Raul Siles

Research


Books
While finishing my Master's Degree in Computer Science at the UPM university I had the opportunity to write two books with my girlfriend, about Java (the programming language) and CORBA (the distributed communication framework). They were used as the course material for several training courses we taught there:

During 2001 and 2002, while finishing my Master as a "University Expert in Security and E-Commerce" by the UNED-DIEEC, I wrote a security book about the TCP/IP protocols and their associated services. I released it under the GNU Free Documentation License to make it extensively available:
  • “Análisis de seguridad de la familia de protocolos TCP/IP y sus servicios asociados” (in Spanish), GNU FDL, First Edition, June 2002. Old book site
    PDF file: (MD5: 92f99f347dd2cbefe704f4cab38dcfad)
    ZIP file: (MD5: 73565f33523de972b5b89e07c5a535f9)
  • The book focuses on the different threats, attacks and vulnerabilities associated with the TCP/IP protocol family, plus the methods, countermeasures and tools required to protect against them. Additionally, some of the services running over TCP/IP are analyzed. The book has an eminently technical focus, covering many details, and includes an extensive list of Web references in its bibliography and appendices.

Thanks to all of you who have sent me your opinion and feedback about how valuable you found this book during these years. Thanks also to all of you who have published it all over the Internet: RedIRIS, CryptoRed, TLDP-ES/LuCAS/Hispalinux, ArCERT, Bib. Informática, MundoPC, elhacker, WebSecure, LMData, ABCdatos, Bossma, datafull.com, Todo-Linux.com, Shell Security... Google.

  • I was a technical reviewer of the “Securing HP-UX Step by Step” SANS book (coming soon, 2005).

Technical editor for the "Linksys WRT54G Ultimate Hacking" book, written by P. Asadoorian and L. Pesce, and published by Syngress in June 2007.

SANS/GIAC Practicals
Between 2003 and 2005 I worked very hard to pursue the top SANS/GIAC certification, the GSE. Along the way I had the opportunity to publish several papers, one for each of the individual practicals required for each of the certifications:

Subject             | Title                                                                        | Cert. | When?
--------------------|------------------------------------------------------------------------------|-------|--------------
Incident Handling   | Real World ARP Spoofing                                                      | GCIH  | August 2003
Intrusion Detection | Detecting Real World ARP Spoofing attacks and other IDS detects analysis     | GCIA  | December 2003
Auditing            | Auditing 802.11 wireless networks (Linksys BEFW11S4)                         | GSNA  | February 2004
Unix                | Linux kernel rootkits: protecting the system’s “Ring-Zero”                   | GCUX  | May 2004
Firewalls           | The IPv6 menace... and GIAC Security Architecture                            | GCFW  | August 2004
Forensics           | Computer Forensics Investigation - Analyze an Unknown Image                  | GCFA  | December 2004
Windows             | Practicals Termination (March 2005)                                          | GCWN  | May 2005

SecurityFocus
SecurityFocus Infocus feature articles are in-depth feature articles divided into eight areas of interest: Penetration-Testing, Firewalls, Microsoft, Unix, Intrusion Detection (IDS), Virus, Incident Handling, and Foundations. Each area is aimed at helping readers to properly implement effective security measures as well as introducing readers to new technologies, methods, and potential concerns.

  • "Sebek 3: tracking the attackers, part one". Raul Siles, GSE. 2006-01-16.
    The first of this two-part series will discuss what Sebek is and what makes it so interesting, first by looking at the new capabilities of version 3 and how it integrates with GenIII Honeynet infrastructures.
  • "Sebek 3: tracking the attackers, part two". Raul Siles, GSE. 2006-02-13.
    The second article in this honeypot series discusses best practices for deploying Sebek 3 inside a GenIII honeynet, and shows how to patch Sebek to watch all the attacker's activities in real-time.
  • "Wireless Forensics: Tapping the Air - Part One". Raul Siles, GSE. 2007-01-02.
    This two-part series looks at the issues associated with collecting and analyzing network traffic from wireless networks in an accurate and comprehensive way; a discipline known as wireless forensics.
    Part one of this article focuses on the technical details and challenges for traffic acquisition, and provides design requirements and best practices for wireless forensics tools.
  • "Wireless Forensics: Tapping the Air - Part Two". Raul Siles, GSE. 2007-01-08.
    The second part addresses the main considerations and challenges for wireless traffic analysis, including advanced anti-forensic techniques and some legal aspects associated with this discipline.

Hakin9
The Hakin9 Starter Kit, a bimonthly magazine, is a step-by-step guide to hacker techniques. It covers basic techniques of breaking into computer systems. This magazine starts with entry-level examples of the most popular security topics. Each issue is devoted to a concrete topic. It includes a couple of overview articles that define what information/system security is and the basic terminology, followed by an overview of some of the main technical components necessary in information/system security.
  • "Knock Knock Knocking On Firewall’s Door" (Volume 1, No. 2. - 2/2007)
    This entry level article constitutes a brief introduction to a concept known as port knocking, and specifically to one of its derivatives, Single Packet Authorization (SPA). From a practical perspective, the article provides a step-by-step guide for beginners to deploy fwknop (an open-source SPA implementation) using FC6 Linux, and provides additional links for those interested in getting in-depth knowledge about these technologies.

SANS Advisor
The SANS Advisor newsletter specializes in very short, pragmatic articles on what's new at SANS, security, operations, audit and IT-related legal topics. You can subscribe to receive a free notification through your SANS portal account.
  • "Chatty Windows Wireless (WiFi) Networks" (Volume 1, No. 3. - September, 2005)
    Brief article (Technology Corner) describing the information disclosure performed by your Windows system when the wireless network card is switched on. An extended article detailing the research performed is available here!!

SANS Research & Analyst
SANS performs vendor neutral analysis and research on security products and technologies. One of the research programs is the "SANS Product Testing Program".
  • "SANS Testing Report on LogLogic LX 2000 Appliance" - Jerry Shenk, Raul Siles & Stephen Northcutt.
    The SANS Institute just completed testing of the LogLogic series 3, LX 2000. Through its evaluation, they found that the LogLogic LX 2000 was able to consistently and accurately collect log data at 150 percent of its rated capacity – at message rates exceeding 4,500 messages per second – without losing data. Tools evaluated by the SANS Product Testing Program are selected by SANS Instructors and its Industry Analysis Advisory Board and testing is conducted at SANS approved facilities.
In 2006, SANS released a new program called the "SANS Industry Analysts", focused on performing research to identify new trends in the IT, IT Security, Operations and IT Audit markets.

RaDa
At the end of the summer of 2004 I developed a piece of code called RaDa (Raúl & David) with my colleague David Pérez. RaDa is a trojan horse backdoor that can be used by an attacker to control a system in your internal network from the Internet through the HTTP protocol; its main goal was to demonstrate how even pretty secure network perimeters can be compromised.
This malware specimen was published in the "Hand me the remote, Ma!" SANS@Night presentation, by my friends David Pérez and Jorge Ortiz, during the SANS Network Security 2004 conference in Las Vegas in October 2004. A limited version was also used for the SotM32 security challenge.
The concepts behind it are based on Setiri, a trojan that was presented at Blackhat USA in 2002.

Honeynet Project
SotM (Scan of the Month)
During October 2004 I led the Honeynet Project Scan of the Month (SotM) challenge, number 32, together with my colleagues David Pérez and Jorge Ortiz. Its purpose was to analyze a home-made malware binary, a limited version of RaDa, in an effort to reinforce the value of reverse engineering malware, and improve (by learning from the security community) the methods, tools and procedures used to do it.
Our outstanding official write-up is available here!.

Whitepapers

HoneySpot: The Wireless Honeypot. Monitoring the Attacker’s Activities in Wireless Networks. A design and architectural overview.
I’ve developed a paper to create awareness and help to guide the deployment of wireless honeypots, mainly centered on 802.11 (WiFi) technologies. The paper is focused on providing a design and architectural overview for the deployment of wireless honeypots, coined as HoneySpots.

Open Source
While working on the different security research projects I have been involved with, I found some bugs associated with the always amazing and incredibly useful open-source software available on the Internet; so, when possible, I have tried to help solve them (all the documentation is provided in the tool's language, typically English).
  • Snort NIDS: MWM search method (October 2003)
  • Adore-ng Linux kernel rootkit: re-export syscalls table (May 2004)
  • Autopsy forensic browser: "dcat" free disk management (May 2004)
  • Sebek honeynet tool: UDP packet length (May 2005)
  • Sebek honeynet tool: "write" patch (December 2005)
  • Honeywall CD-ROM: "roo" Honeynet gateway (May 2005)

Press & Interviews
During my career as a security professional, I've been interviewed or been part of press releases or events related to the IT security industry. Sorry but, as you know, journalists do not always reflect what someone really said:

Others
I've also published other security-related articles and whitepapers:

KYE (Honeynets)
I've been a technical editor, contributor and/or reviewer for the whitepaper series published by The Honeynet Project, known as KYE (Know Your Enemy):

Challenges
Over the last few years (2000-2004) I have taken part in several security challenges and even won some of them. I'm fond of them because they are an excellent opportunity to practice and learn new security concepts:
