Wednesday, June 26, 2013

SL Powers IT Security Lunch & Learn event

Tying in with my recent posting on getting involved with local security events, today I attended a "lunch and learn" event organized by one of our local IT services companies, SL Powers.  They apparently do these events in our local area about once a month, in different locations.  This one had two presentations, both of which were pretty good.

First up, we had Silka Gonzalez, President & CEO of Enterprise Risk Management, a local company focused on helping their clients with risk management and assessments.  She gave a good overview of some of the various regulatory compliance standards out there that many of us have to deal with:  GLBA, FACTA, SOX, HIPAA/HITECH, FERPA, FISMA, and PCI-DSS.  What I particularly liked was how she pointed out the similarities among many of these, and what the basic underlying concepts common to all of them are.

The second talk was by Tom Leffingwell of Juniper Networks.  Now, I have known Juniper as a competitor to Cisco in terms of networking equipment.  What I wasn't aware of was their work in the area of network security.  So it was good to learn more about what they do in this area.  As with these kinds of presentations, you run the risk of it being more of a sales pitch than a technical overview, and I think he did a good job of staying more technical than sales.

I will keep my eye out for further sessions like these.  SL Powers also has a series of sessions called "Tech on Tap", which also sounds interesting.

I found out about this event via Eventbrite.  If you aren't familiar with this site, check it out.  It's a great way to find out about events in your area, both free and paid.  As IT people, we need to keep up our skills, so attending these events has multiple benefits.

Monday, June 24, 2013

Getting involved locally- joining, learning, networking

So it's been too long since I've posted.  Something in the back of my mind is my observations of my colleagues in the IT and IT Security realm.  What has long disappointed me was how many never bothered to keep learning and being involved in the larger "community".  Other than taking some training courses, many didn't bother to keep up with what is going on in the industry: they didn't read journals (either print or on-line), and didn't get engaged with local groups or events or the like.

For me, I joined USENIX and SAGE when I got involved as an IT admin.  When I got involved in IT Security, I joined ISSA and got involved in the South Florida ISSA chapter.  I was briefly involved with ISACA (and have thought about getting back involved).  I know about other groups (we have a chapter of (ISC)² getting formed) and have looked at others to see if they were worth joining.

I tried to get involved with local events tied with those groups (my chapter runs a security conference every 2 years, and has an annual "hack the flag" event), as well as others.  Last year in December we had the ITPalooza event, which will happen again this year.

So my advice to you is, if you want to succeed in your IT career: GET INVOLVED.  Depending on what your interest or focus is, see if there are groups that are appropriate for that, and join them.  Especially get involved with local chapters of these groups.  Maybe think about becoming an officer.  If you are the type, consider making a presentation, even if it's at a local event.

So, if you've had experience getting involved, comment about what you've done and what you've gotten out of it.

Tuesday, June 18, 2013

NSA, Prism, Privacy and all the rest

Well, it's been too long since I posted.  I wanted to post something about the recent revelations about the NSA spying on American citizens, the government's PRISM program, Edward Snowden revealing information, and all the rest.

Frankly, I found it hard to do so.  I prefer to stay apolitical with this blog, and so much of what is coming out is being picked up by different people and pushed in different ways.  In some ways, it's like the whole issue is a mirror showing how other people think about privacy and the like.  It's a bit scary.

Bruce Schneier on his blog has frankly been doing a better job than I can.  And I largely agree with much of what he is sharing.

The Electronic Frontier Foundation did a report called "Who Has Your Back", showing which companies are (or are not) protecting your information.  After this, I wonder what the next edition of this report will show.

Friday, June 14, 2013

Upcoming South Florida Security Event: State Sponsored Hacking

For those IT Security professionals in the South Florida area, there is an upcoming security event they should know about.

Hosted at Nova Southeastern University on July 23rd, it's on State Sponsored Hacking.  It's organized by SherlockTech Staffing.

Full info and free registration at Eventbrite:

Sign up today!!!

Wednesday, June 12, 2013

"A Great Course" on Cybersecurity

Not sure if others are aware of the company The Great Courses, which sells college-level courses on CD & DVD.  I've gotten a few and enjoyed them.

In their most recent catalog, I saw a new course that would be of interest to this audience.

"Thinking about Cybersecurity", an 18-lecture course by Professor of Law Paul Rosenzweig.  (Course #9523)

The lecture listing covers a lot of topics related to cybersecurity.  Not sure of the level of technical information, or if it's more on the policy side.

Has anyone gotten this yet and can comment?

Wednesday, June 5, 2013

CIA Releases Analyst's Work on How He Decrypted Three of the Four Panels of the Kryptos Sculpture

I would hope most security geeks are aware of the Kryptos Sculpture located at the CIA's Langley headquarters.  Artist Jim Sanborn unveiled this cryptographic sculpture in 1990.

It took until 1998 for someone to decrypt 3 of the 4 panels.  Analyst David Stein did so, and he wrote a paper on it.  It was published in the CIA's classified journal Studies in Intelligence.  Note that ONE panel is still unsolved.

Thanks to THIS ARTICLE, it seems that the National Security Archive has made this now unclassified work available.  You can read it HERE.

Monday, June 3, 2013

Georgia Tech Researchers can hack your iPhone via charger

The use of small hardware devices (Arduino, Raspberry Pi, BeagleBone) to hack systems is one I've touched on before.  At the recent HackMiami Conference there was a very good presentation on this.  I think this is a vector that not too many security professionals are aware of, to their detriment.

HERE is a recent article on some researchers at Georgia Tech who say they can infect an iPhone via a charger.  They will be showing how they did it at the upcoming Black Hat conference.

Apparently it's done with a BeagleBoard, which is a sizable device.  A BeagleBone would have been smaller, and easier to fit into a surge protector/power strip than a BeagleBoard.  But maybe they were looking for more of a proof of concept.

China & US start talks regarding cyber theft and espionage

Well this is interesting.

A very recent article published in an Australian paper (I can find no such article in any US paper; why is that?) says that the US and China are starting talks "to set standards of behaviour for cyber security and commercial espionage".

Pretty interesting, considering that most people think that the various cyber attacks being seen by the US government are coming from China, and that such attacks are coming at the behest of the Chinese government.

This bears watching.

Android malware disguised as anti-malware software

Something I don't think a lot of security professionals are aware of is the trend of users being tricked by fake anti-virus/anti-malware software that is really malware!  (Apparently we now have a term for this: scareware.)  People are so concerned about getting infected that they install software they think will protect them, when, in fact, it's infecting their system.

A recent presentation I was at said that the largest vector for Macintosh malware is via such fake anti-malware apps.  And, per another article, there is way more fake anti-malware on Windows than on Mac.  Big surprise.

And it shouldn't be a big surprise that the bad guys are doing the same on smartphones as well.

HERE is a great posting at Sophos' Naked Security blog on a deep examination of one such fake anti-malware on the Android platform.  Check it out.  A good read, with some great information.