Silicon Shecky

Infosec Practitioner

Connect

Not Much This Time

By Leave a Comment

So after the last 2 posts, This one is going to be pretty short.

The rage over certifications on twitter continued for a few days. It seems to have calmed down again. End result to me is, people are people and opinions are, well you know the rest of that old line.

Brakeing Down Security announced that Amanda Berlin (@infosystir) will be giving a version of the course she gave at the O’Riley conference “Disrupting the KillChain” Starting Feb 4 through their Slack channel. Cost is $90 for the live course and $40 for early access to the videos, if you do not want to do the live course but want to see it early. This should be a great course and thanks to Brakeing Down Security for coming up with inexpensive training for us in the infosec space. Hit her up on Twitter for access to the Slack.

Patches for Meltdown/Spectre are still causing issues all over the place. If you are patching for it, best to do it on a machine that can be reloaded from scratch.

That is all I have this week.

Time for a rant

By Leave a Comment

This post is going to piss some people off, if they read it. I love the infosec community as a general statement, but there are things that get under my skin. I understand people have opinions and thoughts, but sometimes the “rockstars” can go too far.

Dan Tentler, @viss on twitter, recently went off on certifications and using the letters after your name. If someone who is respected wants to go ahead and unfollow people and not communicate with them because they put CISSP or GCIH or OSCP after their name that is his prerogative. Slamming people for wanting to show off their hard work, especially on a more professional social media platform like LinkedIn, that is something that bugs the hell out of me. Other professions, say Doctor, Lawyer, Professor, will put those letters that they worked hard for after their name, and rightfully so, without anyone shaming them for it. Why should our profession be any different?

I know that there is a lot of controversy about certifications. I know some like the CISSP might not be thought of highly inside our profession. Still we have a lot of us who have not only gotten these certifications, but actively work to keep them through CPEs. Some certifications are thought of as mills due to them just being about memorization, yet those same things that are supposed to be memorized are, in a lot of cases, the foundations of understanding security. They are not the be all end all, but are an important building block.

The next thing about using the certification letters after your name, it allows people to see you accomplished something. Looking at the ISC(2) site as of January 1, 2018, in a world of a few billion people, there are 122,322 CISSPs (based on ISC(2) showing how many members have that certification). Over half of those are in the U.S. (79,617). Now you put it in different spots on LinkedIn and it becomes easier for recruiters to find you. It also shows you had the initiative to get training, and see it through to completion. That is big in the world of HR, especially considering how many of us do not have college degrees or degrees in something other than IT. Even then, we still posh people who have not come up through the ranks at times, but I digress. The point is that a certification can differentiate one from others, give them a leg up on getting a job.

Final point for this rant is personal vindication. The amount of times I hear/see people, including myself, talk about imposter syndrome. The amount of low self esteem in our industry is amazing. Working hard to get a certification, any of them, is something the individual should be proud of. Recently, not only I, but a few others I know of have gotten or are studying for the CISSP exam. Two of us passed and both had the same thing, we were exhausted after the exam. The four of us have been averaging 3-6 months of studying for the exam. That is a lot of work and effort for a “mill” exam. The people I know who have been working on and getting their SANs cert take the class and then take another month or two at least before taking the exam (I have seen 6 months sometimes) and those are open book exams. Why should we be ashamed of showing we worked hard to achieve something? We should be proud of it, and not afraid to show it.

Yes there are people out there who should not have X certification and have it anyways. There are people who should not be Doctors, Lawyers, Nurses and more who have passed the requirements an are one. You should evaluate each individual on their own merits, not shove them or praise them just because of the letters they have earned that are after their name. We say we need more people in our field, we talk about mentoring, but when we turn around and then decide that we look down on people who have a certification, we defeat our purpose.

We are headed for a Spectre of a Meltdown

By Leave a Comment

Time to talk a bit about Spectre and Meltdown. I know, I touched on these two last week, but there is more to discuss. There are things afoot with these two that have given me some thoughts. No, I do not think the sky is falling.

I am going to start with a little tweet that I saw:

Worrisome? Yes. Sky is falling? No. Outside of a POC with JavaScript, I have heard nothing that does not show these bugs are LOCAL which is even mentioned in the CVEs. Add on they are Data Leak and not RCE (Remote Code Execution for those unfamiliar with the term). This demo shows though that there is code to take advantage of Meltdown/Spectre. Seeing something like this makes me believe that there is code used in the wild that we do not know about yet. So, what we need to do is update ourselves. Keeping an eye on processes through things like CarbonBlack Response or similar types of tools might be able to give us some insight into this sort of exploit happening. Once Alex releases his code, it will be easier to create alerts and watchlists for such activity.

Next up on my parade with Spectre/Meltdown is IoT. We all know that IoT can be difficult at best to update. So much hard coded passwords, or no security really at all in the devices. You might think, so what if my fridge is leaking data? OSINT, passwords for Google or Amazon, what apps do the devices use? There are so man possibilities. Smart TVs, think about that. There people have passwords for Hulu, Amazon, Netflix, etc… let alone viewing history and other data. How fast are patches going to be put out for those items, and will those patches be worse than the potential exploit? Which brings me to the final thought for this post…

Ever heard of the cure being worse than the disease? This statement was a fact with the Microsoft patches. AV could cause blue screening and bricking of systems as well as just having an AMD chip. It has been said that companies like Microsoft had known about Spectre/Meltdown for a couple of months prior to the disclosure. You would think they would have been building and testing patches for it for a while if they did. Instead, it looks like the patches were rushed out. So Microsoft has stopped sending out patches in certain instances. I keep hearing conflicting reports that the key that AV vendors are supposed to put in is required not just for the Spectre/Meltdown patch but without it, all patches will stop (if you have automatic patching set up). That could affect home users big time. Mind you I heard about that from Smashing Security’s podcast on 1/11/18.

Still I maintain that more is being made out of this in the mainstream media in the wrong way. Especially as far as IoT goes, this could be a great tool to start forcing those device makers to do a better job with security overall. Once again though, I think being vigilant is the best solution at this time. Keep our heads up, and watch for the signs, test the fixes, and go about our daily business. Interestingly enough a major security issue with Dell EMC happened and was not mentioned while we have been freaking out about Spectre/Meltdown. Time for us to stop melting down about this one I think.