So let me ask the Islanders some questions: Do you think this is responsible reporting? Is it right to publish the locations of the Nations secrets to the world? If you’re outside of the US, how would you feel about this in your country?

Lee Mangold is an Information Security expert and contractor for the US Department of Defense and the US Army. The views expressed here are not necessarily the views of the United States Government in any way.

The Name

The name is probably the worst part about this exam. This exam (and the coursework) won’t make you ethical and it won’t make you an elite (1337) hacker (h@x0r). Surprisingly the DoD got this right when they called it a “Baseline Certification.” It teaches you the common basic methodology that crackers use every day, how to counter some of them, and most importantly the laws around hacking/cracking and doing it legally!

The Content

The exam is in revision 6 now, and tests a wide range of techniques from reading and analyzing TCP dumps and Snort logs, understanding the OSI model, how to use many of the common exploit tools, recognizing the exploits and their uses, and so on. The exam and coursework also teaches the common tools used by crackers and pentesters, how to use them, and why. This is actually a very ambitious certification, in my opinion.

The Exam

Having taken the GSLC and other many other DoD and commercial certs, I can tell you that this exam is no easier than any other. Perhaps this is new to version 6, but this was NOT an exam to take cold with little experience. The questions were very both realistic and fair. I’ve read reports of people even taking 4 hours on the exam – I’m not sure how that’s possible, but…

The Value

Is this going to make you a hacker? No, and that’s not really a fair question. The CISSP won’t make you a security expert either! What it does is 2-fold: 1) It teaches the novice the basic concepts and leads them down the right path to further their education, and 2) Makes you a little more marketable. If you don’t agree with #2 and you’re a hiring manager, I recommend you take this exam to understand what it’s all about. I think you’ll be pleasantly surprised.

My Conclusion

I have to go back to DoD guidance on this one (as scary as that may be): This is a BASELINE certification. It doesn’t mean you REALLY know what you’re doing! But I will say this, all things being equal, I would take a CISSP with CEH over just a CISSP any day of the week. It’s easy to negate this certification due to its name (as I did for quite a while), but after taking it myself I have a much higher respect for the CEH – version 6 at least.

Lee Mangold is an Information Security expert and contractor for the US Department of Defense and the US Army. The views expressed here are not necessarily the views of the United States Government in any way.

The details are sketchy – as they should be – but the idea is that the NSA is going to be placing IDS sensors across the country, primarilly targeting critical infrastructure. Sounds harmless (and beneficial, to me), but the Raytheon leak used the term “Big Brother”, so of course this became newsworthy!

The obvious concerns are that now the NSA is going to be tracking your every move, every website you go to, everything you buy, how much power you use … and not just you, but everyone in the country!! (please note the sarcasm)

Wallstreet Journal: U.S. Plans Cyber Shield for Utilities, Companies

Merging two blogs

WordPress makes this easy. While I could go through each of the posts, duplicate them, add comments and so on that’s far more time consuming than I want to worry about! Luckily I just had to go to WP-Admin->Tools->Export on the old blog and export all my data. This saves an XML file to your local computer. Then, go to the new blog and import the XML file from the old blog at WP-Admin->Tools->Import. It was that easy. I’ve used this method in the past for a complete restore, but never for a merge. Seemed to work very well.

Redirecting users

I don’t want users to continue to go to my old blog, but I also know that some users have bookmarked a few of my pages. I installed a module called Redirection on the old site and set each page to redirect to the new site. The redirects MUST be 301′s (Permanently Moved) otherwise search engines like Google will choke.

Google Webmaster Tools

If you use Google’s Webmaster Tools (which you should), you’ll want to go to (within Webmaster Tools)  Site Configuration->Change of Address   and move the old site to the new one. While you’re there, go ahead and resubmit a new sitemap!

Cleaning up the mess

Unfortunately, once all this is done, you may have duplicate “Categories”, post, etc…that’s the fine tuning you’ll do to complete the madness. All said and done, this was much much easier than I had planned, which is good because I don’t have time to manage two blogs, nonetheless spend a ton of time merging those blogs!

What if you could go to a site and determine that the specific version of CMS the target uses has a vulnerability that you just happened to find a CVE for (http://cve.mitre.org/cve/cve.html)?  The answer is obvious, but how prevalent is this and how easy is that information to find? DAMN prevalent and DAMN easy (okay it’s not all damn easy). The following are a few quick (and dirty) fingerprinting techniques to add to your arsenal. For the sake of brevity, we’ll limit this to the application and not specific versions.

WordPress

1. Search the source of any WordPress page for the generator meta tag (which will give you WordPress X.Y).
2. Look for links to wp-admin and wp-content.
3. Try to navigate to the /wp-admin and look for a login screen (or a 200)

Drupal

1. Search for drupal.css in the source. Add system.css and any specific module css files (like project.css, cck, etc…)
2. Look for links to “/sites/all/modules/*”, “/sites/default/*”.
3. Navigate to “/user” and look for a login screen

(ehm…Whitehouse.gov)

Joomla

1. Look for information in the generator meta tag (man these CMS’s are greedy for attention)
2. Navigate to /components and look for a blank 200 page
3. Try navigating to /administrator for a login prompt

Symfony Framework

1. This one is a bit tricky… However I was able to fingerprint InfosecIsland.com (hi guys!) by searching the source for any calls with an “sf” prefix like “sfConfig”
2. I’m sure there are more ways… I don’t use this API though…

… The list goes on …

Good news and bad… The good news is that this can ALL be changed (and there are tons more, by the way)!! The bad news is that it’s annoying and time consuming. However, if you’re the guy who changes his “server” output to “null” or “Windows” (for a Linux box), why not avoid fingerprinting of your webapps?

• Change path names (and/or mod_rewrite where you can)
• Change CSS filenames
• Customize your Theme files (and remove the <– Header –> crap)
• Remove or spoof the generator tag

All easier said than done, I know…! Have fun…

Followup: Supposedly WAPF (http://www.mytty.org/) does a lot of this, but I haven’t been able to download a recent version to test…I get server errors… HA!

Followup 2: Prototype at http://consulting.themangolds.com/webprint/

Myth 1: The MBA will prepare you to immediately run a Fortune 500 company

FALSE! The MBA is an academic program designed to teach the fundamentals of business, not how to be a star performer. Throughout my education I met students who put in the extra effort to be the best alongside those who were there to put a credential on their resume. You can find this from EVERY SCHOOL; I don’t care what “tier” the school is in!

Myth 2: The MBA doesn’t teach the real world

TRUE & FALSE! An MBA teaches the principals BEHIND the real world. Understanding the concepts behind HOW the real world works, we can better understand the WHY. That said, I also learned quite a bit from my higher-level classes that serves me today (I live in the real world, by the way). Is this universal? Certainly not! There are still those who don’t care enough about their own education to learn. There are other industry certifications that teach the real world…many many others…

Myth 3: An MBA doesn’t teach ethics which is why we’re all in financial trouble

FALSE! Nearly every class I took throughout my MBA (as well as my Business minor in undergrad) had an ethics competency. But there again, if you don’t care about the material enough to synthesize it into something useful for yourself, you’ll never “get it.” Nothing I learned in my MBA taught me to scam my customers or bet against my own portfolio!

Myth 4: An MBA will take me to the top!

FALSE: YOU will take you to the top. An MBA is a great start, but it’s not everything. You DO need real-world experience, but that’s in addition to a solid academic understanding of the core concepts.

Myth 5: MBAs are Awful!

FALSE! The MBA is a Masters in Business Administration. Much like a Masters in ANY other area of study, there are those who succeed and those who do not. It won’t hold your hand through life or guide your morals. It won’t determine of you are ultimately successful or not. It won’t build a successful company or break an economy. That’s not what a Masters degree does…that’s what YOU do.

Myth 6: I don’t need an MBA to start a business!

TRUE! You don’t! You don’t need to be a CPA to do your taxes, you don’t need to be a certified mechanic to fix your car…the list goes on… But, if you want to gain a solid understanding behind WHY your marketing works, or WHY you’re successful so you can repeat that success, you need some sort of baseline knowledge that you can either get from rigorous studying at the public library (Good Will Hunting, anyone?) OR formal education through an MBA. Intuition only get’s you SO far, though there are exceptions to every rule (please don’t show me the list of non-MBA CEOs)!

It’s troubling to see discussion from those who graduated from business schools across the world preaching their lack of knowledge after business school. Many have said they don’t use even their MBA, as though it’s a tool to pull out when you need it. There was a lot of talk about how to “Fix” business schools to prevent economic collapses like we’re in now…but very little talk about how to fix the students and manage the expectations of a very valuable learning experience!

If you have a home computer on a network and you DON’T want your bank passwords stolen, you DON’T want people stealing your connection, you DO want your computer to run reliably, there are five simple things you can do to keep you safe and help folks like me not lose their minds!

1. Software Patches

This is perhaps the simplest of them all. Run Windows Update, no exceptions. When it asks you to reboot, DO IT as soon as you have a minute. This extends beyond Windows Updates to other software such  as Adobe and Office Products. Adobe (like the Acrobat PDF reader) is notorious for taking a few months to fix security issues. When they say there’ s an update to install, they mean it!

2. AntiVirus

I don’t care what game you play or how much you complain, if you don’t run a virus scanner, you’re asking for trouble! There are many free solutions for virus scanning including AVAST and Comodo, both of which are great. If you DO take a performance “hit”, then try a different scanner. I’ll also lump-in spyware applications like AdAware and SpyBot here. I would call those bonus applications…

3. Firewall

This is probably the simplest of them all. For the average user, just enable Windows Firewall! If you want something more advanced, Comodo has a great (Free) solution that I use which lets you customize things much further than the average user would (should) care about.

4. Stop Using Questionable Software!

If you still use applications like Limewire, STOP! If you just blindly click “Yes” to every box you see, STOP! Realize that when you do this you are opening the door to all kinds of problems, including malware, viruses, password stealing, and SO MUCH MORE. Be smart about what you install…and remember, uninstall doesn’t always work!

5. Wireless Protection

If your access point is called “linksys” and your password is “admin”, you’re asking for trouble. First, change the router password and SSID. Next, enable encryption (AES or TKIP, WEP is useless, nowadays). That’s it! Just those two things will make you’re network MUCH more secure than before!

6. BONUS – Disable Admin

This is a crazy one, but one I practice. Create an administrator account, and take away admin privileges on your user account! You can still install software, you’ll just need a seperate password. If I can do it, so can you! Ask a techie-friend to help with this. It’s REALLY worth it, I promise!

These are all things that take just a few minutes to set up ONCE and you’re done. Everything I’ve written here is very well known and easy to implement. Security shouldn’t consume your life, but if you don’t “practice safe computing”, it just might!

The SRR scans your computer for STIG compliance. When it finds an area of non-compliance, it gives you an option to comment on it, or mark it as a false hit. When completed, it generates a huge XML file that is even less readable than the STIGS!

So, I created a windows app (yes, a windows app to read Linux logs) which parses the PDI-DB file (Included in the STIG download) as well as your results file and displays everything in a nice readable format including the finding and the regulation details.

Very briefly, when you launch the application you will be prompted to select the PDI-DB file. You can get that file from the SRR script package (it gets updated by DISA). After that, you simply select your server’s XML results file, and you get something like the above.

Im sure this is not bug-proof, so don’t come crying to me when it doesn’t work. Actually, do…so I can put the fix on my to-do-list. I’ve tested this under XP and Vista…both seem to work!

Download Now!

The backstory: Over the weekend my BB started shooting-craps on me. I spent a few hours with tech support only to find out that I the phone was DOA. AT&T got a replacement shipped out to me almost immediately, but that meant 3 days without my phone, planner, mobile mail, alarm clock, entertainment, toy, etc…

Part One – Tasks

As a reaction to my tragic loss, I started planning! I pulled out my trusty todo book (which I havent used in over a year) and began making lists like I used to. I organized all my tasks in three lists: Work, Home, School and set-out to clear them off before my vacation on Thursday. Realistically, I had planned to address 50% of my work ToDo list and 100% of school.At the end of Monday, both lists were almost completed! It’s obvious that technology has been letting me down and paper-and-pen have filled a gap, yet again…

Part Two – Email

I figured it was a somewhat irresponsible to go out without a cell phone of some sort, so I put my SIM in my wife’s old phone just so I’d have voice connection is she needed me, car breaks down, etc… This meant that emails would no longer buzz on my hip every few minutes! How could I cope without the constant stream of data!? What I realized is that my email is more of a constant stream of distraction than anything else! Nothing I do can’t wait until I get back to my desk! A colleague of mine (Scott Gallant) recently started checking his email only 3 (or so) times a day…I now understand why! It’s nice to be ABLE to check my email remotely, but it’s not a requirement…or so I’ve recently learned!

Replacement BB is HERE! What do I do now!?

One thing I truly missed about the BlackBerry was the calendar. I can track To-Do lists all day, but the calendar notifications are very valuable! A couple other things I missed were my “clock” and the web browser (at lunch). Notice there’s no mention of email!

So I plan to change the way I use my BlackBerry. I’m going to set my profile to only notify me on text messages, alarms, and phone calls…not emails. I’m going to continue using my paper todo lists (though I’ve tried various electronic methods), and I’m going to stop obsessing over my typical 15 second email response times!

When I got the replacement, I was almost sad to see my productivity vanish… Let’s see if I can change the way I use my holstered-technology for the better!

Boston Market (a roasted chicken sorta place) just shut down its location in front of a major Orlando university (UCF) and governmental research center. Their prices aren’t crazy, the food is pretty good, seems like a healthy alternative, so why did they shut down? Do we blame the economy? Maybe! People with less money may go out to eat less. If the food, service, and location are good, we have to look at prices: Makes sense… So what is a business to do? If the variable that’s killing you is your prices, CHANGE IT!

So I know what you’re thinking…That’s easier said than done, right? Well, let me introduce you to the company that I believe put this store out of business: El Corral. Here’s the short version: Go to this place, sit on outdated furniture, get great chicken and rice, spend $4.99!  There’s not much more to say about this place…It’s great food at a great price; just don’t get there late for lunch or be prepared to wait! They don’t have a corner lot, a web site, a billboard…just what looks like an old defunct Pizza Hut building and a sign.

Several other places have shut down in the same area. Pizzeria Uno’s just closed their doors a week-or-so ago. But this was another place that I would spent $14 on a so-so meal ($3+ was for a coke!). Same thing with Bennigan’s. We have a beautiful local mall getting ready to close it’s doors too…I would imagine that if it were affordable to lease space, they wouldn’t be in this mess…

So what’s the point here…The point is that if you can’t find a way to cut costs, then you’re not looking hard enough. You can either cut your costs or cut your losses!