There’s a long story to be told I’m sure, but the key point is that after TWO YEARS, the government has nothing but theatre to stand behind.

I’ll follow this up later with more.

UPDATES:

News:

• Byron Sonne not guilty on G20 explosives charges
• Sonne acquitted on explosives, mischief charges
• Freed G20 activist Sonne blasts ‘nanny state’
• Byron Sonne cleared of all charges
• CBC Video of post-verdict scrum
• Byron Sonne, Found Not Guilty On All Charges, Has Plans For The Future
• Everything You Need To Know About The Byron Sonne Trial: A Timeline
• Raw Video of post-verdict scrum

Court Documents:
Judge Spies Verdict (scan)

As many have noted, the current Canadian government is still not really paying attention to the rights of citizens. But at least this one is done.

As noted by Byron (at 1:16 in the Raw Video above) he is going to work on getting his certifications back. I have communicated the verdict to ISC2 Counsel and the response (as appropriate) was that there are privacy issues regarding the discussion with Byron which must occur. I believe that ISC2 will comply with their own statements (and ethics) regarding the notion of “innocent until proven guilty” and that re-instatement will be as quick as the suspension. Of course, if they don’t – well – that’ll be something to consider too.

Problem Description

a. VMware host memory overwrite vulnerability (data pointers)
Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Workaround

Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected.

Mitigation

Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.

Source: Article Link

One of my frustrations over the years has been around interviewing candidates for security jobs. I recently had a doozy when a candidate asked “what do you guys do?” Starring blankly at the phone I had to fight to maintain my composure. I then started mentally thumbing through years of absurd responses from candidates.

I decided to ask the community to share their favourite security job interview question answers and wow…did that ever garner a response.

Opening statement on Twitter “I’m compiling a list of things NOT to say in an interview for a security job. Got any good ones?”

Here are 50(ish) responses in no particular order.

Enjoy!

1. I’m a thought leader
2. “What was this position again?”
3. “Does the workplace anti-drug policy apply to drugs I make myself?”
4. asking someone on the interview panel “hey so why did you leave your last gig???”
5. “Who is that bitch in the picture behind your desk, the one next to the picture of those three ugly kids.”
6. Sharepoint
7. I use [OSX/Linux] so I’m secure.
8. “How can it be secure if anyone can see the source?”
9. “Why wouldn’t you just use Telnet for that?”
10. “IT guys are dumb”; “Developers are dumb” “they expected me to work at 9pm…”
11. “when nobody is looking I change the homepage to meatspin”
12. “This one time when I hacked _ …”
13. Q: Describe a TCP handshake. A: I can’t. NB: self declared network expert
14. Yeah, I’ve already been in your systems and, whew, I gotta say, you really need help.
15. “I don’t do documentation”
16. I only use Cisco security devices, because security begins with trusting yr vendor, and everyone
    trusts CSCO (Look at their stock!)
17. If an app has Common Criteria certification, you know it’s secure
18. “I broke into x, y and z sites”
19. You know, I hacked your company’s network once. Made a fortune off of the credit card data.
20. I had someone interview for a management position with a book full of documents created for previous employer
21. This job can be done by monkeys. Yes, I actually heard that one from a candidate.
22. “There’s this thing called APT.”
23. Do you want my Facebook username and password now?
24. “I know this guy Greg Evans who can be contacted for referral if needed”
25. I use the same password everywhere
26. “Admin for everybody works best.”
27. “I think Facebook’s handling for privacy matters is the bomb.”
28. mentioning a CISSP at all or citing military experience and having zero actual security experience
29. …and that guy with my name, yeah, that wasn’t me selling those secrets to China.
30. don’t speak of known security issues or problems in your existing org, if you’ll cheat on them, you’ll cheat on them
31. “Auditing? Naw, I’m not into the whole ‘logging’ thing.”
32. What do you mean compliance != security?
33. Gave a guy a scenario to work through once, dude got mad, lost his temper, described people in the situation as idiots, etc.
34. “Will this position look good as I’m interviewing for my next gig?”
35. I make sure to use a complex alphanumeric+special 8+ characters password for all critical systems: passw0rd!
36. Turn to the CTO (Jeremiah Grossman) and ask, “What do you do here?”
37. “I don’t think you’ve got anything a criminal would want”
38. “Why infosec? One word: misanthropy. BTW, can I telecommute?”
39. “everything I learned about security I learned from the compliance manager at my previous Job”
40. “In my last job I used Nexxus a lot”
41. do you have flexible office hours? I usually work from my home office lab, can you pay for my internet?
42. “Sorry I’m late. I misplaced the printout of the email setting up the interview.”
43. “Why, yes, An*nym*us *was* my idea…”
44. Lulzsec, that was also my idea.
45. I’m perfect for security, because I love telling people NO!
46. “Can I connect my {insert droid phone brand} to your network?”
47. “home labs are for geeks, that’s just pointless”
48. How would you describe diversity? >I eat lots of Chinese and Italian foods. >Could u elaborate more? > They all taste great. #real
49. “I’m just applying for the job so I can keep getting my unemployment check.” (true story)
50. “This is a 9-5 gig, right?”
51. “I just read SANS Newsbites and that’s pretty much how I keep up with everything in infosec”
52. Worst was clothing, not comment. Kid showed up wearing a “Bart Simpson, underachiever and proud of it” t-shirt for interview.
53. All of my past bosses were assholes, I hope you aren’t. (paraphrasing actual interview)

…and the winner in my books


54. Yes. I was security lead at Sony in 2010 and 2011

I received over 250 responses. Thanks everyone for contributing. Got more? Feel free to leave a comment.

(Image used under CC from Ced)

In a rather bizarre twist today the vote on the CIPSA bill was moved forward and hurriedly pushed through.

First off, what is the Cyber Intelligence Sharing and Protection Act or CISPA?

From Wikipedia (yes, I quoted Wikipedia, get over it):

The bill would allow the voluntary sharing of attack and threat information between the U.S. government and security cleared technology and manufacturing companies to ensure the security of networks against patterns of attack;[5][dead link] the most recent version of the CISPA bill may remove any reference to intellectual property.[6][clarification needed] Several commentators have distinguished CISPA from the controversial Stop Online Piracy Act (SOPA) bill.[7][8][clarification needed] CISPA was reported out of committee on December 1, 2011.[9] CISPA has been criticized by advocates of Internet privacy and neutrality, such as the Electronic Frontier Foundation and Avaaz.org, because they feel it contains too few limits on how and when the government may monitor private information when it might become collaterally entangled in the process of passing threat information, and too few safeguards with respect to how the data may be used; they fear that such new powers may be used to find and punish file sharers and copyright infringers rather than the stated foreign spies or hackers.

OK, got it. That sounds less than appealing.

From Computer World:

Civil liberties groups, including the Center for Democracy and Technology and the American Civil Liberties Union, have opposed the bill, saying it would open up Internet communications to snooping by government agencies, including the U.S. National Security Agency.

It is a bill that does smell rather foul. Earlier revisions of the bill were less insidious but, there were multiple amendments tacked onto the bill just prior to voting today.

Example from Techdirt:

Previously, CISPA allowed the government to use information for “cybersecurity” or “national security” purposes. Those purposes have not been limited or removed. Instead, three more valid uses have been added: investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children. Cybersecurity crime is defined as any crime involving network disruption or hacking, plus any violation of the CFAA.

Oh lovely…there it is again. Invoking the “protect kids” angle. This is a puerile ploy on the part of legislators to push through unsavoury legislation. “Well, if you don’t support this bill you support child molesters”. This of course is NOT the case. Sadly, too many voters happily gobble up the pablum they’ve been served.

Then there are the supporters…

But supporters argued the bill is needed to help private companies and government agencies fight cyberattacks. “There are people today who are literally robbing the future of America” by attacking U.S. companies, said Representative Mike Rogers, a Michigan Republican and lead sponsor of CISPA. “This is the one small thing we get to do to prepare for a bunch of folks who want to bring us down.”

I’m sorry but, I’ll just say it… COMPLETE BULLSHIT.

A doctoral dissertation on that matter would not encompass the depth my sentiment any better than that.

So, who did vote in favour of this piece of legislation? Here is the list of Congress critters that voted yes on CISPA.

Pull your ankles up to your chest America.

This is gonna sting.

Source: Article Link

(Image used under CC from Ano Lobb)

OK, this is rather interesting. An app that provides private browsing on your iOS device. The Onion Browser for iOS private browsing provides, potentially, for a safe browsing experience in the event that your phone gets pinched by border agents.

From Lifehacker:

We’ve talked about ways to Tor in Chrome and Firefox before, and Onion Browser uses the same basic premise. It tunnels your browsing through a Tor proxy server so websites don’t see your IP address and it encrypts all of your information before it leaves your device. Loading pages in Onion Browser takes a lot longer than normal, but you’ll be completely anonymous when you’re doing it. Onion Browser is a 99¢ download for iPhone and iPad.

Please note that this isn’t an endorsement of this particular app as we have not had a chance to test it just yet.

Source: Article Link

(Image used under CC from The Shifted Librarian)

So, it appears that the EU Parliament is going to turn over traveler data to the US. Not sure if they really gave this a lot of thought before pulling out the rubber stamp. One question I have is, will the US reciprocate?

From BBC:

The European Parliament has adopted a controversial bill clarifying US access to personal data about airline passengers in the EU.

MEPs agreed by 409 votes to 226 to let the US Department of Homeland Security see data on the Passenger Name Record (PNR) , under strict controls.

Supporters say this is a vital step in the fight against terrorism.

Of course it is…at least they refrained from claiming it was in order to battle kiddie porn this time.

So, what are these strict controls? What guarantees do EU passengers have that their information will be used to thwart evil and nothing else?

*crickets*

This stirs up a hornets nest of privacy concerns.

The BBC’s Imogen Foulkes in Strasbourg says many questions remain about how the information will be used, how long the US will keep it, and who else might have access to it.

Some MEPs fear the deal sets a precedent and ask how the EU would respond if China or Russia asked for the same information

Yeah, that’s kind what I was afraid of.

Source: Article Link

(Image used under CC from Brad Stabler)

The saga of the downed US drone aircraft in Iranian hands has found its way back into the head lines again. Now, the Iranians claim to have puzzled out the “many codes and characters”.

From Nextgov:

The chief of the aerospace division of the Iranian Revolutionary Guards, Gen. Amir Ali Hajizadeh, told state television that the captured drone is a “national asset” for Iran. “There is almost no part hidden to us in this aircraft. We recovered part of the data that had been erased. There were many codes and characters. But we deciphered them by the grace of God,” Hajizadeh said.

We have exclusive pictures of the Iranian drone prototype. It’s smaller than we imagined and not expected to do very well at high altitude or in hotter climates. No word on the nature of the revolutionary material they’re using in it’s construction.

Source: Article Link

(Image used under CC from Steampunk Family the von Hedwigs)

(Image used under CC from Pedro Vezini)

There are times when an unbelievable oops hits the headlines. This is one of those times. Apparently the insurance provider Aviva managed to fire 1,300 staffers via email

From ZDNet:

In an age of lacking inter-personal relations and working from home, it should come as no surprise to learn that many employees do still get the boot by email.

But there is no excuse for Aviva in this case, however, as despite its decentralised nature, someone surely could have approached the soon-to-be former employee. Under European employment and labour laws, one can’t just sack someone for the living hell of it. There are processes, procedures — and ultimately tribunals — for when it goes does go wrong.

Still, a jerk move is a jerk move. Aviva, with all its wealth, importance, and ‘modern attitude’ to its workforce, should never have sacked someone by email.

I could not agree more. This type of practice for terminating an employee is complete cowardice on the part of the employer. I hope that they’re made to explain their actions.

Source: Article Link

(Image used under CC from striatic)

Mercedes has been rolling out updates to it’s vehicles onboard systems at a rate that has proven unmanageable with USB drives. So, they have switched it out in favour of remote updates that are seamless to the vehicle owner.

From Txchnologist:

This new system upgrades on the fly, he said, the first such in-car application to do so. “It’s seamless to the customer,” Link said. “I have a friend who was excited about his system upgrade, which required him to plug in his stick and leave his car running for 45 minutes. Who wants to do that? In a process called ‘reflashing,’ the Mercedes system can turn on the car operating system (CU), download the new application, then cut itself off. It doesn’t require you to do anything at all.”

Um, yeah. While in principle I can see the appeal of a set up like that I’m curious as to how security is being handled. With access from 3G or 4G networks can the vehicles be reached by other parties or are these updates pulled from the vehicle onboard systems? I can’t help but think of the security in vehicles when I look back to 2006 when David Beckham had his vehicle stolen from a busy street in Spain with nothing more than a laptop.

Come to think of it, I could use a new ride

Source: Article Link

(Image used under CC from desertspotter)

Ars recently attempted to delve into the inner workings of the security built into Apple’s iCloud service. Though we came away reasonably certain that iCloud uses industry best practices that Apple claims it uses to protect data and privacy, we warned that your information isn’t entirely protected from prying eyes. At the heart of the issue is the fact that Apple can, at any time, review the data synced with iCloud, and under certain circumstances might share that information with legal authorities.

We consulted several sources to understand the implications of iCloud’s security and encryption model, and to understand what types of best practices could maximize the security and privacy of user data stored in increasingly popular cloud services like iCloud

Read on.

Source: Article Link