More GMAIL Problems
November 22, 2008
This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that Google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while Gmail is open:
According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
– gnucitizen
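Because the injected filter persists after the underlying flaw is fixed, the practical check is to review the filter list itself. The following is an added example, not part of the original post or the quoted write-up: it audits an exported filter list for rules that forward mail outside trusted domains. The XML layout and property names are assumed to match Gmail's Atom-based filter export; the sample data and the `trusted_domains` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the Atom layout of a Gmail filter export (assumed format).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='news@lists.example'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasAttachment' value='true'/>
    <apps:property name='forwardTo' value='collector@unknown.example'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='billing@vendor.example'/>
    <apps:property name='forwardTo' value='accounts@corp.example'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='forwardTo' value='Archive@Unknown.Example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

# Properties that narrow which messages a filter matches.
CRITERIA = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord", "hasAttachment"}


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_forwarding(xml_text, trusted_domains):
    """Flag filters that forward mail to a domain outside trusted_domains."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for index, props in enumerate(parse_filters(xml_text), start=1):
        target = props.get("forwardTo", "").strip().lower()
        if not target or target.rpartition("@")[2] in trusted:
            continue  # no forwarding action, or forwarding stays in a trusted domain
        used = CRITERIA & props.keys()
        reasons = []
        if not used:
            reasons.append("no match criteria: every message is forwarded")
        if used == {"hasAttachment"} and props["hasAttachment"] == "true":
            reasons.append("matches every message with an attachment")
        if props.get("shouldTrash") == "true" or props.get("shouldArchive") == "true":
            reasons.append("original is hidden from the inbox")
        findings.append({"filter": index, "forward_to": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for item in audit_forwarding(SAMPLE_EXPORT, {"corp.example"}):
        detail = "; ".join(item["reasons"]) or "external forward"
        print("filter #%d -> %s: %s" % (item["filter"], item["forward_to"], detail))
```

Run it against a fresh export after any suspected account compromise, and again after the password has been changed, since a forwarding rule survives a password reset.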
As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.
You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/
I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.
Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.
Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM
More at MakeUseOf.com
Forensics & Security of Memristor
May 1, 2008
2008 April: A new type of electronics has been created that will allow flash memory to retain system state data. In other words, you could be in the middle of typing a document, all the power could shut down and when you were able to get the system back up, you’d be exactly where you left off. This is not the same as some sort of application based data recovery that saves periodically to a temp file on the hard drive (such as MS Word document recovery); we are talking about your entire system’s state being instantly saved (remembered) by a memristor computer. So the memristor is more like the human brain. That also means your system could have an instant “light switch” type boot exactly where you left off.
Scientists Create First Memristor: Missing Fourth Electronic Circuit Element
For the former, Williams says scientists can now think about fabricating a new type of non-volatile random access memory (RAM) – or memory chips that don’t forget what power state they were in when a computer is shut off. That’s the big problem with DRAM today, he says. “When you turn the power off on your PC, the DRAM forgets what was there. So the next time you turn the power on you’ve got to sit there and wait while all of this stuff that you need to run your computer is loaded into the DRAM from the hard disk.”
With non-volatile RAM, that process would be instantaneous and your PC would be in the same state as when you turned it off.
Scientists also envision building other types of circuits in which the memristor would be used as an analog device.
Indeed, Leon himself noted the similarity between his own predictions of the properties for a memristor and what was then known about synapses in the brain. One of his suggestions was that you could perhaps do some type of neuronal computing using memristors.
But this got me thinking, what does this mean for forensics? Won’t it be easier to know exactly what a criminal was up to before the cops busted his door down? How long does the data stay in the memristor RAM? I’m certain there would be ways to erase the memristor RAM memory at intervals... maybe even encrypt the memristor data. One might even be able to use normal RAM as a front end and the memristor as an optional backup. There might also be really cool (scary) spy equipment planted in your system or clamped easily to a bit of wire on your CAT5 LAN cable that would capture all packets.
How I got into Security
June 13, 2007
Martin McKeay over at the Network Security Blog asks “How did you get into Security?” That is a good question. It’s something that I’ve been asked and what I like to ask others in the business.
Up until recently, I’ve done security my entire adult life very reluctantly. I started off in the military as a Security Policeman (now called security forces). I was a security specialist and was groomed into law enforcement. The description sounded like special forces. And even though security forces do some pretty cool stuff it’s NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy Seals and Delta Force do. Instead it’s like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).
I had about five years learning every aspect of physical security. I later “cross trained” into communications expecting to do some hardcore technical stuff. And I did, but while I wanted Routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC) a little of everything. My experience in the military made it easier for me to pass the CISSP which covers a little of everything.
These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations.
Security+ Instructor: Communications Security domain
September 9, 2006
Today, I did my first certification lecture.
As I think about how many common public speaking mistakes I made out of nervousness, it makes me laugh. I repeated things like “um”, “and what not”, “that kind of stuff”. I stuttered and stammered.
I did my best so I still feel good about what I did. It is actually volunteer work for the local ISSA chapter as well as a way to get “CPEs” or Continued Professional Education points toward my CISSP certification (have to get 120 in the course of 3 years).
It was actually a really good refresher course for me. I love helping people so it was a pleasure to put out some helpful material to fellow Information Security professionals, but I need to get better at public speaking.
Our local Information System Security Association Chapter here in the Springs puts on certification classes a few times a year for CompTIA Security+ and the CISSP. I hope that they eventually drum up enough interest for a Certified Ethical Hacker course.
Training on Security+
September 25, 2005
I will be doing training on the Security+ for the ISSA-COS. I'm training the Communication Security portion of the test. This is one of my favorite sections.
I told the ISSA guys I'd do it as long as I didn't have to train on Crypto which is one of my weaker subjects.
I'm excited about the training because I feel like I will really be
able to help people ace this test. Most security professionals
who have been IT for more than a couple of years won't have a problem
studying for it and passing it.
It really is just basic technical information security
stuff. There is also a lot of support on the Internet for
this test: practice tests, guidance on what to study, and
encouragement.
Don't sweat this test. Especially if you've studied.
The ISSEP: Information System Security Engineering Professional (ISSEP) certification
September 14, 2005
I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP are things I do or have to deal with daily it seems like a good idea.
What is the ISSEP?
The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all encompassing general look at security, the ISSEP is a concentration on system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as “the art of and science of discovering users security needs, and designing and making with economy and elegance information systems so that they can safely resist the forces they might be subjected to.”
System Security Engineers tasks:
Discover Information Protection Needs
Define system Security Requirements
Design System Security Architectures
Develop Detailed Security Design
Implement System Security
Assess Information Protection Effectiveness
Instead of ten Domains the ISSEP has four:
System Security Engineering
Certification and Accreditation
Technical Management
U.S. Government Information Assurance Regulations
Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).
My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult.
The CISSP is so broad that you could not possibly get all the information from a single source.
http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
www.nsa.gov
www.isc2.org
Taking the CISSP: part 1
August 25, 2005
I took the CISSP. I really don’t know what to say about it aside from acknowledging that it was extremely difficult. Andrew Briney’s article is the most accurate description of the CISSP test. Briney says, “It’s a mystery wrapped in riddle inside an enigma.”
His other very true point:
“The exam is best characterized as an ‘inch deep and a mile wide.’ Whether this makes it easy or difficult is a matter of perspective.”
For me the hardest part was the answers. I feel like I’ve mastered the art of studying for a test. The fact that there is so much knowledge crammed in a 250 question test makes my study techniques watered down. It’s very difficult to cover all 10 domains effectively.
I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass. If I don’t study, I fail. I’ve learned to live with this. I know my weakness. I just second guess myself too much on every answer. I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray. For me that is where the difficulty lies. The CISSP wants you to choose the “best” answer. So while many or even ALL of the answers might be true, there is only one BEST answer. But my best might not be your best.
I’ve taken many certifications. They have become almost a hobby of mine. In June, I took the Security+ hoping it would help prepare me for the CISSP. First of all let me just say comparing the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School. There is NO freakin’ comparison… NONE, do you hear me! The preparation that I put into the Security+ is what helped me in my CISSP success. That being said, there were about 6 very similar questions from the Security+ that were on the CISSP but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.
As I said, I’ve taken many certs. And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled than some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry. With the possible exception of the CISA, the CISSP is the most exalted security cert you can get right now. Many say that any dependency on certification is what is lowering the amount of IT and security professionals with skills. While there may be truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee. Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.
NO certification I have taken comes within an Astronomical Unit of the CISSP. Of course I’m not an MCSE or a CCNP (though I’ve tasted the fruits of both) so perhaps there is a match in its level of difficulty.
Having taken the test I don’t feel I was fully prepared even though I have legitimate experience in nearly all aspects of security, I read a book and studied on and off for a year before taking the test. I tell you, this test beat the shit out of me. They give you 6 hours to complete the test and I finished in 5 1/2 hours. When I was done, I was sure I’d failed. I started trying to think of ways I’d pay the company back since they would not pay for a failed certification. I also started studying for the repeat. I was pleasantly surprised when I got the “congratulations” email.
Adequate study for me would have consisted of reading no less than two “600 page” books and going to a boot camp.
This is the best online CISSP resource I have found: www.cccure.org.
Special Shout outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.
ASIS and ISSA join forces
August 18, 2005
Today I went to the ISSA luncheon. The local ISSA chapter joined forces with an organization called A.S.I.S International (formerly American Society for Industrial Security).
ASIS seems to be composed of a lot of physical security professionals (i.e. protecting critical infrastructure). Where ISSA assists its members in attaining CISSP, forensics certs and the Security+, ASIS concentrates on Certified Protection Professional (CPP), Physical Security Professional (PSP), and Professional Certified Investigator (PCI).
With my background in physical security, I fit right into their world. I plan on attending one of their meetings in the future.
Between ASIS and ISSA members we filled an auditorium. With that kind of networking something big is beginning to happen in Colorado.
Today's presentation of a smart card reader system had a lot of crossover appeal for both information security professionals and physical security professionals alike.
Security+ vs. CISSP Part 1
July 18, 2005
I took the Security+ certification test. I didn't read any books but I did read a lot of test questions, went to a seminar sponsored by my local ISSA chapter and I've got a few years experience in all the Security+ domains. After studying hard for a few weeks, I don't think that the test was that hard. If I had not been prepared then I can see how it might have been difficult as there are some pretty specific questions on things I did four years ago.
The Security+ is NOTHING compared to the CISSP. I've yet to take the actual CISSP cert test, but as I've been studying it is VERY clear that these tests are from different planets. It is like comparing the CompTIA N+ to Cisco's CCNP or CCIE… o.k. maybe not CCIE, but CCNP for sure.
I've been studying to take the CISSP on and off for about a year due to a fairly full plate. I plan on taking the test in the next few months so I've started reading up on some practice questions. My original plan was to get a Security+ cert so that I could prepare for the CISSP. As I've been reading the practice questions on CISSP I'm finding that the Security+ is simply not robust enough to even come close to helping me study for the CISSP.
Once I take the actual CISSP I'll be able to make a better assessment, though.
One of the most helpful items I found on was a Security+ cheat sheet. It is a very concentrated view of all five Security+ domains and makes for a great study reference.
Hacker Vs. Security Professional
June 2, 2005
Defcon.org, 29 – 31 July, Las Vegas, NV. $80.00 admission @ Alexis Park
Convention of hackers, crackers, programmers, security pros, black hats, white hats, gray hats: the entire spectrum of security technology freaks converging on one location to discuss their favorite subject.
Once a year I am encouraged to go to numerous Security Conferences most of which turn out to be useless infomercials where vendors are trying to sell their plug-in security solutions.
There are very few that have really been of value. Defcon is by FAR the best. Since it is a hacker convention I often have trouble convincing the Government of its worth. It is good to know that FBI, CIA and possibly the NSA don't hold the same view as the Agencies I have worked for.
I can not stress the value of Defcon to Security Professionals enough.
Martin McKeay has a great site on Security issues. We discussed what the word “hacker” conveys to most people.
The original meaning of hacker was that of a technically savvy person creative enough to come up with work arounds, fixes and find vulnerabilities. This is what hacking still means to me. It is my personal opinion that this is where you separate the men from the boys. Hacking, in the traditional sense of the word, is the true gauge of technical skill and understanding.
These days the meaning of hacker, and hacking in general is used to address the activities of cybercriminals, or black hats. Martin and I disagree with the direction that the concept is going.
Unfortunately, his view is what most “security professionals” and the general public currently think of the whole concept of hacking, that it is criminal behavior. That is ignorant.
But, no matter how you define hacking or hackers, it is the duty of everyone who calls themselves a security professional to know the practices and mind set of a hacker, criminal or otherwise. It is like a detective or a profiler. The best detectives, investigators and profilers have an understanding of why criminals do what they do. In this same way, it is imperative that the Security Professional understand the techniques and mindset of every shade of hacker, black-white hat.
Which investigator will understand a thief better, the one with a PHD in criminology or the investigator who used to be a thief?
If the security professional doesn't know how to exploit their own systems, how effective is that security professional… And if MOST security professionals can not exploit ANY system, what does it mean to be a system security professional?
Martin's Comments:
I love the 'Hacks' books from O'Reilly. They've probably done more to regain the original meaning of hack and hacker than all of the protests by security professionals combined. I have 4 or 5 of the 'Hacks' books sitting on my work and home bookshelves. Have you checked out Make magazine? (http://www.makezine.com/)
I wish we could regain the original meaning of the word, but I fear it's a pointless battle. To the average Joe in America today, hackers will always and forever be the evil creators of viruses and trojans. Not that Joe could tell the difference between the two.
I don't know if you remember it, but last year the guy who wrote the Sasser and Netsky viruses was hired by a German AV company (http://www.enn.ie/news.html?code=9554015). I know at least one German CISSP who was very upset at this idea, and let them know it. I also seem to remember that his employment didn't last long, but I couldn't find a link to that news. So at least one company was willing to hire a hacker knowingly and publicly.
People don't want to have to worry about the complexity of the shade of a hacker. Black, gray or white hat, if you say you're a hacker, they assume you're after their bank account number. I'll stick with calling myself a Security Professional, rather than trying to borrow from the 'hacker mystique' for publicity.
Posted by Martin at June 1, 2005 01:15 PM
ME:
McKeay.. great blog,
I was at Barnes & Noble the other day looking for Kyle Rankin's book, Knoppix Hacks and I noticed hacking is quite the buzz word. It seems every conceivable category of Information Technology now has a book followed by (or preceding) the words hack, hacking, hacker's guide etc. O'Reilly has a whole series on hacks (great books): http://www.oreilly.com/hacks/
There is even a book called, “Understanding God's Will: how the HACK the equation” (Not from O'Reilly)
I believe the reason for this is because hacking is cool. It's like the new and very necessary quick fix tool among this era of information overload and technical bombardment.
Many of the most famous and infamous players in this new Information Age have been Hackers. Just to name a few: William H. Gates III, KBE, Blake Ross (19 year old creator of Firefox), Linus Torvalds, Klaus Knopper (creator of Knoppix), the Woz, Paul Allen, Kevin Mitnick, Jeff Moss (creator of Defcon), all the creators of Unix, Bill Joy…
The word hacker has been hi-jacked. Its real meaning has been… hacked. That is why I was overjoyed when I was introduced to the Certified Ethical Hacker certification. I have yet to take the cert. I plan on using the CISSP to prepare me for it… it is difficult from what I've seen in the Sample tests. I hope this cert gains enough credibility to take the concept of the true hacker back in the mind of the Business owners.
I went to Defcon in 2003 (11 I think) and I learned a lot there. For one thing, not all hackers are evil Sasser Worm creators or a part of the “Hang Up Team” (a truly, TWISTED bunch of Russian hackers). Many of the Hackers speaking were hackers in the original sense of the word. In fact, they were do-gooders! They would find exploits and try and report them immediately to the owner of the software or hardware. The biggest problem was that companies like Microsoft and Oracle would not listen to them. They are often referred to as Gray Hats. Almost like vigilantes, whereas White Hats can be considered people like you and me (mercenaries working for companies), and Black Hats just cyber criminals.
I think the concept of what a hacker is is being transformed. Why a company would hire an internationally known Black Hat and publicize it is, to me, not smart money. I bet it would even negatively affect the stock.





