CISSP Training: Certified Information Systems Security Professional
Insecure Magazine issue 27 has been released
Posted by boss on Wednesday, 01 September 2010 @ 20:13:58 EDT (21 reads)
Topic Insecure Magazine

cdupuis writes "

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

Issue 27 (September 2010) has just been released. Download it from:
http://www.insecuremag.com

The covered topics include:

- Review: BlockMaster SafeStick secure USB flash drive
- The devil is in the details: Securing the enterprise against the cloud
- Cybercrime may be on the rise, but authentication evolves to defeat it
- Learning from bruteforcers
- PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
- Security testing - the key to software quality
- A brief history of security and the mobile enterprise
- Payment card security: Risk and control assessments
- Security as a process: Does your security team fuzz?
- Book review: Designing Network Security, 2nd Edition
- Intelligent security: Countering sophisticated fraud
____________________________________________________

(IN)SECURE Magazine is supporting the following industry events:

SOURCE Barcelona 2010
Barcelona, Spain, 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.
http://www.sourceconference.com

Brucon 2010
Brussels, Belgium. 24-25 September 2010.
http://www.brucon.org

InfoSecurity Russia 2010
Moscow, Russia. 17-19 November 2010.
http://www.infosecurityrussia.ru

RSA Conference Europe 2010
London, United Kingdom. 12-14 October 2010.
http://bit.ly/rsa2010eu

__________________________________________________

Visit the (IN)SECURE Magazine web site at:
http://www.insecuremag.com

Subscribe to our RSS feed at:
http://feeds2.feedburner.com/insecuremagazine

Daily security news RSS feed:
http://feeds2.feedburner.com/HelpNetSecurity

Help Net Security on Twitter:
http://twitter.com/helpnetsecurity

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

"



September issue of Hakin9 magazine: Mobile Malware – the new cyber threat
Posted by boss on Tuesday, 31 August 2010 @ 09:40:26 EDT (92 reads)
Topic Hakin9

cdupuis writes "


September issue of Hakin9 magazine:
Mobile Malware – the new cyber threat

New issue of Hakin9 magazine already available!

Inside:

  • Mobile Malware – the new cyber threat
  • Botnet: The Six Laws And Emerging Command & Control Vectors
  • Hacking Trust Relationships – Part 2
  • Web Malware – Part 2
  • Defeating Layer-2 Attacks in VoIP
  • Armoring Malware: Hiding Data within Data
  • Is Anti-virus Dead? The answer is YES. Here’s why…


Download your copy now.


Mobile Malware – the new cyber threat
Julian Evans
Mobile phone malware first appeared in June 2004 and it was called Cabir. The mobile-phone features at most risk are text messaging (using social engineering), contacts list, video and buffer overflows. GSM, GPS, Bluetooth, MMS and SMS will indeed be some of the attack vectors to expect this year and beyond.


Botnet: The Six Laws And Emerging Command & Control Vectors
Richard C. Batka
New BotNet communication vectors are emerging. The industry is not prepared. For the next 20 years, BotNets will be what viruses were for the last 20.


Hacking Trust Relationships – Part 2
Thomas Wilhelm
This is the second article in a series of six that covers the topic of hacking trust relationships. This article focuses specifically on Vulnerability Identification against a target system, in order to identify and exploit potential trust relationships.


Web Malware – Part 2
Rajdeep Chakraborty
In the previous part of this article, Web Malware (Part 1), we discussed various statistics that showed the increase in Web Malware activity in recent years and why the focus of malware authors has shifted from creating havoc in the infrastructure to infecting endpoints for various other heinous purposes; we have seen it all. Now that we are aware of these facts and figures, in this part we will look into the technical details of Web Malware (Part 2).


Defeating Layer-2 Attacks in VoIP
Abhijeet Hatekar
ARP Poisoning and other Layer 2 attacks have been around for many decades now and one may think that they are obsolete. However, we still see them quite often on the network. The biggest advantage is easy access to sensitive information like passwords, credit card details, phone conversations etc.


Armoring Malware: Hiding Data within Data
Israel Torres
We are receiving malware daily via hundreds of facets that the Internet enables with various services; most common are via e-mail and web surfing. At any one time you can be sitting idly on the ‘net when you are presented with something that could be malicious either overtly or covertly. We’ll play through the scenario where you’ve discovered a binary on your network and are unsure of its purpose... and then reveal how it was done.


Is Anti-virus Dead? The answer is YES. Here’s why…
Gary Miliefsky
There have been billions of dollars in damages caused by exploiters on the Internet. These exploiters are intelligent cyber terrorists, criminals and hackers who have a plethora of tools available in their war chest – ranging from spyware, rootkits, trojans, viruses, worms, zombies and botnets to various other blended threats. From old viruses to these new botnets, we can categorize them all as malware.


Hakin9 magazine is also available in German.


Contact us

editors@hakin9.org
Editor-in-Chief
Karolina Lesińska
karolina.lesinska@hakin9.org

"



Audit finds computer misuse at state employment agency
Posted by boss on Monday, 30 August 2010 @ 06:06:25 EDT (19 reads)

cdupuis writes "

As seen in the Charlotte Observer at CharlotteObserver.com:

Abuses by employees included playing games on state time and making bootleg DVDs.

By Michael Biesecker
michael.biesecker@newsobserver.com

RALEIGH Employees at the state agency tasked with helping unemployed North Carolinians find jobs were instead using their government computers to play games and burn copies of bootleg DVDs, a state audit shows.

The Office of the State Auditor launched the investigation at the Employment Security Commission in August 2009 after a tip to its hot line.

"This was about much more than just employees using state equipment and state work time to rip off movies and games," State Auditor Beth Wood said in a written statement. "It is also about all the personal information that ESC keeps and the people that depend on unemployment benefits while they search for work."

More than 10 percent of North Carolinians are now out of work.

According to a report released Thursday, the probe found that a systems and operations analyst in the agency's Information Services Section had installed computer software that allowed him to subvert copyright protections on movie DVDs and computer games so that he could make multiple copies.

The technician, Corey Palmer, also had installed some of the games on his state computer, and dozens of blank DVDs were found stacked on his desk.

Palmer, 43, told investigators he was using the movie- and game-copying software to "pass the time" while at work and that he had provided copies of some of the bootlegged material to his bosses, according to the audit.

Palmer was paid an annual salary of $70,316.

When investigators checked the hard drive in the state-owned computer of another employee, application manager Michael Kazura, they found pirating software and illegal copies of 19 movies and 14 television shows, according to the audit.

Kazura, 60, denied having any idea how the material ended up on his computer.

A forensic investigation of Kazura's computer found a folder containing 533 files that the employee had attempted to erase after the state's investigation of his coworker started.

In a letter released with the audit, ESC chairwoman Lynn Holmes said Palmer was fired Oct. 16.

Kazura was suspended without pay for 10 days in November. Records show Kazura is still on the state payroll, being paid $91,320 a year.

Neither Palmer nor Kazura could be reached for comment Thursday.

The audit also described gaping holes in computer security at the commission.

Holmes said in her letter that her agency has developed a new computer use policy set to go into effect this month.

"



£2.28 million fine for Zurich Insurance's data loss
Posted by boss on Monday, 30 August 2010 @ 06:03:38 EDT (83 reads)
Topic Law & Legalities

cdupuis writes "

Zurich Insurance's UK branch has been fined £2.27 million by the Financial Services Authority (FSA) as punishment for losing the details of 46,000 customers.

Zurich lost an unencrypted backup tape which contained the data while it was being transferred to a South African data storage centre in 2008. The records included customer identities, bank account, credit card and other financial information.

The company did not become aware of the loss until a year later. The fine is, to date, the largest company fine for a single data loss although HSBC were fined £3 million in 2009 for a number of separate losses of customer data.

Because the company agreed to settle early on in the investigation by the FSA, the fine was reduced by 30%.

Without that cooperation the fine would have been £3.25 million. Margaret Cole, the FSA's director of enforcement and financial crime, said the company had "let its customers down badly", noting that the company failed to effectively oversee its outsourcing and lacked full control of the data being processed in South Africa.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made" added Cole. The FSA say that, according to Zurich UK, there is no evidence that the lost data has been misused.

"



Bank fined $9.7 million over poor IT governance
Posted by boss on Sunday, 29 August 2010 @ 23:41:56 EDT (108 reads)
Topic Law & Legalities

cdupuis writes "Note from Clement:

This shows clearly that IT security is NOT only a technical issue.  If management fails to exercise due care and due diligence and to play the role it is supposed to, it will be found guilty and will pay the price dearly.  In this case it is the law that caught them, but the next time it might be a large-scale compromise.   You have to implement proper security, and that includes audit, enforcement, and constant review.  See the article below:

Bank fined $9.7m over poor IT governance

Liam Tung | Aug 5, 2010 9:22 AM

RBS' IT systems could have let fraud go unmonitored.

UK financial services regulator the Financial Services Authority [FSA] has fined the Royal Bank of Scotland (RBS) £5.6 million (A$9.7 million) for implementing shoddy IT systems which left it in breach of the country’s money laundering laws.

The bank had implemented its treasury IT system in 2006, which was meant to screen incoming and outgoing cross-border payments.

According to the FSA, RBS neglected to check the accuracy of the systems since its implementation.

“After the initial set up, the results produced by the screening filters were not routinely reviewed or monitored by RBSG to ensure that they were appropriate.

"This meant that over time the ‘fuzzy matching’ parameters initially set by RBSG became significantly less effective at identifying potential matches,” the authority said in its decision notice this week.

For two years the bank failed to screen a single incoming payment from a foreign source. It also missed the bulk of outgoing payments by its customers, except those destined for the US.

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA.

Under UK laws financial institutions are meant to match customer transactions to the government’s treasury list, known as Her Majesty’s Treasury. The Treasury’s Asset Freezing Unit (AFU) maintains a list of people identified by the United Nations, the European Union and the UK. If the financial institution identifies a transaction that may correlate to a person on that list, it must stall the payment until it determines whether it is an exact match. If it is the bank should alert the AFU.

The FSA said it could have fined RBS $13.8 million, but offered RBS a 30 percent discount for not challenging its decision.

"

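The decision notice above faults a screening filter whose results were never re-checked after set-up. As an added example (not RBS's, the FSA's or any vendor's code), here is a minimal fuzzy name-screening filter together with the routine effectiveness review that was missing: a fixed set of known-good and known-bad counterparties is replayed through the live filter so that a degraded configuration is noticed. The watch list, the review cases and both threshold values are constructed for this illustration.

```python
"""Constructed example: fuzzy sanctions screening plus the periodic review
control. Nothing here is a real list, a real customer or a real setting."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for the Treasury (AFU) consolidated list.
WATCH_LIST = ["Ivan Petrov", "Global Trade Holdings Ltd", "Mohammed Al-Rashid"]

# Constructed regression set: counterparties that must be held (True)
# or must pass (False). In practice compliance maintains this set.
REVIEW_CASES = [
    ("IVAN PETROV", True),                    # exact name, different case
    ("Ivan Petrof", True),                    # transliteration variant
    ("GLOBAL TRADE HOLDINGS LIMITED", True),  # legal-suffix variant
    ("Mohamed Al Rashid", True),              # spelling/punctuation variant
    ("Jane Smith", False),
    ("Global Pharma Supplies Inc", False),
]

TUNED_THRESHOLD = 0.85       # assumed setting chosen at initial set-up
EXACT_ONLY_THRESHOLD = 1.0   # a degraded setting: only exact spellings hit


def normalise(name):
    """Case-fold, unify a common legal suffix, drop punctuation, collapse spaces."""
    n = name.lower()
    n = re.sub(r"\blimited\b", "ltd", n)
    n = re.sub(r"[^a-z0-9 ]+", " ", n)
    return " ".join(n.split())


def similarity(a, b):
    """Fuzzy score in [0, 1] between two names after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen(counterparty, threshold, watch_list=WATCH_LIST):
    """Return the watch-list entries scoring at or above threshold.
    A non-empty result means the payment must be held for manual review."""
    return [w for w in watch_list if similarity(counterparty, w) >= threshold]


def review_effectiveness(threshold, cases=REVIEW_CASES):
    """The periodic control: replay known cases through the live filter.
    Returns (true_positive_rate, false_positive_rate, misclassified_cases)."""
    tp = fp = pos = neg = 0
    misclassified = []
    for name, should_hit in cases:
        hit = bool(screen(name, threshold))
        if should_hit:
            pos += 1
            tp += hit
        else:
            neg += 1
            fp += hit
        if hit != should_hit:
            misclassified.append((name, should_hit))
    return tp / pos, fp / neg, misclassified


if __name__ == "__main__":
    for label, thr in (("tuned", TUNED_THRESHOLD), ("degraded", EXACT_ONLY_THRESHOLD)):
        tpr, fpr, bad = review_effectiveness(thr)
        print(f"{label:8s} threshold={thr:.2f} TPR={tpr:.2f} FPR={fpr:.2f} misses={bad}")
```

Run on a schedule, a drop in the true-positive rate is the signal that the parameters need re-tuning, which is exactly the check the notice says was absent.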


Hackers blind quantum cryptographers
Posted by boss on Sunday, 29 August 2010 @ 21:45:08 EDT (335 reads)
Topic Cryptography

cdupuis writes "

As seen on the NatureNews web site at:

http://www.nature.com/news/2010/100829/full/news.2010.436.html

Hackers blind quantum cryptographers

Lasers crack commercial encryption systems, leaving no trace.

A way to intercept photons of light to create a security leak has been discovered.

Quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission — they have fully cracked their encryption keys, yet left no trace of the hack.

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.

Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. "Our hack gave 100% knowledge of the key, with zero disturbance to the system," he says.

In standard quantum cryptographic techniques, the sender — called 'Alice' for convenience — generates a secret key by encoding classical bit values of 0 and 1 using two different quantum states of photons, or particles of light. The receiver, 'Bob', reads off these bit values using a detector that measures the quantum state of incoming photons. In theory, an eavesdropper, 'Eve', will disturb the properties of these photons before they reach Bob, so that if Alice and Bob compare parts of their key, they will notice a mismatch.

In Makarov and colleagues' hack, Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it. While Bob's detector is thus disabled, Eve can then intercept Alice's signal. The research is published online in Nature Photonics today [1].

Breaking the rules

The cunning part is that while blinded, Bob's detector cannot function as a 'quantum detector' that distinguishes between different quantum states of incoming light. However, it does still work as a 'classical detector' — recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.

That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob's readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.

"We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.

Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. "Once I had the systems in the lab, it took only about two months to develop a working hack," says Makarov.

This is the latest in a line of quantum hacks. Earlier this year, a group led by Hoi-Kwong Lo at the University of Toronto in Ontario, Canada, also showed that an IDQ commercial system could be fully hacked. However, in that case, the eavesdropper did introduce some noticeable errors in the quantum key [2].

Grégoire Ribordy, chief executive of IDQ, says that the hack of Makarov and his group is "far more practical to implement and goes further than anything that has gone before".

Both IDQ and MagiQ welcome the hack for exposing potential vulnerabilities in their systems. Makarov informed both companies of the details of the hack before publishing, so that patches could be made, avoiding any possible security risk.

"We provide open systems for researchers to play with and we are glad they are doing it," says Anton Zavriyev, director of research and development at MagiQ.

Ribordy and Zavriyev stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ's system also use classical cryptographic techniques as a safety net, says Ribordy.

Makarov agrees that the hack should not make people lose confidence in quantum cryptography. "Our work will ultimately make these systems stronger," he says. "If you want state-of-the-art security, quantum cryptography is still the best place to go." 

"

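An added toy model, not the researchers' or either vendor's code, of why the error check described above fails against the blinding attack: BB84 sifting with a QBER (quantum bit error rate) check is run with no eavesdropper, with a conventional intercept-resend eavesdropper, and with an eavesdropper who has blinded Bob's detector. The ideal detector model, the 11% abort bound, and the assumption that a blinded detector simply fails to click (so the slot is discarded in sifting) when Bob's basis differs from Eve's are simplifications chosen for this illustration.

```python
"""Constructed BB84 model: shows the QBER alarm firing for intercept-resend
and staying silent under detector blinding, while Eve holds the whole key."""
import random

BASES = ("+", "x")            # rectilinear and diagonal encodings
QBER_ABORT_THRESHOLD = 0.11   # commonly quoted BB84 abort bound (assumption here)


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal single-photon detector: a matching basis reads the bit exactly,
    a mismatched basis returns a uniformly random outcome."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n, attack="none", seed=1):
    """Simulate n photons under attack in {'none', 'intercept_resend', 'blinding'}.

    Returns the sifted key length, the QBER Alice and Bob observe, and the
    fraction of the sifted key on which Eve's record equals Alice's bit."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits, eve_bits = [], []
    for bit, ab, bb in zip(alice_bits, alice_bases, bob_bases):
        if attack == "none":
            bob_bits.append(measure(bit, ab, bb, rng))
            eve_bits.append(None)
            continue
        # Eve measures Alice's photon in a random basis of her own.
        eb = rng.choice(BASES)
        ev = measure(bit, ab, eb, rng)
        eve_bits.append(ev)
        if attack == "intercept_resend":
            # Eve re-sends a photon in her basis; Bob's detector is still a
            # quantum detector, so Eve's wrong-basis guesses surface as errors.
            bob_bits.append(measure(ev, eb, bb, rng))
        elif attack == "blinding":
            # Bob's blinded detector behaves classically: Eve's bright pulse
            # registers Eve's bit only when Bob chose Eve's basis; otherwise
            # (assumption) nothing clicks and the slot is dropped in sifting.
            bob_bits.append(ev if bb == eb else None)
        else:
            raise ValueError(f"unknown attack {attack!r}")
    sifted = [i for i in range(n)
              if bob_bits[i] is not None and alice_bases[i] == bob_bases[i]]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sifted)
    eve_known = sum(eve_bits[i] == alice_bits[i] for i in sifted)
    return {
        "sifted": len(sifted),
        "qber": errors / len(sifted),
        "eve_fraction": eve_known / len(sifted),
    }


def alarm_triggered(qber, threshold=QBER_ABORT_THRESHOLD):
    """Alice and Bob abort the key when the sampled error rate is too high."""
    return qber > threshold


if __name__ == "__main__":
    for attack in ("none", "intercept_resend", "blinding"):
        r = run_bb84(20000, attack)
        print(f"{attack:17s} sifted={r['sifted']:5d} QBER={r['qber']:.3f} "
              f"Eve knows={r['eve_fraction']:.2f} alarm={alarm_triggered(r['qber'])}")
```

The blinded run shows a shorter sifted key but zero measured error, which is why the safety net has to come from outside the QBER check, such as the classical cryptographic layer the vendor mentions.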


Microsoft's Security Development Lifecycle (SDL) under Creative Commons License
Posted by boss on Sunday, 29 August 2010 @ 21:30:18 EDT (44 reads)
Topic Awareness Info

cdupuis writes "

As seen on the great H-Online web site at http://www.h-online.com/:

Microsoft's Security Development Lifecycle under Creative Commons License

Microsoft is to change the license for its process for developing secure software. In future, the company's Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.

The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on "trustworthy computing". The resulting programme was intended to make security an integral part of the company's software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.

David Ladd, Principal Security Program Manager at Microsoft, has announced that the first two documents to be placed under the new license will be a white paper entitled "Simplified Implementation of the Microsoft SDL" and "Microsoft Security Development Lifecycle (SDL) – Version 5.0", a guide to how the company uses SDL in its product development. These can be expected within the next few weeks. According to Ladd, the company will also be going through other content on the SDL portal and relicensing it as appropriate. SDL tools are not affected by the licensing change, but will continue to use Microsoft licenses.

"



FREE Cisco CCNP TSHOOT Webcast
Posted by boss on Sunday, 29 August 2010 @ 09:37:00 EDT (51 reads)
Topic Cisco

cdupuis writes "

FREE Cisco CCNP TSHOOT Webcast August 31st, 2010 with expert trainer and best-selling Cisco Press author Kevin Wallace, see more info about Kevin and register now at:

http://promo.pearsonitcertification.com/pages/start/plp-webcast-home/index.html?Campaign_Id=262&Activity_Id=212

Kevin Wallace, expert trainer and best-selling author of the CCNP TSHOOT 642-832 Official Certification Guide and Network Troubleshooting Video Mentor, takes you on a tour of a troubleshooting scenario that is typical of what you might see on the CCNP TSHOOT exam. Kevin walks you through an HSRP trouble ticket. You will review the theory of HSRP followed by a live troubleshooting demonstration and concluding with a Q&A session.

Join us for this Free Pearson IT Certification / Cisco Press Webcast to gain unique insight into what you can expect on the CCNP TSHOOT exam!  Register Now. Hope you can attend!

~Jamie

 

Jamie Adams, Senior Publicist

Representing technical brands of Pearson in networking technologies (IP Com, network security, storage), and all certifications including Cisco®, Microsoft and CompTIA.

Office: 317-428-3012

Twitter: @ciscopress, @pearsonitcert, and @jamieadams76

Facebook: facebook.com/ciscopress and other Pearson brands at informit.com/socialconnect.

LinkedIn: www.linkedin.com/in/msjamieadams.

"



A new advanced security certification from CompTIA -- Fill the survey
Posted by boss on Friday, 27 August 2010 @ 22:15:40 EDT (143 reads)
Topic Training News

Anonymous writes "

A New Advanced Security Certification is on the way!

To Security Professionals – Important Request:

In case you did not know, I am a Founding Member of the CompTIA Security+ Cornerstone Committee.  I am writing this blog to ask if you would complete an important survey because of your expertise in information security. CompTIA is developing a new advanced security certification exam to follow CompTIA Security+ (or equivalent experience) and we are seeking your input on the exam objectives. We hope you’ll appreciate how important your input is to the development of this certification, and ultimately to those who follow you in their security careers.  Personally, I am excited by the cutting-edge objective set of the intended certification:  It is up-to-date and pragmatic.  It includes (speak of the devil) objectives related to:

  • Security and Social Media
  • Virtualized Desktops (VDI)
  • Insider Threat
  • 802.1x
  • Fuzzing
  • And a plethora of deep, technical, scary stuff!

To begin this approximately ten-minute survey, please go here:  https://s-xut5m-345723.sgizmo.com
In appreciation for your time and participation, CompTIA is giving away a CompTIA T-shirt to every 10th person who completes the survey.

CompTIA values your privacy. Results are completely anonymous and the data will only be viewed in the aggregate. Please complete by September 8, 2010.
Thank you very much for your participation.

Please contact research_at_comptia.org if you experience any technical difficulties with the survey.

Go ahead:  support the community and get a free T-Shirt!

Barry Kaufman, CISSP, CEH, MCSE, ITILv3

"



Malware Contributed To Plane Crash
Posted by boss on Tuesday, 24 August 2010 @ 09:25:03 EDT (201 reads)
Topic Vulnerabilities

cdupuis writes "

Investigation into Spanair flight 5022 finds that monitoring server had been disabled by Trojan application.

By Mathew J. Schwartz,  InformationWeek
Aug. 23, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=226900089

Spanish authorities investigating the crash of Spanair flight 5022 in Madrid have found that malware may have contributed to the accident, which occurred two years ago, killing 154 people on board. Only 18 survived the crash and subsequent fire.

The Spanish agency charged with investigating the accident has listed the official cause as pilot error, because the pilots failed to extend the MD-80 airplane's takeoff flaps and slats, which would have helped the airplane to rise. Instead, the plane stalled just seconds after takeoff.

But the agency also found that a warning alarm meant to ensure that the pilots didn't leave the flaps and slats retracted failed to sound, and that the warning had failed to sound on two previous occasions.

According to Spanish daily El Pais, those failures, which were non-trivial, should each have been immediately logged in a maintenance system, which would have spotted the recurring fault and triggered an alarm at the airline's headquarters in Palma de Mallorca, keeping the plane grounded until the issue was fixed.

But authorities say that the maintenance system had been infected by a Trojan application, rendering the monitor useless. In addition, two engineers currently under investigation for manslaughter apparently failed to log the device faults, even though under company policies they were required to do so immediately. When they did attempt to enter the faults, the plane had already crashed, at which point they found that the monitoring system apparently wasn't working.

The judge, Juan David Perez, has demanded that the airline turn over copies of all entries in the maintenance system from the days before and after the crash.

"I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome," wrote Rick Wanner of the SANS Internet Storm Center, on his blog. "Clearly the SpanAir diagnostic system (a detective control) designed to detect anomalies in the airliners system failed, possibly due to a Trojan. Also it appears the pilots bypassed part of their pre-takeoff checklist, leaving the flaps and slats in a position not recommended for takeoff."

"This one all boils down to inadequate training and a lack of professional behavior," said a responder to Wanner's post, citing 25 years of jet avionics experience. "They had to have had ample indications that certain systems were not working, they didn't follow the checklists and they didn't abort when they failed to reach certain speeds at certain points during the takeoff roll."

"



Security Professionals’ Salaries Up 6 Percent in 2010
Posted by boss on Thursday, 19 August 2010 @ 21:35:48 EDT (107 reads)
Topic JOBS

cdupuis writes "
As seen on the Security Product website at:  http://secprodonline.com/

Security Professionals’ Salaries Up 6 Percent in 2010
Aug 10, 2010

The median compensation for security professionals in the United States increased 6 percent from 2009 to $93,000, according to the 2010 ASIS International “U.S. Security Salary Survey.” In addition, respondents who had a Certified Protection Professional (CPP) certification earned a median salary of $118,000.

Average compensation (sum of dollars divided by the number of respondents) was $108,000, a 5.5 percent increase over last year. 2010 marks a continuation of a 5-year trend in which average compensation for salaried security professionals has risen 19 percent from $88,000 in 2006 to the current $108,000.

Other findings from the 2010 survey include:

  • Salaries of those at the bottom-rung of earners -- those in the 10th percentile --rose from $46,000 in 2009 to $52,000 in 2010, and those at the top of the scale -- the 90th percentile -- saw their compensation increase from $163,000 to $180,000.
  • The Mid-Atlantic region continues to offer the security jobs with the highest compensation ($105,000 median), up 5 percent from 2009. Conversely, the Mountain and East South Central regions offer the lowest rates of compensation, and unlike every other region in which compensation rose, these regions show stagnant or dropping wages.
  • Information and Natural Resources and Mining tied for the highest average compensation. However, the Information sector saw the greatest increase with an average salary of $142,000, up 30 percent from 2009. Natural Resources and Mining, with an average salary of $142,000, suffered a 10 percent drop from 2009 average compensation levels of $151,000.
  • Federal government and law enforcement employees report an average salary of $114,000, and the highest median of any sector at $101,000.
  • Thirty-nine percent of this year’s respondents are top-level security professionals at their organization; this group earns an average salary of $123,000 and a median of $100,000.
  • Holding a core industry certification correlates to compensation substantially higher than the salaries of peers with no certification. Those holding the Certified Protection Professional (CPP) certification, administered by ASIS, for example, report an average compensation of $118,000, 18 percent higher than 2009, and a median salary of $100,000. Those with no certification reported an average compensation of $100,000 and a median salary of $85,000.
  • Education also correlates with compensation. Thirty-one percent of respondents hold a master’s degree and report a median compensation of $122,000.

More than half (58 percent) of the survey respondents work for privately held companies, a sector reporting an average compensation of $104,000 and a median salary of $90,000. Those working for publicly held (stockholder-owned) companies (27 percent of respondents) report the highest average compensation at $124,000, with a median of $100,000.

The survey examines trends in both average and median salaries, because the two measurements can offer different perspectives; the average is a total of all items in the sector divided by the count in the sample, while the median is the precise midpoint of the range of all items reported. All ASIS members employed in the United States were eligible to participate. The results are based on 784 participants who completed the survey. The survey collected data from the current and preceding years and breaks out responses in 11 industries and 9 geographic regions. Each section drills down into 18 specific factors that affect compensation.

The “U.S. Security Salary Survey” will be available in October for $135 to ASIS members and $195 for nonmembers. For more information, visit www.asisonline.org/.

"



Hakin9 August Issue: Securing the cloud (get your FREE copy now)
Posted by boss on Tuesday, 03 August 2010 @ 16:55:51 EDT (223 reads)
Topic Hakin9

cdupuis writes "
Hakin9

August issue of Hakin9: Securing the Cloud

New issue of Hakin9 magazine already available!

Inside:

  • Prey: A New Hope by Mervyn Heng
  • An introduction to Reverse Engineering: Flash, .NET by Nilesh Kumar
  • Web Malware - Part 1 by Rajdeep Chakraborty
  • Cyber warfare with DNSbotnets by Francisco Alonso
  • Search Engine Security and Privacy by Rebecca Wynn
  • Securing the Cloud: Is it a Paradigm Shift in Information Security? by Gary Miliefsky
  • Radio Frequency-enabled Identity Theft by Julian Evans
  • Intelligence Monopolies by Matthew Jonkmann
  • Special Report: Capturing the New Frontier: How To Unlock the Power of Cloud Computing by Mike Armistead

Download


Prey: A New Hope
Mervyn Heng
Misplaced your laptop or had it stolen? You are not alone. Dell and the Ponemon Institute collaborated on a study with 106 United States airports as well as over 800 business travelers to ascertain the frequency with which laptops are lost in airports.


An introduction to Reverse Engineering: Flash, .NET
Nilesh Kumar
This article is about the demonstration of Reversing of Flash and .NET applications. This is an introductory article showing basics of decompiling/disassembling. In the first part I have chosen to show reversing of Flash files and .NET files and how to patch them.


Web Malware - Part 1
Rajdeep Chakraborty
The Internet has been plagued by a variety of Malware that use the Web for propagation and as these threats loom around in the Internet it can infect even the smartest and the most tech savvy computer users.


Cyber warfare with DNSbotnets
Francisco Alonso
Botnets aren’t just a fad or items being sold and purchased like items on ebay, but are becoming carefully designed tools used for cyber war. In this article we will discuss what a Botnet is, and the next generation of Botnets over DNS.


Search Engine Security and Privacy
Rebecca Wynn
It’s no secret that search engines like Google, Yahoo, Bing (MSN) retain search data and metadata regarding searches. They are open about doing so. What’s unsure, though, is to what extent this creates a long-term threat to information security and privacy. This article briefly reviews what data is retained and stored by these search engines and what readers can do to protect their information.


Securing the Cloud: Is it a Paradigm Shift in Information Security?
Gary Miliefsky
First let me start by saying No. There’s really nothing new in the Cloud except where risk appears to shift. But does it really? I would argue that it increases your risk and there can be no shift of blame for a successful Cloud attack and breach of confidential data stored in the Cloud. You are ultimately responsible.


Contact Us

editors@hakin9.org
Editor-in-Chief
Karolina Lesińska
karolina.lesinska@hakin9.org

"



Today's Most In-Demand Certifications
Posted by boss on Monday, 26 July 2010 @ 12:00:40 EDT (276 reads)
Topic JOBS

cdupuis writes "

Original article on the great Certification Magazine website at: http://www.certmag.com/read.php?in=3950

An industry-recognized certification can provide you with a competitive edge whether you’re looking for a new position or trying to advance within your current firm. However, the biggest challenge when it comes to earning a professional designation is often determining which one to pursue.

Here are the four most in-demand certifications, according to Robert Half Technology’s staffing and recruiting professionals across the United States:

Certified Information Systems Security Professional (CISSP): Offered by the International Information Systems Security Certification Consortium (ISC)², this vendor-neutral information security accreditation covers 10 domains, including access control, cryptography, operations security, and security architecture and design. To earn a CISSP, you must meet certain experience requirements and achieve a scaled score of 700 or greater on the CISSP exam. The credential also must be renewed every three years. According to CIOs polled for the latest “Robert Half Technology IT Hiring Index and Skills Report,” the second most challenging functional area to fill is security, increasing the appeal of job candidates with a CISSP designation.

Microsoft Certified Systems Engineer (MCSE): This certification focuses on the design and implementation of these particular infrastructures. It’s recommended that you have one to two years of experience working with network systems before pursuing the accreditation. Earning the MCSE certification demonstrates a commitment to professional development because you must have a wide range of knowledge and pass seven exams to obtain it.

Although the MCSE designation is in particularly high demand, job candidates who have earned any Microsoft certification have an edge in the job market. Because of the ubiquity of Microsoft applications, accreditations that demonstrate your knowledge of these technologies will continue to be sought by employers.

Project Management Professional (PMP): If you want to validate your project management abilities, this credential, offered by the Project Management Institute (PMI), may be for you. You must have between three and five years of project management experience to take the exam, and the certification must be maintained by earning 60 Professional Development Units over a three-year period. The increasing complexity of IT projects, and the need to involve individuals from all over the organization in these engagements, has led to the demand for verifiable project management skills.

Cisco Certified Network Associate (CCNA): This vendor-specific accreditation authenticates the bearer’s ability to administer medium-size route and switched Cisco networks. To earn the certification, you can either pass the 640-802 CCNA exam or both the 640-822 Interconnecting Cisco Networking Devices Part 1 (ICND1) and 640-816 ICND2 exams. The CCNA designation is valid for three years, after which you must pass one of various possible exams to renew it.

Fifty-eight percent of CIOs polled for the “Hiring Index” ranked network administration as the technical skill set in greatest demand within their IT departments, further demonstrating the marketability of professionals with the CCNA credential.

Although earning one of the above certifications could be advantageous for your career, that doesn’t mean doing so is necessarily the best move for you to make. Before pursuing any professional designation, you must ask yourself the following questions:

  • Which certification is right for me? Take into account your experience, current position and future professional goals. For instance, if you have a project management background and want to further your career in that area, a PMP certification could be extremely valuable. However, if you have no networking experience, it’s unlikely that a CCNA accreditation will boost your marketability. It’s important to understand that a certification can’t take the place of experience. Rather, it is best used to support relevant experience you already possess.

  • How much time and money are involved? Between books, study aids, training courses and exams, there will be costs involved. But there may be ways to reduce these expenses. If you’re currently employed, your company may offer financial assistance with your education. If you’re unemployed, you might consider registering with an IT staffing firm, some of which offer free training courses, test preparation and sample exams.

The time commitment can vary dramatically depending on the designation you are pursuing. The MCSE certification requires you to take seven exams, for instance, while the CCNA designation will perhaps only require one. Also keep in mind that some credentials require ongoing study to remain valid.

  • How much of an impact will a certification have on my career? This question is hard to answer. According to the “Robert Half Technology 2010 Salary Guide,” a credential can increase starting salary by up to 10 percent. But not all certifications are created equal. Those less in demand may not boost your compensation at all or increase your appeal to potential employers by any noticeable amount. You may want to consult members of your professional network, especially those who have earned a certification you hope to obtain, or an IT recruiter for additional insight.

Dave Willmer is executive director of Robert Half Technology, a provider of IT professionals for initiatives ranging from e-business development and multiplatform systems integration to network security and technical support. He can be reached at editor@certmag.com


"



Kobil SmartCard Reader hacked
Posted by boss on Monday, 07 June 2010 @ 07:58:47 EDT (534 reads)
Topic Cryptography

cdupuis writes "

No broken seals: A Windows tool allows unsigned firmware to be installed.

A vulnerability in smartcard readers made by vendor Kobil[1] allows intruders to install specially crafted firmware without opening the sealed housing. Attackers could exploit this to read PINs such as those used for digital document signatures or to display forged data on-screen. To prevent such intrusions from happening, smartcard readers are usually subjected to a special security check before they are approved. Several leading institutions had tested the Kobil readers and confirmed that they complied with the strict German Signature Law (SigG) including the German Federal Office for Information Security (BSI). The German Central Credit Committee (Zentraler Kreditausschuss, ZKA) also approved the TriB@nk device for use with the "Geldkarte" application, and Secoder, the successor of HBCI, for home banking.

In its report on the affected Kobil devices, EMV-TriCAP Reader, SecOVID Reader III and KAAN TriB@nk, the BSI found[2] (German language link): "A firmware signature verification which uses the asymmetric ECDSA algorithm and a bit length of 192 guarantees firmware integrity and authenticity when loading new firmware into the chip card reader." This means it should be impossible to install firmware that does not have a vendor signature.

The reader's boot loader is responsible for checking the signature. A hacker using the name Colibri has managed to bypass the signature check by replacing the reader's boot loader with a specially crafted boot loader. The hacker introduced individual flash memory blocks in the wrong order, so that the memory contained some parts of the crafted boot loader and some parts of Kobil's signed boot loader – which was eventually accepted by the device. However, the crafted boot loader's signature check function was disabled, which allowed the hacker to flash arbitrary firmware onto the reader via USB. Colibri informed Kobil about the problem and released a fascinating and detailed report[3] (German language link) about the hack, as well as a Windows tool and firmware updates for reproducing the issue. Using this information, The H's associates at heise Security successfully managed to inject specially crafted firmware into a "Kaan Trib@nk" smartcard reader (version 79.22).

At the end of April, Kobil released[4] security update 79.23 for the Kaan TriB@nk to close the hole(s). According to Kobil's Head of Product Management and Development, Markus Tak, the update is also designed to prevent attackers from randomly updating memory blocks in the future.


The firmware can be replaced in just a few steps using a Windows tool. Although the hole was disclosed several weeks ago, publicly available information about this problem still remains sparse. While the German Federal Network Agency, being the responsible authority under section 3 of the German Signature Law (SigG), has issued a warning[5] (German language link) about the security hole on its web pages, the information so far doesn't seem to have reached the general user base.

When asked, the ZKA said that the vulnerability was not publicised because the issue affected a "limited group of customers" who were apparently informed directly by the vendor. Furthermore, the ZKA said that the applications for Geldkarte, HBCI and Secoder are not affected by the hole. However, the ZKA's press spokesperson was unable to explain why this should be the case.

Some savings banks have at least pointed out the problem on their web pages and recommend[6] (German language link) that users send their devices to Kobil, for an update. Potential residual risks reportedly make it advisable that users don't update the firmware themselves. In any case, the new firmware hasn't yet been certified. Kobil has not provided any updates for its EMV-TriCAP Reader and SecOVID Reader products, which are also affected.

Talking to heise Security, Colibri gave his hack an intermediate difficulty rating. The hacker said he has analysed devices as a hobby for years and considers other projects such as his analysis of the PowerVU encryption used in military transmissions much more difficult. Colibri said the most involved aspect of the hack was having to write a disassembler for the Toshiba processor used in Kobil's devices.

The vulnerability casts further bad light on security certifications for systems and software. Prof. Dr. Rainer W. Gerling, the Data Protection and IT Security Officer at the Max Planck Society for the Advancement of Science said in an interview with heise Security: "This hack shows that the quality of a certification depends on the creativity and imagination of the tester. This is a fundamental problem of certifications." It seems that the BSI testers were not the only ones who lacked imagination, because T-Systems also found[7] (German language link) in an independent test that the devices comply with the safe PIN entry requirements described in the German Signature Law and Signature Regulation.


URL of this Article:
http://www.h-online.com/security/news/item/Kobil-smartcard-reader-hacked-1014651.html

Links in this Article:
  [1] http://www.kobil.com/
  [2] https://www.bsi-fuer-buerger.de/cae/servlet/contentblob/485368/publicationFile/29542/02096_pdf.pdf
  [3] http://colibri.net63.net/Smartcard-Reader-Hack.htm
  [4] http://www.kobil.com/index.php?id=1364&L=0
  [5] http://www.bundesnetzagentur.de/cln_1932/DE/Sachgebiete/QES/QES_node.html
  [6] https://www.sparkasse-kraichgau.de/privatkunden/konten_karten/online_mit_hbci/kaan/index.php
  [7] http://www.t-systems-zert.de/pdf/ein_02_sig_pro/zf_02219_d.pdf

"

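The block-mixing described in the Kobil article above, modelled here as an added defender-side example (it is neither Kobil's design nor code from the article): a per-block check that only asks "is this block's digest in a signed manifest?" accepts a memory image stitched together from blocks of two different signed releases, while an atomic signature check over the complete staged image rejects it. HMAC-SHA256 stands in for the ECDSA-192 signature the article mentions; the key, block size and firmware images are constructed for the demonstration.

```python
"""Toy model of firmware-update verification for a smartcard reader.

Added example, not Kobil's code or the article's.  HMAC-SHA256 stands in
for the vendor's ECDSA signature; key, images and block size are constructed.
"""
import hashlib
import hmac

BLOCK = 16                                # constructed flash block size (bytes)
VENDOR_KEY = b"vendor-signing-key-demo"   # stands in for the vendor's private key


def sign(data: bytes) -> bytes:
    """Vendor-side signature over a byte string (HMAC stand-in for ECDSA)."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def blocks(image: bytes) -> list:
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]


def release(image: bytes) -> dict:
    """Vendor packaging: whole-image signature plus a signed per-block digest list."""
    digests = [hashlib.sha256(b).digest() for b in blocks(image)]
    return {"image_sig": sign(image),
            "block_digests": digests,
            "manifest_sig": sign(b"".join(digests))}


def weak_flash(memory: bytearray, offset: int, block: bytes, rel: dict) -> bool:
    """Per-block acceptance: any block whose digest appears in a signed manifest
    may be written at any offset.  Blocks taken from two different signed
    releases, or from one release in the wrong order, are all accepted."""
    if not verify(b"".join(rel["block_digests"]), rel["manifest_sig"]):
        return False
    if hashlib.sha256(block).digest() not in rel["block_digests"]:
        return False
    memory[offset:offset + BLOCK] = block
    return True


def strict_flash(memory: bytearray, staged: bytes, rel: dict) -> bool:
    """Atomic acceptance: the complete staged image must verify as one unit
    before a single byte reaches the live boot-loader region."""
    if len(staged) != len(memory) or not verify(staged, rel["image_sig"]):
        return False
    memory[:] = staged
    return True


def demo() -> dict:
    """Stitch a memory image from two signed releases; report which check accepts it."""
    v1 = b"LOADER-v1-check-".ljust(BLOCK * 3, b"1")   # constructed signed release 1
    v2 = b"LOADER-v2-check-".ljust(BLOCK * 3, b"2")   # constructed signed release 2
    rel1, rel2 = release(v1), release(v2)
    mem = bytearray(BLOCK * 3)
    # Blocks 0 and 2 come from v1, block 1 from v2: no vendor ever signed this layout.
    ok = [weak_flash(mem, 0, blocks(v1)[0], rel1),
          weak_flash(mem, BLOCK, blocks(v2)[1], rel2),
          weak_flash(mem, 2 * BLOCK, blocks(v1)[2], rel1)]
    mixed = bytes(mem)
    return {"weak_accepts_mixed": all(ok),
            "strict_accepts_mixed": strict_flash(bytearray(BLOCK * 3), mixed, rel1),
            "strict_accepts_genuine": strict_flash(bytearray(BLOCK * 3), v2, rel2)}
```

The same principle applies to an update that fixes the block-mixing problem: the decision to commit must be taken over the whole image the device will actually run, not over pieces that can be rearranged afterwards.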


Hakin9 Magazine June edition has been released -- Get your copy now
Posted by boss on Tuesday, 01 June 2010 @ 08:33:42 EDT (618 reads)
Topic Hackers

cdupuis writes "

Hakin9 magazine JUNE Edition:

Is DDOS Still a Threat?  New issue of Hakin9 magazine already available!

Inside:

* Is DDOS Still a Threat?

* Jailbreaking and Penetrating with the iPhone 3G & 3GS

* Flash Memory Forensic Tools - part two

* Beginner’s Guide to Cybercrime -Understanding Attack Methodologies and a More Proactive Approach to Defense

* Pulling Kernel Forensic with Python

* More Secure PHP Server Side Source Encryption

* Securing Public Services Using Tariq

* Expert Says: Don't let the zombies take you down!

Download your copy now

Is DDOS Still a Threat?
Matt Jonkman
Is DDOS, or Distributed Denial of Service, still a credible threat? Do we lay awake at night scared of when the next one might hit us? An obvious question perhaps, they are still a threat to most online enterprises. But they’re not the top of the news issues they once were.


Expert Says...: Don’t let the zombies take you down!
Ian Kilpatrick
Over the last year, the incidence of botnet (or zombie) attacks has been growing rapidly. Some service providers around the world have already begun to take action against botnets and there is increased interest from other service providers, and from companies, in dealing with this serious security threat.

Beginner’s Guide to Cybercrime – Understanding Attack Methodologies and a More Proactive Approach to Defense
Gary Miliefsky
How about why nothing with an IP address is secure and why traditional countermeasures such as firewalls, anti-virus and intrusion detection fail? Would you like to learn new methods to proactively defend against attacks? If so, you’ve come to the right place.

Jailbreaking and Penetrating with the iPhone 3G & 3GS
Wardell Motley
Today Smart phones are getting smarter and smarter. They are a far cry away from the Walkie-Talkie like devices from the early 90's. Now a smart phone in the hands of a skilled attacker can be used to help penetrate networks on the fly. No longer do you need to walk around with a bulky laptop to get the job done.

Flash Memory Forensic Tools - part two
This second part is focused on advanced tests done on flash memory embedded in a Nokia mobile phone. Tests presented in this article are not for all as they require a well-furnished lab; even that what we try to demonstrate here is that – when flash mobile forensic will leave its infancy – there are some issues forensic officers should take in consideration.

Download your copy now

Contact Us
editors@hakin9.org
Editor-in-Chief Karolina Lesińska
karolina.lesinska@hakin9.org

"



All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respective owners. The content of this site is provided to you freely due to the generosity of our sponsors.
