The Rugged Software Manifesto Posted by boss on Wednesday, 10 February 2010 @ 08:43:31 EST (143 reads) Topic CISSP OSG INFO
cdupuis writes "The three authors of the manifesto are Josh Corman, an analyst with The 451 Group; David Rice, formerly with the National Security Agency and author of Geekonomics, a book about the real cost of insecure software; and Jeff Williams, the chairman of OWASP, an organization focused on Web application security. The trio announced the project at the SANS Institute AppSec Conference in San Francisco Monday.
The Rugged Software Manifesto
- I am rugged... and more importantly, my code is rugged.
- I recognize that software has become a foundation of our modern world.
- I recognize the awesome responsibility that comes with this foundational role.
- I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
- I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
- I recognize these things - and I choose to be rugged.
- I am rugged because I refuse to be a source of vulnerability or weakness.
- I am rugged because I assure my code will support its mission.
- I am rugged because my code can face these challenges and persist in spite of them.
- I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Official Announcement Document - 
If you want Rugged Software, join us and help define the principles, and technologies that will help others become Rugged too. Our first project is to define how people and organizations can know if they are Rugged.
Visit their website at: http://www.ruggedsoftware.org/ "
Stupid rebates for Stupid Clients Posted by boss on Tuesday, 09 February 2010 @ 10:17:22 EST (174 reads) Topic CISSP OSG INFO
cdupuis writes "Rebates, Rebates, and Rebates.
Are they all great and fantastic for you as a customer? Not always for sure. I have received another one in my mailbox today and as I was reading it I asked myself: Do they really think that people are that stupid?
When I see advertising where they offer a FREE laptop, a free Kindle, a rebate of $500 to the person you refer, or a gift card for referral I am always asking myself how they can offer such freebies? Then my brain comes to its senses and the response is: THERE ARE NO FREEBIES -- YOU ARE PAYING FOR IT YOURSELF
You the customer have to pay for those freebies. If you look at the price of the classes associated with those freebies you will quickly realize that many vendors think that you are stupid and you cannot add 1 + 1. They are simply overcharging you and then they give you a gift to make it look OK.
If I overcharge you for my classes then I can offer freebies as well. However, I think this would be against my ethics. A company should simply give the best price they can while delivering quality training. If the only reason people attend such class is to get a freebie instead of getting great content and outstanding skills and knowledge it means your class does not have much to offer in the first place.
When classes are overpriced, you are the person who pays for those freebies, that's for sure. Do look at the price before the freebie is offered; the price is so outrageous that they can offer freebies and still charge you more and make more money than most vendors out there. You will quickly notice that there is no free lunch, you are the one that is paying for the freebie because the class price is way too high in the first place. There is no SPECIAL at all.
At Security University we currently have a two for one offer. Our normal class price is already heavily discounted, but if you come to the same class with one of your colleagues you can split the cost of the class in two. This gives you an amazing class for a very low price. Do check it out, you will see that we do not use complicated schemes, we like to keep things easy and straightforward. Simply come with a friend or a colleague and you pay half of the normal price, which is already lower than most vendors out there. Check it out and you will not be disappointed. This is about $1300 per person, which is a great deal considering that our faculty has only Security Instructors that are well known and that have dozens of years of experience on average. We don't hire people who read slides to you. We hire the best and only the best. If you are really fond of having a freebie, we can sell the class to you at $2695 and give you a Kindle or a $100 gift card. :-(
At Security University we also believe in being a responsible community player. Over the next three CISSP classes we will deliver, we have 16 students who had paid for classes with Vigilar Intense School but whose money was lost due to the closing of Vigilar Intense School. We have offered free seats to those students to help them offset the losses they have suffered. This is what responsible organizations do to help the community. Ask the freebie givers out there how many seats they have given away for free.
In closing, I just want to say: Do not be stupid and don't get lured into freebies that you pay for yourself. Who cares about a Kindle that costs you three times the price when you look at the price of the class compared with what others are charging. Get your money's worth, train more people, use your training budget adequately. This is what this is all about. Not about overpriced classes with so called freebies.
Best regards to all
Clement Dupuis, Senior Security Instructor and Evangelist at Security University (Very tired of vendors who think we are all stupid and hope we will fall prey to stupid rebates) "
New logo for the CCCure Family of Portals Posted by boss on Friday, 29 January 2010 @ 23:15:05 EST (180 reads) Topic CISSP OSG INFO
cdupuis writes "Today I am happy to present our new logo:

Our new logo represents very well the mission of CCCure and its family of portals.
It shows that our mission is Education, Information System Security, helping people worldwide.
Every month we have people from more than 125 countries that are making use of our portals. That's over 100,000 unique visitors overall. We are proud today to show our new identity, the next time you see it you will know it is not a clone, a rogue, or a fake. It is the real thing.
Thanks to all who supported us over the past ten years.
Best regards
Clement, Nathalie, and Alain Site Owners and Maintainers
"
CPE = CONTINUOUS PAYMENT EXPECTED Posted by boss on Thursday, 21 January 2010 @ 20:45:21 EST (360 reads) Topic CISSP OSG INFO
cdupuis writes "NOTE FROM CLEMENT:
CompTIA has joined the ranks of certification bodies that will require CPEs to keep our A+, Network+, and Security+ certifications current, as well as imposing an expiry date or renewal cycle every 3 years like other certification bodies are doing.
If the whole CPE thing was done properly it would be great. However, in most cases this is used as a way of making more money by offering seminars and other cheesy training to earn CPEs. When will people get serious about providing skills and knowledge as a priority?
See the announcement below from CompTIA:
CompTIA Certification Renewal Policy
CompTIA A+, CompTIA Network+ or CompTIA Security+ certifications are now valid for three years from the date the candidate is certified. The change brings the CompTIA certifications in line with the practice of other major providers of certifications for IT professionals, such as Cisco, Microsoft and Oracle.
The renewal policy also is required for these three certifications to maintain their accreditation and compliance with internationally accepted standards for assessing personnel certification programs (ANSI/ISO/IEC 17024). CompTIA A+, CompTIA Network+ and CompTIA Security+ certifications earned the ISO 17024 accreditation from the International Organization for Standardization (ISO) in 2008. ISO requires that individuals have a way to renew the currency of their certification on a regular basis. In CompTIA’s case, renewal will occur every three years.
The new certification renewal policy is applicable to all individuals who hold CompTIA A+, CompTIA Network+ or CompTIA Security+ certifications, regardless of the date they were certified. Other CompTIA certifications are not affected at this time.
Beginning January 1, 2010, a “Valid Through” date appears on all certificates and certificate holder ID cards for individuals who earn CompTIA A+, CompTIA Network+ or CompTIA Security+. The date is three years from the date of certification.
Certification renewal will ensure that individuals have the most up-to-date skills and knowledge to deal with the fast-changing IT environment. In conjunction, CompTIA is introducing a continuing education program for individuals with multiple ways to earn continuing education credits to maintain their active certifications.
Among activities that will qualify for continuing education credits are passing a “bridge” exam or the most current exam for their CompTIA certification; teaching, lecturing or presenting on relevant industry topics; participating in non-degree courses or computer-based training; attending relevant industry conferences and events; participating in a CompTIA exam development workshop; publishing articles, whitepapers, blogs or books on relevant topics; obtaining other industry certifications; or completing industry-related college courses from degree-granting institutions. Enrollment in the certification renewal program is expected to be available in mid-2010. "
Info for students that lost money due to Vigilar Intense School closing doors Posted by boss on Thursday, 14 January 2010 @ 18:26:37 EST (305 reads) Topic CISSP OSG INFO
cdupuis writes "Hi Everyone, Today is an exceptionally great day for your clients and students that paid Intense School pre-paid fees for classes. I have contacted SCHEV (State Council of Higher Education for Virginia) in VA - the licensing board in the State of VA and they said students can get a portion of their money refunded. Linda Woodley is the SCHEV Director and has confirmed Intense School class fees may be refunded to the students. Below is Linda Woodley's contact information to send/email about refunding class fees. Intense School told SCHEV no student was going to lose class fees from Intense School closing. She has been advised differently. You're all welcome to contact Linda and I hope this helps. Pls let me know how Security University can assist you. You have my contact info below. Good luck with working with Linda as she really knows her stuff. ttys SJS:)
Linda H. Woodley, M.Ed.
Director, Private & Out-of-State Postsecondary Education
State Council of Higher Education for Virginia
James Monroe Building, 101 N. 14th Street, 9th Floor, Richmond, VA 23219
Office phone: 804-371-2938 Fax phone: 804-786-2027 or 804-225-2604 E-mail: lindawoodley@schev.edu Website: www.schev.edu
This information was provided by Sondra at Security University. Sondra has been a sponsor of CCCure for a long time and this is where you can get CISSP classes delivered by Clement Dupuis the owner of the CCCure Family of Portals. See Sondra's contact info below. Give her a call to book a seat on one of the many top notch qualified security classes or the world's best CISSP class.
-- Qualified Training for Qualified Results!
Sondra J. Schneider
Founder & CEO, Security University
109 Weed Ave, Stamford CT 06902
work 203.357.7744 cell 203.249.8364
www.securityuniversity.net "
Information Security Management Maturity Model (ISM3) update Posted by boss on Thursday, 02 April 2009 @ 18:16:13 EDT (1388 reads) Topic CISSP OSG INFO
cdupuis writes "Forwarded from:
STANDARD FOR INFORMATION SECURITY MANAGEMENT UPDATED
April the 2nd 2009, Madrid
Following a series of important updates to the Information Security Management Maturity Model, the ISM3 Consortium, with members from the US, Spain, India and Colombia, today announced the worldwide launch of version 2.3 of this advanced information security management standard.
Today, the ISM3 Consortium published the print version of Information Security Management Maturity Model (ISM3) v2.3. The method has been updated with security management metrics proven in the field, and a new approach that defines security maturity objectively as a direct result of the metrics used to manage information security processes.
ISM3 focuses on “Achievable Security” rather than “Absolute Security”. Achievable security is a trade-off between absolute security and business requirements. The traditional view that “Information Security should prevent all attacks” is not realistic for most organizations.
ISM3 achieves its balance by mapping an organization’s business objectives (such as product delivery and profitability) directly against security objectives (such as ensuring data access only to authorized users).
ISM3 builds on successful principles from the field of quality management (Six Sigma, ISO9001), and applies these ideas to the field of information security, providing an opportunity for organizations of all types and sizes to enhance their ISM systems and align them with their business needs. Implementations of ISM3 are compatible with ISO27001, which establishes control objectives for each process.
Implementations use a management responsibilities framework similar to the IT Governance Institute's CobIT framework model, which describes best practices in the parent field of IT service management. ITIL users can use the ISM3 process orientation to seamlessly strengthen ITIL security processes. Using ISM3 style metrics, objectives, and targets it is possible to create measurable Service Level Agreements for outsourced security processes.
The significant features of ISM3 are:
* Metrics for Information Security – “What you can’t measure, you can’t manage, and what you can’t manage, you can’t improve” – ISM3 v2.3 is probably the first information security standard to make information security a measurable process by using metrics for every process. This allows continuous improvement, as the standard defines criteria to measure efficiency and performance.
* Capability Levels – ISM3 is the first standard that defines capability in terms of metrics, a leap that makes ISM3 orientation to continuous improvement unique.
* Maturity Levels – ISM3 comes in five different sizes, or maturity levels. This makes it suitable for a wide range of organizations, from the very large to the very small. Each maturity level is tailored to the security objectives of the target organization.
* Process Based – ISM3 v2.3 is process based, which makes it specially suited to organizations familiar with ISO9001 and those that use ITIL as the IT management model. It also works well for outsourced services as it provides a common language for collaboration between information security clients and providers.
* Adopts best practices – implementation of ISM3 is facilitated by its extensive cross-references to other established standards. The IT governance model reflects best practices by clearly distributing responsibility for information security processes between strategic, tactical and operational levels of management.
* Accreditation – ISM systems based on ISM3 can be certified under ISO9001 or ISO27001 systems, and ISM3 can be used as a tool to implement an ISO27001 ISM system. This should increase its attractiveness to organizations that already hold quality certification or have experience with ISO9001.
About the ISM3 Consortium
The ISM3 Consortium represents the ISM3 business community. The Consortium develops ISM3 and promotes and protects the ISM3 brand.
Learn more about the Consortium at http://tinyurl.com/ism3consortium
Learn more about ISM3 at http://tinyurl.com/ism3about
Steven McElwee on ISM3 at http://tinyurl.com/ism3others
Purchase the method from http://tinyurl.com/ism3v23
###
Media Contact
ISM3 Consortium
Vicente Aceituno
C. Olimpico Francisco Fernández Ochoa 9, 28923 Alcorcón, Madrid, Spain
0034696470328 - Available 8-5 Monday to Friday, Western European Time
consortium (at) ism3.com
www.ism3.com "
(IN)SECURE magazine issue 18 has been released Posted by boss on Friday, 26 September 2008 @ 00:56:49 EDT (1160 reads) Topic CISSP OSG INFO
cdupuis writes "(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. Issue 18 has just been released. Download it from: http://www.insecuremag.com
The covered topics include:
- Security standpoint by Sandro Gauci: Closing a can of worms
- Network and information security in Europe today
- Browser security: bolt it on, then build it in
- Passive network security analysis with NetworkMiner
- Lynis - an introduction to UNIX system auditing
- Windows driver vulnerabilities: the METHOD_NEITHER odyssey
- Removing software armoring from executables
- Insecurities in privacy protection software
- A proactive approach to data breaches
- Compliance does not equal security but it's a good start
- Secure web application development
- Avoiding a "keys to the kingdom" attack without compromising security
- The insider threat
- Web application security: risky business?
- Enterprise application security: how to balance the use of code reviews and web application firewalls for PCI compliance
Visit the (IN)SECURE Magazine web site at: http://www.insecuremag.com
Subscribe to our RSS feed at: http://feeds.feedburner.com/insecuremagazine
Contact:
- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing (at) insecuremag.com "
OSG NEWS: The CCCure Family of Portals Usage Agreement Posted by boss on Saturday, 30 August 2008 @ 20:11:06 EDT (1148 reads) Topic CISSP OSG INFO
cdupuis writes "IMPORTANT: USAGE AGREEMENT PLEASE DO READ BEFORE JOINING
The CCCure Family of Portals is offering free security education resources, forums, links, study guides, and a lot more to help you expand your knowledge and skills, further your career, discuss with others who have the same goals as you do, and of course help you reach your certification goals.
As an anonymous user on our web sites you have very limited access. Registration will give you lots of extra benefits and also allow you to access content such as our huge download section, our study guides, our quiz engine, our tutorials, our exam crams, our web links, and participation within our forums to name only a few of the benefits you will get.
Leechers are definitely NOT welcome
In computing and specifically on this portal, being a leech or leecher refers to the practice of benefiting, usually deliberately, from others' information or effort but not offering anything in return, or only token offerings in an attempt to avoid being called a leech. Do take the time to contribute articles, PowerPoint slide shows, study guides, videos, quiz questions, news, downloads, links, forum postings, etc... If worst comes to worst and you do not have any free time to contribute, a donation is always appreciated as our operational expenses need to be paid on a monthly basis and money allows us to hire people to review and develop new content for you, the visitors.
Usage Agreement (Please read, if you do not agree, do not join)
By registering on this web site you give implicit permission and you authorize CCCure to send you advertising messages from our sponsors. The messages sent are for products or services that are security oriented. We will NOT send messages about male enhancement products or other types of get rich/bigger scams or similar products and services. The messages from our sponsors are sent only a few times a month and your email address is NEVER given or resold to anyone else. We will pass the message on behalf of our sponsors but they never get access to your email address.
The web site is self supported strictly through donations and advertising from our sponsors
Advertisement and distribution of our sponsors messages through our mailing list is needed for our survival. Donations alone are totally ineffective and our yearly donations are very very minimal at this point. The totality of our donations usually pays for about 2 to 3 months of hosting and this is all. We must completely rely on our sponsors to survive. This is why we have such a policy above in place. The final benefit to you the members and visitors of the web site is always: FREE ACCESS
Forcing registration also ensures that we minimize the amount of junk that unscrupulous users attempt to post within our message area, comments areas, web links, download areas, forums, or any other place where they can post their unsolicited and unwanted messages. The greatest benefit of all is the fact that registration helps us in maintaining the quality of the content overall.
Once you are registered and logged in, you will no longer see this message and new menus and options will be available to you as a registered member.
If you do not agree with the policy above, please do not register. By registering you implicitly consent to our usage policy as stated above.
I wish you all best of luck in your studies!
Best regards
Clement, Nathalie, and Alain Site Maintainers "
Our latest site administrator, meet my brother Alain: Posted by boss on Thursday, 28 August 2008 @ 11:32:32 EDT (1142 reads) Topic CISSP OSG INFO
cdupuis writes "As you have experienced yourselves, all of our portals have been growing at frantic speed.
I was totally overwhelmed by the massive amount of emails and maintenance tasks that Nathalie and I had to cater to on a daily basis. I have asked my brother to get out of retirement (nice of me) to help me with the maintenance of our portals. He agreed and I was very happy he did. Below you have a short biography of my brother Alain, who also believes in sharing and giving back to the community:
My brother Alain has recently retired from the Canadian Navy after more than 34 years of Service. During his career, he has worked primarily in the information technology field as an electronic technician, computer and communications technologist, combat system engineer, and software analyst. He has held various positions such as Chief Technical Officer in charge of maintaining a mainframe computer centre and Quality Assurance Officer during the construction of the Canadian Patrol Frigates. For his last 7 years of Service in the Navy, he has worked as a programmer and software analyst for the Combat System software used on the Canadian Frigates. He has specialized in large-scale, multi-million dollar software projects.
For the past 20 years, he has assisted his wife, Lynette, in her activities with the Block Parent Program in Ottawa, Victoria, and Halifax. His family received their first Block Parent window sign in Gloucester, Ontario. In 2002, the BPLink project asked Alain to join their team as a technical advisor. Because of his technical background, Alain was well suited for the job. Shortly after, he accepted the position of Project Manager on a voluntary basis, a job that he still performs today.
We are extremely glad to have Alain onboard and it will help GREATLY to maintain proper quality of service and prompt response to your queries.
Thanks Bro!
Clement "
Why Leaders Should Care About Security (podcast) Posted by boss on Friday, 08 August 2008 @ 11:07:36 EDT (1276 reads) Topic CISSP OSG INFO
cdupuis writes "NOTE FROM CLEMENT:
The message below was posted by my friend Dan Swanson on his mailing list. If you wish to subscribe simply click on the subscribe link: Subscribe
Under the URL http://www.cert.org/podcast/ you will find a large collection of podcasts that are extremely interesting. Do take a look and start racking up some CPEs. All of this is available for FREE, that's the price I wish to pay for my CPEs.
Here is the message:
This podcast is intended to motivate leaders to pay attention to enterprise and information security, and the risks of not doing so. It introduces two landmark examples of organizations that did not treat adequate security as a high priority. It places security in a governance context and introduces how security can be viewed as a competitive advantage.
It discusses creating a culture of security, demonstrating duty of care, and determining who is ultimately responsible for security. It provides some next steps for taking action.
http://www.cert.org/podcast/show/leaders.html
Enjoy
Dan
"
Randy Pausch, Known for his "Last Lecture," Dies Posted by boss on Friday, 25 July 2008 @ 21:41:24 EDT (1406 reads) Topic CISSP OSG INFO
cdupuis writes "
NOTE FROM CLEMENT: I usually do not write articles that are off topic. But his story and the presentation of Mr. Pausch have really touched me in a very special way. His presentation was so full of truth about our values and life that I listened to it a few times. If you have NOT listened to it, I would recommend very strongly that you do so. The lecture is at: http://www.youtube.com/watch?v=ji5_MqicxSo
BELOW YOU HAVE THE SAD NEWS THAT HE PASSED AWAY:
Top News July 25, 2008, 1:30PM EST
Randy Pausch, Known for his "Last Lecture," Dies
Randy Pausch's final talk at Carnegie Mellon, in which he celebrates having fulfilled his childhood dreams, was an international sensation
By RAMIT PLUSHNICK-MASTI, Associated Press Writer
PITTSBURGH (AP) - Randy Pausch, the Carnegie Mellon University computer scientist whose "last lecture" about facing terminal cancer became an Internet sensation and the basis of a best-selling book, died Friday. He was 47. Pausch died at his home in Chesapeake, Va., said Jeffrey Zaslow, a Wall Street Journal writer who co-wrote Pausch's book. Pausch and his family had moved there last fall to be closer to his wife's relatives. Pausch was diagnosed with incurable pancreatic cancer in September 2006. His popular last lecture at Carnegie Mellon in September 2007 garnered international attention and was viewed by millions on the Internet. In it, Pausch celebrated living the life he had always dreamed of instead of concentrating on his impending death.
See full article at: http://www.businessweek.com/print/bwdaily/dnflash/content/jul2008/db20080725_243087.htm "
Problem with access to the Quiz Engine Posted by boss on Thursday, 26 June 2008 @ 12:01:42 EDT (976 reads) Topic CISSP OSG INFO
cdupuis writes "Good day to all,
We are very sorry for the problems you had accessing the Quiz Engine.
There was a DNS issue that prevented people from accessing the quiz using the URL.
This should resolve itself over the next 24 hours as the DNS records are being updated.
In the meantime you can use:
http://207.45.179.106/~freeprac/quiz/home.php
The URL above will take you directly to the quiz engine.
Thanks to all for your patience
Clement and Nathalie "
Biometric Systems study Information produced by Shon Harris Posted by boss on Tuesday, 17 June 2008 @ 22:35:33 EDT (955 reads) Topic CISSP OSG INFO
The BIG and FAT IT employee Posted by boss on Saturday, 24 May 2008 @ 18:14:44 EDT (1112 reads) Topic CISSP OSG INFO
cdupuis writes "NOTE FROM CLEMENT:
Interesting article on health issues of IT workers. I can certainly relate to this one as I have been putting on pounds over the past few years. We surely have a nice recipe for disaster in our jobs: we do not eat very well, we have stress, and we have a very sedentary employment. We have to discipline ourselves into eating better, moving more, and eating less generous portions. See some statistics below:
Friday, May 16, 2008 12:02 PM/EST
IT Workers Weigh In on Health Habits
Feeling a little, shall we say, sluggish lately? You might be among the vast ranks of IT workers who have put on some extra heft while sitting at their desks.
A study by CareerBuilder.com found that half of U.S. IT workers have gained weight at their current jobs.
The study, which polled nearly 7,700 participants from Feb. 11 through March 13, found that 34 percent of IT workers report they have gained more than 10 pounds in their current positions. Even more alarming, 17 percent say they have put on more than 20 pounds!
Who knew managed services could be hazardous to your health? While the study doesn't specify anything about workers monitoring customer systems remotely, come on, you've got to admit that keeping an eye on a customer's systems from miles away by staring at computer screens surely produces far less sweat than even the minimal amount of walking to and from the truck a technician drives to a customer site for troubleshooting.
But let's not get crazy. The channel shouldn't turn its back on managed services just because that back is getting a few inches wider.
Perhaps a little more exercise during the day will do the trick, or taking better stock of what you eat. That is, if the extra weight bothers you. Hey, some people might enjoy the extra girth - who knows?
Another option for shedding some weight might be to take American Soda Machines up on its high-tech-themed soda vending machines offer. You could stock the machines only with diet drinks, or even better, water.
American Soda Machines promises that its machines offer a "fun, offbeat way to keep beverages cold, no matter the alcohol content." The company takes old machines and restores them. Restorations are customized, so if your company wants to put its logo or slogan on it, American Soda Machines will gladly oblige. For a fee, of course.
Granted, the high-tech industry's weight problem isn't going to be solved entirely by stocking customized soda vending machines. But it's a start. Think of all the calories you'll burn trying to tip the damn thing over once it takes your coins and refuses to spit out your drink.
Not to cast any aspersions on America Soda Machines' abilities, of course, but sooner or later every vending machine will steal your coins. It's a rule of some kind.
Then again, don't take advice from me on any of this. It turns out that 11 percent of IT workers buy their lunch from what CareerBuilder called "a notoriously unhealthy vending machine at least once a week."
But, hey, no matter the culprits, IT workers can take heart in another CareerBuilder finding: They are less chubby than financial services and government workers. Fifty-three percent of financial workers said they have gained weight at their current jobs, while the number for government workers is 52 percent.
For more on IT careers, click here. "
SecurAnchor Newsletter by Eric Cole Posted by boss on Friday, 02 May 2008 @ 11:20:23 EDT (1495 reads) Topic CISSP OSG INFO
cdupuis writes "
April 2008, Vol 4, Issue 3
Security in the News - Your source for up to date security headlines
Joe Stewart, director of malware research at SecureWorks, Inc., presented the results of his research into the size of botnets at the RSA conference, and asserted that botnets control over one million compromised computers and are able to generate more than 100 billion spam messages every day.
According to Mr. Stewart, the botnet controlling the most machines is Srizbi. This botnet is also known as Cbeplay and Exchanger, and has the capability of using its 315,000 controlled machines to generate 60 billion spam emails per day.
The Kraken worm's botnet is actually the Bobax botnet, and the Storm worm has been marginalized by its addition to Microsoft's Malicious Software Removal Tool hit list, knocking it down to number five on the list.
Bobax appears to be the number two botnet, controlling 185,000 machines. It can send 9 billion spam emails per day. Damballa has been making news claiming that Bobax is Kraken, or Kracken, and Damballa claims it controls 400,000 computers. However, Mr. Stewart said that Bobax goes by the name Kraken, as well as Bobic, Oderoor, Cotmonger and Hacktool.Spammer.
Mr. Stewart has developed a technique to generate an SMTP fingerprint for the various botnets, leading to more accurate identification and counts of botnet-controlled machines. SecureWorks also sampled the amount of spam that was observed as generated by various botnet-controlled machines and used probabilistic methods to extrapolate and determine how many spam emails the various botnets could generate.
Part of Mr. Stewart's aim was to help the little guy. As he explained, "I think it matters a lot to end users what a botnet's called. They go to look for information, perhaps after they've been infected, and all they have is that it's 'Agent XYZ.'" However, if there are various incompatible naming conventions, then it might be a worm with a new alias. "Then they'd find hardly any information on what it is or what data it may be after. I hope this trickles down to end users."
Anti-Tibetan Supporter Trojan Infects Pro-Tibetan Sites
Users who browse pro-Tibet sites can be infected with the Fribet Trojan. The best guess is that the Trojan is using a VML flaw (MS07-004) which Microsoft released a patch for last year. Unpatched systems visiting these sites can be subjected to an attack that creates a backdoor on the victimized systems.
The Trojan loads a 'SQL Native Client' ODBC library and executes SQL statements sent by command and control servers. This allows the attackers to gather data or modify databases the victims' machines are connected to with the appropriate logins and permissions. The monitoring feature of the Trojan allows the interception of passwords so the attackers will be able to log in to the databases.
Shinsuke Honjo and Geok Meng Ong, researchers for McAfee, wrote that, "This Trojan apparently can be used as an alternate to SQL injection attacks, but in a more direct way. Even the administrators of secure Web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."
CAPTCHA Broken by Botnets
The Windows Live CAPTCHA system used for Hotmail and the equivalent system at Gmail have been compromised by botnets which can crack the system. CAPTCHA was designed to stop spammers from opening Hotmail and Gmail accounts. These systems display distorted characters and are supposed to force a human to read, recognize and type the characters, thus preventing the automated creation of email accounts.
CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.
Spammers like Gmail accounts because they are free and not likely to be blacklisted. Now that the spammers own these types of free accounts, more spam is coming from those free providers' email accounts. Anti-spam services then attempt to slow down the flow of spam from those compromised accounts.
MessageLabs' Paul Wood said, "We're seeing more spam coming from Gmail and Yahoo. Where a service is widely abused its reputation goes down and it's held back in the queue. This happens automatically. These traffic management controls are not designed to block messages, they are intended only to slow down their transit. For messages that are subsequently blocked there should be a reason given in the non-delivery report."
February 2008's spam report indicated that 4.6 percent of spam is sent from Web-based mail services. The Gmail-originated spam doubled from January to February to 2.6 percent. Yahoo was the worst of the Web-based mail services, accounting for 88.7 percent of Web-based spam.
Meanwhile, in India, the spam rajas who do not have the good CAPTCHA-cracking bots employ sweatshop labor for $4 per day to establish Web-based email accounts.
The GAO report stated that, "GAO found numerous defense-related items for sale to the highest bidder on eBay and Craigslist. A review of policies and procedures for these Web sites determined that there are few safeguards to prevent the sale of sensitive and stolen defense-related items using the sites."
The GAO investigators clicked around from January 2007 through March 2008, and came up with two F-14 components (from two vendors), night-vision goggles with the friendly force identifying 'component,' body armor and an Army combat uniform.
Continuing, the GAO report made the point that bad guys getting hold of this stuff could reverse engineer it to come up with countermeasures.
This GAO report, which the GAO characterized as not comprehensive in any way, did not address whether export controls would keep bad guys from getting the stuff, nor did it look at the failed property management practices which have made stuff available in the past.
Instead, we have the CEO of Craigslist called before Congress to explain what Craigslist is. Jim Buckmaster explained that the GAO report was mistaken when it called Craigslist "a global marketplace with international reach" and that instead Craigslist was a collection of separate local marketplaces. He also explained that users are discouraged from engaging in sales which require shipping.
Nine Years for $1.4M Fraud
To continue the theme of fraud and misrepresentation, the following comparison is offered. A Colombian man has been sentenced to nine years for computer fraud. This fraud (if unchecked) could have potentially affected more than 600 people and involved the staggering (attempted and actual) sum of 1.4 million dollars.
To refresh our memories, the contractor who sabotaged the Sixth Fleet navigation computers, which affected more than one submarine and put at risk the crews of every sub in the Sixth Fleet, received one year. To even look at the dollar value associated with the submarines is the wrong thing to do, but instead one must think about the potential loss of life associated with the possibility of a sub colliding with another sub or an undersea hazard.
When Simbaqueba Bonilla was seized by federal agents, the laptop he was carrying had the names and passwords of more than 600 people, as well as other personal and financial information about those people.
Single Photon Gate Realized
Quantum computing at the single photon level is closer to reality with the physicists at Bristol University in the United Kingdom creating an optical "controlled-NOT" gate on a silicon chip which can act on an individual photon. According to a press release from the university, this is "the building block of a quantum computer."
A quantum bit is called a "qubit" and the new gate, which processes the photon, or qubit, can now be realized on a single chip, whereas previously the gate occupied several square meters of space on an optical bench.
Mark Anderson, an influential voice in the technology community, wrote in his Strategic News Service newsletter that, "For those who believe that quantum computing is the next big breakthrough in the computing world, and who see the logic gate as a critical component, this is a critical step forward."
Professor Jeremy O'Brien, the lead researcher on the project, said that the chip "is a crucial step towards a future optical quantum computer, as well as other quantum technologies based on photons." One of Professor O'Brien's, Alberto Politi, also explained that it was the problem of scaling that this chip solved. Previously, the photons had to propagate through the air and required large optical elements. The new chip starts to solve these problems.
The chip has also enabled the researchers to observe quantum entanglement, an interaction of two particles in such a way that the state of an individual interacting particle cannot be defined, but the collective state of the interacting particles can be.
What is most important about this development, and which seems to have been left out of the discussion in the press, is the phenomenon associated with theoretical quantum computing, which is that the foundations of modern cryptography will be rendered obsolete. Symmetric key cryptography is a probabilistic exercise, and a quantum computer can try all of the possible keys to any encrypted message simultaneously. Presumably, then, the discrete log problem and the problem of factoring large numbers will also be solved, and therefore public key cryptography will also be useless for keeping any secrets.
Search Engine Optimization
Some individuals have employed questionable tactics to get the Web sites with which they are associated listed higher in the rankings for various search terms. Individuals who conduct these activities maintain that they are not breaking the law, and are only violating terms of service agreements. Search engine optimization has been going on since the advent of the meta tag, and as the search engines have come up with new ideas about relevance and what makes a Web site appear higher in the rankings for various search terms and phrases, optimizers have experimented, intuited, and even quit search engine companies to go into private practice, all in the name of getting those who pay, higher rankings. Those of us who believed in the Web as a level playing field and some concept of fairness have felt victimized by these tactics.
Now, apparently, so too have the search engine providers themselves. The search engine optimizers (SEOs) had been finding the holes in the ranking algorithms and exploiting them. Google, around 18 months ago, started to penalize sites it thought were gaming the system, and then started blacklisting the offending sites. Critics of the tactic said that Google would delist sites without any warning.
Jeremy Schoemaker, the marketer known as Shoemoney, said that, "When people are ranking for a phrase and supporting their family, and then the next day they're off the map, that's really vicious. You can literally ruin someone's life."
One of the more cautious members of the SEO community, Eric Ward, who had been derided in the community for his by-the-book play, warned that black hat optimization was a dead end.
One of the ways that a site was deemed to be relevant was by how many other sites linked to it. In those days, SEOs built link farms - sites which were nothing but links to the sites which were hoped to get boosted in the ratings, and to each other, so that their rankings would help the end site in the rankings. The spiders crawled the links and added things up; the SEOs knew what to do.
When the search engines got wise to this technique and others like it, the SEO community started to polarize - with some working within the guidelines and others going to more extreme and shady tactics. And then sites which were infected with malware, sometimes through no fault of their own, were also penalized by the search engines.
RSnake is an individual with some experience with Web advertising, SEO work, and runs ha.ckers.org. He said that Google is making assumptions which are erroneous in their administration of search result rankings. RSnake said, "Google can shut you down at any time. But there are all kinds of weird things that could happen to you, upstream problems, a proxy goes bad, someone takes over your site, and there's no way for you to explain that it might not be your fault. They're making false assumptions about how the Internet works, which is that the owner of the IP address is always in control of what happens through that IP address."
Variations on the theme are rampant. Innocent sites are hacked to put links in the same color as the background on the site. Other tactics are cookie stuffing and attacks on high traffic blogs. MySpace and other social networking sites are used for the same linking purposes. And the value of search is lessened.
Our mission is to keep your business focused by helping you navigate the sea of security threats you face on a daily basis. Secure Anchor provides creative solutions that keep you ahead of the attacks and provide peace of mind that your critical assets are securely anchored. In addition we are busy developing software solutions to meet the threats of tomorrow.
Sincerely,
Eric Cole Secure Anchor
Pointsec Protector provides a policy driven mechanism that secures an organization's sensitive information by controlling data that enters and exits a PC or server via removable media and I/O devices on any port (USB, Firewire, IDE, Bluetooth etc).
Are you...
- An enterprise business or government agency
- In banking/financial services, federal/local government, healthcare, business services, technology and/or manufacturing
- In control of devices connecting to machines in your network
- At risk if critical data is lost
Do you need to...
- Reduce financial risk of lost or stolen data on personal devices connected to PCs or servers
- Comply with regulatory mandates
- Integrate into existing infrastructure
- Reduce operating costs
Let us send you a FREE USB device which contains a discovery tool to detect what is your exposure to Data Loss. If you would like one just send us an e-mail at newsletter@secureanchor.com and we will send it right out.
Secure Anchor | 11951 Freedom Drive | 13th Floor | Reston | VA | 20176
 "