I would like to invite you to this years OWASP BeNeLux Event, I won't give a talk this year but I happily invite you as part of OWASP BeNeLux Program Committee:

Quick Facts


The agenda is a sound mix between Application Security, Forensics,  Risk Management and represents the current security landscape at large rather well: Building security into Applications in Enterprises, Managing Application Level Vulnerabilities, Source code review on a large scale. It also has 2 innovative talks on exploit mitigation and sandboxing javascript. 

Especially the talk about javascript sandboxing (JSand) has all my attention as it represent an interesting challenge that is hard to get right knowing the context within which javascript operates. It claims to be complete, requiring no Browser modifications and enforced client-side. The talk will also given at ASAC 2012 


Both the training day and the conference day take place at:
KU Leuven (University of Leuven)
iMinds-DistriNet Research Group
Celestijnenlaan 200A
B-3001 Heverlee
How to get there: http://distrinet.cs.kuleuven.be/about/route/
Hotel details: https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012#tab=Venue

[ Updated : Added  "10 Common Mistakes of Incident Responders" at the bottom]

The following post will brake one major rule I adhere to  when blogging, a post shall have not more than 10% of content that is not authored by myself. The content of this post resonated so well with me however that I decided to make an exception.

The following is attributed to Alit-Reza Anghaie a.k.a Packetknife.com. For those of you in similar situations I can only warmly recommend to consider and follow the advice. The emphasis is mine.

[Start of Excerpt] 
Alit-Reza Anghaie
I've had a fairly long and quite unintentional career in InfoSec ranging from Academic to Entertainment to Defense. Along the way a lot of mistakes were made or observed. This post marks the first in many installments to share lack of foresight turned into a graying face ghillie.

I'm not quite sure of the right format but I'm going with a Top Twenty - so I'll keep on the biggest pain points as I see them.

A post within the "straight to the meat" category :

There was a talk at Defcon 20 entitled "Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2", by Moxie and David Hulton - the talk announced the implementation of a tool that reduced the security of MS-CHAPv2 to the strength of a single DES encryption.

This post gives a quick rundown with references on what you need to know, enjoy - Thierry

History :
1999 - Bruce Schneier and Mudge document the vulnerability [2]
2011 - Sogeti releases POC performing the same attack against MS-CHAPv2 [4]
2012 - Defcon Talk detailing the flaw and  release of SAAS to crack the key within 23hours [3]

I updated BTCrack Open Source Edition (BTCrack OSS) to version 1.01 by patching 2 bugs that were reported by Michael Ossmann and Carl Dunhamm.


The  primary goal of BTcrack is to crack/recover the PIN and reconstruct the link-key from a previously captured Bluetooth pairing exchange. Together with Eric Sesterhen I released an open-source version of BTcrack in 2006 which since then is part of the tools included in Backtrack. You will find more information on BTCrack  and a POC video here.



  • List of Volatility Plugins
    Leading the Open-source memory analysis field (Forensic, IR, exploit dev)
  • IDA Toolbag
    Excellent new set of tools for IDA PRO
  • Inception
    Upto-date Firewire Toolchain to dumping memory over the firewire interface. This allows also to unlock locked workstations as Firewire, per design, allows full access to memory over DMA.
  • Cryptshark
    .NET library using  Blowfish, BCrypt, SCrypt, and PBKDF2 for any HMAC - following my blog post on how to store password securely, if your into .NET give it a look.



Tools / Techniques

Flame / Malware

Microsoft's Certificate Fiasco



Due to the latest row of high profile websites being compromised and parts of the password hashes being published here's a quick crash course on storing passwords "securely", for those that want a quick heads up. In this case I'd define securely as "Offering a suitable time window of resistance against recovery after being compromised". I will keep this post short and sweet and use links where possible for those interested in more information.

Update:  After reading this blog post read the interview of Brian Krebs with Thomas H. Ptacek on the matter. 
Update: Wrong bcrypt link fixed, update the Year bcrypt was presented.



Putting things into perspective, below are the most common forms of storing passwords (order from worse to best) :
  • Storing credentials in clear text
  • Storing credentials using a hash (MD5, SHA, SHA256) 
  • Storing credentials using unique salt per entry and a hash (MD5, SHA, SHA256)
  • Storing credentials using bit/key stretching mechanisms or being overall time expensive (PBKDF2, bcrypt, scrypt, phpass)

My Reads

News Articles

Updated Posts :

  • The Post "Attacker Classes and Pyramid " has been updated to the third iteration. The post was updated in terms of coherency but I also added my OWASP BENELUX presentation entitled "The Rise of the Vulnerability Markets - History, Impacts and Mitigations". The presentation underlines the rationale behind the Attacker centric concept and the proposed Attacker Triad.
Slide Deck :

Notable excerpts : 
The analysis of 54 exploit kits (mapped to the Opportunitsts/Mass-market class) lead to the following results:
Results : In order to protect against all tracked exploit-kits you had to patch 19 vulnerabilities in 2009, 24 in 2010 and 4 in 2011. That should be hardly a challenge and confirms the sophistication put forward in the Attacker Triad.

 The analysis of 54 exploit kits (Source: Contagio) lead to the following results:

Following up on my blog post a few months ago entitled "PCI compliance, Security in isolated systems and Parking Tellers Part 1" - I took a brief look the other day at another Ticket issued by a Parking Teller in Luxembourg.

Updated :
  • Clarified some of the explanations
  • Masked Luhn number

Ever since I started my career in information security I was both interested and intrigued by metrics applied to vulnerabilities (or metrics in general for that matter). CVSS is certainly not new and I had to make the choice whether to use it or not in the past and I always wanted to share some issues I had with it. This blog post laid dormant in DRAFT state since 8 months and I decided to publish it in parts rather than wait another year to finish it.

This blog series will explain a few elements of CVSS and in particular the points I feel are unclear, misleading, old or simply unfit for purpose.

This post assumes that you are accustomed to CVSS, if you are not, you may want to have a look at : http://www.first.org/cvss/cvss-guide.html