iPad Security Hole

ipad security hole

ipad security hole

This list of government emails is why the Department of Defense does not usually implement bleeding edge information technologies into operational environments. These DoD emails were taken from an iPad prototype and lists early adopters of the system. The iPad and AT&T had a gapping security hole dealing with Safari. The vulnerability allowed gray hat hackers the ability to harvest the e-mail addresses that iPad 3G buyers provided to activate their device.

My job as the resident “security guy” places me at the butt of jokes that serve as the passive aggressive means of venting the frustration that my co-workers feel about the strict military and DoD policies. Security is almost never appreciated until an information system’s security is broken or breached. And even then solutions only come after blame and public humiliation.

Why did so many important government figures decide to risk using the new iPad without proper military grade testing and scrutiny is the biggest question. I would expect a start up in Silicon Valley to grab an iPad the first day it comes out but not U.S. military organization in the middle of two wars.

more here:

http://money.cnn.com/2010/06/09/technology/iPad_email_breach/index.htm?postversion=2010061009

http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

Evil Plug-ins

I love plug-ins! I love them on Firefox, WordPress, Dreamweaver and now on Chrome. It has crossed my mind that some of these plug-ins could be created and distributed by very smart people with criminal or mischievous intent. But the reality of bad plug-ins didn’t hit me until I noticed a link on digg.com about Stealing Logins using Google Chrome Extensions. I am no programmer but understand enough to see how cleaver it is.

Basically, someone creates a innocent looking extension or plug-in, they distribute it and the innocent looking plug-in/extension sends your personal information to where ever.

How can a person avoid this?! I guess the safest way would be to not use ANY plug-ins and extensions.. but that is over kill.
I know that I am pretty paranoid about WordPress extensions/plug-ins but the open source community is pretty good about peer reviewing, testing and reviewing some of the more popular plug-ins. When it comes to software I depend heavily on reviews of others who have used the product. If there are no reviews (even on forums or dev/plug-in sites), I usually consider the app to risky.

Sometimes what I do is try the app/extension/plug-in on a site/blog I don’t care as much about. In the case of browser plug-ins, I use a single trusted browser with minimal plug-ins to do important sensitive/personal transactions. Most of the stuff I do on the web does not require so much scrutiny.

Unfortunately, there is always a risk with plug-ins, apps, and extensions. All we can really do is manage the risk, by being careful and suspicious.

Thanks Mr. Grech for the knowledge.

Find an IT Security Jobs

So do you have any suggestions for someone starting out in IT Security? What certifications, knowledge, training, forums, do you suggest? They will pay for the A+ cert, Network + and Security + certification. Do you have any suggestions for someone just starting out in security? After CompTia what should I focus on. Although I’m not sure yet of my final career goals, I’d like to first get a job very quickly in IT security, hopefully with the government, state, or any local government; when I say quick I mean within the next few weeks Thanks Rob for whatever info you can suggest

Hello,

If you want a job fast I would suggest checking out simplyhired.com. I would also put my resume out on Monster.com, if you have not already done so. If you want a security job the security+ is the way to go, but also consider doing a search on monster and simplyhired to look at the skills and certifications that employers are looking for. Pay particular attension to keywords and phrases that they are using. You will know the keywords/phrase because they are repeated in nearly every resume for your chosen career path and/or job title.

How I get Jobs Fast
For example, in my career “system security engineer” and “information security officer” I see the following keywords/phrases over and over: security clearance, cissp, 8500, diacap. If noticed that when I have these keywords on my resume, I get calls almost DAILY from all over the US. Here is how you can do the same:
1) Find a good job title that fits what you do or what you want to do
2) Do a search for that job title [use google, simplyhired.com, monster.com, dice.com or any other search engine/job database]
– Read through the job results and try to find keywords/phrases that seem to be in most or all of the jobs listed
3) Try to get as many of the applicable keywords/phrases in your resume
– Either have the skills required for the chosen job title or begin working toward them
– I am not suggesting that you put lies on your resume, you’ll have to look for job titles that you have experience & skills in
– Don’t mess with stuff that completely out of your league or level of expertise, be honest on your resume
– Sometimes employers will take you if you are willing to learn the skills or earn the require certification/degree in a certain time frame. Put that on your resume.
4) Put your resume [with keywords/phrases in place] online, as many places as you can

Research Employer Demand in certain locations
I am from California and I have been trying for years to find a decent job (for what I do) there. They’ve got them in southern California but almost none in Northern. California seems to be lacking jobs and then they don’t want to pay comparable to the cost of living there. I noticed that Cali has a LOT of networking jobs. If you type in CCNP in simplyhired.com for Cali, you’ll find a lot of good paying jobs. The problem is that CCNP is a very difficult certification to get (or so I’ve heard).

I would recommend checking out what sort of IT skills employers are looking for in the area you want to work. For example, even though I have lots of certifications, most of the ones that I have [that are still active lol] won’t help me for moving back to Northern California. I researched it and found that they are mostly looking for Network Engineers [as of 2006-2010] and my Cisco routing and switching skills are still developing.

Play Capitalisms Game: Start a Business
Another option is to start your own business. This may sound daunting, but believe it or not my website elamb.org qualifies as a business. It took me about 1 year to get it making money, but now it makes between $400 – 800/month without me even looking at it. It has made as much as 2k and I know people who make more in a month then many people make in a year with their blogs. It is becoming harder and harder to be an employee. Companies do the bare minimum to take care of employees, the economy goes in a recession (or worse) and hard working people can not find a job and the value of the dollar flutuates on a downward spiral. It seems the only way to be comfortable in this new “capitalism” is to have multiple streams of income.

If you are interested, start at your states business page and here

Thanks,
Rob E.

DIACAP Essentials + IA Control Validation Training (part 1)

UPDAT: 2014 – Risk Management Framework for DOD IT released.

I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPE’s to maintain my CISSP.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
Security process).

IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
(DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.

You Hack US, We Nuke You!

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –

Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S, hand, but no proof at all allowing plausible deniability. It should be black Ops hacks, very well coordinated, very well funded and full time.

I don’t think the US can be complacent or wrecklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable asset, information.

Validation: Track the Results

If you are doing Certification & Accreditation then you know it’s all about the documentation.

But its not just about reviewing the documentation that a system is supposed to have. If you’re in the business of getting systems validated sometimes you’ll have to produce the documentation.

An IA Analyst, system security engineer or Information Assurance Officer (IAO) usually documents the results of their security tests. For example, if they run a Retina Scan they will want to generate a report that has the results of that network or system scan.

DoD Information Assurance Certification & Accreditation (DIACAP) Knowledge Service, the Enterprise Information Technology Data Repository (EITDR) and other IT profile databases have very detailed information on what the final Validators are looking for.

If you’re in line with the final validators you will not have much of a problem, because they will approve the system and move it on to the Designated Approval Authority (DAA).

Dangers of Surfing the Web with an Admin Account

If you bought a Dell or Gateway, more than likely you only have one account on your computer with no password. That account runs as the administrator. If your system has no user name or password applied, it is running as an administrator account.

This is how so many people get viruses. When you surf the web as an administrator is allows malicious applications (viruses, worms, Trojans and other malware) to download to your computer and run as the administrator. This means they can replace system files with viruses, create back doors and harm other computers on your network. They can also spy on you manipulate your browser or do anything else they want to do.

One way to greatly minimize the effects of viruses is to create accounts on your system and only use the administrator account when its necessary. Create a limited user account that you use when surfing the web, getting into your email or doing other small tasks that don’t require downloading or installing applications.

With a limited account, even if the malware is downloaded, it will not be able to install.

More GMAIL Problems

This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while gmail is opened:

According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
gnucitizen

As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

More at Makeusof.com

The Google Fix

derad: Malicious “Security Warning” Popups

Here is some good quick advice from my fellow blogger Debra Radcliff:

Panda Security reports increased spread and success of popup “security warnings.” These warnings popup when people surf the Web and hit a malicious or infected Website, and keep flashing their warnings until the user goes to the link, at which time they get infected.

No legitimate security company would do this to a computer, so don’t click the link. Instead, disconnect from the Internet, clear your browser history and restart your computer. If your browser is still flashing warnings, the system will need to be disinfected through anti-virus or a computer restoration service.

Usually these false security warnings are a symptom of something much worse. I’ve had some that will actually not allow you to do much of anything but click on the link in their fake pop-up. What I did was a system restore, but you can also boot in Safe mode and attempt to clean the system.

419 the Nigerian Scam, the movie

Sorin Mihailovici is making a movie about the Nigerian scammers.
Sorin Mihailovici

419: the Nigerian Scam is about the scam e-mails that people receive daily. The Internet is flooded with e-mails promising money-making business proposals, lottery win notifications, and fabulous inheritances. This is the story of how one man’s involvement with such an Internet scam ruined his life. Before I started shooting, I myself exchanged a few e-mails with real scammers from Nigeria and Ivory Coast. They even send me “documents” certifying all kinds of positions and deals that they have. The inclusion of this real correspondence with the scammers gave an added level of realism to my film.

Heckle Spray

I hope the movie goes viral, goes on CNN all major news outlets so that people will be cautious about the traps set on the web’s ruthless anarchy. The price of true freedom only available in the newly discovered digital landscape.

While I don’t think an ‘eye for an eye’ type justice will come to all of the third world country online scavengers, I do believe there is hope for potential victims. My hope is in the spark of awareness that can be ignited by media like Sorin Mihailovici’s movie or this little blog. If I can help even one person NOT send a penny to an online liar, then I feel like these words I publish are worth it.

1 2 3 4 6