About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

🎄 My Holiday Wish 🎄

Five years ago I changed course, changed my life, and discovered this community. It has been an incredible journey, and there is still so much more ahead to learn and explore. My holiday wish is not for me but for you all, this community and the people here I have come to know. I want to give you the gift in my heart, appreciation and gratitude for finding welcome and purpose here, the sense of wonder for what you know and share, delight in how each of you shine so distinctly like beautiful stars to light my tree.

You may not see this, but I do. You may not believe in yourself and your abilities, but I do. And I watch with wonder and delight as you share your discoveries online for others to learn from; as you reach for that next bar, one rung higher, and go after your goals be they OSCP, giving a talk, literally and figuratively learning to fly. I soar along with you in that vast expanse of clear blue sky, limitless in its possibilities.

I feel your words and hurt along with you when you are brave enough and open to share your pain and loss. I wish for your comfort and healing, conveying support in emojis and 140 characters but giving all the hugs and love I can when we get to meet up in real life. Because those times together are precious gifts, where we get to build friendships and strengthen those bonds.

So many of you have enriched my life in ways you cannot know, and opened doors for me so that I can learn, grow and keep exploring. You inspire me with your ideas and passion, so that I follow your threads and read your blogs to learn from you, with you. Your words push me to keep trying, to look deeper. You fill my heart with your compassion and care for others, recognizing the basic needs of others here, calling out wrongs and standing up for rights.

My wish is to honour you by paying it forward, seeking ways to help others find their way here, to lift up those around me so they can soar and then cheering you on until I am hoarse. I wish for you to follow your dreams and believe that you are more than good enough to go after what you want. You make a difference because you are here.

WISP org and scholarship winners

I will follow this up on Twitter and try to share as many handles of you as I can for a list of the wonderful guiding lights you are. ❤️

I would also like to personally thank and celebrate the wonderful people who are the founders, staff and volunteers at The Diana Initiative. I am so blessed to get to work along with you to make this event happen, and to support and encourage women in this amazing field.

Finally, I want to give my heartfelt thanks to those who have stood by me when the road was rocky, who rescued me to my first ShmooCon, encouraged me to submit my first talk, welcomed me at my first hacker con at Circle City. You know who you are and your love and friendship has carried me here. <333

I wish you all a very happy holiday however you are celebrating today, and may you have the love of friends and family to make this time warm and wonderful. You are the lights on my tree and the hope in my heart. Love and peace!

InfoSec Women: Leaders and In Charge

There was a recent twitter thread asking for a list of women-owned or led InfoSec businesses. I’m capturing that valuable content to share and signal-boost here. These are leaders, builders, breakers and change-makers. I have so much respect for all of them!

This list is by no means complete and I apologize for any oversights. Please help me continue to build it to share forward.

Diversity, Equality, & The Diana Initiative 2019: What We Can Achieve Together


It’s the constant question: what will it take to fill all the empty roles in cyber security? And the ongoing challenge to gain a strategic advantage as adversaries continue to up their game in tech and tactics. Let’s start here. Draw a bigger circle. Invite people in who don’t conform with traditional requirements, because what we’ve been doing isn’t getting things done. Different experiences, cultures, backgrounds – these expand our field of vision by widening the lens we see through. We need to look beyond what we expect to see to find what we’ve been looking for. The fact is, we don’t know what we don’t know – but you can bet there is someone out there who does. Have we opened the door to let them in?

There has been growing realization and appreciation for what collaboration and communication bring. Just look at the power of fusion groups, or when various international law enforcement agencies work together to take down dark web markets. Let’s talk about synergy, when two or more entities combine to create a result that is greater than the sum of their individual efforts. We’re limiting our potential when we set limits on others. You can hear my thoughts on this episode of the InSecurity Podcast by Cylance. Here are some basic definitions to get us started.

Diversity: reflects the full spectrum of human differences to include race, ethnicity, gender identity, sexual orientation, age, social class, physical ability or attributes, religious beliefs, ethical values, national origin, political preferences and more. It’s time that panels, workplaces, boards reflected everyone in our society and on the basis of merit.

Inclusion: ensures there is involvement and encourages empowerment, to recognize the inherent worth and dignity of all. A sense of belonging is promoted and nurtured; respect is shown for everyone’s values and practices, talents, beliefs, backgrounds, and ways of living. It’s time to stop discarding people and ideas because we don’t like how they are different.

Equality: ensures that individuals or groups of individuals are not treated differently or less favourably because of their race, gender, disability, religious belief, sexual orientation and/or age. Think “Equal pay for equal work” and no more glass ceilings.

I am excited and honored to have been invited by Salesforce as a speaker at their feature event at Black Hat this August, “How to Make Equality a Priority in the Security Industry”. I aim to carry forward what’s been said by those in our security community, to represent and respect.


Go ahead – ask me how proud, how excited I am to be part of The Diana Initiative (TDI). We’re back for our third year in Vegas, right in the midst of all that is Hacker Summer Camp.

Yes! Everyone is welcome. We’re about inclusion and diversity. Let’s do a quick refresh on what those mean.

For those who don’t know what got us here, this is us:


Yes! You can still register online to come. At only $30 it’s a bargain, but you have to register to attend.

TDI is a smaller, comfortable, less-intense version of the big conferences going on around us, set in its own oasis at the Westin Las Vegas, just a short walk down from the Strip where Defcon is being held. This year we’ve gone above and beyond to offer all the good stuff attendees hope for:

Talks & Trainings. This speaker list is a wishlist of topics and expertise! Three tracks featuring technical and non-technical talks, as well as a separate training track. Outstanding contributors who’ve got amazing ideas and insights to share in a smaller, more intimate venue that will encourage and inspire some great conversations after.


CTF. Yes! In response to popular demand, we are having our first-ever capture the flag (CTF) event, involving some of the coolest, brightest folks in our community to plan it all out. We even have a CTF 4N00BZ training because everyone has to start somewhere, and this is an encouraging and supportive environment to make sure you do! This one you have to register for in advance and it’s FREE.

Lockpick Village: If you haven’t tried it, you’re in for a treat. From experience (really!) it is a life-skill, especially when you leave your keys 700 miles away and discover that at 2:00 am. It also brings people together as they share the fun of learning a new skill together, and encourage each other. It’s FREE. Plus, you can buy the picks and some fabulous lockpick earrings while there.

Soldering Village: Ohhh who does not love blinky badges?! You can learn how to make your own at our Soldering Village. We have a terrific instructor who will walk you through the process, set you up with the tools and supplies, and help you make your very own keepsake badge.

Career Village: Opportunities abound. TDI has always been about networking and mentoring. Attendees can meet with professionals to have their resumes reviewed, schedule a mock interview to gain interview skills, and meet in-person with company representatives who are hiring.


Let me leave you with this. I was recently a guest on the InSecurity Podcast by Cylance with Matt Stephenson, where we had a candid conversation about diversity and equality, how far we’ve come and the distance left to go. Have a listen and I hope you enjoy it as much as I did. When it comes to making the changes we need in diversity, inclusion and equality, there’s a lot more to be said and done and our journey is just getting underway.


Yes you can! Submitting an InfoSec CFP

We all needed this page at one point. Or more. I know I did, and thank you to the people in our community who had stuff like this for me to find. I’m adding recent updates from great community members. The fact is I have learned so much from all of your talks, and I would love to learn more. My turn to pay it forward so that you will have your turn at the podium. 😊

“Do that thing which scares you”

Why talk? Why not just write or post? Well, a talk is more than just words on a screen. We get to see and hear your passion, which elevates your concept to another level. And we get to see – you! In a community of introverts, facetime is powerful. We love to learn by watching videos of talks given. Like yours. The other plus is that you get to attend a Con, which if you have read any of my posts, is both incentive and reward.

I know. It seems so difficult. Feels so scary. But the best advice I can give you as you start out is this:  give a talk. You may be able to start small, with a local meetup group. Someplace you feel comfortable, where you can talk for 20 minutes or more, on something you are excited to share and would love to explain. Okay. Pep talk over. You are good enough, smart enough and one of us. We want to hear what you have to say and we are willing to help you do it. Go for it!

Timing is Everything

There are many CFP (Call for Presentations) opportunities throughout the year, although most people are familiar with the flurry of activity around March/April for Black Hat, Defcon, BSidesLV and The Diana Initiative. Deadlines can be 5 months or more before the conference takes place, meaning deadlines and due dates need to be tracked. Get out your wall calendar and start marking it up now. Don’t let this opportunity pass you by.

Where to Start

Where to even begin? Here. So relax and just start by reading to see what it is all about. There are people to reach out to in our community if you want to do this, including me.

Watch the videos of past presenters from where you want to speak. Or those who talk about what you want to talk about. Know what has already been covered so you can bring something new. Or get a sense of what is trending. Plus, you can see how people deliver a talk. How slidedecks are put together. What humour works. Check out talks on this site: http://www.irongeek.com . Adrian Crenshaw has recorded talks at many conferences. You’ll find good stuff here. And there are still talks on YouTube.

Is this your first time? Don’t be shy. We all had a first talk. BSidesLV offers Proving Ground, a fantastic program at the start of their CFP phase to invite new speakers and pair them with a mentor. I know. That is how I started and it was amazing. Even better are the relationships you build here which carry forward, along with the learning. Because InfoSec is a community and our strength is in our people. Now I mentor and learn so much from my mentees. Total win-win. Learn more here: https://bsideslv.org

The Diana Initiative offered mentoring for CFP submitters this year after first round selections. I was one of the mentors, and all three of my mentees actively worked with me, revised their original submissions and were accepted. Way to go!! Your idea is a diamond in the rough – mentoring helps give it that polish to shine in all its glory.

How To List

I am basing this on a terrific resource made available to our Diana speakers this year by Circuit Swan, who is actively involved in a number of events and has critically evaluated many submissions.

  • Titles matter. Avoid buzzwords, keep it short, test it out on folks. You need to make sure it says what your talk is about.
  • Abstracts market your piece. This is the short and interesting blurb we all want to read in con schedules and programs to decide what we cannot miss. You need to catch people’s attention to get them as attendees. Your abstract should clearly state
    • what you are talking about
    • why you are giving this talk
    • who your target audience is
    • what takeaways attendees will leave with (yes, candy can be included here)
  • Outlines are everything. This must be so much more than just bullet points and random cliches thrown together. This is where you demonstrate not only your subject matter knowledge, but your commitment to deliver something worthy of your audience’s time and attention.
    • Walk the reviewers through your topic from beginning to end in an orderly fashion.
    • Start with an Intro, then work your way through each section of your talk with main points, examples, demos, and takeaways or learning points for attendees.
    • Don’t forget your conclusion and Q&A portion.
    • Then, ADD in how much time you estimate each main section will take. Intros should be short, with one slide about you that will not take more than a minute at most to present.
    • Go back and re-read the submission requirements to make sure you followed the rules. Blind submissions do not want you to reveal yourself so leave your name, workplace, online persona and any identifying details out unless explicitly asked for.
    • Take care. Go over everything and check spelling, formatting, any acronyms that are not spelled out in full.

Want to see a good example to work from? Check out this sample submission from ShmooCon.

Great Online Resources

Kat Sweet has both given talks and evaluated them. Trust her. She is friendly, so smart, and very good at talks. Great starting place.

Hacks4Pancakes is a wonderful resource for our community. Her guidance is true, and if you don’t know her blog, then let’s correct that right now. She has given and evaluated talks, and shares the wisdom of her experience at Tisiphone.net.

Daniel Miessler recommends what you need to know about putting together a good talk. It starts with an idea that develops far beyond words on a page. You want to make sure you know about format, deadlines, requirements etc.

Nikita weighs in on Defcon hopefuls. Now you are ready to hear the hard truth. Let’s make that paper stand out in a sea of submissions. You can be among the chosen, but only if you make your talk worthy.

“New Year wish list of an Infosec Conference Content Reviewer”, Kymberlee Price, 2017. Kymberlee has reviewed submissions for KasperskySAS and is on the content review board for Black Hat, among others. This is her wishlist as a reviewer, and very helpful.

How to get your talk accepted at Black Hat (2016/03/30). Why not aim high? Here are some suggestions to help you get noticed, from one of the top-tier conferences and from Stefano Zanero, attendee and reviewer.

The Growing Threat of Botnets & Cryptominers

On Friday June 7, I had the pleasure of being invited back a second time to speak to students in the cybersecurity program at Sheridan College’s Faculty of Applied Science and Technology. This is such a great way to encourage the next generation, to give back to our security community, and I honestly think I’m the one who learned more from the students in our fun discussions afterward! Thank you so very much for asking me.

As promised, a little overdue, here are my slides and I hope they are helpful.


Over the past two years we have seen an evolution in botnets from instruments of mass disruption to exploit-enhanced armies amassed from hundreds of thousands of vulnerable IoT devices used for cryptomining and control.

Attackers have turned from ransomware to miners in their quest for monetization, seizing the opportunity for a guaranteed return on investment. No risk, no overhead, no ransom. There is a wealth of resources in enterprise environments to feed the high CPU and energy demands of hungry miners while evading detection. Attackers are leveraging widespread critical vulnerabilities on enterprise systems to gain access and propagate. And once inside those data-rich enterprise networks – there are other opportunities to be mined for both criminals and nation state attackers.

As we move past outages to destructive payloads, what should we expect when weaponization meets automation? That’s what I wanted to do with this talk – present the evolution of botnets and miners from annoyance to adversary, and discuss how we need to reassess our attack surfaces from IoT to enterprise.

Since January 2018, when I first read about the massive cryptomining botnet, Smominru, I was hooked and had to learn more about how hundreds of thousands of vulnerable IoT devices could become zombies in a botnet army that was used to mine bitcoin. Last year I spoke on the rapid evolution of botnets, but cryptominers have taken on a life of their own, and present an increasing threat to enterprise systems, which are often behind in patching cycles and therefore vulnerable to opportunistic attackers, ready with exploits.

When it comes to botnets, we perceive an increasing attack surface in terms of IoT devices, but malevolent cryptominers have discovered the land of opportunity in enterprise systems, where there is an abundance of CPU power and energy sources so they are less detectable. Botnets have increased by more than 500% since 2017, and there has been a fifteen-fold increase in cryptomining across 2018 into 2019. Attackers have leveraged sophisticated exploits from the Shadow Brokers’ stolen cache of NSA goodies, like EternalBlue, to gain access and spread. But they are also making the most of Windows systems and internals, utilizing PowerShell, and “living off the land” to evade detection.

With a guaranteed return on investment at almost no cost and no risk, cryptominers present a “nothing to lose, everything to gain” incentive for criminals and attackers. But how seriously are they being taken as a threat by organizations? In my opinion, not seriously enough. While current facts may not show them as a blip on the threat radar screen, the tactics and evolution warn of what is coming. I’ve tried to share two years of my fascination and research on how botnets and cryptominers have moved from annoyances against individuals to weaponized attacks on enterprise systems.

The simple fact is, you won’t find what you’re not looking for. Enterprise systems don’t have a great detection rate for cryptominers. My objective is to create awareness around how attackers are leveraging current enterprise vulnerabilities in conjunction with sophisticated exploits so that botnets and miners evade detections in place. Because once they’re in your network, they can do a lot more than mine bitcoin.

I provide some details on which CVEs, which exploits, and which tactics are being used by attackers; which ports should be monitored and are used by miners; how Linux, Docker and Mac are now targets; and articles and sources on recent attacks. Some attacks I use to illustrate are:

  • Kingminer: bruteforce entry on servers running MS IIS/SQL, disabling the
    configuration file with an API for evasion
  • PSMiner: backdoor Trojan cryptominer targeting Linux and MacOS via
  • Docker Rigs: cryptojacking campaigns on vulnerable Docker rigs
    leveraging CVE-2019-5736 to overwrite the runc binary and create a
    container escape to write arbitrary code
  • Smominru: massive cryptomining rig leveraging EternalBlue and WMI
  • WireX: botnet of Android devices infected through Google Play Store
    apps to connect them to a headless web browser and encrypt malicious
    traffic using SSL

CVEs/Vulnerabilities used for RCE:

  • CVE-2012-0874: JBoss Enterprise Application Platform multiple security
    bypass vulnerabilities
  • CVE-2010-1871: JBoss Seam Framework
  • JBoss AS 3/4/5/6
  • CVE-2017-10271: Oracle WebLogic wls-wsat component deserialization RCE
  • CVE-2018-2894: vulnerability in the Oracle WebLogic Server component
    of Oracle Fusion Middleware
  • Hadoop YARN ResourceManager – command execution
  • CVE-2016-3088: Apache ActiveMQ Fileserver file upload

So, yeah, if you’re working in a medium to large organization then chances are excellent you’ve got some of the above in your enterprise network environment. Do I need to remind you about those active exploits against Oracle WebLogic – again? Go patch!

Hackfest 2018

Hackfest has to be one of my favourite security and hacker conferences. Located in beautiful Quebec City, Quebec, it’s the perfect opportunity to meet up with friends old and new over a good beer, sugar pie and of course poutine.

2018 marked the 10th anniversary of Hackfest, and the second year of the extremely popular Social Engineering CTF. There was a special epic edition of The French Connection podcast – yours truly was invited to join the group to talk about all the things in both French and English, as the glasses kept getting topped up.

Hackfest is known for its excellent trainings before the event, and people come yearly just to participate in the legendary CTF. However, there was so much more to do, and attendees brought their kids along to join in the fun of makerspaces and badges.  I loved getting to try my hand at soldering.

And of course there were the talks. Kudos to my friends Cypher and Pam for an excellent talk on analyzing hacked data services and their tool Breach Analytica.

I shared my thoughts on the evolution of botnets from DDoS annoyances to malware-laden weapons of mass disruption. You can enjoy my talk here:



The Power of Our Community

A few short weeks ago, a dream of mine came true. I spoke at DerbyCon. Twice, in fact – I’m still pinching myself. But best of all was that I got to speak about something that matters so very much to all of us – community. Our infosec community.


2018 has been an extraordinary year of opportunity and personal goals realized, and I don’t want to take any of it for granted. Over the past four years since falling down the rabbit hole of wonder known as InfoSec, I’ve been very fortunate to have given talks at many conferences, and it matters because speaking at “hacker” cons is how I have really been able to grow and develop, where I get to build meaningful connections with our community by giving and receiving knowledge. My badges are a powerful tangible timeline for me, starting my journey from when I first came here with nothing, during an awful period in my life. Each badge is a foothold on that mountain I climbed, imbued with what I learned, strength from those who helped me, pain from those who didn’t, and my desire to learn more, try harder. I see the faces of people I’ve come to know and love, places that are now familiar, memories filled with amazement and laughter. All of that fills me with gratitude and hope and a childlike wish to reach for the stars.


I have never expected anyone to pay my way, and I never will. For my first trip to Vegas, and my first ever talk, I came down with a box of cereal bars and the good will of friends who let me crash in their rooms. Thanks to BSidesLV Proving Ground, and working as a volunteer, I had food, shelter and enough to get a pass to Defcon. It was more than I ever dreamed of, and everything I ever wanted. I met people who believed in me, who shared the same passion for InfoSec I had. I am forever grateful to the friends I made who welcomed and supported me during those early days, and for the doors BSidesLV opened up. What I get from giving talks and going to infosec cons has been life changing, and it’s made me a better human because I think how I can help, what I can give back, what I can share. I’m sharing this to encourage anyone who thinks they can’t get there from here, who’s faltering just now and needs someone to say “I believe in you.” Yes you can!

This is my way of saying “Thank You”. There is profound joy in discovering your passion, and being able to follow it. It is a gift to be part of a community of learning, and I have learned so much from so many of you, even those who think they are new, or have nothing much to share. I wandered a very long time before I found my way here, but when I did, I knew I was home, I belonged here in all the ways I had never belonged in the rest of my life. And gathered along the way during my journey here I bring experience, humility, compassion, determination and so much more to help us build, strengthen and grow this wonderful community we are.

This is the talk I gave at DerbyCon about all we are, and the potential we have. I hope you can see yourselves in the reflection of the respect and appreciation I have for you.  We are beautiful in our imperfections. We are infinite in our possibility. We are better together. I believe in us.



A Bevy of Botnets

Trickbot & Mirai & VPNFilter
Botnets do more than put things out of kilter
Ransomware, miners & banking crime rings
These are a few of my favourite things

Ah botnets – they scare and fascinate me, like a really good horror movie. And given the horror show that IoT has become, that is rather apropos. At the beginning of January I became fascinated with what we have all seen develop into The Year of the Botnet. That fascination led to research which led to talks and now to this blog post. Because there are just so many good stories here to tell.

Something wicked this way comes …

Imagine a zombie apocalypse … of crockpots? Welcome to the connected hell of IoT, where “set it and forget it” really is a best practice. Default passwords are de rigueur. And embedded system vulnerabilities are everywhere. Have we even factored in the tsunami of unsecured connected devices being acquired by the developing world?

Botnets have moved beyond the realm of script kiddies playing the Grinch at Christmas with PlayStations & Xboxes. We need to look at these as more than an attack of annoyance or inconvenience. They have become one more weapon in a digital arsenal for the games nation states play, no referee, no playbook.

[Image: biggest DDoS recorded]

At the beginning of January, we saw a flurry of activity as Mirai variants got busy out there. More importantly, 2018 is to coinminers what 2016 was to ransomware. And coinminers go together with bots like peanut butter goes with jelly.

My hit list of the biggest and baddest:

Smominru: Holy carp but this one was a giant mining rig that opened the floodgates in January and caught my attention by its sheer size. This is one of the biggest, most successful cryptojacking botnets currently active. It netted $2.3 billion by leveraging EternalBlue to find and enslave more devices. Superpower: evades sinkholes.

Necurs: The hits just keep on coming. The largest spam botnet in the world discovered ransomware just in time for Thanksgiving last year. Necurs is known for delivering some of the nastiest stuff out there. And serves as a pointed reminder that threats don’t disappear forever.

Mirai and its spawn: Mirai was a watershed moment, bringing the east coast to its knees with an unprecedented prolonged outage. That source code was released, and has been manipulated like playdough in the hands of attackers. The past six months have brought about significant evolutions in what the botnets target and what the botnets can do. Progeny include Satori, Masuta, Okiru.

Satori: This is an attack bot that hijacks cryptocurrency miners, steals funds, and launches DDoS attacks. It survived a takedown attempt in December. Then it went after those tasty GPON routers. Port 8000 sure was busy in June, with lots of port scanning for devices that had it open on their WAN interface, in response to the XiongMai PoC for a buffer overflow vuln, CVE-2018-10088. That’s a lightweight web server package often embedded in the firmware of some Chinese routers and IoT equipment. Then the botnet authors added support for a second exploit (see Bleeping Computer, June 15). This also had a PoC online, for D-Link DSL-2750B routers, exploitable via ports 80 and 8080.

I’ll spend a little more time on Satori because it showcases how the release of the Mirai code has pushed the evolution of botnets. Satori selectively scans for vulnerable IoT devices, and exploits – no surprises here – Huawei. And … the code for Satori was posted on Pastebin for free.


Hide n Seek: Persistence pays off. Here’s the pivot we’ve been waiting for. This is the first time a botnet has achieved persistence, and I don’t have to tell you that’s a bad thing. There are a few other interesting enhancements that indicate attackers are looking beyond what we see bots currently used for: a custom built peer-to-peer communications set up; multiple anti-tampering techniques so that nobody can interfere; leveraging exploits.  This bot has had three updates, increasing its capabilities significantly each time. It moved from basic IoT cameras to a host of other IoT connected devices and a range of architectures. Now, it can go after Android devices. For a botnet whose sole purpose thus far has been to go forth and grow, they just seriously upped their game.

VPNFILTER: Who didn’t get the notification from the FBI about turning off their SoHo routers to flush this malware. This hit around June, with all the bells and whistles that come with a nation-state backed investment. TLS – ha! bypassed that security. Man in the middle attacks on incoming web traffic. What had security folks doing a double take was that this malware wasn’t about just co-opting these devices for a routing attack but to actually pwn the device completely and take ALL the data going through it – yes, attention online shoppers. According to the Talos team, the attacks were extremely targeted, pinpointing credentials. This went after ALL the routers, 500,000 in 54 countries, gobbling up those vulnerabilities. It hasn’t gone away, it’s just gotten better at what it does and added even more routers to its growing collection. And yes, it most definitely has persistence.

PROWLI: This infected 40,000 web servers, modems and IoT devices in what is described as a “diverse operation” that leverages known vulnerabilities and brute force attacks for credentials. Targets of choice included Drupal, WordPress and Joomla sites, hitting exposed SMB ports. The malware spread via the R2R2 worm to load a Monero miner, and infected the CMS platforms with a backdoor.

Mylobot: Evasion. Infection. Propagation. There’s a whole lot of upscale tricks this new malware came loaded with. Anti-VM, anti-sandboxing, anti-debugging, process hollowing, code injection. This botnet is multipurpose, ready to be loaded with keyloggers and trojans, or cause a DDoS. Superpower: seek and destroy other malware.

Anarchy: Rome wasn’t built in a day but Anarchy botnet sure was. 18,000 devices were tracked when security researchers saw a serious uptick in scanning of Huawei devices on July 18. Yeah, no problems with those. They were looking for CVE-2017-17215, which is a critical flaw that can be exploited through port 37215. Attackers can send packets of maliciousness in attacks and remotely execute code to enslave and control these zombies. A hacker called Anarchy has declared this their creation, per security researcher Ankit Anubhav on Twitter. This vulnerability was leaked in Dec 2017 and used in the Satori botnet. The code to compromise the Huawei routers was made public in January and used in both the Satori and BrickerBot botnets, as well as spawn-of-Mirai botnets.
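The Satori and Anarchy write-ups above both hinge on the same observable: one source suddenly probing a large number of hosts on a single vulnerable-device port (tcp/8000 for the XiongMai web server, tcp/37215 for the Huawei flaw). Below is an added example, written for this post and not part of the original or of any vendor tool, that flags that pattern in flow logs from the defender’s side. The log format, the addresses and the threshold (5 distinct targets within 60 seconds) are constructed assumptions; real NetFlow, Zeek conn.log or firewall exports will need their own parser.

```python
"""Flag sources mass-scanning the IoT exploit ports named in the post.

Added example, not from the original post. The flow-record format, the
addresses below and the detection threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Defender watchlist: ports the post ties to specific botnet campaigns.
WATCHED_PORTS = {
    37215: "Huawei HG532 (CVE-2017-17215) - Satori/Anarchy scanning",
    8000: "XiongMai uc-httpd (CVE-2018-10088) - Satori scanning",
}

# Constructed flow records: "<iso-timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
# scanner sweeping the Huawei port across six hosts in a few seconds
2018-07-18T10:00:00 203.0.113.7 192.0.2.10 37215 tcp
2018-07-18T10:00:01 203.0.113.7 192.0.2.11 37215 tcp
2018-07-18T10:00:01 203.0.113.7 192.0.2.12 37215 tcp
2018-07-18T10:00:02 203.0.113.7 192.0.2.13 37215 tcp
2018-07-18T10:00:03 203.0.113.7 192.0.2.14 37215 tcp
2018-07-18T10:00:04 203.0.113.7 192.0.2.15 37215 tcp
# second scanner sweeping the XiongMai web-server port
2018-07-18T10:01:00 198.51.100.9 192.0.2.20 8000 tcp
2018-07-18T10:01:02 198.51.100.9 192.0.2.21 8000 tcp
2018-07-18T10:01:05 198.51.100.9 192.0.2.22 8000 tcp
2018-07-18T10:01:09 198.51.100.9 192.0.2.23 8000 tcp
2018-07-18T10:01:12 198.51.100.9 192.0.2.24 8000 tcp
# ordinary host: many web connections, only two touches of a watched port
2018-07-18T10:02:00 192.0.2.50 192.0.2.30 80 tcp
2018-07-18T10:02:00 192.0.2.50 192.0.2.31 80 tcp
2018-07-18T10:02:01 192.0.2.50 192.0.2.32 80 tcp
2018-07-18T10:02:01 192.0.2.50 192.0.2.33 80 tcp
2018-07-18T10:02:02 192.0.2.50 192.0.2.34 80 tcp
2018-07-18T10:02:02 192.0.2.50 192.0.2.35 80 tcp
2018-07-18T10:02:10 192.0.2.50 192.0.2.40 37215 tcp
2018-07-18T10:02:11 192.0.2.50 192.0.2.41 37215 tcp
# retries against one router: many flows, but only one distinct target
2018-07-18T10:03:00 192.0.2.60 192.0.2.45 37215 tcp
2018-07-18T10:03:01 192.0.2.60 192.0.2.45 37215 tcp
2018-07-18T10:03:02 192.0.2.60 192.0.2.45 37215 tcp
2018-07-18T10:03:03 192.0.2.60 192.0.2.45 37215 tcp
2018-07-18T10:03:04 192.0.2.60 192.0.2.45 37215 tcp
2018-07-18T10:03:05 192.0.2.60 192.0.2.45 37215 tcp
"""

Flow = Tuple[datetime, str, str, int]


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record; return None for comments/junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4:
        return None
    try:
        return datetime.fromisoformat(fields[0]), fields[1], fields[2], int(fields[3])
    except ValueError:
        return None


def max_distinct_targets(events: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct destinations seen inside any one window."""
    events.sort()
    best = 0
    for i, (start, _) in enumerate(events):
        targets = set()
        for ts, dst in events[i:]:
            if ts - start > window:
                break
            targets.add(dst)
        best = max(best, len(targets))
    return best


def find_scanners(lines, window: timedelta = timedelta(seconds=60),
                  min_targets: int = 5) -> Dict[str, Dict[int, int]]:
    """Map source IP -> {watched port: distinct hosts probed} for sweeps."""
    by_src_port = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, port = flow
        if port in WATCHED_PORTS:          # ignore unwatched traffic entirely
            by_src_port[(src, port)].append((ts, dst))
    flagged: Dict[str, Dict[int, int]] = defaultdict(dict)
    for (src, port), events in by_src_port.items():
        hits = max_distinct_targets(events, window)
        if hits >= min_targets:            # sweeps, not retries, get flagged
            flagged[src][port] = hits
    return dict(flagged)


def report(flagged: Dict[str, Dict[int, int]]) -> List[str]:
    """Human-readable alert lines, one per (source, port)."""
    return [f"{src} probed {n} hosts on tcp/{port}: {WATCHED_PORTS[port]}"
            for src, ports in sorted(flagged.items())
            for port, n in sorted(ports.items())]


if __name__ == "__main__":
    for alert in report(find_scanners(SAMPLE_FLOWS.splitlines())):
        print(alert)
```

The point of counting distinct destinations per window rather than raw flow volume is that a single router being retried (host 192.0.2.60 above) and an ordinary busy web client (192.0.2.50) both stay quiet, while the two sweeping sources are the only ones reported. Tune the window and threshold to your own network’s baseline before treating a hit as more than a lead.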

And I think I saved the best for last …

Torii: New on the scene, this one joins the hall of infamy as only the 3rd botnet to achieve persistence. Torii does not appear intended for the mundane purposes of DDoS or cryptomining. It uses no less than 6 techniques for persistence, and is designed for a dizzying array of CPU architectures. Torii has a modular design so that it can be multipurpose, doing its dirty work under layers of encrypted communications. Nobody knows what its actual purpose is or who made it, but the thinking is that this could be the backdoor to something even bigger. Time will tell …

BYOD and IoT  
We all know about Shadow IT. And the joys of trying to manage BYOD. Everyone brings their own stuff in, or uses their own stuff remotely. The intermingling of unregulated tech and sensitive data is terrifying but real. SOHO routers are the heart of botnets, enslaving attached devices. What does this look like if it goes beyond routers and webcams flooding access?

Bad bad bad bad things …

What aren’t we taking into consideration that attackers could leverage next? I have a few theories for you about ICS and sensors working overtime.

Most botnets have tasks to fulfil, which means they need to call home, and that reveals the C&C servers so that you can eventually track them down. So here’s the next pivot: what if they don’t have to call home? What if they have one job: to go forth, infect and grow? We’re talking about a wormable botnet, self-propagating, that leverages some of the best available exploits out there, like EternalBlue. With no human required. Up to now, botnets have mostly been monetized for DDoS and sold on the darknet, unless they are being used to amuse skiddies. The exception was Mirai, which was used as retribution in targeted attacks against Brian Krebs, and a major provider in France. DDoS became a weapon, not just an outage.
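The "call home" the paragraph leans on is also the defender's best signal: an implant that checks in on a timer produces connections with an unnaturally regular gap, and that regularity is what disappears in the no-call-home scenario the post goes on to describe. Here is an added example, written for this post and not code from any of the botnets it names, that scores connection records for that cadence. The record format, the sample traffic, the minimum of eight connections and the jitter threshold are constructed assumptions.

```python
"""Spot internal hosts that contact one external endpoint on a fixed cadence.

Added example for this post, not code from any of the botnets it names.
The connection records are constructed; the minimum count and the
jitter threshold are assumptions a real deployment would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_conn(line):
    """Constructed record format: '<iso-8601 ts> <src> -> <dst>:<port>'."""
    ts, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.strptime(ts, TS_FMT), src, host, int(port)


def find_beacons(lines, min_connections=8, max_cv=0.15):
    """Return {(src, dst, port): mean_gap_seconds} for pairs whose gaps
    between connections are near-constant: coefficient of variation
    (stdev / mean) at or below `max_cv` over >= `min_connections`."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_conn(line)
        pairs[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in pairs.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # every connection in the same second: no cadence to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


def _constructed_connections():
    base = datetime(2018, 10, 1, 12, 0, 0)
    lines = []
    t = base  # implant-like: every ~300 s with a few seconds of jitter
    for gap in [0, 300, 303, 298, 301, 299, 300, 302, 297, 300, 301, 299]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} 10.0.0.7 -> 203.0.113.9:443")
    t = base  # human browsing: bursty, irregular gaps
    for gap in [0, 5, 120, 30, 600, 2, 45, 900, 10, 300, 60, 15]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} 10.0.0.8 -> 198.51.100.40:443")
    t = base  # perfectly regular, but too few connections to judge
    for gap in [0, 60, 60]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} 10.0.0.9 -> 192.0.2.77:8080")
    return lines


SAMPLE_CONNECTIONS = _constructed_connections()

if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}:{port} every ~{gap}s")
```

A steady cadence is a lead, not a verdict: NTP, update checkers and monitoring agents beacon too, so known destinations get allow-listed and the rest get looked at over a longer period. The threshold trades the two failure modes against each other: raise `max_cv` and you catch implants that add deliberate jitter, but start flagging chatty legitimate clients as well.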

The fact is that attacks evolve. Where could attackers go with this? What if attackers level up to nation-states? The devices that make up an army don’t need to be sophisticated. In this game it’s about quantity, not quality.

How much damage can they do? Weaponized botnets are no mere annoyance. Their capacity to create extensive outages or deliver malicious and damaging payloads is far beyond inconvenience.

What do you get when you combine unpatched vulnerabilities, existing nation-state exploits, millions of enslaveable, inherently insecure devices and self-propagating malware? What if you could use time delay to evade notice and make less noise? Leverage multiple attack methods, based on operating system? Establish persistence? Oh – and it’s all automated.

An Epidemic of Healthcare Breaches

Isn’t it ironic? Following the massive Equifax breach of 2017, and the fallout from the OPM breach in 2016, how is it that there are still monolithic breaches in 2018? How the #@*^&$ does this keep happening? I started charting a breakdown by sector and severity here. I’ll also show disclosure dates, because the time discovered vs the time revealed has a huge impact on those caught up in a breach. It’s time used by the bad guys to sell the data and use that data for fraud. Victims deserve to know as soon as possible so they can choose what action to take to protect themselves, rather than rely on someone else to do that – badly – for them. A year of credit monitoring just doesn’t cut it.

What disturbs me is the amount of healthcare data out there, and the number of breaches, which exposes some very sensitive information of some very vulnerable victims. I’m going to continue to dig into this and show what I find. A special shout out to folks who are working hard to secure healthcare: I am the Cavalry, @JoshCorman, @_j3lena_, @_odddie_, @beauwoods to name but a few.

Here is the link to the spreadsheet Breach Report I am keeping. You are welcome to use what I share, with the reminder to always be sure to cite your sources. This is just the tip of the iceberg. I’ll do my best to share updates and links.

Where should you look if you have been breached or suspect you have? I recommend “Have I Been Pwned” by Troy Hunt, and there are other resources out there. Lots of people are doing great work in this field, to whom I give all credit. I like to check DataBreaches.net.

The Diana Initiative 2018


Like many, I am counting the sleeps until Hacker Summer Camp happens this year in Vegas. I am more excited for this than my kids ever were for sleepaway camp! Cons are where we reconnect with each other and do some major facetime IRL. As someone special has told me, each year it becomes more about attending to see our people than to learn the things.

This year, I am volunteering at 3 events, speaking at 3 events, and trying to see all the events lol! (alas not Black Hat since I can’t pay my way there and am not a speaker). Most of all, I’ll be helping host an event for the second year. The Diana Initiative is a two-day conference where we celebrate diversity and women in InfoSec, and help attendees pursue a career in information security and technology. The conference is all-inclusive, because we want everyone to learn to work better together. If you want to attend please do – be sure to register online because we won’t be able to accept walk-ins.

Our theme this year is “Hacker Family: Our Diversity Unifies Us” which resonates with me the more I get to know our community. I think of our hacker family dinners – because as many of us will attest, this community has become our family. Each of us brings something unique to the table, and when we share that knowledge and experience, there is a feast of learning and growth. I didn’t get here without some help and support along the way, and this is how I get to repay that and pay it forward. We build our future by nurturing and growing the next generation and those to come.

This year we have expanded our talks to two speaking tracks, featuring technical as well as non-technical so that our attendees can show all they know! The submissions were outstanding and I give huge congratulations to everyone – our list of talks is fantastic! Exploits, imposter syndrome, IoT, CFPs, python and cryptography to name some of the topics covered. Here is our Diana Initiative Schedule so you can see the list of talent.

But wait – there’s more. We are thrilled to announce we are featuring four incredible keynote speakers:

Thursday 9:45 am Shannon Morse @snubbs “Personal Branding as an Infosec Influencer – Building a Career from Scratch”. Shannon is Hak5’s host, producer and lead editor, and actively promotes security and women in tech.

Thursday 5:00 pm Elizabeth Wharton @LawyerLiz “The Skirt Shoots, Scores and Soars”. Liz actively speaks on IoT, drone, and aviation cyber security issues, as well as hosting the Lawyer Liz podcast.

Friday 9:45 am Keirsten Brager @KeirstenBrager “Seconomics: How to Earn More Money and Influence in the Next 5 Years”. Keirsten is well respected as an author and speaker promoting strategies for success and helping to change the game.

Friday 6:00 pm Amanda Berlin @InfoSystir “Hackers, Hugs and Drugs – Mental Health in Infosec”. Amanda is well known for her involvement in the community, on the Brakeing Down Security podcast, and for her book with Lee Brotherston, “The Defensive Security Handbook”.

Support and goodwill from the community has been more than we could wish for. Huge thanks to Risky Business Podcast host Patrick Gray and sponsors Signal Sciences, Remediant and Bugcrowd who are hosting a special mentorship cocktail hour from 6-7 pm at Alexxa’s Bar @ Paris on the Las Vegas Strip Tuesday, August 7th. They have invited Diana Initiative attendees along with Risky Business listeners who identify as women; registration details are on the Diana Initiative registration form.

Once again, Lockpick Extreme has offered to host our Lockpick Village, which was a tremendous success last year. This year, they will also be offering a lock pinning workshop, which you must pre-register for on our online form.

We want to help attendees follow their passion for infosec and build their careers so we’ll be holding a Career Fair with resume workshops, mock interviews and the opportunity for professional headshots. Some of the most talented and experienced folks in infosec will be giving their time in individual sessions to help our attendees who have registered online.

And this is Summer Camp so yes, it will be all fun and games for a little while. We are hosting a Quiet Party on Thursday night and a Loud Party on Friday night, with board games, challenges and opportunities to meet people and talk about our diverse interests in a relaxed, comfortable setting.

It takes a village. I am moved beyond words by the support, encouragement and caring expressed by our volunteers and sponsors – this would not be happening without you. Each of you is making a real difference, and helping us to build something that goes far beyond a two-day event. That is why we chose the word “initiative” – to embody the spirit of a movement, and represent change and progress as ongoing. And I am honoured to be part of this dedicated, talented team who have put their whole hearts and countless hours into doing the multitude of things required to bring our event to life. We are here because we share a belief in what we do, and we answered a call to help make things better.

Let’s make this happen again! Can’t wait to see you in Vegas!