Security sites to bookmark: and

Belgium: Waffles... and security

The professional activities we undertake within our company, be it our own shop or our employer's, can, and should, benefit from all our other security-related activities. The two security sites I recommend visiting confirm this. Both are written by well-known names in the European information security community: the Belgians Didier Stevens and Xavier Mertens.

As securityandrisk, Didier Stevens created his blog in 2006. Since then, he has regularly published very practical and technical security articles. Didier pays special attention to network security. The quality of the blog invites you to visit his own business' site, especially dedicated to PDF and shellcode analysis. His company site is accessible from

Xavier Mertens, with his unique "Belgian balloon fish" avatar, present in both his Twitter account and his blog, is the author of On the Internet since 2003, he publishes, together with the papers he has presented, very detailed summaries of the security conferences he attends. This is an opportunity to know what happened and what was said there. As in the case of Didier, also links to, his own security company, specialised in log management and security testing.

Both authors discuss security issues that are useful in our everyday job. From the pages of their blogs, they both link to some security tools (both Didier and Xavier). Didier offers his own Microsoft Windows process-related utilities and Xavier introduces evasion tools such as "PingTunnel" and "Dns2tcp".

Information security is still a field in which many breakthroughs, ideas and new developments come through "informal" channels such as blogs and security conferences rather than through formal academic degrees and scientific journals. These two sites confirm this trend.

In short, visiting these two personal sites from well-known Belgian security experts gives us ideas for our professional life while nicely introducing the security companies they have created.

Happy Belgian security reading!

Making bridges

Security site to bookmark:

Controversial but worth-reading

In the past, guilds regulated and controlled the practice of a craft., an initiative from the volunteer crew, aims to protect the information security profession from intruders.

In an almost irreverent way, they publish news that is charged with irony (for example, a security company that promises 100% security with its products and that, interestingly enough, is successfully attacked and compromised) and references to security snake oil sellers.

All this controversial content is organized into twelve sections that reveal:

- Companies that sell products containing malware before they even reach customers.

- Legal threats to security researchers who have found a security vulnerability.

- Failures in automated software update processes.

- Charlatans, be it individuals or companies, who introduce themselves as security gurus. The subsection dealing with companies can be controversial.

- Plagiarism: A long list of authors and books that turn out to be copies of previous publications.

- Firms offering security services or products that have been attacked and compromised themselves.

- Security companies that send unsolicited e-mail ("spam") to prospective customers.

- Security incidents involving Internet-related companies, such as the case of Stratfor, a company that suffered loss of confidential information in 2011.

- Invented or manipulated security statistics.

- Examples of how the media confuse their audience with unconfirmed security news. This section stopped being updated a long time ago: the authors could not keep up with the pace at which such news appears.

- Vulnerabilities and data leakage items from initiatives like, the Open Source Vulnerability Database, and, a site that I already recommended in this blog.

Definitely shows the great influence of the mass media and acts as a whistleblower against charlatans. It is an Internet-based antidote for identifying attempted fraud in information security. Therefore, before buying a product or a security book, have a look at their pages.

Happy errata reading!

You can also read this post in Spanish here.

Dark night

The hedgehog's dilemma - Story of business and IT Security

In summer 2011 a new security-related conference series was started in Madrid. Or, better said, a technology-based risk management and innovation event. I had the privilege of giving the opening talk on the links between security and business to a wide and wise audience. I titled my talk the hedgehog's dilemma.
This post summarises the main points of the talk. They are still applicable (even more applicable now than in 2011!). I would be happy to start a discussion thread on your views on these macro topics. They are far from the command line, but they certainly steer our professional future working with and at corporations.
Using wikipedia's description of the dilemma, "hedgehogs all seek to become close to one another to share heat during cold weather but they must remain apart, however, as they cannot avoid hurting one another with their sharp spines".
Security and business suffer from exactly the same dilemma. The objective is to change the paradigm from hedgehogs to penguins. Penguins can stay together; actually, they benefit from staying together every winter.
I proposed two dimensions to work with, a methodological dimension and a human one. Let's describe both of them:

From hedgehogs to penguins: A method
Firstly, we need to use traditional risk management concepts such as vulnerability, threat, risk, impact & probability and benefit to risk ratio, all of them explained in the first chapters of IT Securiteers.
Secondly, I propose the use of 1 + 3 + 1 filters. As a security professional, pay attention to elements that pass these five filters:
1. They are real and detected threats. This is why monitoring is key.
2. They cause a high impact on the organisation and mean a low risk for the attacker.
3. Their treatment does not require massive resources and does not decrease customer usability. This filter is a tough one to respect. However, it constitutes a mid-term survival guarantee for infosec professionals at work.
4. They bring a positive reputation to the security team. This one is also challenging but worth considering in these times in which we need to market everything.
5. They comply with legal and governance requirements and they satisfy senior management's requests. Please do not forget the last part of this fifth filter.
Certainly this is easier said than done. Three additional tactical tips:
a. Plan no more than 40% of your security resources. They need to be available to deal with a great deal of unknown (and ad hoc/unplanned) activities.
b. Follow a "baby-step" planning approach and celebrate (and sell!) every successful delta.
c. A useful way to structure your work is to consider these layers: networks, systems, applications, data and identities. (Thanks to Jess Garcia for this point.)

From hedgehogs to penguins: A passion
Security teams certainly need passionate and technically savvy security professionals. Together with this statement, I would add that we need a multidisciplinary team. Non-IT-savvy and non-security-savvy players also have their place in a security team. These new players can come from fields as distinct as marketing, sociology, statistics, journalism, law and economics.
The number of interactions that some of the security team members need to have with the rest of the organisation is high. Public relations and marketing are essential for the previously presented 5-filter method to succeed.
How many active security teams do you know that already have this innovative composition? Probably not many. Two references to go deeper into this subject of security management: try IT Security Management and Secure IT up!. I would be happy to present it to you if required.
These multidisciplinary teams will live the motto "share, respect and mobilise":
- Share the information you work with with your colleagues.
- Respect any personal and academic background from any player in the team.
- Mobilise your peers i.e. trigger their curiosity for your field of expertise.
Two models help grow cohesive teams. Both aim to find a balance for every team member:
- Find the sweet spot among the skills they offer, their passions and market demands.
- Find the sweet spot among themselves as individuals, in their social dimension and, finally, in their professional lives.

Multiple leadership and continuous learning
Security teams need more than one leader. Preferably three. At least two that get along well and complement each other. The role of the leader will be to look after team members while delivering the mandated value to the organisation.
In a two-dimensional graph, draw where your team members are in terms of valuable security skills and level of motivation. Those scoring high on both axes constitute your team's critical mass. The role of the leader is to grow that critical mass, i.e. encouraging everyone to sharpen their skills and letting motivation grow inside them. Imagine a KPI on this!

Important ingredient not to overlook
Security team leaders need to be outward-looking and multidisciplinary themselves. They need to act as security ambassadors, especially with their reporting lines and customers. They had better double-check periodically whether they still have their senior management's support.

Security innovation: Five provocations
Some food for thought. Call it crazy ideas, call it security innovation:
- Conduct effective guerrilla marketing out of your CERT team.
- Design accurately (and smartly) the end-to-end experience that a visitor to your facilities and a customer of your security services will leave with.
- Identify social connectors in your organisation and make them your security marketing ambassadors, even if they do it unconsciously.
- Make the most of the "power of free" e.g. distribute free encrypted memory devices.
- Be constructive. Remember, life will always find a way!

Happy finding!

Finding a way

Discussion on intuition. Daniel Kahneman's lecture.

Google talks
This post is a recommendation to watch the lecture that Daniel Kahneman gave in the @Google Presents talks. It was a discussion on human intuition, somehow explaining why we magically know things without knowing that we know them. We information security practitioners will find many points to link to.

Modest disclaimer: This post by no means tries to replace the video of the talk. It just provides a very subjective (and telegraphic) summary of some of the points touched upon.

Some references, such as "Sources of Power: How People Make Decisions" by Gary Klein or "Blink" by Malcolm Gladwell, propose that judgement biases are not so negative and are actually a source of power. Daniel Kahneman is certainly very sceptical about the power of expert intuition. For example, how would intuition play out in medicine? When can you trust intuition?

Intuition and judgement

Kahneman distinguishes between two modes of thinking, i.e. thoughts that come to mind (system 1) and judgements (system 2). Examples of the first are something that happens to us, something truly perceived, impressions and also intuitive thinking. These thoughts are intuitive and automatic. The second type requires effort: they are deliberate and effortful.

An empirical exercise would be the following: we fall into the temptation of eating chocolate more easily if we have to keep a 7-digit number in our head. Our self-control is impaired if we are doing another activity. This clearly means that it takes some effort to control our impulses.

Then, at minute 12, he starts to talk about skills. For example, driving is a skill. In a skill, things begin to happen automatically. That is the reason why we can drive and talk, or why braking is completely automatic. However, some skills are completely non-intuitive, e.g. driving on skids requires different and non-intuitive skills.

An interesting point is that having emotional reactions to a certain perception is automatic in system 1, but system 1 is also where skills are located. Then he mentions that Herbert Simon (Nobel laureate) defined intuition simply as recognition.

When can you trust intuition?
If there are clear rules in the environment, especially if they give you immediate feedback, we will acquire those rules, e.g. we all identify erratic behaviour when driving.

Human beings are also very good at reinforced practice, e.g. anesthesiologists get very good feedback very quickly; radiologists face the opposite case, slow and less useful feedback, so it is more difficult for them to develop intuitive expertise.

In a sentence, intuitive expertise is not possible in chaotic scenarios; that is the reason why the world is not predictable. Formulas beat humans when there is some predictability, but they perform poorly in low-predictability environments.

We frequently have intuitions that are false and are not distinguishable from expert intuitions. How can we tell them apart from expert intuition?

A book by Joshua Foer titled "Moonwalking with Einstein" states that memory is superb at remembering routes through space but poor at remembering a list. Our mind is set to think about agents (which have traits and behaviours); however, we are not good at remembering sentences with abstract subjects.

Getting influenced by the environment
Posters we can see and read close to us influence our behaviour. When people are exposed to a threatening word, they move back: the symbolic threat somehow has a real effect.

If we see two unrelated words together, like "banana" and "vomit", we will think about vomit when we see a banana. In effect, we saw two words and made a story, e.g. the banana made us vomit; our associative machinery tries to find a cause.

You make a disgust face, you experience disgust. You make a smiling face, you are more likely to think that things are funny. Place a pencil in your mouth and you will think cartoons are funnier.

By partially activating ideas, e.g. by whispering words, the threshold for feeling emotions related to those ideas is lowered, and all this happens without us knowing it consciously. It is a way of preparing ourselves.

Associative memory is a repository of knowledge. We try to suppress ambiguity, making ambiguous stimuli coherent.

It takes us very little time to create a norm. Our reasoning flows along causal lines, and this happens intuitively. The coherence we experience can be turned into a judgement of probability. However, people have confidence in intuitions that are not essentially true. We use a system that classifies things as normal or abnormal, and very quickly. Speed is key for our brain.

Substitution: The dates experiment
Two questions: How happy are you? and How many dates did you have last month?
In that order, the correlation is zero. In the reverse order, the correlation is 0.66. This is an example of substitution: the emotion that reigns when answering the second one.

Subjective confidence
There is a real demand for overconfidence, but this is not the secret to getting real and valuable information. Confidence is not a good diagnostic for trusting somebody.
The wise way to do it is to ask what the environment is like and whether they had the opportunity to learn its regularities.

Daniel Kahneman is not really optimistic about our being able to train system 1. This is why, e.g., the advertising industry addresses system 1 (emotions, not judgements), e.g. facial characteristics of political leaders (which one looks more confident?) predict 70% of elections. See reference

(minute 56) When people are exposed to the idea of money (e.g. a dollar symbol), they show selfishness and a lack of solidarity.

Nice things
We need to create an environment that will remind people of nice things (and not, for example, money).

The connection between self-control and the general activation of system 2 is an important personality characteristic (e.g. the marshmallow test in children predicts whether they will do better when they are 20).

However, most intelligence tests we have are only for system 2.

It's hard work for system 2 to overturn what system 1 tells us. Keep that in mind when preparing security awareness sessions or when running a lessons-learned exercise on why some security awareness sessions were not effective!

Happy system 1 and system 2 security!

The knowledge house


Book review: Up and to the Right - Strategy and tactics of analyst influence by Richard Stiennon

Have you ever wondered why decision makers are so keen on resorting to the Gartner Magic Quadrant to make product-purchasing decisions? This book by Richard Stiennon explains how these quadrants are made. Although it is not purely related to information security, information security market participants can certainly benefit from its learning points and understand the location in the quadrant of some security products.

Organised in 21 chapters and 2 appendixes, "Up and to the Right" is an easy-to-read and very instructive book. This is a brief compilation of the main points of the book, chapter by chapter.

Chapter 1

Having worked as a Gartner analyst from 2000 to 2004, Richard attests that the Gartner Magic Quadrant "pay to be there" rumour is just a myth.

Chapter 2

He presents the Gartner Magic Quadrant and introduces the reader to the four different types of players, i.e. niche players, visionaries, challengers and leaders, according to their ability to execute (vertical axis) and completeness of vision (horizontal axis).

Chapter 3

This is the first chapter in which the author starts to refer to the concept of influencing markets, analysts and, eventually, prospective buyers. There we can read about many different channels such as Google, Wikipedia, newspapers, LinkedIn, books or even YouTube and Facebook.

Chapter 4

The final conclusion to chapter 3 is what Richard calls the Influence Pyramid, consisting of five groups of stakeholders; starting from the base, these are the addressable market, technologists on the Internet, journalists, bloggers, CIOs and analysts.

Chapter 5
In a nutshell, the key point is to set a goal and prepare a strategy to succeed in your market's Magic Quadrant.

Chapter 6
In this chapter the author really adds meat to the bone, proposing specific measures for each of the layers in the influence pyramid.

Chapter 7
This chapter provides some tips on finding the real influencers in your market.

Chapter 8
Very much Gartner-internal, the author refers to a Gartner information-gathering product named Strategic Advisory Service (SAS), or the SAS day: a product consisting of a day-long visit by an analyst to your premises, which would easily cost you some thousands of dollars.

Chapter 9

This chapter describes a different product called "the analyst inquiry", focused on providing an understanding of how a product can appear in a Magic Quadrant.

Chapter 10

A product-like option, but almost cost-free, is what this chapter describes: briefing the analyst.

Chapter 11
A different version of what chapter 10 proposes is called the "drop-by briefing", for when you are going to visit the analyst's city.

Chapters 12 and 13 refer to the Gartner Summit and the Gartner Symposium, two events organised by Gartner, and how to make the best use of them.

Chapters 14 and 15 focus on the role of the CEO and the sales team, respectively, in succeeding in this Magic Quadrant chase.

Chapters 16 and 17 go through the important role of Wikipedia and social networks such as Twitter, LinkedIn, Facebook, Google+ and blogs.

Chapter 18 mentions, under the headline of "guerrilla tactics", many additional marketing measures such as direct mail, ads in airports and radio advertising.

Chapter 19 focuses on how to respond to the Magic Quadrant questionnaire once we are lucky enough to receive it.

Chapter 20 lists some of the actions that we had better not take in this context and a key fact: "80% of Gartner's customer base are late adaptors".

Chapter 21 provides a final conclusion, and appendices I and II provide additional resources and a FAQ, respectively.

Complementing the book, I contacted the author and he shared with me the link to the free online video course on the book. Thanks Richard for that!

All in all, a nice, small, experience-based wisdom pill that we can also apply to IT and information security products! Enjoy!

Happy right reading!

Applying persuasion to information security

Social psychology professor Scott Plous mentioned a very enlightening, almost 12-minute video on the "Science of Persuasion" by Robert Cialdini and Steve Martin.

Every security professional should be able to persuade their customers and users in an ethical and successful manner. I recommend watching this video. For those who can't or won't, here are some learning points:

6 decision-making shortcuts or principles govern human beings' reactions and influence:

1. Reciprocity
In general, we feel obliged to respond with kindness when we are the receivers of a nice act.

Cool tip from the video: if you describe your action while being kind, you are the first to give, and it is personalised, then the reciprocal answer is even better. The statement "For you, nice people, here's an extra mint!" in the video corroborates this.

2. Scarcity

Simply put, human beings like to have more of what becomes scarce. If it is not scarce, then we do not have such a big interest in it. So, if you would like to sell your security services, tell your customers about your unique value proposition!

3. Authority
People follow the view of experts. Transposing the example shown in the video to the security world, if you display your security certifications, or even have someone (even if they personally also benefit from it) market your great professional value, your customers will take your advice a little more seriously.

This principle also has a curious application: people are more easily persuaded by people wearing uniforms. Take this into account in your next social engineering engagement.

4. Consistency
People like to be consistent with decisions they previously took. This is the reason why some big requests are preceded in time by small, enticing, related requests that are far easier to accept.

Voluntary, active, public and, if possible, written commitments do wonders. I think this is really underused in our information security arena.

5. Liking
"Human beings prefer to say yes to those they like." Important point: who do we like? According to Robert Cialdini and Steve Martin, we like people who are:

- Similar to us.
- Complimenting us.
- Cooperating with us.

Simple but powerful facts. The most important tip, then: if you are bound to negotiate security measures with a customer, talk to them first in an informal manner to identify similarities, to compliment them and to cooperate with them.

6. Consensus
In general, we do not like to be the exception. Mention what other similar customers are doing. A way to apply this to our field could be showing reputable statistics on the adoption of specific security measures.

Channelling attention to persuade ethically

Happy ethical (and costless?) persuasion!

Security site to bookmark:

A valuable security research repository

Every single week, somewhere in the world, a security conference or presentation takes place. Attending all those events is not feasible. Sometimes we do not even know whether they will offer the minimum required quality. A website publishing the high-quality security content presented at these events would provide great value to our security community.

This is the aim of, an elegant collection of links to documents, presentations, videos and audio presented at security conferences, events and podcasts organised in past years and months. Examples of linked videos are:
- SSL and the future of authentication, by Moxie Marlinspike, presented at "Black Hat 2011".
- Are we getting better? - Hacking Today's Technology, by Dave Kennedy, presented at "Hack in Paris 2013".

is an initiative of the Italian Alessandro Tanasi. From Bologna, he is present on Twitter with the nickname @jekil and he is also the author of a small security-related website titled

Its value proposition is to post links to high-quality security documentation, from both the content and the format viewpoint. This documentation is, at least, worth checking. helps us to distinguish the wheat from the chaff: the site currently links to over half a terabyte of information. I imagine the first user of these links is Alessandro Tanasi himself.

Every linked item is also tagged, which facilitates searching. We can find links by tag, author, date and event.

New publications linked in can be tracked via its Twitter account. One suggestion for Alessandro would be to offer the chance to contribute as a content reviewer. Maybe each content curator could appear in a reputation ranking according to the value they provide.

In short, this site is a demonstration of how you can create a quality product that gives value back to our community. A nice initiative to grow one's personal and professional brand.

Thanks Alessandro!

A version of this article in Spanish can be found here.

Navigating through rough waves

Book Review: Essential SNMP by Douglas R. Mauro and Kevin J. Schmidt

This book is organised in 14 chapters and 5 annexes. It helps in understanding how enterprise monitoring started and how it is done in companies today. Especially recommendable to theorists. By no means will this post replace reading the book. However, here are some of the key learning points, in a very telegraphic manner:

Chapter 1 - Definition and ISO processes

A first chapter with two distinct parts: a technical one devoted to defining and framing SNMP, and a procedural one aiming to briefly describe ISO-related IT processes such as change management. As said, good for theorists.

The initial objective of the predecessor of SNMP was to manage Internet routers. There are three versions of SNMP. Version 3, the latest one, adds security features such as strong authentication and communication confidentiality.

Two important communication concepts in SNMP: polling and traps.

In network management, polling means querying an agent. The active element that does the polling is the manager, normally the Network Management Station (NMS).

A trap is a communication from the agent in the managed/monitored element to the manager indicating that something worth monitoring has happened.

Polls and traps can occur simultaneously.

The syntax that defines the set of elements an agent tracks is called the Structure of Management Information (SMI). The Management Information Base (MIB) is the actual set of tracked elements, written using the SMI syntax. An agent can implement many MIBs. MIB-II is defined in all agents.

The chapter also gives a first introduction to Remote Monitoring (RMON), a monitoring standard that deals with packet-level statistics related to a network.

There is a strong link to ISO standards, whose processes require that IT systems and networks be monitored.

This chapter refers to a network management and/or monitoring concept called FCAPS, i.e. fault management, configuration management, accounting management, performance management and security management.

Regarding reporting, monitoring data is the source for response-time reporting, alarm correlation and trouble resolution. Change management is also a process that benefits from monitoring and reporting.

Chapter 2 - Commands and functioning

SNMP uses UDP. Normally SNMP requests are sent to the agent's port 161, responses are sent to the NMS's port 161 and traps are sent from the agent to the NMS's port 162.

Every agent is configured with 3 community strings: read-only, read-write and trap. These strings act as the passwords for reading data from the agent, for writing data (e.g. resetting counters in the agent) and for receiving traps.

According to the SMI syntax, any managed object is broken down into three attributes: name (also called object identifier, OID), type and syntax, and encoding (every instance is encoded into a string of octets).

Objects are organised in a tree-like hierarchy, similar to an LDAP directory scheme.

The authors refer in this chapter to specific SNMP operations:

- get: instructs the agent to send a specific MIB object.
- getnext: instructs the agent to send a list of MIB objects (a related command is snmpwalk).
- getbulk: sends a large portion of a MIB table.
- set: sets a variable.
- response: the reply to any of the gets.
- trap: a way for the agent to tell the server that something happened.
- notification (related to the packet format).
- inform: acknowledged sending of traps.
- report (only in version 3).

Chapter 3 SNMP Version 3

The SNMPv3 engine has four elements: the Dispatcher, the Message Processing Subsystem, the Security Subsystem and the Access Control Subsystem. This version divides the functionality of SNMP into five applications, i.e. command generator, command responder, notification originator, notification receiver and proxy forwarder.

Chapter 4 NMS Architectures

The specs for your NMS, in terms of processing power, will be pretty humble. This does not, however, cover your log storage requirements. A typical data collection period will be 10 minutes.

Certainly, placing an NMS close to the network it is managing/monitoring makes sense. Being more precise, it is recommendable to place a remote poller on each of the monitored networks that will forward events to your central NMS if required. This way we save long-distance polling requests.

This chapter also mentions the concept of trap-directed polling. This means that polling will only take place when the NMS receives a specific trap.

Finally, a new concept called Web-Based Enterprise Management is mentioned.

Chapter 5 NMS Configuration

The first NMS they describe is HP's OpenView Network Node Manager (they provide a 60-day, 250-node trial licence). The second one they mention is Castle Rock's SNMPc Enterprise Edition.
Most NMSs have an IP Discovery function and you can load MIBs into them.

Chapter 6 Configuring agents

All SNMP agents have at least these configuration parameters: location, contact, name, read-write and read-only community strings and trap destination. The fact that the community strings are sent in the clear means that if you need to send SNMP information through networks you do not control, then you need either to use SNMP v3 or a VPN. I would recommend using both.
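The chapter 2 message layout (version, community string, PDU type and the get/getnext/getbulk/set/trap family of operations) and the chapter 6 point that v1/v2c community strings travel in the clear, as an added Python example that is not from the book, its authors or Net-SNMP: a small BER encoder/decoder plus the checks a passive monitor on a network you do not control could apply to each captured datagram. The sample packet is constructed, and the audit rules and the "public"/"private" default list are my assumptions.

```python
# Minimal SNMPv1/v2c BER codec: constructed example, not code from the book or Net-SNMP.
# PDU tags of the SNMP BER encoding mapped to the operation names used in chapter 2.
PDU_TYPES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set", 0xA4: "trap",
             0xA5: "getbulk", 0xA6: "inform", 0xA7: "trap", 0xA8: "report"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}  # assumed list of well-known vendor defaults


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(value):
    """BER INTEGER: shortest two's-complement encoding."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two sub-ids merged, the rest base-128 with continuation bits."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for sub in parts[2:]:
        chunk = [sub & 0x7F]
        while sub := sub >> 7:
            chunk.append(0x80 | (sub & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_request(community, oids, request_id, pdu_tag=0xA0, version=1):
    """Encode a v1/v2c request (get, getnext, set, getbulk...) whose varbinds carry NULL values."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + _tlv(0x05, b"")) for o in oids)
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    subids, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value = 0
    return ".".join(map(str, subids))


def parse_snmp_message(packet):
    """Decode one datagram: version, community, PDU type, request-id and the OIDs it names."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big", signed=True), "unknown")
    if version not in ("v1", "v2c"):
        # v3 carries security parameters instead of a community string; not decoded here
        return {"version": version, "community": None, "pdu": None, "request_id": None, "oids": []}
    _, comm, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    request_id, p = None, 0
    if pdu_tag == 0xA4:  # v1 Trap-PDU: enterprise, agent-addr, generic-trap, specific-trap, timestamp
        skip = 5
    else:  # request-id, then error-status/error-index (non-repeaters/max-repetitions for getbulk)
        _, rid, p = _read_tlv(pdu, p)
        request_id, skip = int.from_bytes(rid, "big", signed=True), 2
    for _ in range(skip):
        _, _, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": version, "community": comm.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, "unknown"), "request_id": request_id, "oids": oids}


def audit_snmp_packet(packet):
    """Findings a passive monitor would raise for one captured SNMP datagram (assumed rules)."""
    msg, findings = parse_snmp_message(packet), []
    if msg["version"] in ("v1", "v2c"):
        findings.append(f"{msg['version']} community {msg['community']!r} readable on the wire")
        if msg["community"] in DEFAULT_COMMUNITIES:
            findings.append("default community string in use")
        if msg["pdu"] == "set":
            findings.append("write operation authenticated only by cleartext community")
    return findings


if __name__ == "__main__":
    # Constructed sample: a v2c get of sysName.0 (1.3.6.1.2.1.1.5.0) using the community "public"
    sample = build_request("public", ["1.3.6.1.2.1.1.5.0"], 1234)
    print(sample.hex(), parse_snmp_message(sample), audit_snmp_packet(sample), sep="\n")
```

The same decoder applied to a packet capture of UDP port 161/162 traffic shows why the book's advice to use SNMPv3 or a VPN across untrusted networks matters: a v3 message yields no community string at all.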

Typical SNMP agents: Net-SNMP is the Microsoft agent, HP OpenView Agent can deal with HP-UX and Solaris, Net-SNMP is an open source agent for Unix, Concorde provides SystemEDGE for Unix and Windows, Cisco has their own SNMP agent and they also mention APC Symetra for uninterruptible power supplies (UPSs).

Chapter 7 Polling and setting

Three typical, basic and important SNMP actions: snmpget (to obtain a value from the MIB), snmpset (to write a value to the MIB) and snmpwalk (to go through a subset of the MIB).

Although most of the time we will use SNMP-based monitoring software (e.g. the book first presents HP OpenView's command line and graphical interfaces), we can also create our own Perl scripts to read SNMP information from any monitored device. The Net-SNMP tools are also mentioned in this chapter.

Chapter 8 Polling and thresholds

Internal polling is done from the same machine. External polling is performed by the NMS. The local RMON agent can also perform internal polling.

In this chapter we also read about concepts such as data collections and the thresholds assigned to them. Most thresholds are built on specific collection features, e.g. "higher than X for Y consecutive samples".

Already in this chapter an open source tool for data collection and graphing is mentioned: MRTG.

Chapter 9 Traps

All different NMSs need to be configured on what they do when they receive a trap from an agent. When a trap is received, an event in the NMS is created. It is usual to assign a severity level to each of those events.

Those who cannot afford an expensive NMS can also create their own Perl scripts to both receive and send traps. The default destination port for a trap is UDP 162.

Chapter 10 Extensible SNMP agents

Some agents' MIBs can be extended to obtain values from an external entity such as a script running in the monitored device.

An agent can return multiple lines of output data in the form of tables.

Chapter 11 Adapting SNMP to fit your environment

A key chapter that presents how SNMP can provide value to your IT shop/factory:

A nifty example of the use of SNMP is to generate traps that record who is logging into a system. Those traps are stored at the trap-receiving end, and sending them to a remote host increases the security of those log-in logs.

A second easy business case could be the detection of core dumps being created on a system. A third one is checking available disk space.

The list of SNMP uses is long: Port monitoring, service monitoring, web content, SMTP health, DNS and statistics from wireless access points among others.

This chapter also mentions an object-oriented Perl package named SNMP::Info. It enables reaching values in the MIB without having to know where exactly they are.

Chapter 12 MRTG

This is the chapter to go to when we need to use the Multi Router Traffic Grapher (MRTG): an open-source, configurable graphical trend analysis tool. Among other dependencies, MRTG requires Perl to run. Graphs are viewed with a browser.

MRTG itself issues get commands, using the read-only community string, to read from the monitored devices.

Chapter 13 RRDtool and Cricket

Similarly to the previous chapter, this one also presents a tool: "The Round Robin Database Tool to store and process data collected via SNMP". Cricket, presented together with RRDtool, is one of its front-ends. It requires a configuration tree and presents information via a web browser.

Chapter 14 Java and SNMP

Those who have powerful machines, or prefer not to use Perl, can also create SNMP applications with Java. This chapter explains the Java package snmp4j.

Annex A Using input and output octets

Important when we need to measure network interface speeds.
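The Annex A calculation, carried out as an added example (not code from the book): throughput and utilisation from two successive polls of ifInOctets and ifOutOctets, including the edge case that bites in practice, the wrap of a 32-bit Counter32 at 2**32. All sample values are constructed.

```python
"""Interface throughput from ifInOctets / ifOutOctets, with counter wrap.

Added example, not from the book: the Annex A calculation carried out on
two successive polls. The edge case is the 32-bit Counter32: it wraps at
2**32, so the delta must be taken modulo 2**32 (or the 64-bit ifHC*
counters used) and the poll interval kept shorter than one wrap time.
All sample values are constructed here.
"""
COUNTER_MODULUS = {32: 2 ** 32, 64: 2 ** 64}

def counter_delta(previous: int, current: int, bits: int = 32) -> int:
    """Octets moved between two polls, correct across at most one counter wrap."""
    return (current - previous) % COUNTER_MODULUS[bits]

def direction_bps(previous: int, current: int, interval_s: float, bits: int = 32) -> float:
    """Average bits per second in one direction between two polls."""
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    return counter_delta(previous, current, bits) * 8 / interval_s

def link_utilisation(in_prev, in_cur, out_prev, out_cur, interval_s, if_speed_bps, bits=32):
    """Per-direction rate and percent utilisation of a full-duplex link.
    The busier direction decides the utilisation figure."""
    inbound = direction_bps(in_prev, in_cur, interval_s, bits)
    outbound = direction_bps(out_prev, out_cur, interval_s, bits)
    return {"in_bps": inbound, "out_bps": outbound,
            "utilisation_pct": 100.0 * max(inbound, outbound) / if_speed_bps}

def wrap_time_s(if_speed_bps: float, bits: int = 32) -> float:
    """Seconds a saturated link needs to wrap the counter once. Poll more often than
    this, otherwise two polls may straddle more than one wrap and the delta is ambiguous."""
    return COUNTER_MODULUS[bits] * 8 / if_speed_bps

# Constructed: two polls 300 s apart on a 10 Mbit/s interface; ifInOctets wrapped in between
IN_PREV, IN_CUR = 4_294_960_000, 5_000
OUT_PREV, OUT_CUR = 1_000_000, 76_000_000

if __name__ == "__main__":
    print(link_utilisation(IN_PREV, IN_CUR, OUT_PREV, OUT_CUR, 300, 10_000_000))
    print(f"Counter32 wraps every {wrap_time_s(1e9):.1f} s on a saturated 1 Gbit/s link")
```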

Annex B and annex C present specific SNMP tools, annex D lists the SNMP-related RFCs, annex E talks about Perl modules for SNMP, annex F lists network management software, annex G mentions open source monitoring software and finally annex H presents some guidelines on network troubleshooting.

In a nutshell, I would say SNMP is your friend whenever you have to administer more than one machine.

Thanks to Douglas R. Mauro and Kevin J. Schmidt for this book!

Lights ON for SNMP!

Book review: Metasploit - The Penetration Tester's Guide by Kennedy, O'Gorman, Kearns and Aharoni

Pentesters of the world, this is a book you need to know about. This book talks in 17 chapters and 2 annexes about "the tool" for security testing i.e. Metasploit.

The first element you find in this book is a foreword by the founder of the Metasploit Project and Framework, created in 2003 and 2004. In 2007, it was migrated from Perl to Ruby.

The following paragraphs provide a helicopter view of what the reader can find in the chapters of this book. This post by no means replaces the reading, and the careful study, of this book. On the contrary, it encourages it!

1 The basics of pen testing

This introductory chapter refers to the industry-redefining value of the Penetration Testing Execution Standard (PTES): An excellent first place to look at for those starting in this field. This chapter mentions the phases of a pen test and the types of tests i.e. overt and covert, depending on how many people in the tested organisation know about the test.

2 The basics of metasploit

Key chapter to grasp the different metasploit tools:
- Interfaces such as the console, the command line interface and the graphical user interface named Armitage.
- Utilities such as msfpayload, msfencode or even the assembly-code-related tool nasm shell.
- And, certainly, two commercial tools: Metasploit Express and Pro.

3 Intelligence gathering

Right after deciding which target to assess, the intelligence gathering phase collects relevant information before even trying out the target's security capabilities.

There are two types of data collection, passive and active. Metasploit is essential in the active intelligence gathering phase through the use of port, SNMP, SSH and custom scanners. This chapter explains how to link metasploit with two different databases i.e. MySQL and PostgreSQL.

4 Vulnerability scanning

Once the systems to assess have been identified, the next step is to scan them to identify vulnerabilities. There are many tools to scan systems. This chapter focuses initially on NeXpose Community edition, the free version of a vulnerability scanner that provides both a graphical interface and integration with msfconsole.

The second scanner that this chapter mentions is Nessus. It can also be invoked from the msfconsole and its results can also be imported into the metasploit framework.

This fourth chapter ends with a reference to what the authors call specialty vulnerability scanners and the possibility of using metasploit's autopwn to launch attacks based on the scanners' results.

5 The joy of exploitation

The metasploit console offers the possibility of exploiting assessed systems based on the vulnerability scanning. The tester can also launch an nmap scan from the metasploit console (msf). This nmap scan can also include specific scripts from the nmap scripting engine.

Metasploit offers a specific syntax, explained in this chapter, to proceed with the exploitation of the assessed system by configuring exploits and payloads.

6 Meterpreter

This is a special type of payload that metasploit can inject into the vulnerable system. It consists of an interpreter responding to specific command lines e.g. to capture a screenshot or to capture keystrokes.

This chapter also describes the use of one compromised system as a stepping stone to jump into other systems.

7 Avoiding detection 

On this occasion, the authors of the book refer to the controversial topic of antivirus evasion. They also make a brief reference to file packers as a simple way to fool malware detection tools.

8 Exploitation using client-side attacks

The pages of this chapter are an introduction to a very common type of attack based on compromising client computers via e.g. browser and file format exploits.

9 Metasploit auxiliary modules

The art of pen-testing starts with metasploit auxiliary modules: a way to perform actions in the compromised box without using payloads.

10 The social-engineer toolkit

This toolkit was born with the site. This piece of work is where soft skills (social engineering) and technical mastery meet. The toolkit offers a comprehensive way to go deeper into client-side attacks, combining different techniques based on the software that can easily be found on almost every desktop nowadays.

11 Fast-track

On top of the metasploit framework, the creator of the social-engineer toolkit, Dave Kennedy, built a Python-based tool to automate some advanced attack vectors even further.

12 Karmetasploit

If the systems you need to assess are using a wireless network, then this chapter can help you create a fake wireless access point from which to launch part of the metasploit arsenal.

13 Building your own module

Currently metasploit is coded in Ruby. The creation of new modules is possible. This is one of the beauties of this framework: It grows with its community. 

14 Creating your own exploits

For those advanced ninja pen-testers out there, this chapter provides guidance on how to write their own exploits, starting with running a fuzzer to discover and exploit new vulnerabilities in systems.

15 Porting exploits to the metasploit framework

Again, a chapter for those advanced pen testers planning to port stand-alone exploits into metasploit.

16 Meterpreter scripting

Pen-testers can also extend metasploit's scripting environment. Advanced stuff.

17 Simulated penetration test

This is the chapter you need to read if you can only read one chapter of this book: a guided example of what this book describes.

Annex A Configuring target machines
Annex B Cheat sheet

These two final annexes provide guidance, first, on how to create a testing lab to start using metasploit and, second, on the commands available in metasploit.

All in all, a reference book in the world of pentesting and code hacking/development!

Thanks a million to all the authors!

Happy exploiting!

A page in History

Security sites to bookmark: and

Information security journalism: Creating a Personal Brand

Human Resources 2.0 is revolutionizing the workplace. The relationship between employers and professionals is changing. The traditional long-term contract is giving way to other means of collaboration. These are much more varied and adapted to specific needs from both sides. In this context, the creation and maintenance of a personal and professional public brand becomes a clear value.

The world of information security also lives this change. These two sites are two examples of this new trend: by Brian Krebs, a former Washington Post reporter and by Graham Cluley, an antivirus developer in the nineties.

Brian Krebs worked as a reporter on security issues at the Washington Post for 14 years, until 2009. His interest in digital security grew from 2001, when his home network was compromised.

Unlike Brian Krebs, Graham Cluley is a security professional with a technical background. He wrote the first version of the Windows-based Dr. Solomon antivirus and, outside the security field, two MS-DOS based games, still available on his website. He was one of the security specialists blogging for "Naked Security", the Sophos antivirus vendor's site. In June 2013 he left Sophos, a company where he had worked since 1999, and released his own Internet security portal,, to market his personal brand as an independent security analyst. This site deals with IT security topics and is not as cybercrime-focused as

As they both confirm, they are now their own bosses. They regularly publish security news that could well appear in general-purpose newspapers and news portals, related to espionage, newly discovered vulnerabilities or the latest security breaches.

The simple architecture of these sites makes them easy to read and follow. and are platforms that both authors use to publish news while growing their personal professional brand and marketing their expert security analysis services, in the form of e.g. articles in the case of Brian and public appearances in the case of Graham.

Finally, two questions I would like to pose to the reader:
- One for security entrepreneurs: have you already created your own personal brand?
- One for security practitioners, in order to facilitate public awareness of the need for 'effective' security in the organization: do you regularly provide security news to your top executives?

A version of this post in Spanish is available here.

Looking through the glass

Happy reading!