Python Adventures – 02

The noob in me means I should read the instructions first; the engineer in me says I can figure it out, I don’t need no stinking instructions! How quickly I forget the last time I attempted this method with Ikea kitchen cabinets, um... Moving swiftly along: I fixed my Windows RStudio installation issues. I had this strange assumption that RStudio would come with R, similar to how Visual Studio comes with C#. Assumptions and IT rarely work out well.

R goes hand in hand with Python if you want to break out of metrics beyond averages, using a normal distribution or standard deviation. If you want to crunch juicy, more advanced numbers, R is the way to go. I’m new to R and I know just enough statistics to be slightly mathematically dangerous.

Remember, numbers are your friend, they justify the return on IT Security investment, i.e. your paycheck.

To download R, go to the CRAN project page and choose a close mirror for the newest package which is R-3.1.1 for Windows 32/64. Although the title of the package screams security vulnerabilities, my version was patched to 2014-08-18, the day I downloaded it. Once R is downloaded and installed, RStudio can be installed and it works straight away on Windows.

Let’s say I have 5 assets and I want to put them in a data frame with vulnerability counts:

#R data frame example similar to Data-Driven Security Listing 2-1
#create a new data frame of 5 IT and OT assets and vulnerability counts
assets.df <- data.frame(
  name=c("ControlRoom-PC001","PLC-002","RTU-003","DCS-004","FilePrint-SVR005"),
  os=c("WinXP","Fatek","GE_D20MX","DLink_DCS-2000","W2K8"),
  highvulns=c(25,5,12,6,0))
#review the data frame structure & content
str(assets.df)
#review assets as now added in
head(assets.df)
#shows a sample or slice of the available operating systems input
head(assets.df$os)
#Addition of a new column with IP address information
assets.df$ip <- c("","","",
                  "", "")
#Display assets only with greater than 10 high vulnerabilities
head(assets.df[assets.df$highvulns>10,])
#Categorize assets in zones and add a new column
assets.df$zones <- ifelse(grepl("^10.10.2",assets.df$ip),"Zone1","Zone2")
#final inspection of code input
head(assets.df)

If all goes well your run output will look like this:


> #R data frame example similar to Data-Driven Security Listing 2-1
> #create a new data frame of 5 IT and OT assets and vulnerability counts
> assets.df <- data.frame(
+   name=c("ControlRoom-PC001","PLC-002","RTU-003","DCS-004","FilePrint-SVR005"),
+   os=c("WinXP","Fatek","GE_D20MX","DLink_DCS-2000","W2K8"),
+   highvulns=c(25,5,12,6,0))
> #review the data frame structure & content
> str(assets.df)
'data.frame':    5 obs. of  3 variables:
 $ name     : Factor w/ 5 levels "ControlRoom-PC001",..: 1 4 5 2 3
 $ os       : Factor w/ 5 levels "DLink_DCS-2000",..: 5 2 3 1 4
 $ highvulns: num  25 5 12 6 0
> #review assets as now added in
> head(assets.df)
               name             os highvulns
1 ControlRoom-PC001          WinXP        25
2           PLC-002          Fatek         5
3           RTU-003       GE_D20MX        12
4           DCS-004 DLink_DCS-2000         6
5  FilePrint-SVR005           W2K8         0
> #shows a sample or slice of the available operating systems input
> head(assets.df$os)
[1] WinXP          Fatek          GE_D20MX       DLink_DCS-2000 W2K8          
Levels: DLink_DCS-2000 Fatek GE_D20MX W2K8 WinXP
> #Addition of a new column with IP address information & new column
> assets.df$ip <- c("","","",
+                   "", "") 
> #Display assets only with greater than 10 high vulnerabilities & new column
> head(assets.df[assets.df$highvulns>10,])
               name       os highvulns        ip
1 ControlRoom-PC001    WinXP        25
3           RTU-003 GE_D20MX        12
> #Categorize assets in zones and add a new column
> assets.df$zones <- ifelse(grepl("^10.10.2",assets.df$ip),"Zone1","Zone2")
> #final inspection of code input
> head(assets.df)
               name             os highvulns        ip zones
1 ControlRoom-PC001          WinXP        25 Zone2
2           PLC-002          Fatek         5 Zone1
3           RTU-003       GE_D20MX        12 Zone2
4           DCS-004 DLink_DCS-2000         6 Zone1
5  FilePrint-SVR005           W2K8         0 Zone2
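One caveat on the zone rule above: `grepl("^10.10.2", ip)` is a regular expression, not a subnet test. The dots match any character and nothing anchors the right-hand end, so 10.10.20.x and 10.10.25.x land in Zone1 as well as 10.10.2.x. The following is an added Python example (mine, not code from the post or from the Data-Driven Security book) that rebuilds the same five-row asset table, applies the highvulns > 10 filter, and contrasts the prefix regex with a CIDR-based zone assignment. The IP addresses, the 10.10.2.0/24 Zone1 block and all function names are constructed assumptions, since the post's own addresses are blank above.

```python
import ipaddress
import re

# Constructed sample assets mirroring the five rows of the R data frame.
# The IP addresses are made up (RFC 1918 space), not the post's values.
ASSETS = [
    {"name": "ControlRoom-PC001", "os": "WinXP",          "highvulns": 25, "ip": "10.10.20.15"},
    {"name": "PLC-002",           "os": "Fatek",          "highvulns": 5,  "ip": "10.10.2.11"},
    {"name": "RTU-003",           "os": "GE_D20MX",       "highvulns": 12, "ip": "10.10.3.7"},
    {"name": "DCS-004",           "os": "DLink_DCS-2000", "highvulns": 6,  "ip": "10.10.2.200"},
    {"name": "FilePrint-SVR005",  "os": "W2K8",           "highvulns": 0,  "ip": "10.10.25.9"},
]

# Hypothetical zone definitions as CIDR blocks: Zone1 is the 10.10.2.0/24 control network.
ZONES = {
    "Zone1": [ipaddress.ip_network("10.10.2.0/24")],
}
DEFAULT_ZONE = "Zone2"


def high_vuln_assets(assets, threshold=10):
    """Equivalent of assets.df[assets.df$highvulns > 10, ]: names of assets over the threshold."""
    return [a["name"] for a in assets if a["highvulns"] > threshold]


def zone_by_prefix_regex(ip, pattern=r"^10.10.2"):
    """The post's approach: a left-anchored prefix regex with unescaped dots."""
    return "Zone1" if re.search(pattern, ip) else DEFAULT_ZONE


def zone_by_cidr(ip, zones=ZONES, default=DEFAULT_ZONE):
    """Assign a zone by CIDR membership; malformed addresses fall through to the default."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return default
    for zone, networks in zones.items():
        if any(addr in net for net in networks):
            return zone
    return default


def zone_disagreements(assets):
    """Assets where the regex and the CIDR test disagree, i.e. the regex false positives."""
    return [a["name"] for a in assets
            if zone_by_prefix_regex(a["ip"]) != zone_by_cidr(a["ip"])]


if __name__ == "__main__":
    print("highvulns > 10:", high_vuln_assets(ASSETS))
    for a in ASSETS:
        print(f'{a["name"]:18} {a["ip"]:12} regex={zone_by_prefix_regex(a["ip"]):6} '
              f'cidr={zone_by_cidr(a["ip"])}')
    print("regex false positives:", zone_disagreements(ASSETS))
```

Run as a script it lists the two high-vulnerability assets and shows ControlRoom-PC001 (10.10.20.15) and FilePrint-SVR005 (10.10.25.9) being pulled into Zone1 by the regex while the CIDR test leaves them in Zone2. The same effect occurs in R; the fix there is either to escape the dots and anchor the octet (`"^10\\.10\\.2\\."`) or to test subnet membership with an IP address package rather than a string pattern.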

Python Adventures – 01

I completed Learn Python the Hard Way Exercise 0: The Setup & Appendix A: Command Line Crash Course by Zed A. Shaw. The command line section was a refresher, but I’m unfamiliar with using PowerShell vs a command prompt in Windows and I never used pushd and popd before. Something new is always cool. There was one caveat with my PowerShell: -p didn’t work for me, I had to use -path instead.

I figured it best to download the Data-Driven Security book code from Wiley as I’m prone to typos. That way I can test the clean, working code if my results fail epically. Prior to moving forward to chapter 3 of the book, one must delve deep into the Data Frame. The book code had Python Listing 2-2 but I’m having trouble with 2-1, 2-3 & 2-4 due to my Windows RStudio installation.

Nothing helps installation frustration like reference materials.

Short introductions to Python, Pandas and R references:

  • Learn Python in 10 minutes by Stavros Korokithakis
  • 10 Minutes to Pandas by the Pandas Development Team
  • A (Very) Short Introduction to R by Paul Torfs & Claudia Brauer (SHA256: d847c553386deaf8e85a718c91ef5ec122d31d3faf4c291b5a1f6e1ceb8ab5d2)
  • The R Markdown cheat sheet by RStudio




Python Adventures – Setup

I’m following the book Learn Python the Hard Way, recommended by @stevemcgrath. I want to tackle some serious data for security analytics using Python and R as well. Ultimately, I wish to create some cool, easy to understand visualizations. The main goal is to complete the book Data-Driven Security and kick some serious security data analytics.

First, I started by installing Canopy 64 bit on Windows 8.1 and Ubuntu 14.04. This sounds easy, it wasn’t. Neither OS version installation worked out of the box. I adjusted the graphics options in the Canopy main area, both OS versions via: Main Screen, Edit, Preferences, Python, Inline (SVG). I will show both operating systems were feasible.

I then ran the following verification check per Data-Driven Security:

import pandas as pd
import numpy as np

# build a 5000-row data frame of normally distributed values
test_df = pd.DataFrame({"var1": np.random.randn(5000)})

In Windows, I kept getting an openpyxl versioning error. This took a while to solve. After a few uninstall, re-install, “Kernel died, restarting” errors it all worked!

In Linux, I ran into matplotlib, openpyxl and freetype version errors.

To solve fttype & matplotlib, I found a solution posted by user3888817 on Stack Exchange:

enpkg --no-deps matplotlib 1.2.1
enpkg --no-deps libpng 1.2.40
enpkg --no-deps freetype 2.4.4


To solve the openpyxl errors, I can’t remember where I found it:

sudo apt-get install mercurial


To install R, I went to R Studio Desktop Download for Windows


To install in Ubuntu I went to the Ubuntu Software Center, RStudio

To install ggplot2, at a terminal session:

sudo apt-get install r-base-core

In R:

install.packages("ggplot2")

To verify your R installation, run inside R:

library(ggplot2)
test.df = data.frame(var1=rnorm(5000))
ggplot(data=test.df) + geom_histogram(aes(x=var1))




Python and R are now both installed!!!






TSA, Opt-out and you’re a “Criminal Hacker” Yippee!

The continuing adventures of the Freedom Fondle and the nerve of some who choose to opt-out

Traveling to and from the USA, even for US citizens, is a challenge. I’m getting used to the “random” SSSS on my boarding pass, intrusive and wholly inappropriate questions about my work, employer, ethnicity and religion, and the accusations of carrying a fake passport because I have an “accent”, otherwise known as traveling whilst Hispanic in the USA. I travel with limited clothing as I expect them to be ripped or otherwise destroyed in front of my eyes, again by Customs and Border Patrol. I stopped carrying anything which could even remotely be confused with the Arabic language. I travel with very limited, encrypted data. My family expects detainment and knows to contact a USA attorney if I don’t check in quickly enough after landing. Today was a new one and rather unexpected. I forgot to expect the unexpected with the TSA.

I opt out when I’m traveling within the United States. This isn’t an option when flying from Europe to the USA due to an underwear obsessed, idiotic terrorist, but it is a right whilst traveling within the US borders. As per usual I arrived in plenty of time for my flight, checked in and got in the security theater TSA line for the shredding of my 4th amendment rights. As I approached the full body scanner I politely informed the male officer I wished to opt out. Without engaging with any other ancillary officers, I waited patiently to be freedom fondled in full public view. Standing up for your rights sometimes involves strangers groping my private parts, and I can live with that.

The female TSA officer by the scanner decided to loudly voice her opinion of those who opt out, standing by the full body, 4th amendment dissolving scanner. She explained to her male co-worker at a volume all in the area could clearly hear. A rant on how “all these criminals, so-called hackers, are a bunch of useless posers who should be in a jail cell not flying or pulling their BS by opting out”. For a few minutes she continued to spew her utter ignorance in an attempt to intimidate and humiliate me. I had no choice but to listen, and the other passengers being screened had to as well. I wore no identifiable “hacker” shirt, just glasses and my usual pile of technology. My jacket was from an off-Broadway play, Avenue Q, and I wore glasses. I guess glasses, computers and opting out is now a sure sign you are a criminal hacker that should be thrown into jail. I must have looked dangerous in my -7.00 bottle thick glasses!

Hopefully the situation will have a somewhat happy ending. When my freedom fondling by a different TSA officer began, I explained I wished to file a complaint, in writing, as soon as her glove was off. I was sent to a very understanding and sympathetic supervisor. After explaining I had absolutely no verbal or other engagement with the verbally abusive officer, I was given a form, the officer’s full name and a very friendly verbal acknowledgment that no TSA officer should act in such a verbally abusive manner. As many of the passengers on my flight heard the comments whilst being screened, I didn’t have to engage in any flight chit-chat. An added bonus for being labeled a criminal prior to boarding an airplane (?)

Not all the TSA are bad, just enough to taint the organization and cause disrepute to the actual honest hard-working agents. Hopefully my written complaint will be taken. Hackers are not criminals, nor are those who opt out. Those in government positions which chose to openly attempt to intimidate people into giving up their rights are.

We are the Calvary! Attackers & ArcSight ESM

Detecting hosts compromised by droppers served from a compromised website, using a correlation engine

I was alerted by a really proactive colleague via a whitelist. Further digging led me to an excellent dissection by Dancho Danchev. This might be a watering hole or just a nice money making opportunity. Recently journalism websites have been targeted for watering holes; however, money is usually the bigger reason.

How can ArcSight ESM or similar correlation engines be used to detect whether any of your organization’s assets have been affected?

Proxy, DNS, some IPS/IDS and firewall monitoring can report domain names and IPv4 addresses. In most cases both domain name lists and IP address lists are helpful for basic proactive detection.

IPv4 and domain watch list from my colleague, the Dancho Danchev blog, and two additional domains I found, for use in a Filter. The Detection Ratio is how many URL scanners in VirusTotal detected any malicious code:


Domain Name | Detection Ratio | Virus Total Report
(17 rows; the domain names, detection ratios and VirusTotal report links are not preserved in this copy)

A list for Filters and/or Active Lists to help verify infection or issue: redirection or secondary related information after the infected, compromised website is visited and your organization’s asset is possibly redirected to further mayhem.


Domain Name | Website Screen Shot | Last Scanned 31/12/12
(the domain entries and screenshots are not preserved in this copy)




The attack is carried through the HTTP protocol.

How to detect via ArcSight ESM

  • Set up your Filter “NBC-Com Suspect Attackers”, which includes both the IP and the Domain Name information
    • Otherwise, set up your Filter “NBC-Com Suspect Attackers_IP” if you only have IP addresses in your logged data
    • Otherwise, set up your Filter “NBC-Com Suspect Attackers_DN” if you only have Domain Names in your logged data
  • Open a new Channel with log data from a Firewall, Web Proxy Server, DNS Server or any Connector which contains IPv4 addresses or Domain Names
  • Set the dates of the Channel back to at least 21/02/2013
  • Add Protocol = HTTP and/or Port = 80 as a condition of the Channel
  • Add the Filter(s) as a condition of the Channel, so the Channel conditions are:
    • Protocol = HTTP and/or Port = 80
    • Filter = “NBC-Com Suspect Attackers”
  • Give the Channel time to load, adjusting the sliding timeline as required for performance and monitoring
  • Investigate hosts communicating with the suspect external actors
    • Assign higher priority to those end points which are most critical, communicate the most externally, behave in a strange manner or breach the perimeter.
    • I commonly add these suspect hosts to an Active List to observe as Potentially Compromised Hosts if they are not re-imaged or otherwise cleaned.
    • Use the data to build out a report showing how many compromised assets your department caught that anti-virus or anti-malware could not.
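The same channel logic, written out in Python as an added example (mine, not from the post and not ArcSight code): a watch list of suspect domains and IPs standing in for the Filter, the date and HTTP/port 80 conditions, and the prioritisation of internal hosts, run over constructed proxy log lines. The watch-list entries (.invalid names and documentation-range addresses), the log line format and the function names are all constructed placeholders; substitute your own filter source.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Watch list standing in for the "NBC-Com Suspect Attackers" Filter. CONSTRUCTED placeholders:
# .invalid names and RFC 5737 documentation addresses, not the post's real list.
SUSPECT_DOMAINS = {"dropper-host.invalid", "redirect-stage2.invalid"}
SUSPECT_IPS = {ipaddress.ip_address("203.0.113.45"), ipaddress.ip_address("198.51.100.7")}

# Channel conditions from the post: events from 21/02/2013 onward, Protocol = HTTP and/or Port = 80.
CHANNEL_START = datetime(2013, 2, 21)

# Constructed proxy log lines: "<date> <time> <src_ip> <proto> <dst_host_or_ip> <dst_port>"
PROXY_LOG = """\
2013-02-20 09:12:01 10.1.1.20 HTTP dropper-host.invalid 80
2013-02-21 10:03:44 10.1.1.20 HTTP dropper-host.invalid 80
2013-02-21 10:03:45 10.1.1.20 HTTP redirect-stage2.invalid 80
2013-02-21 11:15:09 10.1.1.31 HTTP 203.0.113.45 80
2013-02-22 08:00:00 10.1.1.31 HTTPS 198.51.100.7 443
2013-02-22 08:30:12 10.1.1.50 HTTP news.example.com 80
2013-02-22 09:05:33 10.1.1.20 SMTP 203.0.113.45 25
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, proto, dst, port = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "proto": proto.upper(), "dst": dst, "port": int(port)}


def is_suspect_destination(dst):
    """Combined IP + domain check: IP literals against SUSPECT_IPS, names against SUSPECT_DOMAINS."""
    try:
        return ipaddress.ip_address(dst) in SUSPECT_IPS
    except ValueError:
        return dst.lower().rstrip(".") in SUSPECT_DOMAINS


def channel_matches(event):
    """All three channel conditions: time window, HTTP or port 80, and the suspect filter."""
    return (event["ts"] >= CHANNEL_START
            and (event["proto"] == "HTTP" or event["port"] == 80)
            and is_suspect_destination(event["dst"]))


def suspect_hosts(log_text):
    """Internal hosts talking to suspect actors as (src, contact_count, distinct_destinations),
    highest priority first: most distinct suspect actors, then most contacts."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and channel_matches(ev):
            contacts[ev["src"]].append(ev["dst"])
    ranked = [(src, len(dsts), sorted(set(dsts))) for src, dsts in contacts.items()]
    ranked.sort(key=lambda r: (-len(r[2]), -r[1], r[0]))
    return ranked


def hits_outside_channel(log_text):
    """Watch-list contacts that the date or HTTP/80 conditions would drop from the channel."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev and is_suspect_destination(ev["dst"]) and not channel_matches(ev)]


def active_list(ranked_hosts, cleaned=frozenset()):
    """Potentially Compromised Hosts: ranked hosts not yet re-imaged or otherwise cleaned."""
    return [src for src, _, _ in ranked_hosts if src not in cleaned]


if __name__ == "__main__":
    ranked = suspect_hosts(PROXY_LOG)
    for src, count, dsts in ranked:
        print(f"{src}: {count} contact(s) with {', '.join(dsts)}")
    print("dropped by channel conditions:", len(hits_outside_channel(PROXY_LOG)))
    print("active list:", active_list(ranked, cleaned={"10.1.1.31"}))
```

On the constructed log this ranks 10.1.1.20 (two suspect actors) above 10.1.1.31 (one). `hits_outside_channel` is the caveat: the same watch list is also hit on a pre-window event, an HTTPS/443 connection and an SMTP/25 connection, all of which the HTTP/80 plus date conditions exclude. If your connectors log those protocols, a second channel without the protocol condition is worth running against the same Filter.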




Power outages, mud and slow internet

ITSec challenges in a less developed country

It is a strange feeling when the tour book is strangely correct about your holiday location. There really is only 1 international ATM machine for an island of 330,000 people. The power goes out, a lot. The police take up, um, “road side collections” and can be quite heavily armed. I don’t know when I felt more scared, being sued last year or when my father-in-law politely drove off after refusing to pay an on the spot fine/bribe. Tanzania, like any other country, has challenges. Some are quite frustrating to IT goals, such as extremely expensive, low quality, slow internet service or frequent outages and unstable electricity. It is possible to have the necessary technology to run an organization in this harsh IT environment.

Friendly tips for basic IT sanity in Tanzania

  1. Don’t expect clean, stable electricity all the time.
    1. Use uninterruptible power supplies on all your desktops.
    2. Have building battery backups or a generator with fuel.
    3. Always connect your electronics to a power strip that is at least a surge protector.
  2. Expect to lose your stuff.
    1. Any country where the majority of the population lives on about $1.70 a day gives way to desperation/petty theft.
    2. Employees can be easily bribed by your competition. Pay and treat them well.
    3. Encrypt your drives, from hard drives to SD cards. It is far better to just lose your smartphone with encrypted data than to lose your smartphone with sensitive or embarrassing information on it which is accessible.
    4. Weather and the environment are harsh, so think about hardware failures.
  3. Limited number of talented IT technologists
    1. One of the islands we visited, part of Zanzibar, only received electricity in 2010. Schools near Dar es Salaam have no desks, let alone electricity. Computer technology is new here.
    2. Learn some Swahili, it will help you explain issues. Google translate Swahili is in its infancy and cannot currently be relied upon.
    3. Research your staff or support company well. There are very few options but ask around before you sign any contract or new hire.
  4. Bandwidth is not up to European standards.
    1. Some Europeans and Asians have the good life when it comes to the internet. Lightning fast speeds and great quality. This is Africa.
    2. Expect to pay a lot for any internet services.
    3. Have a backup provider just in case yours fails.
    4. Do not take the cheapest unless it is a promotional deal from a reputable provider.
    5. Use a router/modem that also has a 3G or higher backup connection. This can keep your office or you up and running if your provider loses power.
  5. Cost and availability
    1. What is available in other parts of the world might not be in Africa.
    2. High end hardware or software might not be sold or supported here due to lack of customer base.
    3. If you must import hardware bring spares.
  6. Security
    1. Availability: Back up to a mirrored drive and save to the cloud, uploading and synchronizing as required. Use more than one DNS provider and do not rely solely on your ISP.
    2. Integrity: Lock down those USB drives and use end point protection.
    3. Confidentiality: Install encryption software for hard drives, cloud backups and email. The government and possibly others most likely monitor unencrypted communications.

Tanzania and similar countries are challenging but can yield successful IT implementations. Few places in the world make the challenge worth it. Beaches, live coral, lions, elephant, galloping giraffe and the Rift Valley. The people are generally happy, beautiful terrain, enticing lagoons and cultures.

I didn’t plan on spending my New Year’s Eve covered with mud after trying to push a SUV out of an impassible road. Luckily someone came along with a shovel by chance within an hour. Our rescuers tried to tow us out but the rope broke. Although it was the best New Year’s Eve ever, we could have avoided the mud baths if we had packed a rope and shovel.


Hospital patient insecurity due to lacking patches or decent passwords

This time only 493,000 patients lost their privacy, systems left wide open for years.

A hospital in Gouda, the Netherlands, called Groene Hart Ziekenhuis (Green Heart Hospital) had, according to Bonnie at the Nederlands Genootschap van Hackende Huisvrouwen (Netherlands Society of Hacking Housewives) as reported to the journalist Brenno de Winter (@brenno), weakly configured servers accessible from the internet which contained confidential patient data for almost half a million people. These sensitive systems had been left in an insecure state for several years. This is nothing new in the Netherlands; the same group reported a similar data leak involving over 800,000 Dutch citizens and residents at another facility in July 2012.

Information which was exposed:

  • Patient Name
  • Date of Birth
  • Address
  • Tax ID number (BSN like US Social Security number)
  • Telephone number
  • Patient number
  • Insurance number
  • Diagnosis
  • Medication
  • Lab results
  • X-rays and similar medical imaging
  • Treatment plans

Why was the information accessible?

  1. Unpatched and outdated versions of Microsoft, Adobe Flash and VMware software. Recently CSIS Denmark released a report which highlighted that 99.8 % of malware or virus infections could be mitigated by patching these applications along with Adobe Reader and Java.
  2. The password for the administrator account was ‘groen2000’. The password is both easily guessable and of extremely weak 40 bit strength. Using John the Ripper and a beefed up system, one could crack the password in seconds. I wonder if 2000 was the last year the systems were patched?

Why are medical facilities, hospitals, insurance companies and doctor offices seemingly so lacking in security and unsympathetic towards patient privacy?

  • Shockingly, the maximum fine in the Netherlands for data breaches is only 4,500 euro. This is cheaper in some cases than implementing anti-virus or buying a decent firewall. My previous Dutch GP once told me without flinching “Our systems are secure because we use MacOS, no anti-virus is needed.” If the punishment is cheaper, way cheaper, than remediation, I would take a fine any day.
  • DRA, the agency tasked with ensuring data privacy and investigating breaches, is staffed with about 80 personnel, which includes all support staff, whilst the Dutch Animal Police has over 500 officers.

Link to original story:

More proof that patching, keeping systems on supportable versions and strong, secured passwords are a basic requirement for you and all organizations. Lastly, Dank u wel/thank you very much to Bonnie and the Nederlands Genootschap van Hackende Huisvrouwen; it is good to know we have highly technical, expert hacker housewives willing to take a risk and help protect our privacy when governments fail to do so.





Patches! We don’t need no stinking Patches!

And you thought implementing a vulnerability program was too expensive!

Recently CSIS Denmark released a report which highlighted that 99.8 % of malware or virus infections could be mitigated by patching five key applications. Those applications, some of our favorites:

Internet Explorer – Lots of bells and whistles elements built into the browser which must be kept up-to-date for them all to be as secure as possible. IE is now a very secure browser for the most part, if kept patched! As with all browsers, if there is a dodgy website setup to exploit a browser weakness, unless it is a zero day (rare), patching will protect from this risk and is easy to deploy locally and administratively.

Windows Vista & Server 2003 – Both operating systems need to be kept up-to-date with a roadmap for upgrade to Windows 7 & Server 2008 respectively. If you weren’t aware, most users would rather still use Windows XP over Vista and would love to be upgraded to Windows 7. Both Server 2003 and Windows Vista have been out for a number of years and those naughty cyber-criminal syndicates are very familiar with exploitation. The operating systems are weaker than their upgrade counterparts due to some architectural flaws. An operating system infection is dreadful, you can’t trust any installed applications or the OS itself. They can also take the greatest amount of time and highest cost to remediate.

Adobe Acrobat Reader/Writer – The business, internet, research and education applications that all computer users have at one time (or 20 times today) used, much to our delight and frustration. Due to the widespread usage of the apps and lack of patch management they are a juicy, luscious, easy target.

Java JRE– Again, widespread usage and lack of general patch management is a driving force behind infections. Also, this application, similar to many Adobe products, suffers from a less than favorable security reputation.

Here is how expensive not patching and vulnerability testing is:

You have to call the CEO and/or the board to an emergency meeting. A trusted third party supplier infected your network and very publicly compromised a primary database of customer information. Quite sensitive customer information, that is. The CEO or other higher-up well known for arse-chewing, or at least at the level that can terminate you instantly, is on vacation. As an extra bonus, it is 2 am in his/her friendly, understanding corporate officer’s local time. No matter if your IT Security department had sign-off, documented meetings, warnings etc. to upper management or the board that a program was needed, it will still cost reputation, business and possibly jobs before the dust has all cleared.

If you are new to the topic and need some solid answers, a fantastic resource for assistance is Reddit NetSec. Try to avoid loss from the door being left unlocked to all your organization’s information because of an aged or insecure application that in most cases just needs a free patch. If your patch and vulnerability testing is lacking, get up to speed now. If all else fails, you can learn to use some new tools and update your CV/resume, just in case there is ever a risk, due to pressures within your organization, of having to make that loud, uncomfortable and/or demoralizing phone call.

There are low cost, awesome, high feature, speedy tools that can be used to express the importance of patching and vulnerability testing. They also have a low learning curve for new users:

Nessus– There is a limited free version which is perfect to perform quick (non) commercial tests. If you contact them and explain you wish to use a demo with more features I’m guessing they will likely send you one. Once you use Nessus it’s a fairly easy sell after presenting the app’s generally solid results.

FOCA-This is one of my favorite tools, always impressed when I use it. It is a succulent, meta-data driven beauty that makes basic to medium level pen testing feel like a holiday on a warm tropical beach during winter. At a push of a button, to paraphrase from their Hack in the Box presentation: Perfect for the lazy pen-tester. FEAR the FOCA!

Belarc Advisor – There are fully functional (free) home and low cost corporate versions. It’s HTML-based and can be parsed, with functions such as displaying software keys, showing whether patches were correctly installed with hyperlinks for rectification, review of user accounts and a custom security score. I have used it for more years than I care to reveal, lest I date myself out of the abundant job market.






Regarding the lack of Blog updates

Freedom of speech in a litigious society can be an extremely expensive proposition. My Advocate, although extremely experienced, is, as one would expect, equally expensive. We have a legal fund via insurance which only pays for <15 hours of his expert time. In June 2012 we lost our home and cat to an electrical house fire, leaving us only with some clothes, our dog and unexpected bills for replacement of necessities and rent costs for our new temporary accommodation (the Wi-Fi is horrible). JK47 had to bring me some clothes and, of all things, deodorant before we presented. Amazing all the stuff/crud/clutter you don’t think about until it is literally up in smoke.

As such, we cannot afford at this time to have our attorney review every single digital conversation public or private. Due to the threat of severe financial repercussions I have chosen to self-censor these past few months after JK47 and I presented in NYC for The Last H.O.P.E. This was prompted by very stern legal correspondence from the same law firm Apple uses the week of our presentation. This self-censoring unfortunately had to include personal conversations with friends and family via email, Tweets, LinkedIn, blog, conference attendance and anything regarding the IT based security domain.

The current president of the US, Obama, recently spoke to the UN regarding the continued global legality of blasphemy and the idiotically dubbed and smarmy film short “Innocence of Muslims”. I was inspired by one small piece of advice: the answer to controversial speech is not censorship but more speech.

This blog will again focus on actual IT related topics, such as correlation engines, multiple layers of OSI security, malware, bots, covert communications channels, etc…. Some things my foray into DefCon badges has taught me: I suck at photography and I love the beauty of IT security. I read RFCs for breakfast! Additionally, we have formally requested a blanket authorization in writing from Baker & McKenzie for my conference attendance so hopefully I can participate again within the community.

Thank you for your patience during this issue.