
There’s been quite a lot of conversation on Twitter by the InfoSec community about the CISSP. Most of the hubbub has been generated by the Skytalk given by Timmay and a little help from Jericho at attrition.org. I was one of the fortunate folks to have a (nearly) front-row seat for this talk and I’ll be the first to say that I agree 100% with what was said. The title of the talk was “Why You Should Not Get A CISSP” – not “All CISSPs Are Dipshits” or “If You Have A CISSP: Kill Yourself” or “You Shouldn’t Be Hired In The InfoSec Community If You Have A CISSP”. There are plenty of folks out there who have a CISSP and are great assets to the community and are far better InfoSec folks than yours truly. The main point of the talk was how the claims of the (ISC)2 regarding the CISSP don’t hold true. Timmay did a great job debunking their claims and had solid evidence to back it up. Jericho’s bit in the talk covered the ethics portion and why the CISSP isn’t all that and a bag of Fritos. I’ve linked to the Skytalk slides earlier in this post; if you’d like more information on the ethics part, I’ll point you to attrition’s rant. I will state that several of my points in this blog are directly from the Skytalk and/or the attrition site. I don’t want Jericho to be plastering my name on his site any time in the near future. :)

I, myself, don’t have a CISSP. I don’t ever plan on getting it unless it’s absolutely required (e.g. DoD work, etc.). I’ve read the material in several iterations over the past years and it honestly hasn’t changed much since the first time I looked it over back in 2005. I’ve applied for (and got) jobs in the past that said a CISSP was required; however, I usually had to do a bit of trickery to my resume to get to the first interview. Several years ago, I added “Actively working towards the CISSP” in the certifications section of my resume. This would usually get me past the first hurdle and get my foot in the door. Once they talked to me for 10-20 minutes, they’d see that just because I don’t have letters after my name I was still a credible InfoSec candidate. A few years back, I decided to change the wording a bit: “Does not hold the CISSP certification”. Funny enough, this worked just as well if not better! I would get questioned about it, but nobody has required me to obtain the certification. I will say that I do hold a B.S. in Computer Technology from Purdue with a bit of my Masters in InfoSec as well – though my 8 months of Masters work doesn’t appear on my resume. It’s also worth noting that my work and residence are in Indiana: the brain drain of the USA. Usually once people get their education in Indiana, they leave. Plain and simple. The job market is better elsewhere and unless you’re fortunate enough to find a good-paying job around here, it’s usually easier to find work in other states. I will say this: I probably know about 40 or so people with certs from the (ISC)2 in Indiana (I may know more, but they haven’t mentioned that they have one) – out of those 40, I would probably only trust the opinion of roughly 7 of them. The majority of them like to regurgitate buzzwords from the latest sales pitch they were thrown by $securityvendor. They’re also the ones that brag about their security prowess and form little cliques in larger InfoSec gatherings.
I don’t have time for that type of dumbfuckery.

Back to the CISSP. It’s now being compared to the MCSE in the 1990s – you do a brain dump for 7 days, take the test, get more than 70% and BOOM! CISSP acquired! You don’t need to have a real working knowledge of security to pass this certification. Employers were chomping at the bit to get folks with MCSEs back in the 90s, and companies looking for InfoSec folks (at least from the job search stats shown in the talk) “desire” it…some “require” it. I throw the CISSP in the same ring as the C|EH. Both provide some historical data, but they’re broad. Just because somebody has a C|EH doesn’t mean that I want to immediately utilize this person for penetration testing services. I’d rather have the one who has the years of service under their belt and can talk coherently about the topic. Again, not to say there aren’t C|EHs out there who can; but there is definitely a collective of them who wouldn’t know what to do with a shell with privileged access if it was given to them.

Then there’s the code of ethics. Technically, by attending Defcon (a convention the (ISC)2 has said they do not condone) you’re violating their CoE and your CISSP should be revoked. However, this will lead to another issue: if somebody wants to report you to the (ISC)2, it must be done via a certified letter and reviewed by a committee. From what was told in the talk, you more or less have to go on a shooting spree for them to revoke your certification.

However…there may be hope! The (ISC)2 appointed Wim to the board back in Jan 2012 and indi more recently. It’s going to take a lot more than two guys to turn this around, but it’s a start. Does the (ISC)2 have a permanent black eye from its past years? Is there a chance it can redeem itself as a worthwhile cert in the minds of some folks in the community?

I’ll say this again in closing: I don’t think you’re a douchebag if you have a CISSP, a C|EH, or any other certification. I’ll think you’re a douchebag if you act like an elitist prick who can’t back up their talk and actions in the InfoSec community.

It’s been a busy week for folks like Yahoo! Voices, Phandroid, Billabong, and FormSpring: over 1.5 million passwords have been dumped – some hashed…some plaintext.  Instead of focusing on HOW these occurred, I’m more focused on the public’s reaction.

I’ve been following many of my local news sites and their coverage of these ‘hacks’ this week. They’ve all been fairly informative, though most of them haven’t offered a lot in the way of helping people check to see if their email was compromised, even though some very reputable sites are making this easier for the general public. I’ve tried to give as much information to these sites about where they can go to check into this information and it seems to be pretty well received. What I find interesting is how people are reacting to this news: they really don’t care. I’m seeing comments like “[...]if they want to sift through my 1,000s of junk mail, they can have it!” or “I use GMail so I kno[w] I’m safe.” Granted, this is only a small sample of the general population and there are some folks out there asking how they can check to see if they were ‘hacked’, but I’m seeing more and more comments like the examples given above.

Is there a growing trend of people getting used to this type of thing?  Are they even aware of the repercussions?  What can infosec nobodies like myself do to help educate?

Considering I don’t really advertise my little blog anywhere, I’m sure not many folks are out there saying to themselves, “Hey! What happened to that b10w guy?! HE PROMISED UPDATES! *flips computer desk*” I had a draft that I left unfinished from back in March. I like where I was going with it, but need to put a bit more thought behind it. I think I’m going to do a series of posts over the next few weeks on how to get security buy-in at your company. I figure since I’ve dealt with this in some fashion over the past 10 years, I should be able to talk fairly intelligently on the subject and will hopefully get some feedback from other folks. I think I’ll call it the “InfoSec Back to Basics” series. Yeah…that sounds dandy.

Well here I am; I’m back and still not having a clue in what direction I’d like to take this blog.  I’ll start by giving a few updates on myself and there may be some security-related items thrown in the mix as well.  I started a new job a few months back and am getting settled in quite nicely.  I have quite a few opportunities and challenges in front of me (read: very big lack of security), but it’s nothing I haven’t dealt with in years past.

In about three weeks I’ll be headed to BlackHat, BSidesLV, and DEFCON 20!  This has to be one of my favorite times of the year where I finally get to see some of my favorite InfoSec folks and see some great talks!  Oh yeah…there are also a few parties to attend.  The fine folks over at LiquidMatrix put together a table of all the parties each year, you should go check it out if you’re going to be in attendance that week!  Other cons of note that I’ll be attending during the remainder of 2012 include: DerbyCon and…well…that’s it.

…and now for a few InfoSec failures since my last post:

  • NeedADebitCard - This one’s pretty self-explanatory after you click on the link. I wonder how the PCI-DSS feels about this one?
  • Flame - LET THE BUZZWORDS FLY!  This little piece of malware came out from under a rock back in May and every Anti Virus/Malware and “Advanced Threat Protection” company started salivating over it.  Some folks even claim that they were the ones to stop Flame dead in its tracks.  That dog & pony show seemed to last a few weeks and then fizzled.

 

Well, it’s been a little over two years since I posted here.  I’ve changed jobs since my last posting and I’ve matured A LOT in this crazy field of InfoSec.  I might not post daily or even weekly, but it’s time I start getting some of these ideas on virtual paper.  So…here’s hoping this run lasts longer than nine posts!

Open Source Information Gathering
First things first: you need to download Chris Gates’ Brucon presentation “Open Source Information Gathering” [PDF] NOW! I wasn’t fortunate enough to attend Brucon, but I took away a lot of great information from this presentation. Lots of talk about the use of Maltego and other great sources/sites to help you gather information on businesses, people, etc. By the way, if you do any sort of information gathering/recon work and you’re not using/haven’t tried Maltego – you need to give it a try! They have a Community Edition that’s free to use and a license for it is VERY reasonable! There, I’ve officially whored out my first product on my blog!

Powershell Ping Sweep
I’m a HUGE fan of PowerShell! I’m definitely not a master at it, but I can definitely get around with it. If you don’t know much about PowerShell or how to use it – this would be a good introduction! The blog entry at securitywhole.com deconstructs the PowerShell command for a very helpful ping sweep. Make sure to check their blog often – the next post over there is going to be the PowerShell version of nslookup and brute-force reverse DNS lookup!
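Here is an added example of the two things that post (and its announced follow-up) cover: a ping sweep of a /24 with an optional reverse DNS lookup on each live host. This is my own illustration, not the code from securitywhole.com; the `Invoke-PingSweep` name, the `192.168.1` base network and the 1–254 host range are assumptions for the example, and it assumes ICMP echo is not filtered on the segment you point it at.

```powershell
# Added example (not from securitywhole.com or this blog): sweep one /24 with
# ICMP echo and, optionally, do a reverse DNS (PTR) lookup on every responder.
function Invoke-PingSweep {
    param(
        [Parameter(Mandatory)][string]$Base,   # first three octets, e.g. "192.168.1" (assumed)
        [int]$Start = 1,                       # first host octet to try
        [int]$End   = 254,                     # last host octet to try
        [switch]$ResolveNames                  # also attempt a PTR lookup per live host
    )

    $Start..$End | ForEach-Object {
        $ip = "$Base.$_"
        # -Quiet returns $true/$false instead of reply objects; one echo per host keeps it fast.
        if (Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            $name = $null
            if ($ResolveNames) {
                # Hosts without a PTR record throw; record that instead of aborting the sweep.
                try   { $name = [System.Net.Dns]::GetHostEntry($ip).HostName }
                catch { $name = '<no PTR>' }
            }
            [PSCustomObject]@{ IPAddress = $ip; HostName = $name }
        }
    }
}

# Usage (base network is an assumption for the example):
# Invoke-PingSweep -Base 192.168.1 -ResolveNames | Format-Table -AutoSize
```

Because each live host is emitted as an object rather than a string, the output can be piped straight into `Export-Csv` or filtered with `Where-Object` for the next step of recon. Keep in mind that a silent host is not necessarily an empty address: Windows Firewall drops ICMP echo by default on many profiles, so treat the sweep as a lower bound and confirm with a port scan where it matters.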

Bank Sues Google After Email is Sent with Sensitive Info to Wrong Address
I’m not going to lie – I’m not a huge fan of Wired. However, when I read this story it made me chuckle a bit. Brief summary: bank employee sends an email with sensitive information unencrypted (information that isn’t supposed to be sent in the first place) – employee realizes that it’s going to the wrong address – employee tries to contact email owner – employee receives no answer – bank sues Google to try and get information about the owner of the email address. Oh, they’re also asking the court that the information be placed under seal so that it isn’t disclosed. Since a good part of my life revolves around compliance, it just leaves me saying that if you’re going to send confidential information: encrypt it! In this case, don’t send information that isn’t supposed to be leaving the confines of the office in the first place!

I check Jeff Moser’s blog from time to time – the guy is wicked smart and his posts are always very interesting and educational.  This week’s post is no exception: A Stick Figure Guide to the Advanced Encryption Standard (AES)!

Offensive Security has officially released the free version of their online training course for Metasploit!! The best part about it: as Metasploit evolves, so will this training/documentation! Since MSF evolves on an almost-weekly basis, they definitely have their work cut out for them! After perusing the site a little bit, I have to say that this training is very thorough and will help the folks new to MSF, and even the more experienced folk may learn a thing or ten.

The current course is being offered as donation-only.  So, if you take the course and you like what you learned – make a donation to help a great cause!  There’s going to be a video/PDF version of this as well in the future, but it’s currently being held back until MSF v3.3.

HOT OFF THE PRESS: The fine folks at liquidmatrix just got word that a new version of BeEF has been released! I believe Dave sums it up the best by saying “For those of you who might not be familiar with the tool it’s a browser exploitation framework that’s full of WIN!” As an added bonus, it includes integration with Metasploit! For more information and screen shots, head on over to Dave’s post at liquidmatrix or just visit BindShell.net!

@Jabra just released this video showcasing all of the new features in BeEF 0.4 – check it out!

SMB2 Remote Exploit Released
Last week an exploit was released dealing with SMB2 causing a DoS on Vista and Server 2008 boxes and the Win7 RC. This week, a well-known security company released a module that contains the remote exploit for this vulnerability. So now you have a choice: DoS the box or 0wn the box. The SANS ISC has released a blurb about this and some workarounds that are probably worth a look-see, and The Register has a decent story about it as well.

HITECH Act Encryption Loophole
The HITECH Act (as well as PCI-DSS) has consumed my time (read: overtaken my life) for quite some time now, so it’s no surprise that I bring up things from this from time to time.  The Register talks about how the Act states that if an organization utilizes encryption (mainly at a disk-level), they’re under no obligation to report a breach to their clients – essentially giving these companies a ‘get out of jail free’ card if a breach were to happen.  Just because you can encrypt your data doesn’t mean you shouldn’t be held liable for a breach of information!

Other Fun Tidbits:

Social-Engineer.org is LIVE
What better way for me to really expand my horizons by leaps and bounds in the realm of social engineering than to have a great resource such as an all-inclusive website focusing solely in this field?!  Social-Engineer.org has some amazing authors and contributors – most I’d say are top in their field (Chris Nickerson, David Kennedy, H.D. Moore, and Mike Murray just to name a few) and will bring a ton of information to the table!  Some other notable parts of the site include:

  • The monthly newsletter that’s going to contain “tips and tricks on Social Engineering, Deception Detection, Influence, Neuro Linguistic Programming, Interviews, tactics, skill enhancers and early bird announcements on some very important industry related items.”
  • The Resources page that contains helpful tutorial videos and tools
  • Most importantly, the Framework – this contains the newest and most innovative information regarding social engineering and is constantly growing thanks to the contributors to the site

Sharing Files Over SocNets??
Ever wanted to share files on your hard drive with people on Twitter and Facebook? NOW YOU CAN! This gets filed in the ‘Are You $#%&ing Kidding Me!?’ category.  From what I’ve read, the PogoPlug device sits on your external USB hard drive and allows you to share whatever resides on that drive.  Can you say P2P via SocNets??  I have a feeling that maybe @Agent0x0 will take this a bit further at some point (I hope, I hope, I hope!)?

New Security Tools Released by Microsoft
HelpNet Security released a quick blurb about the Software Development Lifecycle team at MS releasing two new tools: BinScope Binary Analyzer and MiniFuzz File Fuzzer.  Both I believe are pretty self-explanatory.

Securabit Live Podcast Tonight!
The good folks at Securabit are doing a live podcast tonight (actually…it’s right now) with their special guest: Paul Asadoorian from PaulDotCom.com! Take a listen and learn a thing or two!
