Friday, October 17, 2014


POODLE.  The word invokes fear and loathing across the world.  Without the clarification between "standard" and "miniature", the mind defaults to the diminutive version: yappy, insanely groomed, full of hate, and probably growling from a debutant's purse.  If the POODLE vulnerability were "standard", you would know it is to be respected and admired: a hunter, a protector, a guide with curly hair.

This POODLE is on the yappy end, but it is anything but miniature.


From the middle, I can see
The passwords that might fly by me.
Though you think encryption's hot
I still can take all the things you've got.

Trim me down howe're you like.
I'll watch for cookies, then I'll strike.
My nose will sniff the traffic there
While you're distracted by my hair.

A POODLE knows just how to dig
To compromise your server rig.
SSL ain't all the rage;
It certainly has shown its age.

So lest you mandate TLS,
I'll keep on walking without rest.
No leash, no collar keeps me down.
No hope I'll end up in a pound.

Tuesday, August 5, 2014

You Come From Ports Ephemeral

Team Cymru is a great source of information regarding Internet security.  One example they offer is a find summary of ephemeral source port selection strategies for modern OSes.  It's handy if you are crafting some IDS rules or want to understand what you're seeing in your sniffer.

And it feeds the muse in weird and wonderful ways.

You Come From Ports Ephemeral

In darkest aether, packets flow.
It's to IP address they go.
But when they reach their final place,
So many choices, they must face.

Deep within the packet's heart
It lists its goal, it lists its start.
It knows which port to which to bind,
And just what port it left behind.

You come from ports ephemeral,
And most ignore this numeral,
But hackers know your history,
And solve the OS mystery.

Foolishly ignore the past,
You'll find you're losing info fast.
So much can be learned from all these
Port selection strategies.

You come from ports ephemeral,
And most ignore this numeral,
But if you're tuning IDS
This makes you better than the rest.

It's not only the port of call,
Destination isn't all.
Get to know where things began:
There'll be more value from your span.

You come from ports ephemeral,
And most ignore this numeral,
But hackers know your history,
And solve the OS mystery.

Tuesday, July 1, 2014


Symantec published a report about some state-sponsored hacking of industrial control systems (ICS) in many countries, including the US.  They identified the group that did this by the name "Dragonfly".


I'm a wicked Dragonfly.  You ain't never gonna learn.
When you think you found me, huh, I'll make a hairpin turn.
I'll zoom around your networks with intent to sabotage,
Sting you and be hiding out in perfect camouflage.

I am a master hacker, and I'm working for a state.
Before you ever find me, boy, it gonna be too late.
I'm trained in writin' malware, and I know your ICS.
Industrial control: it is the world that I know best.
I know about your BACNet, and your HMIs are mine.
I'll keep them running smoothly, and you'll think that you are fine.

But soon the time is comin' when I'll tear your systems down:
No lights, no steam, no coolin',
Don't think that I am foolin',
Might leave your furnace droolin',
Heck, I might blow up your town.

I'm a wicked Dragonfly, and I'm dartin' right and left.
I hacked your favorite website with some skills that you'd find deft.
You came and took a sippy from my evil waterhole.
I snuck on in to bite you, and I gobbled you up whole.

I took a look around with a sneaky little RAT.
I learned about your network as I poked at this and that.
I guess you never found out that an air gap is your friend,
You'll hold on to that error, right up to the very end.

I'm a wicked Dragonfly, and I'm dartin' left and right.
When your turbines start to screamin' it will be a scary sight.
I hope you have some candles and some chopped up firewood.
Your power grid is flimsy, soon to be all messed up good.

Monday, June 30, 2014

After Six Weeks

After Six Weeks

After six weeks
Of welcoming my new daughter into the world,
        (Enjoying the blissful blessing of formal family leave,)
Ignoring the HIPAA violations at the hospital,
Trying not to observe the inefficient placement of security cameras during diaper runs,
Or balancing birth announcements and baby updates with my desire to lead a private life,
I return to my office and find:

My fingers still remember my password, even after changing countless diapers;
Our weekly staff meeting is unchanged in either place, time, agenda, or cynicism;
My coffee pot still offers eager and trusted assistance;
Pastebin still displays our passwords for the world to see;
Spam subject lines continue to evolve
        (bowels and parasites joining viagra and loans);
Bots are still phoning home
        (the cries from our computers admitting defeat);
Wordpress is still getting hacked while PHP looks on mutely;
Staff are still falling for phishing;
Students are still sharing illegally;
Professors are still typing in WordPerfect;
Sysadmins still resent us;
Webdevs still ignore us.

I return to the work,
Swimming in the winds of challenge and changeability,
Building rickety roofs to keep out the rough weather,
Watching the clouds to predict what the day will bring,
Hoping the heat won't wither my muscle
And the cold won't paralyze my bones.
I remind myself that we play the long game
        (Yes, the game went on without me)
And the rules are still the same,
Playing out despite my absence,
But if I focus on the game,
So long as I keep playing to win,
I can eventually rest each night,
       (After the baby has calmed herself and embraced a milky torpor,)
Knowing my work is heading somewhere
Through the storm.

Thursday, May 8, 2014

SPC 2014 - Good Morning

Good morning, SPC-goers!  I hope last night was good for you.  Many of us found ourselves at the bars, talking, planning, and dreaming.

Glasses dance
From table to mouth to table
Riding the conversation's
Networking while talking networking,
or policies,
or war stories,
or master plans,

Or planting the seeds for new plans
Deep in the soil of conversation
Watered by a rain
Of bar drinks
and laughter
and song.

Wednesday, May 7, 2014

SPC 2014 - The Cloud, some more

Joel Rosenblatt from Columbia is giving a great talk on sensitive data in the cloud along with CloudLock.  My thoughts, slightly less minimalistic than my last Cloud post.

The Cloud is Really Great

We gave our data names, we gave the data places.
But when we gave out access, it began all kinds of races.

The users needed info, they pulled it from the store.
And then we were surprised to find it running out the door.

They brought it to the Cloud and the services within.
They posted it it Google Docs and shared it on LinkedIn.

Dropbox was their favorite for sharing with their friends
Or maybe they just put it there for sinister of ends.

We asked them not to do it; we pleaded and we begged.
It didn't make us popular; it was like getting egged.

So we're looking now for policy and maybe DLP,
Or many we'll encrypt it all; I hope we keep the key!

But horses, they have left the barn; it may just be too late.
We cringe whenever users say, "The Cloud is really great!"


Within wispy gauze,
Floating silently above,
There is turbulence.

The acorn planted
Last autumn by a squirrel.
New roots crack sidewalk.

SPC 2014 - Cloud

Cloud, Cloud, PII, Cloud, Cloud.
Cloud, Users, Cloud, Control, Cloud.
Cloud, Cloud, Cloud, Cloud.  Cloud.

SPC 2014 - Bounty

Charlie Miller got me thinking about software bug bounty programs.  Are they good?  Are they bad?  Hard to say.


I found myself a little bug.
It's in your favorite app.
It makes me feel a little smug.
It'll put me on the map.

I spent a year on Mountain Dew
While plowing through some code.
I fuzzed and fuzzed, just like you do
To find a weakly node.

So after months of grinding hard,
I thought I would cash in.
I finally played my final card
The money filled my bin.

For months I longed to hear the tale
Of how the app was lacking.
But the buyer seemed to cop a fail
and others started hacking.

It was my bug that broke the app,
But someone else had found it.
They used it like a leaky tap
To hack some more, confound it!

If I had let more people know,
They may have fixed it early.
Instead I chose to make some dough,
And now I'm feeling surly.

Yes, I spent a lot of time
And did a lot of work.
But did I help commit a crime
By acting like a merc?

SPC 2014 - Keynote #2

The second keynote for this year's SPC is "Failures of the InfoSec Community" by Charlie Miller.

He ended up depressing me.  The barbarians are at the gates and within our PCs.  So much work to do.

Exploding PCs:
Reality written wrong.
Goat describes tractors.

Time marches onward
But the headlines stay the same.
Earth around the sun.

Software bugs hiding,
Dormant for years upon years.
Cicadas emerge.

How much is too much?
You could fuzz inputs all day.
A bear fishing.

Assuming a breach
Will bring you serenity.
Water finds a way.

SPC 2014 - Risky Poetry

The first break-out panel I attended this year was "A Consolidated Approach to Risk and Standards Management" by Matthew Dalton from The Ohio State University.  OSU has a nice tool for doing risk assessments, which I plan to steal (once he's made it available).  It is a method for defining your assets, measuring the likelihood and impact of different events, and creating a risk report that C-level folks can easily understand.  It also contains a way to track mitigating controls (including their costs and their effectiveness) that affect those risks.  Pretty slick.

If you use all those frameworks from NIST,
Regulators will never be pissed.
You'll look like a pro
And put on a good show
When the auditors search for what's missed.

Measuring your risk:
Teaspoons carefully poured, then:
A tsunami comes.

Red, yellow, and green.
Sunset flairs above lush grass.
Or fire, tornado.

SPC 2014 - Keynote Haiku

Greetings from St. Louis and the 2014 EDUCAUSE Security Professionals Conference.  Today's keynote speaker has been Harriet Pearson talking about privacy, cybersecurity, and law.  Here are my notes in haiku form.

Government listens
For cybersecurity.
Thunder all around.

Higher ed moves slow:
The sun setting behind hills.
Eternal sunset.

NIST builds a framework.
Robin weaving tangled nest
To protect her eggs.

Lawyers are friendly:
Guard dogs that know their master
And protect their yard.

Tuesday, April 1, 2014

The Inbox March on April First

Sadly, this post isn't an April Fool's joke.  The flood of spam, delivering phishing messages trying to steal your information or malware trying to do the same, continues to assail our email Inboxes without pause.  Criminals use this technique because it works; many people click on the links and images in the messages they receive, which may point to malware, a form trying to steal your information, or just a flood of webpages that will make money for the criminals the more that people view them.

Well, take up your Sousaphone and get ready to march the April blues away!

The Inbox March on April First

Everyday's the first of April in my Inbox!
Everyday someone's playing a big joke.
Some would say I should just delete the junk mail,
But instead it just makes me want to choke!

It would seem that my mailbox is all filled up,
And I must log in now to save my skin.
'nother one says I came into some money,
If I send my bank login to Prince Jim.

Jim it seems is a prince living in exile.
Royalty, they have never seemed so kind,
Unlike those who robbed my dear friend in London.
Didn't know that he had vacation time.

All these banks want to check my information
Even though I don't bank there anyway.
Lucky me, someone's checked my online profile.
Russian bride? Doubt my wife would say "OK!"

Everyday's the first of April in my Inbox!
Everyday someone's trying to fool me!
Wish there was some neat way that we could stop them,
But instead I'll just have to hit delete!

Monday, March 31, 2014

I Won't Be Abandoning Windows XP

Windows XP is at an end.  Microsoft announced a while back that they were stopping support of the operating system, and as of April 9th, they will no longer be providing security updates to the graying OS.  This leaves many people in a lurch.  Some users of XP cannot upgrade because their current computer cannot run a more modern OS and they cannot afford to upgrade their hardware.  Other users, especially on college campuses, have laboratory and specialized equipment that was build on a Windows XP platform and the vendor either cannot upgrade it or went out of business years ago.

Of course, there are also those who just don't want to change their OS.  Their computer runs "just fine", and why fix what isn't broken?  Warnings about security problems fall on deaf ears, and resistance grows with every attempt to sway them away from their Windows XP.

I Won't Be Abandoning Windows XP

I've had this here laptop since twenty-oh-one.
The two of us have had all sorts of great fun.
The best part about it was all it could be
Because I upgraded from Me to XP!

XP was the better OS, sir, by far.
'Twas faster and stabler and shined like a star.
It ran all my programs, a crash was quite rare.
It made my computing come without a care.

Oh, sure it had updates to fix this and that.
Three service packs later, quite stable it sat.
Occasional viruses might have caused harm,
But after a cleaning I'd feel snug and warm.

And now you all tell me that this is all done.
You tell me that XP's a race that is run.
I just won't believe it, I won't let it go.
Hell no, I won't upgrade, I just love it so!

Sure MS won't update my box any more.
They've thrown in the towel, they've shut up the door.
They've moved on to 7 and gross Windows 8.
But I just refuse to accept that whole fate.

So keep all your warnings, they won't be observed.
To me it all sounds like a notion absurd.
My XP keeps running, my XP loves me!
No, I won't be abandoning Windows XP!

Monday, March 3, 2014

NTP is DoS-ening.

Criminals recently have been using poorly-configured NTP (Network Time Protocol) servers to launch Denial of Service (DoS) attacks on a number of victim networks and sites on the Internet.  Proper NTPD configuration would help stop this misuse.

NTP is DoS-ening

Pardon me.  What time is it?
The answer could cause a fit.
I'll bet your site can't handle it.
A DoS attack will flip its bit.

NTP is listening.
A golden ring is glistening.
A DoS attack is quite the thing!
The packetstorm is littering.

The bad guys find an open host,
And with the proper query post,
They fake the source, and with a boast,
They turn your website into toast.

'Cause they all got themselves some bots
That wait for them to call the shots
The bots all front and lie a lots
Like "eating healthy tatertots".

A million bots all say hello
And tell the answers where to go.
And NTP? Heck, it don't know.
It sends them to some lucky shmoe

Whose network pipe gets overfilled.
Their ISP gets over-billed.
Like gardens that are never tilled,
They're strangled and then fin'lly killed.

So if you're running NTP,
Please take the time, listen to me:
Help make a net that's clear and free.
Secure that stuff! Yo, hear my plea.

Monday, February 17, 2014

My Twin - A Reminder for Unique Passwords

Over this past weekend, emailed their userbase to inform them that there was a data breach that allowed the usernames, email addresses, other personal information, and encrypted passwords of the users to get out.  Bad guys could use these data to attack and take control of other accounts owned by the users, especially if they crack the passwords and those passwords are used on other sites.

Always use unique passwords on each site you visit.  Don't make it any easier on the bad guys.

My Twin

Did you know I have a twin?
Do you know where it's been?
Lingering in sites around
The Internet, where sites abound.
When my dear user must create
An account with which to participate,
He always uses my little twin,
And doing that's a little sin.

Now that my dear twin's alive,
It goes along for the ride,
Whether sitting encryptedly
Or left alone for all to see.
And if a bad guy comes along
And hacks the site; oh, it's so wrong!
My twin, it now be known to her!
My twin, it now creates a stir!

My twin will let the hacker know
Other places she can go:
Into my user's email box;
The places seen in Firefox;
Or allow the bad Anonymous
To find some dox and start a fuss;
Or steal my user's bank account:
My twin would show the full amount.

The lesson here for you to learn
Is every password made does yearn
To be unique and used just once.
Don't let yourself be seen a dunce.
Passwords distinct for every site
Will help you sleep throughout the night.