Wednesday, October 1, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Security Roundtable for September 27, 2008 [The Security Catalyst]

Posted: 01 Oct 2008 07:14 AM CDT

Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with 'twit’ and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points.

Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com

Zach: http://twitter.com/quine

Michael: http://twitter.com/catalyst

Martin: http://twitter.com/mckeay

 

Security Twits: http://n0where.org/security-twits/

 

Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.

 

PS: 10 Days after the break-in and theft - we’re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I’m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. 

I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!

This posting includes an audio/video/photo media file: Download Now

ISSA Triangle InfoSeCon 2008 [Security Uncorked]

Posted: 01 Oct 2008 06:42 AM CDT

ISSA Triangle InfoSeCon 2008

Coming…
Thursday, October 16th to
Raleigh, NC

Our company, Carolina Advanced Digital, is a Platium Sponsor of this year’s ISSA InfoSeCon 2008 in Raleigh, NC. Come see us, meet our new folks and hear my talk on ‘Network Security Stripped’.. it’s the only scheduled North Carolina presentation of this talk!

Also, don’t miss Raffy’s session on “Insider Threat, Governance, Risk, and Compliance (GRC), and Perimeter Threat” at the same event. Visit Raffy’s blog

Registration is Open!
Online registration from $30/person
http://www.TriangleInfoSeCon.com

# # #

Malware contest is going on! [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 01 Oct 2008 01:51 AM CDT

Spylogic pointed me to this interesting challenge.

It turns out that the Ohio information Security Summit is hosting (and dishing out prizes too) to people who try to analyze malware and document their findings. The contest is open Oct. 1 to Oct 26, and I just love it!

Howow - hold yer horses. Malware, you said? So this gotta be dangerous? Yes? Ok. Let us check their FAQ:

"Are you using real malware? Isn't that dangerous?

Yes and yes. The malware being used in the test is malware we pulled from the wild. It will infect machines it is run on so you should take every precaution to ensure you do not infect machines or networks you do not mean to."

Ah, so I need to use my lab for this.

Seriously, I think this may be a nice way to create awareness and interest for malware out in the jungle. Unfortunately for me, I will be nowhere near Ohio in October, but I will give it my best shot anyway. First, let me find an old, battered computer I can use for this test...

,

Stripping at SecTor [Security Uncorked]

Posted: 30 Sep 2008 07:53 PM CDT

Hey, readership was down after my hiatus… I needed something catchy ;)

Next week, I’ll be unleashing “Network Security Stripped: From layered security to bare essentials” at the SecTor conference October 7-8 in Toronto.

It’s bound to be a great event- with keynotes by Johnny Long and Stepto (Stephen Tolouse) and sessions by the Hoff (with his Four Horsemen, My Little Pwnie Edition - don’t ask), HD Moore, Josh Perrymon, Bruce Potter and.. well you can read the whole roster of speakers yourself.

And I have to go first… why do I have to go first… ? *sigh  

SecTor
October 7-8, 2008
Toronto, ON
http://sector.ca
http://sector.ca/schedule.htm 

# # #

Secure Life Ep 2 [Andrew Hay]

Posted: 30 Sep 2008 05:10 PM CDT

The Very Best Rosh Hashana To Our Jewish Friends & Their Families [Infosecurity.US]

Posted: 30 Sep 2008 05:10 PM CDT

Infosecurity.US wishes the very best, healthy, happy and peaceful ראש השנה - Rosh Hashana - to our Jewish Friends & Their Families.

Reblog this post [with Zemanta]

[1] When Is Rosh Hashana

[2] Wikipedia: Rosh Hashana

New Prime Discovered [Infosecurity.US]

Posted: 30 Sep 2008 03:58 PM CDT

UCLA’s Mathematics Computing Group Manager Edson Smith, has reportedly discovered a new prime number. Kudos to Mr. Smith, who was responsible for deployment and implementation of GIMPS software on the UCLA Mathematics Department’s systems.

Reblog this post [with Zemanta]

The effort is a direct output of the Great Internet Mersenne Prime Search (GIMPS). From the Mersenne announcement: ” 45th and 46th Known Mersenne Primes Found!!!! GIMPS set to claim $100,000 EFF award!

On August 23rd, a UCLA computer discovered the 45th known Mersenne prime, 243,112,609-1, a mammoth 12,978,189 digit number! The prime number qualifies for the Electronic Frontier Foundation’s $100,000 award for discovery of the first 10 million digit prime number. Congratulations to Edson Smith, who was responsible for installing and maintaining the GIMPS software on the UCLA Mathematics Department’s computers.On September 6th, the 46th known Mersenne prime, 237,156,667-1, a 11,185,272 digit number was found by Hans-Michael Elvenich in Langenfeld near Cologne, Germany! This was the first Mersenne prime to be discovered out of order since Colquitt and Welsh discovered 2110,503-1 in 1988. The nearly decade long quest for the EFF award came down to a close race to the finish - with just two weeks separating the discovery of the two primes.

As promised, GIMPS will give $50,000 of the EFF award to the UCLA Mathematics Department for discovering the first 10 million digit prime. $25,000 will go to charity, and most of the remainder will go to discoverers of the previous six Mersenne primes. You can read a little more in the short press release.”…

[1] Mersenne GIMPS Home
[2] ComuterWorldGrid power: Sysadmin discovers 13-million-digit prime number

PhoneTag - An easier solution to dying voicemail [Srcasm]

Posted: 30 Sep 2008 03:51 PM CDT

When I used to receive 10-20 voicemail messages per day from the office, it was a complete pain in the arse to go through them each hour to make sure I wasn’t missing something important.  When the server room was down?  ”Sorry, didn’t get that memo,” was not a viable solution.  So I looked at a service called Simulscribe.  I fell in love with the service immediately.  It was simple — Sign up, redirect voicemail to their phone number and never check my voicemail again.  How do they do it?  It’s simple, as PhoneTag (previously Simulscribe) shows you:

PhoneTag

I wasn’t too skeptical of whether or not a service like this could take off.  To my amazement, I was not the only person out there that valued their time and didn’t want to waste 30 minutes per day listening to messages (most of which were junk) when they could be working, on the golf course or simply taking a relaxing bubble bath.  Today, PhoneTag has been written about in The New York Times, Forbes and even NPR (Radio?  What’s that?).

Yeah, it may not be free anymore but I still highly recommend their service to anyone that cares about how they spend 1/16th of their work day.  It’s a lot of time to be spending with a phone pressed against your ear and it can really hurt your neck.  You wouldn’t want to get hurt by listening to voicemail, right?  That’d be embarrassing.

Sometimes there is more to appliances than software [StillSecure, After All These Years]

Posted: 30 Sep 2008 03:42 PM CDT

I have had my share of blog wars with Richard Stiennon. I try to go easy on him now, so as to stay out of it. But, once again Richard shows that sometimes he just doesn't get it. His latest flub comes in a post on Nokia exiting the security appliance business.

Richard says in essence "good riddance".  He says Nokia was lucky to capitalize on Check Points failure to come to market with an appliance.  But they missed the boat by never developing their own solutions and moving into UTM (isn't UTM the answer to everything for Richard?) and other security technologies.  Richard says they should have sold 5 years ago and now of course will have to take a bargain basement price.

Richard you are wrong because you don't understand Nokia's value. They never claimed to develop great software.  They developed a great hardware platform.  Yes Nokia is a giant telecommunications company and the appliance business was never really more than a small rounding error on the bottom line I guess. But the division that ran the appliance business did a good job.

I have met with and spoken to engineers and sales people who worked for Nokia.  They were able to clearly articulate their value prop and never tried to hide the fact that they ran best of breed software on the appliance.  The Nokia boxes were quality appliances.  In a market where far too many appliances are Dell boxes with a different color bezel, the Nolia appliance was a more than just a white box.  Over the last few years they branched out beyond Checkpoint and ran several other applications on the appliance.  All in all, Nokia had a good product and a good channel. I wish they would sell StillSecure on a Nokia box.

Also, for a good explanation check out the comments to Richard's post by Gray haired security Wonk.  If you think you know who it is, mail me.

Reblog this post [with Zemanta]

PCI-SSC, you are such a tease. [Branden Williams' Security Convergence Blog]

Posted: 30 Sep 2008 01:43 PM CDT

I wandered over to the PCI-SSC site today and noticed that they have reposted the press release from August 18 reminding everyone that the new version of the standard will be announced TOMORROW.

Thanks for the reminder; I'm pretty sure we all have that date etched into our brains via green laser.

Tease....

Cars, wrap ‘em up! [Srcasm]

Posted: 30 Sep 2008 10:39 AM CDT

The idea of advertising is not a new one.  Google has mastered the online world, Clear Channel seems to own most of the real-life TV, radio and billboard advertising.  Why couldn’t we start to allow people to advertise with their own vehicles? 

Take a travelling sales guy (or girl) for instance.  They travel over 150 miles per day down the highway, stuck in traffic, stopped at red lights and parked in open lots.  Now take a product like LTLprints.  They have something that seems to be fairly waterproof, durable to the sun and it doesn’t harm almost anything.  What if we put these two together to form the greatest, movable advertising system ever.  Inexpensive to produce (under $150), could be as small or as large as necessary and it won’t damage the vehicle.

Could you imagine a swarm of PostIt, AOL, Starbucks or Whole Foods cars driving around the highway?  It would be advertising genius and could possibly make four different parties money.  The advertiser gets customers, the company that designs the advertising gets paid, the company that places the ads gets a service fee and the car owner gets a cut of the placement.

One large issue is see is the control of the advertisements that go on YOUR vehicle.  This could be solved with a simple two-way agreement system.  Half.com uses it for selling your books.  Someone opts to purchase the book (or space in this case) and the seller gets the chance to both name their price AND to take the offer or not.

Just a thought, keep it in mind if you’re looking to make big money.  And if you don’t mind, send a slice of it my way.

Google Chrome Security Advisory [Infosecurity.US]

Posted: 30 Sep 2008 08:50 AM CDT

Aditya K Sood of SecNiche has released a security advisory focused on Google’s Chrome Web Browser. The specific issue revolves around a  window object remote denial of service. Submitted to SecurityFocuses’ BugTraq, the advisory’s details follow after the jump.

Reblog this post [with Zemanta]

Google Chrome Window Object Suppressing Remote Denial of Service.

*Version Affected:*
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

*Severity:*
High

*Description:*
The Google chrome browser is vulnerable to window object based denial of service attack. The Google Chrome fails to sanitize a check when window.close() function is called in body upload. The function is called in a suppressed manner and kills the parent window directly by default which makes it vulnerable to denial of service attack. This inability of Google Chrome diversifies the attack pattern as number of events can execute this  function without a security check,prompting a user to allow the event to trigger.

This security issue is a result of design flaw in the browser as function show stringent behavior in many cases. .Scripts must not close windows that were not opened by script,if script specific code is designed. There must be a parent window confirmation check prior to close of window.

*POC:
http://www.secniche.org/gws/poc.html
*
/NOTE: If this page is opened in Google Chrome , You need to open this POC in new window to see the killing of parent window. You can even use a Sub Tab in this.
/
*Links:*
http://www.seniche.org/advisory.html
http://www.evilfingers.com/advisory/

*Detection:*
SecNiche confirmed this vulnerability affects Google Chrome on Microsoft Windows XP SP2 platform.The versions tested are:

Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

*Disclosure Timeline:*
Disclosed: 25 September 2008
Release Date. September 27 ,2008

*Vendor Response:*
Google acknowledges this vulnerability as security bug and “fix” will be released soon.

*Credit:*
Aditya K Sood

*10. Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

Reblog this post [with Zemanta]

Firefox 3.0.3 Vulnerability Reported: Remote Denial of Service Attack [Infosecurity.US]

Posted: 30 Sep 2008 08:40 AM CDT

Security Research Aditya K Sood of SecNiche has discovered, and reported (via BugTraq at SecurityFocus) a null pointer bug, leading to a potential Remote Denial of Service exploit targeting the new version of Mozilla’s Firefox 3.0.3. The full advisory appears after the jump…

Reblog this post [with Zemanta]

From the Advisory: Mozilla Firefox User Interface Null Pointer Dereference Dispatcher Crash and Remote Denial of Service.*Version Tested:*
Mozilla 3.0.3 - 1.9.0 Branch /(Specifically for Latest Version)/

*Severity:*
High

*Description:*
The mozilla firefox is vulnerable to user interface event dispatcher null pointer dereference denial of service attacks. The dispatched event created dynamically leads to firefox crash when it is called directly or in a
defined loop with number of generated  user interface events.The resultant crash results in:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0×0000000000000007
Crashed Thread: 0
Thread 0 Crashed: 0 libxpcom_core.dylib nsTArray_base::Length() const + 11
(nsTArray.h:66)
1 libgklayout.dylib
nsContentUtils::

GetAccelKeyCandidates(nsIDOMEvent*,
nsTArray&) + 261 (nsContentUtils.cpp:4083)This security issue is a result of unhandled exception which is a result
of null
pointer dereference.*Links:*
http://www.secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

*Proof of Concept*
http://www.secniche.org/moz303/index.html

*Detection:* SecNiche confirmed this vulnerability affects  Mozilla Firefox on Microsoft Windows XP SP2 platform.The versions tested are:

Mozilla 3.0.3 - 1.9.0 Branch

*Disclosure Timeline:*
Disclosed: 28 September 2008
Release Date. 28 September ,2008

*Vendor Response:*
Mozilla confirm this vulnerability.
*Credit:*
Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for
any indirect special or consequential damages.

KnujOn: House Passes Ryan Haight Online Pharmacy Consumer Protection Act [Infosecurity.US]

Posted: 30 Sep 2008 08:39 AM CDT

Garth Bruen over at KnujOn reports (via CNET) on congressional approval of the Ryan Haight Online Pharmacy Consumer Protection Act.

Reblog this post [with Zemanta]

From the Act: “Ryan Haight Online Pharmacy Consumer Protection Act of 2008 - Amends the Controlled Substances Act to prohibit the delivery, distribution, or dispensing of controlled substances over the Internet without a valid prescription. Exempts telemedicine practitioners.

Defines “valid prescription” as a prescription that is issued for a legitimate purpose by a practitioner who has conducted at least one in-person medical evaluation of the patient.

Adds definitions to the Controlled Substances Act relating to online pharmacies and the issuance of prescriptions over the Internet.

Imposes registration and reporting requirements on online pharmacies.

Requires an online pharmacy to: (1) display on its Internet homepage a statement that it complies with the requirements of this Act; (2) comply with state laws for the licensure of pharmacies in each state in which it operates or sells controlled substances; (3) post on its Internet homepage specified information, including the name, address, and telephone number of the pharmacy, the qualifications of its pharmacist-in-charge, and a certification of its registration under this Act; and (4) notify the Attorney General and applicable state boards of pharmacy at least 30 days prior to offering to sell, deliver, distribute, or dispense controlled substances over the Internet.

Authorizes the Attorney General to issue a special registration under this Act for telemedicine practitioners.

Increases criminal penalties involving controlled substances in Schedules II, IV, and V of the Controlled Substances Act.

Authorizes states to apply for injunctions or obtain damages and other civil remedies against online pharmacies that are deemed a threat to state residents.”

Sweden redraws it's internet surveillance law [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 30 Sep 2008 08:32 AM CDT

Last week, the Swedish government made vital changes to the law they approved this summer.

According to Digi.no (sorry, only Norwegian), the Swedish government has changed the law, and there is no longer legal to do surveillance without consent.

In July, I covered the story when the Swedish approved the new law, allowing their police and surveillance teams to tap into ANY and ALL internet traffic that came through their country - no matter if there where any suspicions or not at hand. This meant that everyone suddenly became victims, and no-one would be able stay off their radar - innocent or not.

This time, the Swedish government where forced to redo the law. They had to add a quality control mechanism, something that has been a very well accepted rule in the western world for centuries - that any surveillance must be following (not followed by) a suspicion. Thus following the principle - innocent until proved guilty.

In the past (mainly since 9/11/2001), we have seen dramatic changes in how this principle is followed. Privacy is lessened by the day. Surveillance increases - with or without our consent. Our legal rights are set aside by the governments increased lack of control. And our politicians constantly fail to understand how technology changes the world - no, not slowly, but at speeds that keeps spinning the world around so fast that no-one are really able to grasp even the smallest of implications.

Today, laws tends to come around way too late to tackle the initial challenge. And instead of allowing the technology be an enabler, they tend to force into action regulations that are no longer relevant, to challenges no longer available.

I applaud the Swedish government for extremely quick action when they discovered their error. This kind of reaction is exactly what is required to stay up to date for any government. Don't just sit around, poking your stick in the ground, waiting for someone to decide for you.

Governments challenge is to turn their reactive regulations into proactive delegations. By using laws as enablers, as opposed to regulators as they are today, governments will be able to change the way we do business, and the way we use technology. And the way we interact.


, ,

It’s the attention to detail that matters [Srcasm]

Posted: 30 Sep 2008 08:30 AM CDT

I was scanning through my hundreds of RSS feeds and decided to share this with the rest of the class –

Stock market crash confuses Google Finance — has the wrong closing price for nearly every stock!

–VentureBeat

The gist of the story is that Google Finance was showing incorrect closing prices where it has the big red numbers as proper closing prices according to their stock charts.  Who would notice this you ask?  Everyone!  It’s not a mundane detail.  Things like Google’s finance services are relied on by many hundreds of thousands of people (I would venture a guess) and that means that it’s not only for fun, money-watching extravaganzas but also for their careers.

This leads to the point of this post — Attention to detail matters.  It doesn’t matter if you’re building a house, raising a child or creating Google Finance, all of these things need a lot of attention to detail.  It’s the little things that make the difference.  Take a look at Yahoo’s old email compared to when Gmail rolled out.  They both did the same basic things.  They received and sent email, they categorized it and filed it away and they allowed email signatures.  What Google did was made it simpler with the little things.  They made the interface AJAXy and they redesigned how “folders” worked.  They turned over a new leaf when it came to the amount of storage and more.  Under the hood, the site did the same thing as Yahoo’s email but they blew them out of the water with the other pieces.

I know that a lot of this advices sounds like, “DUH!  Everyone knows that!”  But apprently that isn’t the case.  Due to a coding error, miscommunication or some other issue, Google’s Finance missed one of the mundane details.  If you had relied on their service for your job, you could be as low as the stock market really is today.

Physical Fitness #2 [Random Thoughts from Joel's World]

Posted: 29 Sep 2008 09:06 PM CDT

Oh yeah, I ran again. Except this time I got to mile 1, didn't hurt. So I decided to keep going.

Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.

Subscribe in a reader

Thank You Congress! [The Falcon's View]

Posted: 29 Sep 2008 08:25 PM CDT

Well, thank goodness, the House of Representatives saw the light and voted down the immensely ill-conceived bailout plan. Thank goodness for easily offended fiscal conservatives. Full details on the vote are available on Think Progress. Wall Street responded with its...

Secure Life Ep 1 [Andrew Hay]

Posted: 29 Sep 2008 06:07 PM CDT

SANS: Signs of Compromise [Infosecurity.US]

Posted: 29 Sep 2008 05:53 PM CDT

Yesterday’s SANS Handler’ Lorna Hutcheson posted a helpful (if you thrive on lists like I do) diary post enumerating the 10 signs of a potential compromise. Of course, if you notice these conditions (dependent upon cause), your systems are already toasted. At the very least, food for thought…

From Lorna’s post:

  1. Your logging server hasn’t logged any events or you haven’t received alerts in the last 12 hours

  2. Your FTP server/user hard drives etc. are suddenly out of disk space or maybe logs increase in size more than your normal variation

  3. Your competition’s products looks just like yours, but have a prettier color scheme

  4. Your customers start receiving spam on email addresses they used only to sign up for your service

  5. You get machine acts “funny” report from users (i.e. windows closing by themselves, browser homepage changed, etc.)

  6. Someone needs help connecting to the company’s wireless access point, you don’t have a wireless access point

  7. Complaints that software (payment processing software, web browser, etc) keeps crashing

  8. Complaints from user(s) that passwords/logins aren’t working

  9. Computer systems running unusually slow

  10. Visitors to your website complain that they get redirected to another site or one that just doesn’t “look” right

links for 2008-09-29 [Andrew Hay]

Posted: 29 Sep 2008 04:02 PM CDT

XKCD: Observable Universe [Infosecurity.US]

Posted: 29 Sep 2008 11:01 AM CDT

Los Alamos National Laboratory Data Security Shortcomings [Infosecurity.US]

Posted: 29 Sep 2008 10:40 AM CDT

Federal Computer Week’s Alice Lipowicz reports on evidentiary data culled from a Federal Government Accounting Office (GAO) report detailing cybersecurity challenges at one of our nations’ most valuable laboratory assets. Evidence points to security lapses protecting information on the Lab’s unclassified computer network.

Reblog this post [with Zemanta]

Summary statements from the report: “The Los Alamos National Laboratory (LANL), which is operated by the National Nuclear Security Administration (NNSA), has experienced security lapses protecting information on its unclassified computer network. The unclassified network contains sensitive information. GAO (1) assessed the effectiveness of the security controls LANL has in place to protect information transmitted over its unclassified computer network, (2) assessed whether LANL had implemented an information security program for its unclassified network, and (3) examined expenditures to protect LANL’s unclassified network from fiscal years 2001 through 2007. To carry out its work, GAO examined security policies and procedures and reviewed the laboratory’s access controls for protecting information on the unclassified network.”

[1] GAO: Information Security: Actions Needed to Better Protect Los Alamos National Laboratory’s Unclassified Computer Network

[2] Federal Computer Week: GAO: Los Alamos Lab has cybersecurity gaps

(ISC)2’s Newest Cash Cow: The CSSLP Certification [Zero in a bit]

Posted: 29 Sep 2008 10:08 AM CDT

Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42″ plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to application security professionals. To his credit, Mr. Tipton stated very clearly that the CSSLP is not intended to measure one’s technical skillset. Unfortunately, it’s inevitable that employers will treat it as such.

You can read all the details on their website (except for the part about the certification not being a measure of practical skills). From what I can tell, the CSSLP is just the CISSP with different CBKs, or Common Bodies of Knowledge. As with the CISSP, they are going for broad knowledge, not depth. Starting in June 2009, you can get certified by taking a paper exam, likely a multiple choice test similar to the CISSP. Why June? Because the test isn’t even written yet — I’ve heard from several sources that they are actively soliciting their existing pool of CISSPs to help write test questions.

Ah, but what if you can’t wait that long and want to get certified right away? You’re in luck. If you act before March 31, 2009, you can get grandfathered in without even having to take the exam! That’s right, they call it the CSSLP Experience Assessment, and here are the requirements:

  • Upload a resume showing three years of experience related to software security, or four years if you don’t have a college degree
  • Write short essays (500 words maximum) discussing four CBKs of your choice
  • Get a CISSP to vouch for you
  • Pay $650

Let’s examine these requirements one at a time.

Three years of experience. (ISC)2 doesn’t provide any requirements on depth of experience, other than citing the broadly-defined CBKs. Considering they are targeting everyone from software developers to security assessors to business analysts (yes, really), chances are they are going to accept any experience that is even tangential to the SDLC or software security.

Short essays on four of the CBKs. I asked the (ISC)2 exhibitors specifically what they are looking for to satisfy this requirement, and they said the essays should be a general discussion of the CBK topic, optionally citing your personal experience in that area if you have any. This messaging is not quite aligned with the website guidance, which states that the essays should be “Accomplishment Records” which are self-reported descriptions of experience. Either way, with a maximum essay length of 500 words, it’s pretty obvious that substance is not (ISC)2’s first priority. Here’s one data point for you: I spoke to someone who has already submitted the CSSLP Experience Assessment, and he said it took about an hour to write the essays.

Get a CISSP to vouch for you. Actually this can be any (ISC)2 certified person, not just CISSPs. Contrary to what you’d expect, though, the person isn’t vouching for your skillset so much as they are confirming that the attestations on your resume are accurate.

Pay $650. You knew it was coming. After all, there is money to be made. How is it that qualifying for the CSSLP through professional experience should cost $650? If you’re taking the written exam, fair enough, (ISC)2 does incur the cost of administering and grading that exam (even though the Scantron machine is probably paid off by now). But $650 for the submitted-online Experience Assessment? If we assume that the person reading these essay submissions makes a rather generous $100k per year, then $650 accounts for roughly a day and a half. Will it really take that long to read a maximum of 2,000 words and pass judgment? Of course not. (ISC)2 wants to get as many people as possible to qualify based on “experience”, seeding the initial pool of CSSLPs and netting them $650 per head for doing next to nothing.

As Lee Kushner stated during his OWASP AppSec presentation (7 Habits of Highly Effective Career Managers), “the more people who own a cert, the less relevant it becomes.” Irrelevant — that’s exactly what the CISSP has become, and it’s exactly where the CSSLP is headed. Meanwhile, (ISC)2 will sit back and watch while you and your employers continue to fill their coffers.

In closing, let me acknowledge that this blog entry probably comes across as judgmental. I accept that. I’m not ranting against the idea of certifications, though admittedly I’m not a fan of them either. I am disappointed that (ISC)2, an organization with tremendous influence, could have created something more meaningful but chose not to. Why bother when people will just fork over the cash anyway?

The Andrew Hay Butterfly Effect [Andrew Hay]

Posted: 29 Sep 2008 09:02 AM CDT

Have you ever thought that your actions impacted more than your immediate surroundings? I’m really starting to think that the books that I author trigger some sort of butterfly effect. Take, for example, the OSSEC Host-Based Intrusion Detection Guide. About a month after the book hits the shelves, the OSSEC project is bought up by Third Brigade. Now this results in a positive, especially for Daniel Cid the creator, but nevertheless a strange coincidence.

The Nokia Firewall, VPN, and IPSO Configuration Guide, the latest book I was involved with which has yet to be published, hasn’t even made it out of the printers yet and today Nokia announces that it is selling off its firewall business. From the article:

Nokia said on Monday it would focus its services development on consumers rather than businesses. Nokia said it was in advanced talks to sell its security appliances business to a financial investor, while it would halt development and marketing of its “behind-the-firewall” corporate software. The measures will affect in total around 700 staff, it said.

Nothing, to my knowledge, has resulted from the publishing of the Nagios 3 Enterprise Network Monitoring book but I do not yet know the full extent of my powers. To the 700 Nokia staff who are impacted by this phenomena…I apologize but I didn’t know what writing that book would do to the universe.

Origins of t’internet [Srcasm]

Posted: 29 Sep 2008 08:56 AM CDT

jI received this amazing chain letter from my future father-in-law and I had to pass it on (yes, I did just say I’m passing along a chain letter but it caused me to LOL, ROFL, etc so I figured it might help your Monday as well).  Enjoy. –

The True Origin of the Internet

In ancient Israel, it came to pass that a trader called Abraham of Com
Did take unto himself a young wife by the name of Dot.

And Dot of Com was a comely woman, broad of shoulder and long of leg.
Indeed, she had been called
‘Amazon Dot Com’

And she said unto Abraham, her husband,
‘Why dost thou travel far from
Town to town with thy goods when thou can trade without ever leaving thy
Tent?’

And Abraham did look at her as though she were several saddle bags
Short of a camel load, but simply said,
‘How, dear?’
And Dot replied,
‘I will place drums in all the towns and drums in between to send messages
Saying what you have for sale and they will reply telling you which hath the
Best price. And the sale can be made on the drums and delivery made by
Uriah’s Pony Stable (UPS).’

Abraham thought long and decided he would let Dot have her way with
The drums. And the drums rang out and were an immediate success. Abraham
Sold all the goods he had at the top price, without ever moving from his
Tent. But this success did arouse envy A man named Maccabia did secrete
(look it up, it means to hide) himself inside Abraham’s drum and was accused
Of insider trading. And the young man did take to Dot Com’s trading as doth
The greedy horsefly take to camel dung.
They were called
Nomadic Ecclesiastical Rich Dominican Siderites, or NERDS for short.

And lo, the land was so feverish with joy at the new riches and the
Deafening sound of drums that no one noticed that the real riches were going
To the drum maker, one Brother William of Gates, who bought up every
Drum company in the land. And indeed did insist on making drums that would
Work only with Brother Gates’ drumheads and drumsticks.

And Dot did say,
‘Oh, Abraham, what we have started is being taken over by others.’
And as Abraham looked out over the Bay of Ezekiel, or as it
Came to be known ‘eBay’ he said,
‘We need a name that reflects what we are.’
And Dot replied,
‘Young Ambitious Hebrew Owner Operators.’
‘YAHOO!’
Said Abraham.

And that is how it all began.
Al Gore had absolutely nothing to do with it

No comments: