Observations on information security.

The First Textbook Certified by the NSA

I received an email this morning announcing that Elementary Information Security has been certified by the NSA's Information Assurance Courseware Evaluation program as covering all topics required for training information security professionals. Here is the certification letter.

This is the first time they have certified textbooks. In the past they've only certified training programs and degree programs.

The evaluation is based on the national training standard NSTISSI 4011. The book also covers the core learning outcomes for Information Assurance and Security listed in the Information Technology 2008 Curriculum Recommendations from the ACM and IEEE Computer Society.


Replacing a Hacked Password

I just received a couple of spam emails from a friend who had had her email account hacked. The hacker sent the spam to everyone on her contact list. Here's what I told her:

First, replace your old password!

Second, choose a password that can't be guessed based on text in your emails!

Third, write down the password. Keep that piece of paper till you remember the password without looking.


A Hack at Best Buy?

This morning I received a flurry of unexpected email messages from Best Buy's "Reward Zone," one of those preferred customer programs. I was reading email when the messages arrived, so I immediately tried to log in to the account and check its status. I couldn't log in, so I immediately called Best Buy.


Passwords and Entropy

My friend and colleague Al Dowd pointed me to Troy Hunt's blog post last April on password entropy.


The Ultimate USB Attack

After finishing a blog entry about the Homeland Security test using hacked CDs and USB drives, I took a look at a much nastier - though more expensive - attack.


Penetration via Human Nature

Bloomberg has posted an interesting summary of recent hacker triumphs based on social engineering attacks. The fundamental piece of hard news was that the US Department of Homeland Security ran a test last year in which they dropped CDs and USB drives around near some US government offices. The test detected that 60 percent of these were inserted into government computers.


Looking at Lulz

I've been looking at the various files LulzSec has uploaded from their victims. These include Sony (several different sites on separate occasions), PBS, the game company Bethesda, Fox TV, Nintendo, and a computer security company called Unveillance. They actually defaced the PBS site, posting a bogus article claiming that dead rapper Tupac was located alive.

They also extracted the hashed password file belonging to the Atlanta chapter of Infragard, an FBI-affiliated organization, and cracked a bunch of the passwords. The site is now offline.

My initial impression is that these folks are using some fairly simple attacks, like SQL injection, to retrieve a lot of the data. Note that in most cases they didn't actually deface the victim. I suspect they would have if they could have. Thus, they're taking advantage of the weaknesses they do find.


"Cracking" Passwords

There's been buzz in computer hardware blogs over the past few days about how faster processors (and GPUs in particular) are rendering strong passwords "useless." One experimenter, named Vijay Devakumar, posted a description of his success at cracking passwords, which has been recently picked up by bloggers on


RAID Backups Redux: Snow Leopard

Grumble, grumble.

There has been an update to the DiskUtil program that prevents my RAID backup procedure from working.

The version I am running - Version 11.5.2 (298.4) - no longer provides a "Remove" or "Demote" function when a RAID drive is missing or offline. I've found two ways around this. I recommend the first approach for regular use. The second is only provided to illustrate a bizarre feature of Apple RAID.


More on Comodo

A fellow calling himself (herself?) "ichsun" claims responsibility for breaking into the Comodo CA to create bogus certificates.

He has posted (pasted, actually) a series of statements on Pastebin that describe what happened and provide some evidence to support his claim. Note that the link above will probably go sour in a while, since Pastebin's policy is to recycle the pasted storage periodically.
