December 27, 2012

Skyfail AKA CyberSkyfall

It's the end of 2012 and another Bond movie is still cyberstalking unwary theater-goers...

Among the top three funniest moments I've witnessed in person this year was going to the Skyfall showing with the BSides Delaware conference, after a Bond-themed tailgate party organized by @DeviantOllam, complete with Vesper Martinis!

Imagine about thirty BSides attendees watching a Bond movie and trying to behave themselves.  That's bad enough if it was Thunderball or Dr. No or even A View To a Kill or Quantum of Solace. Those bad guys had their own silly plots but they were all, um, cyber-less, or at least a lot less cyber...

Not Skyfall, oh no.  Skyfall revolved around a Stuxnet-like theme of cyber terrorism/war/etc. that COULD have been well-executed, but just wasn't.  Anyone in the BSides conference could have earned a quarter million dollars as an expert consultant to the script-writers and made it better than it was.  Since the script-writers and producers deemed it absolutely un-lame to just write a bunch of cyber-sounding nonsense, hilarity ensued in that dark theater in Wilmington.  It was hard to keep a straight face and stay quiet.  It turned into a hacker version of an episode of Mystery Science Theater 3000.

I happened to be sitting next to @SpaceRog, who knows a thing or two about hacking and defense.  Let's just say that as the show went into cyberdouchery territory, then further into FUDtaculariousness, I kept feeling twitches and hearing winces from my immediate right.  If it was possible to kill a person with "cyber," the Skyfall producers might have found it, and it involved zero pacemaker-hacking, just really, really terrible writing. 

The preview is available on the tubez here. Check it out and imagine, if you haven't seen it already, the head of MI6 AKA M dealing with a very bad situation, revolving around theft of classified information as well as cyber-terrorism in the way of blowing things up and causing things to crash.  SCARY STUFF!!!  She's getting a lot of heat from her political masters and is pretty frustrated with her imploding career.  Cyber-badness caused this.  Mistakes were made, solutions to be found, and right quick...

As a tribute to the lazy ridiculosity that is the Skyfall cyberscript, I bring you a Twitter hashtag I've been working on for a few days.  Won't you be my cyber-neighbor and participate?


#Skyfail  (Originally #CyberSkyfall and #SkyfallCyberLines)

-"Don't mind me, I'm just inducing acute cirrhosis over here..." M, we'd really rather u didn't drink all da Jager b4 noon

-"So he's in AND out AND in, is that right?" Yes, M, I'm afraid so. "Gimme your weapon, I'm going to shoot him myself."

-"If he's already in AND out, what are we doing 2 make sure he doesn't come back?" M, he's still here, never really left.

-"Why can't we stop him from getting in?" M he's already IN. "Can we stop him from getting out?" He's out already. "WHAT?"

-"What's the SIEM telling us? We spent a bloody fortune on it, after all." M, the db types don't get along w GUI types...

-If only we'd listened to that guy from Gartner when he came 2do the benchmarking assessment. That Spider chart was cool

-Quick, Nigel, get me the hyperZ Purple Pill escape preventer, I think he's bypassed our Deep Header Locator!

-Maybe if we use the cross-over cable on the PwnPlug we can reroute the application-aware honeypot 2 active-defence mode!

-"How're we doing on the isolation phase of the incident?" M, the manual says we're still in the OMG WTF BBQ phase. "I C."

-"Why didn't we find this vulnerability before we got hacked?" M, we discarded all CVSS scores below 8.73... "I see"

-Hack ScarJo's email, you get 10 years prison. Hack MI6 & u get 2 molest 007. What's wrong with this pic?

-"Don't be such a wuss, it's just a .BAT file..." By @CaseyJohnEllis

-When this is all over and we're done with the SCADA/HVAC remediation, I'm going to EuroDisney...

-How come Dr. Evil gets a power swivel-chair and I don't, hmm? Can u tell me that? "Maam, we had 2 airgap the control..."

-Um, change request form for removing USB port control... Signed by one "Tupac H@x0r." In crayon. Really, guys? 

-Yes, I know South Carolina got a $700k bill from Mandiant, but they're the only ones we have who work weekends!

-We finally gave up on figuring this out by ourselves n called Mandiant. No, they're not technically cleared for this...

-Like Sting said in his song: "When the world is running down, you make the best of what's still around!" AMIRITE?

-It's M, she's gone over the edge. Finally discovered the depth of our incompetence. She really can't handle the truth

-More coming in Skyfail Part Deux.

June 24, 2012

It Ain't Me Babe (InfoSec Awareness Edition)

Hidee ho, neighbors!  Let's fire up the cathode rays on ye olde youtubez and sing-song sing-along once more, to the tune of Bob Dylan's It Ain't Me Babe.  It's only appropriate to bring Dylan back, since we haven't (ab)used him since the BSides track The Cons They Are a Changin' almost a year ago.

This song's content is a bit more introductory, unlike some of the advanced topics we covered in We Didn't Start the (Fire)Wall and We Didn't Start the (Next Gen Fire)Wall.

Get ready to sing like you can't, Dylan style, with ShpanTazer'd lyrics, of course...

Securely yours,

gAli G AKA @Shpantzer

It Ain't Me Babe

This particular version is sung by Joan Baez, who explains that it's an 'anti-marriage' 'protest song.'  You learn something new every day!  Feel free to sing it like Dylan, though, it's more annoying to your cubicle neighbors that way...

Go away from my Windows
Leave at your own chosen speed
I'm not the one you want babe
I'm not the one you'll bleed

You say you're looking for someone
Whose password's weak but thinks it's strong
To click you and install you
Whether you are right or wrong
Someone to open each and every .jar

But it ain't me babe
It ain't me babe
It ain't me you're phishing for, babe

Go lightly on the ledge babe
Go lightly on the ground
I'm not the one you want babe
I'll only let you down

You say you're looking for someone
Who'll never call the feds
Someone to choose your fake AV
Someone to buy your meds
Someone who will pay for all your scams

But it ain't me babe
It ain't me babe
It ain't me you're phishing for, babe

Go melt back in the net, babe
Everything I have you want to pwn
There's nothing in here to exfil
And anyway I'm not alone

You say you're looking for someone
To click your links each time you spear
To not update Reader and Flash
And to help finance your beer
A sucker for your fraud and nothing more

But it ain't me babe...

May 01, 2012

Sympathy for the Devil: Public Relations Re-Examined


AKA Carnival Barkers meet Infosec LARPers

Mood music...

Pleased to meet you
Hope you guess my name!
But what's puzzling you
Is the nature of my game...

I stuck around San Francisco
When I saw it was a time for a change
Bombed RSA with buzz words
Liquid Matrix screamed in vain

I paid the analysts
gave awards to finalists
When the FUD it raged
And my pitches main-staged

Pleased to meet you
Hope you guess my name, oh yeah
Ah, what's puzzling you
Is the nature of my game, oh yeah
(woo woo, woo woo)

I watched with horror
While your antivirus corps
Fought for three decades
For the gods they made
(woo woo, woo woo)

Just as every cop is a criminal
And all the sinners saints
As heads is tails
Just call me Lucifer
'Cause I'm in need of some restraint
(who who, who who)

So if you meet me
Have some courtesy
Have some sympathy and some taste
Use all your well-learned politesse
Or I'll lay your soul to waste...

Public relations types, they're not LITERALLY the devil, right? PR/Marketing/Sales is so maligned, hated, despised, ridiculed and loathed by many security professionals that the mere thought of those words brings to mind FUD, willful technical ignorance (if not malign neglect) and just general ridiculosity of the third kind.

That said, I wanted to shed some light on these dark arts (...) in a series of blog posts, in order to understand how the sausage is made and find points in the security marketing/pr/sales kill chain where we can make any improvements.

We all use security products and services but can’t stand the whole song-and-dance, so let’s look behind the curtains and delve into the way this works from soup to nuts. (Does that sentence have three analogies or whatever-you-call-those-things?)

Rather than my usual, oh-so-satisfying approach of lambasting PR from my comfy chair, devoid of any context and meaning, this time I reached out to Jennifer Leggio, aka @mediaphyter, who has been involved in 'the community' for years. Jennifer also happens to be Vice President of Corporate Communications for Sourcefire (@Sourcefire), so she has experience working with a 'legit' vendor that's been around for a while and isn't known for relying on FUD for 99% of its revenue stream. Sourcefire, as you may know, is a purveyor of fine squishy pink Snorty pigs and, of course, some cool network security products!

(ASTERISK: I've never had a business relationship with Sourcefire, so "no" is the answer to your questions regarding pay-for-play on my blog.)

Basically, PR is more than writing crappy press releases before RSA... PR is part of a larger process that involves product marketing, business development, reporting to Wall Street, signaling to the M&A market and other hidden forces.

Here's what I learned in a bit of informal Q&A:

Q. What’s a typical “day in the life” of a PR professional supporting a company like Sourcefire?

A. It depends on the day. As a PR professional, you need to be ready at a moment’s notice to flip between proactive and reactive modes. Some days we’re knee deep in content development for strategic campaigns, which could or could not include bugging reporters and analysts, and other days we’re mapping along to competitive or market movement. Flexibility is paramount.

Q. What are the top three misconceptions of PR in the practitioner community?

A.  Hmm, only three? OK, here goes...

1. All we care about is FUD (fear, uncertainty, doubt), or we create the FUD, or generally, we are only harbingers of FUD. That is lazy PR. The good ones are more proactive than reactive. The great ones help shape what the market is thinking about.
2. Not *every* PR person wants to put a researcher in an ironed button-down shirt and tie and give them a corporate pitch to deliver. Sometimes you don’t mold clay, you figure out how the clay unmolded (aka a gritty, brilliant researcher) is already a beautiful piece of art and work with it. Let us.
3. That one of us represents all of us. Some are more social. Some flit from conference to conference. Some you don’t even know, but they could be most talented because they are working rather than self-marketing. At the core of it, remember we are not identical creatures. It’s a wonderful thing.

Q. How can vendors make better use of l33t PR skillz?

A. I cannot say this enough. I’d type it in all caps if it wasn’t an Internet faux pas. Bottom line? PR needs to be part of your overall business strategy. Beyond PR, corporate communications from PR to social to analyst relations and, even in some cases, investor relations, can have a direct impact on your bottom line and financial perception. So stop treating PR as an afterthought, a noise creator, a buzz generator. Think smarter. If your PR agency or internal PR team is not helping sales sell, creating stories that field marketing can use to push deals into the pipe or sales can use to push deals through the pipe, then your PR team is not doing its job. Sometimes it’s because the right chips aren’t in place. Sometimes, it’s because they aren’t enabled to do so. Sometimes, the internal folks get it but they just have a bad network of agencies who think that the “cold calling buzz machine” and handshakes at conferences is all you need to drive business. However, if you let PR “in” and you have the right team in place, it’s pay dirt. I’m lucky that Sourcefire really gets this. Now, the pressure is on me and my team to perform. And I wouldn’t have it any other way.

Q. Let’s reverse-engineer a PR end-product, like a pre-RSA announcement of a product or service.  How does that work?  Starting with the announcement, walk it back to the source for us. Who’s involved, etc. 

A. Oh, this is a long one. Announcement planning generally starts months and months ahead of the news cycle. And, if you’re smart, you’re engaging with industry analysts according to roadmap schedules versus announcement schedules (because, of course, they are your allies for selling, strategy awareness, though a lot of people forget that). It’s complex. For fun, let’s say Company A is announcing Widget B at Security Conference Extraordinaire on January 1.

The internal PR team should have weeks ahead, if possible, notified all external agencies of the coming dates so that local plans driven by sales priorities could be developed. Internal PR then needs to conspire cross-functionally with product marketing, and together they must skip in lock-step with other teams for message and story development, content development, many other things that would bore the people reading this, and then they break off to focus on external communications, web development, collateral, field communications, channel communications, and so on.

Stuff (press releases, blog posts, pitches, social media plans of attack, etc.) is developed. Outreach to press usually begins 2-3 weeks ahead of launch, but for huge overcrowded or more bloated events, longer might be necessary (Note: there is a small but distinct window of opportunity between "too early" and "too late" on most influencer event calendars. If you know them, as you should, you know in your gut when this is). You book meetings. WIN! No? Yes, now you have to properly prepare all spokespeople, which for an event, is many. Briefing docs and research are prepared. Sometimes, regional spokesperson training. Preso development (though I do not believe in PPT for press meetings, but that's another conversation...). For journos not attending the event, embargoed pre-briefings the week before. For the event folks, on-site "hell fire" coordination to ensure everyone is in the same place at the same time. After the event, you relax. No? No! Then you're chasing them for coverage, trying to make them remember your story amid a bevy of crap (because, of course, *our* stuff is *never* crap).

Complete this sentence:  

PR is... an artform. Really. Stop laughing, technical folks. (Editor's note: I'm not laughing. I would be, except that I've consulted to a couple of niche security vendors and one of the hardest things I've ever done in 11 years of infosec consulting is write a not-horrible pre-RSA press release, announcing a partnership between my tiny client's startup security company and a major multi-billion dollar infosec gorilla... That's despite six years as a co-editor on the SANS Newsbites between 2002 and 2008. Doing this well is not easy...)

PR is not... merely cold calling influencers. More than ever, PR professionals must be business strategists who see the bigger picture, understand the map from air cover to the bottom line, and know how to build sustainable relationships beyond the low-hanging coverage fruit.  

PR does this right... So many variables. However, if you find the perfect mix of strong leadership, good spokespeople, great products, good external and internal PR teams, your achievement of desired results is endless.

PR needs to do this better... This is not a "what can you do for me?" field. Maybe it was, and quite honestly, maybe it is outside of enterprise tech. But, in computer security, if your only reason for reaching out to influencers is to help your agenda and you never give back, prepare for failure.

I learned something new about PR today, how about you? 

I'd like to thank @mediaphyter and the Academy of Self-Promotion Pictures for the opportunity to give the true PR professionals a break and to help them help us... We can learn a lot from PR pros, so I'll be bringing more PR, Marketing and Sales professionals to my tiny little soapbox on this corner of the internet, to rationalize away their horrible behavior, er, better understand their role in the security ecosystem ;-)

We now return to our regularly scheduled infosec snark programming.