On and Cryptocurrency Mining

“When able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near”
Sun Tzu, Art of War

I came across this article last week:

<image credits:>

If you find it TL;DR : my rough translation will be:

The news site is telling their viewers to:

  • Pay them $$$ for news access (subscription model) or
  • Show their Advertisements; else
  • Mine them some Monero/XMR

This is like premium subscription model (usual for some US news sites) vs Ads/Adsense model (freemium) vs Coinhive model. Wow! Just wow!

And from an #InfoSec perspective, I find this move so wrong on many levels. Initially, I wanted to rant out in twitter

But I chose to have an open mind and weigh things out first. Why not a blog post for on this topic? Maybe this can be a good way of “furthering the dialogue” and this is why we have this post 🙂 )

I’m not a regular visitor of All I know is that they are US/American news/opinion website. I also checked they seem to be Top 1000 site in US, Top 5000 Global site according to Alexa siteinfo

<Screen capture from siteinfo>

So green light and good website creds for me imho.

Some interesting points on their announcement (highlighted)

How does Salon make money by using my processing power?

The demand for computing power across many different industries and applications is potentially very high. We intend to use a percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation.

For our beta program, we’ll start by applying your processing power to mine cryptocurrencies to recoup lost ad revenue when you use an ad blocker. We plan to further use any learnings from this to help support the evolution and growth of blockchain technology, digital currencies and other ways to better service the value exchange between content and user contribution.


In any case, the possibilities for this sort of technology are limitless: In the future your spare computing power may go to solving the kinds of complex math problems that form the integrity of blockchains, but it can also be used for humanitarian and scientific projects such as helping research how proteins fold, to aid in biological discovery or helping pay for misdemeanor prisoners’ bail, or to see if we can better predict the impact of climate change.

Your spare computing power can even help analyze astronomical signals to figure out if extraterrestrials are trying to contact us. Some scholars have proposed using spare computing power to help secure voting and verify the integrity of democratic elections.

Uh-oh! That “spare processing power to contribute to the advancement of technological discovery, evolution and innovation” and “extraterrestrials are trying to contact us” cards again 🙂 I honestly feel this is sugar-coating the risks posed by cryptocurrency mining issue 🙂

And what will they mine?

What is Salon doing with my computer if I decide to opt-in?

Salon is mining digital currencies (for our beta, Monero). To do that, we are instructing your processor to run calculations. Think of it like borrowing your calculator for a few minutes to figure out the answer to math problems, then giving it back when you leave the site. We automatically detect your current processing usage and assign a portion of what you are not using to this process

Monero. XMR. Mucho Monero!!!

Don’t get me wrong now, I am not saying that “Monero is bad” or “Monero is evil”. I would just like to put in the discussion table that recent infosec events show that this crypto (Monero/XMR) tops other crypto in Mal activity. Some related links here and here.

(sidenote: I may write more about this Monero/XMR cryptocurrency in the future so this can be sort of a multipart post)

To sum up my thoughts, this change by is a risky security move. It’s also a tricky business model.

And I will be watching closely on how this one will unfold…

Before I end this post, here are some Disclosure/Disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via twitter or linkedin


On Capture the Flag

Do you have l33t skills on targeted attacks, Internet of Things (IoT) and Industrial Control Systems (ICS/SCADA) and cybercrime? Interested in having some extra cash (JPY 1,000,000 (approximately US $8,700) or want to have have some fun while learning and building more knowledge in the InfoSec industry?  If yes, then read on…

Trend Micro is running an educational contest called Trend Micro CTF (Capture the Flag) 2017 this month. It is a global competition intended to help build skills among young professionals (20 years old +) and seasoned veterans alike in the field of cybersecurity.

Trend Micro Capture the Flag 2017 dubbed as the Raimund Genes Cup is the 3rd of the annual CTF cyber event we are organizing, and this year it will focus on the challenges across 4 InfoSec disciplines including targeted attacks, cybercrime, IoT, and SCADA.

Trend Micro is also offering an amazing opportunity for the top 10 online qualifying teams and will cover travel expenses to Japan (up to JPY 200,000 / approximately US$1,810/ conditions apply) as well as three nights hotel accommodation. Even if you are not really interested in the prizes, this is a great opportunity for you to test your skills and learn!!!

Online qualifiers will be on June 24-25, 2017 and will be done online!

Register your team HERE

For more details please visit the Press link  and the Trend Micro CTF 2017 page

Good luck!!!

Some Disclosure/Disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via twitter or linkedin

Tags: ,


I posted google’s announcement on the SHA1 Shattering in twitter several weeks ago

And I was surprised that a fellow infosec dude replied and tweeted

and it seems that the platform he is hinting does not have migration path or plan about it (or none that we know of). And its still MD5 :(.

This got me thinking  maybe this SHA1 can be a good topic for this blog so I looked into the details so that I can explain it in a simple way and answer what’s with this SHA1 being broken? and why should we care? or should we not?
SHA1 is broken. 

Google and the researchers demonstrated this by crafting 2 PDF files with different contents but same SHA1 hash.  They released the geeky how-to docs publicly. Good visualization too 🙂

Image Credits: Shattered.IT

So in a nutshell, it’s now possible to create a file to match a SHA1 of another file. So if you are using SHA1 as primary identification of files/certs, consider migration to other hash like SHA256 or SHA3.

How easy to do the attack?

Very hard (needs 6,500 yrs of single-CPU computing power or 110 years of single-GPU power). But of course with Google firepower, they fast-tracked things up drastically (experts say this is 3 years earlier than previous projection). My key learning here is given GPU advancements + cloud computing nowadays that “very hard” attack can be “so easy”, as long as you have the right resources ($$$, kaching-kaching, moolah).

Several experts estimated that such attack needs 75K USD budget, just rent some computing firepower via AWS, problem is solved :). Imho, 75K is peanuts to nation-states and large cybercriminal groups (whether its FUD or not, not my forte).

What are the usual systems potentially impacted? SHA-1 is used for digital signatures, file integrity, and/or file identification among others. So Digital Cert sigs, Email PGP sigs, Vendor file signatures, software updates, GITs, etc may be vulnerable.

SHA1 Certs have been depracated since 2015. Major browsers is OK and safe with Google doing early protection for Chrome and (other Google-related services too) and Firefox provided a fix a day after the disclosure.

GIT and software repo have a healthy discussion with Linus Torvalds  giving some good explanation on the impact to GIT.

Should we care?

Are you (or your tools, software, systems) heavily dependent on SHA1 for file integrity? If yes, then you should care and plan the migration right away. Migration path is SHA256 and SHA3. Exploit described above is demonstrated with PDF, and since this is in already public expect other file types to follow soon. This is not IF now but WHEN.


On Ransomware

“They can beg and they can plead
But they can’t see the light
Coz the boy with the cold hard cash
Is always Mr. Right”

Material Girl, Madonna

I was planning to write about Ransomware for a long long time but I don’t know where to start. Will I start with the email that my childhood friend sent me in 2015 (frantically pleading “Halpppp me, I got this HELP_YOUR_FILE Virus and I’m doomed)? Or when ransomware first pique my interest (shout out goes out to Bundespolizei police ransomware c. 2012)? When?  What to share? Help!!!

But of course I’m good at procrastination, so as of February 2017 still zero post on ransomware 🙂 . But let’s end that because I promised that I will do more articles this year on all my blogs and I want to start it right. This is also in support of my all my infosec post belong to AVSecurityProductManager Blog, so here we go. For starters I’m sharing this Youtube video

Sorry I’m really a sucker for digital-DIY kitties. OK maybe just the bad kind of DIY kits (blame it on Vicodines of the macro poppy kit fame, sorry I’m old school virus dude mon!). Honestly I’m torn between sharing and suppressing this ransomware video advertisement in youtube. But sadly, this is a good demo to show how easy it will be creating/modding a ransomware (even dummies can do it huh). Not sure on how long this one will be up in youtube though.

I know Stampado/Philadelphia is kinda old (I think it may be active around September 2016). Maybe a decryptor is out already. But given the dynamics and motivations for ransomware (cold hard cash + someone is still paying the ransom) is here to stay, I guess this Ransomware problem will not go away easily.

Ruining Madonna’s lyrics

They can beg and they can plead
But they can’t decrypt it right
So the boys with the cold hard cash
Will buy bitcoins right???

(Please don’t kill me if my lyrics mod skills sux)

Lastly, I support NO More Ransom!!! Visit No More Ransom for more solutions and insights.

I will do a part 2 on ransomware soon…

Video credits to Youtube. Thanks goes out to Brian Krebs for his post on this topic.


On Pump and Dump Spam Run

I thought they were an extinct in the wild technological mal-species already. But just yesterday I got this spammy mail via my mailbox:


Image 1. Suspicious Email

Sorry I choose not comment on the company as I do not have verifiable info on them nr their industry. But I did not subscribe the affected mailbox to any stock-monitoring feeds so your paranoid Security Product Manager will tag this issue as SPAM. And since all my infosec post belong to this blog here are some additional security insights.

Dissecting the content of the mail…

[Name of supposed sender] here.

My NEWEST MONSTER PICK is – [company name here]. And they trade under the ticker symbol – [Symbol1] or [Symbol2]

I don’t know if you know this, but technically, 0.0001 is the lowest that a stock can trade at on the open market…

0.0001 is THE FLOOR!

So it stands to reason, if you get in at the ground level (THE FLOOR ), the stock CANNOT go lower.

So technically you have limited your downside.

Go buy [Symbol1] NOW and quadruple your money quick!

Actually the unsolicited nature of this email was the first red flag. The text “Go buy NOW and quadruple your money quick” and “So technically you have limited your downside” provide secondary red flags. Any get rich quick scheme will trigger my infosec spider-sense :).

Pump and Dump Scam run? Call it Maybe…

Some interesting thoughts on spam came to my mind which may be a good post in the future. I noted that there seems to be a “new” breed of spam mails targeting those who needs “high-end” systems users list. I don’t know if this is prevalent already. Maybe I can feature them here soon. Watch out for it. Soon.


On Potentially Unwanted

I have been busy the past few months because of these PUAs (Potentially Unwanted Apps). Honestly I consider myself lucky because yours truly was an old-school AV veteran that survived the good ol’ spyware wars (circa 2003) so connecting the dots for this technical challenge will be considerably an easy task.

As I have not posted anything for this blog for the last 9 months, I want to post my personal insights on this PUA issue. I am not sure on where to start, so maybe I will post some basic Q&A on PUAs and do series of blog post just like what I did with vulnerability assessment.

Here we go:

What are PUAs?

Potentially unwanted application or applications (PUAs), classified as grayware, refer to applications installed in a mobile device or a computer that may pose high risk or have untoward impact on user security and/or privacy. It may also contribute in consuming computing resources. It may be unwanted by the user even if it is installed with users’ consent. Most often than not, PUAs do not explicitly and completely state their functions and purpose. The impact the application causes may either inadvertently or simply be a part of its design. PUAs are created by legitimate or illegitimate software publishers.

What are the common PUA behaviors?

Here are some notable PUA behaviors:

  • Bundling – There are applications that, when installed in a device or a computer, installs other applications (bundled software) that users may not want. The primary application that installed the additional applications often trick users during the installation process with options that allow the installation of the bundled software. Applications like these may also come bundled with other grayware.
  • Advertising – displays excessive advertisements, causing interruption or annoyance to users.
  • Information collection – applications that collect information without users’ consent.

PUAs can be complex and may contain other unwanted behavior such as:

  • Exaggerated or bogus notifications
  • Lack of control for users
  • Runs unwanted processes or applications that consume computing resources
  • Provides unconventional way of uninstalling the application

Source: Trend Micro PUA Security Definition Page

Some questions that I plan to give more insights in the succeeding posts

  • Is PUA equal to Malware?
  • Is PUA an endpoint problem?
  • What changed from the threat landscape of 2003 vs today?
Tags: ,

On Vulnerability Scanning – Part 2

Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose.
Sun Tzu, Art of War

This is the 2nd part of my Vulnerability scanning post.

A friend of mine asked me if I can give my advice about vulnerability scanning. He is enrolled in an infosec class in one of the universities here. He said this vulnerability scanning is an educational project for them.

Here are his questions:

  • Is it legal to perform a vulnerability scan from external source?
  • Do I have recommendation on how should they do the vulnerability scanning?
  • What are the standard parameters/elements of the vulnerability scanning that they should used in this vulnerability assessment exercise?
  • Their group agreed to do scanning on the “Company X”. Again, any advice on possible legal and other complications?
  • Is security “Company Y” providing a secure online vulnerability assessment tool?

On the first part of the post, I focused on the planning, high level objectives and scoping of the project. This post discusses the feedback on the other items.

Is it legal to perform a vulnerability scan from external source?

Most of vulnerability scan and assessment tools that I know of have legal implications. The legal complexity mainly depends on the which country or jurisdiction “Company X” operates. At the very least the students should know applicable laws in their respective countries. At the end of the day, it will be the lawyer and/or legal expert who can say if its legal or not so I may not the best candidate to answer this question.

Do I have recommendation on how should they do the vulnerability scanning?

For the vulnerability scan I directly participated, the usual setup is that entity being scanned and assessed provided consent and scans were made inside their network. So the key concepts here are consent and internal scanning. The target of my scans are within a defined network, and what is vulnerability being  searched have are clearly identified. The purpose of our vulnerability scan exercise is to notify and let IT admins address the “vulnerable” machines and mitigate risk of malware infection.

Their initial scope points to doing website scanning to “Company X” who is operating in “Country W” territory. They will do white hat (most probably website vulnerability scan), but the boundary between white hat (and grey hat) and black may not be clear. So for our examples sake, I reminded them that they should know the law of country W, for example if it will be in the Philippines maybe they should review Cybercrime Prevention Act of 2012 (RA 10175) and Electronic Commerce Act (RA 8792). Overall  this can be a very tricky situation especially if they will not engage Company X and do proper disclosure.

On motives, I told him to answer a simple question:

What will be the difference of the scanning they will do with what other malicious groups  (e.g. hackers) will do?

If they cannot differentiate theirs versus the bad actors in the net, then they may be inviting trouble.

Scrutinizing their initial plan I found out some interesting point : “Company X” operates in “Country W” is not entirely true. “Company X” is part of “Country W” government branch offices. So we got testers who are “Country W” citizens, operating in “Country W” territory doing vulnerability testing against “Company X” who is part of “Country Y” government. To summarize: original plan is inviting bigger trouble.

So I suggested that they do internal testing with Company X, get Company X consent and at least do responsible disclosure of the vulnerability if they find something. More on responsible disclosure can be read here

Is security “Company Y” providing a secure online vulnerability assessment tool?
I haven’t tried “Company Y”, but I know they are indirect competitor to my current company, so it might not be the unbiased feedback giver. I saw “Company Y” folks in RSA conference, and they seems cool and tech savvy. In RSAC, we always say, “we (RD guys) are all friends here when we are in RSA as it is the marketing dudes on the booths who are the one battling out the marketing mumbo jumbo. And “we are all part of a bigger ecosystem”, but in reality, there is really “Coopetition”. Coopetition is a portmanteau of cooperation and competition.

I suggested to them that they register at “Company Y” website, read the EULA/Disclaimer if their Free Online VA tool and assess “Company Y” tools capability. Just take note that in infosec nothing is really “free”.


On Vulnerability Scanning

“The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand”
Sun Tzu, Art of War

A friend of mine asked me if I can give my advice about vulnerability scanning. He is enrolled in an information security class in one of the universities here in Manila. He said that vulnerability scanning is some sort of an educational project for them. The questions and the topic provided good opportunity for me given that:

  • I like to help my friend (he is a trusted contact)
  • This is an interesting security topic (for your geeky Product Manager)
  • My ideas here might be useful to other people (for your friendly blogger Product Manager)

So I decided to anonymize the details of our Q&A session and post the sanitized feedback here in my InfoSec blog. Rememberall your infosec post are belongs to us

Here are his questions:

  • Is it legal to perform a vulnerability scan from external source?
  • Do I have recommendation on how should they do the vulnerability scanning?
  • What are the standard parameters/elements of the vulnerability scanning that they should used in this vulnerability assessment exercise?
  • Their group agreed to do scanning on the “Company X”. Again, any advice on possible legal and other complications?
  • Is security “Company Y” providing a secure online vulnerability assessment tool?

First, I shared my standard disclosure; where I work, my designation, and my areas of expertise (Malware, Tech Product Management and related domains). Next is the disclaimer: Any information/insights I will share should be considered personal opinions. I also joked that I should not, in any way, be held legally liable for my opinion and insights 🙂 . Seriously setting this disclosure and disclaimer is, in my opinion, should be a best practice for infosec folks when sharing these types of information outside of our official work functions (maybe this one is a good idea for a future post).

My feedback:
I told him that I prefer to skip the first 2 questions (the legal and how-to/technical aspects of Vulnerability Scanning (VS). My suggestion to their group is to take some steps back and focus on the overall picture of the task and do overall planning of the “vulnerability scanning” project. Planning is the key!!!

Hackathon101<Image Credits: Willow Brugh/ Wikimedia Commons>

I then explored their project by probing with more questions. Like:

  • What do they (students) like to achieve?
  • What is the goal of this academic exercise?
  • What do they plan to do with the results?
  • Do they plan to make the results public?

Vulnerability scanning is a big topic. Planning and scoping it down will help them on this academic exercise on infosec. I also pointed out that they should put safety boundaries at the start to avoid potential technical and legal problems along the way.

To get the things started, I gave them some examples:

  • Do they plan to do port scanning?
  • How about website vulnerability  scans?
  • Does web application vulnerability sounds cool for them?
  • Maybe check Company X’s (Product ABC) vulnerability?

Examples like the ones above; along with the high level objectives and scope of the project will help them shape the project and is critical to the success.

Wow post is more than 500 words already 🙂 I plan to do this topic post in 2 parts and post the 2nd part soon

I hope you find the insights on Vulnerability Scanning helpful.

Until next blog post…


On Infosec and Tech

“It is a fool who repeats the same actions expecting a different outcome”
Grom Hellscream, Lord of the Clans

No, this will not be another blog reboot or a blog revive try. We all know what happened in 2012 and 2013 🙂 and as the mighty Grom Hellscream of the Warcraft lore once advised (see reference above) I want to do something different this year and hopefully it will have a different outcome.  So what I plan to do this 2014 (and onwards) is to put all my InfoSec and Tech posts here at


<Image Credits: Stofstik/Doge Meme Creator (Android app)>

Most of those InfoSec and tech posts will revolve on usual topics: malware, security, spam, and related insights so the blog is still headed in good direction. Ideally there should be some mash up with product management and maybe some project management from time to time. And if there will be some mix and mash with other topics of interest (like games, mobile, social media) that will be like hitting the jackpot :)) .

But I will be more realistic this time and try to populate this website first and observe if I can reach my 1 post per month target for this blog and see where this will lead us.

Wish me luck with this new endeavor!


Repost: RSA Conference 2014: The Way Forward

A repost of my previous article on RSA Conference 2014 for the Security Intelligence Blog.

RSA Conference 2014: The Way Forward

by Menard Osena (Senior Product Manager)

I attended the RSA 2014 Conference in San Francisco, which has held about two weeks ago. This year the conference offered new insights to today’s threat landscape, which will help us all plan for and protect users in 2014 and beyond.

Largest Security Conference of 2014

The attendance numbers for RSA are always impressive: this year had more than 25,000 attendees, 400+ sponsors and exhibitors, with more than 550 speakers. Such was the number of vendors that two large Exposition Halls – one each in the Moscone Center’s North and South buildings were used for vendor exhibits. The various sessions – including most of the technical track talks I attended – were in the Moscone West hall.

Earlier my colleague JM Hipolito shared her own thoughts about RSA; here is what I found most interesting there.

Opening Keynote: Finding a Path Forward in an Increasingly Conflicted Digital World

The Executive Chairman of RSA, Art Coviello, delivered the opening keynote. He gave his first public comment on the RSA and NSA controversy, as well as the need to separate the NSA’s offensive and defensive functions. But what I will remember most on his keynote is his call to governments and the security industry as a whole to adopt four guiding principles to help maintain a safer Internet for everyone:

  1. Renounce the use of cyberweapons, and the use of the Internet for waging war
  2. Cooperate internationally, in the investigation, apprehension and prosecution of cyber criminals
  3. Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected
  4. Respect and ensure the privacy of all individuals

He also reiterated the need for the security industry and governments to work hand in hand to create a safer digital world that will benefit this and the generations to come.

All of the guiding principles are all equally important, but I would like to highlight the first and second ones as being the most important.

The topic of cyberwar and cyberweapons is very sensitive, but I found the correlation between cyberweaponry and nuclear weapons compelling. I totally agree with Coviello’s statement that “we must have the same abhorrence to cyberwar as we do nuclear and chemical war.”

As for cooperation in prosecuting cybercrime, this is a topic where Trend Micro’s positions are well-known. We’ve frequently spoken about the need for researchers and law enforcement agencies to work together to prosecute the actual “threat actors”, as we believe that this is the most effective way to catch cybercriminals.

These partnerships allow researchers and police to combine their strengths and ensure that
Our efforts have netted effective results, most recently being the arrest of the creator of SpyEye.

Bitcoin Is Here: How to Become a Successful Bitcoin Thief

Uri Rivner of Biocatch and Etay Maor of Trusteer co-presented the one technical session at RSA dedicated to Bitcoins. They discussed the basics of cryptocurrency and how one can use it. They also discussed the usual use cases of Bitcoin: from creating a wallet and having your very own address, to filling the wallet with Bitcoins using an online Bitcoin exchange.

The highlight of the session for me was the a live demonstration of a hack using a SpyEye variant. In the demo, they performed a man-in-the-browser (MiTB) attack and stole the user’s Bitcoin from his wallet.

They also discussed the top cybercriminal activities that Bitcoin has been tied to. These include phishing attempts to steal Bitcoin-related website credentials, deploying RATs (Remote Access Trojans) to have direct access to desktop wallets, up to using botnets to mine Bitcoins (even though this is no longer particularly attractive).

They also explained why cybercriminals are interested in cryptocurrencies like Bitcoin. Because the cybercriminals believe that cryptocurrencies offers anonymity, they think that these will help in laundering money made from illegal activites. In addition, advanced services available in the cybecrime underground (like Bitcoin fogging services) may enable threat actors to further increase their anonymity tenfold.

In summary, the presenters said that Bitcoin is a new exciting frontier and encouraged everyone in the room to try and delve into it so that they understand its potential. They warned about the increasing phishing and malware attacks related to cryptocurrencies. They also pointed out that online Bitcoin exchanges and online wallets are low hanging fruit that may be a big opportunity for the cybercriminals. (The troubles of many online exchanges recently, including erstwhile leader Mt. Gox, have only reinforced this last point.)

The talk mirrored many of the points we have discussed. In December, we had discussed the possibility of Bitcoin’s then-record prices causing thefts of Bitcoin wallets. We had also earlier discussed how users can help secure their cryptocurrency. Overall, we share their sentiments: Bitcoin is the object of much potential, but is the subject of multiple threats as well.

Original article: RSA Conference 2014: The Way Forward first posted at Trend Micro Security Intelligence Blog.

I will try to post my personal insights on the four guiding principles and the bitcoin and other cryptocurrency issues here at soon…