Security Tools News & Tips

Report: Security Certifications Boost Pay - “IT professionals with security certifications—including all versions of the CISSP, CISA, GSE, CISM, SSCP and GCFA—earned 10 percent to 14 percent premiums on their base pay over their non-certified counterparts.”

New vulnerabilities hit Firefox and Internet Explorer - There are no patches yet available from either vendor. The most serious is MSIE page update race condition, and next most severe is Firefox Cross-site IFRAME hijacking.

Encrypt and sign Gmail messages with FireGPG - “It integrates nicely into Gmail’s interface and allows you to sign and encrypt not only email messages but also text snippets from any Web page.”

Google Desktop vulnerable to attack - RSnake has discovered a man-in-the-middle attack on Google Desktop.

• Leave a comment...

An independent assessment of Windows vs. Linux. Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3 were examined to see which platform is more secure.

The results were not unexpected. Even by Microsoft’s subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat’s patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft’s ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.

• Leave a comment...

Lessons From a Honeynet That Attracted 700,000 Attacks - The Continuous Processes of Vulnerability Management: Create security policies & controls, Track inventory / categorize assets, Scan systems for vulnerabilities, Compare vulnerabilities against inventory, Classify risks, Pre-test patches, Apply patches, Re-scan and confirm fixes.

Apple patches a dozen security holes - Apple released security updates to Mac OS X operating system and other software.

MS update patches patching - Microsoft this week pushed an update to patch their patching system.

OpenOffice virus reaches across platforms - “A virus writer with something to prove has written a proof-of-concept OpenOffice document to demonstrate a way to infect Windows, Linux and Mac OS X systems with a single script.”

• Leave a comment...

Google Online Security Blog - Google has gone public with it’s new security blog. The first post says: “we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we’ll tackle is malware, which is the subject of our inaugural post.”

Top 10 vulnerabilities in Web applications in Q1 2007 - “In this study, Cenzic identified 1,561 unique vulnerabilities during the first quarter of 2007. Of the reported vulnerabilities, file inclusion, SQL injection, cross-site scripting and directory traversal were the most prevalent, totaling 63 percent. The majority of vulnerabilities affected Web servers, Web applications and Web browsers, with Cenzic classifying the bulk as easily exploitable.”

Top 15 free SQL Injection Scanners - “Checking for SQL Injection vulnerabilities involves auditing your web applications and the best way to do it is by using automated SQL Injection Scanners. We’ve compiled a list of free SQL Injection Scanners we believe will be of a value to both web application developers and professional security auditors.”

• Leave a comment...

Mac Virus and On-Line Security FAQ - “These days it’s hard to avoid the dirty underbelly of the Internet, it’s not as bad as it seems out there if you have some common sense and know the facts Using a Mac helps too. In this little FAQ, I’ll pass on some tips and get you up to scratch regarding viruses, internet security, firewalls, on-line shopping and more.”

Ubuntu Security Resource - “If you’ve recently switched from Windows to the Linux distribution Ubuntu, you’ve probably experienced a decrease in spyware — and malware in general — on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that even though Ubuntu’s default install has its flaws, like every other operating system.”

Firefox Surfers More Likely Patched Than IE Users - “New statistics released today indicate that people who use Mozilla’s Firefox Web browser are more likely to be cruising the Web with all of the latest security updates installed than those surfing with Microsoft’s Internet Explorer.”

• Leave a comment...(0)

I received an email from (ISC)2 yesterday about the new, stricter requirements for CISSP. The new experience requirements for the CISSP certification will be effective 1 October, 2007. Basically now you’ll need five years of work experience instead of four and the endorsement must be done by (ISC)2 certified professional. I can see that (ISC)2 is trying to maintain the high standards of CISSP. So, it means new CISSPs must find and interact with other CISSPs before they can earn the title. You can find more details about the new requirement on (ISC)2’s press release.

* The minimum professional experience requirement for CISSP certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.

* Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

• Leave a comment...

According to Schneier the main reasons to conduct penetration testing are:

There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you’re going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I’m going to save you a lot of money by giving you this free penetration test: You’re vulnerable.

Now, go do something useful about it.

• Leave a comment...

I’ve switched to a Mac last year. I’m glad that I did it, and there’s no looking back now. I think security is the main reason MS Windows will never be my primary machine again. To be specific it’s virus/malware/spyware. And the main reason I’ll never give up my Mac as a primary machine is because it’s much more stable, secure and cool. Although, Ubuntu might change that someday. Lets see…

Chief at IT Toolbox has a nice post on the reasons Why Security Pros Use Macs.

Security professionals need not hide behind the argument that avoiding Microsoft Products is the end-all solution to a secure computing environment. Security Professionals have much better reasons, and those were amplified when I talked to other folks at CEIC 2007 over the last few days. I was astounded at the number of Mac laptops that were present. It was easily twice the number from last year.

• Leave a comment...(0)

• (IN)SECURE Magazine issue 11 is available for download. It’s a freely available digital security magazine discussing some of the hottest information security topics.
• One in 10 web pages laced with malware - At least one in 10 web pages are booby-trapped with malware, according to Google.
• The Pirate Bay hacked - They have got a copy of the user database. That is, your username and passwords.
• 1.4 million Chinese infected over holiday week - May vacations bring trojan avalanche for gamers and filesharers.

• Leave a comment...(0)

I locked myself in for 2 months to prepare for the CISSP (Certified Information System Security Professional) exam, and now I’m back triumphant to tell the story. Yes, I just received the Congratulations email from ISC2. I’m sharing my experience here with a hope that it might be helpful to anyone who’s preparing to take the exam. There’s no doubt that it was THE MOST difficult exam I’ve ever taken.

Let me give you a general idea about this certification. CISSP is a security certification carried out by (ISC)², which is a globally recognized, vendor neutral organization for certifying information security professionals. To pass the CISSP exam you’ll have to be competent in 10 Domains of the Common Body of Knowledge (CBK):

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

To qualify to sit for the exams you need to:

Subscribe to the (ISC)² Code of Ethics.
Have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK® or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master’s Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

Update: Effective 1 October 2007, professional work experience requirements for the CISSP will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP CBK domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

The exam itself is 6 hours long, with 250 questions based on the 10 domains. 25 out of 250 questions are for research, but you’ll have to answer all of them, and there’s no way of knowing which one is which. So, 225 questions will be scored, and you’ll have to get 700 out of a possible 1000 points on the grading scale to pass. Different questions carry different weight (marks) and there’s no way to know which question carries how much marks. As of writing this, the exam costs US$ 499 if you register 16 days ahead of exam date or US$ 599 if you register later.

• Continue reading or Leave a comment...