Archive for August, 2007
Which Security Certification Should I Get?

If you can, get the CISSP; don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2 CISSP number on it.

The statement above will piss off a lot of security people, but it is the truth... the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pros, don’t hate the blogger, hate the game. I didn’t create the rules, I just hack them.

Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man’”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamo, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘I created Defcon and sold it in 2005 for 14mil’ Moss, Bruce ‘I decrypted code as a fetus’ Schneier...

For average bastards like you and me, the CISSP is the way to go.

I do agree with DMiessler and Mckeay:

“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.” — dm

“...the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay

Though you may see a couple of technical questions on the test, the overall test is pretty high level, unlike the Certified Ethical Hacker or the CCNA, which ask specific technical questions about specific technical issues.

So what should you go for on the Security Certification front?
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organizations look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give you so much credibility (even if you don’t deserve it).

A NOTE of caution: If you get it, be real with yourself. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. It’s just a test. It’s not an I.Q. test or the Bar. It’s just a test. If you have passed, congratulations... now the real work begins. Good security professionals are ALWAYS learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, Master of ONE”.

You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.

Building to the CISSP:
Beginner: if you’re just starting, you want CompTIA’s Security+ certification.
Now, if you’re just trying to be the guy who looks at audit logs all day and reports what he sees, then you’re golden. But if you’re serious about security, then you need to play the game: get the damn CISSP (do not pass go, do not collect $200). It pays better than a Security+... much better.

Serious Beginner
Get into any kind of Information Security position and earn some “street cred”. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks); you can still use it to your advantage by working your way into security tasks. If you’re in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is to get into the security mindset and also rack up some experience. A degree will help too, especially from a school that allows you to set up a lab.

Novice Security

After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already, I would recommend joining the Information Systems Security Association (ISSA). You’ll begin to network with other security folks from every corner of the field, from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as far as certification credibility goes, but you will need to specialize.

I found the test challenging. You don’t want to take it twice, that is for damn sure. Just make sure you’re ready. You’ll have to have about 5 years total security experience.

Now check this out:

“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2

Even a Master’s degree will only replace a maximum of 1 year of experience (sounds like *NS to me):

“Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.” –ISC2

*NS = nonsense

FBI point, click, Spy

The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act.

The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation’s telecom infrastructure than observers suspected.

It’s a “comprehensive wiretap system that intercepts wire-line phones, cellular phones, SMS and push-to-talk systems,” says Steven Bellovin, a Columbia University computer science professor and longtime surveillance expert.

More at the source, which also has the System Security Plan for the push-button surveillance system:

“The DCS 3000 is an Electronic Surveillance (ELSUR) collection system that supports Criminal Law Enforcement (CLE) as well as Foreign Intelligence Surveillance Act (FISA) Pen Register investigations. The Operational Technology Division (OTD), Electronic Surveillance Technology Section (ESTS), Telecommunications Intercept and Collection Technology Unit (TICTU) developed and deployed the DCS 3000 system in Central Monitoring Plants (CMPs) in various FBI offices. This SSP documents the security policies and procedures for the DCS 3000 system. In addition, this plan delineates responsibilities and expected behavior of all individuals who access the system. This plan establishes the approved operational baseline and configuration and is the basis for the type certification and accreditation of the DCS 3000, regardless of the physical location of systems within the FBI. This document has been prepared in accordance with guidance provided by the FBI Certification and Accreditation (C&A) Handbook Version 2.1, June 1, 2005.”

The entire System Security Plan Certification & Accreditation Plan for the DCS3000

State of the North American Union: Mexican Trucks Begin Crossing Border Saturday

The decision to open up the borders for the sake of business was made in the 90s by the first Bush, finalized by President Clinton and nurtured by David Rockefeller (CFR). The entire package was called the North American Free Trade Agreement [NAFTA]. Many of the same concerns were brought up back then.

Truckers from Mexico will be delivering goods as early as Labor Day weekend 2007.

The expected employment effects of NAFTA were by far the most common point of debate and were at the center of a series of Senate Finance Committee hearings held during Sep., 1992 and again in Sep., 1993. It was well understood that NAFTA would lead to job decreases in some sectors and job creation in others. The main point of contention was the expected net effects of NAFTA on employment. The position of the committee members, the administration and public witnesses on this point were often polarized. Senator Donald Riegle Jr. (D-Mich.), for example, noted in his opening statement at Sep. 8, 1992 Senate Finance Committee hearings, “The main export we are going to ship to Mexico under the agreement, apparently, as it has been negotiated here, is going to be jobs.”(5) This sentiment was echoed by Thomas R. Donahue, secretary-treasurer of the AFL-CIO as he noted in his prepared 1993 statement, “In brief, the AFL-CIO believes that the adoption of [NAFTA] would seriously harm the US economy, resulting in the loss of hundreds of thousands of American jobs and a decline in the nation’s standard of living.”(6) Whereas administration witness, US Trade Representative, Carla Hills, held the opposite view as she noted in 1992, “This agreement will generate new, higher-paying jobs for Americans. More than 600,000 Americans now owe their jobs to our exports to Mexico. This number is expected to swell to over 1 million by 1995 with NAFTA.”(7) — Find Articles

“What a slap in the face to American workers, opening the highways to dangerous trucks on Labor Day weekend, one of the busiest driving weekends of the year,” said Teamsters President Jim Hoffa.
Joining the Teamsters in seeking the emergency stay were the Sierra Club and Public Citizen.
“Before providing unconditional access throughout the country to tens of thousands of big rigs we know little to nothing about, we must insure they meet safety and environmental standards,” Sierra Club executive director Carl Pope said.

The Federal Motor Carrier Safety Administration, in a statement, said it was working closely with the department’s inspector general “as his office completes an additional assessment of the program and we prepare a detailed response to that report.”

The Bush administration said last week it would start the cross-border program once the Transportation Department’s inspector general certifies safety and inspection plans.

The elected officials voting on NAFTA were influenced greatly by the cold hard cash of lobbyists who wanted it to happen. David Rockefeller & Dick Cheney of the Council on Foreign Relations had a LOT to do with NAFTA.

Dick Cheney keeping CFR Secrets


But why would the CFR support this:

Is this really going to happen:

If there is a North American Union, why isn’t it on the news:

bonus conspiracy theory: Hacked?

“Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.”

— More at Symantec

REAL threats for federal ID mandates

The US federal government is threatening states that don’t participate in the REAL ID Act.

A showdown is looming. If the Real ID law stands, residents of states that refuse to comply wouldn’t be able to use their driver’s licenses as identification to engage in federally regulated activities, such as boarding airplanes or entering a federal court house. The law sets a deadline of May 11, 2008, though states could apply for a five-year extension. — Boston

Bruce Schneier’s Defcon Badge Goes for $200+

on schneier's cryptological dick
Get off of Bruce’s dick..

I was hoping to snatch it up for $3. To my surprise, it is over 200 ducats! The hell with that.

Note to Self: Google has a Security Blog

Google’s Security Blog is thin on posts, but here it is: Google Security

Plaza East public housing development Security Cameras Ineffective?

An article at the SF Chronicle discusses the ineffectiveness of 178 cameras in a public housing development.

“[The cameras] have never helped police officers arrest a homicide suspect even though about a quarter of the city’s homicides occur on or near public housing property, city officials say.”

But it may not necessarily be the security cameras that are ineffective as much as the security program using that tool. The article inadvertently mentions this:

“NOBODY MONITORS THE CAMERAS, and the videos are seen only if police specifically request it from San Francisco Housing Authority officials. The cameras have occasionally managed to miss crimes happening in front of them because they were trained in another direction, and FOOTAGE IS PARTICULARLY GRAINY AT NIGHT when most crime occurs, according to police and city officials.”

Without a proper security program that requires tasks such as an individual actually monitoring the cameras, a camera system is simply a deterrent for some crimes rather than a proactive extension of security that prevents most (if not all) crimes.

India @ 60

Happy Birthday, India! Welcome to the arms race. You’ve gone from the most enlightened, wise and ancient spiritual civilization to a Westernized nuclear power.

Sarcasm aside, I think it’s great that India is sprinting into modernization. As a nation they have already done a lot to stimulate a global economy. I guess the standoff with Pakistan is inevitable.

“Gandhi’s dream of a free India will only be fully realized when we banish poverty from our midst,” Singh told a crowd of thousands of dignitaries and schoolchildren dressed in the orange, white and green of the Indian flag, referring to independence leader Mohandas Gandhi. —newstaronline

Security was tight across India for the festivities. Police stepped up security around the Taj Mahal, India’s famed white-marble monument to love, saying there was a specific threat to the site.

p.s. thanks for producing the most beautiful woman in the world: Aishwarya Rai (Miss World 1994, and a ton of movies)

Google Space

Google has an unorthodox style of business that continues to astound me. For one thing, they started giving out 2 gigs of free space while Yahoo/MSN and others were still giving 250M and closing out accounts after 30 days of no activity. They also give 1 gig of space for pictures with Picasa. Now they give 6 gigs of hard drive space for a measly $20/year.

There were some rumors about them doing something called “gdrive”, which would be an application that would use a bit of space on personal computers around the world. Genius! It can be quite secure too. I saw some technology built into the Sidewinder Firewall that effectively separated every service into its own area of the hard drive, so that if that service was compromised it would not do damage to the rest of the system.