Saturday, December 22, 2007
Update to SPAM text file has been posted
Those of you who decided to use my technique to fight spam can download an updated text file (the URL of the file is specified in the article).
I have added newly collected data about the spamming sites and domains. The file header was updated as well. Njoy
Friday, December 14, 2007
Google cleaned up its index from malware sites
Just want to share with you some good news.
Google finally took the drastic step of removing malware sites from its index. It was long overdue. Sunbelt first noticed the huge number of infected sites and their appearance in result lists for a wide array of searches.
Microsoft and Yahoo! admitted that malware sites are a problem that needs to be solved, but they did not say when they will follow Google's step. One more time: Google is ahead of the crowd.
Wednesday, December 12, 2007
SHOULD WE BE AFRAID OF RUSSIAN HACKERS?
According to IT security experts, cyber espionage will be the leading IT security threat next year. More than 120 countries utilize the Internet to carry out espionage, as sophisticated, inexpensive attacks outpace porous network defenses.
http://www.itcinstitute.com/info.aspx?id=45273
Reading some of the latest reports on the Internet, I would like to add my thoughts about the global-level threats coming from Russian hackers, one of the greatest sources of malicious activity and cyber crime in the world.
First of all, let's see who these people are and what actually drives them to carry out sophisticated attacks over the Internet.
WHO ARE THEY?
In the times of the USSR, kids were brainwashed with communist ideology starting from kindergarten. "Grandpa Lenin" was the idol, the leader who "brought the Great October Revolution to all poor and working people", who created the USSR with a mob of friends and supporters from overseas (read: Germany). The Communist Party created the social model of growing socialism that was to be inevitably converted into communism. I don't need to explain what communism means, except for the fact that this utopia still lives in the heads of many people.
Living under the power of the Communist Party and the KGB, the main suppressor of bright minds, people got used to the way they lived. The intelligentsia, in particular, entertained their minds by reading a lot of books, by listening to the voice of the West on transistor AM/FM radios, by discussing life and politics in a close circle of friends, and basically did not expect anything extraordinary from everyday life. The main rule was "don't stick your nose out" and you'll be safe.
The young generation saw a clear path to an acceptable level of living (compared, of course, to all other people in that country): get a high school diploma, get a college degree, and find work as a regular engineer with average, low compensation, or at least become a factory worker. All of them knew that there was no way to make more money in that society unless you decided to break the law.
Everything was so standardized in terms of living that no one expected anything extraordinary in their lives. Buying a car would take 10-15 years of hard work with above-average compensation and saving every possible ruble (the Russian currency).
Time has dramatically changed the people who live in Russia these days. The money-making opportunities, the food in the food stores, the clothes in the department stores, the new foreign cars on the streets, the new very rich Russians (the so-called "New Russians"), the cost of living, and of course the new Information Technology: everything has changed! Intelligent minds are more occupied with the idea of "how to make more money" than with the new books in the bookstores, even though they no longer have to get them through a network of friends or exchange them for other goods, because they are freely available in the stores (just pay!).
Perceptions have changed! Now they are close to the Western one: to become rich! Those who were close to the Communist Party in the old days were able to grab the natural resources or entire factories/plants and became rich in a very short period of time. They became the ideal for the young generation: get rich quick. However, ordinary people had no access to the country's pie, which had already been divided among the elite.
The current political situation in Russia does not encourage people at all. Believe it or not, life there still sucks. There is nothing worse than a senseless, apathetic and useless life. A life in which you have to kiss the ^%$ (pardon my French) of every bureaucrat, and humiliate yourself in front of a plumber or a person from the management office of the building where you live in order to solve everyday problems, is not something you can respect. Corruption has spread its web everywhere, and if you happen to cross the border into Russia it starts right there, where the officials take unfairly large fees (or a "bribe tax") for bringing in the goodies; it is a fact of life in many sectors of the Russian economy.
This is such a well-known fact that, in order to minimize exposure to corrupt practices, the US Commercial Service recommended dealing only with large, well-known companies or publicly visible officials whenever possible. This suggestion is no guarantee that you can avoid corruption schemes (for example, 8 Russian banks engaged in a money-laundering scheme involving over $8 billion over 3 years). When the value of the goods is not in line with the prices, corruption occurs. Based on VeriSign data, for instance, the Russian federal government runs on a budget smaller than that of Texas. It surely forces underpaid public officials to rely more on the "bribe tax": the rule of "demand vs. supply" at work.
Russia has always been a country that supports personified power, and the term "democracy" sounds like a foreign word. Russia has constructed a neo-Soviet cult of personality around the increasingly clamorous figure of Putin. Putin is in the last year of his two terms as President, with no constitutional right to run for a third term. But Kremlin propaganda constantly reminds Russians that their destiny is based on Putin's longevity. It's a known fact that Putin is a former KGB officer... Nobody knows which job Putin is going to take after the two terms, but everyone understands that he does not want to give the power away.
The paradox is that people support Putin but despise his government, placing Putin in their minds above corruption. It can be attributed to the fact that, in spite of real challenges, the Russian government made some improvements by increasing employment opportunities and stability and decreasing the chaos of the 1990s.
Putin was successful in establishing personal control over the central government. According to research by the Moscow Center of Research of Elites, 78% of leading political figures (executive and legislative) were somehow connected with the former KGB, or with the restructured and renamed FSB, during their careers. No wonder that many civil rights are slowly but surely being suppressed, not only for Russian citizens but also for some foreign journalists and actors. Assassinations are not rare occasions...
There is still a lot of propaganda, but now against Georgia, against Ukraine, and against America (do they want to steal our oil?), in addition to a state of fear. Who are they afraid of? Putin, bandits, the courts, management, or an unavoidable crisis? It's hard to determine. People don't know, but they are paralyzed, faceless and motionless, and already trying to kiss %^& deeper, to lie harder, to scream louder at those who are lower on the social ladder, and to restrict more if they have any power. The main principle of the Soviet line [in the department store] came back: hate everyone who is ahead of you and despise everyone who is behind you.
The fact is that "mother Russia" is a bad mother who doesn't love her children. This continuous fear and the feeling of lacking one's own rights is the condition of kids who lacked love. Kids with not enough love are a terrible force.
Horrible...
WHAT THEY DO TO SURVIVE
Russians have always "bowed their heads" before Western society: for its language (recall Tsar Peter and the French language that was incorporated into Russian elite society, or the hundreds of English technical and non-technical words that are used today even though most of them can be translated directly into Russian, because it's cool to insert them into phrases), for its music (the Beatles, the Rolling Stones, or even rap, which was replicated by low-class Russian musicians), for jeans (the black market with Russian "fartsovschiks" who sold them under the table in the 80s and 90s), and for its fashion and food.
Now the replication has spread to the computer field. Russians quickly adopted Information Technology and became quite sophisticated in many areas of computing. Computers were bought by legal and illegal means when necessary, especially when supercomputers were needed.
In order to survive and eventually live better, many Russians are looking for ways to make money. Some of them are building new businesses to serve the local population (food or household services); others build connections across the border and import or export goods or materials. If you have the business skills and connections, it's the right way to go. But what if you have no business skills or business talent? Maybe find a job in some existing business as an employee? Join one of the thousands of mafia groups? Learn something valuable in order to be in demand, but what? Tough choices.
I happened to talk to one young Russian fellow who came over to make some bucks in the US and was working as a lifeguard at a pool. To my question why he does not want to work in Russia, he said that his father is a poor man in poor health, and there is no one who can help the family. There are no jobs available unless you have a car and can speak/read English, so he is trying to find a way to make more money here and, legally or illegally, stay in the U.S. so he can send some money to the family. I am sure you could meet some young Russians working in our department stores and in the resorts along the US coast. They are the folks who want to earn some money here, in the US, and like the fellow described above either hide and work for cash or get the chance to become a legal immigrant. You can also find them in almost every European country from England to Italy (including Sicily's smallest cities). Amazing...
What if you are an educated man with no business skills and no capital? What would you do? Becoming a bandit does not sound attractive; working as an employee does not bring the desired compensation, and it is a long, long way to the desired level of prosperity. Some of them choose this way but are not happy. No wonder you rarely see a smile on their faces. It takes years for Russian immigrants who moved to the US to remove the fear, life dissatisfaction, cynicism, and anger from their faces.
Russia has always been rich in smart and talented people. Take, for instance, the Russian scientists who created the spacecraft and rockets, or the artists, writers, or Russian programmers who are now working for many U.S. corporations, already being U.S. citizens, or who still work across the border (by the way, one of the best anti-virus programs, Kaspersky Anti-Virus, and the popular WebCEO search engine optimization program are the creations of Russian programmers). In fact, Russian firms exported $2 billion in software, with 80% growth in foreign sales expected (according to OSPINT.com).
Because of excellent school education, in spite of all the problems described above, there are thousands of talented computer enthusiasts who want to use their computer skills to make decent money. They are Russia's greatest asset for future IT growth. Many of them set up businesses offering their programming skills to foreign companies for pennies. Those who are well established and have a number of clients slowly raise their fees. According to the latest figures, there are about 30,000 Russians engaged in Information Technology (with 40% yearly growth). At the same time, the average monthly compensation of Russian programmers is around $650, which is about 15-20% less than in the US.
Keep in mind that the Russian educational system graduates more than 100,000 new programmers each year! This surplus is partially absorbed by foreign companies such as IBM, Google, Microsoft, and Cisco, which built labs and development centers in Russia. The other programmers choose one of the attractive ways to become rich quickly: to rob foreign banks or sell valuable information to clients. Is it legal? No. Do I care? No! With an unstable banking, legal, infrastructure, and government system; with anger or hate; with total corruption at every level of society; with a life that sucks, they have no remorse. The sick society builds monsters like the Russian Business Network (RBN), widely known as a willing Internet host for spammers, malware-filled web sites, and pornography because of its loose policies and willingness to host any web site operator with no questions asked.
I heard that RBN disappeared from Russian cyberspace and re-appeared in China recently, only to disappear again. RBN, until recently based in St. Petersburg, Russia, was known as the ISP of choice for cyber criminals. The group closed its Russian operation after its upstream ISP cut off the group's access. There is some speculation that the group spread out but continues its operations. Who would refuse to make big bucks? Cyber-crime is a big business worth millions of dollars, and a business operation as large as RBN would likely not give up that easily. Analysis shows that there has been very little change in operations. Alexa statistics for Antivirgear, the bogus program, show that the rankings have actually improved over the last month, indicating that RBN's activities are still going strong.
GLOBAL THREAT COMES FROM RUSSIA
As a recent Wall Street Journal article noted, cyber-criminals are exploiting Google searches and social networks, with their myriad sources of personal data, to dig for information about upper-level corporate personnel. Using that information to deliver ever-more believable e-mail solicitations, these criminals are taking direct aim, via "phishing", at corporate proprietary information stored on the desktop.
Russia has been and remains today the single greatest source of malicious cyber activity and cyber crime (possibly with the exception of the US). In many ways, Russia's geography and social and economic conditions (as you see above) create the perfect ground for cyber criminals. They can find prestige, in addition to money, in poorly secured Western companies and unprotected individuals. Because even law enforcement is often compromised by corruption, it's hard to expect that the law in Russia will be enforced once a Western company presents a claim supported by facts and the necessary evidence.
All this has contributed to the creation of a highly sophisticated cyber underground network with its own community, newsletters, blogs, and its own morals. Taking into account the millions of poor people who are struggling to make payments, lacking food and clothing, and often begging on the streets and in the subways of big cities, this network is like a country within a country. Having less pressure from law enforcement compared to hackers in other countries, Russian hackers enjoy the freedom of doing whatever they decide to do.
How much can they make? It's hard to estimate, but I was able to find an article with brief information about "the infamous 76service.com, which was run by two enterprising criminals who call themselves 76 and Exoric. The two cleared a cool one million dollars per month in a scheme modeled after portfolio investments." They sold access to infected PCs (think bots), which they called a 'project.' "The buyer would harvest any valuable data off the machine, and sell that information to the black market. The buyer acts as a fund manager, and as some stocks perform well, some infected machines had more valuable booty -- such as bank account information -- than others. They could then sell it on the black market for a lot of money."
Needless to say, this example is shocking. No wonder cyber crime for profit is so popular among hackers. Forget about "innocent" teenagers who hacked your PC or server and placed some stupid message on the first web page or screen saver. It's all about money!
It's hard to separate politics from cyber crime in Russia. I have to return to the political situation inside and outside of Russia, and particularly the US.
As you probably know, the former USSR had 15 republics, and after the collapse of the Soviet Union the republics separated from Russia to become separate countries. Some of them were able to get rid of Russian influence and joined the West (particularly the Baltic republics, which joined NATO); others are still under heavy Russian influence to varying degrees.
Due to the large population of native Russians in many of those countries, they are under pressure from Putin, who has used various vehicles to apply it: for instance, restricting the sale of wine from particular regions (Georgia and Moldova), interfering with elections (Ukraine, where even hackers were used to break into the Central Election Commission's servers), and placing military bases on the territories of neighboring countries. It is not hard to understand why Russia wants to preserve its influence or presence, taking into account that many former republics have natural resources that were used during the USSR era or have strategic geographic locations.
Relations between Russia and the US have become somewhat tense in recent years. Along with the collapse of the Soviet empire, many neighboring countries also wanted to loosen their ties with Russia, as areas formerly dominated by Russia. Therefore, NATO expansion and US military bases in that region along the borders are not pleasant things for Putin.
There is no doubt in my mind that the Russian government or the FSB is eager to use the expertise of local hackers to test the ability to disrupt the communications or infrastructure of those countries that may be considered "definitely not friends", if not enemies. In fact, in recent years the Russian government allocated significant funding for IT-related projects and initiatives.
As I mentioned earlier in my blog, Estonia experienced distributed denial-of-service (DDoS) attacks on government, news and bank servers for several weeks. The incidents followed the removal of a Soviet statue from a central Tallinn square. It was discovered that around 20,000 networks of compromised computers from the US, Canada, Brazil, Vietnam and other countries were linked.
Mikhel Tammet, director of the Estonian communication and information technology department, said: "It was a political campaign induced by the Russians; a political campaign designed to destroy our security and destroy our society. The attacks had hierarchy and co-ordination." Estonia is one of the Baltic countries that separated from Russia and became an independent, West-oriented country.
Experts believe recent attacks have been far more sophisticated in their nature, designed specifically to slip under the radar of the governmental systems they were targeting. They have progressed from initial curiosity probes to well-funded and well-organized operations for significant political or economic gain.
Evidence suggests that governments and government-allied groups are now using the Internet for espionage and cyber attacks on the critical national infrastructure (financial markets, utility providers, air traffic control) of other countries. There were more reported cases in 2007 than any previous year. This growing threat is acknowledged by the United States Department of Defense.
As the number of security holes grows every year, the number of hacking attempts grows too. According to Secunia Advisories, the number of security holes has been growing at a steady rate of around 25% a year:
• 2003: 2,700 advisories published
• 2004: 3,100 advisories published
• 2005: 4,600 advisories published
• 2006: 5,300 advisories published
Do you see the trend? The more we protect our operating systems, networks, and applications, the more new challenges we meet. Therefore, security now accounts for 20 percent of the IT technology and training budget, according to a new survey. "It is clear that information security is an increasing concern for many organizations -- 78 percent of those surveyed by CompTIA indicate that management now considers information security a top priority," the report says.
Successful attacks mean weak defense. Weak defense means poor skills among the majority of security consultants. The director of one of the largest security consulting firms in Washington painted the picture most harshly, telling a group of policy makers, "80 percent of our security consultants have soft skills and only twenty percent have hard skills. If we don't reverse that ratio within the next two years, we'll be out of business."
You may see surprising things happening these days. The Chief Information Security Officers of large federal agencies and corporations are registering to attend Hacker Exploits classes. It surely demonstrates that the security field has reached a tipping point.
You can read numerous articles about credit card theft. In fact, the most successful thieves were Russian hackers. With well-established networks of credit card sellers and buyers, and with sophisticated techniques and attack tools, Russian groups such as Web Attacker, Snatch, Rock Phish, and MetaFisher have been successful in their efforts. In spite of some efforts and partial success of Russian law enforcement, the network and the market still exist.
When the whole scheme was analyzed, law enforcement officials discovered a high level of sophistication, organizational capacity, and constantly improved malicious code, along with thousands of bots. They are so advanced that they have been thinking about preventive steps such as mining the data inside law enforcement agencies in various countries. In fact, the hacking groups go well beyond just credit card theft. They conduct fundamental and countermeasure research on organizational structures and processes using various databases and archives, basically employing the principle "know your enemy". They even try to plant one of the attackers into the infrastructure of the target organization in order to have more inside information. The thorough research and analysis, in addition to the known method of social engineering, before attacking the target is a scary trend...
* * * * *
I feel that while you are reading this blog you are wondering how to reconcile such opposite things as the tough life in Russia, with beggars on the streets, and the explosion of Information Technology, with a growing number of sophisticated hackers, inside one country. As one Russian journalist wrote, "the country, full of talented, smart, and honest people becomes more stupid, more dishonest, and dishonored, and 20 years from now, people will ask again themselves like a maniac after orgy: how could I do this?"
Should we be afraid of Russian Hackers? The answer is above.
Friday, November 23, 2007
Steganos offers free desktop encryption
Safe One protects up to 2GB of sensitive data
I used some of Steganos' freebies in the past but never valued them to the degree that I could recommend them. This time, I want to bring your attention to the new Steganos Safe One product, a freeware version of Steganos Safe for consumers and small businesses.
The privacy software provides protection for up to 2GB of sensitive data by creating two 1GB virtual drives that store encrypted versions of the data.
According to the company, various portable devices, such as an iPod, USB sticks, digital cameras and PDAs, can be used as keys to open the Steganos "safe". The program also features a fully integrated password generator with a built-in multilingual dictionary to help users produce secure passwords.
Steganos PicPass allows users to use images as a personalized password by memorizing their exact sequence. I experimented with personalized images about a month ago but have not adopted them for my passwords yet. Personalized images are a new way to password-protect your data.
"Steganos Safe One offers users real peace of mind, secure in the knowledge that their privacy is protected without them having to spend anything to do so. "
Steganos Safe One is now available for download. Steganos Safe One supports Windows XP for the x64 processor architecture and encrypts data with 256-bit AES. Not bad at all!
http://www.steganos.com/us/products/home-office/safe-one/overview/
Labels: desktop, download, encryption, free, steganos
Monday, October 22, 2007
* Certified are getting paid less!
I found a small article written by Tessa Parmenter. She noted that this week Foote Partners LLC released a study revealing unbelievable information: the average premium pay for uncertified workers INCREASED over those who are certified. They have seen the average premium pay for uncertified workers increase 8% and decrease 2.3% for certified engineers in the past year.
http://itknowledgeexchange.techtarget.com/networkhub/you-mean-i-wont-get-paid-more-for-getting-this-cert/?track=NL-81&ad=610275&asrc=EM_USC_2423108&uid=5617007
What can I say? Certainly, there are some exceptions (CCIE, CISSP, J2EE...) but every rope has an end! Read my previous posting about certifications for details.
Friday, September 21, 2007
* "Thank You" letter for your Friday enjoyment
Thanks to my son who sent me this "jewel" of a "Thank You" letter. I feel that I need to share it with you for a good Friday laugh. He interviewed the guy for a LAN Admin position. To the question what's the difference between a HUB and a SWITCH, he answered: "Hub is just a hub, and the switch it's like a car with a green and red light..." Well, below is a copy of his "Thank You" letter received just the next day over e-mail. I did not correct anything... Njoy! :-)
Dear Mr. YYYYY,
It was very enjoyable to speak with you and your team about the LAN Administrator position at Department of Labor. I think I was too nervous for some technical questions that you and you team asked me such as: how can you joint your server to the domain? The answer should be: go to command prompt then type: DCPROMO then server name. Another question you asked me what if user are not able to see your server? The correct answer should be at the logging window right click on the check box below your user ID change it to the correct server. Then what is the maximum speed of the switch? The correct answer should be 1000 Mbps. I know I get lost this morning from place to place. However, I know that I should have done a better job than what I did this morning. I also know that I am out of your consider about the job you want to hire that's fine with me. I just want to tell you that my brain was shut down this morning (I need a cup of café in the morning) those questions are within my knowledge, and I did do it well. If I have another change I would have done a lot better job.
I appreciate the time you took to interview me; I am very interested in working for you and looking for ward to hearing from you about the second Interview.
Sincerely Yours,
YYYYYY YYYY
Friday, August 10, 2007
* How to hack unencrypted wireless session
Recently, I came across information about unsecured WiFi connections. I am sure you are familiar with the scenario: you turn your laptop on in some building or neighborhood, and your wireless card finds at least 2-3 unsecured wireless connections. Unfortunately, most of them are the result of default configurations of wireless routers pre-configured by the manufacturers and used by inexperienced consumers. While I can understand why they do it this way (for non-IT customers), it leaves a wide-open gate for hackers. This is not news; what is interesting is how easily web app sessions can be hijacked on these networks.
Robert Graham, the well-known CEO of Errata Security (I have links to his web site in our Information Security Index), described the "man in the middle" attack. Robert hijacked the Gmail session of a volunteer and showed how easily he could grab cookies and IP addresses and take over a session.
The attack is actually quite simple. First, Robert needs to be able to sniff data packets, and in this case the open Wi-Fi network at the convention fulfilled that requirement.
1. Run the "Ferret" utility to copy all the cookies flying through the air.
2. Clone the cookies into a browser with a home-grown tool called "Hamster".
3. The attack can hijack sessions in almost any cookie-based web application (e.g. Google's Gmail, Microsoft's Hotmail and Yahoo Mail).
4. Since those applications rely on cookies alone, obtaining IP addresses, user names and passwords is not required.
How do you protect your session? Hey, just use SSL from the beginning instead of a pure HTTP session:
https://mail.google.com/mail/ instead of the http equivalent is a good remedy.
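The reason the cookies above are "flying through the air" is that the browser sends any cookie without the Secure attribute over plain http:// as well. As an added check (my example code, not Robert Graham's tools or anything from the original post), the script below parses Set-Cookie headers from a constructed HTTP response, flags session-looking cookies that lack Secure (sniffable) or HttpOnly (readable by script), and shows the hardened header a site should emit instead; the cookie names and hosts are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample response headers (not captured from any real service).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: SID=abc123; Path=/; Domain=.example.test",
    "Set-Cookie: PREF=lang%3Den; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "Set-Cookie: SSID=zz9; Path=/; Secure; HttpOnly",
]

# Cookie names that usually carry a login session; those are the ones worth stealing.
SESSION_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)

# Canonical spelling of attributes when we re-emit a hardened header.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "samesite": "SameSite",
             "secure": "Secure", "httponly": "HttpOnly"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value


def parse_set_cookie(header_value):
    """Lenient RFC 6265-style parse of one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        if k:
            attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def cookie_problems(cookie):
    """List the transport weaknesses of one cookie."""
    problems = []
    if "secure" not in cookie.attrs:
        problems.append("missing Secure: also sent over http://, so it can be sniffed and replayed")
    if "httponly" not in cookie.attrs:
        problems.append("missing HttpOnly: readable by script running in the page")
    return problems


def audit_cookies(header_lines):
    """Return [(name, [problems])] for session-looking cookies in a response."""
    findings = []
    for line in header_lines:
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        problems = cookie_problems(cookie)
        if problems and SESSION_HINT.search(cookie.name):
            findings.append((cookie.name, problems))
    return findings


def harden_set_cookie(header_value):
    """Re-emit a Set-Cookie value with Secure and HttpOnly added if absent."""
    cookie = parse_set_cookie(header_value)
    cookie.attrs.setdefault("secure", "")
    cookie.attrs.setdefault("httponly", "")
    out = [f"{cookie.name}={cookie.value}"]
    for k, v in cookie.attrs.items():
        label = CANONICAL.get(k, k)
        out.append(label if v == "" else f"{label}={v}")
    return "; ".join(out)


if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS):
        print(name, "->", "; ".join(problems))
    print("hardened:", harden_set_cookie("SID=abc123; Path=/; Domain=.example.test"))
```

Serving the whole session over https:// is still necessary, because without Secure the browser will happily send the same cookie to any http:// link for that domain.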
Tuesday, July 31, 2007
* My War with the SPAM
Spam hurts.
Spam drives us crazy.
Spam consumes resources on your web site, in your mailbox, bandwidth on the Internet, and disk space on your ISP's servers.
Spam kills our precious time when we want to read e-mails from legitimate senders but are forced to read pure junk and delete the stream of offers to buy drugs, to play in an online casino, to work as the representative of a foreign company, to get guaranteed cash, to catch a virus or Trojan horse program (hidden behind a text/link/image), to meet hot singles in your area, or porn crap.
How to fight SPAM?
I began with collecting the links to the informational sites that offer knowledge and resources on fighting the spam nightmare. You can find one here, too:
http://www.rtek2000.com/Tech/I-SecureLinks3.html
Reading through numerous web pages, articles, blogs, and forums, I found that the primary source of spam to my e-mail box is my own e-mail address, which can be scanned from any web site where I posted it by e-mail harvesting programs freely available on the Internet. As far as I know, those programs were designed by folks who did not want to spam but rather to get attention for their products. So, the simplest way to distribute the news about a particular product was to e-mail a large number of cyber citizens. That is how spamming started!
Now spamming has extended to a wide range of services, and the millions of affiliates who want to make a buck by selling a product or service need customers who want to buy. You may ask how come I am getting e-mails with garbage text in them; it's not an offer to buy anything, it's junk! Well, thanks to the search engines (and particularly their "crawlers" or "spiders") that scan not only web site pages but also folders that contain e-mails. By sending garbage-like text in e-mails with keywords embedded in it, the spammers hope to raise their web sites' popularity through search engine ranking. About 60% of the spam I am getting these days is of this kind.
I have seen several ways of packaging spam messages: plain text, image files, document files, and lately PDF files.
So, how do you protect your e-mail address from being harvested? There have been numerous discussions on the web, and I have participated in several of them. The common conclusion: there is no way to completely hide an e-mail address. I used to implement various JavaScript-based solutions that may protect against simple harvesting programs; however, as the countermeasures become more complicated, the "harvesters" become more sophisticated. My latest solution is to use a small image of my e-mail address loaded through CSS (the cascading style sheet method). It greatly reduces the chances of being harvested, but it does not guarantee 100% protection, because some programs can use character recognition on the image. Don't think it's done manually! Those programs do it automatically!
The biggest problem with spammers lies in the area of blogging. If you happen to have a blog site or forum, you must clean literally hundreds of spam messages from every corner of your site! If you don't manage one, you are lucky, because it is a real nightmare. Automated programs that specialize in breaking through web site security rules, using weaknesses in the software design, can post automated messages within seconds!
To be honest, I gave up on the forums completely by locking them from posting, but I still have to clean them up regularly (less often, at least). It is a very time-consuming task to tweak the web site's files, apply patches, or apply complicated solutions that in the end only temporarily protect against the stream of spam.
I have decided to concentrate on fighting e-mail spam. The second step, after getting some background on spamming, was to identify the domains that are sending the spam. It is not a simple task, taking into account that when spammers send e-mails they rarely specify their real e-mail address but rather a link to their web site. The only way to find out the real sender is to look in the message header and grab the IP address from the top of the message. So, I have collected the IP addresses in a text file, day after day, spending precious minutes for the purpose of identifying the biggest spammers in the world.
Well, I do not suggest you repeat it. First of all, it's not a pleasant procedure. Second, there are many anonymizer-type programs that can hide the real IP address and substitute it with a random IP address taken from a text file. The only thing that drives me in my efforts is the revenge when I will be able to filter out most of the junk and redirect it to the trash can where it belongs.
After collecting the information from my e-mails, I identified the high-level IP address ranges (like 88.xxx.xxx.xxx, 89.xxx.xxx.xxx, etc.). Then, using the WHOIS service, I identified the countries that are the originators of the spam e-mails. I realized that I have no customers in China, for instance, who order my products using English-based pages, so I can filter all of them out. Using a similar approach, I have set the web site filters accordingly, so that the domains I identified could not access my web sites.
You won't believe what happened. I have reduced the spam by 80% instantly!!
I felt that the victory is close but I did not expect the problem that I have faced really soon.
My sales dropped by 80%... No, it's not because I have filtered spam but (as I discovered later) because the Google's PR (page rank) of my web pages dropped from PR6 to zero. I began to investigate what happened. My guess that I have prevented the Google's spider to crawl my web site unfortunately was the correct one. The Google's spiders were in my filter-out range. It took me about two months of hard work in optimizing my web site, adding more pages, sending begging e-mails to Google until I have re-instated my position in the search engine.
Moral? Be careful when you implement the filtering!
I changed my strategy after that, and I filter only at the e-mail level, not the web site level. I have a long list of spammers (http://www.800-security.com/tech/SPAMaddresses.txt) that I update weekly. So, you can use it at your own discretion. Please keep in mind that the more filters I apply, the less information will be shown in the file. One quick suggestion: filter the e-mails that contain the .tr, .pl, .br, .ma, .th, .ru, .jp, .ch domains in the message header.
I am going to show which filters I used at the top of the text file soon. So, keep monitoring!
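As an added example (not the post's own code and not the contents of the author's text file), here is how the e-mail-level filtering described above can be implemented in Python, together with the check that would have caught the overblocking problem: the connecting IP is taken from the topmost Received: header, matched against a CIDR blocklist and an allowlist of ranges that must never be blocked, and the header host names are checked for the suggested TLDs. Every network range, host name (mydomain.example, partner.example, etc.) and sample message below is a constructed placeholder, not a real spammer or crawler address.

```python
"""E-mail-level spam triage along the lines of the post.  Added example; all
network ranges, host names and messages below are constructed placeholders."""
import ipaddress
import re
from email import message_from_string

# Constructed blocklist: coarse first-octet ranges like the post's "88.xxx.xxx.xxx",
# plus one narrower network.  Sample data, not real spam sources.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("88.0.0.0/8", "89.0.0.0/8", "203.0.113.0/24")]

# Constructed allowlist: ranges that must never be blocked (own relays, partners,
# search-engine crawlers whose ranges were looked up).  Placeholder, not real crawler ranges.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("88.200.10.0/24",)]

# Country-code TLDs the post suggests filtering on when they appear in the header.
SUSPECT_TLDS = {"tr", "pl", "br", "ma", "th", "ru", "jp", "ch"}

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Host name whose last label is alphabetic; dotted-quad IPs therefore do not match.
_HOST_TLD = re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b", re.I)


def connecting_ip(msg):
    """IP of the host that handed the message to our server.

    Each relay prepends its own Received: line, so the topmost one was written by
    our own MTA and records the peer that connected to it.  Lower lines were written
    by other hosts, possibly the spammer, and can be forged, so they are ignored."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = _IPV4.search(received[0])
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def header_tlds(msg):
    """TLDs of every host name found in the headers the post looks at."""
    found = set()
    for name in ("Received", "From", "Return-Path", "Message-ID"):
        for value in msg.get_all(name, []):
            found.update(t.lower() for t in _HOST_TLD.findall(value))
    return found


def classify(raw):
    """Apply the post's two filters to one raw message and return the decision.

    The allowlist always wins: a /8 in the blocklist cannot take down a legitimate
    sender inside it, which is exactly how the post's site-level filter blocked a crawler."""
    msg = message_from_string(raw)
    ip = connecting_ip(msg)
    allowed = ip is not None and any(ip in net for net in ALLOWLIST)
    blocked = ip is not None and not allowed and any(ip in net for net in BLOCKLIST)
    tlds = header_tlds(msg) & SUSPECT_TLDS
    if allowed:
        verdict = "ok"
    else:
        verdict = "spam" if (blocked or tlds) else "ok"
    return {"ip": str(ip) if ip else None, "allowlisted": allowed,
            "blocked_ip": blocked, "suspect_tlds": sorted(tlds), "verdict": verdict}


def overblocking_report(blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """(block_range, allow_range) pairs that overlap.  Run it before deploying a new
    filter set: a non-empty report is the warning the post's author did not get."""
    return [(str(b), str(a)) for b in blocklist for a in allowlist if b.overlaps(a)]


# Constructed sample messages (not real mail).
SPAM_SAMPLE = """\
Received: from mx.example.ru (mx.example.ru [88.10.20.30])
 by mail.mydomain.example with ESMTP; Fri, 14 Dec 2007 10:00:00 +0000
Received: from forged.example.net ([10.0.0.5]) by mx.example.ru; Fri, 14 Dec 2007 09:59:00 +0000
From: "Offers" <news@shop.example.tr>
To: me@mydomain.example
Subject: keyword keyword keyword

garbage text stuffed with keywords
"""

PARTNER_SAMPLE = """\
Received: from mail.partner.example (mail.partner.example [88.200.10.7])
 by mail.mydomain.example with ESMTP; Fri, 14 Dec 2007 10:05:00 +0000
From: orders@partner.example
To: me@mydomain.example
Subject: Purchase order

Please ship 10 units.
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("partner", PARTNER_SAMPLE)):
        print(label, classify(sample))
    print("overlapping block/allow ranges:", overblocking_report())
```

The partner message sits inside the blocked 88.0.0.0/8 but is passed because its /24 is allowlisted; `overblocking_report()` flags that very overlap before the filter goes live.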
To finish my story, I want to point you to a very useful web site:
http://www.projecthoneypot.org/
See the Top 25 Countries Where Spam Servers Are Located.
I utilized a freely available technique to "honeypot" the spammers. So, now I can see how many of the "harvesters" were fooled by my program (oh, the sweet revenge!), as well as a real-time updated list of the biggest spammers in the world by precise IP address. It gives me the opportunity to adjust my filters.
Am I getting spam now? Yes. But it is 10-12 a day, not 80-120 as it used to be.
Happy fighting!
Thursday, June 21, 2007
Russian Hackers...again
Russian hackers hijack Italian sites to serve exploits, a blog post by Ryan Naraine at ZDNET.COM, demonstrated again that the war between hackers and security companies is an ongoing event, and I doubt that it will be over in the near future. Yes, law enforcement measures were improved across the entire world, in places where we could not expect it earlier (China, Malaysia). However, the creativity of those who design the malicious software is often above the creativity of those who design the countermeasures. Apparently, Russia is a good source of hackers (as well as of programmers). I would be especially careful about hiring Russian programmers to lower the cost of development if they still live in Russia. You can easily get your financial information stolen by programmers who may build and hide a back door in your system.
The problem is that most of the countermeasures are reactive, even if some of the vendors claim that their software includes an intelligent engine that can recognize new malicious programs. None of the vendors will ever admit that those "intelligent engines" are good in the lab and on paper (especially in the marketing) but fail in the field. Were they sophisticated enough, they would prevent the attacks that involve several components, including even the tiny proxy server that, after being downloaded, serves as a door for downloading the information stealer (the WebAttacker/MPack exploit toolkit).
While there is no guarantee that the latest and greatest software and OS patches installed on a PC will protect you 100%, it is still important to at least lower the risk of infection. Another countermeasure is to avoid browsing unknown web sites as much as possible. Is it possible? I think so.
While you are reading this article, I recommend that you follow the suggestion of the blog and run Secunia's free software inspector to scan your machine for weak spots.
Sunday, June 10, 2007
New struggle for current MCSEs
For those who are MCSE 2003, Microsoft has some good news.
Yes, the endless struggle to be certified by Microsoft AND to be a current MCSE or MCP has entered a new phase: http://www.microsoft.com/learning/exams/70-649.mspx
What bothers me is that the Microsoft Marketing department, well in advance of the final release of Windows Server 2008, already offers the new certification in the run for more revenue that the new certification will generate. The product is not there yet, but the certification is already there (beta).
Why offer a beta certification? It's pure and simple. If you want to try passing the beta for free, you will obviously have to learn a product that was not released to the general public. And this IS the goal. Along with the money current MCSEs will pay for the exam (not the beta) later, Microsoft will achieve the goal of having more ambassadors of the new server operating system, ambassadors who will push it into their network environments...
Get your money ready, MCSEs!
Friday, June 8, 2007
Mac security vs. Vista
About a week ago, I had a conversation with some of my friends regarding bullet-proof operating systems. One of them informed us that one of the Government organizations decided to replace Windows-based workstations and to use Steve Jobs' Macs because they, like the UNIX kernel, are not penetrable due to the security architecture and the permissions required from the kernel to use any external program. While I agreed on the kernel itself, I disagreed that the Mac is a bullet-proof OS. The problem with any OS is that it's not only the kernel itself but the whole bunch of other files that participate in various services, supporting applications, and much more.
I like the Mac for its sleek interface and performance but not for the price tag. Also, Vista offers the same grade of quality screen images and comparable performance. To support my statement, I sent them the link to the following article, where a number of security problems were addressed:
http://www.crn.com/software/199701019?pgno=3
"If you look at the number of found vulnerabilities in Windows XP (28) vs. Vista (11) this year, Vista wins again. If that seems like a lot, don't forget Mac OS X has had 101 in the same time period".
No matter what OS is being used and what level of security is applied, the weakest link is always the end-user.
Monday, May 21, 2007
This is London... and Estonia.
One more story to prove that the credit card industry is still very vulnerable (and as a result, we are too).
http://www.thisislondon.co.uk/news/article-23395784-details/Britain's+biggest+credit+card+fraudsters+jailed+for+over+five+years+each/article.do
When will the PCI standard be the norm for every company that processes and stores credit card numbers? And how many new government regulations are required to make online shopping safe? There are so many new technologies and solutions to improve the safety of online transactions (like "use once" credit card numbers)... so, when can we say that online shopping is relatively safe? Why is the adoption of new technologies so slow?
Reading the weekly SANS e-mails, I see more and more cases where online crooks are getting jailed. However, killing several roaches does not destroy their colony. Online theft has become an attractive business, and the story above proves it. Want the lifestyle of kings? Steal or buy several credit card numbers, and enjoy your travels in first-class seats!
The vulnerability of corporate networks is an issue that has been discussed 1000 times online, in the press, and even on TV. While online security is important for every company that has connectivity to the Internet, the companies that process credit card transactions must have double security. The protection must cover a wide range of attacks, including DoS.
I was not surprised to read about the latest DoS attack on Estonia's government and non-government sites (banks, newspapers) by Russian hackers after Estonia removed a Soviet war memorial statue in the capital city of Tallinn. Ethnic Russians protested the statue's removal, and riots and protests broke out on April 27. If you don't know, in the middle of the 20th century the Russians occupied three Baltic countries and made them three Soviet Republics (of 15 total). Since then, there has been a mix of Russians and Estonians, Lithuanians, and Latvians who had to co-exist for more than 60 years, quietly hating each other. Since the republics became separate countries again (after the fall of the Soviet Union), the nationalists in those countries began a movement for a "clean" country. Even well-respected people who contributed a lot to the prosperity of those countries were dismissed and forgotten only because they were of Russian descent.
While I can understand the basis for that hate, I don't approve of any nationalists who separate people only by their nationality. There are thousands of decent people who are of a different descent but take pride in being a part of the country and contribute as much as they can; and there are some that hate the country they live in, ignore its traditions, and even plot disasters. Those I would weed out.
This relates not only to those 3 Baltic countries but to the U.S. as well. Who knows how many Al-Qaeda cells are hidden inside our country? Who knows how sophisticated equipment and advanced skills in cyber security will be used? We are as vulnerable as the Estonians, not only from outside but from inside...
Thursday, May 10, 2007
Old Topic but still viable (my comments)
I have been reading the article "Certifiable" at http://www.darkreading.com/document.asp?doc_id=123606. Below is a link to my comments.
Tuesday, May 1, 2007
Kaspersky published the tutorial about keyloggers
I found a good article about keylogger software at Kaspersky.com. It is a "must" for security professionals and can be useful for educating end-users. It is written by a Russian computer professional, the Deputy Director of the company's Research and Development team. The article is very detailed and, beyond the threats, suggests countermeasures:
How they work and how to detect them (Part 1)
The article has the following chapters:
Why keyloggers are a threat
How cyber criminals use keyloggers
Increased use of keyloggers by cyber criminals
Keylogger construction
How keyloggers spread
Protection from keyloggers
The second part is coming soon.
Monday, April 23, 2007
The Cyber INsecurity and hackers
If you have had no chance to read the newest document from a ground-breaking Congressional hearing, it's worth reading:
http://homeland.house.gov/SiteDocuments/20070419153038-21091.pdf
This is an outstanding document that confirms that our Government is still quite rusty on IT security. Some of the statements in this document are quite troubling: "We don't know the scope of our networks," said subcommittee chairman Langevin, "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
The purpose of this hearing was to afford House members the opportunity to understand how deeply federal systems have been penetrated and what the Department of Homeland Security and others are doing to stop the compromises.
(thanks to Alan Paller from SANS who shared this information)
Let me tell you one story (a good add-on to this article).
Some days ago, I began working for one of the divisions of a Government organization (I am skipping the real name). I came across the Division Director's laptop, which is frequently used outside of the agency's headquarters. As you know, in order to configure the laptop for any program, you have to have administrator privileges. I was told that the password on this laptop is the word "password".
Having been in the security field for more than 8 years, I felt obligated to remind all division employees of the importance of strong passwords. So, I found an excellent article on the web about that topic and sent it to all employees. In particular, the article stated that the password "password" can be cracked in 0.5 sec. You won't believe what happened afterwards. My team leader said that the "boss" was not happy about it and "suggested" (you know what that means) not to post information of that kind anymore.
The Russians have a proverb that in direct translation says "the fish rots from the head". How will the employees take care of password security if their general manager not only ignores it but even prosecutes it?!
I don't know what has to happen, beyond the September 11 events, to shake people up to the degree that they finally get the feeling of INsecurity when the passwords are NOT secure enough, the networks are NOT protected enough, the operating systems are NOT patched in a timely manner, and that the cyber flavor of terrorism is a real thing.
Wednesday, April 18, 2007
Entering the IT Security field
I answered some career-related questions in another blog @ techrepublic.com, and I feel that it's good info to mirror into this blog as well.
Common mistake
Having been in the IT field for more than 15 years and teaching folks since 1993, I know quite a bit about IT, and particularly about IT security. I began my journey in that field by taking responsibility for managing one firewall. It was a good start. It gave me a lot of exposure to IT security, forced me to read in depth about various protocols and concepts, and it forced me to learn UNIX. The common mistake is to start a career by taking certification classes or exams. The concept of "certification" is about certifying the skills you already have. So, my suggestion (if you really want to be a high-level professional): start with hands-on experience. If you want to know more about certifications, read my article published in 2002 that (some people believe) still has some value: http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf
Find a way to get some exposure to security appliances (firewalls, proxy servers, content filters, IDS), software (basically the same, but software-based), tools (scanners, packet capturing/analyzing, sniffers, etc.), and, as a "must", read the literature and security-related articles that will expand your horizons. Be a volunteer, find a mentor, or at least build a small network at home and play with evaluation copies (or freeware) of various software utilities/programs/firewalls. Learn how to harden an OS or web server, etc. Build a Linux server and workstation. Talk to your management and express your interest in getting more exposure/responsibilities in IT security. Present it as a potential benefit to your organization.
Another suggestion is not to take the short-term training classes but rather to buy the multimedia-based self-training software with live instructors who present the topics you want to learn. There are many benefits (like repeating, stopping, portability, rewinding, pausing, etc.). Some of the vendors also offer online mentoring in addition to the software. All this works fine if you have enough self-discipline. If you follow the path that I suggest, the certifications will be achieved more easily and will add value to your hands-on experience. Don't forget that in the security field employers are looking for real-world experience. So, the abbreviation letters after your last name will be more powerful if you have something in your resume that highlights your hands-on skills. I would not suggest the CISSP certification at all at this stage of your career. The CISSP certification is valuable when you have substantial experience (5-7 years) in the information security field. It is mostly designed for management (or at least senior-level) security professionals. That certification can give you more opportunities to get a better-paying job, but at the right time. If some folks disagree with me, I would forward them to the article above, where I describe the dentist who just got certified.
If you still seriously consider CISSP as one of your choices, you can at least get more information and links about it here: http://www.800-security.com/corporate.html (this site also has a comprehensive index of free IT security resources).
Best of luck in your career!
Tuesday, April 17, 2007
Money matters: SC Magazine Salary Survey 2007
Thursday, April 12, 2007
I passed. Such a relief!
Such a relief!!!
Just yesterday I posted a new blog entry about waiting for the results for more than 10 days, and right after that I received the congratulation e-mail from the ISC(2) registrar. The next step in getting the CISSP certification is to submit the resume and the endorsement form.
Only those who have been in my shoes can really appreciate the feelings after getting good news from ISC(2). Anyway, I promised to describe the exam and to share my experience and thoughts.
I. ABOUT THE EXAM.
I drove to Washington DC for the HIPAA conference where the exam was scheduled. We had a large room with about 30 people trying to pass the exam. I remember some suggestions to dress appropriately, so I had my light jacket. In fact, it was not enough! I was sitting opposite the large door, and I almost froze out there, sitting as if in a wind tunnel with a draft across the room. The cup of coffee that I had before the exam did not help. I was warming my palms on my thighs in turn, one by one.
Well, I thought that 6 hrs would be enough for several breaks. I wish!
I inserted the ear plugs and opened the booklet. The suggestion to quickly go through the entire test book and answer the easy questions first did not work for me. I found that only about 8-10% of the questions could be answered quickly, because the questions themselves were short. The longer the question, the more time you need to analyze what is actually asked and what the catch is (if any). In the end, when I finished my 250th question, I found that I had spent more than 3.5 hrs. At this point I took a short break, put my palms under the hot water in the restroom, had two chocolate cookies, did some warm-up exercises, and came back to my "refrigerator".
Until this moment I was confident and relatively calm. However, when I began answering the most difficult questions, I caught myself realizing that time was running faster than I wanted. Then my confidence began to evaporate as the level of stress did the opposite. In the end, I had only about 7 min left before the deadline. I was able to review 3 questions that I had marked as the most controversial, changed the answers, and said to myself: "Stop it now!" because my brain was quite overloaded and because there was no time to re-check all the answers again.
II. AFTER EXAM.
Right after the exam, when I went out to the Hilton's entrance hall, I felt like a squeezed lemon. Thoughts about food (I had not eaten anything but 2 cookies the entire day) went through my mind, but I could not say whether I was hungry at all.
Instead of hitting any cafeteria, I got my car back ($25 valet parking) and drove home to Baltimore. It was funny, because only 8 miles away from home I stopped at a restaurant and ordered a platter with crab cakes and a drink to relax. I felt that I needed to eat something right away. Then I smoked outside the best cigar from my collection (I had brought it in advance). I deserved it! I got home safe and relaxed. :-)
OK, now some suggestions.
III. "10 RULES FOR SUCCESS"
I developed the "10 Rules for Success", and I feel that some of them helped me to answer most of the questions properly (some of them were posted on the blogs, so I adapted them to my own interpretation):
1. Read every question AND every answer word by word:
a. You can find a tricky question/answer that you could otherwise miss easily (I had two of them on the exam)
b. You will better understand the difference between answers even if they are quite similar (I had 7-10 of those on the exam).
2. Skip the long-text questions and the difficult questions; don't spend time on them right away, just put them aside for now.
3. If the question asks for the right answer, eliminate the wrong answers first. If the question asks for the wrong answer, mark all CORRECT answers first.
4. Control your time, so you can define or change your exam-taking strategy on the fly.
5. If you answered the question but are still unsure whether you are correct, put a large question mark next to the question. When you have some time left before the deadline, review them again (I corrected 3 answers).
6. Make sure that you allocate at least 10-15 min for filling out the answers on the answer form.
7. Before the end, check whether you filled out ALL answers (it's easy to miss one or two).
In addition:
8. Dress appropriately (bring a warm jacket or sweater just in a case).
9. Have at least 8 hrs of sleep at night before exam and arrive 25-30 min prior to the exam to read through your cram sheet.
10. You will need your confidence during exam. Build your confidence by learning as much as possible and passing the quizzes at the level at least 80%. If you don’t know the correct answer to some of the questions, it must not shake your confidence. Think like a manager of a large corporation and take your chance choosing one answer based on real-world situations.
IV. ABOUT THE EXAM QUESTIONS
As I mentioned above, I had about 8-10% of easy questions. I also got some standard questions but idiotic answers (I am sorry, ISC2 folks) that had nothing to do with the reality. I assumed that they were in the pool of 25 questions that were not counted toward the exam result. Unfortunately, I cannot give you an example because of my obligations, but trust me that you are going to be puzzled with some of the answers.
I found that you have to know more about the current standards than about the old ones. For instance, I had a lot of questions about VPN and SSL, more than I could expect. I also was surprised by the number of questions about disaster recovery. I had a feeling that there were at least 20% of them!
I was quite familiar with the majority of the topics and I thought that I knew some of them pretty well. In spite of this, I had the questions about very familiar topics that "put me in the corner" and demonstrated that I could learn better…
V. HOW TO LEARN
I am not sure that my way of learning is good for everybody.
Many years ago I found that visual memory is better than anything else for learning the material. I used this concept when I trained students in the class. I used this concept when I was learning the domains. So, prepare as many tables/drawings/schematics as possible and be patient making a lot of notes because it helps to memorize visually. It will help you to classify the information!
I had the following books/materials/resources:
1. Shon’s All-in-One (used 100%)
2. CISSP Passport (used 5%)
3. ISC(2) Official Exam Book (used 80% - very useful!)
4. Gold Edition of Kurtz (used 15%)
5. Audio Training CDs from PrepLogic (obviously not enough information – used in the beginning of the learning but later did not touch)
6. Shon Harris’ Solutions. CISSP course (used 90%)
7. CCCURE.ORG blog, Google search, many articles, and my Information Security Resources Index.
8. My own audio CDs (used 100%)
I began reading the Official book making some yellow marks. When I figured out that I have to memorize a lot of material, I switched to All-in-One book, and starting from the domain 1 began making the detailed notes in the notebook. At the end of each domain, without repeating the material, took the quizzes from the book and from the CCCURE.ORG web site. Made the notes what I have to repeat/re-learn. I used the Official book to understand some topics better. Then I took my PDA, and recorded the content of my notes to the WAV files (later, I converted them into the MP3 format). Then burned the CD with the files and listened to myself while driving in the car to and from work. By the way, the Shon Harris' CISSP Solution DVD set also includes the MP3 files (3 months subscription), so, it was very useful on its own.
I repeated the same with the rest of domains. At this point, I bought Shon Harris’ CISSP Solutions Training Course. The lectures are very good and easy to follow through, and the add-on graphics serve well in understanding the concepts. She also points to some of the concepts that you *must* know for the exam and she guarantees that the questions about those concepts will be there.
When I finished, I began preparing my own Cram-Sheet. Typing the extracts from the books and web sites helped me to visualize the concepts/standards/protocols. I drew the tables in many instances.
Repeated the quizzes again: for each domain (75 questions), then for 3 domains together (100 questions), and finally, the big one: all domains (250 questions). Three days before the exam, I prepared the final Cram-Sheet (only one two-sided page with extracted info) that I used right before the exam.
VI. ABOUT SOME PREPARATION TESTS
I found that some of the cccure.org quiz questions are outdated and have wrong answers. I submitted my corrections to the web master, and he confirmed that I was correct about them. Later, due to a time limitation I just ignored incorrect/outdated questions.
I have to note that I came across the TestKing’s preparation tests that I have downloaded from the web for free (even don’t remember from where). Most of the questions are stolen from ISC(2) book and other web sites and books. This company proves to be a biggest cheater (and I have the proof that they also cheat with search engines what is a case of unfair competition). I believe that Microsoft sued them, too.
I also used several questions from Boson that were for free. After all, the cccure.org quizzes better than any other (excluding Transcender’s that are still #1 even if they cost more than others).
Except two books that I got from eBay, practically all my resources were purchased on a good discount from RTEK 2000 web site. They sell them cheaper than CCCURE.ORG and obviously cheaper than the original software companies.
VII. END OF STORY
It took me 4 months of heavy-duty learning (especially last two months: every evening 2-2.5 hrs and every weekend 3-4 hrs). I took a day off right before the exam and mostly relaxed after taking 100 questions quiz in the morning.
I feel now that I could learn more and better but the goal is almost achieved (I still need to submit my resume and the Endorsement Form to ISC(2) for getting the CISSP certificate and final approval), and I am a happy camper!
Questions? Post in the comment!
Just yesterday I posted a new blog entry about waiting for the results for more than 10 days, and right after that I received the congratulations e-mail from the ISC(2) registrar. The next step in getting the CISSP certification is to submit the resume and the endorsement form.
Only those who have been in my shoes can really appreciate the feeling of getting good news from ISC(2). Anyway, I promised to describe the exam and to share my experience and thoughts.
I. ABOUT THE EXAM.
I drove to Washington DC to the HIPAA conference where the exam was scheduled. We had a large room with about 30 people trying to pass the exam. I remembered some suggestions to dress appropriately, so I had my light jacket. In fact, it was not enough! I was sitting opposite the large door, and I nearly froze out there, sitting as if in a wind tunnel with a draft across the room. The cup of coffee that I had before the exam did not help. I was warming my palms on my thighs in turn, one by one.
Well, I thought that 6 hrs would be enough for several breaks. I wish!
I inserted the ear plugs and opened the booklet. The suggestion to go quickly through the entire test book and answer the easy questions first did not work for me. I found that only about 8-10% of the questions could be answered quickly, because those questions were short. The longer the question, the more time you need to analyze what is actually being asked and what the catch is (if any). In the end, when I finished my 250th question, I found that I had spent more than 3.5 hrs. At this point I took a short break, put my palms under the hot water in the restroom, had two chocolate cookies, did some warm-up exercises, and came back to my "refrigerator".
Until this moment I was confident and relatively calm. However, when I began answering the most difficult questions, I caught myself noticing that the time was running faster than I wanted. Then my confidence began to evaporate as the level of stress did the opposite. In the end, I had only about 7 min left before the deadline. I was able to review the 3 questions that I had marked as the most controversial, changed the answers, and said to myself: "Stop it now!" because my brain was quite overloaded and because there was no time to re-check all the answers again.
II. AFTER THE EXAM.
Right after the exam, when I went out to the Hilton's entrance hall, I felt like a squeezed lemon. Thoughts about food (I had not eaten anything but 2 cookies the entire day) went through my mind, but I could not say whether I was hungry at all.
Instead of hitting a cafeteria, I got my car back ($25 valet parking) and drove home to Baltimore. It was funny, because only 8 miles from home I stopped at a restaurant and ordered a platter of crab cakes and a drink to relax. I felt that I needed to eat something right away. Then, outside, I smoked the best cigar from my collection (I had brought it along in advance). I deserved it! I got home safe and relaxed. :-)
OK, now some suggestions.
III. "10 RULES FOR SUCCESS"
I have developed my "10 Rules for Success", and I feel that some of them helped me to answer most of the questions properly (some of them were posted on other blogs, so I adapted them to my own interpretation):
1. Read every question AND every answer word by word:
a. You can catch a tricky question/answer that you could otherwise easily miss (I had two of them on the exam).
b. You will better understand the difference between answers even if they are quite similar (I had 7-10 of those on the exam).
2. Skip the long-text questions and the difficult questions; don't spend time on them right away, just put them aside for now.
3. If the question asks for the right answer, eliminate the wrong answers first. If the question asks for the wrong answer, mark all the CORRECT answers first.
4. Control your time, so you can define or change your exam-taking strategy on the fly.
5. If you answered a question but are still unsure whether you are correct, put a large question mark next to it. When you have some time left before the deadline, review those questions again (I corrected 3 answers).
6. Make sure that you allocate at least 10-15 min for filling in the answers on the answer form.
7. Before the end, check that you filled in ALL the answers (it's easy to miss one or two).
In addition:
8. Dress appropriately (bring a warm jacket or sweater just in case).
9. Get at least 8 hrs of sleep the night before the exam, and arrive 25-30 min prior to the exam to read through your cram sheet.
10. You will need your confidence during the exam. Build your confidence by learning as much as possible and passing the quizzes at a level of at least 80%. If you don't know the correct answer to some of the questions, it must not shake your confidence. Think like a manager of a large corporation and take your chance, choosing one answer based on real-world situations.
IV. ABOUT THE EXAM QUESTIONS
As I mentioned above, about 8-10% of the questions were easy. I also got some standard questions with idiotic answers (I am sorry, ISC2 folks) that had nothing to do with reality. I assumed that they were in the pool of 25 questions that were not counted toward the exam result. Unfortunately, I cannot give you an example because of my obligations, but trust me, you are going to be puzzled by some of the answers.
I found that you have to know more about the current standards than about the old ones. For instance, I had a lot of questions about VPN and SSL, more than I could have expected. I was also surprised by the number of questions about disaster recovery. I had a feeling that they made up at least 20% of the exam!
I was quite familiar with the majority of the topics, and I thought that I knew some of them pretty well. In spite of this, I had questions about very familiar topics that "put me in the corner" and demonstrated that I could have learned them better…
V. HOW TO LEARN
I am not sure that my way of learning is good for everybody.
Many years ago I found that visual memory works better than anything else for learning material. I used this concept when I trained students in the classroom, and I used it again when I was learning the domains. So, prepare as many tables/drawings/schematics as possible, and be patient making a lot of notes, because it helps you memorize visually. It will help you to classify the information!
I had the following books/materials/resources:
1. Shon’s All-in-One (used 100%)
2. CISSP Passport (used 5%)
3. ISC(2) Official Exam Book (used 80% - very useful!)
4. Gold Edition of Kurtz (used 15%)
5. Audio Training CDs from PrepLogic (obviously not enough information: used at the beginning of my study, but later I did not touch them)
6. Shon Harris' CISSP Solutions course (used 90%)
7. CCCURE.ORG blog, Google search, many articles, and my Information Security Resources Index.
8. My own audio CDs (used 100%)
I began by reading the Official book, making some yellow highlights. When I figured out that I had to memorize a lot of material, I switched to the All-in-One book and, starting from domain 1, began making detailed notes in a notebook. At the end of each domain, without re-reading the material, I took the quizzes from the book and from the CCCURE.ORG web site, and made notes on what I had to repeat/re-learn. I used the Official book to understand some topics better. Then I took my PDA and recorded the content of my notes to WAV files (later I converted them into MP3 format), burned a CD with the files, and listened to myself while driving to and from work. By the way, Shon Harris' CISSP Solutions DVD set also includes MP3 files (3-month subscription), so it was very useful on its own.
I repeated the same with the rest of the domains. At this point, I bought Shon Harris' CISSP Solutions Training Course. The lectures are very good and easy to follow, and the add-on graphics help in understanding the concepts. She also points to some of the concepts that you *must* know for the exam, and she guarantees that questions about those concepts will be there.
When I finished, I began preparing my own Cram-Sheet. Typing out the extracts from the books and web sites helped me to visualize the concepts/standards/protocols. In many instances I drew tables.
I repeated the quizzes again: for each domain (75 questions), then for 3 domains together (100 questions), and finally the big one: all domains (250 questions). Three days before the exam, I prepared the final Cram-Sheet (only one two-sided page of extracted info) that I used right before the exam.
VI. ABOUT SOME PREPARATION TESTS
I found that some of the cccure.org quiz questions are outdated and have wrong answers. I submitted my corrections to the webmaster, and he confirmed that I was correct about them. Later, due to time limitations, I just ignored the incorrect/outdated questions.
I have to note that I came across TestKing's preparation tests, which I downloaded from the web for free (I don't even remember from where). Most of the questions are stolen from the ISC(2) book and other web sites and books. This company proves to be the biggest cheater (and I have proof that they also cheat with search engines, which is a case of unfair competition). I believe that Microsoft sued them, too.
I also used several questions from Boson that were free. After all, the cccure.org quizzes are better than any others (excluding Transcender's, which are still #1 even though they cost more than the others).
Except for two books that I got from eBay, practically all my resources were purchased at a good discount from the RTEK 2000 web site. They sell them cheaper than CCCURE.ORG and obviously cheaper than the original software companies.
VII. END OF STORY
It took me 4 months of heavy-duty study (especially the last two months: 2-2.5 hrs every evening and 3-4 hrs every weekend). I took a day off right before the exam and mostly relaxed after taking a 100-question quiz in the morning.
I feel now that I could have learned more and better, but the goal is almost achieved (I still need to submit my resume and the Endorsement Form to ISC(2) to get the CISSP certificate and final approval), and I am a happy camper!
Questions? Post them in the comments!
Wednesday, April 11, 2007
Patiently waiting ... and wondering
I have been in waiting mode for the second week, not touching or reading any security-related articles. I was so "saturated" with it for the last 4 months while preparing myself for the CISSP certification exam that now I have decided to give my brain a break.
Yes, I took the CISSP exam on the last day of March. I'll describe my experience later, after I get the feedback from ISC(2). I am waiting for the second week and wondering why it takes so long to let people know their exam results. The answers to the 250 questions are submitted on an electronically readable form. All it takes is to scan the form and get the results. So why should people wait so long and feel somewhere between the sky and the ground? Don't we deserve quicker results?
Tuesday, March 20, 2007
All systems to use "common secure configuration"
I just got the following message from Alan P. (SANS Institute):
"FLASH ANNOUNCEMENT: The White House just released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations. This initiative builds on the pioneering "comply or don't connect" program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well. No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP. The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.
The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.
Alan PS. SANS hasn't issued a FLASH announcement in more than two years. IOW this White House action matters."
Knowing that Shon Harris (Logical Security) also consults for the Air Force and has written many security-related books (not counting the training materials for CISSP certification), I assume that she also deserves many kudos regarding this announcement.
Going for a Big one
I remember the time when the CISSP certification was criticized by my staff instructor, who actually was one of the first to pass this "tough nut" of an exam. His argument was that the exam is removed from the real life of security practitioners and geared toward management staff only; that the exam tests a crazy collection of knowledge from various (not always related) disciplines; and that the exam tests not so much your background as your ability to memorize a huge number of abbreviations for IT protocols, technologies, legal definitions, terms, etc. At that time, we developed our own security training course, and later we preferred the SCNP exam as the one that checks hands-on knowledge, the knowledge that really matters in the real world of the cyber war (I hope you agree that this war is a matter of fact).
Well, time has changed our perceptions, because the CISSP exam has become the number one exam in the cyber security world. I assume that several factors contributed to this change. First of all, back then, in 2000, we had no idea what could happen just one year later: the major attack in NY. This factor was the most important in the growing popularity of the CISSP certification.
Also, more and more companies realized that protecting their infrastructure and IT resources had become task number one. It is obvious that expertise in this area is required unless you want to outsource the matter to a third party. It wasn't 100% safe to rely on someone else (even with enough expertise) if you really care about your business. So many companies tried to hire security experts to solve the problem internally, being able to control the process to a higher degree.
The first pros who were hired were hands-on gurus in the cyber protection area who knew firewalls, routers, and sniffers, and were good LAN/WAN troubleshooters. As always happens, the HR departments began to look for a definition of the professional level for this tough job. Unfortunately, the reality is that none of the HR people know anything about Information Security, and as happened in the past, certification became the definition of the professional level. Not hands-on knowledge, not real-world experience, not achievements, but one exam made the difference (see my article about IT certification hype, written in 2002).
I have to admit that the folks at (ISC)2 were smart enough to push their certification up to the point where the Department of Defense requested that all security professionals who work for DoD be CISSP certified. Even Alan Paller and Steve Northcutt from the SANS Institute were not able to push their GIAC Certification Program hard enough (and those guys are good entrepreneurs and are pretty successful). So the CISSP certification became a mainstream certification in the security world, and the de facto standard.
Many folks around the world are jumping on this bandwagon and trying to pass one of the toughest certification exams. Just imagine: 250 written questions, 6 hours, $450 per test, and 10 security-related domains (including a domain on criminal/cyber law!). The body of knowledge required to pass the exam is described as being "2 miles wide and 2 inches deep".
Well, considering that the CISSP certification is more valuable today than ever before, I have decided to go for the Big one, too. I have to admit that during my study I gathered some useful knowledge that "widened my IT horizon". For instance, I was never interested in finding out in depth what technology Microsoft uses for authentication in Windows Server 2003, beyond knowing that it's called Kerberos. I even learned some pieces of criminal law that might help in better understanding one of those lengthy TV serials about crime investigation (as Shon Harris mentioned in her DVD-based training course).
Only 10 days are left for study, and I am overwhelmed by the stream of information that I must memorize. It's not hard to understand, but to memorize...
Wish me good luck and strength for 6 hours on March 31st!
I will add more information on this topic later. For now, if you are interested, reply to my blog with your certification-related questions.
Best to all of you (except spammers)!
The Cyberteacher