Marcus Carey of SunTzu security firm & founder of DoJoSec

The March 5th DoJoSec was the second of their monthly briefings I have attended. Although it is almost a three-hour drive from New Jersey, these evening sessions have been worth attending. I had to miss April's session because of schedule conflicts, but I plan to attend the upcoming sessions of what has been called "dinner theatre for security geeks."

Since the videos of the presentations are available (embedded & linked on this page), I won't bother summarising them in detail. Just watch the videos. Rather, I'll highlight some of the things I found especially interesting in the presentations.

iPhone Forensics - Walter Barr and Sean Morrissey

I had heard much about iPhone forensics from Jonathan Zdziarski, so I was interested in hearing what these fellows had to say on the subject. One of the interesting aspects of the presentation was the influence of the speakers' different professional backgrounds when it came to the issue of "jailbreaking" iPhones in the course of a forensic examination. Morrissey came out of a law enforcement background while Barr did not. The difference was most evident when they covered "jailbreaking" iPhones to extract evidence data. Barr saw jailbreaking as an option. Morrissey strongly insisted that jailbreaking should not be used. Besides Apple's claim that jailbreaking iPhones is illegal, the use of "hacker tools" might open up challenges in court where opposing attorneys imply one is using "criminal" or somehow suspect tools. He exhorted the audience to do forensics right so we don't have bad cases, and alluded to the forensic problems in the OJ murder case.

The "hacker tool" issue & the potential for court challenges stirred up quite a lively discussion during the Q&A. Some people pointed out that valuable security/forensics tools such as Wireshark could be maligned as "[criminal] hacker tools" and yet we use them, so why avoid jailbreaking tools? The problem appears to be that jailbreaking tools don't have as strongly established a reputation for constructive uses as do Wireshark, nmap, Nessus, and many other dual-/multi-purpose tools.

Snort - The Forensics Tool? - David Warren

Because I have been dealing with malware and network analyses recently, I was particularly interested in seeing what Warren had to say. The main thing I got was that Snort's rules features and its support for extensive text and hex pattern searches make it handy for going through packet capture data.

Cyberwar is BS - Marcus J. Ranum

I looked forward to hearing Marcus Ranum's take on popular cyberwar concepts. I had read his thought-provoking "Six Dumbest Ideas in Computer Security" and saw that even if I didn't agree with everything he said, his ability to make us think more deeply about security was a valuable talent. Ranum's presentation was even better than I had expected. I am not even going to bother summarising anything else from it. Just view the video, enjoy, and think!

Cheers.

P.S. Dustin L. Fritz has more photos from the March DoJoSec Monthly Briefing on his blog.
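To make Warren's point about Snort's text-and-hex pattern searches concrete, here is a small added example (my own illustration, not code from the talk or from the Snort project). Snort's `content:` rule option lets a pattern mix literal text with hex bytes written between pipes, e.g. `content:"HTTP/1.1|0d 0a|Host";`. The block below re-implements that pattern syntax in miniature and runs it over a handful of constructed sample payloads standing in for packets read from a capture; the payloads, pattern strings and function names are all assumptions made for the example.

```python
"""
Snort-style `content:` matching over raw packet payloads (added example).

Snort rules can express a pattern as printable text mixed with hex bytes
between pipes, for instance
    content:"HTTP/1.1|0d 0a|Host";   or   content:"|de ad be ef|";
This miniature re-implements that syntax to show why it suits sifting a
packet capture: one pattern, text or hex, checked against every payload.
"""
import re


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into the raw bytes it denotes.

    Text outside pipes is taken literally (ASCII); text inside |...| is a
    run of whitespace-separated hex bytes, as in Snort's rule language.
    Surrounding double quotes, if present, are stripped.
    """
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        pattern = pattern[1:-1]
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:                      # literal text segment
            out += part.encode("ascii")
        else:                               # hex segment between pipes
            for tok in part.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    raise ValueError("bad hex byte %r in %r" % (tok, pattern))
                out.append(int(tok, 16))
    return bytes(out)


def match_payloads(payloads, pattern, nocase=False):
    """Return the indices of payloads that contain the pattern.

    `nocase` approximates Snort's `nocase;` modifier by lower-casing the
    ASCII letters on both sides; non-ASCII bytes are left untouched.
    """
    needle = parse_content(pattern)
    if nocase:
        needle = needle.lower()
    hits = []
    for idx, payload in enumerate(payloads):
        hay = payload.lower() if nocase else payload
        if needle in hay:
            hits.append(idx)
    return hits


# Constructed sample payloads (not from a real capture) standing in for the
# application-layer data of packets read out of a pcap file.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x00\x01\x02\xde\xad\xbe\xef\x03",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\nMZ\x90\x00",
    b"user anonymous\r\n",
]

if __name__ == "__main__":
    # Example patterns (assumed for illustration): an HTTP header boundary,
    # a pure hex signature, and a case-insensitive text-plus-hex mix.
    for pat, nocase in [("HTTP/1.1|0d 0a|Host", False),
                        ("|de ad be ef|", False),
                        ("mz|90 00|", True),
                        ("USER", True)]:
        print("%-22s nocase=%-5s -> payloads %s"
              % (pat, nocase, match_payloads(SAMPLE_PAYLOADS, pat, nocase)))
```

In real use the payloads come from the capture itself; Snort reads a saved capture with `snort -r capture.pcap -c rules.conf`, and the rule's `content:` option does the matching shown here, with the rest of the rule (ports, direction, `msg:`) narrowing which packets are even considered.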
Barr & Morrissey speaking on iPhone forensics

DojoSec Monthly Briefings - March 2009 - Wally Barr & Sean Morrissey from Marcus Carey on Vimeo.

David Warren reminding us of computing in the early 1980s. Remember the TI-99/4A home computer?

DojoSec Monthly Briefings - March 2009 - Dave Warren from Marcus Carey on Vimeo.

Marcus Ranum speaking on cyberwar

DojoSec Monthly Briefings - March 2009 - Marcus J. Ranum from Marcus Carey on Vimeo.
A couple of nights ago, I finished the two-hour online test for the basic Certified Homeland Security Professionals (CHSP) certification. I passed. I am quite happy. (One of the reasons is that I am among the program's technical advisors. Flunking wouldn't be a big disaster, but it would be somewhat embarrassing. <blush>)

The CHSP is a new training & certification program designed for US homeland security practices, laws and resources. Currently, the program offers a basic overall homeland security course and a biosecurity & bioterrorism specialisation course. Although there are fees for the courses and the certification exams, there are some freebies, including a homeland security news blog, available via the CHSP Learning Portal. You can sign up for a free guest account there.

Jonathan "J.D." Abolins

- Mood: accomplished
The evening sessions include sandwiches and other food. The folks at Sun Tzu Data like to call it "dinner theater for security geeks". I guess, to play upon a Bruce Schneier phrase, this is a "security dinner theatre". <g>
The first presentation was given by Chris Daywalt and Eoghan Casey (pictured pointing to a chart; "Eoghan" is pronounced like "Owen"). They spoke on "offence in depth" by intruders and how too quick an attempt to contain and eradicate/clean up an intrusion may be self-defeating.
They mentioned the NIST SP 800-61 Computer Security Incident Handling Guide and its Incident Response Life Cycle. Sysadmins figure they know the scope of the intrusion and respond with containment, eradication, and recovery procedures. But, as the two fellows noted in their "tag team" delivery, many intruders use multiple modes of attack, tools, and communications channels. So a response that addresses only one of the attack prongs will tip off the intruders and they'll lay low. Once the sysadmins believe they've completed the clean-up, the other attack prongs can be used to continue the exploitation of the systems. One of the key preparation points Daywalt and Casey stressed is to know what's normal for your systems.
The second presentation was on "No Tech Hacking" by Johnny Long (pictured on the right). This is the third time I've heard Johnny Long give this spiel, but it was still fun and informative. This particular presentation had an interesting touch because many of the places shown in the slides were in Maryland, so Johnny Long slipped in a few comments about the locations. (You can read a sample chapter from his No Tech Hacking book here.)
The DoJoSec session was worth the six hours round trip from New Jersey to Columbia, MD. I cannot attend the sessions regularly, but I hope to visit a few more of them. If you are in the Baltimore/DC area and are interested in low cost info security education, check out the DoJoSec sessions.
I'm glad I attended the DoJoSec instead of the DoDoSec session.
J.D. Abolins
- Mood: determined
Disclosure: I personally know some of the people involved with the Web Wise Kids group.
The USENIX past conference proceedings: http://www.usenix.org/publications/libra
The Security Symposia proceedings:
- Usenix Security Symposium 2007
- Usenix Security Symposium 2006
- Usenix Security Symposium 2005
- Usenix Security Symposium 2004
- Usenix Security Symposium 2003
- Usenix Security Symposium 2002
- Usenix Security Symposium 2001
- Usenix Security Symposium 2000
- Usenix Security Symposium 1999
- Usenix Security Symposium 1998
- Usenix Security Symposium 1996
Finished posting, proceeding to get some sleep,
J.D. Abolins
- Mood: accomplished
- Music: 99 Luftballons - Nena
<< [Anders] Ericsson's primary finding is that rather than mere experience or even raw talent, it is dedicated, slogging, generally solitary exertion — repeatedly practicing the most difficult physical tasks for an athlete, repeatedly performing new and highly intricate computations for a mathematician — that leads to first-rate performance. And it should never get easier; if it does, you are coasting, not improving. Ericsson calls this exertion "deliberate practice," by which he means the kind of practice we hate, the kind that leads to failure and hair-pulling and fist-pounding. You like the Tuesday New York Times crossword? You have to tackle the Saturday one to be really good. >>From the December 2007 Scientific American Mind article The Secret to Raising Smart Kids:
<< Many people assume that superior intelligence or ability is a key to success. But more than three decades of research shows that an overemphasis on intellect or talent—and the implication that such traits are innate and fixed—leaves people vulnerable to failure, fearful of challenges and unmotivated to learn.

Teaching people to have a "growth mind-set," which encourages a focus on effort rather than on intelligence or talent, produces high achievers in school and in life. >>

These two items caught my attention because I have been dealing with innate abilities & effort issues for years. I've always been a good student and that has been helpful. I could pick up most subjects by listening to the lectures and reading the books once. It isn't so much memorisation as the ability to figure out how things relate to each other.

Usually, this ability is good. But I have also seen instances where I could have done better if I had put in more effort and gone further. Lately, I have been pushing myself a bit harder to put more effort into my education. This is important as I fill in some of the "Swiss cheese holes" in my education.
J.D. Abolins
- Mood: hopeful
Also worth checking out is his Windows Incident Response blog. Even if you don't work with Windows, this blog has many good postings with insights applicable beyond Windows alone. Here are a couple of particularly useful ones for people seeking to get into computer forensics:
1. Getting started, or forensic analysis on the cheap gives an excellent list of free (cost-free) tools. At the end, Carvey adds this important point about computer forensics: "Also, all of the technical tools and techniques are for naught if you (a) cannot follow a process, and (b) cannot document what you do." I am by no means a computer/network forensics expert but I have seen enough things to say he is quite correct.
2. Getting started, pt II suggests using the free/cheap tools as a resource for the interview process when hiring people for computer forensics work. I particularly like this:
The whole point of the use of these tools and techniques as training and evaluation resources would be to get analysts thinking and processing information beyond the point of "Nintendo forensics", going beyond pushing a button to get information...because how do you know if the information you receive is valid or not? Does it make sense? Is there a way to dig deeper or perhaps validate that information, or is there a technique that will provide validation of your data?

Amen!
Jonathan "J.D." Abolins
- Mood: determined
- Music: Fire of Freedom - Black 47
Nice presentation. Also a good one for teachers and students.
Condé Nast's Portfolio has a nice interactive page showing some of the new security features of the new version of the US $5 note. The Note for Note link shows how the Euro (€) has additional security features. Other links show the appearance of the US dollar through its history and the "life" of a dollar note.
My doctor told me I was "as sound as a dollar", should I now worry? <g>
J.D. Abolins
- Mood: awake
- Music: Abode - Azam Ali
Kelly turned to computing as "an escape" from bullying and became quite proficient. He earned the certification at New Horizons Learning UK in Birmingham.
I congratulate him for the accomplishment. I hope that he will develop his skills beyond the certification course and such.
Some general comments about "learning" hacking, nothing to do with Shane Kelly per se...
Hacking is something I do not believe can be fully taught by any set of courses. Oh, the courses may help, but there's much more to "hacktitude". Also, among hackers the certs are just paper; it is what the person can do that matters. Employers might go by the paper certifications, but real-life situations will sift out the "paper tigers". Being adaptable is crucial because the technology is changing.
Some people say I am a "certifiable" ethical hacker... or at least "certifiable". <g>
J.D. Abolins
- Mood: geeky
I like the video because it presents things I see in the Networked World in a clear and interesting manner. Also, the newer version of "Did You Know?" avoided giving some alarmist impressions about the global trends that an older version did.
Here's the video from YouTube:
The video is available from many other sites.
One of the sites, dotSUB.com has the video translated into several languages. That's a nice resource for the global subject matter of the video. I did find, however, the Arabic and Hebrew translations on dotSUB.com rendered with the text running the wrong way and, for the Arabic, the letters not being connected in the normal fashion. [Sample screen shot] This appears to be a problem with my Flash rendering software, not the videos themselves. (A significant clue is that copying the texts from the videos and pasting them in my text processors correctly renders the Hebrew and Arabic.) So if you find a similar problem, don't assume it was the translators' fault. Meanwhile, it looks like I have a system tweaking project for the next LUGip hardware SIG meeting. <g>
The video is licensed under a Creative Commons Attribution Non-Commercial Share-Alike licence and the source files for the Flash video are available for download. So you can translate and modify the video according to the licence.
J.D. Abolins
- Mood: satisfied
Though proficient in e-mailing and text messaging, some of the eighth-graders wrote their address in the upper right-hand corner where the stamp goes. Others had the city first and the name last. A couple were unsure of their street address.

"It surprised me," said their teacher Aletia Cochran, who quickly taught them the ways of old-fashioned snail mail.

The article goes on to describe the ways the teachers and students had to find alternative ways of doing things without the computers, Internet, electronic chalkboards and other visual equipment they use daily.
It is an interesting report. I often look at various activities dependent upon technology and think, "how would we carry on if the power went out?"
Resilience is a good thing. It is not only a matter of alternate technologies and tools; it is also a matter of skills and resourcefulness.
Many people my age and older may look at the story of the students struggling to address postal mail and lament the supposed "dumbing down" of the younger generations. This would be a big mistake. How many of us have the skills that our grandparents' or great-grandparents' generations considered necessary? The sets of necessary skills change with time and, in the 20th Century, the pace of change increased. As new sets of skills are adopted, older ones may fall into disuse and not be learned by younger people. They don't have a need to learn them, just as most of us don't need to learn how to handle a horse carriage.
The Oregonian article did have some good comments from Shelley Pasnik, director of the Center for Children & Technology. (The CCT has some interesting information on its Web site.) Among the things she said was, "Students might not know their phone number, but they know how to quickly access it... Kids have to negotiate a glut of information that is available to them." When reference tools are readily available, the need to memorise can seem less vital. But knowing how to evaluate information from reference sources and how to use the information becomes more critical.
J.D. Abolins
While browsing Amazon tonight, I found listings for a toy company that produces wooden alphabet blocks in various languages. The blocks are available in Arabic, French, Greek, Hebrew, Italian, Russian, and Spanish. Oh, by the way, an English set is available. The blocks are made in the USA by Il Cocco di Mamma of Boston. They have the letters of the alphabet and pictures with related text on them. They look nice for a unique decoration. They are a bit too pricey for me, $35 on Amazon.com. But they might make great gifts for some people and that's why I'm mentioning them.
Jonathan "J.D." Abolins
- Mood: cheerful
The Day's organisers have posted suggested activities, including:
- Change your password. Cambie su contraseña. Modifiez votre mot de passe. (By the way, look at this item on Bruce Schneier's blog.)
- Back up your data (after being certain that it is virus-free).
- Verify that passwords are not "Posted" and all other keys are secured.
- Hold a discussion of ethics with computer users.
- Install all security-related updates to your computer's operating system.
- Consider the privacy aspect of the data on your computer and protect it.
The suggestions mention commercial and shareware software (mainly about registering & paying for them), but are silent about free and open source software. Also, there's no mention of cryptography options. With the growing number of data breaches, including the HMRC breach in the UK, cryptography is an important data protection tool.
Fortunately, one of the Computer Security Day suggested activities is to send the organisers an item to add to the list.
J.D. Abolins