Thursday, December 10, 2015

Security Automation and AWS

In the past I was primarily a software engineer who blogged about software engineering and technology and was exploring and researching security. Now I am moving towards being a security professional that uses software to automate security, networking and compliance. For this reason my old blog has much more information and this one is currently a bit sparse. That, and the fact that a lot of my recent writings now reside on an internal blog for my company to help our developers at my job. Hopefully I will find time to write more here in 2016.

About two years ago, I made a few changes to align with the work I want to focus on in the future, which is based on the work I found most interesting in the past. This entails AWS, security, automating complex processes and analyzing data - especially network traffic and financial data. I was accepted into the Master of Security Engineering program from SANS Institute the same month I started the Seattle AWS Architects and Engineers Meet Up. Through the SANS program I wrote a case study on the Target Breach and a security awareness kit for cloud developers, and have obtained multiple SANS certifications. Additionally I have obtained AWS certification and, as you can see, the meet up has grown quite large.

Many of the projects on my resume are related to automation of processes. I need to add to this list the process for IP allocations and deploying security groups, subnets and NACLs for applications in over 60 VPCs for multiple lines of business. As for data analysis and security, around 2005 I wrote a WAF (web application firewall) after discovering via network traffic anomalies that my web server was hacked. The early pages of this blog include some traffic analysis from someone who was quite clueless about network traffic when I started doing this. By the time I was through I was able to very granularly control who got access to the forms and pages on my web sites based on network traffic, visitor fingerprinting and HTTP request profiles.

Now I am studying packet headers in an advanced intrusion detection class and pen testing, and thinking about how all the things we are doing in information security can be automated. The number of ways systems can and are being compromised is mind-boggling. It is clear that it is not feasible for human review of complex designs that span applications, databases and data warehousing, networking, email systems, storage, back up systems, proxies, domain controllers and much more to prevent all vulnerabilities. Changes are constant and required for a business to innovate and remain competitive. The only way to keep up with the constant change and provide adequate security review, compliance and auditing is through security automation.

AWS is, in a way, the automation of processes revolving around configuration management. It is pure genius. I used to think when I was driving down to my rack at Internap to reboot a server, or attempting to change a hard drive in a custom built server (and frying it because I put the wires in backwards) what a pain it was and if someone could just automate all these horribly manual things their company would explode exponentially. It wasn't a business I particularly wanted to run - I hired someone to run my back ups because these things bore me to the point I don't trust myself to do it. But I wanted someone to do it. And Amazon has. All these manual, time wasting, error prone things we do in data centers and software deployments can be automated, so we software people who live in the logical realm and are not fans of boxes and wires can focus on other things.

When I requested to join the AWS team at Capital One, I had been evangelizing AWS at work (even sent our CIO a link to the Gartner report and a presentation I made after attending the AWS architecture training) but I had no idea at that point the speed at which AWS would be adopted at Capital One or that plans were underway to have our CIO speak at re:Invent in 2015. I simply believed that AWS had matured to the point it was highly feasible for use even at a financial institution, not to mention the benefits it provides to companies trying to remove barriers to innovation. The security processes used by AWS were better than things I had seen being done internally at any company where I had ever worked. The list of certifications offered by AWS Compliance is impressive. I also felt that the speed at which you can automate was unbeatable. The rate at which Amazon produces new features that make development easier cannot be matched by most companies trying to create an internal cloud.

In my opinion, the biggest value AWS provides for security is its tools to manage your inventory, the state of your environment, event triggers and auditing. The things you lose by not running everything yourself are offset by contracts that state what Amazon is responsible for and the ability to have separation of duties and 3rd party auditing of actions taken on the AWS platform by people in your organization. Of course you still need to implement things correctly on AWS to maintain security - but there are a lot of security tools which, for most companies, make things a lot easier and more secure than what they are currently doing in house at this time.

For this reason I'm a huge fan of AWS and hoping to pick up more projects related to security and automation both at work and through my side business on this platform. Hopefully I will be able to find some time to add some additional thoughts here in the near future about how AWS can help companies improve their security posture, if implemented using AWS and security best practices.

If you happen to be reading this prior to January 18, 2016, please register for our upcoming Seattle AWS Architects & Engineers meet up, which will also cover some of these security and automation topics.

Thursday, January 01, 2015


Curl is like a browser that runs from a command line to get content from a web site. I'll explain that in five pieces:

1. View a web page in a browser
2. View the source for that page
3. Use Curl to get source for a page
4. Why is this useful?
5. How can it be detected?

1. View a web page in a browser

To get to a web page you type the URL in a browser.

For example:

What you really received when you requested that web page was a file containing code that your browser interprets and transforms into something you understand.

2. View the source for that page

If you want to see the code you can follow these steps below:

You'll see something like this:

3. Use Curl to get source for a page

Note: download all open source software at your own risk.

Download curl:

Open a command window.

To get the code for a web site (preferably your own - please read last section):

curl [web site url] 

Just like with a web browser it will get the source:

View help:

curl -h 

To put the source you requested into a file:

curl [url] > [file]

curl > radicalsoftware.html

The command above puts the source for into a file called radicalsoftware.html

To see if a specific string exists in the code you retrieved, you can use grep on Linux:

curl [url] | grep [string]

For example if I want to see if there is a line of code in the source that contains the string "F5" I can do that as follows:

I worked on one project at F5 Networks troubleshooting some Java code that was crashing during performance testing, so there's one line of code on my web site with a link to F5 and that line shows up as the output of my command.

4. Why is this useful?

There are many potential uses, good and not so nice. Here are a few:
  • Monitor a web site for a particular value to ensure it is up and running
  • Monitor a web site to see if a particular value appears on that web site that wasn't there originally
  • Monitor your web site content to ensure it was not altered between deployments (one of multiple ways to do this)
  • Scrape all the content from a web site by spidering through all the urls to evaluate the content offline by an automated program (hackers, competitors)
  • Scrape all the visible content from a web site when you don't have FTP or other access to the source code. Generally this is probably illegal activity because anyone who owned a web site would be accessing it through alternative, more efficient means.
  • Automated submission of web requests for performance, security and automated testing -- or for someone trying to use a site in a non-standard, automated way.

5. How can this be detected?
  • Automated traffic from non-sophisticated users of this and related tools will have obvious request headers indicating this is not human traffic.
  • Automated traffic typically has different traffic patterns that don't match human traffic patterns.
  • Excessive, repetitive traffic generally is not human, though it could be an entire organization behind a proxy server.
  • The source IP may be spoofed or compromised, but you can see the IP address sending excessive or repetitive traffic and block it.
  • Abnormal paths through web sites may indicate a non-human visitor.
  • Traffic from IPs in parts of the world where you don't do business is an indication of potential mischief.
  • Placing honey tokens and pages you don't advertise on your web site and then watching for traffic hitting those tokens is an indication of a potential bot.
  • In my case back in 2005 I wrote a kind of web application filter that would analyze requests and block traffic like this. It's not running at the time of this writing. You can see the results of traffic I discovered in this blog's history. Now there are commercial web application firewalls that do similar things.
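To show what the detection list above looks like in practice, here is an added example (not code from the original post) that runs four of those heuristics over constructed web-server log lines in the common "combined" format: a command-line tool user-agent, a honey-token page hit, an excessive request rate, and a crawler-like path pattern. The log lines, the honey-token paths, the thresholds and the host name example.test are all made up for the example.

```python
"""Bot-traffic heuristics over constructed Apache/NGINX 'combined' log lines."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Honey-token paths (assumed): linked from nowhere, so any hit is almost certainly a crawler.
HONEY_PATHS = {"/wp-login-backup.php", "/secret-admin/"}

# User-agent prefixes sent by command-line HTTP tools that nobody bothered to change.
TOOL_UA_PREFIXES = ("curl/", "wget/", "python-requests/", "go-http-client/")

RATE_THRESHOLD = 10      # requests per window that we call "excessive" (assumed)
RATE_WINDOW_SEC = 60
PAGE_ASSETS = (".css", ".js", ".png", ".jpg", ".gif")


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines):
    """Return {client_ip: set(reasons)} for every client that trips at least one heuristic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = defaultdict(set)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for r in recs:
            ua = r["ua"].lower()
            if ua == "-" or ua.startswith(TOOL_UA_PREFIXES):
                flagged[ip].add("tool user-agent")
            if r["path"] in HONEY_PATHS:
                flagged[ip].add("honey token hit")
        # Sliding window over the sorted timestamps: RATE_THRESHOLD hits inside RATE_WINDOW_SEC.
        start = 0
        for end in range(len(recs)):
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > RATE_WINDOW_SEC:
                start += 1
            if end - start + 1 >= RATE_THRESHOLD:
                flagged[ip].add("excessive request rate")
                break
        # Abnormal path: a browser sends referers and fetches stylesheets/images; a spider usually does neither.
        if (len(recs) >= 5 and all(r["referer"] == "-" for r in recs)
                and not any(r["path"].endswith(PAGE_ASSETS) for r in recs)):
            flagged[ip].add("no referers and no page assets fetched")
    return dict(flagged)


# Constructed sample log (documentation IP ranges, fake host example.test): one human visitor,
# one curl user, one honey-token probe, and one address pulling twelve pages in twelve seconds.
BROWSER = "Mozilla/5.0 (Windows NT 6.1) Firefox/42.0"
SAMPLE_LOG = [
    f'192.0.2.5 - - [10/Dec/2015:10:00:01 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "{BROWSER}"',
    f'192.0.2.5 - - [10/Dec/2015:10:00:02 -0800] "GET /style.css HTTP/1.1" 200 800 "http://example.test/index.html" "{BROWSER}"',
    f'192.0.2.5 - - [10/Dec/2015:10:00:40 -0800] "GET /about.html HTTP/1.1" 200 3000 "http://example.test/index.html" "{BROWSER}"',
    '203.0.113.7 - - [10/Dec/2015:10:05:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.35.0"',
    f'198.51.100.22 - - [10/Dec/2015:10:07:13 -0800] "GET /secret-admin/ HTTP/1.1" 404 210 "-" "{BROWSER}"',
] + [
    f'192.0.2.99 - - [10/Dec/2015:10:09:{s:02d} -0800] "GET /page{s}.html HTTP/1.1" 200 2048 "-" "{BROWSER}"'
    for s in range(12)
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, sorted(reasons))
```

Geolocation of the source address (the "parts of the world where you don't do business" check) needs an external IP-to-country database, so it is left out here.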

Saturday, September 13, 2014

Target Breach Case Study

I was curious about what happened exactly in the Target Breach (as much as can be gleaned from publicized documents) and how such a breach might be prevented.

Since I had just started my expedition into the SANS Institute Master of Information Security Engineering program and had to write a paper, one of the options being a case study, this sounded like as good a topic as any. I talked to the SANS instructors, who sent me down the path of white listing software and hardware encryption. I was also able to use the knowledge gained in SANS 5100 - Enterprise Information Security, otherwise known as Security Essentials, Bootcamp Style.

I was then very fortunate to be able to connect with security experts related to POS devices with hardware encryption, a security leader in a major retail organization and a deputy CISO who spoke at an event I attended on the issues faced by security professionals in the current environment.

The whole experience was very gratifying and I greatly appreciate the help from both the people at SANS Institute and the industry contacts, some of whom went to great lengths to help me understand the technologies involved and review the paper in great detail.

I hope others will find ways to prevent further credit card breaches by understanding the nature of the attacks and the pros and cons of the proposed solutions.

One big takeaway from the paper was that the EMV chip protection on people's cards doesn't always work. It seems to me it would be better to prevent the data from being stolen in the first place. There was a lot of publicity about EMV cards after the Target breach which distracted from the reasons the credit cards got stolen in the first place.

Since I wrote the paper I have been reading about VISA's token service, which basically uses a token instead of the actual credit card in the transaction process. This protects the credit card number itself, however if the token is stolen I would think that could be used just as the credit card would be. [edit: met a guy at a meet up who says the tokens are only ever used once - like a nonce? Also card on chip is protected so if you destroy the magstripe failover is not possible. Also Apple is trying to be the pin provider - kind of like multi factor authentication I would guess - but I haven't really looked into any of this myself.] My initial take is that at minimum it is a way for banks to replace the token without having to issue a new credit card and change your credit card account, which in the Target case cost them about $200M. I have not yet researched how this would work with old school POS machines and would assume retailers that had not upgraded would be subject to the same fail over problem as the EMV chip solution (possibly unless you destroy the mag stripe). Maybe I will look into this more later, but right now I have to move on to another class and a new topic.

Tokens and EMV are great ideas, but don't solve the underlying security problems that allow the credit card data (or tokens) to get stolen in the first place. Which brings more value - protection after the fact or underlying security - depends on your place in the credit card food chain (banks paid a lot of money to replace credit cards and refund invalid transactions in the Target case) and how fast all retailers update their equipment to use this new technology. Both would probably be ideal, and improved detection of the theft is probably even more critical.

Another point, reiterated by everyone I spoke with, is that compliance does not equal security. The compliance check lists don't cover all the threats and can't keep up with the number and complexity of the customized attacks.

Understanding network traffic seems like a very important issue given the fact that trusted ports were tunneled and networking equipment designed to prevent malicious traffic for the particular protocols supposedly running on those ports were bypassed.  

Not having enough or adequately trained security staff also seemed to be a factor.

Some of the security experts I met with felt that this must have been an inside job at least in part, however I could not find documentation to support this theory so left it out of the paper.

Overall it was a great experience and I hope some people find value in reading it. I'd love to get feedback.

The paper is now published in the SANS Reading Room - whitepapers section:

Saturday, July 19, 2014


I noticed recently that Brian Krebs, well known (infamous among hackers) security blogger, is writing a book called Spam Nation which is available for pre-ordering on Amazon:

Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door

Then I ran across this interesting blog post about stock spam and the spam kings:

Spam is what started me down this whole security path. I wondered why the heck I was getting 900 spam messages per day. I started correlating the headers and I figured out that the same messages were coming out of servers of large companies like HP and Microsoft as well as smaller companies. I started reporting the spam but no one would do anything about it. I wasn't sure if anyone was really even paying attention to the emails so eventually I stopped reporting and just blocked IPs sending spam from my servers and blogged about it.

I wonder if this stock spammer noted in the post above was responsible for the spam being generated on my server in 2006 which I wrote about in these blog posts:

When I reported to my hosting company (Rackspace) in 2006 that my server was hacked, because it was generating traffic on port 25 that wasn't from any of my systems, they didn't believe me. I was running an online hostel booking system for someone I met in Australia that was clearly hacked. I pinned down anomalous traffic and order patterns. Whenever I restarted my web server, it would get hit in quick succession by five random IP addresses - and it was a very low volume web server. I would then get one small order and no more. I was able to stop the malware initially by turning off my mail server. Miraculously, shutting down my mail server and blocking traffic on port 25 resulted in a huge increase in bookings. Then an odd thing happened. My "customer" in Australia who purchased the business from the original customer complained they were getting too many bookings and weren't getting emails. My next step was to turn off the services one by one until I determined which one was sending the spam. Suddenly my "customer" called and cancelled the web site after the bookings increased once again. It was all very odd.

Now I'm pretty sure that the hack was somehow tunneling through SMTP or at least using SMTP to send messages related to the attack. I have never believed that spam is just spam. There is no way that many people are buying Viagra from a random email. Given that hackers used ICMP traffic to send data between systems in the Target breach I have even more inclination to believe that spam is being used for covert communications that is not all spam or possibly used in some other way to infiltrate systems or remove data.

I had to fight to get my outbound firewall logs turned on to show me all the GOOD traffic back in 2006. I was told not to worry, I have a firewall. It's all just noise. The first sys admin wouldn't do it for me. I called back later in the evening when I knew a different person would pick up the phone and had a better idea what to ask for so I sounded like I knew what I was talking about. (I was a bit clueless then trying to figure things out with no help from anyone).

When I was able to pinpoint the malicious activity and showed my hosting company the traffic on port 25 that wasn't mine, no one would believe me. They said they ran a virus checker and everything was fine. In fact, I got the boot from RackSpace. They paid me to go away.

Do you believe me now?

Not that I care anymore. 

I'm just really curious what the book will say and if it will give me any additional insight.

Sunday, June 29, 2014

Amazon Account Phishing Email

Amazon phishing email...
Received: by with SMTP id v125csp390758oif;
        Fri, 20 Jun 2014 17:13:32 -0700 (PDT)
X-Received: by with SMTP id gg15mr7635763wic.0.1403309611555;
        Fri, 20 Jun 2014 17:13:31 -0700 (PDT)
Received: from ( [])
        by with ESMTP id f9si4695864wie.75.2014.
        Fri, 20 Jun 2014 17:13:31 -0700 (PDT)
Received-SPF: none ( does not designate permitted sender hosts) client-ip=;
       spf=neutral ( does not designate permitted sender hosts)
Received: from ([])
 by with bizsmtp
 id GoDW1o00c11am7y01oDWtF; Sat, 21 Jun 2014 02:13:30 +0200
Received: (qmail 21984 invoked by uid 19142416); 21 Jun 2014 00:13:30 -0000
Date: 21 Jun 2014 00:13:30 -0000
Subject: update your account
X-PHP-Originating-Script: 19142416:send.php(2) : eval()'d code
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: amazon>
Your account will expire in less than 48 hours.
it is imperative to conduct an audit of your information is present, otherwise
your account will be destroyed . Just click the link below and log in using your
email and password.

by clicking here

For more information, see Questions and answers.

Sincerely,
Amazon

Copyright 2014 amazon, Inc. All rights reserved. amazon is located at 2211 N.
First St., San Jose, CA 95131.

Target Breach and related POS Breach Articles

Articles about the Target breach:

Number of cards updated to 70 million
Missed alerts:
Human considerations:
Federal lawsuit
Removal of corporate officers:
CISO should report to CEO
Target CEO Resignation Due To Security Issues
Cards Sold on Black Market
Started with an Email attack against HVAC vendor
Ward Off POS Attacks
Chip Cards to Prevent Credit Card Information Loss
Talent in Hacking, Not Security
EMV (Chip and Pin) credit cards alone cannot protect data
Car Washes had PC Anywhere installed on computers. End of life by Symantec, not used in years.
Tips for Protecting Point of Sale (POS) systems
Small business & mobile POS
Protecting POS systems
Separate VLANs
VLANs vs Subnets
PCI is not enough, POS Malware kits, warnings and auditing software ignored or shut off
FBI warns of more retail attacks
Hackers that wrote the malware
Memory scraping malware
PCI Compliance
Joined Financial Information Sharing Center
What has done to prevent
Waiting for a major problem before taking action:
Chip and Pin Solution
Attacks on key employees
VLANs vs Subnets
POS security:
Net diagram - hunch
Monday, May 26, 2014

Windows NCSI (network connectivity status indicator) - Annoying.

While reviewing my network traffic in Wireshark (analyzing packet headers, studying for GIAC) I discovered my computer was connecting to a Microsoft domain with "ncsi" in it. I looked it up and it is for a service called Network Connectivity Status Indicator. It pings Microsoft every so often to figure out if you are connected to the Internet or not. That's annoying useless traffic if you ask me, plus it's like big brother is watching. I figured out how to turn it off here:

It worked fine in Windows 7. In Windows 8 you get this screen that makes it look like it's not working when really it is - you connect to the Internet just fine but Microsoft reports that your wireless connection has "limited" connectivity.

When I turned this feature off it seems like my connection is faster. Not sure if just imagining. Didn't actually measure but really noticing a difference.

I also noticed this traffic was again on Edgecast CDN. As noted on Twitter (@teriradichel), Edgecast is a CDN therefore should be directing me to the nearest point to get the content which seems to be a point in Washington or Oregon. Instead they were sending HTTP traffic from my machine to Europe. That happened yesterday - didn't see that traffic today.

Sunday, May 25, 2014

UPnP - SSDP Protocol

Doing some protocol analysis for a security test and noticed a lot of SSDP traffic in Wireshark. Wondering what it was and the security implications so did some research.

This protocol is used for UPnP (Universal Plug and Play), which allows you to easily connect devices on your network. In theory. It is an HTTP-like protocol which works with NOTIFY and M-SEARCH methods and has destination multicast IP address

It may be a good thing - helping you connect to your printer, TV, etc.

Unfortunately it also has a long history of security flaws and can be used to carry out DoS attacks. Some research below.

What it is:

Disable in Windows 7

US-CERT, the National Vulnerability Database and Cisco reported in January 2014 that UDP-based amplification attacks may use SSDP as one of the protocols that facilitates Distributed Reflective Denial of Service (DRDoS) attacks:

Denial of Service attack noted by FortiGuard:

In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:

Whitepaper from January 2013 discussing UPnP security flaws:

Another article on exposed devices from February 2014:

ThreatPost found 50 million potentially vulnerable machines responding to UPnP, exposing SOAP API that can allow access behind firewalls:

A SANS report in 2002 discusses some UPnP flaws when it was released by Microsoft:

Not completely disabled due to Windows Messenger Issue:

Code - connecting to devices using SSDP
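As an added example (not code from the original post or from any of the linked research), here is a small dissector for the HTTP-like SSDP messages described above, with a check that relates to the DRDoS reports: it tallies, per requesting address in a capture, how many response bytes a device sent back per M-SEARCH byte received, and flags discovery requests that arrived from outside the local network, since legitimate discovery only comes from on-link hosts. The multicast group 239.255.255.250:1900 is the protocol's standard address; the local network 192.168.1.0/24, the router at 192.168.1.1 and the datagrams themselves are constructed for the example, and nothing here touches the network.

```python
"""SSDP dissector plus reflection/amplification tally over a constructed capture."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

SSDP_GROUP = "239.255.255.250"   # standard SSDP multicast address
SSDP_PORT = 1900


@dataclass
class SsdpMessage:
    kind: str                                   # "M-SEARCH", "NOTIFY" or "RESPONSE"
    headers: dict = field(default_factory=dict)  # header name (upper-cased) -> value
    size: int = 0                               # datagram length in bytes


def parse_ssdp(datagram: bytes) -> SsdpMessage:
    """Dissect one SSDP datagram: an HTTP-style start line followed by header lines."""
    text = datagram.decode("ascii", errors="replace")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    start = lines[0]
    if start == "M-SEARCH * HTTP/1.1":
        kind = "M-SEARCH"
    elif start == "NOTIFY * HTTP/1.1":
        kind = "NOTIFY"
    elif start.startswith("HTTP/1.1 200"):
        kind = "RESPONSE"
    else:
        raise ValueError(f"not an SSDP message: {start!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return SsdpMessage(kind, headers, len(datagram))


def amplification_report(packets, local_net):
    """Per requesting address: M-SEARCH bytes in, response bytes out, their ratio, and whether
    the request came from off-link (a reflection tell: discovery should only arrive from on-link hosts).
    packets is an iterable of (src_ip, dst_ip, payload_bytes) in capture order."""
    net = ipaddress.ip_network(local_net)
    stats = defaultdict(lambda: {"requests": 0, "request_bytes": 0, "responses": 0,
                                 "response_bytes": 0, "off_link": False, "factor": 0.0})
    for src, dst, payload in packets:
        msg = parse_ssdp(payload)
        if msg.kind == "M-SEARCH":
            entry = stats[src]
            entry["requests"] += 1
            entry["request_bytes"] += msg.size
            if ipaddress.ip_address(src) not in net:
                entry["off_link"] = True
        elif msg.kind == "RESPONSE" and dst in stats:   # reply to someone who asked
            stats[dst]["responses"] += 1
            stats[dst]["response_bytes"] += msg.size
    for entry in stats.values():
        if entry["request_bytes"]:
            entry["factor"] = entry["response_bytes"] / entry["request_bytes"]
    return dict(stats)


# --- constructed datagrams (shapes follow the UPnP discovery messages; values are made up) ---
def _msearch(st="ssdp:all"):
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {st}\r\n\r\n').encode()


def _response(st):
    return ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
            "LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
            "SERVER: Linux/3.x UPnP/1.0 ExampleRouter/1.0\r\n"
            f"ST: {st}\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::{st}\r\n\r\n").encode()


NOTIFY = (f"NOTIFY * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\nNT: upnp:rootdevice\r\n"
          "NTS: ssdp:alive\r\nLOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
          "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n").encode()

# (src, dst, payload): a normal on-link discovery with one reply, then one tiny request that
# arrived from an outside address (198.51.100.77, a documentation range) answered three times.
SAMPLE_PACKETS = [
    ("192.168.1.1", SSDP_GROUP, NOTIFY),
    ("192.168.1.20", SSDP_GROUP, _msearch()),
    ("192.168.1.1", "192.168.1.20", _response("upnp:rootdevice")),
    ("198.51.100.77", "192.168.1.1", _msearch()),
    ("192.168.1.1", "198.51.100.77", _response("upnp:rootdevice")),
    ("192.168.1.1", "198.51.100.77", _response("urn:schemas-upnp-org:device:InternetGatewayDevice:1")),
    ("192.168.1.1", "198.51.100.77", _response("urn:schemas-upnp-org:service:WANIPConnection:1")),
]

if __name__ == "__main__":
    for ip, entry in amplification_report(SAMPLE_PACKETS, "192.168.1.0/24").items():
        print(ip, entry)
```

Run against real traffic, the packet tuples would come from a pcap reader; a device answering off-link M-SEARCH requests with a factor like the one shown is the behaviour the disable-UPnP advice above is meant to remove.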

Thursday, March 27, 2014

Advanced Persistent Threats - Cloud Security Alliance - Notes

Zscaler presentation -

Advanced Persistent Threats - an attacker who is persistently, repeatedly, stealthily trying to break into your system until they succeed.

No single solution solves this problem.

Look at outbound traffic to figure out what is escaping.

Plan for failure.

APTs will get into the system in ways you never thought possible.

Attackers seek error pages that reveal system information useful in attack.

Leakage = systems returning information in error messages and failures.


SQL injection - many steps to get database structure piece by piece until finally able to create a query to steal all credit cards.

Using view source on web pages to find information not visible on the pages.

Applications need to have security built in up front.

Phishing is number one way APTs are getting into systems.

Look at traffic going in both directions.

Attacks are sending data encrypted. Need to look at SSL traffic.

Inspect mobile devices - laptops, phones.

Log everything

Correlate logs (use SIEM)

Forensics is only as good as the data provided.

The better the interactive reporting, the faster you can respond.

Protect everything, always, everywhere.

All users - especially executives.

All devices (especially mobile)

All content - especially encrypted

- block or inspect - Downloads/ executables
- Data Loss Prevention

If all else fails - disconnect the Internet (ha.ha.)

Sunday, March 16, 2014

Pfizer - Spam

Today I have 5,634 spam messages (since my last post).

No wait, 5,636.

Just in case you'd like to see, the frequency is about one every 30 seconds.

Pretty much all of them are coming from American Pfizer. Supposedly. But as my last post shows the mails are coming from all over the world.

 Oh wait - make that 5,639.

Hmm. Interesting.