Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.

Latest posts

Security Conferences in Europe – 2019

An overview of the security conferences in Europe in 2019 that I want to attend. The list is also available as a Google calendar. Feel free to suggest updates.

Google Calendar for Security Conferences Europe or as an ICS fileSecurity Conferences_vnekk5gebvbngjop592s2tqed4@group.calendar.google.com.

56th TF-CSIRT meeting & FIRST Regional Symposium EuropeTallinn, Estonia2019 January 21 > 23 QuBitBelgrado, Serbia2019 Feb 7 BlueHatTel Aviv, Israel2019 Feb 6 > 7 Vienna Cyber Security Week Critical InfrastructureVienna, Austria2019 Mar 11 >Read more.

Phishing website – beobank

Another day, another phishing website. This time again a phishing site with directory listing enabled. This phishing websites targets customers of the Belgian bank Beobank. The link to the site gets delivered via e-mail, claiming to come from the webmaster with an important security message.

This is how the phishing website looks like:

Moving up a few directories allows us to download the ZIP file containing the phishing code.

There areRead more.

OPSEC 101 : Phishing website

While I was analyzing a standard phishing e-mail my attention was drawn to the fact that the phishing page loaded remote Coldfusion scripts. The phishing mail itself is pretty default. It claims to come from e-mail support telling you that your mailbox is full.

The included cfform component allows to build a form with CFML custom control tags providing more functionality than standard HTML form input elements.

The phishing site was locatedRead more.

Hunt for devices with default passwords (with Burp)

In my previous post I talked about using the nmap NSE scripts or Hydra to search for systems with default passwords. My approach involved two steps: first learn via Burp how the authentication works (getting to know the form elements etc.) and then use this information as input for the brute force scripts.

A colleague pointed out that you can also use Burp suite for this last step.

Similar as with the previous approach, firstRead more.

Hunt for devices with default passwords

I wrote a follow-up on using Burp for both the analysis and attack phase : Hunt for devices with default passwords (with Burp).

Using a strong and unique password for authentication is a key element in security. Unfortunately there are still a lot of devices installed with a default password. This post describes how you can find the web interface of these devices.

Before we start, it’s to important to list the three different webRead more.

How to Use Passive DNS to Inform Your Incident Response

I published an article on How to Use Passive DNS to Inform Your Incident Response on the Security Intelligence blog.

This article gives you an insight on the different logging options for DNS traffic and how the historical records in passive DNS can help you during incident response. I included references to generating passive DNS data based on your traffic and which options you have for consuming it from a client perspective.

Don’t Dwell On It: How to Detect a Breach on Your Network More Efficiently

I published an article on Don’t Dwell On It: How to Detect a Breach on Your Network More Efficiently on the Security Intelligence blog.

This article describes which typical event types you should look for to detect an intrusion. The article lists 5 key steps to react when you suspect an incident is ongoing.

What Metrics Do You Need to Measure the Success of Your SOC?

I published an article on What Metrics Do You Need to Measure the Success of Your SOC? on the Security Intelligence blog.

This article describes how you can evaluate the SOC performance and growth more accurately by building out consistent measurements to review it’s essential functions.

The article covers people, roles, technology, policies and processes and also includes some tips for further tuning reporting and metrics to measure the success of your SOC.