Archive for September, 2007
DoD 8570.1 ISSEP coming?

Honestly, you could probably get away with a Security+ for a while (if you're already in a govt security position) because the 8570.01M indicates the need for a Security+ at the very least at IAM 1.

But if your position actually requires you to take on an IAM role at the Field Operating Agency enclave systems or some other MAJCOM equivalent level, then you should go for the CISSP. The DoD is talking about requiring an **Information System Security Engineering Professional certification, ISSEP (a certification that actually requires the CISSP to even take the test), for enclave systems.

This table is taken straight from the DoD 8570.01M:
[Image: DoD 8570 table, from Tao Security]

More on the 8570:
http://iase.disa.mil/eta/index.html#8570training

**Notes: The 8570 FAQ mentions that “Future updates to the Manual will incorporate specialized elements of the IA workforce. Chapters on System Architecture and Engineering and Computer Network Defense Service Providers have been drafted and are currently entering the formal DoD staffing process.” I haven’t been able to find the new 8570 Draft that refers to ISSEP and ISSAP (specialized CISSP), but I’ve been seeing it in slides and at briefings for about a year now.

Here is what is being proposed. This would actually affect me (I may have to get an ISSEP or ISSAP). Security+ will not cut it if this passes in the next DoD 8570 Draft.

Chapter 10: Information Systems Security Architects/Engineers

| Level | IASAE I | IASAE II | IASAE III |
|---|---|---|---|
| Certs | CISSP | CISSP | ISSEP, ISSAP |

Chapter 11: CND Service Providers

| Role | CND Analyst | CND Infrastructure Support | CND Incident Responder | CND Auditor | CND SP Manager |
|---|---|---|---|---|---|
| Certs | GCIA | MCSA Security, SSCP | GCIH, CSIH | CISA, GSNA | CISSP-SSMP, CISM |

Ref: www.disa.mil/conferences/2007/briefings/iatool_training.ppt (slide 19 from DISA Conference)

SCAM InterShipCo import export email SCAM

*******************BULLSHIT SCAM***********

[b]InterShipCo.[/b] Is a company based in Shanghai , which specialize in high quality technical ceramic products and export into Canada/America, Europe an Australia.

Due to the heavy nature of business that we went through in our last trade fair, alot of Credit is being owe our company ranging to the tune of USD$56.5 million. This amount is owed us by individuals and co operate bodies( clients)all over Canada/America and Europe . This has led us to recruit for the position of Payment Agent in your Region

[b]REQUIIREMENT FOR POSITION ARE:[/b]
1.Honest, Responsible and Dedicated .
2.Having no problem with the Authorities
3.Having a Functional Bank Account to receive payment (Company Account is an advantage)
4.Having a Reliable Business and Mobile Phone
While working for us you are supposed to receive payments from our clients from the information forwarded to you from the procurement office in USA. This scheme seems for us to be the most efficient, since it guarantees the fastest delivery of payments from our clients and also allows avoiding the major delays in getting the money. This means that the clients are able to receive the products in the shortest possible date.

[b]WHAT IS YOUR INTEREST?[/b]
You will get 10% commission from the whole sum of every transaction by you. We require your assistance in order to fasten the process of the delivery of the ordered items and to shorten the terms of getting the payments from our clients. Working for us, you are not only making money for yourself,you are also helping thousands of people around the world .

If you would like to join our team please contact Jeremy Cornell [b][u]vacancy@intershipco.com[/u][/b] with the following informations below:

[u]FULL NAME:
CONTACT ADDRESS:
TEL/FAX NUMBER:
EMAIL:
AGE:
MARITAL STATUS:
FAMILY SIZE:
PRESENT EMPLOYER:
OCCUPATIONAL STATUS:
PRESENT INCOME:
COUNTRY:
[/u]

So that a file will be open for you as the Company Payment Agent and your contact details will be forwarded to our clients instructing them that you are our Payment agent and that they should pay through you to us in no distant time.

Thank You for your time.
Jeremy Cornell
Staffing/Managment Group

***************BULLSHIT SCAM*************

Information Security – Google

Information Security

Subject: Information Security Posted: Wed Sep 12, 2007 9:04 am (GMT 0) Topic Replies: 0 Hi, Currently all our libraries have generic logins for talis alto so that alto can be left logged on for all staff to use.


Talis Forums – http://www.talis.com/forums/


Personal Information Security IV


By John Sumser

The difficulty with a conversation about information security in the domestic American marketplace is that few people are really interested in solving the problem. Instead, the recent brouhaha is essentially a marketing component of the


Recruiting.com – Recruiting.com – http://www.recruiting.com/recruiting/rss.xml


The Fifth Annual Global State of Information Security


Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise


Forum of Incident Response and… – http://www.first.org/newsroom/globalsecurity/


The Death of Leadership in Management


Category: Security Basics. Paper Added: September 12, 2007.


SANS Information Security Reading Room – http://www.sans.org/reading_room/


My wife is pretty, smart, AND security conscious


By m1a1vet@infosecplace.com (Michael R. Farnum)

The lady said that for some reason they couldn’t find our credit card information in their system, so they could not credit our card. So, she asked my wife for our credit card number. My wife told her that she was not comfortable giving


An Information Security Place – http://infosecplace.com/blog

Encrypt ALL gmail traffic

Another great post from dmiessler:
Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like any other legitimate service provider, encrypts login traffic, but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

http://dmiessler.com/blogarchive/why-you-should-encrypt-all-of-your-google-activities-poc

Guinness Customers Promotion SCAM

***************SCAM********SCAM************SCAM******
GUINNESS® CUSTORMERS PROMOTION
Dv-2007 program
Guinness plc, South Africa.
St Christo road (Sun City)

FINAL_ NOTIFICATION.
We happily inform you about our (guinness® national lottery program)held on the 12Th of September 2007, which you enterd as a dependent client and finally took the 1st position in our second category winners, that falls within the west africa region. Your email was attached to the ticket number(44-40-23-777-01) which made you a winner of $500,000 Thousand dollars and your name being recorded in our guinness world book of record as the 1st lucky winner of the year 2007. You have been approved the sum of $500,000 Thousand dollars which will be sent accross to you through a guiness draft immediately. All emails are selected randomly through a computer ballot which subsequently won you the sweeptake of guinness internet web lottery.

CONGRATULATIONS YOU EMERGED OUR WINNER!!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
This is part of our security mearsures to avoid double claiming or unwarranted taking advantage of the situation by other participant or impersonators.
Here is our fiduciary agent responsible for your winning claims.
MRS LILY SMITH
EMAIL:lilysmith_fiduciaryagent@yahoo.co.uk

GUINNESS® CLAIMING SECURITY AGENT.
= = = = = = = = = = = = = = = = = = = = == == = = =
You are required to forward the following details to help facilitate the processing of your GUINNESS® CLAIMS OF CERTIFICATE.

Fullnames
Residential address

Phone number
Occupation
Sex
Age
Present country
Marrtal status.

ONCE AGAIN CONGRATULATION!!!!
Yours sincerely
BERNARD COLINS.

GUINNESS®CUSTORMERS PROMOTION.

WARNING!!!! WARNING!!!!
KEEP THIS INFORMATION CONFIDENTIAL AND BE CAREFULL OF SCAM MAILS

Hilarious SCAM. Don’t fall for it.

EITDR – enterprise information technology data repository

EITDR

30 Aug 11 – Update *USAF Recently changed the functionality of EITDR

To all System Security Engineers and Information Assurance Officers,

Here is something you might need to know. The Air Force is conducting none of its C&A (soon Risk Management Framework) through EITDR. The USAF is moving to eMASS. As of Aug 2011, the USAF is still using EITDR to do IT portfolio management (to remain compliant with FISMA). EITDR feeds into the DoD IT Portfolio Registry (DITPR) database. Each branch has its own IT registry: the Army has the Portfolio Management System (APMS), and the Navy/Marines have the DITPR-DON. All of these systems are used to “record investment review and certification submission information, FISMA assessments, E-Authentication status, and Privacy Impact Assessment status” (Office of the Assistant Secretary of the Navy).

Each branch has an agency that controls these databases. For example, the Air Force has AFNIC (previously the Air Force Communications Agency, AFCA), and the Army has the Installation Management Agency. These agencies moderate the certification & accreditation process. The IT Lean (acquisitions process) and the SISSU (security, interoperability, supportability, sustainability and usability) processes are integrated into the EITDR/DITPR-DON/APMS. Once you complete all the questions for your registered system, you will have accomplished complete SSAA, DIACAP, and even ISP packages.

For more information search the public.afca.af.mil (USAF). Everything you need to know is there. Also call or email AFCA/EV to learn more.
Army can go –>https://www.us.army.mil/suite/folder/4920492

NSL provision in PATRIOT Act struck down by federal court

The National Security Letter (NSL) provision of the PATRIOT Act was
struck down today by federal court judge Victor Marrero. The
controversial NSL provision has allowed the FBI to secretly demand
access to records held by organizations like libraries and Internet
service providers. National Security Letters, which can be used without
probable cause or judicial oversight, also impose “gag” restrictions on
recipients, forbidding them from disclosing that they have received the
letter.

http://arstechnica.com/news.ars/post/20070906-patriot-act-provision-struck-down-by-federal-court.html

Fgpyyih804423 in 160 seconds. How Safe is Your Windows Password?

The multi-platform password cracker Ophcrack is incredibly fast. How
fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most
people would consider that password fairly secure. The Microsoft
password strength checker rates it “strong”. The Geekwisdom password
strength meter rates it “mediocre”.

–> http://www.codinghorror.com/blog/archives/000949.html

The liberty/security debate

From FISA fixes to appointing a new attorney general, Congress will have
many opportunities to have an honest, open discussion.
September 10, 2007

This nation is overdue for a serious conversation about how to balance
liberty and security — a conversation that must include not only the Bush
administration and a heretofore compliant Congress but the public as well.
Citizens shouldn’t have to guess about how much privacy they are
sacrificing in the war on terrorism.

Congress will deal with this dilemma on several fronts in the coming
months. It must enact permanent legislation to replace this summer’s
temporary “fix” in the Foreign Intelligence Surveillance Act. It will take
a new look at USA Patriot Act provisions — declared unconstitutional last
week by a federal judge — that allow the FBI to obtain telephone and
business records with “national security letters” that don’t require a
judge’s approval and swear some recipients to secrecy. Finally, Senate
confirmation hearings for a new attorney general will require the nominee
to say whether he or she shares Alberto R. Gonzales’ expansive view of
presidential power.


China ‘tops list’ of cyber-hackers seeking UK government secrets

China leads the list of countries hacking into government computers that
contain Britain’s military and foreign policy secrets, Whitehall sources
said yesterday.

The emergence of Beijing as one of the most hostile state hackers has
been highlighted in the United States this week, with allegations that
the Chinese People’s Liberation Army tried to extract secrets from a
computer in the Pentagon office of Robert Gates, the US Defense
Secretary.

President Bush suggested that he intended to confront China directly
over the claims that it has been trying to hack into Pentagon and other
US government computers. Mr. Bush hinted that he was prepared to risk a
diplomatic rift by raising the sensitive issue with President Hu Jintao
when the pair meet in Sydney today at the Asia-Pacific Economic
Cooperation (Apec) summit.

More
http://www.timesonline.co.uk/tol/news/world/asia/article2393979.ece