Thoughts on 2013

I awoke at the start of 2013 and life was spectacular. I was a few months married (bank accounts reset), had put together a rough plan for honeymooning around the US and had even started buying flights etc. (bank accounts reset, take two). I had also recently had some really interesting discussions with @WadeAlcorn regarding a potential “little” side-project, and of course there were all the other bits and bobs I was spending time with, various Rails, jQuery and AWS projects. I can’t forget to mention my continued efforts on what I was doing in the 9-5, providing the absolute best information and application security consulting advice and services to our customers that I could.

On the personal front, 2013 saw my love and adoration for my wonderful wife Tenille continue to grow and flourish. We had our highs and lows, moments of despair and absolute joy. Some of the best times of my life I’ve experienced over the past few years, and 2013 was no different. Our trip to LA, Portland, Seattle, New Orleans and Hawaii was nothing short of absolutely spectacular. We got to experience some fantastic music events (The Bronx in their hometown, LA, in an amazing art deco theatre; Local Natives in a 100 year old ballroom in Portland; The New Orleans Jazz Festival), some fantastic meals (in particular the cuisine we sampled in Portland and New Orleans), some breathtaking beers (once again, thank you Oregon you wonderful state of beer) and amazing scenery, particularly in Hawaii.

Shortly after returning home we were welcomed with the news that we would be having a little baby within about 9 months. With excitement and trepidation we both knew that our lives were about to change for ever.


Throughout the entire year I also found myself spending more and more time on that side-project with Wade, co-authoring the Browser Hacker’s Handbook. Working so closely with Wade and Michele @antisnatchor was also filled with amazing highs and lows. As far as challenges go, working on this book has easily been one of the more difficult things I’ve been involved with. Not just from a research point of view, but re-discovering how to apply a high degree of rigour in writing in a consistent, concise and clear manner. Oh, and let’s not forget the endless cycles of reviewing and reviewing and reviewing. I would be lying if I said there weren’t a few moments where I wanted to throw in the towel, but working with these two brilliant security researchers and professionals (not to mention the other talented contributing authors and reviewers we’ve been fortunate enough to get involved) has been such an amazingly fulfilling experience that I’m glad I didn’t. Over 1,100 emails and 2,000+ commits later and the book is getting very close to completion.

On other projects I continued my efforts with BeEF (various back-end and front-end commits, with a focus on the rex console UI, (mobile) browser detection, LastPass SE modules, and an implementation of WebRTC internal IP detection).

I also released my first version of the SAMM Self Assessment tool, which immediately got some interest from the OpenSAMM project leads for further inclusion with the official OWASP Project. I really enjoyed hacking this together, not only because I got to spend some time with jQuery, but also because it was a really good opportunity to play with deploying and scaling this Rails app on AWS services with the excellent Rubber tool (a cloud-wrapper for capistrano). With a few clicks of a button I’m able to scale app servers and DB servers, and then add/remove them from Amazon’s Elastic Load Balancers. Combine this with S3 and CloudFront to provide a CDN for all the static assets (once again, automatically pre-compiled during a deploy to EC2) and voila. I must admit, it was really fun to spend some time seeing how the app would hold up with load thrown against it.

I can’t forget the ongoing maintenance of the Devise Google Authenticator gem for Rails’ Devise. Hopefully one of the quicker ways to provide 2FA to your Rails apps. The GH project has 83 stars and the gem has been downloaded over 7,000 times from rubygems, so that’s not too bad.
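Since the gem is mentioned but not what it does under the hood, here is an added example of the mechanism behind Google Authenticator style 2FA: RFC 6238 TOTP over HMAC-SHA1, plus the two server-side checks that matter most (a small clock-drift window and replay protection). This is my own illustration, not code from the Devise Google Authenticator gem; the function names, the 30 second step, the ±1 step drift policy and the sample secret are all assumptions made for the example.

```ruby
require 'openssl'

# Added example, not the devise-google-authenticator gem's code.
# TOTP as Google Authenticator implements it: HMAC-SHA1, 6 digits, 30 s steps.
TOTP_STEP   = 30
TOTP_DIGITS = 6

# Decode the base32 secret the user scanned into the authenticator app.
def base32_decode(str)
  alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  bits = str.upcase.delete('=').each_char
            .map { |c| alphabet.index(c).to_s(2).rjust(5, '0') }.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226) for one counter value, using dynamic truncation.
def hotp(secret_bytes, counter)
  msg    = [counter].pack('Q>')                     # 8-byte big-endian counter
  hmac   = OpenSSL::HMAC.digest('sha1', secret_bytes, msg).bytes
  offset = hmac.last & 0x0f
  code   = ((hmac[offset] & 0x7f) << 24) |
           (hmac[offset + 1] << 16) |
           (hmac[offset + 2] << 8) |
           hmac[offset + 3]
  (code % 10**TOTP_DIGITS).to_s.rjust(TOTP_DIGITS, '0')
end

# TOTP is HOTP with the counter derived from the current time step.
def totp(secret_bytes, unix_time)
  hotp(secret_bytes, unix_time / TOTP_STEP)
end

# Constant-time comparison so a timing side channel cannot leak digits.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify a submitted code. Accepts `drift` steps of clock skew either way,
# and refuses any step at or below the last one this user already consumed,
# so a code observed in transit cannot be replayed inside its window.
# Returns the accepted step (store it as the new last_used_step) or nil.
def verify_totp(secret_bytes, submitted, unix_time, last_used_step, drift: 1)
  now_step = unix_time / TOTP_STEP
  (-drift..drift).each do |d|
    step = now_step + d
    next if step <= last_used_step
    return step if secure_compare(hotp(secret_bytes, step), submitted.to_s)
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed secret: the RFC 6238 test seed "12345678901234567890" in base32.
  secret = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')
  puts "code at t=59: #{totp(secret, 59)}"
  puts "accepted step: #{verify_totp(secret, totp(secret, 59), 59, -1).inspect}"
  puts "replay:        #{verify_totp(secret, totp(secret, 59), 59, 1).inspect}"
end
```

The drift window is the usual trade-off: one step either side tolerates a phone clock that is up to 30 seconds off, while the `last_used_step` check means that even inside that window each code is good exactly once.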

I’ve also been spending a fair amount of time working on a simple threat modelling application, but you’ll have to watch this space for more on this throughout the year.

On the professional side of my life Asterisk has continued to grow and grow. We’re in the process of moving into new premises and we’ve grown by a couple of excellent consultants too. Our first employee is not only someone I deeply respect, but I would consider a good friend, so I’m super happy that Jarrod agreed to dive into the exciting ocean of boutique information security consulting with us. We’ve been beating our targets, and things are feeling really positive, so I’m very excited to see how we continue to grow in 2014.

2013 ended on the highest peak when Tenille brought our little baby girl into the world. We’ve only been home with her for a few days now, but I’m so amazed with how well both she and Tenille are doing.

Here’s to 2014 being even better!

SAMM Self Assessment Tool

This is primarily a reblog from our Asterisk Labs post here:

Over a year ago I wanted to have more of a play with Rails and jQuery, at the same time, I was also interested in providing a really quick way for people and organisations to perform a lightweight OpenSAMM self-assessment. And so SSA was created.

–Original Post–

Asterisk are happy to be releasing their first public beta of the SAMM Self Assessment Tool, or SSA. One of our favourite OWASP projects is the OpenSAMM project, and for those who haven’t seen OpenSAMM before, it is a framework to help organisations to evaluate their current software security practices, and build measurable targets and plans for improving these practices.

Part of OpenSAMM includes conducting assessments (you can’t manage what you can’t measure right?). The OpenSAMM methodology categorises these assessments as either Lightweight or Detailed. SSA aims to provide a very simple way to perform this Lightweight assessment, and compare your current status with some pre-canned target states. And literally, that’s it.
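To make the “compare your current status with a target state” idea concrete, here is an added example (my own illustration, not the SSA application’s code) that scores a lightweight assessment across the twelve OpenSAMM 1.0 security practices and lists the gaps against a target profile. The scoring rule (a level counts as reached once every question at that level and below is a yes, with a trailing “+” for partial progress into the next level), the two-questions-per-level layout and the sample answers are assumptions made for the example.

```ruby
# Added example, not the SSA app's own code. Models an OpenSAMM 1.0
# lightweight assessment: 12 practices, each scored at maturity level 0..3,
# then compared against a target profile to list the gaps.

SAMM_PRACTICES = {
  'Governance'   => ['Strategy & Metrics', 'Policy & Compliance', 'Education & Guidance'],
  'Construction' => ['Threat Assessment', 'Security Requirements', 'Secure Architecture'],
  'Verification' => ['Design Review', 'Code Review', 'Security Testing'],
  'Deployment'   => ['Vulnerability Management', 'Environment Hardening', 'Operational Enablement']
}.freeze

# Scoring rule assumed here: level N is reached when every question at
# levels 1..N was answered yes; '+' marks partial progress into the next
# level (some, but not all, of its questions answered yes).
# answers: three arrays of booleans, one per maturity level.
def practice_score(answers)
  level = 0
  answers.each do |level_answers|
    break unless level_answers.all?
    level += 1
  end
  partial = level < 3 && answers[level].any?
  [level, partial]
end

def format_score(level, partial)
  "#{level}#{partial ? '+' : ''}"
end

# Score every practice: { practice => [level, partial] }
def assess(responses)
  responses.transform_values { |answers| practice_score(answers) }
end

# Compare scores with a target profile { practice => wanted level } and
# return only the practices that fall short, with how many levels short.
def gaps(scores, target)
  target.each_with_object({}) do |(practice, want), out|
    level, _partial = scores.fetch(practice)
    out[practice] = want - level if level < want
  end
end

# Constructed sample: two yes/no questions per level, all "no" by default.
def sample_responses
  blank = -> { Array.new(3) { [false, false] } }
  r = SAMM_PRACTICES.values.flatten.to_h { |p| [p, blank.call] }
  r['Strategy & Metrics'] = [[true, true], [true, false], [false, false]]   # 1+
  r['Threat Assessment']  = [[true, false], [false, false], [false, false]] # 0+
  r['Code Review']        = [[true, true], [true, true], [false, false]]    # 2
  r['Security Testing']   = [[true, true], [true, true], [true, true]]      # 3
  r
end

# Constructed target profile for a hypothetical organisation.
SAMPLE_TARGET = {
  'Strategy & Metrics' => 2, 'Threat Assessment' => 1, 'Design Review' => 1,
  'Code Review' => 2, 'Security Testing' => 2
}.freeze

if __FILE__ == $PROGRAM_NAME
  scores = assess(sample_responses)
  SAMM_PRACTICES.each do |function, practices|
    puts function
    practices.each { |p| puts "  #{p.ljust(26)} #{format_score(*scores[p])}" }
  end
  puts "Gaps vs target: #{gaps(scores, SAMPLE_TARGET).inspect}"
end
```

The gap list is the useful output for a defender: it turns a sheet of yes/no answers into the handful of practices that actually need a plan, which is exactly the “current state versus target” view the assessment is meant to give.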

We’ve used this tool on a number of engagements to quickly gauge where an organisation is, and it’s certainly helped with figuring out the ‘current state’ of an organisations software security maturity.

There are currently two different ways you can use SSA:

  1. You can visit and complete the checklist directly. You don’t even have to save your assessment anywhere if you don’t want to. On the other hand, if you want to store your results, there are a few ways to do that, such as in your cookies or online in a database. For online storage you need to Sign Up, either with a username and password (please don’t re-use your passwords folks), or you can sign in with a Google account too.
  2. Clone a copy of the Rails app and spin it up somewhere locally. We recognised quite early on that some organisations may feel uncomfortable with tracking this sort of information on the Internet, so, if you have the capability, sure, feel free to clone the repository locally and do what you wish.

SSA is being released under an MIT license, and our intent is to give it back to the OWASP community for further enhancements. We have a high level list of proposed features available on the GitHub page, but currently they’re being developed on a ‘When Christian Has Time and is Sober’ timescale. SSA forms part of our Toolkit, of which we’re slowly publishing other tools and utilities too. So watch this space!

As always, we’re really interested in your feedback, queries, concerns, issues. So feel free to send us queries via @asteriskinfosec or as Issues on the GitHub project.

Week of Big Data Sec Viz (hehe), Android Assessments, Rubygems Compromise, Phishing and a bunch of awesome vids


Just some security things that I’ve found interesting (read: they rocked)..

5 Minutes with the Packetloop Beta – The Packetloop presentation at Ruxcon last year was one of the highlights for me; Michael Baker did a really good job of demonstrating (even last Nov) the use of compute clusters to analyse large data sets and give the security defender a heads up. This video is a really good look at the UI and yeah, it combines a bunch of stuff I enjoy, especially visualisation and large-data-set analysis. (Phew, got through that without saying cloud or big data!)

Android Application Assessment – A fairly extensive walkthrough of performing an app assessment against apps on Android. Nuff said.

Rubygems Site Recovers from Compromise – I’m a little slow in posting about this, but the community driven rubygems site suffered a breach due to the recent Ruby YAML issues that surfaced a couple of weeks ago. Apart from the article, I actually found their incident response process interesting: they shifted their ‘working’ log to gdocs (check it here).

How do I phish? – @Zeknox (Brandon McCann) writes up a fairly in-depth look into how he performs phishing campaigns as part of penetration testing exercises. A good one to bookmark for when you need to perform these sorts of assessments yourself. (Thanks again to Rob Fuller for this).

Bill Shocker – hits 600,000+ Android phones! (Exclamationpoints). (In China only?) From what the article seems to be stating, this malware turns the phones into a botnet, although currently it appears to be using them for sending SMS’ at the profit of the attackers.


… and then a bunch more non-security stuff …

It’s All Academic – Andy Budd writes up a great article on the disjoint between academics and those working in the web industry. The ‘paraphrased’ conversation is great, and something that I found very odd when I shifted from academics into the industry.

The larger our past gets the smaller our present feels – A great short film that Kottke posted the other day. Great style, and, interesting message about time, and our perception of time as we age. This is certainly something I’m starting to perceive as I get older, and things get more and more difficult.

Valve & JJ Abrams Working on a Movie – I’m a gamer, well, when I have time (which, this year is looking very unlikely), and this news is fairly interesting .. but .. the cynic in me is sort of assuming it’s just gonna suck.

Mockumentary on Physically Unlikely Amusement Park Rides – .. this .. this was fantastic. I really enjoyed the style, the scientist, the ridiculous rides, and how it starts off and is ‘almost’ realistic, but then just plummets into the ‘wtf’. It sort of made me think of Cube.

Recent Readings on Safe Coding, Extracting DLLs, Lockpicking, Stripping, Photography and Git

Security articles I flagged (for fun or .. whatnot):

Are You Practicing Safe Coding? – Personally I have a love/hate relationship with this style of infographic; this one in particular is almost like a flattened marketing slidedeck. Eh. Anyway, this image does hold a lot of stats in a single place, and does have a fairly open call to action to check out the rest of Veracode’s stuff. (Oh, and don’t forget that infographics are ruining the web).

HowTo: Extract ‘hidden’ API-hooking BHO DLLs – Ever had a chance to play with Volatility? If you haven’t, definitely check it out. Great way to analyse volatile memory. This tute walks through trying to find a malicious browser helper object hooked into IE performing some nasty MitB (man-in-the-browser) stuff.

Turn a Bra Underwire into a Lock Pick – Need I say more? This is a security article AND an awesome party trick!

10 Evil User Tricks for Bypassing AV – Thanks to @mubix‘s #sharedlinks.

Cross Device Attacks using Cloud Sync (iCloud example) – Nitesh writes up another Apple-esque security article. This time looking at how, whilst iOS is generally considered a secure platform, when you introduce syncing applications you introduce a weaker link in the chain, namely, a desktop computer. This is compounded when you’re using syncing applications for business processes, which are also then synced to your crappy out of date home PC. All this and more! (read the article ya slackers).

Hacker Blackmailed 350 Women into Stripping on their Webcams – .. Social engineering .. what can’t it do?

Security flaws in UPnP – millions at risk – When the R7 guys aren’t making MSF kick ass, they do security research. This is unlikely to be the first time you’ve heard about this issue as it’s done the rounds lately. I’m aware they offer some self-test tools now too if you want to check if you’re vulnerable.

.. The rest of these are not so security focused (but .. sort of..).

Awesome secret drawer – Watch the embedded Vimeo – this wooden chest with the hidden drawer is fantastic.

Poor Sleep Prevents Brain from Storing Memories – I have a pretty shocking memory. Sometimes I don’t sleep too well. I’m not really convinced in my case these issues are related.. but, interesting research regardless.

Eddie Adams’ Pulitzer Winning Image – This is the well known (and super powerful) photo from Feb 1st 1968, Vietnam. There are not many art forms where the power of your creation is something which even you as the creator can’t bear to face. Interesting insight into the image and the impact it had on society and the photographer.

MS embracing (Open Source) Git – I found the MS article provided a much clearer picture of their intents, and their approach to open source software, especially compared to the original article.

Recent Readings on Criminals, Android Botnets, Pen Tester Bootcamps, Stealth Films and SPAAAACE TRAVEL

Written to the sweet relaxing sounds of the new Villagers album, Awayland (for those indie fans). I know I’m a bit late on my ‘attempt to post every Friday’ post thing, but, Friday turned into a bit of a clusterfudge, so excuse the delay (plus, Australia day over the weekend <insert dranks>).

Security articles that caught my attention:

Actually, I really was a criminal.. – I found Rich’s post really insightful and refreshing. I also think it’s a fairly common occurrence for those involved in the info sec space to have done similar things themselves, just, not as common for those people to publicly post about it. Kudos.

Android Botnet Infects 1 Million Plus Phones – I didn’t read too much into the ‘extremist’ title of this post, but, I don’t think that this sort of thing should be too surprising to security peeps. Phones are just computers right? And as they continue to grow in popularity and drop in price, well, of course malicious actors are going to focus their attention on them. I know a personal interest of mine is in using BeEF to target mobile devices; in this way, you could effectively coerce an untold number of devices to perform actions on your behalf just through their browser.

Pen tester launches infosec bootcamp – I’m glad to have worked with, and hung out with, Snyff on a few occasions, and I’ve gotten a lot out of his PentesterLab for quite some time, so now that he’s making more of a move to make this material available, this can only be a good thing. Another one of Snyff’s ‘free’ services is the PNTSTR Bot. His bot sends me a ‘pen tester’ question once a week via a DM. It’s a great little ‘test yourself’ activity that takes less than 30 seconds, and, I look forward to the challenge every week.

Movie filmed entirely in Disney Theme park – Not strictly a digital security post, but, I certainly found the concept really interesting. The crew and actors pretty much had to ‘stealth’ film the movie, referring to mobile phones for notes and scripts, and using camera setups as discreet as possible. I hope this inspires more of these sorts of things.

Application Framework Security – Jerry Hoff over at OWASP has started a new Project to document the security controls available in common development frameworks. It’s a good reference (if just at the beginning), and hopefully it can be extended to integrate and interlink with other OWASP projects like the T10, ASVS, etc.

Some tech/dev stuff:

Visual Event – for when you need to dig into JS events. Hat tips to Vitaly for the link.

LICEcap – for when you need to capture a portion of your screen and immediately convert it into an animated GIF. .. obviously for .. you know .. legitimate reasons.

MS Going its own way on Audio/Video spec – .. god damnit WHY does this shit happen? Just when you think browsers are starting to all meet at an apex of compatibility *bam* – we’re going to do our own thing. I really dislike IE, mainly because of the experience and bloat of it, but, there’s all this underlying gumpf that, when I think about it, also grinds my gears. (Goes back to rocking backwards and forwards on his angry man chair).

Firefox Phone – I’ve seen a few presentations on the Boot to Gecko (BTG) / Firefox OS over the past 12 months. Primarily at OWASP events. And I’ve been interested in the ‘everything is a web app’ phone (a little bit like Chrome OS), except, in this case, everything is HTML and JS. Obviously from a BeEF point of view I was salivating, but, from a new player in the space, I’m also keen to see how it goes. Plus, obviously, being completely customisable.

Motivational / inspirational (?):

Putting Things Into Perspective: Space – I was enthralled by the entire 19 minute vimeo, and it was one of those moments (that you may not experience that often) when you realise just how small we all are, and how profound it must be to a) see the entire earth under you and b) see the sun surrounded by the darkness of space, as opposed to the blue sky we normally associate with the sun.