A Heart Device Is Found Vulnerable to Hacker Attacks [Barnaby J. Feder, NY Times]

It turns out that the risk of someone actually hacking a pacemaker is rather small, since the researchers were testing this on a device that wasn’t implanted, and they were within 2 inches of the device at the time.

These devices utilize a wireless radio to allow doctors access to monitor and reconfigure them without opening up the patient again. Normally this is done in the office, with a device placed near the implantation site, so it seems unlikely that someone is going to sit in a local coffee shop and give all the older patrons heart attacks.

In addition to the risk of someone “tweaking” a pacemaker’s settings, there is also the possibility that they would be able to obtain some private medical data from the device, which should raise some additional concerns about patient privacy.

There is some hope, however. The researchers suggested some enhancements to provide some defensive capabilities to these devices. These included notification of access attempts, authentication of connections, and key exchange. Obviously, since these devices have a limited power supply, they are focusing on ways to do this with little or no power coming from the device itself.

The full report can be downloaded here.

I received the results of the CISSP exam on October 11th, four days after I took the test in New York City. Naturally, I was thrilled, and posted as such to the SCC. Wasting no time, I had my manager, who is a CISSP (among other certs), fill out the endorsement form. I promptly faxed the form, along with my resume, to (ISC)2. And then I waited.

According to the email, it was supposed to take 2-3 weeks for (ISC)2 to process my information and validate that I met the requirements for the certification. So after 3.5 weeks, with no other communication, I started to get concerned. After emailing support, I received the following response:

We apologize for the delay but our system has not been able to process any certificates for three weeks due to a very large upgrade. We expect to begin again this week. We ask that you give two weeks to actually receive your certificate. If you still do not receive it, please write back. Thank you for your patience.

So when did I receive word that I am officially a CISSP? November 15th, fully five weeks after the news that I passed the exam. And I didn’t receive my certificate until over a week later, November 24th.

I suppose it could be worse. A colleague of mine took the exam in mid-October in Florida, and he just received his exam results yesterday. While waiting five weeks for their verification process was annoying, waiting over four weeks just to get the exam results must be downright painful.

That’s not to say I can’t reschedule, but I’m going to pretend that’s not an option so I don’t deviate from my study plan. When I study for an exam I tend to go to all out, so I’ll be reading (or re-reading in some cases) the Shon Harris All-in-One Exam Guide, the official ISC^2 guide, and the Krutz & Vines CISSP Prep Guide.  And I’ll be spending many hours running through the practice questions on CCCure.org.

I have been following a number of discussions in the blogosphere and the SCC regarding the value of the CISSP certification. While this has been debated by far more experienced security professionals than I can claim to be, I’ll explain why I am continuing down the CISSP path.

The CISSP certification has been described as “an inch deep and a mile wide.” This is meant to indicate that there is a vast breadth of material covered, but not much of it is explored beyond the basics of that topic area. This implies that a CISSP is not expected to be an expert on any of the 10 domains of the CBK, but rather has a sufficient level of all-around security knowledge.

I see the CISSP as sort of a minimum requirement for most security professionals. It’s not going to impress many people in the field that you have it, but if you don’t, you’d better be prepared to demonstrate why you didn’t need it.

The CISSP is not a Ph.D. It’s not even an M.S. It’s a certification that demonstrates you were able to survive the somewhat arduous exam and meet the experience requirements. It’s likely to get you a pass into the “good pile” in an HR resume selection process, and it can be a marketing tool for a consultant to assert their expertise. It may also give you a bit of a salary increase in your current position.

But let’s be honest; becoming a CISSP is not the culmination of your career. Either you are going to continue learning and growing as a security professional, or you are not. The CISSP shouldn’t be seen as a high water mark; it’s more of a checkpoint along the way.

Why did I change jobs? Don’t get me wrong, I loved my old job. I was the main security guru in the place, and I had my hands in every IT-related project that came through. I enjoyed working there, and the majority of my coworkers were great people. It came down to some advantages that the new position offered that the old one simply didn’t:

1. I was “recruited.” - Never discount the power of ego. I hadn’t posted an updated resume in over 6 months, but this company came looking for me anyway. It felt good to be sought after, instead of doing the seeking.

2. Location - I had an awful commute at my old job. On an average day, it would take between 1-1.5 hours to travel in each direction. Forget about days when it was raining or snowing.

3. Compensation - Not that I was that underpaid or anything, but the new company made an offer right off the bat that was a considerable increase in my salary.

4. Larger company - With a larger company comes a larger and more complex and diverse infrastructure. While I may have worked on firewalls from vendors such as Cisco and Juniper, I have never had the opportunity to work on a Check Point.

5. Larger team - As I mentioned, I was the main security guy at my last place. Not that I have a problem with that, but I’ve only been in the security field for a few years, and I know I still have a lot to learn. This place puts me in a team with a number of highly experienced security professionals. I may be a little out of my depth at times, but I can learn a lot from the people I’m working with.

That last reason is probably the biggest reason for making the jump. I do my best to keep expanding my security knowledge by reading and testing out new tools, but there is something to be said for working with people who have been doing for a lot longer, and who are more than willing to answer any question I can throw at them.

We’ll see how it goes. My first couple of projects involve firewall management centralization and network compliance management. I’ll post again soon with some details on the products I’m looking at.

So why, oh why, do certain cell phone carriers feel the need to block access to this service?  After all, you are paying for the call; shouldn’t you be able to call who you want?  The answer is, of course, that these carriers would rather force you into paying for their services than let you use their network to access a free service.  Sounds sort of illegal, doesn’t it?

Here’s the message from FreeConference.com, with some suggestions:

Dear FreeConference User:

AT&T/Cingular, Sprint, and Qwest Are Blocking Your Conference Calling

As of Friday, March 9, it’s come to our attention that Cingular Wireless has begun blocking all conference calls made from Cingular handsets to selected conference numbers. If you call our service, you receive a recording that says, “This call is not allowed from this number. Please dial 611 for customer service”.

Earlier this week, Sprint and Qwest joined in this action, blocking cellular and land line calls to these same numbers. This appears to be a coordinated effort to force you to use the paid services they provide, eliminating competition and blocking your right to use the conferencing services that work best for you.

Don’t Let AT&T/Cingular, Sprint, or Qwest Take Away Your Right to Use the Conference Service of Your Choice!

We Need Your Help! Please Take the Actions Below:

Whether you are one of their customers, or an organizer who is being impacted by these uncompetitive actions, please file a complaint with the FCC or send an email to your State Attorney General to complain about this monopolistic practice to limit the choices of consumers.

You can also let these companies know how you feel about their attempt to block competitive services:

• Sprint Customers can click here or dial *2 from their Sprint Phone
• Cingular Customers can click here or call 1-888-333-6651
• Qwest Customers can click here or call 1-800-860-2255

Your FreeConference Team remains steadfastly committed to bringing you simple, convenient and reliable conferencing services at the lowest cost possible. We appreciate your support in this endeavor.

Your FreeConference Team

I found this originally on SSAATY.

I am of the opinion that, once you have the basics in place, you need to focus on the insiders, such as DBAs that have unrestricted access, network admins who use one shared administrative account to administer everything, and users who have local administrative privileges. Many of the problems you are defending against on the outside are black and white issues - Do I need to disable any services on this web server? What ports should I allow through this firewall? What should I log and where should I log it? And so on.

On the other hand, decisions to restrict access to insiders come up against a lot more resistance, both for business and political reasons. No one wants to be told they shouldn’t be trusted with the level of access they have, it’s an affront. Also, there are many more complicated situations for internal users. Maybe restricting write access to USB for all users would be a great security measure, but what about the admins who need to transfer data back and forth? All these problems have solutions, but the time it takes to resolve them makes it necessary to dedicate a larger portion of your time to these efforts.

Maybe I’m way off base here. I’m not saying external threat mitigation is a cakewalk. It’s just that after the basics are taken care of, I think more effort is required to secure things from the internal perspective. Ok, I’m ready…tell me why I’m wrong.

While the majority of my time spent at CompUSA could be termed “retail hell,” it did give me access to many different types of hardware and software, from many different vendors. I started in the software department, and vendors came in on a regular basis with freebies in an unsubtle attempt to bribe us into pushing their products over the competition.

Similar to Ryan, I then moved into the Upgrades department, selling the higher-end products that had to be locked away behind the counter.  I was also trying to become a repair tech, and meeting with resistance.  Working in the Upgrades department was somewhat enjoyable, and when it was slow I could go next door to the tech area and check out what they were working on.

Overall, it was good experience, if a bit painful.  Then again, that would be my description of most jobs in retail.  All in all, I’m not really that broken up over the fact that there will be no more CompUSA stores in my area.

First impressions: security at the jury entrance was like going through the airport, with less of a line, and no nonsensical restrictions.  While I was not allowed to bring food or drinks into the facility, I was not forced to throw out a tube of moisturizer in my backpack, for instance.  I assume if I had any weapons or other sharp objects I would have been forced to discard them.  Also, I had to leave my cell phone in the car, as camera phones are a no-no.

While the security at the entrance was tight, I had some concerns.  First, no attempt to check my ID was performed in my entire time at the courthouse.  I had to present my summons, but beyond that, I could have been anyone.  Not that many people are going to crash jury duty, but if someone was motivated to do so, I doubt they would have much difficulty.

Second, the smokers are given their right to light up in a small fenced-in terrace outside the main waiting area.  Good for them, but I question how difficult it would be for someone to pass something to (or from) one of the smokers.

I also have a (minor) complaint.  Why, when there are 3 potential courthouses that the juror pool can be summoned to, do I get stuck with the only one that doesn’t offer WiFi?  I spent the better part of 6 hours — don’t get me started on that one — waiting to be called into a courtroom, reading old magazines, when I could have been on my laptop getting things done (i.e. posting this complaint earlier).

In the end, I wasn’t picked for the final jury, and I was thanked for my service and sent home.  While I understand justice is a process, it was unfortunately a lengthy and uneventful process in this case.

ccording to the comparison, Microsoft scored an abysmal 82.40% total on-demand detection of viruses/malware. That’s over 6 percentage points lower than the the next-worst contender (Dr. Web, at 89.27%). At the other end of the spectrum, Avira PE Premium, G DATA Security AVK, MicroWorld eScan Anti-Virus, F-Secure Anti-Virus, Kapersky Labs Kapersky AV, and AEC TrustPort AV WS were all rated above 97% detection, which AV-Comparatives calls their “ADVANCED+” certification level.

Keep in mind, it’s only a 1.x product from Microsoft, so they may be leaving room for improvement. But I expected more from Microsoft with all the marketing about their security initiatives.

Here’s the full results of the test: http://www.av-comparatives.org/seiten/ergebnisse_2007_02.php

Found via PCMag.

If you are running WordPress 2.1.1, and you haven’t already done so, go to this link immediately, and follow the instructions to upgrade to 2.1.2:

WordPress 2.1.1 dangerous, Upgrade to 2.1.2

Note: I appear to be having some difficulty creating links, post upgrade. I’ll see what I can do to resolve the problem and update this post.

Update: Problem resolved