Sunday, September 6, 2015

Apple iPhone Accounts Hacked Using KeyRaider Malware

Palo Alto Networks and WeipTech have uncovered a hack that involves over 225,000 Apple iPhone accounts so far. This hack is accomplished with malware called KeyRaider on jailbroken iOS devices. It is reported that "the malware intercepts iTunes traffic to steal data from random user accounts, whose devices have been compromised through installation of malware-ridden jailbreak apps from untrusted sources." Compromised accounts could ultimately be charged with bogus purchases by the attacker. Here is a link to an article that explains how to detect if your device has the virus and how to remove it.

http://www.ibtimes.co.uk/how-detect-eliminate-keyraider-malware-jailbroken-ios-device-1518567

Saturday, September 5, 2015

Memory Leaks and C, C++

Greetings,

I just wanted to review some quick facts about security architecture and design, more specifically memory leaks. It's a concept you should be familiar with if you plan on taking the Security+, CISSP, etc.

Characteristics of Memory Leaks

When programs are written in object-oriented programming languages, programmers need to allocate memory space for each object that is created in the program. Once the object is no longer required by the program, its memory space should be de-allocated to free up memory resources for the system to use. Some programming languages leave that to the programmer to accomplish herself. Other languages provide that capability automatically with a built-in garbage collector. When programs are poorly written, with objects using up memory and never releasing it back to the system, we call this a memory leak. Memory leaks are considered a vulnerability, and if discovered by hackers they can be exploited to crash the system in a denial of service attack.

One thing to keep in mind about memory leaks is that they are common in languages that have no built-in automatic garbage collection. Languages such as C and C++ lack a built-in automatic garbage collector and leave it to the programmer to manage memory allocation. Java, C#, Haskell and a host of other modern languages automatically get rid of objects that are no longer required by the application. It is encouraged to use programming languages that have automatic garbage collection. Even experienced programmers can have memory bugs in a program that contains thousands of lines of code.

If you are taking the CISSP examination, just remember that memory leaks are common in C, C++, and other languages that lack an automatic garbage collector, and they are uncommon in Java, C#, and other languages that do have built-in garbage collection.
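The leak described above, as an added C example that is not from the original post: a hypothetical request handler forgets to free its buffer on an error path, shown next to a corrected version. The handler names and the tracking allocator are constructed for illustration; the counter makes the leak visible as blocks that stay allocated after each rejected request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracking allocator: a leak shows up as a non-zero balance. */
static long live_blocks = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) live_blocks++;
    return p;
}

static void tracked_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Leaky handler (hypothetical): the early return skips the free. */
static int handle_leaky(const char *req) {
    char *buf = tracked_malloc(64);
    if (buf == NULL) return -1;
    if (strlen(req) >= 64) return -1;   /* BUG: buf is never released */
    strcpy(buf, req);
    tracked_free(buf);
    return 0;
}

/* Fixed handler: every exit path releases buf. */
static int handle_fixed(const char *req) {
    int rc = -1;
    char *buf = tracked_malloc(64);
    if (buf == NULL) return -1;
    if (strlen(req) < 64) { strcpy(buf, req); rc = 0; }
    tracked_free(buf);
    return rc;
}

/* Run n rejected requests through a handler; return blocks still allocated. */
static long leaked_after(int (*handler)(const char *), int n) {
    char big[128];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    live_blocks = 0;
    for (int i = 0; i < n; i++) handler(big);
    return live_blocks;
}

int main(void) {
    printf("leaky: %ld blocks outstanding\n", leaked_after(handle_leaky, 1000));
    printf("fixed: %ld blocks outstanding\n", leaked_after(handle_fixed, 1000));
    return 0;
}
```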

20 Must Have Skills for Information Security Professionals


Here are the 20 most important skills Information Security Professionals should have according to O*NetOnline.org:


Critical Thinking — Using logic and reasoning to identify the strengths and weaknesses of alternative solutions, conclusions or approaches to problems.

Reading Comprehension — Understanding written sentences and paragraphs in work related documents.

Complex Problem Solving — Identifying complex problems and reviewing related information to develop and evaluate options and implement solutions.

Speaking — Talking to others to convey information effectively.

Active Listening — Giving full attention to what other people are saying, taking time to understand the points being made, asking questions as appropriate, and not interrupting at inappropriate times.

Writing — Communicating effectively in writing as appropriate for the needs of the audience.

Judgment and Decision Making — Considering the relative costs and benefits of potential actions to choose the most appropriate one.

Time Management — Managing one's own time and the time of others.

Active Learning — Understanding the implications of new information for both current and future problem-solving and decision-making.

Monitoring — Monitoring/Assessing performance of yourself, other individuals, or organizations to make improvements or take corrective action.

Systems Analysis — Determining how a system should work and how changes in conditions, operations, and the environment will affect outcomes.

Management of Personnel Resources — Motivating, developing, and directing people as they work, identifying the best people for the job.

Systems Evaluation — Identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.

Coordination — Adjusting actions in relation to others' actions.

Instructing — Teaching others how to do something.

Negotiation — Bringing others together and trying to reconcile differences.

Operation Monitoring — Watching gauges, dials, or other indicators to make sure a machine is working properly.

Quality Control Analysis — Conducting tests and inspections of products, services, or processes to evaluate quality or performance.

Service Orientation — Actively looking for ways to help people.

Social Perceptiveness — Being aware of others' reactions and understanding why they react as they do.


Reference: http://www.onetonline.org/link/summary/15-1122.00

Friday, September 4, 2015

One Reason to Pay Cash at the Gas Pump

Today while I was at the gas pump I noticed a skimmer. I wanted to write about it to make you guys aware of this scam. To be safe, it's better to pay cash at the pump.


Certified Cloud Security Professional CCSP

I have decided to pursue a certificate in Cloud Security. All data and applications are living in the cloud nowadays. Pretty soon even the operating systems will be on the cloud too.

It's cool that (ISC)2 has teamed up with Cloud Security Alliance (CSA) to create the CCSP credential. I plan on doing consulting work in information security. This credential will definitely help me demonstrate my knowledge about cloud security.


Certified Information Security Professional

It's official, I'm a CISSP now. After several weeks of study and review, I took the exam for the first time and passed. I was sweating bullets that morning for six hours, thinking to myself that I had failed the test. I was surprised to see the word "congratulation" on the piece of paper the proctors give out at the end of the exam. Too bad ISC2 does not give out a score--I really want to know how well I did on the exam. I felt like I did poorly but that might just be me being too hard on myself. I think I might have even overstudied for this test.

One thing I would recommend to CISSP candidates is to consider free study guides first before spending thousands on training seminars. You can save money by self-studying. This is already an expensive exam to pay for. Now, if your employer is paying for your training then by all means take advantage of it. The reason I'm recommending self-study is that the topics and sub-topics are not that complicated. This exam is a "mile wide and an inch deep". If you can find enough time to go over all the material thoroughly then you will most likely pass it.

To all those planning on taking the CISSP exam, good luck.

Sunday, June 23, 2013

NSA Whistleblower Edward Snowden is Proof that Humans Are the Weakest Link in Security Systems

I've said it before in my other blog posts that regardless of how secure you think a system is, there is always the chance of a compromise. You would think that out of all people the CIA would have known this. For this post, I'm going to focus on the biggest reason for system vulnerability--humans. Internal controls may be put in place to mitigate risks, and employees, for whatever reasons, will find ways to circumvent the controls. The computers, network devices, and software will malfunction here and there, but when you compare their efficiency with humans, hardware and software are more reliable.

In Edward Snowden's case, he rationalized that he had justification to violate his organization's policy. NSA may have some shortcomings that violate the public's privacy, but I think Snowden went about this the wrong way. Just my humble opinion. Was Edward Snowden ethically right or wrong for leaking details of a classified NSA mass surveillance program? It's hard for me to really answer that. The lesson to learn here is that people in your organization will be the most likely cause of information leaks. People will always rationalize to justify the reason for violating company policy.

Some may argue that Edward Snowden just wanted publicity or some may say he was genuinely looking out for the American public. I say beware of who you trust with your information.