Tuesday, December 15, 2015

No, sir, I have no experience but I'm a big fan of money.


I like it, I use it, I have a little. I keep it in a jar on top of my refrigerator. I'd like to put more in that jar. That's where you come in.

Friday, December 11, 2015

Interesting Phish


Interesting phish attempt. Emailed to my work account. It links to what looks like an Outlook Web Access page.

Links to this page. Yeah, sure. I'm gonna just login right now...
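A check a mail administrator could run over a message like this one, added here as an example (it is not from the post): it pulls the anchors out of an HTML body and flags a link whose visible text names one host while the href points at another, or an OWA-style link to a host that is not the organisation's real webmail host. The message body and the `mail.example.com` allowlist entry are constructed placeholders.

```python
"""Flag links in an e-mail body that point somewhere other than where they claim to.

Added example for this post, not the blog's own code. The message below is
constructed; the "legitimate" OWA host is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation actually uses for webmail (placeholder value).
LEGIT_WEBMAIL_HOSTS = {"mail.example.com"}

# Constructed phishing body: the anchor text shows the real host, the href does not.
SAMPLE_HTML = """
<p>Your mailbox is almost full. <a href="http://mail-example-com.login-verify.invalid/owa/">
https://mail.example.com/owa/</a> to re-validate.</p>
<p><a href="https://mail.example.com/owa/">Outlook Web Access</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname from a URL-ish string, or '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def suspicious_links(html):
    """Return (href, reason) findings for anchors whose target looks wrong.

    Two checks:
      - the visible text looks like a URL whose host differs from the href host
      - the href is an OWA-style path but its host is not an approved webmail host
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Only treat the anchor text as a URL when it has no spaces and a dot.
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        if text_host and text_host != href_host:
            findings.append((href, f"displayed host {text_host!r} != link host {href_host!r}"))
        elif href_host not in LEGIT_WEBMAIL_HOSTS and "owa" in href.lower():
            findings.append((href, f"OWA-style link to unapproved host {href_host!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

The displayed-text-versus-href comparison catches the classic trick in this phish (a real-looking URL as the link text); the allowlist check catches the plainer case where the text is just "Outlook Web Access". Both are cheap enough to run on every inbound message at the gateway.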


Wednesday, December 9, 2015

Cyber Chip - Scouting info



Today's youth are spending more time than ever using digital media for education, research, socializing, and fun. To help families and volunteers keep youth safe while online, the Boy Scouts of America introduces the Cyber Chip. In developing this exciting new tool, the BSA teamed up with content expert NetSmartz®, part of the National Center for Missing and Exploited Children® and training expert for many law enforcement agencies.

Netsmartz® has created a Scouting portal showcasing Cyber Chip resources, including grade-specific videos, for each level. Check it out here. 

Topics include cyberbullying, cell phone use, texting, blogging, gaming, and identity theft.

http://www.scouting.org/Training/YouthProtection/CyberChip.aspx

Thursday, November 12, 2015

Pentagon Farmed Out Its Coding to Russia


The Pentagon was tipped off in 2011 by a longtime Army contractor that Russian computer programmers were helping to write computer software for sensitive U.S. military communications systems, setting in motion a four-year federal investigation that ended this week with a multimillion-dollar fine against two firms involved in the work.
...
On Monday, NetCracker and the much larger Virginia-based Computer Sciences Corporation—which had subcontracted the work—agreed to pay a combined $12.75 million in civil penalties to close a four-year-long Justice Department investigation into the security breach. They each denied Kingsley's accusations in settlement documents filed with the court.

More:

Friday, September 25, 2015

Rare and red supermoon lunar eclipse to present Sunday night spectacle - The Washington Post



With clear skies on the evening of Sept. 27, the plump Harvest Moon takes on crimson coloring – during a total lunar eclipse. Don your fall jackets, grab a hot mug of hot chocolate – with marshmallows, of course – and meet the neighbors outside for a cosmic chat. Watch heavenly glory unfold.

To make matters more interesting, the reddish, eclipsing moon will be in "perigee" phase – which means it is closest to the Earth for September, and in fact, it is the closest point all year – what some call a "supermoon." A so-called supermoon appears 14 percent bigger and 30 percent brighter than when the moon is farthest away from Earth.

https://www.washingtonpost.com/blogs/capital-weather-gang/wp/2015/09/24/rare-and-red-supermoon-lunar-eclipse-is-sunday-night-spectacle/

Wednesday, September 23, 2015

Monday, August 24, 2015

Elon Musk's Hyperloop - the futuristic transportation system that’s faster than an airplane to start construction in 2016



Hyperloop passenger capsule version cutaway with passengers onboard. © teslamotors.com
Remember the hyperloop – the futuristic transportation system that's faster than an airplane that no one thought possible just years ago? Well, the visionary Elon Musk's idea just got a new lease on life: we could see construction as early as 2016. 
A public opening of the five-mile test track in Quay Valley, California is slated for 2018.

More:
http://www.futurologyalert.com/2015/08/elon-musks-hyperloop-to-start.html

Tuesday, July 21, 2015

fsn - "It's a UNIX system! I know this!"


Even though it was never developed to a fully functional file manager, it gained some fame after it appeared in the movie Jurassic Park in 1993.[1] In a scene in the film, the character Lex Murphy, played by Ariana Richards, finds a computer displaying the interface. She exclaims "It's a UNIX system! I know this!" and proceeds to restart the building's access control system, locking the laboratory's doors. 

More:

Why We’re Not Recommending “FIPS Mode” Anymore - Microsoft Security Guidance - Site Home - TechNet Blogs

 Straight talk from Microsoft, but I'm not sure they have given us much we can use to convince our auditors.

More:
http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

Monday, July 6, 2015

US jets intercepted Russian bombers off the California and Alaska coasts on July 4


On July 4th, two pairs of Russian Tupolev Tu-95 bombers approached the US West coast, causing the Air Force to scramble to intercept the planes before they breached US airspace, two senior defense officials told Fox News.

The first incident reportedly occurred at 10:30 am ET off the coast of Alaska, when NORAD identified the Russian planes and two F-22s hurried to intercept them. Another incident occurred at 11 am ET off the coast of central California, and was responded to by two F-15s.

The Russian bombers they intercepted are capable of carrying nuclear weapons, but sources do not indicate whether or not they were armed.

More:

Thursday, June 4, 2015

Sourceforge Hijacks the Nmap Sourceforge Account




From: Fyodor <fyodor () nmap org>
Date: Wed, 3 Jun 2015 00:56:23 -0700

Hi Folks! You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after Sourceforge started tricking users with fake download buttons which led to malware rather than GIMP. Then Sourceforge took over GIMP's account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP.

More:
http://seclists.org/nmap-dev/2015/q2/194

Monday, May 25, 2015

Google: Security questions across websites are very easy to guess


FTA:

For example, using a single guess, an attacker would have a 19.7% success rate at guessing English-speaking users' answers for the question "Favorite food?"

… With 10 guesses an attacker would be able to guess 39% of Korean-speaking users' answers to "City of birth?"

As for English speakers' favorite food, the most common answer is, not too surprisingly, "pizza."

More:

http://bgr.com/2015/05/22/google-security-passwords-secure-easy-guess/
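The numbers quoted above follow directly from the answer distribution: an attacker's best strategy is to try the most common answers in order, so the success rate after k guesses is simply the share of users whose answer is among the top k. The code below is an added example, not from the article or from Google's study; the answer tally is constructed, and the functions compute that success curve and how many guesses it takes to reach a target share of accounts.

```python
"""How much an attacker gains from k guesses at a security question.

Added example illustrating the statistic quoted above; not from the article or
from Google's study. The answer counts below are constructed, not real data.
"""
from collections import Counter

# Constructed tally of answers to "Favorite food?" from a fictional user base
# of 1000 people: a few popular answers plus a long tail of unique ones.
SAMPLE_ANSWERS = Counter({
    "pizza": 197, "chicken": 60, "steak": 45, "pasta": 40, "sushi": 30,
    "tacos": 28, "chocolate": 25, "burger": 20, "ice cream": 15, "lasagna": 10,
})
SAMPLE_ANSWERS.update({f"rare-answer-{i}": 1 for i in range(530)})


def normalize(answer):
    """Case-fold and trim so 'Pizza ' and 'pizza' count as the same guess."""
    return " ".join(answer.lower().split())


def merged_counts(answers):
    """Collapse answers that normalize to the same string."""
    merged = Counter()
    for answer, n in answers.items():
        merged[normalize(answer)] += n
    return merged


def success_rate(answers, guesses):
    """Fraction of accounts opened by trying every guess in `guesses`."""
    merged = merged_counts(answers)
    total = sum(merged.values())
    tried = {normalize(g) for g in guesses}
    hits = sum(n for a, n in merged.items() if a in tried)
    return hits / total


def best_guesses(answers, k):
    """The k most common normalized answers: the attacker's optimal guess list."""
    return [a for a, _ in merged_counts(answers).most_common(k)]


def success_curve(answers, max_k):
    """Cumulative success rate for 1..max_k optimal guesses."""
    return [success_rate(answers, best_guesses(answers, k)) for k in range(1, max_k + 1)]


def guesses_for_coverage(answers, target):
    """Smallest k whose optimal guess list covers at least `target` of accounts."""
    merged = merged_counts(answers)
    total = sum(merged.values())
    covered = 0
    for k, (_, n) in enumerate(merged.most_common(), start=1):
        covered += n
        if covered / total >= target:
            return k
    return None


if __name__ == "__main__":
    for k, rate in enumerate(success_curve(SAMPLE_ANSWERS, 10), start=1):
        print(f"{k:2d} guesses -> {rate:.1%} of accounts")
    print("guesses to reach 39%:", guesses_for_coverage(SAMPLE_ANSWERS, 0.39))
```

With this constructed tally a single guess of "pizza" opens 19.7% of accounts and six guesses pass 39%, which is the shape of the result the article reports. Compare that with a random 6-digit PIN, where ten guesses cover 0.001% of accounts: the problem with security questions is not the attacker's cleverness but how concentrated honest answers are.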

Thursday, April 16, 2015

First time at RSA Conference? How to have the most fun. #RSAC


I'm missing RSA this year. :( 
My rude advice to one of our less senior guys. I think this works for nearly everyone except the Sales guys. Sorry Sales guys.

I would pack your typical office clothes. Khaki/grey/black pants. Dress shirts (not white) or Polos are best. Definitely no ties.

There will be lots of guys in suits. Those guys are all Sales guys. Avoid them unless they are from something you use or you really want info about. Unless, of course, they are handing out invites for after parties.

You identify yourself as a potential customer (and get invites to parties and dinners) by not looking like another Sales guy. 

There will also be guys that look like they run the EFF and just left DefCon or CCC. You know what I mean. Those guys will have either sandals with socks or Doc Martens. They either don't own a comb or don't care. Embrace these guys and engage with them. They are usually the smartest guys there and have tons to tell you and killer stories. That said, Sales guys think they don't actually plan to buy anything, so they don't get invited to parties, except maybe to add some credibility to the company. You don't want to be identified as one of those guys either.

If you connect to any wireless network, check it out beforehand. RSA typically provides one, and it will be well advertised. Don't get suckered into using anything that you aren't sure about. Right now, remove all of the default wireless network SSIDs (linksys, dlink, etc.) from your phone and laptop. There are security "researchers" who will set up rogue networks and will snag all the Sales guys. Who knows what they plan to do. Not as bad as DefCon or CCC, but still…

Last piece of advice. Set up a Google Voice number and only hand that out when asked for it by Sales guys. Don't plan to ever use that number again. If you can, change the phone number on your registration as well. You will get inundated with calls for years after the show if you give them your desk number. All the companies buy the lists of attendees and contact everyone. They are pretty adamant that they need to talk to you and demo their stuff.

Have fun!  Send me some pictures.
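One way to do the "remove the default SSIDs" step on a Windows laptop, added here as an example rather than anything from the post: parse the profile list that `netsh wlan show profiles` prints, flag names that match a list of factory-default and open-hotspot SSIDs, and emit the matching `netsh wlan delete profile` commands for review. The sample output and the SSID list are constructed; on a host without `netsh` the script falls back to the sample.

```python
"""Audit saved Wi-Fi profiles for default / well-known SSIDs before a conference.

Added example for the advice above; it is not from the post. It parses the text
that `netsh wlan show profiles` prints on Windows (constructed sample below) and
emits the `netsh wlan delete profile` commands that would remove the risky
entries. The commands are printed, not run: review them first.
"""
import re
import subprocess

# SSIDs shipped as factory defaults or broadcast by many open hotspots. A laptop
# that remembers one of these will auto-join any access point using that name,
# which is exactly what a rogue conference AP counts on. Constructed list.
DEFAULT_SSIDS = {
    "linksys", "dlink", "netgear", "default", "belkin54g", "wireless",
    "attwifi", "xfinitywifi", "free public wifi",
}

# Constructed sample of `netsh wlan show profiles` output.
SAMPLE_NETSH = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CorpNet
    All User Profile     : linksys
    All User Profile     : xfinitywifi
    All User Profile     : Free Public WiFi
"""

# One profile per line, e.g. "    All User Profile     : linksys".
PROFILE_RE = re.compile(r"^\s*(?:All )?User Profile\s*:\s*(.+?)\s*$", re.MULTILINE)


def saved_profiles(netsh_output):
    """Return the SSID names listed in `netsh wlan show profiles` output."""
    return PROFILE_RE.findall(netsh_output)


def risky_profiles(names):
    """Subset of saved names matching a default/hotspot SSID (case-insensitive)."""
    return [n for n in names if n.strip().lower() in DEFAULT_SSIDS]


def delete_commands(names):
    """netsh commands that remove the given profiles (not executed here)."""
    return [f'netsh wlan delete profile name="{n}"' for n in names]


def audit(netsh_output):
    """Full pipeline: parse, flag, and produce clean-up commands."""
    return delete_commands(risky_profiles(saved_profiles(netsh_output)))


def live_netsh_output():
    """Read the real profile list on a Windows host; use the sample elsewhere."""
    try:
        return subprocess.run(["netsh", "wlan", "show", "profiles"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_NETSH


if __name__ == "__main__":
    for cmd in audit(live_netsh_output()):
        print(cmd)
```

The same idea applies to the phone: go through its saved networks and forget anything with a generic name. The list in `DEFAULT_SSIDS` is a starting point, not a complete inventory; any open network you once joined in an airport or coffee shop belongs in it too.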

Tuesday, February 24, 2015

VA Secretary Robert McDonald apologizes for misstating military record - The Washington Post


You can be outraged if you can state, without looking it up, the difference between Special Forces and Rangers. How many of us can do that?  Some Special Forces don't think this is that big of a deal either. 

From the article:

Wood quoted retired Army Col. Gary Bloomberg, a former Special Forces commander, calling McDonald's claim "a boneheaded statement." But Bloomberg said he and other former special ops officers did not consider it as egregious as some other misrepresentations.

"No one got really crazy about the whole thing, compared to some of what we've seen," he told the Huffington Post. "It's a lot different from guys running around faking their special forces credentials. … I can see [other former special forces soldiers] going, 'Hey, check out this boneheaded remark,' but I don't see the gravitas that I would with a guy wearing medals he didn't earn."

Monday, February 23, 2015

What Good is Tor in 2014?

 Tor is not a privacy slam dunk. #NewAmCyber

It's probable, especially in the wake of the recent NSA revelations, that government agencies such as the NSA and CSIS sniff traffic on many exit nodes.


More:
http://resources.infosecinstitute.com/good-tor-2014/

Friday, February 20, 2015

Replacements - The Ledge Lyrics

 I have heard this song at least a thousand times, but I've never looked at the lyrics.

Wow. Strong and sad. I think I knew that kid.

I'm glad I was able to get tickets today.

See you guys in DC in May.

http://www.metrolyrics.com/the-ledge-lyrics-replacements.html

Thursday, February 12, 2015

Jeb Bush just revealed the social security numbers of a bunch of former constituents


Dear "eGovernor" Bush,
Privacy protection is an important part of the job. Who is your security officer? You have a security officer, right?

In a ham-handed effort at transparency, the likely 2016 Republican presidential candidate Jeb Bush just released a trove of emails from his time as Florida's governor—but the emails included confidential messages, personal information and even social security numbers from thousands of people. What was he thinking?

The un-redacted email dump was first identified by the Verge, which found emails that, among other things, discussed the firings of public employees. In some emails, petitioners sent their social security numbers to Bush, who was famously responsive to email inquiries from his constituents.


Friday, January 30, 2015

I was quoted in an FCW article on mobile device security.



Striking a balance with mobile device security


Agencies face a delicate balancing act when it comes to providing mobile security.

On the one hand, IT departments seek to extend endpoint security to a growing population of mobile devices. It's easy to see why: Smartphones can go missing along with agency data, and mobile devices in general can introduce malware to enterprise networks. On the other hand, employees want the ease of use of consumer technology, and agency managers covet the potential productivity boost.

More:
http://fcw.com/articles/2014/12/08/striking-a-balance-with-mobile-device-security.aspx


Saturday, January 24, 2015

Best Alternatives to Tor: 12 Programs to Use Since NSA, Hackers Compromised Tor Project

Here is a list of programs you can use now that Tor has been breached (note that some of them, like Disconnect and Peerblock, are not full-scale replacements for Tor, and Tails uses Tor):

More:
http://www.idigitaltimes.com/best-alternatives-tor-12-programs-use-nsa-hackers-compromised-tor-project-376976

Thursday, January 15, 2015

New CISSP Domains



CISSP Domains, Effective April 15, 2015

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  • Asset Security (Protecting Security of Assets)
  • Security Engineering (Engineering and Management of Security)
  • Communications and Network Security (Designing and Protecting Network Security)
  • Identity and Access Management (Controlling Access and Managing Identity)
  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  • Software Development Security (Understanding, Applying, and Enforcing Software Security)