Microsoft looks back at MS08-067

The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.

Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.

Read more

Don’t be too impressed with Snowden’s “ethical hacking training”

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume. Read more

Step 1 to landing a security job: Become conversant in security

So last week, I wrote about the difficulty of landing a security job and promised to explore it further.

And I think the first key, and what should be the most crucial key, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it means is that you passed a test. It’s possible to pass a certification test and not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered a job. Read more