How to use the lock in your web browser’s location bar

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.

A security professional fights back against tech support scammers

I guess Matt Weeks is as sick as I am of tech support scammers, because he developed a way to fight back, in the form of a Metasploit module that exploits a software defect in the AMMYY remote access tool that these scammers sometimes use. Metasploit is a tool that penetration testers use to demonstrate–with permission–how hackable a computer network is. In this case, the would-be victim is penetration testing someone without permission. Run the module when the scammer connects to the would-be victim, and he or she gets a command prompt on the criminal’s PC. At that point, the would-be victim can break their computer, perhaps by deleting critical files, corrupting the Windows registry, or something else. Anything you can do from a command prompt would be possible at that point.

I’m anything but heartbroken that this threat exists, although I’m not going to do this myself. Let me explain.

IT jobs shortage? Slide over to security

IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.

Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.

I made that transition, largely by accident, so I’ll offer some advice.

What Linkedin is good for

Alistair Dabbs posted a nice, curmudgeony anti-social-media rant over at The Register. In part, he asked what Linkedin is good for, noting it’s never netted him a job or a useful contact.

I found his piece entertaining, so I thought I’d talk about how I use Linkedin, besides dodging recruiters who blindly type “cissp security clearance” or “security analyst st. louis” and message every single person who comes up.

Spritz promises to revolutionize speed reading

I found a reference this week to Spritz, a promising smartphone/tablet app to help people read faster. Much faster. I tried the demo of the technology and could almost keep up with its 500 word-per-minute pace right away.

Now, I’ve always been a fairly fast reader, though I’ve never felt any need to have someone time my speed. I just know I read faster than most of my classmates did. But I know I don’t normally read anywhere near 500 words per minute. My typical blog posts are usually about 750 words, so that would be reading one of my posts in a minute and a half.

I’m interested in it, though, because I’ve resolved to read more this year. You can roughly estimate 100 pages at 25,000 words, so at 500 words per minute you could read a 200-page book in about an hour and 40 minutes.

I’m not sure I would want to rush through something really dense and technical at that rate–especially not something like the CISSP Common Body of Knowledge–but when the other choice is not reading at all, it’s obviously much better than that. And nothing says you have to pick one way of reading or the other. You can read a book quickly and come back and read the tougher parts more slowly. Some people say you shouldn’t read without taking notes; but running a book through Spritz is a fast way to find out if a book is worth sitting down and reading with a pad of paper–or, ahem, laptop with a word processor–next to it.

Details of how it will work are a bit sparse. Hopefully the app will be able to read your existing e-book library. If it exists as a walled garden where you have to buy books within the Spritz app, that seems like it would limit its usefulness to me. We’ll see. This is definitely a technology I want to track.

Why last week’s “news” of the NSA’s quantum computer project doesn’t bother me

Last week, another Snowden leak surfaced that stated that the NSA is working on a quantum computer capable of breaking all known current encryption, trivially.

I didn’t find this shocking.

Another day, another router backdoor

Ars Technica dropped this bombshell toward the end of the day yesterday: A backdoor in Linksys and Netgear (and possibly other) routers. The exploit works on a weird port, so it’s not remotely exploitable, nor is someone going to drop it with some crafty JavaScript like the recent D-Link backdoor, but it’s not out of the question at all for malware to do a pivot attack. Here’s how it would work: Once a computer is infected, it could attack the router and infect it too, so that once someone disinfects their computer, the router could re-infect the computer at a later date. A router is a great place to hide, because nobody looks at it, and it has ample storage to exploit.

What can you do about it?

How to get started in regulatory compliance

I had a search query about getting started in regulatory compliance, which I’ve written about before, but more from an organizational perspective. That won’t help you much from a career perspective.

I think most any CISSP will answer that question similarly, so I’ll take a stab at it.

Don’t be too impressed with Snowden’s “ethical hacking training”

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, I didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume.