- The vulnerability market and the responses from Google, Mozilla and Microsoft
- Verizon Report 2010: insider threats on the rise
- Privacy and Web 2.0: the psychology of control
- Check up on me, please! Or, how the human factor affects confidentiality, integrity and availability
- Apple products are the most vulnerable. Then comes Oracle, and Microsoft is third. Huh?
- The modern photocopier: a data sieve
Security
Rare Opportunity: CISSP Classes with Shon Harris
Download free resources (articles, tips) from Shon Harris personally: http://www.rtek2000.com/courses/CISSPresources.html
The CISSP exam is considered one of the most difficult, since you have to be ready to answer 250 questions within 6 hrs with only short breaks at your own discretion. It took me 4 months of hard work to get ready for the exam.
I used several free and paid materials, wrote multiple notes, and extracted various pieces of information that could be related to the area of study. If you are thinking about getting CISSP certified, here are my "10 Rules for Success" (read the full article here: http://securecyber.blogspot.com/2007/04/i-passed-such-relief.html)
"10 RULES FOR SUCCESS"
I have developed the "10 Rules for Success", and I feel that some of them helped me to answer most of the questions properly (some of them were posted on the blogs, so I accommodated them for my own interpretation):
1. Read every question AND every answer word by word:
b. You will better understand the differences between answers even if they are quite similar (I had 7-10 of those on the exam).
2. Skip the long-text questions and the difficult questions; don't spend time on them right away, just set them aside for now.
3. If the question is to find the right answer, eliminate the wrong answers first. If the question is to find the wrong answer, mark all CORRECT answers, first.
4. Control your time, so you can define or change your exam taking strategy on-the-fly.
5. If you answered the question but are still unsure whether you are correct, put a large question mark next to the question. When you have some time left before the deadline, review them again (I corrected 3 answers).
6. Make sure that you allocate at least 10-15 min for filling out the answer form.
7. Before the end, check that you filled out ALL answers (it's easy to miss one or two).
In addition:
8. Dress appropriately (bring a warm jacket or sweater just in case).
9. Have at least 8 hrs of sleep the night before the exam and arrive 25-30 min prior to the exam to read through your cram sheet.
10. You will need your confidence during the exam. Build your confidence by learning as much as possible and passing the quizzes at a level of at least 80%. If you don't know the correct answer to some of the questions, it must not shake your confidence.
Think like a manager of a large corporation and take your chance choosing one answer based on real-world situations.
Feel free to comment or ask questions.
Brute-Forcing Compatibility
Idea came thanks to cktricky from: http://cktricky.blogspot.com/
A bunch of sites on the web give you different pages depending on the browser you use to view them. I know that when I was a web developer, compatibility was the bane of my existence, as I'm sure it still is for all the web devs out there.
Well, sometimes this leads to bad coding practices, or even the old "Google Bot gets to see everything" feature. So I had an idea: take Burp's Intruder and "brute force" any compatibility coding that a site may have.
Especially if there is a restricted section of the site that you know is there, but don't have access to.
To start off, you need a list of user agents. I pulled mine from the User-Agent Switcher lists I found on the web, since they are in easily parsed XML.
I downloaded: http://qainsight.net/content/binary/AgentStrings20070517.xml
There are plenty of ways to parse XML in your scripting language of choice but here is some dirty bash script that worked for me:
grep 'useragent=' AgentStrings20070517.xml | grep -v '\*' | awk -F '"' '{print $4}' > useragents.txt
Next, we set up our Intruder instance:
And import useragents.txt into Intruder and kick it off.
If any of the 'payloads' come back with anything different, it's definitely something to look into.
Cross-posted from Room362
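Seen from the server side, this technique shows up in the access log as one source presenting many different User-Agent strings against the same path within a short time, with the response varying for some of them. The Python below is an added example, not code from the original post or from Room362: it parses Apache/nginx combined-format log lines and flags that pattern, recording the set of response codes seen so an analyst can tell whether the application really does vary its output by user agent. The sample log lines, the RFC 5737 documentation addresses, the user-agent strings and the window/threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one source rotates through twelve user agents against
# /admin in a 12-second burst (only the first gets a 200), while a second source
# browses normally with a single user agent.
SAMPLE_UAS = [f"TestAgent/{i}.0 (constructed)" for i in range(12)]
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Aug/2010:12:00:{i:02d} +0000] "GET /admin HTTP/1.1" '
    f'{200 if i == 0 else 403} 512 "-" "{ua}"'
    for i, ua in enumerate(SAMPLE_UAS)
] + [
    '198.51.100.7 - - [10/Aug/2010:12:00:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (constructed)"',
    '198.51.100.7 - - [10/Aug/2010:12:00:09 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (constructed)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts[1] if len(parts) >= 2 else m.group("req"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_ua_bruteforce(lines, window_seconds=60, threshold=10):
    """Flag (ip, path) pairs presenting >= threshold distinct User-Agents inside a time window.

    Each alert carries the response codes seen in the window: a mix of codes is the
    signal that the application really does answer differently per user agent.
    """
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_key[(rec["ip"], rec["path"])].append(rec)

    alerts = []
    for (ip, path), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):  # sliding time window over the sorted requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["ua"] for r in window}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["distinct_ua"]):
                best = {
                    "ip": ip,
                    "path": path,
                    "distinct_ua": len(distinct),
                    "statuses": sorted({r["status"] for r in window}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_ua_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold is deliberately high: real browsers and some CDNs legitimately present two or three user agents from one address, but a dozen against one path in a minute is almost always a scanner or an Intruder run.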
Siemens Lessons: The Danger of Default Passwords
One of the first things security professionals recommend when you install new programs, systems or hardware is that you change the default password immediately.
And, if a system has been breached or is vulnerable to a potential breach, most security professionals recommend your Users change their passwords as a precaution.
Now, what if the password was hard-coded into the system and could not be changed without throwing all systems into chaos and disrupting or halting operations?
And what if the default password for your software had been shared in online forums since 2008?
That would never happen, right…?
Unfortunately this is exactly what has happened to Siemens and their SCADA software. SCADA (supervisory control and data acquisition) software is commonly used in utilities and has become a popular target for hackers of all types.
For example, the Stuxnet malware targets Siemens SCADA software: it searches for certain software and then uses the hard-coded password to log in to the access-control database.
Once this database is accessed the malware can steal information. Changing the passwords and blocking the malware’s attempts may create even bigger issues.
So, what are the lessons learned here?
1) Default passwords are and always will be a major vulnerability.
2) Passwords should not be hardcoded into a system.
3) Passwords should not be shared on online forums and if they are, the password should immediately be changed!
4) Changing passwords should not cause systems to stop working.
If you work in a utility or organization utilizing SCADA software…be aware and be prepared.
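The four lessons translate directly into a startup check. The Python below is an added example, not Siemens' software and not code from the original post: it contrasts a credential baked into the program with one read from the environment at connect time, and refuses to start when the value is missing or matches a known default, so that rotating the password is a configuration change rather than a rebuild. The variable name PLC_DB_PASSWORD and the default list are constructed placeholders, not any vendor's real values.

```python
import hmac
import os

# Constructed placeholder defaults for illustration; not any vendor's real credential.
KNOWN_DEFAULTS = ("admin", "password", "changeme", "default")


def is_known_default(candidate, defaults=KNOWN_DEFAULTS):
    """True if candidate equals any known default (constant-time comparison per entry)."""
    cand = candidate.encode()
    return any(hmac.compare_digest(cand, d.encode()) for d in defaults)


class HardCodedClient:
    """The anti-pattern the post describes: a credential baked into the program."""

    PASSWORD = "changeme"  # cannot be rotated without rebuilding and redeploying

    def credential(self):
        return self.PASSWORD


class RotatableClient:
    """Credential read from the environment at connect time, so it can be rotated without a code change."""

    def __init__(self, env=None, var="PLC_DB_PASSWORD"):
        self.env = os.environ if env is None else env
        self.var = var

    def credential(self):
        value = self.env.get(self.var)
        if not value:
            raise RuntimeError(f"{self.var} is not set; refusing to start with no credential")
        if is_known_default(value):
            raise RuntimeError(f"{self.var} is a known default; rotate it before starting")
        return value


def startup_check(client):
    """Return (ok, message) so a service can fail fast instead of running on a default."""
    try:
        cred = client.credential()
    except RuntimeError as exc:
        return False, str(exc)
    if is_known_default(cred):
        return False, "credential is a known default"
    return True, "credential accepted"


if __name__ == "__main__":
    print(startup_check(HardCodedClient()))
    print(startup_check(RotatableClient({"PLC_DB_PASSWORD": "correct horse battery staple"})))
```

Because RotatableClient re-reads the environment on every call, a new value takes effect at the next connection; that is the property lesson 4 asks for, and the one a hard-coded constant can never provide.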
Vendors: Can You Prove Your HIPAA Compliance?
I found this interesting article recently talking about the data breach involving Lincoln Medical Center, Siemens, and FedEx. (link below) The story is an excellent illustration of the new challenge for covered entities (CE).
If the recent rules proposed by HHS go through as expected, a CE is responsible for their business associates (BA), and the BAs and their subcontractors are required to be HIPAA HITECH compliant. Many of these BAs and sub-contractors who also become BAs have never heard of HIPAA HITECH.
HHS estimates 1 to 2 million new BAs will need to become compliant. HHS also states that if a BA agreement exists they expect the BA to be compliant with the terms of their agreements, now. No waiting periods, no grace periods, be compliant, now.
The next big challenge for both CEs and BAs is proving compliance. There is no third party with authority to certify or accredit for HIPAA HITECH. The BA needs to prove their compliance in order to get and keep their business relationships in healthcare.
The CE is required to only do business with compliant BAs. Our Compliance Meter™ fills the gap by displaying the current level of compliance in four areas: policies, procedures, forms, and tasks.
At a glance the CE can see whether the BA is compliant and if necessary drill down to view their policies, procedures, forms, and determine whether they have completed all of their assigned tasks. The Helper assigned to the account also provides oversight.
We can help BAs get compliant for as little as $125 and stay compliant for as little as $35 per month. This meets the "reasonable and appropriate" criterion specified by HHS.
Once they are compliant they can display the Compliance Meter™ or deploy it to their business partners. A simple, cost effective and efficient method of meeting HIPAA HITECH standards and being able to prove it.
Cross-posted from Compliance Helper
The H Week - Linux 2.6.35 approaches, GNOME 3 delayed
Social-engineering contest reveals secret BP info
Defcon: A hacker competition that challenges contestants to trick employees of large companies into divulging potentially sensitive information aims to show how human gullibility is the biggest security vulnerability of all. During its first day at the Defcon hacker contest in Las Vegas, it had clearly achieved its goal.…
MS preps emergency patch for Windows shortcut peril
Warning of an uptick in attacks, Microsoft plans to issue an emergency update to patch a critical Windows vulnerability that hackers are exploiting to seize control of PCs.…
Mandatory Disclosure: A Hazard for Infosec?
In the United States and other countries new legislation has been introduced, or will be introduced, regarding the mandatory disclosure of security breaches in which privacy sensitive information is involved.
Companies have to report such breaches to the government, and in case of large breaches, press reports are issued to inform the public.
Although this is in general a good development - we all want to reduce data breaches - one could wonder what the effects are for infosec professionals. Politicians hope that companies will increase their efforts to reduce breaches, to prevent financial damages and loss of reputation.
One could wonder whether all companies will choose this path.
Management teams prefer to reduce risk and cost. The legislation forces companies to disclose breaches, but does not force companies to find them. Given these circumstances, a possible option to reduce risk is to decrease the chance that security breaches will be found.
Will companies try to prevent incidents by increasing the workload for their security teams on other issues, such as compliance and management reporting, or by reducing the headcount of the team as pre-emptive damage control?
Will management teams reward or punish a security analyst when deciding on yearly bonuses, when that analyst tracked down a data leak which subsequently caused bad publicity and large financial damage to the company due to mandatory disclosure?
What should professionals do when an employer refuses to accept that an incident happened, or when they get instructions to ignore the mandatory disclosure regulations? Should you go public anyway, which will cost you your job, or should you follow orders? If you do, are you liable, or is the management team liable?
Although I fully support the intent of mandatory disclosure legislation, I think it can put people in complex positions. After all, companies hire infosec professionals to protect confidential information, and to prevent bad publicity and financial loss due to security breaches.
Governments expect these same people to breach confidentiality, by disclosing confidential information on security incidents, causing damage to the interests of their own employer?
Will the government assist in any way an infosec professional who gets into conflict with his employer because he followed the rule of law on these matters? Will the government prosecute them when they don't breach confidentiality because the company decides not to report the incident?
The Windows Support Scam
Recent articles published in the Guardian have revealed that fraudsters are continuing to cold call people, claiming to be a Windows support tech and getting the users to give them remote access to their PCs in the guise of helping them update their systems – as long as the user hands over £185.
This scam has actually been around for quite some time and whilst police may struggle to stop criminals from setting up business under a new name once they have been shut down, the potential victims can take control of the situation by putting the phone down.
It is, however, concerning that people are still willing to not only give a cold caller their card details, but also allow them remote access to their computers.
These people are taking huge risks with their personal data, not to mention the potential illegal content that could be installed whilst the machine is under someone else’s control.
It’s not clear where these criminals are getting their call lists from. Comments on a Guardian article reveal that the data could be leaking from other Indian call centres that call people for legitimate reasons.
What is clear is that the callers know what they are talking about.
They seem to be highly trained technicians and can therefore easily befuddle the less technical-minded computer user into granting unfettered access to their PC and handing over their card details for the privilege.
The easiest way to prevent becoming a victim of this scam is by knowing that you only allow someone you know and trust to have access to your computer, and by putting down that phone on all others.
Cross-posted from NetworkBox
Taking Back the DNS
Most new domain names are malicious.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.
Society's bottom feeders have always found ways to use public infrastructure to their own advantage, and the Internet has done what it always does which is to accelerate such misuse and enable it to scale in ways no one could have imagined just a few years ago. Just as organized crime has always required access to the world's money supply and banking system, so it is that organized e-crime now requires access to the Internet's resource allocation systems. They are using our own tools against us, while we're all competing to see which one of us can make our tools most useful.
My thinking when I created the first RBL (now called a DNSBL; mine was the MAPS RBL though and so that's how I still think of it) back in the mid/late 1990's, was that universal access between e-mail servers was a greater boon to the bad guys than to the good guys, and so I worked to create a way that cooperating good guys could make their mailers less accessible. While I didn't reach my objective of stopping spam, I did help establish the "my network, my rules" theory of limited cooperation for Internet resources. Simply put, it's up to every network owner to decide who they will or won't cooperate with, and the way to get your traffic accepted by others is to be polite and to spend some effort trying to avoid annoying folks or letting your customers annoy folks.
Here, in 2010, I've finally concluded that we have to do the same in DNS. I am just not comfortable having my own resources used against me simply because I have no way to differentiate my service levels based on my estimate of the reputation of a domain or a domain registrant. So, we at ISC have devised a technology called Response Policy Zones (DNS RPZ) that allows cooperating good guys to provide and consume reputation information about domain names. The subscribing agent in this case is a recursive DNS server, whereas in the original RBL it was an e-mail (SMTP) server. But, the basic idea is otherwise the same. If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider.
ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define "the spec" whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.
The first public announcement of DNS RPZ was at Black Hat on 29-July-2010 and then at Def Con on 30-July-2010.
The current draft of "the spec" is here. No backward-incompatible changes are expected, and both reputation providers and recursive DNS vendors are encouraged to consider developing products that use this format to express DNS reputations.
The current patches for BIND9 are shown below. We expect this functionality to be part of BIND 9.7.3, which is several months off. Customers of ISC's BIND support should contact ISC before applying these patches or any other patches to their production systems.
Comments and questions can be sent here. I'd especially like to hear from content providers who want to be listed by ISC as having reputation content available in this format, and also recursive DNS vendors whose platforms can subscribe to reputation feeds in this format. An online registry will follow.
We're about to enter a bold new world where the good guys do not automatically grant the use of their DNS resources to bad guys. I don't like the need for this but I'm finally pulling my head out of the sand. So, let's party.
Written by Paul Vixie, President, Internet Systems Consortium, Inc.
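As an added illustration of the policy lookup described above (this is not ISC's code and not the text of the draft spec), the Python below models how a recursive server consults a response policy zone: a constructed zone written in the CNAME conventions RPZ uses (CNAME to the root for NXDOMAIN, CNAME to "*." for NODATA, CNAME to rpz-passthru. for an exemption, any other record as local answer data), and a lookup that prefers an exact owner name over a wildcard and a closer wildcard over a farther one. The zone contents, the domain names and the simplified one-record-per-line format are assumptions; a real policy zone also carries SOA/NS records and TTLs and is loaded by the server's normal zone machinery.

```python
# Constructed example policy zone in a simplified presentation format:
# owner name, record type, record data, one trigger per line.
RPZ_ZONE_TEXT = """\
; constructed policy zone for illustration (not a reputation provider's feed)
bad.example      CNAME .              ; whole domain: answer NXDOMAIN
*.bad.example    CNAME .              ; ...and every name beneath it
ok.bad.example   CNAME rpz-passthru.  ; except this host, which resolves normally
tracker.example  CNAME *.             ; answer NODATA (name exists, no records)
sinkhole.example A     192.0.2.1      ; local data: steer clients to a walled garden
"""


def _normalize(name):
    """Lower-case and strip the trailing dot so lookups are case- and FQDN-insensitive."""
    return name.rstrip(".").lower()


def parse_zone(text):
    """Build {owner: (rtype, rdata)} from the simplified zone text, ignoring comments."""
    zone = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split()
        zone[_normalize(owner)] = (rtype.upper(), rdata)
    return zone


POLICY_ZONE = parse_zone(RPZ_ZONE_TEXT)


def match_trigger(qname, zone):
    """Return (owner, record) for the most specific QNAME trigger, or None.

    An exact owner wins over any wildcard; among wildcards, the one at the closest
    suffix wins (so a rule for *.bad.example also covers deep.evil.bad.example).
    """
    name = _normalize(qname)
    if name in zone:
        return name, zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return wildcard, zone[wildcard]
    return None


def policy_action(qname, zone=POLICY_ZONE):
    """Decide what the recursive server should do for qname under this policy zone."""
    hit = match_trigger(qname, zone)
    if hit is None:
        return ("RESOLVE", None)  # no rule: resolve normally
    owner, (rtype, rdata) = hit
    if rtype == "CNAME":
        if rdata == ".":
            return ("NXDOMAIN", owner)
        if rdata == "*.":
            return ("NODATA", owner)
        if rdata == "rpz-passthru.":
            return ("PASSTHRU", owner)
    return ("LOCAL", f"{rtype} {rdata}")


if __name__ == "__main__":
    for q in ("evil.bad.example", "ok.bad.example", "tracker.example",
              "sinkhole.example", "good.example"):
        print(q, "->", policy_action(q))
```

The passthru entry is the operationally important one: because exact names beat wildcards, an operator can blocklist a whole domain from a feed and still exempt the one host that a business process depends on, without editing the provider's data.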
Microsoft to release LNK patch on Monday
Doomsday Shelters
Futurologist defends 'malevolent dust' warning
A futurologist has defended his controversial warning that "smart dust" is liable to become a future information stealing threat.…
US at High Risk for Computer Attack
Article by Michael Gregg
With all the talk of the cyber security bill that wound its way through Congress, it is interesting to note the findings of the recent Federal Cyber Security Outlook for 2010 survey.
This poll found that 74 percent of respondents believe that a network attack on the government’s IT infrastructure is expected in the next year.
While there is much to debate with regard to these findings, I think we can agree that there is a need for greater network security in the government realm and in the private sector.
The real question is…where do we start?
With limited funds and budgets tight, every penny spent on IT security must be justified. One area where good returns can be gained despite limited funds is training and end-user awareness.
Many attacks are now targeting end-users. Web 2.0 sites and social sites such as Twitter and Facebook have become much bigger targets in the same way that email used to be (not that it isn’t a target anymore).
Here’s where training can reap big returns. Something as simple as a periodic email, newsletter, or a lunchtime event that occurs once a month can be used to inform users of these current threats and the types of attacks to be aware of.
This type of training can help users spot trends and techniques used by hackers, which can reduce the effectiveness of social engineering and phishing techniques. Like it or not, security has to become a much bigger part of everyone’s computing experience.
Much like most states require seatbelts while driving in automobiles, safe computing is going to require increased awareness.
Do you provide security training to your end-users?
Free White Papers:
Top 10 Skills in Demand in 2010
Top 10 Security Concerns for Cloud Computing
How Vulnerable Are Your Cisco IOS Routers
Global Knowledge is the worldwide leader in IT and business skills training. We deliver via training centers, private facilities, and the Internet, enabling our customers to choose when, where, and how they want to receive training programs and learning services.
Delegate hacks into Black Hat streaming video
Security shortcomings in Black Hat's newly established streaming media service allowed a security consultant to hack into the system and see presentations for free.…
DTIC and IATAC- Resources for the War on Cyber Terrorism
The Defense Technical Information Center (DTIC) serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business related information available today.
Originally developed in World War II as a resource on enemy technology, the DTIC has morphed into a valuable, if underutilized, tool for understanding the technology bases for enemy attacks.
Publicly Accessible Information
Authorized visitors can search DTIC's publicly accessible collections and read or download scientific and technical information, using DTIC Online service. DTIC also makes available sensitive and classified information to eligible users who register for DTIC services.
The DTIC consists of a large relational database coupled with convenient and powerful Information Analysis Centers (IACs) that manage issue-related searches and updates/maintenance to the database.
An Information Assurance/Cyber security Information Analysis Center (IATAC) is one of the more recent efforts and offers valuable information and tools for researchers.
Scientific and Technical Information Network - The Heart of DTIC
The Scientific and Technical Information Network (STINET) is a database that contains data and information for various defense-related research reports. The database raw material contains reports on topics ranging from science and engineering to Information Assurance/Cyber Security, from a large number of sources.
Users can research the latest cyber security technology, laws and standards, new products and a wealth of relevant, timely information.
There are various levels of access to STINET:
- The public database is available to the general public regarding unclassified documents with an unlimited distribution.
- A private database has a private URL that allows for searches to be made for unclassified material with limited distribution.
- The classified database contains Confidential and Secret documents, in addition to the unclassified material.
- Finally, there is a hard copy DVD that contains material only for unclassified, confidential, and secret documents.
All levels of STINET access contain material from the 1900s to present but potential users are security screened as part of the user qualification process.
Information Analysis Centers - The Front End for Researchers of Scientific and Technical Information (STI)
DTIC Information Analysis Centers, or IACs, are organizations that are chartered by the DoD and operated by DTIC with the mission of helping researchers and other interested parties.
IACs provide free answers to simple questions and projects, while also allowing their services to be utilized for extended projects and Technical Area Tasks (TATs).
The Information Assurance Technology Analysis Center (IATAC), an IAC that focuses on Cyber Security issues, provides the Department of Defense (DoD) and related agencies with existing, historic and emerging scientific and technical information (STI) to support Cyber Security/information assurance (IA) and defensive information operations.
This information includes technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems (IS), and information technology (IT) in the DOD and related agencies.
The STI products and services resulting from IATAC efforts are intended to increase the productivity of Cyber Security researchers, as well as other concerned Cyber Security participants.
This is accomplished through timely dissemination of authoritative, accurate, and high quality reports and answers to subject matter inquiries through the IATAC.
Under-utilization - A Marketing Issue
As valuable as the database and services are to the Cyber Security community, the DTIC is relatively unknown. As a result, the IATAC is a valuable if underutilized resource.
Although any party interested in the scientific or technical developments that underlie Cyber attacks or defenses can significantly benefit from the information developed, qualified and analyzed by DTIC and IATAC, awareness of the value of this asset is limited.
As an organization, DTIC can benefit from better promotion and modern marketing to the DOD and related agencies. But the task, given the size of the community, is daunting and will take significant effort in the coming years.
Hacking ATMs
A Twitter spam test, not an Apple iPhone 4 post ... #FF @richi
If you're anything like me, you're heartily sick of Twitter spammers. It's Friday, so might I crave your indulgence for a little experiment here in The Long View? (I promise: there's nothing here about the Apple iPhone 4.) The microblogging service seems to be plagued with thousands of bots, mindlessly tweeting gibberish. Any search for a popular term -- such as, ohhh I don't know, Apple iPhone 4 -- seems to throw up a huge, steaming pile of automated tweets from an army of fake Twitter users. But what's really going on here?
Cyber Security Challenge winner announced
The UK's Cyber Security Challenge has announced the winner of its prologue crypto puzzle, as well as the solution - for anyone still struggling to find an answer.…
