"But what if
those smiles had been genuine
and there really was
a hole that needed patching?"
(How could you know?)

The next file arrives
and while holding a mop,
you ask again.

Tuesday, June 14, 2016

FIRST 2016 - Innovation

Today's keynote at the FIRST conference discussed the importance of innovation in security products and services. Not everyone is a fan of such things.

_______

Innovation, you say?
It's easy to say.
Harder to do when you're spending your day
Fighting the fires and calling out liars
And answering calls from your C-level criers.
We barely have time to kick all the tires
On products we buy
Whenever we try
To solve all our problems
When the budget is high.
(Sometime we barely can even ask why.)
Often we're choosin'
Tools that are proven
By peers who have shown
That they're really worth usin'
And are ones that risk management ain't refusing.
We'd like something new,
Innovation that's true,
But it's rare that it's something we'd purposely do.
Radical changes we often eschew.
Innovation is something, I guess, that we fear.
It's something, I'd say, you'll never find here.