While I am a huge proponent of security education, I loathe the phrase “cyber”. And to make things worse…

From New York Times:

Banks, military contractors and software companies, along with federal agencies, are looking for “cyber ninjas” to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries.

“cyber ninjas”???

*facepalm*

But, on the positive side there are many more schools weighing in with their own security program offerings.

“There is a huge demand, and a lot more schools have created programs,” says Nasir Memon, a professor at the Polytechnic Institute of New York University in Brooklyn. “But to be honest, we’re still not producing enough students.”

Mr. Memon’s school created a master’s degree in cybersecurity last fall. So did Indiana University, whose security degree is in “informatics,” an academic field in which students find new uses for information technology. Starting in the fall, Georgia Tech will offer a master’s degree in information security online; the program is aimed at computer professionals who want to learn to deal with computer threats.

Cyberdouchery notwithstanding, I am very interested to see what the community thinks of these programs. For the full article read on.

Article Link

Image credit: funky64

bulletholes

From Nextgov:

The first revision to Special Publication 800-37 — “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life-Cycle Approach” — will help agencies comply with the 2002 Federal Information Security Management Act, which requires them to identify and take inventories of their IT systems and determine the sensitivity of information stored on those systems. FISMA has long been criticized for focusing too heavily on compliance and not enough on monitoring and testing of computer systems for vulnerabilities.

Article Link

(Image used under CC from LordSchrammi’s Flickr stream)

metasploit-unleashed

As of earlier tonight a project a few months in the making has finally been unleashed (pun intended). Thanks to the great guys over at Offensive Security and whoever’s awesome idea it was to team them up with the Metasploit guys, a new resource called Metasploit Unleashed – Mastering the Framework is now online.

For those of you who don’t know, Offensive Security is the group behind the Penetration Testing with BackTrack training. Now they have teamed up with HD Moore and the Metasploit folks and put together the most comprehensive Metasploit training out there.

Best of all, it is free and for a good cause.

“This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.”

To really drive the point home, they decided two all-stars weren’t enough and threw in a third teammate: Johnny Long and Hackers For Charity.

If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.

The “full” version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you through the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

I highly recommend, if you are interested in learning more about the Metasploit Framework, that you float over this way; and even if you’re not interested, you should absolutely make a donation to HFC nonetheless.

Get it while it’s hot!

Matt

digitalscale

IT execs who travel to China for work are receiving some interesting advice: take a moment to weigh their laptops, both before and after the trip.

Does this software make my laptop look fat?

From CRN:

Senior executives in US IT companies have been advised by the US Government to follow extremely strict policies for visits to China which extend far beyond standard software protection.

The policies encourage them to leave their standard IT equipment at home and to buy separate gear only for use in China.

Mark Bregman, chief technology officer at security firm Symantec said he left his MacBook Pro behind in the US and took his MacBook Air whenever he flew to China. Bregman said he only ever used the Air in China and re-imaged the machine every time he returned home.

Hmm. So, is this sound advice or more FUD being driven by a vendor?

Well, let’s see,

Symantec, as a security vendor which analyses code for malware, should be considered very reliable, said Bregman.

Indeed. Or you could just avoid leaving your laptop on a coffee table, like this sales guy (for a software company) did when he went to the bathroom inside the coffee shop. And yes…that pic REALLY happened.

dumbasslaptop

For the full article read on.

Article Link

nist

NIST, helping find the flaws so the bad guys won’t.

From Gov Info Security:

A new report from the National Institute of Standards and Technology (NIST) examines static analyzers, software that identifies weaknesses in other programs that could be triggered accidentally or exploited by hackers.

The report, SP 500-279, will help toolmakers assess their products’ ability to find security defects in other software, according to NIST. Eight tool developers, along with a ninth team of professional human reviewers, participated in the Static Analysis Tool Exposition, or SATE, an exercise by NIST and static analyzer vendors that began in February 2008 to improve the performance of these tools.

Every little bit helps.

Article Link

sourcevids

The videos from the recent SOURCE Boston conference are now online and available to view, which is great for folks like me who, sadly, couldn’t attend.

For the SOURCE videos wander over to Blip.tv.

Video Link

The mayor of Boston’s office put out some tips for staying safe online. The second-to-last bullet gave me a good chuckle.

tips

Ah, the joys of the copy & paste. Now, I have to find a low, flat location.

Here is the screencap. Just in case it gets, um, updated.

:)

screencap

Site Link (thx quine)

oopssans

There are times when a picture really is worth a thousand words.

Starting off with one of my favourites.

D’oh!

carmensandiego

Ran across a new breach story in the San Francisco Chronicle this weekend that almost slipped under my radar. Reportedly, some “overseas” hackers broke into UC Berkeley computer systems and accessed a proverbial “shit ton” of confidential information.

The databases contained 97,000 Social Security numbers, health insurance information and nontreatment medical information, such as immunization records, names of doctors whom people may have seen and dates of medical visits, said Shelton Waggener, UC Berkeley’s associate vice chancellor for information technology and its chief information officer.

Supposedly, though, the Social Security numbers were stored in a separate database from the names and medical histories that correspond to them. However, it is unclear whether the “overseas” hackers were able to access both sets of information and match them up to assemble complete identities.

The hackers, primarily from China and elsewhere in Asia, had access to the information for six months before they were discovered. The breach exposed the records of 160,000 people, of whom 97,000 had Social Security numbers included in the database, officials said.

This is where most of these breach articles lose me. If the people providing the data for this news article honestly aren’t sure about something like whether the hackers could assemble a complete identity, how can their IP tracking be so rock solid that they are sure the hackers are legitimately from Asia? About as Asian as the 1,000 email accounts “from Asia” that cost a kid in New Jersey a few dollars?

Further evidence of the crack security team’s vast knowledge of this incident:

The hackers broke into the computer system Oct. 9 and were not discovered until April 9, when administrators performing routine maintenance came across an “anomaly” in the system and found taunting messages that had been posted three days earlier, UC said.

I’d prefer not to touch this part because it seems wrong and too easy, but what kind of IDS, or what seriously huge log files, do they have that let them work out how this attack happened six months later? OK, that is all I’m saying about that.

Some other people who agree with my line of thought are quoted at the end of the article, if you’re interested.

frankenstein

Even the father of the web gets bitten by a scam website.

Is nothing sacred?

From Techworld:

Speaking ahead of a speech he is due to give this week at Web Science 09 in Athens, Berners-Lee made the revelation as he spoke of his dismay at the medium’s dispiriting lack of security.

“The worst thing that has happened to me was when I tried to buy a Christmas present from a company that looked like a bona fide company on the internet and then actually they were a completely fake company. I think I am yet to get the money back, but it wasn’t a lot,” said MIT professor Berners-Lee with a helplessness that will strike a chord with the web’s growing number of less famous victims.

This helps to illustrate the point that a phishing site or fraudulent retailer can nail, well, anyone.

Be careful out there.

Article Link