As a follow-up to our recent post on teaching your kids some intro programming, I thought I’d also put out some notes on introducing the kiddos to computers in general. A while back I put out a call on the NoVAHackers distro list for Linux OSs that kids could learn on. They two most popular recommendations were:

• Qimo
• Edubuntu

Both of these distros have tons of learning-to-program games as well. The big difference between them is that Qimo was designed for stand-alone computers while Edubuntu was designed for networked computers in a classroom environment.

In my experiences with Qimo, there were many exercises focusing on typing, moving the mouse, clicking, and other computer basics. It also included many advanced learning games and even some later programming languages. Although it would freeze up every once in a while, Qimo seemed very stable overall.

I was equally impressed with Edubuntu. Unfortunately, I tried to do some updates and it croaked on me for some reason. I could have tried reinstalling but my laziness snuck in and I just stuck with Qimo as it met my basic needs. Additionally, Qimo did seem somewhat better for kids under 6 (pre-school purposes with the youngest) and was slightly more kid-friendly in my opinion.

#####

What other “kid” OSs do you use? What are your experiences? Let us know in the comments below. See ya!

Kind of cheesy but does a pretty good job of explaining Border Gateway Protocol to the tunes of some old school Naughty by Nature. It’s under 5 minutes so it shouldn’t be too painful. The video was part of the campaign against SOPA, PIPA, and ACTA several months ago. Some of my favorite lines include:

• You do a trace and then you notice there’s a routing loop?
• There’s no room for adjacencies, there’s just room to ROUTE IT!

If you want to read along during the song (or are brave enough to try to karaoke it), check out there lyrics here.

#####

Know of good vids we should feature? Let us know in the comments below. Today’s post pic is from FurAffinity.net. See ya!

If you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.

A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.

Industry Articles

A Closer Look into the RSA SecureID Software Token: Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. (continued here) (@grecs: Wow, this is a major ding in their soft token market. Come on RSA … what were you thinking?)

Nmap 6 Released: The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. (continued here) (@grecs: Tons of new features and cool things to play with in their first major release in three years.)

New White House Cybersecurity Chief Largely an Unknown: Named late last week to replace Howard Schmidt as the top White House cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office of Management and Budget (OMB) and has been its intelligence branch chief for the past 11 years. (continued here) (@grecs: Makes sense as that intel guys don’t like to be out in the public too much.)

Anatomy of a hack: 6 separate bugs needed to bring down Google browser: An exploit that fetched a teenage hacker a $60,000 bounty targeted six different security bugs to break out of the security sandbox fortifying Google’s Chrome browser. The extreme lengths taken in March by a hacker identified only as Pinkie Pie underscore the difficulty of piercing this safety perimeter. (continued here) (@grecs: Awesome accomplishment by an extremely talented student. This guy is going straight to the pros.)

Notifying Users Affected by the DNSChanger Malware: Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, … (continued here) (@grecs: Huge mistake to even set these servers up in the first place. Now Google has to step in to hopefully warn enough people of them loosing the interwebs.)

Our Blog Posts

Video of the Week – How DNS Works: DNS has progressed a long way from just being a file on your computer that maps domain names to IP addresses. We came across this fairly simple 2:27 minute video that explains the basics of DNS well. (continued here)

Kid Hacking – Learning to Program: The successes of several HacKid conferences and the first ever DefCon Kids last year got me thinking about starting to teach my kid a little bit more about computers than he probably learns in school. Programming seemed like the obvious choice to me as that is where I started years ago. Yeah, it was only Basic but at least I learned the concepts. With a little bit of Googling the top choice seemed to be a language called Scratch hosted over at MIT. At this point I didn’t really know much about it so I put a call out to the Twitterverse since I know many of us have elementary-aged kids. (continued here)

“Infosec” Trademark Dampens Google’s Adword Revenue: Ok … so maybe the title is a little off … but it did dampen their revenue … at least some. Specifically, they’ve been loosing $10 a day from us. A few weeks ago I decided to try the whole Google AdWords thing out to help spread the word about NovaInfosec.com. I signed up and muddled around trying to understand everything and after a bit of stumbling around I was able to create an ad. It was nothing big as you can see below. So at this point I was pretty happy and next went into generating keywords. This activity took a bit but I came up with around 12 keywords that seemed to fit what I was looking for. It did take a while to come up with those 12 keywords though. (continued here)

Contemplating the Meaning of Offensive Job Postings: Huh? First there was the unspoken “O” word. Then it finally started making it’s way into speeches of high-ranking current and former government officials. And now it’s in job posts. Of course a private company actually performing offensive activities would likely be illegal in most cases … although I’m sure there’s a sneaky way around that (e.g., re-terming it as “active defense” or something).” However most likely this person would be serving some government agency in some capacity … so who knows… It’ll be interesting to watch how “offensive” trends in the coming months and years. And with all this press I’m sure NG is getting lots of applications for this position. (continued here)

Poll: Would You Give Up Your Facebook Password for a Clearance?: So last week we did a post on the whole Facebook password turnover thing. Overall legislation is popping up all over the place at the state and federal level preventing employers from asking for such information. Even though somehow this practice crept into practice at companies, clearly almost everyone is against it. A lot of people that I’ve spoken with recently around the DC area were pretty much dead against turning over passwords to an employer. The thing that I think makes DC a little different though is that much of our work involves some type of security investigation. (continued here)

NSA Looking to Train Students in Cyber Ops: The NSA has long run the National Center of Academic Excellence (CAE) program in Information Assurance Education (CAE-IAE) and more recently in Research (CAE-R) however they are reaching into new grounds by formalizing a new Cyber Operations (CAE-Cyber) distinction for colleges and universities. We’ve written about the CAE program before … and although it isn’t the be-all end-all, it’s definitely a good place to start if you are considering where to get your undergrad or graduate degrees. For the new CAE-Cyber program so far the NSA has only designated four schools (highlighted below) as meeting its requirements. (continued here)

Is Moving-Target Defense a Security Game Changer?: I came across this interesting article and audio interview today on research being done on the topic of moving-target defense. Coined in 2008 as a game changing technology in security, I’ve only been recently hearing about this concept and was looking for more details on the topic. This article from GovInfoSecurity.com provided a nice overview and followed with additional details in an 11 minute audio interview with one of the researchers that receive a $1 million grant. The concept is based on the assumption that enterprise networks and systems generally remain static over time. (continued here)

Job: Senior Security Consultant in Washington, DC / Virtual: This challenging position from GuidePoint Security looks to be very flexible and provides great benes however 40% travel might be a little much for some. But if you want to see lots of places and meet lots of people … maybe this is the job for you. The benefits package includes 100% coverage on healthcare (don’t see that too often) with lots of goodies (e.g., MBA/MBP and an iPhone). They seem to be looking for a jack-of-all-trades type security person so I see this as the type of job where if you don’t know it, you better be willing to learn on-the-fly. They also encourage speaking at conferences so that may be a plus for some. The company has been around for a year and is based in Reston, VA. (continued here)

#####

Hope everyone had a wonderful week. Have a great weekend! See ya!

This challenging position from GuidePoint Security looks to be very flexible and provides great benes however 40% travel might be a little much for some. But if you want to see lots of places and meet lots of people … maybe this is the job for you. The benefits package includes 100% coverage on healthcare (don’t see that too often) with lots of goodies (e.g., MBA/MBP and an iPhone). They seem to be looking for a jack-of-all-trades type security person so I see this as the type of job where if you don’t know it, you better be willing to learn on-the-fly. They also encourage speaking at conferences so that may be a plus for some. The company has been around for a year and is based in Reston, VA. It might be a chance to get in on the ground floor…

And don’t forget … if you organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway … on to the job post.

Title

Senior Security Consultant

Location

Washington, DC / Virtual

Company Name

GuidePoint Security

Job Description

Senior Security Consultants at GuidePoint Security are experienced professionals who are autonomous, experienced, self-driven security fanatics. Our Senior Security Consultants are materially involved in the complete professional services lifecycle, from pre-sales through delivery and have the freedom and control over how engagements are scoped and delivered. Our unique position as both a Value-Added Reseller (VAR) AND a professional services organization also requires our Senior Security Consultants to continually expand their knowledge and experience with the latest cutting-edge information security technologies. This helps satisfy our Senior Security Consultants desire to constantly expand their knowledge and better meet the needs of our clients.

Travel & Office Location

• Approximately 40% out-of-town travel to client locations is typical for Senior Security Consultants
• Senior Security Consultants work from home when not visiting client locations

Benefits & Technical Perks

• Choice of MacBook Air or MacBook Pro
• Apple iPhone 4S with mobile hotspot functionality
• 100% employer-paid medical, dental and vision insurance for employee, with generous employer family contributions
• Eligibility for retirement plan after 6 months
• Competitive salary dependent on experience

Requirements

Required

• Proficiency in Information Security tools such as Nessus, Kismet, Nmap, Burp, Netsparker, WebInspect, AppScan, Qualys, Nexpose, Core Impact, Metasploit and manual techniques to exploit vulnerabilities (both network and application layers)
• Proficiency in operating systems including Windows 2003 & 2008 R2, Windows XP and 7, RHES and Ubuntu Linux
• Proficiency in manually testing for Application Security specific vulnerabilities such as those included in the OWASP Top 10(SQL Injection, Cross-site Scripting, etc.)
• Knowledge of industry standards including ISO27000 series, NIST 800-42 & 800-53 and other industry related security standards
• Information Systems architecture and security control design and development experience
• Knowledge of Industry Regulations, e.g.,Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Payment Card Industry (PCI), Sarbanes-Oxley (SOX)

Preferred

• Experience with application source-code security reviews
• Experience with programming languages such as Java, C, C++, C#, Python, Ruby and .NET
• Forensic & Incident Response experience
• Mobile security experience
• PCI DSS Industry experience
• Educational & Professional Credentials
• Bachelor’s degree in a relevant discipline or equivalent experience
• 3-5 years of consulting experience in the Information Security industry OR as a technical lead for an internal Information Security program
• Professional certifications such as CEH, CPT, CISM, CISSP, GIAC, GSEC and QSA
• Conference speaking experience is strongly preferred

About GuidePoint Security

GuidePoint Security provides customized, innovative and valuable information security solutions that enable commercial and federal organizations to more successfully achieve their security and business goals.

Follow-Up Contact Information

For additional information and to apply, head on over to its requisition on LinkedIn.

#####

You can find more career opportunities over on our Job Board. Head on over there for all the details. Today’s post image is from the good folks over at GuidePointSecurity.com.

I came across this interesting article and audio interview today on research being done on the topic of moving-target defense. Coined in 2008 as a game changing technology in security, I’ve only been recently hearing about this concept and was looking for more details on the topic. This article from GovInfoSecurity.com provided a nice overview and followed with additional details in an 11 minute audio interview with one of the researchers that receive a $1 million grant.

The concept is based on the assumption that enterprise networks and systems generally remain static over time. This gives an attacker ample time to research the environment and layout the most opportune attack. Moving-defense challenges this assumption since the enterprise would constantly change in terms of its configuration of the overall environment. Examples include changing IPs, underlying OSs, listening ports and protocols, etc. An attacker could perform recon and basic scanning for months but then nothing works as expected when it comes time to attack. Enterprises could also use this adaption technique in response to an attack to quickly limit the resources an attacker has access to. And as the researcher noted, the challenge involves keeping the network operational while making all these changes and ensuring cost-effective management.

Overall moving-target defense looks like an interesting approach and I anticipate the results of their research. I do have my doubts, though, on this being a cost effective security control. To me the resources needed to manage such a vast dynamic environment combined with keeping it operational appears to be too complex and costly. Perhaps this technique could have application in specialized segments (e.g., a DMZ) as part of a defense-in-depth approach.

If you are interested in more details on moving-target defense, the National Symposium on Moving Target Research is scheduled on June 11 right in our backyard of Annapolis, MD.

via GovInfoSecurity.com

Imagine a computer network that can fool intruders into seeing configurations that in reality don’t exist, making it hard for them to invade the system. That’s what Scott DeLoach is trying to figure out how to do.

DeLoach, a Kansas State University computer and information sciences professor, and colleague Simon Ou have received a 5-year, $1 million-plus grant from the Air Force Office of Scientific Research to study a type of adaptive cybersecurity called moving-target defense.

In an interview with Information Security Media Group, DeLoach explains a network that employs a moving-target defense would automatically and periodically randomize its configuration through various methods, such as changing the addresses of software applications on the network, switching between instances of the applications and changing the location of critical system data to thwart cyberattackers.

Continued here.

#####

Do you think this moving-target defense will be game changer? Let us know in the comments below. Today’s post pic is from SportsGamesRules.com. See ya!

The NSA has long run the National Center of Academic Excellence (CAE) program in Information Assurance Education (CAE-IAE) and more recently in Research (CAE-R) however they are reaching into new grounds by formalizing a new Cyber Operations (CAE-Cyber) distinction for colleges and universities. We’ve written about the CAE program before … and although it isn’t the be-all end-all, it’s definitely a good place to start if you are considering where to get your undergrad or graduate degrees. For the new CAE-Cyber program so far the NSA has only designated four schools (highlighted below) as meeting its requirements. For locals that are interested in attending participating schools, unfortunately it doesn’t look like any are in the NoVA/DC area. Hopefully, they offer distance learning programs…

via CNet.com

The National Security Agency has chosen the first four universities it will accredit to teach cyber ops programs.

The universities winning the designation Centers of Academic Excellence in Cyber Operations” are Dakota State University, the Naval Postgraduate School, Northeastern University, and the University of Tulsa.

Twenty universities have applied to partner with the federal agency, which said it started the program with an eye toward building a larger reservoir of professionals to support its work in conducting cyber-intelligence operations against adversaries. The interdisciplinary curriculum will include coursework in computer science, computer engineering, and electrical engineering. Some participants will also be invited to NSA seminars.

But this is not the equivalent of spy school. NSA said in a statement that the participating students and faculty members would not participate in U.S. government intelligence activities. Still, government officials have long bemoaned what they see as a pressing need to step up the number — and talent — of people it can choose to staff its myriad cyber espionage posts.

Continued here.

#####

For more information on NSA’s CAE check out their program page. See ya!

So last week we did a post on the whole Facebook password turnover thing. Overall legislation is popping up all over the place at the state and federal level preventing employers from asking for such information. Even though somehow this practice crept into practice at companies, clearly almost everyone is against it.

A lot of people that I’ve spoken with recently around the DC area were pretty much dead against turning over passwords to an employer. The thing that I think makes DC a little different though is that much of our work involves some type of security investigation. That could be anything from a simple background check all the way up to the highest level of clearances. As in the original case that sparked this whole thing off, Robert Collins was asked for his Facebook password as part of his investigative background to check for gang affiliations.

The thing that I haven’t heard much discussion of yet is whether turning over your passwords is required for any of the common clearance processes out there. According to what I’ve heard asking for this type of information hasn’t crept in to the process yet. Many of those that I’ve chatted with were very adamant about turning over their credentials. When I asked if they would cough up the creds if it were required for the clearance process most got pretty quiet.

For many of those around the DC area working for the government (either directly or indirectly), maybe giving up your passwords is only fair in exchange for obtaining a clearance and working on those types of programs. There are perks as well – job security and higher salaries (~20% more) just to name a few. All this talk leads up to the poll for this week.

#####

If there are other answers I may have missed or opinions you want to mention, please add them to the comments below. And as usual let us know if there are other poll questions you’d like to see us ask. Today’s post pic is from CNN.com. See ya!

Huh? First there was the unspoken “O” word. Then it finally started making it’s way into speeches of high-ranking current and former government officials. And now it’s in job posts. Of course a private company actually performing offensive activities would likely be illegal in most cases … although I’m sure there’s a sneaky way around that (e.g., re-terming it as “active defense” or something).” However most likely this person would be serving some government agency in some capacity … so who knows… It’ll be interesting to watch how “offensive” trends in the coming months and years. And with all this press I’m sure NG is getting lots of applications for this position.

via ThreatPost.com (emphasis mine)

Defense giant Northrop Grumman is hiring software engineers to help it carry out “offensive cyberspace operations,” according to a recent job posting.

The job posting, for a “Cyber Software Engineer 2″ appeared on the Website Clearancejobs.com and described a position on a Northrop R&D project to “plan, execute and assess an Offensive Cyberspace Operation (OCO) mission” that would include familiarity with tools like Metasploit and Google Earth and “integration of capabilities such as command linkages, data flows, situation awareness (SA) and command and control (C2) tools.”

Firms like Northrop have repeatedly been the target of sustained and sophisticated attacks from outside agents. Many of those attackers – euphemistically described as “Advanced Persistent Threats” – or APTs – are believed to have links to China and groups working for the People’s Liberation Army (PLA).

A spokeswoman for Northrop Grumman confirmed the validity of the job posting, but declined to elaborate on what Northrop was referring to with the term “Offensive Cyberspace Operations.”

As described, the job appears to be suited to a mid-level software engineer with experience in networking and agile development methodologies using a wide range of software- and Web development platforms, including Java, XML, JMS, PostgreSQL, Javascript and Python. The applicant is also expected to have knowledge of “‘security research’ tools like Metasploit, WorldWind (and) Google Earth,” according to the job posting.

Continued here.

#####

Check the job post out for yourself here. Today’s post pic is from ClearanceJobs.com. See ya!

Ok … so maybe the title is a little off … but it did dampen their revenue … at least some. Specifically, they’ve been loosing $10 a day from us. A few weeks ago I decided to try the whole Google AdWords thing out to help spread the word about NovaInfosec.com. I signed up and muddled around trying to understand everything and after a bit of stumbling around I was able to create an ad. It was nothing big as you can see below.

So at this point I was pretty happy and next went into generating keywords. This activity took a bit but I came up with around 12 keywords that seemed to fit what I was looking for. It did take a while to come up with those 12 keywords though. I started with around three times that but had to remove many since Google indicated they wouldn’t generate any traffic. Mmm? I wonder if they really meant to say it wouldn’t generate revenue for them… Anyway, I logged out and continued my daily routine, content that I might spread word of the site out to a slightly larger audience.

I checked in periodically to see if it was running but no luck. I expected this wait as Google claimed it could take up to three business days to review and start publishing the ad. After five days I called in, chatted with someone, and they flagged my submission to be reviewed ASAP. After about a day I didn’t notice anything so I logged back in and was surprise to find that my ad had been disapproved due to a trademark held for the term “infosec.” Really?

I immediately picked up the phone and called Google to see how this obvious error could be resolved. I find it hard to believe that someone could get a trademark on the single word “infosec.” One note here … when paying Google money for using Adwords I found they offer really easy to find contact info. When I called their automated system almost immediately connected to a nice young lady. I think this shows who their customers really are… Anyway…

As expected this first-tier person – we’ll call her Alice – really couldn’t help me out but recommended that I contact the trademark owner, get permission, and have them submit a special form to Google. So while on the phone I headed over to the USPTO website, loaded up and perused their TESS search engine and there didn’t appeared to be anything relevant.

As you can see above, out of the nine results the search only returned two that were listed as active and they were all phrases … not just a single term “infosec.” I was still on the phone with Alice so I mentioned this discovery. Unfortunately, she just went on with her scripted response saying that I would have to contact the owner of the trademark and have them fill out a “permission” form to resolve the situation. I politely noted to Alice that I cannot contact the owner since the trademark doesn’t exist and inquired if she could tell me who the owner was. Alice noted that she didn’t have access to this information. Not knowing what to do and it being probably near the end of her shift, Alice said that she’d be sending me an email with the contact info to go investigate further.

Well, we’ll see where this goes…

#####

Do you think the term “infosec” should even be trademarkable? Today’s post pic is from JumpFly.com. See ya!

Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter.

Not much is happening this week in terms of meetups. It is a very light week with only one meetup on Tuesday so be sure to check @grecs’  weekend best bets as we might have something that you might be interested in. With that said, here are your meetups for this week and as well as a preview for next week…

This Week

Tuesday (5/22)

• ISACA NCA Meetup - “Annual Meeting of the Chapter Membership” at
  Holiday Inn - Rosslyn at Key Bridge from 7:30 AM to 5:20 PM (more info)

Next Week

And for those who would like to plan ahead, here is a preview of events on our calendar for next week.

• Wednesday: CapSecDC Meetup
• Thursday: CharmSec Meetup

Remember that Baltimore Node, HacDC, Reverse Space, and Unallocated Space are four local hacker spaces that also hold several standard activities each week … so check them out for more fun stuff to do.

And be sure to subscribe to our RSS feed or follow us on Twitter at @novainfosec and @grecs to be alerted about any last-minute events or to receive updates on the meetups listed above. Finally, check out our Calendar for a complete list of infosec events in and around NoVA, DC, and MD.