New Frontiers in Hacking

Just when you thought it was safe to have a device implanted in your body to deliver electric shocks to your heart, there’s this:

A Heart Device Is Found Vulnerable to Hacker Attacks [Barnaby J. Feder, NY Times]

It turns out that the risk of someone actually hacking a pacemaker is rather small, since the researchers were testing this on a device that wasn’t implanted, and they were within 2 inches of the device at the time.

These devices include a wireless radio so that doctors can monitor and reconfigure them without opening up the patient again. Normally this is done in the office, with a programming device placed near the implantation site, so it seems unlikely that someone is going to sit in a local coffee shop and give all the older patrons heart attacks.

In addition to the risk of someone “tweaking” a pacemaker’s settings, there is also the possibility that they would be able to obtain some private medical data from the device, which should raise some additional concerns about patient privacy.

There is some hope, however. The researchers suggested several defensive enhancements for these devices: notification of access attempts, authentication of connections, and key exchange. Since an implanted device has a limited power supply, the emphasis is on doing all of this with little or no power drawn from the device itself.

The full report can be downloaded here.
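To make “authentication of connections” concrete, here is an added example of my own (not code from the post or from the researchers’ paper): a symmetric challenge-response in which the implant spends one random draw and one keyed hash per attempt, keeps a record of every attempt, and refuses a replayed answer. The shared key, the message label, and the session shape are assumptions for the demonstration, not the scheme the researchers proposed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: in this model it is provisioned at implant time and never sent over the air.
SHARED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
LABEL = b"programmer->implant"   # assumed domain-separation label for the response


class Implant:
    """Device side of the exchange. Per attempt it does one random draw and one HMAC,
    logs the attempt, and forgets the challenge so a recorded answer is useless later."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None   # challenge issued and awaiting a response
        self._attempts = []    # "notification of access attempts": an audit trail the clinic can read

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        self._attempts.append(("challenge", self._pending.hex()))
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:          # nothing outstanding: unsolicited response, ignore it
            return False
        expected = hmac.new(self._key, LABEL + self._pending, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        self._attempts.append(("auth_ok" if ok else "auth_fail", self._pending.hex()))
        self._pending = None               # one answer per challenge; no replay
        return ok

    def access_log(self) -> list:
        return list(self._attempts)


def programmer_respond(key: bytes, challenge: bytes) -> bytes:
    """Clinic programmer side: prove possession of the key for this exact challenge."""
    return hmac.new(key, LABEL + challenge, hashlib.sha256).digest()


def run_session(implant: Implant, key: bytes) -> bool:
    """One authentication round with a programmer that holds `key`."""
    challenge = implant.issue_challenge()
    return implant.verify(programmer_respond(key, challenge))


def replay_attempt(implant: Implant) -> bool:
    """Record a legitimate programmer's answer, then replay it against a fresh challenge."""
    c1 = implant.issue_challenge()
    recorded = programmer_respond(SHARED_KEY, c1)
    implant.verify(recorded)               # the legitimate session succeeds
    implant.issue_challenge()              # the attacker now faces a new challenge...
    return implant.verify(recorded)        # ...and the old answer is rejected


if __name__ == "__main__":
    dev = Implant(SHARED_KEY)
    print("legitimate programmer :", run_session(dev, SHARED_KEY))
    print("programmer without key:", run_session(dev, bytes(16)))
    print("replayed response     :", replay_attempt(dev))
    for entry in dev.access_log():
        print("  log:", entry)
```

The point of the audit trail is the “notification” half of the proposal: even a failed attempt leaves a record the patient or clinic can see. Key distribution (how the clinic’s programmer learns the key in the first place) is the harder problem, and this example simply assumes it has been solved.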

I’m officially a CISSP

I’ve been meaning to write a post about passing the CISSP exam, but the time to do so has eluded me, until now.

I received the results of the CISSP exam on October 11th, four days after I took the test in New York City. Naturally, I was thrilled, and posted as such to the SCC. Wasting no time, I had my manager, who is a CISSP (among other certs), fill out the endorsement form. I promptly faxed the form, along with my resume, to (ISC)2. And then I waited.

According to the email, it was supposed to take 2-3 weeks for (ISC)2 to process my information and validate that I met the requirements for the certification. So after 3.5 weeks, with no other communication, I started to get concerned. After emailing support, I received the following response:

We apologize for the delay but our system has not been able to process any certificates for three weeks due to a very large upgrade. We expect to begin again this week. We ask that you give two weeks to actually receive your certificate. If you still do not receive it, please write back. Thank you for your patience.

So when did I receive word that I am officially a CISSP? November 15th, fully five weeks after the news that I passed the exam. And I didn’t receive my certificate until over a week later, November 24th.

I suppose it could be worse. A colleague of mine took the exam in mid-October in Florida, and he just received his exam results yesterday. While waiting five weeks for their verification process was annoying, waiting over four weeks just to get the exam results must be downright painful.

Onward to the CISSP

Well, there’s no turning back now! I finally scheduled my CISSP exam.

That’s not to say I can’t reschedule, but I’m going to pretend that’s not an option so I don’t deviate from my study plan. When I study for an exam I tend to go all out, so I’ll be reading (or re-reading in some cases) the Shon Harris All-in-One Exam Guide, the official (ISC)2 guide, and the Krutz & Vines CISSP Prep Guide. And I’ll be spending many hours running through the practice questions on CCCure.org.

I have been following a number of discussions in the blogosphere and the SCC regarding the value of the CISSP certification. While this has been debated by far more experienced security professionals than I can claim to be, I’ll explain why I am continuing down the CISSP path.

The CISSP certification has been described as “an inch deep and a mile wide.” This is meant to indicate that there is a vast breadth of material covered, but not much of it is explored beyond the basics of that topic area. This implies that a CISSP is not expected to be an expert on any of the 10 domains of the CBK, but rather has a sufficient level of all-around security knowledge.

I see the CISSP as sort of a minimum requirement for most security professionals. It’s not going to impress many people in the field that you have it, but if you don’t, you’d better be prepared to demonstrate why you didn’t need it.

The CISSP is not a Ph.D. It’s not even an M.S. It’s a certification that demonstrates you were able to survive the somewhat arduous exam and meet the experience requirements. It’s likely to get you a pass into the “good pile” in an HR resume selection process, and it can be a marketing tool for a consultant to assert their expertise. It may also give you a bit of a salary increase in your current position.

But let’s be honest; becoming a CISSP is not the culmination of your career. Either you are going to continue learning and growing as a security professional, or you are not. The CISSP shouldn’t be seen as a high water mark; it’s more of a checkpoint along the way.

Jumping Ship

Sorry for the long lapse in posting, but I started a new job a few weeks ago, and I’m still adjusting to the schedule. I also don’t know what their blogging policy is, so I’m going to keep things vague for now about the company. What I will tell you for now is that it’s a much larger company than I have ever worked for, by a factor of about 30. This is obviously a bit of an adjustment, but I’m starting to get a handle on the way things work for such a large company.

Why did I change jobs? Don’t get me wrong, I loved my old job. I was the main security guru in the place, and I had my hands in every IT-related project that came through. I enjoyed working there, and the majority of my coworkers were great people. It came down to some advantages that the new position offered that the old one simply didn’t:

1. I was “recruited.” - Never discount the power of ego. I hadn’t posted an updated resume in over 6 months, but this company came looking for me anyway. It felt good to be sought after, instead of doing the seeking.

2. Location - I had an awful commute at my old job. On an average day, it would take between 1 and 1.5 hours to travel in each direction. Forget about days when it was raining or snowing.

3. Compensation - Not that I was that underpaid or anything, but the new company made an offer right off the bat that was a considerable increase in my salary.

4. Larger company - With a larger company comes a larger and more complex and diverse infrastructure. While I may have worked on firewalls from vendors such as Cisco and Juniper, I have never had the opportunity to work on a Check Point.

5. Larger team - As I mentioned, I was the main security guy at my last place. Not that I have a problem with that, but I’ve only been in the security field for a few years, and I know I still have a lot to learn. This place puts me in a team with a number of highly experienced security professionals. I may be a little out of my depth at times, but I can learn a lot from the people I’m working with.

That last reason is probably the biggest reason for making the jump. I do my best to keep expanding my security knowledge by reading and testing out new tools, but there is something to be said for working with people who have been doing this for a lot longer, and who are more than willing to answer any question I can throw at them.

We’ll see how it goes. My first couple of projects involve firewall management centralization and network compliance management. I’ll post again soon with some details on the products I’m looking at.

Time to dump your cell phone carrier

I haven’t had too much use for FreeConference.com, at least not so far.  I only tried it once to get an idea for how it worked, but I never needed to hold a large conference.  After all, I’m not on the list (at least not yet).  As far as I can tell, it’s a great service that a lot of people find useful.

So why, oh why, do certain cell phone carriers feel the need to block access to this service?  After all, you are paying for the call; shouldn’t you be able to call who you want?  The answer is, of course, that these carriers would rather force you into paying for their services than let you use their network to access a free service.  Sounds sort of illegal, doesn’t it?

Here’s the message from FreeConference.com, with some suggestions:

Dear FreeConference User:

AT&T/Cingular, Sprint, and Qwest Are Blocking Your Conference Calling

As of Friday, March 9, it’s come to our attention that Cingular Wireless has begun blocking all conference calls made from Cingular handsets to selected conference numbers. If you call our service, you receive a recording that says, “This call is not allowed from this number. Please dial 611 for customer service”.

Earlier this week, Sprint and Qwest joined in this action, blocking cellular and land line calls to these same numbers. This appears to be a coordinated effort to force you to use the paid services they provide, eliminating competition and blocking your right to use the conferencing services that work best for you.

Don’t Let AT&T/Cingular, Sprint, or Qwest Take Away Your Right to Use the Conference Service of Your Choice!

We Need Your Help! Please Take the Actions Below:

Whether you are one of their customers, or an organizer who is being impacted by these uncompetitive actions, please file a complaint with the FCC or send an email to your State Attorney General to complain about this monopolistic practice to limit the choices of consumers.

You can also let these companies know how you feel about their attempt to block competitive services:

  • Sprint Customers can click here or dial *2 from their Sprint Phone
  • Cingular Customers can click here or call 1-888-333-6651
  • Qwest Customers can click here or call 1-800-860-2255

Your FreeConference Team remains steadfastly committed to bringing you simple, convenient and reliable conferencing services at the lowest cost possible. We appreciate your support in this endeavor.

Your FreeConference Team

I found this originally on SSAATY.

Should we worry more about insiders or outsiders?

I’ve been having a little bit of a debate with a colleague of mine. Walking into an environment with only the most basic security measures in place (patch management, AV, moderately restrictive firewall policies), where should you focus your time? Obviously, the complete picture needs to be dealt with, but would you spend more time hardening against external attacks, or against an insider threat?

I am of the opinion that, once you have the basics in place, you need to focus on the insiders, such as DBAs that have unrestricted access, network admins who use one shared administrative account to administer everything, and users who have local administrative privileges. Many of the problems you are defending against on the outside are black and white issues - Do I need to disable any services on this web server? What ports should I allow through this firewall? What should I log and where should I log it? And so on.

On the other hand, decisions to restrict access for insiders run into a lot more resistance, both for business and political reasons. No one wants to be told they shouldn’t be trusted with the level of access they have; it’s an affront. There are also many more complicated situations for internal users. Restricting write access to USB for all users might be a great security measure, but what about the admins who need to transfer data back and forth? All these problems have solutions, but the time it takes to work through them means you end up dedicating a larger portion of your time to these efforts.

Maybe I’m way off base here. I’m not saying external threat mitigation is a cakewalk. It’s just that after the basics are taken care of, I think more effort is required to secure things from the internal perspective. Ok, I’m ready…tell me why I’m wrong.
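One concrete place to start on the insider side is the shared administrative account. As an added example of my own (not from the post), here is a small script that spots such an account from successful-login records: one person normally works from one workstation, so a single account accepted from several source addresses within an hour is the signature of a credential being passed around a team. The log lines are constructed in the style of OpenSSH “Accepted” messages with an ISO timestamp prefix; the one-hour window and the three-source threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches constructed lines of the form:
# <ISO timestamp> <host> sshd[<pid>]: Accepted <method> for <user> from <src> port <n> ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log; "netadmin" is the shared account, "jsmith" is a normal user.
SAMPLE_LOG = """\
2007-03-05T08:01:12 fw01 sshd[211]: Accepted publickey for netadmin from 10.1.1.20 port 51422 ssh2
2007-03-05T08:03:40 core-sw1 sshd[88]: Accepted password for netadmin from 10.1.1.31 port 50231 ssh2
2007-03-05T08:05:02 fw02 sshd[212]: Accepted password for netadmin from 10.1.1.44 port 50001 ssh2
2007-03-05T08:20:55 db01 sshd[9001]: Accepted publickey for jsmith from 10.1.1.20 port 51990 ssh2
2007-03-05T09:10:00 core-sw1 sshd[90]: Accepted password for netadmin from 10.1.1.20 port 50240 ssh2
2007-03-05T09:11:30 fw01 sshd[213]: Failed password for netadmin from 10.1.1.99 port 40000 ssh2
"""


def parse(log_text: str):
    """Yield (timestamp, host, user, src) for each successful login; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]


def shared_accounts(log_text: str, window: timedelta = timedelta(hours=1), min_sources: int = 3) -> dict:
    """Return {user: sorted source addresses} for accounts accepted from at least
    `min_sources` distinct sources inside some sliding `window`."""
    events = defaultdict(list)
    for ts, _host, user, src in parse(log_text):
        events[user].append((ts, src))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # Sources seen from this event forward, but no later than t0 + window.
            srcs = {s for t, s in evs[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    for user, srcs in shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: accepted from {len(srcs)} sources within an hour -> {', '.join(srcs)}")
```

The same idea extends to other sources of login events (Windows security logs, RADIUS or TACACS+ accounting) once you have a parser for them. The result is not proof of sharing on its own, but it gives you a named account and a list of workstations to take into the conversation, which is what the political side of the problem needs.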

CompUSA memories

Reading this post by Ryan Block brought back memories, both good and bad, about my own experiences working at CompUSA. I would consider CompUSA my first job in “IT,” even though the majority of it was so far removed from anything technical it barely qualifies. However, it was my first real exposure to people with technical jobs that did not relate to programming. Prior to this I thought that to be in IT, you had to be a programmer.

While the majority of my time spent at CompUSA could be termed “retail hell,” it did give me access to many different types of hardware and software, from many different vendors. I started in the software department, and vendors came in on a regular basis with freebies in an unsubtle attempt to bribe us into pushing their products over the competition.

Similar to Ryan, I then moved into the Upgrades department, selling the higher-end products that had to be locked away behind the counter.  I was also trying to become a repair tech, and meeting with resistance.  Working in the Upgrades department was somewhat enjoyable, and when it was slow I could go next door to the tech area and check out what they were working on.

Overall, it was good experience, if a bit painful.  Then again, that would be my description of most jobs in retail.  All in all, I’m not really that broken up over the fact that there will be no more CompUSA stores in my area.

Jury Duty

I had to perform my civic duty recently, and answer a summons for jury duty at my local courthouse.  Not many people are excited by this invitation, and I was no exception.  In fact, I had already used up my one automatic postponement, so I knew I wasn’t getting out of it.

First impressions: security at the jury entrance was like going through the airport, with less of a line, and no nonsensical restrictions.  While I was not allowed to bring food or drinks into the facility, I was not forced to throw out a tube of moisturizer in my backpack, for instance.  I assume if I had any weapons or other sharp objects I would have been forced to discard them.  Also, I had to leave my cell phone in the car, as camera phones are a no-no.

While the security at the entrance was tight, I had some concerns.  First, no attempt to check my ID was performed in my entire time at the courthouse.  I had to present my summons, but beyond that, I could have been anyone.  Not that many people are going to crash jury duty, but if someone was motivated to do so, I doubt they would have much difficulty.

Second, the smokers are given their right to light up in a small fenced-in terrace outside the main waiting area.  Good for them, but I question how difficult it would be for someone to pass something to (or from) one of the smokers.

I also have a (minor) complaint.  Why, when there are 3 potential courthouses that the juror pool can be summoned to, do I get stuck with the only one that doesn’t offer WiFi?  I spent the better part of 6 hours — don’t get me started on that one — waiting to be called into a courtroom, reading old magazines, when I could have been on my laptop getting things done (i.e. posting this complaint earlier).

In the end, I wasn’t picked for the final jury, and I was thanked for my service and sent home.  While I understand justice is a process, it was unfortunately a lengthy and uneventful process in this case.

Should Microsoft quit the AV business?

An illuminating study was performed by AV-Comparatives, comparing various popular antivirus products. I haven’t had the opportunity to test out OneCare, Microsoft’s antivirus offering, but I assumed they had released a product that was at least comparable to other mainstream antivirus options. Apparently, I shouldn’t assume.

According to the comparison, Microsoft scored an abysmal 82.40% total on-demand detection of viruses/malware. That’s over 6 percentage points lower than the next-worst contender (Dr. Web, at 89.27%). At the other end of the spectrum, Avira PE Premium, G DATA Security AVK, MicroWorld eScan Anti-Virus, F-Secure Anti-Virus, Kaspersky Lab Kaspersky AV, and AEC TrustPort AV WS were all rated above 97% detection, which AV-Comparatives calls their “ADVANCED+” certification level.

Keep in mind, it’s only a 1.x product from Microsoft, so they may be leaving room for improvement. But I expected more from Microsoft with all the marketing about their security initiatives.

Here’s the full results of the test: http://www.av-comparatives.org/seiten/ergebnisse_2007_02.php

Found via PCMag.

WordPress Remote Code Execution - Upgrade NOW!

Over the weekend, there was a notice that code enabling remote code execution had been inserted into the install files for WordPress 2.1.1. Care to guess what version of WordPress this blog was running? Don’t worry, I wasn’t about to volunteer that information until I actually had the upgrade taken care of. Upgrading WordPress isn’t an entirely painless experience, but at least it’s a well-documented process.

If you are running WordPress 2.1.1, and you haven’t already done so, go to this link immediately, and follow the instructions to upgrade to 2.1.2:

WordPress 2.1.1 dangerous, Upgrade to 2.1.2
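One check worth adding to any upgrade procedure, especially after an incident where the install files themselves were tampered with: compare the archive you downloaded against the digest the project publishes before you unpack it. This is an added example of my own, not part of the post or of WordPress; the files and digests below are constructed stand-ins (a real check uses the digest from the project’s download page, and a signature where one is offered).

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, streamed so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """True only if SHA-256(data) equals the published digest (hex, either case)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file on disk matches the published digest.
    Any mismatch means 'do not install', whatever the cause (tampering, corrupt mirror, wrong version)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo() -> tuple:
    """Constructed stand-ins: a pristine archive and a copy altered after the digest was published."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "wordpress-2.1.2.tar.gz")
        with open(good, "wb") as f:
            f.write(b"pristine release archive\n")
        published = sha256_file(good)   # plays the role of the digest on the project's download page

        tampered = os.path.join(d, "wordpress-2.1.2-from-mirror.tar.gz")
        with open(tampered, "wb") as f:
            f.write(b"pristine release archive\n" + b"\x00")   # a single added byte is enough to fail
        return verify_download(good, published), verify_download(tampered, published)


if __name__ == "__main__":
    good_ok, tampered_ok = demo()
    print("pristine archive verifies :", good_ok)
    print("tampered archive verifies :", tampered_ok)
```

The caveat: a digest only helps if you fetch it from somewhere the attacker could not also edit. If the hash sits on the same compromised server as the archive, both will agree; a signature made with the project’s key, or a digest obtained from a second channel, is what actually closes that gap.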

Note: I appear to be having some difficulty creating links, post upgrade. I’ll see what I can do to resolve the problem and update this post.

Update: Problem resolved

Family Security Series

The Family Security Series, by Michael Santarcangelo (aka The Security Catalyst) was launched on Friday. In case you missed it, here was the invitation video:

http://www.youtube.com/watch?v=1h5CUUar19U

To view the first episode of the podcast, go here:

Episode 1: Operating System and Application Updates

I’m interested to see the feedback to this series, because I am one of the contributors, along with Andrew Hay, Peter Clark, and Alvin Liau.

Forward this to all your friends and family members who you feel could use a good primer on security.

Training Options

I have been given the opportunity to attend a few training courses.  Of course, not having been given this option by an employer before (aside from the occasional book or CBT), I want to make the most of it.  As a predominantly self-study type of person, I’m not really sure what constitutes a good instructor-led training.  I’m hoping anyone who reads this might be able to help me out.

When considering my options, I’m looking for something relevant to my position as an Information Security Analyst.  That being said, I’d also like to stick to the vendor-neutral offerings as much as possible.  While it might be useful at some point to go down the Cisco or Juniper path directly, at the moment I would rather have a broader scope.

When I search for security training, the big name that keeps coming up is SANS.  I know they have a large number of course offerings, and they appear to be pretty well-regarded.  If I were to go this route, I’d probably look at the GSEC course, or the GCFW.  I haven’t been able to find many other vendor-neutral security training options.

To complicate things a little further, I’d like to find something in the eastern half of the United States.  I am told the likelihood of getting my training budget approved is inversely related to the distance from my office.  Since I am in the greater New York metropolitan area, that kind of knocks SANS San Diego out of the running.

So how about it?  Any great training out there that you’d like to share?

Congratulations to Martin

Well, I feel a little embarrassed to be so behind the crowd on this one, but I want to congratulate Martin McKeay on his new position as Security Evangelist for StillSecure! I remember his post from 6 months ago when he stated his dream of becoming a security evangelist, and it’s great to hear that it came true for him.

I don’t know Martin personally, but from seeing his work on his blog and his podcast, I am quite impressed by his knowledge and the amount of time and effort he puts in. He is one of the people I am trying to emulate on this blog, because I think he has the right idea on blogging in general, and security blogging in particular.

Again, congratulations to Martin, and good luck!

StillSecure Appoints Well-Known Security Expert Martin McKeay as Product Evangelist

DST Update

Unless you missed the memo, you’re probably already aware that due to the Energy Policy Act of 2005, Daylight Saving Time in the US will begin 3 weeks earlier this year (the second Sunday in March instead of the first Sunday in April) and end one week later (the first Sunday in November instead of the last Sunday in October).

Wikipedia article

If you did miss the memo, you’ve got some catching up to do. Virtually every device and every operating system that has a clock will need to be updated. Anything still running the old rules will be off by an hour from March 11 until April 1, and again from October 28 until November 4. This has an impact on everything from logging to calendar appointments; an hour’s skew between log sources is enough to make correlating events across systems unreliable.
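To make the logging impact concrete, here is an added example of my own (not from the post or from any vendor) that encodes the old US rule (first Sunday in April to last Sunday in October) and the 2007 rule (second Sunday in March to first Sunday in November) and lists the days on which a patched host and an unpatched host disagree about whether DST is in effect. It works at day granularity and assumes US Eastern offsets of UTC-5/UTC-4 for the timestamp comparison; real systems should rely on an updated tz database rather than rules coded by hand.

```python
from datetime import date, datetime, timedelta


def nth_sunday(year: int, month: int, n: int) -> date:
    """The n-th Sunday of the month (n=1 for the first)."""
    first = date(year, month, 1)
    offset = (6 - first.weekday()) % 7       # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=offset + 7 * (n - 1))


def last_sunday(year: int, month: int) -> date:
    """The last Sunday of the month."""
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def dst_window_pre2007(year: int) -> tuple:
    """US rule in force 1987-2006: first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)


def dst_window_2007(year: int) -> tuple:
    """US rule from 2007 (Energy Policy Act of 2005): second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def in_dst(day: date, window: tuple) -> bool:
    start, end = window
    return start <= day < end


def disagreement_ranges(year: int) -> list:
    """Inclusive (first, last) ISO date ranges on which a host with the old rules and a host
    with the new rules report different UTC offsets, i.e. where unpatched logs are an hour off."""
    old, new = dst_window_pre2007(year), dst_window_2007(year)
    ranges = []
    day, end = date(year, 1, 1), date(year + 1, 1, 1)
    while day < end:
        if in_dst(day, old) != in_dst(day, new):
            if ranges and ranges[-1][1] + timedelta(days=1) == day:
                ranges[-1][1] = day          # extend the current run
            else:
                ranges.append([day, day])    # start a new run
        day += timedelta(days=1)
    return [(a.isoformat(), b.isoformat()) for a, b in ranges]


def eastern_to_utc(local_iso: str, window: tuple) -> str:
    """Naive US-Eastern local timestamp -> UTC under the given DST window.
    Assumes EST=UTC-5 / EDT=UTC-4 and ignores the 02:00 transition hour itself."""
    local = datetime.fromisoformat(local_iso)
    offset_hours = 4 if in_dst(local.date(), window) else 5
    return (local + timedelta(hours=offset_hours)).isoformat()


if __name__ == "__main__":
    for first, last in disagreement_ranges(2007):
        print(f"unpatched hosts are an hour off from {first} through {last}")
    stamp = "2007-03-15T09:00:00"   # a log entry written in local time during the first gap
    print("patched host   ->", eastern_to_utc(stamp, dst_window_2007(2007)), "UTC")
    print("unpatched host ->", eastern_to_utc(stamp, dst_window_pre2007(2007)), "UTC")
```

Run for 2007 it reports the two gaps, March 11 through March 31 and October 28 through November 3, and shows the same 09:00 local log entry landing an hour apart in UTC depending on which rules the host applies. That is the practical reason to log in UTC where you can: the timestamps still line up even when one box has the wrong rules.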

Here is a short list of some of the updates I have found:

Microsoft: Preparing for Daylight Saving Time changes in 2007

Cisco: U.S. Daylight Saving Time (DST) Changes for 2007

Sun: Daylight Saving Time (DST) Changes for Australia (2006), Canada (2007), United States (2007) and Others

Red Hat: Are my systems affected in the 2006 and 2007 Daylight Savings Time (DST) changes that is occurring in several countries?

Oracle: Oracle Database Daylight Saving Time Update Guide

Blackberry: Daylight Saving Time 2007

This is by no means a comprehensive list. I thought it would be helpful to list some of the major vendors’ DST information, but you should look at anything running software on your network, whether it’s a network device, appliance, server, or application.

Welcome

Welcome to my blog. My name is John Biasi. I am a security professional, and I hope to use this blog to help advance the discussion of Information Security, and to increase security awareness as well. I’m not too sure what form this blog will take at this point, but I will definitely be bringing my work home with me to discuss important topics that I come across on a daily basis. I may mix it up a bit with other geeky tech news, if you’ll indulge me.

So feel free to come back often, or subscribe to my RSS feed. I hope to give you something interesting to read, and to meet some interesting people along the way.