Home

Welcome!

I’m Koen. I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.

Latest posts

Practical KRACKs

KRACKs (Key Reinstallation AttaCKs) is a number of vulnerabilities in WPA2, related to key handshakes between a client and an access point.

An attacker can trick a victim into reinstalling an already-in-use key. This key (the 3rd message in a 4-way handshake) is resent multiple times by the attacker and each time installed by the client, resetting the nonce. By forcing nonce reuse in this manner, the same encryption key is used with nonce values… Read more.

What I learned by attending FOR610: Reverse-Engineering Malware / part 1

I attended SANS FOR610: Reverse-Engineering Malware instructed by Jess Garcia in Copenhagen (Sep-17). I’m now studying for certification and using captured malware samples for doing exercises. In this post I go through:

- Using public (OSINT) information;
- Behavioural analysis with sandboxes (via a public malware sandbox);
- Malicious Office documents.

Note that the purpose of the exercise is not to understand in detail every line of code in the malware. The analysis is done from an incident… Read more.

Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program

I published an article on IBM Security Intelligence on Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program. The article covers essential, freely available, tools for doing security risk management.

Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise

I published an article on IBM Security Intelligence on Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise.

The article covers how you can consume indicators of compromise (IOC) received via manual sharing. Although automatic sharing is preferred, not all organisations have the resources to set up automatic sharing. Manual sharing is then a good fallback compared to not sharing at all.

The steps include source and content verification, context verification, sharing properties… Read more.

Dragonfly v2: Mindmap on energy sector targeted by sophisticated attack group

In mid-2014 Symantec released a report on the threat actor Dragonfly targeting energy companies. In early September 2017 Symantec released an updated report on Dragonfly v2, in which they describe that the threat actor shifted their attention from merely observing the environment to having remote access to the environment of energy providers.

This shift could indicate that the threat actor has a changed objective, from monitoring to actually intervening and potentially conducting sabotage.

I created two mindmaps… Read more.

Use Philips Hue as an IDS

I recently bought a Philips Hue light system. It allows you to control your lights via a smartphone app and set the right colour mood. Setup is easy: you connect a light bridge to your home router, connect with the app and then set up the lights. The system also includes an API to build your own apps.

In 2015 I tweeted on an episode of CSI Cyber where “good” code automagically turned green whereas “bad”… Read more.

Using a Free Online Malware Analysis Sandbox to Dig Into Malicious Code

I published an article on IBM Security Intelligence on Using a Free Online Malware Analysis Sandbox to Dig Into Malicious Code.

The article is a follow-up on an earlier post from 2015 (Comparing Free Online Malware Analysis Sandboxes) where I compare the features of different free online malware sandbox solutions, how you can extract indicators of compromise and how you should integrate them within your incident management workflow. The free malware sandbox solutions reviewed are… Read more.

Upgrading Apache, unmet dependencies

I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that:

- Files are stored centrally (on the host OS)
- Different environments can use the same files and configuration (if stored in /var/www)
- I can use native… Read more.