Wednesday, December 15, 2010

Meet Evan Kohlmann: The Terrorist Search Engine

However, despite having an unprecedented success rate in court as an "Expert Witness" in putting bad guys in jail, a lot of IT Security Experts are questioning his research and investigation methods.

One good question from a fellow IT Security Professional posted at Schneier on Security:

@Clive "court recognized Expert Witnesses"

This is related to the profile on Kohlmann. There was the comment on "if his method is sound". Well what's an expert? Someone who knows what they are talking about. How can you tell they are an expert? They know more than me.

Kohlmann should be being challenged by the opposition lawyers as to his qualifications and knowledge. But what can a lawyer really know about any experts’ area? They usually just get the CV and "has testified in many trials of this nature" kinds of anecdotal assurance. While the opposition can try to challenge an expert's testimony they really can't try to impeach an expert, can they?

They are limited to putting their experts up to testify, to rebut the other side’s expert. So the jury has two sets of conflicting expert opinion. What's needed is an expert cross examining the witnessing expert to reveal those misstatements, lies, distortions, and 'reduction in detail' that technical people use to make complex ideas understandable by executives, lawyers, judges, and their juries.

In my opinion, every research and investigative methodology, framework, etc. used by an expert for Computer Forensics purposes and presented in court should be heavily scrutinized, no matter how effective and successful it is when it comes to putting bad guys in jail. Of course we value the credibility and integrity of the Expert based on his track record, but as technology progresses, things are getting easier to manipulate digitally, or even worse, "hacked".

But Evan Kohlmann, I think this guy is legitimate. His obsession with tracking terrorists on the Internet for years is what made him an expert in this field of investigative IT research slash counter-terrorism. I think you can compare him to an 18-year-old teenager obsessed with browsing Facebook, looking for new and old friends.

Sunday, October 10, 2010

Defenders of the Cloud: Certificate of Cloud Security Knowledge (CCSK)

As Cloud Computing adoption rises, more and more experienced IT Security Professionals are suiting up for the challenge, upgrading their existing arsenal with new concepts and best practices for securing the various layers and components that make up Cloud Computing.

Since I am in the IT Security and Cloud Computing industry, I am starting to notice the certification initials "CCSK" alongside their CISSP, CISA, CEH, Security+, PMP, ITIL and other noteworthy titles. This is a strong indication that IT Security Professionals do recognize the new challenges that Cloud Computing brings to the table.

The Certificate of Cloud Security Knowledge (CCSK) is pioneered by the Cloud Security Alliance (CSA). So far, the industry support for the first-ever certificate in cloud security knowledge is showing accelerated growth, garnering support and participation even from major companies.

As one of the early adopters of the certification, the main reason I want to be part of the initiative is to show my dedication and passion for the new technology and to play my part in generating a positive public perception of how individuals, small businesses and large enterprises can harness the power of the cloud without worrying about too many risks.

There is a big gap between traditional Information Technology security concepts and Cloud Computing security concepts. The co-mingling of data from various customers on a centralized or shared server is one of the major characteristics of Cloud Computing as defined by the National Institute of Science and Technology (NIST). This gap is what the Cloud Security Alliance aims to fill, by providing industry-standard best practices on how to adopt and implement Cloud Computing securely. Cloud Computing adoption is all about losing control in a gracious manner.

Learn more about the Cloud Security Alliance Certificate in Cloud Security Knowledge (CSA-CCSK) here:
Cloud Security Alliance

Other noteworthy links:
NIST Cloud Computing Group

Thursday, July 29, 2010

RTP Packet inspection without hurting the quality of the voice

Nice, I would like to try this solution: deep packet inspection on RTP streams coming into (and out of) your enterprise network without degrading the quality of the voice:

Attackers can spoof the firewall and SBC into determining that the RTP stream is safe to relay. Passing the attacks through the RTP stream is called Vunneling. The alternative is to inspect the RTP packets which can slow down the transmission and distorts the voice.

The Salare solution, vPurity software, relies on a number of techniques to solve the Vunneling problem. Network Behavior Analysis (NBA) is employed by Salare. The passive NBA technique is well known for producing many false positive and false negative alerts. Salare's Active NBA virtually eliminates false positives. This is accomplished by introducing stimulus events and observing the reaction or non-reaction. This provides accurate and precise recognition of the traffic types passing through the network.

The Salare technique inserts distortion in the packet that destroys embedded data and executable transmissions; this distortion is not perceptible by the listener. The insertion does not impact the quality of the voice conversation.

Complete article and links here:

Wednesday, April 7, 2010

Making the Cloud Trustworthy

Yet another Cloud Security initiative, this one from pioneer computer networking company Novell.

"Mission Statement: To Promote Education, Research and Certification of Secure and Interoperable Identity in the Cloud

The Trusted Cloud Initiative will help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. We will develop reference models, education, certification criteria and a cloud provider self-certification toolset in 2010. This will be developed in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate."

Trusted Cloud focuses on the notion that eventually it will be us users, and the industry itself, that will make the Cloud more secure and trustworthy. We need to start trusting the Cloud. We need to start educating users on what to expect and what not to expect when they join the Cloud Computing bandwagon. We need to reiterate to users that the Cloud is not the solution for the recession. And finally, we need to let them know that Cloud Computing services, be it Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS), are now a mature and capable platform that promotes the alignment of business and IT objectives. Trusting the Cloud is a win-win situation, but of course with a few caveats.

We just don't have the solid security framework yet to manage and implement effective IT controls, which is what the guys at and are working on. It might be early, but I would like to thank these guys for driving the Cloud Computing community down the right path of security with common sense in mind, and not completely reliant on well-known IT controls and "best practices" which do not really scale or apply well to Cloud Computing.

Sunday, April 4, 2010

Jolicloud OS for pen tests works, at least for me

Yet another lightweight, built-for-the-web OS: Jolicloud OS works well with my pen testing ways, at least for me. Why does it work for me, you ask?

It detects my netbook's native Wi-Fi card out of the box. And I love that feature alone.

After playing around with the standard apps that come with it, the next logical step for me is to install my security apps, and since it is a GNOME-based Linux distro, this is super easy to accomplish.

Fire up the Terminal app located in the Accessories menu and apt-get install away:

sudo apt-get install wireshark
sudo apt-get install zenmap

And to install Metasploit, there are a couple of things you need to do, which are beautifully covered step by step by this guide:

Why not use BT4 instead? Installing a persistent BT4 is a little bit cumbersome for script kiddies like me. BT4 is awesome, everything is in there, but most of the time I will only use a couple of the tools in it. For a sniffer learning the hacker ways like me, that will be Wireshark, NMAP and Metasploit. And I would like to thank Carlos "dark0perator" Perez for this excellent piece of advice he gave on a previous episode of the multi-award-winning podcast Security Weekly: if you want to learn the craft, don't use an all-in-one distro. Download and install Ubuntu, and work your way up from there. This has been my mantra for the past two years.

If I were to market the hacker ways to the public, I would pre-package these tools on a social-networking-centric, lightweight OS like Jolicloud. My security app icons sit right next to my Facebook, Gmail, and Pidgin IM apps, and that adds a little bit of a cool factor and a political statement that we are indeed in the age of point-and-click hacking.

Play safe kidz.

Monday, February 15, 2010

Asterisk Dialstring Injections

It's like an SQL Injection attack; I'm trying this one now in my VoIPSec lab. Time to fix those Asterisk cookbooks, guys! - Ron

exten => _X.,1,Dial(SIP/${EXTEN}@testsip)
He writes: “And if ${EXTEN} = “000@testsip&SIP/333” what turns out to happen then is similar to SQL injection :-(” He is exactly right. Many VoIP protocols, including IAX2 and SIP, have a very large allowed character set in the dialed extension, a character set that allows characters that are used as separators for the dial() and the queue() applications, as well as within the dialstring that these applications send to the channel drivers in Asterisk. A user can change the dial options and dial something they should not be able to dial in your system. This article describes the issue in more detail and gives you some help on how to avoid this causing trouble in your Asterisk server.
complete technical details here:
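As an added example (not from the post, the quoted article, or the Asterisk project): a small Python model of what Dial() receives once ${EXTEN} is substituted into the dialplan line above, an Asterisk-style pattern matcher showing why `_X.` admits the injected string while a fixed-length pattern does not, and a FILTER(0-9)-style sanitizer that doubles as an injection detector. The behaviour modelled (variable expansion before argument splitting, '&' separating channels, ',' separating arguments) follows the article's description; the hardened dialplan line in the comment is common Asterisk practice and an assumption, not the article's own recommendation.

```python
import re

# Dialplan line from the post; ${EXTEN} is substituted into this string
# BEFORE Dial() splits its arguments, which is the root of the injection.
DIAL_TEMPLATE = "SIP/{exten}@testsip"

# Asterisk pattern tokens: X any digit, Z 1-9, N 2-9, '.' one or more of anything
PATTERN_TOKENS = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}


def pattern_to_regex(pattern):
    """Translate an Asterisk extension pattern (leading '_') into a regex."""
    if not pattern.startswith("_"):
        return "^" + re.escape(pattern) + "$"   # a literal extension
    out, body, i = [], pattern[1:], 0
    while i < len(body):
        if body[i] == "[":                       # character class, e.g. [2-5]
            j = body.index("]", i)
            out.append(body[i:j + 1])
            i = j + 1
        else:
            out.append(PATTERN_TOKENS.get(body[i], re.escape(body[i])))
            i += 1
    return "^" + "".join(out) + "$"


def matches_pattern(pattern, exten):
    return re.fullmatch(pattern_to_regex(pattern), exten, re.DOTALL) is not None


def dial_destinations(exten):
    """Channels Dial() would ring: the expanded first argument split on '&'.
    Anything after a ',' would become further Dial() arguments (timeout, options)."""
    expanded = DIAL_TEMPLATE.format(exten=exten)
    return expanded.split(",")[0].split("&")


def filter_exten(exten, allowed="0123456789"):
    """Models Asterisk's FILTER(0-9,${EXTEN}): keep only the allowed characters.
    Hardened dialplan line (assumed example, not from the article):
      exten => _XXXX,1,Dial(SIP/${FILTER(0-9,${EXTEN})}@testsip)"""
    return "".join(c for c in exten if c in allowed)


def is_dialstring_injection(exten):
    """True when the dialed extension carries Dial()/Queue() separator characters;
    a defender should log it and hang up rather than silently filter and dial."""
    return exten != filter_exten(exten)
```

Feeding the value quoted in the post through dial_destinations() yields two channels instead of one, which is the whole problem; the fixed-length pattern and the filter each close it from a different side.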

Sunday, February 14, 2010

CloudAudit A6 - The Audit, Assertion, Assessment, and Assurance API

CloudAudit and the Automated Audit, Assertion, Assessment, and Assurance API (A6)

The goal of CloudAudit (codename: A6) is to provide a common interface that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.

CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds.

The CloudAudit/A6 Working group was officially launched in January 2010 and has the participation of many of the largest cloud computing providers, integrators and consultants. You can find out more about CloudAudit by visiting the Forums.

For someone involved in the Cloud Computing industry, information assurance and compliance, this is freakin' awesome! I would like to congratulate everyone involved, especially security guru and fellow-grappler Chris Hoff (Cisco) of

Find more about the A6 initiative at and please spread the word!


A playground for network security enthusiasts, innovators and early adopters

Welcome to my blog, this is me thinking out loud about Voice over IP security (VoIP), managing and optimizing converged networks, Metasploit Framework, Cloud Computing, general security and privacy concerns, grappling adventures, and tuning my MKIV VW Jetta.

All input, feedback and violent reactions are welcome.

Packet Boy Perseus
Helping spread a positive image of why we hack things.

About Me

I am an InfoSec Innovator, a Blue Ocean Seafarer and a Paul Graham Pupil.