Monday, December 27, 2010

Bank of America Suffers DDoS Slowdowns

Read full article at Bank of America Suffers DDoS Slowdowns

Regards
John Crawford

AutismZone
Accokeek Computers
Mamas Best Recipes
The Cartouche - Science Fiction Reviews



Monday, December 13, 2010

Training Camp For Your DODD 8570-1 Requirements

I've taken all my IT training through TrainingCamp. Their instructors are the best in the business; you'll get the finest training available. TrainingCamp can provide all your U.S. Department of Defense Directive 8570.1 certification requirements. Among others, these include CompTIA A+, Network+, and Security+, ISC2's CISSP (Certified Information Systems Security Professional) and SSCP (Systems Security Certified Practitioner), and ISACA's CISA (Certified Information Systems Auditor).



Read full article at Training Camp


Monday, November 29, 2010

Iran admits uranium enrichment centrifuges hit by malware - Yahoo! Singapore Finance

Just goes to prove that no system is immune to infection.

Read full article at Iran admits uranium enrichment centrifuges hit by malware


Sunday, November 21, 2010

Happy 25th Birthday to Windows 1.0: The Bland Bust that Started it All

Many who will read this aren't old enough to remember 1985. 1985 was the year of "Back To The Future"; I saw it in theaters, with my wife. That was the year I bought my first computer. No, it did not have Windows on it. We went to this computer store in Fayetteville, NC. I remember the salesman showing us an IBM PC, you know, they had the clickity-clack keyboard and green screen? Instead we bought a Kaypro computer. It used CP/M. I'm not gonna attempt to tell you much about it; here's a link to it: KAYPRO.

Read full article at Happy 25th Birthday to Windows 1.0: The Bland Bust that Started it All


Monday, November 8, 2010

Protect Yourself from Programs Hackers use to Read Your Wireless Emails

The article doesn't go far enough. With this freely available tool, and almost no knowledge, a hacker can not only read your email and post to your accounts, they can literally take control of your computer and use it to commit any number of computer crimes. All without the knowledge of the user, and all audit trails will lead to the user.

For the ethical hackers in the audience, here's the link to Firesheep. Contrary to the article, it is not a Firefox add-on, at least it's not available at Mozilla.org.

Read full article at Protect Yourself from Programs Hackers use to Read Your Wireless Emails


Friday, October 22, 2010

The Road to CISSP: Final Chapter

The wait is finally over. After nearly 18 months of study, two CISSP seminars, and a few thousand dollars, I finally passed the CISSP exam on September 26th. It was brutal, taking me exactly 5 1/2 hours to complete, with only one break. I was sick on the drive home, convinced I had just blown more than $1300 for the hotel stay and exam, not to mention 40 hours of leave from my job.

But, I felt much better after I got home and went through the material to check on some of my answers. Still, the CISSP exam is one of those things that very few people feel good about when they are done. It is unlike any other test you may take; it's rare to find a question you can just open the book and find a direct answer to.

In fact, it's quite common to read a question and say to yourself "oh, I know the answer to this one", only to find none of the given answers fit. The moral of the story is that in a perfect world you get a perfect answer. Information Security, though, is not a perfect world, especially when you have a business to run, a finite budget, and a long list of things to do with that budget. On the exam, it's rare to get a question where the optimal answer is one of the choices.

As a person with an IT technical background this was particularly hard to grasp. In the Microsoft world, the answer to an exam question is always whichever is the Microsoft best practice, and you can usually point to one of Microsoft's textbooks for a direct answer. CompTIA and Cisco are much the same.

To be honest I was shocked when I got the email; I read it several times to make sure I read it correctly. After I finish the application process, which involves an endorsement by another CISSP and submitting a resume with all relevant experience, in a month or so I'll get the certification.

Part I

Part II

Part III



Sunday, August 1, 2010

UAE to Suspend Blackberry Service on Security Fears

This is disturbing, something you don't like to see in a government as a whole. The excuse points to national security threats, but that's just a convenient way to clamp down on human rights. And what is next? If their real concern is national security, then Blackberry usage is just one part of a big can of worms. What about SmartPhones, or internet and message access in general for mobile phones? It can't be far behind.

The reality is the advantages of having an open society with this kind of technology far outweigh the disadvantages. At least that's the way we see it in the free world.

To be honest, I know nothing about the political makeup of the UAE or its leaders, nor its history. I'd have a hard time finding it on a map. But it doesn't take a rocket scientist to see this suspension is much about political maneuvering and much less about security.




UAE to suspend Blackberry service on security fears


Friday, July 9, 2010

The Road To CISSP, Part III

It was a long horrible winter, but now that summer is here I am making plans to go back to the CISSP seminar before October. This time I'm armed with all the class materials and notes from the seminar. There's tons of material covered in the seminar that cannot be found in off-the-shelf books. The experience of going through the seminar and sitting for the exam is invaluable.

The other big stumbling block was my technical background, and lack of managerial focus. That's not to say that computer geeks are too anal retentive to master the CISSP exam. In my experience, and I emphasize, in MY experience, those people who have a background in network management seem to excel with their CISSP endeavors more so than us PC and server people. I know that my biggest hindrance was that I think like a technician, and much less like a manager. But that's my job. The CISSP exam is really much less about Information Security than management. I'm completely convinced that all managers that have even the smallest dealings with computers, networks, or any electronic information, should be required to attend the CISSP seminar.

I was troubled, though, by what I heard from many of the other students. While a few of us were technicians and this is a logical career progression, only a handful of the students were actually doing any type of security work. The rest sounded like a broken record with the same reason for attending. Due to some new law, regulation, or upper management decision, they were "drafted" to attend. Some had no real idea what CISSP was, and did absolutely no pre-studying. Let's hope those people went back to their employers and advised them whom they SHOULD have sent or should send to the CISSP seminar.

If you're familiar with the United States Department of Defense (DOD) Directive 8570-1M, then you know there has been a huge push for the last few years to get their IT workforce security trained and certified.

Now if you're not familiar with DOD 8570-1M, it's an Information Assurance (IA) program to require training and certification for both IA technicians and IA managers. It has its good and bad points. It raises the bar for getting an IT job DOD wide. But at the same time I think it has diluted the quality of achieving certifications. Take CompTIA Security+, for example. I thought it was a difficult exam; I took it during the MCSE boot camp. We didn't use the freebie practice questions off the net like some schools do. They gave us a 380 page Powerpoint file to study. You had to know the difference between MAC, DAC, and RBAC; you had to know the difference between brute force and birthday attacks. But many thousands of people, with zero experience, simply study the practice questions freely available across the web, and pass the exam as well.

Let me clarify, I'm not completely against using practice questions. If you are experienced, and you use authentic study resources or attend training, practice questions can help highlight knowledge shortcomings against the exam objectives. The ethical dilemma arises because just about every batch of practice questions freely available (and even those you can pay for) has actual questions, word for word, from the real exams. Using them is a line you should think hard about before crossing; Microsoft, CompTIA, Cisco, and lots of other vendors will ban you for life if you get caught. From that point you'll be making a career change, because you won't be working in IT anymore.

Fortunately, I think the CISSP exam is still immune to this. This is due in no small part to ISC2's circa-1970s method of administering the exam: pencil, paper, and a mark-sense form. The exam questions are so widespread, not to mention they have thousands of questions in the pool, plus variations. I'd almost say it's next to impossible to completely prepare for the CISSP exam and know going into the exam with any certainty that you are going to pass. It's the only IT exam I've ever taken that I didn't know beforehand whether I was going to pass. Not many CISSP examinees have a warm and fuzzy about the outcome when the proctor tells them to break the seal on the exam booklet and begin the exam.

When I said that I felt it was more of a management exam, I was referring to the constant juggling that managers do with money, people, safety, reputation, etc. In any given circumstance, any one of those could be the most important item. You have to think like you're the top security person in the company. Security is not an absolute, black and white thing like it is for a server administrator or a firewall engineer. For example, server administrators routinely implement group policies, such as requiring a 17 character complex password with special criteria. Risk is mitigated by tightening access. The CISSP has to balance the requirement for increased access security with its users' ability to continue to perform their jobs. That may seem like a no-brainer at first glance, but what if there are remote users coming in through a slow VPN connection that times out before the increased authentication requirement can be facilitated? What if your users have legacy computers that cannot use passwords longer than 8 characters, and replacing those systems is not an option? Not so black and white anymore.

You can be an expert at configuring firewalls and servers; you can be the best Active Directory engineer to ever breathe the name Microsoft. None of it will help you on the CISSP exam. You need to be able to advise the Company CIO, DAA, or other leadership on the best course of action to secure his (or her) network. It has to be within the company's financial reach, it has to adequately safeguard the company's information, risks must be mitigated or eliminated; additionally, it must allow the company to continue its daily business and it certainly cannot negatively affect profit. The employees have to be trained in security appropriate for their responsibilities. And did I mention the ever growing list of state, federal, and international laws, guidelines, standards, best practices, etc.?

As the top Security person in your company, every decision has to be weighed against the company's bottom line, liability, business goals, objectives, and day-to-day operations, at least for the CISSP exam.

Doesn't sound that difficult, right? Been there and done that, and it's not a walk in the park by any stretch of the imagination. It's 6 hours of mostly silence, where your peripheral vision is the width of your desk. Your hand cramps from writing so much, but after sitting through the seminar, the hand hurts before you start the exam. You sweat, and tense up, and your eyes hurt. For us older people, we get flashbacks of being back in high school (back when pens weren't allowed in the building and the only keyboard was on an IBM Selectric typewriter). You can take breaks, but with 250 questions, you have to budget your time closely.

Chances are, you'll be a zombie for a day or more after the test. You'll get to work on Monday (ISC2 does a lot of testing on Sunday), and you'll be spouting all this new knowledge to anyone that will listen: "Did you know...?" "Hey, you know how we do it this way? Well, that's wrong." Other than failing the exam, the other thing I found hard to live with was the realization of the things that are totally screwed up in my organization and networks. I just spent a week getting educated on all the best security practices - period. If you're just an insignificant nobody like me, that has absolutely no influence over anything, they can be very large and bitter pills to swallow.

I hope this was informative. I'll be publishing another article soon on my Windows 7 adventures. I certainly appreciate your indulgence, so I leave you with this. Like my best friend and mentor at work reminds me daily "John, some days it's not worth chewing through the restraints." Keep the faith!



Sunday, April 18, 2010

Microsoft slams coffin lid on Vista

OK, with a show of hands, who didn't see this coming? Seriously, the handwriting was on the wall when Microsoft put out Windows 7. Windows Vista will go into the history books in the same category as Windows ME, a BUST.

Funny thing is, where I work we are actively fielding Vista, as per U.S. Air Force directives. The rumor on the street, however, is the DOD is close to releasing Windows 7 for use. This would be a sweet change from the many operating system transitions in recent history that have taken 2+ years, after public release, to approve for DOD use.

I bought a Dell touch screen computer that came with Windows Vista Home 64 bit, and Dell sent me a free Windows 7 upgrade. I waited to set up the machine until I had the upgrade, so I basically had a fresh Windows 7 installation on a new PC. It's much cleaner and lighter than Vista, and its Microsoft support hasn't expired.


Microsoft slams coffin lid on Vista • The Register


Wednesday, February 10, 2010

Anonymous Unfurls

This is disturbing. To think there are entities out there that wield such power. There's a YouTube video that was sent to the Australian government, telling them of the impending DDoS attack (or Distributed Denial Of Service attack). The audio portion is the warning; the video is just a bunch of scenery footage that is unrelated to the audio. Apparently this group takes its porn seriously, and is quite resentful of the Australian government's attempts to censor it.

The DDoS was so severe, according to the article, "Parliament’s website was felled after getting 7.5 million hits a second. Usually, it receives a few hundred a second". That's pretty massive. Let's hope these people are patriotic enough to be on our side when there's a crisis and those critical systems really need to be operational.

Read More http://www.wired.com/threatlevel/2010/02/anonymous-unfurls-operation-titstorm/#ixzz0fB7uq4m3



Anonymous Unfurls ‘Operation Titstorm’
