Tuesday, December 11, 2012

The Twelve Days of Infosec

As was pointed out to me, these numbers do not represent real-life events. No one should assume these are accurate metrics over a twelve-day period for the average information security office. Now, if you add a few orders of magnitude...

The Twelve Days of Infosec

On the Twelfth Day of Infosec, the network gave to me...
Twelve hackers hacking,
Eleven spammers spamming,
Ten form injections,
Nine busted authNs,
Eight bad configures,
Seven crap encryptions,
Six plaintext cookies,
Five Pastebin posts!
Four calling cons,
Three Wikileaks,
Two credit cards,
And a forced password change for us all.

Happy Holidays from the Songs of Infosec!

Tuesday, November 6, 2012

One (More Hacked User)

As a kid, I loved the dark, scary feel of Metallica's video for their excellent song, "One".


Some days, in the world of Infosec, things seem that scary.

One (More Hacked User)

I can't remember my accounts.
They seem to come in large amounts.
Deep down inside, terror mounts.
My Facebook account's gone now.

With all of the hackers through with me,
I'm freaking out, this cannot be!
Just ain't nothin' left, you see.
My data is all but gone now.

Hold me up as I try backups.
Oh, please help, IT!

Banking accounts are there to steal.
They grab all the stuff then make a deal.
Trade your ID for a cheap meal,
And the bank can't figure why.

Spam is flowing from my email:
Tourists in London needing bail,
Stock market hints, amazing kale.
All with a link to malware.

Hold me up as I try backups.
Oh, please help, IT!

Now my phone has gone dead, I mourn.
Oh, please help me!
Hold me up as I try backups.
Oh, please help, IT!

What I can be!
Absolute horror!
I cannot surf,
I cannot stream,
Trapped without hope,
Living with life off-line!

Has taken my Mac!
Taken my phone!
Taken my Windows!
Taken my PIN!
Taken my cash!
Taken my soul!
Left me with ID fraauuuudd!

Thursday, October 25, 2012

M3AAWG - 7726

Did you know you can report mobile text message (SMS) spam to your cell phone provider?

You can!

Forward the offending message to 7726 from your phone.


Your mobile phone chimes.
Quick wind knocks screaming branches.
A new text arrives.

Interest falters,
Sun slips behind horizon.
It's a spam message!

Feel empowerment:
Use 7726!
Spite the spamming night.

Wednesday, October 24, 2012


The Internet is taking its time moving to IPv6 networking. The lack of speed is understandable, considering the plethora of issues that come along with a giant network migration.

I've heard all these stories 'bout IPv6.
From what I can tell, we're in a great fix.
Imagine some puzzles, a maze in the mix.
That starts to describe the IPv6.

It gives more addresses than stars in the sky.
It counts them with hexes; makes net tools all die.
If you want to keep going, you'd better be spry.
Don't let this big change-up cause you to cry.

Get used to notation like /44.
You're tracking addresses? Your caches will soar.
Despite all the admins that think it's a bore,
You've got to adopt it, of that you be sure.

Lest one day you'll find someone can't reach your site.
You'll do troubleshooting late into the night,
And you'll find a solution: v6 is it, right?
Your powers that be will have a great fright!


I'm attending the M3AAWG General Meeting this week. I've gotten to meet all sorts of interesting people from across the Internet, all with the common goal to make the Internet a safer place for everyone.

One group of people I newly met are employees of ESPs, Email Service Providers. I kinda knew these sorts of businesses existed, but this is the first time I'm hearing the term, since Higher Ed has traditionally used their own email services. (This is shifting quickly, though, with the promise of The Cloud(tm).)

It turns out, ESPs have the same problems as Higher Ed email and abuse admins.


I have
Something to say and
Something to send you.
I really do.

I am
One of your partners.
I want to do business,
But there's a big mess.

You have
Blocked all my email,
Hung up on my phone calls:
Discussion all stalls.

And you
Send something through us.
Attachments seem fishy.
Oh, you just spammed me?

And no,
It wasn't just to us.
You spammed half of Europe.
In spam traps we're chomped up.

Oh, no!
You included virii,
And ain't that a real shame
We're taking all the blame.

It seems
That email is chaos,
Our goose has been boiled,
Our business is foiled!

Tuesday, September 11, 2012

Guest Post - A Few of My Favorite Things

[I am hardly the only voice singing into the maelstrom. Today, I hand the mic over to a fellow infosec pro and all-around witmaster, Brad Judy. -Dan]

A Few of My Favorite Things

Like Dan, I'm an information security pro in higher education. I am currently the Director of Information Security for the Administrative Division of the University of Colorado (for professional info, see http://www.linkedin.com/pub/brad-judy/1/470/7b3). I'm a husband, father, traveler, photographer, wood turner and general geek. I like to sing to my one-year-old daughter on our walks and have recently been singing her items from The Sound of Music. With thanks to Dan for help on the meter, and apologies to Rodgers, Hammerstein and Julie Andrews, I give you the infosec version of "My Favorite Things".

Full disk encryption and good virus scanners,
IDS updates and disaster planners,
Coding securely: the joy that it brings!
These are a few of my favorite things.

DLP networks and good central logging,
Firewall blocking and infosec blogging,
Checking the uptime with regular pings:
These are a few of my favorite things.

Two factor tokens and HIPAA compliance,
Incident handling and forensic science,
Regex that matches to sensitive strings:
These are a few of my favorite things!

When the bots come!
When the disk's lost!
When the feds have phoned!
I simply remember my favorite things,
And then I don't feel so owned!

Thursday, July 26, 2012

Sixteen Hosts

Sixteen Hosts
Sung to the tune of Sixteen Tons by Tennessee Ernie Ford

Some people say my job is all about FUD.
They think I like to spend my days deep in the mud.
Deep in the mud where the data thrive.
None of your apps will make it out there alive.

You block 16 hosts, and what do you get?
Another day older and goals left unmet.
Don't you call me for a meeting 'cause I can't go!
I'm busy analyzing our Anonymous foe.

The Internet was born in a simpler time.
People didn't think how to use it for crime.
But now every day you're on a hacker's mind.
He'll steal all the data that that baddie can find.

You block 16 hosts, and what do you get?
Another day older and goals left unmet.
Don't you call me for a meeting 'cause I can't go!
I'm busy analyzing our Anonymous foe.

We try to lock it down, and we try to secure.
But some of our diseases just don't have a cure.
New viruses come and find their way home.
Stealin' all the passwords as the users go roam.

You block 16 hosts, and what do you get?
Another day older and goals left unmet.
Don't you call me for a meeting 'cause I can't go!
I'm busy analyzing our Anonymous foe.

"You canna change the laws of physics," said Scott.
And I can't do my job with the budget I got.
You expect me to find all the hackers inside.
But the wave of dangers makes me want to hide.

You block 16 hosts, and what do you get?
Another day older and goals left unmet.
Don't you call me for a meeting 'cause I can't go!
I'm busy analyzing our Anonymous foe.

If you see me walking down the hallway to you,
Don't tell me you have got something better to do.
Security is not just only my job.
Your lack of clue makes me want to sob.

You block 16 hosts, and what do you get?
Another day older and goals left unmet.
Don't you call me for a meeting 'cause I can't go!
I'm busy analyzing our Anonymous foe.

Tuesday, June 26, 2012

Data Loss Greeting Cards

There are many state laws on the books that require anyone collecting certain personally identifiable information (PII) to notify the affected parties (and the state) if that data is compromised and shared inappropriately. Why should that process be boring? I see an opportunity for a new style of greeting cards!

Data Loss Greeting Cards

"Congratulations on Your Identity Theft!"

"Hackers thought you were so cool,
They want to make some copies.
We're sorry we made it all so easy
By losing all those floppies."


"We're Sorry About The Breach!"

"You shared with us your secrets, which we vowed to safely keep
But like a careless swimmer, we dove in way too deep.
Alas, our budget for security was met with strong rejection.
Instead, for you, we'll spend that cash on identity theft protection!"


"Did you know your computer could get a virus just from clicking a link, opening it up to hackers and other criminals who can then steal any of the data on the system as well as any passwords you type into it, especially passwords that might access large stores of personal data about our customers?"

"Hey, we didn't either! :)
Happy Data Loss!"

Thursday, May 17, 2012

SPC 2012 - A Limerick

Things were getting too serious...

There once was a smart Russian hacker.
His code obfuscation a bushwhacker.
He pooched your website
Last Saturday night,
Making Monday morning even blacker.

SPC 2012 - What You Can't Outsource

During the conference happy hour on Wednesday, someone asked the crowd what couldn't be outsourced in IT. (This was part of an ice breaker where they gave an open mic to anyone who wanted to talk about anything, like Speakers' Corner in Hyde Park in London.)

Coincidentally, upon seeing an opportunity to be a ham, I wrote the following.  It happened to also answer the question of what things in an IT program can't be outsourced.

What You Can't Outsource

Our school buses
    look like city buses.

Children ride those buses
    from dorms
    from slums.

They ride
    one hand on the strap
    or on the bar.

Their minds
    on the books
    in the bag
    attached to the strap
    on their back.

Their minds
    on the face
    of the person
    they met last night
    in the bar.

Their other hand
    holding their phone
    sending a text
    updating their timeline
    checking their grades.

Their grades
    the key
    their future
    hanging in the balance.

The bus opens to
    the library
    the stacks
    the computers.

They research
    they study
    they dream
    they snooze
    they wake with a start.

Their phone reminds them:
    Time for class.
    Time for office hours.
    Time for lunch.

They smile,
    that we are there
    we run
    the network,
    the Blackboard,
    the kiosks,
    the instruments

Instruments that sing
    with music and data
    flowing and caressing them
    with an endless tune.

We keep their classrooms

We keep their Internet

They may never know
    to thank us
    to ask us
    to help them again

But we watch
    we fix
    we plan
    we dream too.

Our dreams are their dreams.

They just don't know it.

And we
    should never forget it.

SPC 2012 - Another Inside Joke

Dedicated to Tony.


Flour is foundation:
A cloud made in a mill.
Sugar adds the sweetness.
A bit, if you will.
Add a tad of leavening
And a touch of salt.
Put the dry aside now,
But it isn't time to halt!

Break a large egg or two
  In another bowl.
Add your butter or some oil.
  Beat it as a whole.
A touch of fine vanilla,
Pour in a lot of milk.
Then mix it all together.
(Should be lumpy, not like silk.)

Make the griddle hot
So drops of water spit.
Then ladle on the batter.
  Make sure each one will fit.

Bubbles start to form:
  The quick bread taking shape.
When the bubbles stop their popping,
  Flip them gently, you big ape!

Another thirty seconds,
  Then move them to the plate.
Pour on some maple syrup.
Rejoice, there's no more wait!

Tuck in to the tall stack,
Golden-brown and round.
All your work was worth it.
It's the best meal around!

SPC 2012 - No Fear

What information security professionals do and why they do it is not well understood by those outside our field.  This leads to fear and confusion whenever we enter the conversation.  But we are here to help, and our users should know that.

No Fear

I see you.
  Well, I see your packets.
Don't look offended.
It's my job.
Serve and protect
the servers.
Allow and refuse
  the users
Who knock on the doors,
  Salesmen selling brushes
  to a house of bald old men.
But we let them in
Academic freedom!
Science can't say no.

Science says yes to me.

Science watches
where you go
what you type
what you see.

Are you ashamed?
Does the idea of
Science seeing
  your post
  your porn
  your friends
  your enemies
Embarrass you?
Don't fret.

I keep your Internet flowing.
I don't see your browser's view
But I keep the view from pulling you
  the vertigo
  your computer
  betrays you
  exposes you
  takes your life
  lays it out bare

For the monsters
  who look to take
  what you are
  And propel it
  out of control
  across the world.

You worry that I might
  see you say "cantaloupe"
When a horde is pounding at your door
Paparazzi seeking a view
  of your secret places
  and secret faces.

I am not your enemy.
I do not represent
  The Man.

The Man fears me too.

I seek to find the truth.
I seek to hide the truths
From those who you want blind.

Help me help you.
Learn to trust,
  Let me earn that trust.

I can view
  without judgement.

I can shield
  without blocking.

I can secure
without bindings.

You can live
without fear.

For Beth and Holly, who thankfully didn't laugh at the haiku, even though it wasn't that good.

Wednesday, May 16, 2012

SPC 2012 - An Inside Joke

Only a few people will understand this one...

Tehweshat, Tehweshat!
On many heads it has sat!
It travels around when it's bored.

On top Wes, you might guess,
But it finds its way to mess.
It's floated and wiggled and soared.

This chapeau wants to go,
Has wild oats it must sow.
But Wes just won't let it be free.

Tehweshat, like a cat,
Is as fickle as all that.
Its wanderlust leads it to flee.

SPC 2012 - Admin Rights

Managing desktop systems for a campus is far from easy. The technical hurdles are part of the problem. Managing the social aspects, working with the users to set reasonable expectations for what security controls are necessary, and managing the risks that remain are all tricky processes as well. Playing the blame game is a bad move, of course, but thoughts like these are not uncommon...

Admin Rights

I Am God.
They are my tools.
I know how to run
My web browser with Flash
So I can watch the movies
I want to download with torrents.

What's wrong?
Don't tell me
I can't use that.
It's my computer.
I know how to run it.
Don't even try to stop me.
I have Administrator rights.

And control.
I can install
Whatever I want.
I bought this computer.
Go ahead, make policies.
I ignore the inconvenient.

Look here.
Free AV!
Just click the link.
I want that, need that.
So I click that link there.
Whatever I want is mine.
I laugh when you tell me not to.

Oh, no.
My hard drive.
My data is gone.
It's all corrupted.
Encrypted by bad guys.
Sending spam to all my friends.
They corrupted my Facebook page!

Please help.
You should help me.
You should protect me.
Remove the viruses.
And you should do it for free.
Because it just isn't my fault.

Your fault.
You failed me.
You let it happen.
Why didn't you stop it?
You let me get tricked and fooled.
Why are you smiling like that?

SPC 2012 - I Phish You're Phished

Another from SPC 2012...

I Phish You're Phished

I phished.
You're phished!
More accounts than
I ever wished.

You try
And cry
"Go pick on
Some other guy!"

But I send.
It won't end.
Your users to me
will bend.

I send spam:
"Hot babe cam"
Or "take this cash
from OXFAM".

Through email
I assail.
Your awareness work
Seems to fail.

I make scratch
With each batch
Of NetIDs
That I snatch.

I won't stop!
I'm on top!
Go cry to mom
or a cop.

You can't win.
Worked too thin.
Try to block them
In your Junk bin.

I'll find a way.
Here to stay.
I'll make users
Just obey.

SPC 2012 - Fawkes

A year ago, I started this blog to document the songs we sing. The blog was inspired by the EDUCAUSE Security Professionals Conference, and once again, I find myself attending this fantastic gathering. I'll be generating some new poems and songs as the conference goes on. I start with a song about Anonymous, APT, and the eternal threats we face.

Hey there, folks.
Have you met Fawkes?
He smiles at everyone he meets.

He loves what you do.
Loves to share too.
He's accomplished extraordinary feats.

He travels around
With the face of a clown,
And he finds his way into your data.

He inspires his friends.
DoS packets he sends.
Knows the default password on your SCADA.

Some think he's noble
Making all info mobile.
The whitehats would all like him dead.

But how can you kill
A man with such skill:
A hydra with millions of heads?

There is APT
You don't always see.
Sometimes it comes with a mask.

Sometimes it's there
Like gum in your hair.
No good way to get it out fast.

We hope that vigilance
Will increase our resilience
But the battle will never be won.

For us it's hard work
With no single perq
For the bad guys, it's totally fun.

Friday, April 27, 2012


The battle to protect sensitive data, especially Personally Identifiable Information (PII), is the driver for many security programs around the world.

It's a battle that is too easy to lose.


We're hiding, come find us.
Just waiting to cause fuss.
S-S-Ns and birth dates,
Card numbers and staff fates.
We're sitting in email.
"Sent cleartext!" you will wail.
Computers in shadows
Like minefields in shallows.
The federal and state govs
Will take off the kid gloves
When you share that you've lost us;
Into trash bins you've tossed us.

The backups went missing.
The users, caught phishing.

All your data ain't secret:
On Pastebin and Reddit.
All your data wants freedom.
Go join them! Can't beat them!

Thursday, March 22, 2012

Business Case Sonnet

Next time you need to produce a business case to buy a new product, give this a try:

Business Case

You ask me why we should spend this money,
Expecting loads of useful rationale.
As if I would ask for something silly?
Blow money on a drunken bacchanal?

This product will soothe fifty-one pain points.
Without it, we lose money ev'ry day.
Right now we're running with glass in our joints.
The inefficiencies cause me dismay.

Let us spend money, a little will do.
This investment will yield profits tenfold.
I know a vendor who'll discount it too!
Please, my dear purchase manager, be bold!

Just sign my request. Let's buy this new toy!
You'll give all your techies a load of joy.

Thursday, February 9, 2012

News Haiku

Taken from some news stories and recent postings, I offer another round of haiku.

A germ can blossom
In mother and new-born child.
Size does not matter.

OUCH! Monthly Security Awareness Newsletter - Securing Your Mobile Device Apps [PDF]

Even in the storm,
Roaring wind and pelting rain,
Calm voices call you.

Security Now Episode 339

Winds blow, water flows.
When you think you control tides
Someone else might too.

ICS-ALERT-12-039-01 - Advantech BroadWin RPC Server Vulnerability [PDF]

Wolves hunting in packs.
The scattered flock can't escape
The jaws of malware.

Citadel - An Open-Source Malware Project

Electronics Manufacturing Giant Foxconn Is Hacked

The prey will not care
The color of the snake's scales.
Black or grey still kills.

Microsoft Security Bulletin Advance Notification for February 2012

Cycles surrounding.
The moon. The sun. The seasons.
Monthly patch day comes.