Tag Archives: security+

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October, 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this.  Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

Understanding success in an information security job

There is a basic truth of information security jobs that can be intensely frustrating to some people but represent an exciting challenge to others: your guidance on improving security and reducing risk will often be ignored.

Many security professionals have a difficult time with the feeling of being ineffective. You can spend considerable time on a project that includes recommendations on improving security, and many of those recommendations might be disregarded. A track record of such events can make most professionals feel like a failure.

A security professional needs to understand that they are a change agent. Because information security practices are often not intuitive to others, your job will often involve working with others so that they will embrace small or large changes and do their part in improving security in the organization. To be an effective change agent, you need the skills of negotiation and persuading others to understand and embrace your point of view and why it’s important to the organization.

You need to realize, however, that even if you are a skilled negotiator, you still won’t get your way sometimes. This should not be considered a failure, and here’s why: it’s our job to make sure that decision makers make informed decisions, considering a variety of factors including security issues. As long as decision makers make informed decisions (meaning, we have informed them of the risks associated with their choices), we have done our job, and we need to be comfortable knowing that sometimes decisions are made that we don’t agree with.

– Excerpt from Getting An Information Security Job For Dummies, to be published in 2015

Breathing new life into old hardware with Ubuntu

I’ve got a five year old Compaq laptop computer that ran Windows XP Pro for years (except for a time when I ran Vista in order to write an e-book on Vista security). With additional patches over the years, the system has been running more slowly, even after performing a lot of work to optimize performance.

I also have security concerns. This computer is used by other family members (including teens) who are less security-conscious than I am.

After saving some personal data, I’ve removed Windows and installed Ubuntu Linux.  The install procedure is very simple. If you are wondering whether it will run on your hardware, you can boot it and run it from CD-ROM to see whether all of your hardware is supported.  Critical were Ethernet, WiFi, and USB drives. All worked flawlessly – so last night I installed it over WindowsXP (and am hoping that I won’t regret doing a dual-boot first). Today I am installing updates. After that I will re-create all of the same user accounts and restore users’ bookmarks (browser favorites) and files.

Not counting work computers, this now makes the computers in our home running mostly Unix. My Macbook runs Leopard, and the Compaq runs Ubuntu. There is a Windows XP Pro running on a desktop computer, and we have a little Acer netbook that runs XP.

Sept Scientific American on security and privacy

Bookmark This (opens in new window)

The entire September 2008 issue of Scientific American magazine is devoted to security and privacy.  I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

CISA forum guides certification candidates

Bookmark This (opens in new window)

CISA ForumThe CISA Forum is an online community whose purpose is to assist CISA candidates in their studies towards the Certified Information Systems Auditor certification.  The forum, started in 2002 by Peter H Gregory, CISA, CISSP, is hosted by Yahoo Groups and has more than 3,000 members.

“The forum has helped many achieve their certification through lively discussions about the security audit profession and the CISA exam itself,” Gregory states.  “I started this forum as a way to help new CISA candidates and to provide a platform for others to help these new candidates.”  Gregory encourages newly-minted CISA holders to stay on the van and help others on their way.

The CISA Forum is open to all who possess the CISA certification or are interested in attaining it.


The CISA certification is owned and managed by the Information Systems Audit and Control Association.  ISACA does not endorse or sponsor the CISA Forum.  Read more about the CISA certification here.

About ISACA.   With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

CISSP one of the hottest certs for 2008

Bookmark This (opens in new window)

Tech RepublicToni Bowers, senior editor for Tech Republic, cites CISSP as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “With CISSPs earning $94,070 a year on average, it’s easy to see why Trapp puts this one on the list. (Note that the exam costs $500, lasts up to six hours, and includes 250 multiple choice questions.”

CISSP for Dummies, 2nd editionLink to full article here.

Study for the CISSP certification with the best-selling CISSP study guide, CISSP for Dummies, here.

Security+ one of the hot certs for 2008

Bookmark This (opens in new window)

Tech RepublicToni Bowers, senior editor for Tech Republic, cites Security+ as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “Growth in Security+, which covers topics like communication security, infrastructure security, cryptography, access control and authentication, shows no signs of slowing down. According to Michael Trapp, writing for knowhow-now.com, “Comptia’s Security+ Credential is must have in today’s world.”

Link to article here:


securityplusfd.jpgStudy for the Security+ certification with the best-selling Security+ study guide, Security+ Certification for Dummies, here.

Security+ Study Guides

Bookmark This (opens in new window)

There are several books in print that the Security+ candidate can use as a study aid for the Security+ exam.

CompTIA Security+ Study Guide: Exam SY0-101CompTIA Security+ Study Guide: Exam SY0-101 by Mike Pastore and Emmett Dulaney

The Ultimate Security+ Certification Exam Cram 2 Study Kit (Exam SYO-101) (Exam Cram 2)The Ultimate Security+ Certification Exam Cram 2 Study Kit (Exam SYO-101) (Exam Cram 2) by Que Certification

Security+ Certification All-in-One Exam GuideSecurity+ Certification All-in-One Exam Guide by Gregory White

Security+ Guide to Networking Security Fundamentals, Second Edition by Mark Ciampa

Security+ Study GuideSecurity+ Study Guide by Ido Dubrawsky, Jeremy Faircloth, Michael Gregg, and Eli Faskha

Security+ Certification for DummiesSecurity+ Certification for Dummies by Lawrence H. Miller and Peter H. Gregory

A Real World Guide to CompTIA Security+ SkillsSecurity Administrator Street Smarts: A Real World Guide to CompTIA Security+ Skills by Michael Gregg and David Miller

Most Americans favor increased surveilliance

Surveillance cameras

Bookmark This (opens in new window)

A recent ABC News poll shows that seventy-one percent of Americans are in favor of increased video surveillance in cities as an anti-crime measure.

London’s “Ring of Steel” surveillance system is the model for U.S. cities that are considering similar systems, including New York, Chicago, and Baltimore.

Poll results here:


More articles:


New York City plans “ring of steel”:


Border patrol checking Seattle island ferry runs for dirty bombs:



Bookmark This (opens in new window)

Great Computerworld article on CIPAV. And there’s more to come: Computerworld filed a FOIA (USDOJ site here) request to get more information.

Questions answered include:

  • What is CIPAV?
  • What does CIPAV do?
  • What happens to the data the CIPAV collects?
  • Does the CIPAV capture keystrokes?
  • Can the CIPAV spread on its own to other computers, either purposefully or by accident?
  • Does CIPAV erase itself after its job is done?
  • Does the FBI have just one stock CIPAV model?
  • How did the CIPAV get onto the targeted computer?
  • Is CIPAV related to “Magic Lantern”?

Full article here:


Disclaimer/disclosure: I’m an InfraGard member. In my writing about CIPAV, I’m providing only information that has already been published.

my personal position on the FBI’s CIPAV capability

Bookmark This (opens in new window)

In the days since I posted a story on the FBI’s use of CIPAV (which may be their “magic lantern” capability), my blog has been visited by many individuals who are trying to figure out how to detect whether CIPAV is running on their systems and, if so, how to disable or remove it.

Sorry, can’t help you. Won’t help you.

As a security professional, I deeply understand the concern about spyware, key loggers, and other tools that track our movements and even our keystrokes. When they originate from commercial or malicious sources, of course I want the ability to detect, disable, and remove. I wrote a book on the subject three years ago.

But when law enforcement obtains a court order and uses the same sort of software, I will not publicly discuss if such capabilities exist or how they work. Being an InfraGard board member, I have visibly close ties with the FBI and other branches and levels of law enforcement. As my disclaimer reads, I am 100% white hat. I support law enforcement as long as law enforcement is acting within established laws. My disclaimer is reproduced below.

My professional codes of ethics ((ISC)², ISACA, GIAC, InfraGard) forbid me from activities that give even the appearance of impropriety. Hence, I do not possess, and never have possessed, nor downloaded, examined, or viewed, any tools that can be used to exploit weaknesses. I do not associate with those who do. I am 100% white hat.

FBI implanted spyware leads to arrest of bomb threat suspect

Submit: Add to your del.icio.us Digg This Slashdot GotNews StumbledUpon Reddit

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections.

My earlier blog entry on whether anti-virus can detect law enforcement-installed malware.

Entire story here:


AV vendors will block law enforcement key loggers, for now

Bookmark This (opens in new window)

Updated 7/19/07: FBI nabs bomb threat suspect with spyware
Updated 7/19/07: Policeware: the spyware used by law enforcement

A recent case that was heard by the U.S. Court of Appeals involved law enforcement use of a key logger on a suspect’s computer. The case involved a suspected illicit drug maker that was under investigation by the U.S. Drug Enforcement Agency (DEA). The DEA obtained permission from a judge to install key logging software on the suspect’s computer in order to harvest passwords for PGP and Hushmail encryption.

This case highlights a question that I’ve been thinking about for years: would my anti-virus program alert me to the presence of key logger software, even if it was installed by law enforcement? C|Net News interviewed representatives from several anti-virus/malware companies and got answers to that question. Would the following vendors’ programs detect key loggers even if installed by law enforcement?

▪ Grisoft/AVG: Yes
▪ Checkpoint: Yes
▪ Computer Associates: Yes
▪ eEye: Yes
▪ IBM: Yes
▪ Kaspersky: Yes
▪ McAfee: Yes
▪ Microsoft: Yes
▪ Sana: Yes
▪ Sophos: Yes
▪ Symantec: Yes
▪ Trend Micro: Yes
▪ Websense: Yes

C|Net News also asked these vendors if they had ever received requests from law enforcement (including subpoenas) that their products not inform a specific user of the presence of a law enforcement installed key logger. Some of the companies have a policy to not discuss specific dealings with law enforcement – and the rest said they had received no such request.

I am wondering just now – what would McAfee, Trend, Symantec, or any of the others do if law enforcement DID request / require that their products not report the presence of a key logger. How would they accomplish that feat? I can imagine a number of scenarios on how that would be accomplished:

  • The specific anti-virus vendor would design in a mechanism that would silence the software’s alert of a key logger if it received a specific signal from the vendor’s update service. To accomplish this, the vendor would have to know precisely which PC should be silenced, and be able to do so silently.

Other, less serious, alternatives come to mind:

  • Law enforcement could sneak into the suspect’s computer and run a program that would disable anti-virus programs’ ability to detect or report the presence of the key logger. I can easily imagine malware that would perform the same disabling feature in order to hide its own key logger. Some malware already has the ability to completely shut down anti-virus programs, firewalls, and so on, so this capability is not that far-fetched.
  • Law enforcement could send an e-mail to the suspect, where the e-mail either contained an executable, or a URL to a law enforcement website. “Please run this program or visit this web site so that we can install a key logger for you.” Uh huh.

Remember: anything that law enforcement can do, hackers can do. In fact, hackers are often one step ahead of law enforcement, experienced with the illicit installation of key loggers.

Anyway, I can imagine a future where law enforcement may have the ability to get key loggers onto computers, and at the same time get anti-malware programs to look the other way. But I expect that there will be capabilities of detecting and disabling such key loggers: hackers are notoriously anti-law enforcement and they would quickly fill the need to detect and block law enforcement key loggers.

In the meantime I can think of a few countermeasures:

  • Regularly scan your computer with one of several available online malware scanners (see this tip for more information).
  • Run one or more anti-rootkit programs to scan for rootkits (I feel that key loggers and/or the means for blocking anti-malware’s alerting it may be done by rootkits).
  • Switch your OS: use MacOS or Linux instead of Windows.

I have a feeling that the Electronic Frontier Foundation and the ACLU will be watching these developments.

Links to stories: