3 - Mark Ciampa's Blog (Security+ 4e)

    • 12 Aug 2014

    Home Network Devices From ISPs Are Vulnerable

    Almost everyone who has ever dealt with an Internet Service Providers (ISP)--which would be about all of us--know this story all too well. The ISP wants you to lease your home networking equipment from them instead of purchasing it yourself (in many cases ISPs require that you use their equipment). If you are lucky enough that you can use your own equipment, you know that whenever you must call your ISP about a service...
    • 11 Aug 2014

    Updates to Internet Explorer

    Microsoft's Internet Explorer (IE) web browser still has a large chunk of the browser market. NetMarketShare says that IE 8 commands the largest share of the overall web browser market of all web browsers with 21.56% (Google Chrome has 9.08% market share while Mozilla Firefox has 9.27%). However, IE 8 was released back in March 2009 and lacks security features of newer products (the current version is IE 11). And...
    • 8 Aug 2014

    1.2 Billion Passwords Compromised? Really?

    Much media attention has been focused the last few days on a recently-released report that says 1.2 billion user passwords have been amassed by attackers in Russia. But the company that made the claim has not been forthcoming with more clear information about it. All that the company will say is that they have this list and that they'll sell you a service to see if your password has been compromised. On Tuesday...
    • 14 Jul 2014

    Vulnerabilities in Browser-Based Password Management Applications

    Password management applications {Chapter 10 Security+ 4ed} have long been promoted to help users wrestle with keeping their multiple passwords secure. Now security researchers have revealed vulnerabilities in one type of password management applications called browser-based managers {Chapter 10 Security+ 4ed}. First, the background. The weakness of passwords {Chapter 10 Security+ 4ed} is well-known. The problem, of...
    • 9 Jul 2014

    7 and 1

    In a FIFA World Cup semi-final soccer match getting beat by a score of 7 to 1 is astonishing. Also astonishing is that 1 out of every 7 debit cards were exposed due to security breaches in 2013. According to a survey by Discover Financial Services debit cards are very popular today with consumers. On average consumers used their debit card 20 times each month in 2013 (compared to 19 times in 2012) purchasing $8,875...
    • 2 Jul 2014

    Apple's Patch Monday

    Anyone who works with Microsoft Windows knows that the second Tuesday of each month is Patch Tuesday {Chapter 5 Security+ 4ed}, when Microsoft distributes their security patches. This past Monday (Jun 30 2014) Apple had a large Patch Monday addressing a total of 63 security vulnerabilities. Apple's two main operating systems, OS X 10.9.4 (Mavericks) and iOS 7.1.2, had several holes plugged. Mavericks received 19...
    • 26 Jun 2014

    Sharing Wi-Fi

    From an early age we were all taught that there are certain things that should not be shared (toothbrushes and spoons are two such items that immediately come to mind). There are also certain technologies that users have long been discouraged from sharing. Now there is movement that one such technology-- wireless local area networks (WLANs) or Wi-Fi {Chapter 8 Security+ 4ed}--should be freely shared. But this may not...
    • 24 Jun 2014

    Ransom Attacks Racheting Up

    The number of attacks demanding a ransom from organizations are dramatically increasing. And one recent attack shows just how deadly these attacks can be. Vimeo, Feedly, Meetup, Basecamp, Bit.ly, Shutterstock, MailChimp, Move, and Moz have all been victims of attacks demanding ransoms--in just the last month. The attacks start with a distributed denial of service or DDoS {Chapter 3 Security+ 4ed} attack directed at...
    • 13 Jun 2014

    Latest Security Defenses: Carbon Paper and Dial-Up Lines

    Who would have thought that carbon paper and dial-up telephone lines would be able to deter attackers? But that's exactly what one restaurant chain is now turning to. The P.F. Chang's restaurant chain has 204 China Bistro and 170 Pei Wei Asian Dinner restaurants in 23 states. Yesterday (Jun 12 2014) they finally confirmed a rumor that has been circulating for several days that attackers have stolen credit and...
    • 11 Jun 2014

    Cost of Cybercrime

    A new report shows the cost of cybercrime each year. And the numbers are astonishing. The Center for Strategic and International Studies (CSIS), a Washington, D.C.-based think tank, and Intel's McAfee security unit gathered publicly available data collected by government organizations and universities along with interviews with security experts to look at the direct and indirect costs of online attacks. These costs...
    • 9 Jun 2014

    Malvertising

    Phishing, rootkits, zombies, botnets--virtually unheard of just a few years ago--are today part of our everyday information security vocabulary. Now be prepared to add another word to this growing list: "malvertising" (or "malicious advertising"). Malvertising is increasingly becoming a major weapon in the attacker's toolbox. Web-based advertising is in many ways what makes the Internet work...
    • 5 Jun 2014

    End-To-End Influence

    Google's announcement on Tuesday (Jun 3 2014) that they were expanding email encryption for Gmail (see Jun 4 2014 blog posting) is starting to gain traction. Now Comcast has announced that it will work with Google to encrypt email exchanged between their servers. Google's Gmail does its best to encrypt its messages. When users access their Gmail account the web browser connection defaults to using Hypertext...
    • 4 Jun 2014

    Google Chrome End-To-End

    Encryption tools like Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) {Chapter 11 Security+ 4ed} are often used for protecting email messages. However, for many computer users these programs can seem daunting to configure and use. Now Google has announced a product that promises to make email encryption much easier. Although Google uses Hypertext Transport Protocol over Secure Sockets Layer (HTTPS) {Chapter 12...
    • 3 Jun 2014

    Security Job Forecast: Red Hot

    As the calendar now turns into June the summer temperatures will start to soar. In the same way the forecast for jobs in security is likewise turning red hot with no signs of cooling off anytime soon. Consider the demand for security positions. On the government front in late March the U.S. Secretray of Defense announced that the Pentagon wants to triple its cyber-security staff over the next two years by hiring up...
    • 2 Jun 2014

    Apple Security Update

    Today (Jun 2 2014) Apple Computer kicks off its annual Worldwide Developers Conference in San Francisco. Will we hear about iOS 8? Mac OS X 10.10? A new MacBook Air? Apple TV? Maybe an iWatch? But before jumping into Apple's latest product announcements, maybe this is a good time to take a quick look on how Apple is doing with security. Apple has continued to push out security patches {Chapter 5 Security+ 4ed}...
    • 30 May 2014

    TrueCrypt Shuts Down, But Why?

    TrueCrypt {Chapter 11 Security+ 4ed} is one of the best known and widely-respected open source cryptography tools. In a very surprising move, TrueCrypt posted on its web site (truecrypt.sourceforge.net) on Wednesday (May 28 2014) the following message: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues." The site goes on to say that the TrueCrypt page now exists only to help migrate...
    • 29 May 2014

    Windows XP Hack? Too Risky

    A rumor is circulating that a simple registry hack of Windows XP can trick the Microsoft patch management update service {Chapter 5 Security+ 4ed} into delivering patches for this now-discontinued operating system. However, there's no confirmation that it actually works and the risk is far too high. Last month (April 8, 2014) Microsoft ended all support for its Windows XP operating system (see Jan 18 2014...
    • 27 May 2014

    Point-of-Sale Attacks

    The next time you swipe your debit or credit card at a retailer's point-of-sale (PoS) machine to purchase gas, movie tickets, food, or just about anything else you have just used a device that accounted for over 30% of the data security breaches in 2013. And attacks using PoS devices will only continue to grow, as evidenced by a recently-uncovered global PoS operation. Although the Target data breach in December...
    • 23 May 2014

    China Bans Windows 8--For Security?

    China has banned Microsoft Windows 8 due to what it calls "security issues." But it's doubtful that weak security in the operating system is the true reason for this banishment. Last week (May 16 2014) China announced that it would not purchase any computers for government use that had Windows 8 installed. The official Xinhua news agency said the ban was “a move to ensure computer security”...
    • 21 May 2014

    Security and the Law

    One of the reasons for the success of attacks today are universally connected devices {Chapter 1 Security+ 4ed}. It is unthinkable for any technology device—desktop computer, tablet, laptop, or smartphone—not to be connected to the Internet. Although this provides enormous benefits, it also makes it easy for an attacker halfway around world to silently launch an attack against a connected device. This also...
    • 6 May 2014

    Earwax Biometrics

    Yes, it's true. Researchers have conducted studies demonstrating that human earwax could one day be used as a means of authentication {Chapter 10 Security+ 4ed} just like passwords. Earwax (technically known as cerumen) is "a mixture of secretions from specialized sweat glands with fatty materials secreted from sebaceous glands." Using gas chromatography-mass spectrometry techniques for analyzing chemical...
    • 2 May 2014

    Windows XP Support Not Dead

    For several years Microsoft has adamantly maintained that Windows XP will absolutely, positively not be patched after April 8, 2014 (see Jan 18 2014 blog posting). But in a surprising move yesterday (May 1 2014) Microsoft released an emergency patch for a vulnerability in Internet Explorer (IE) and included Windows XP. The IE vulnerability (see Apr 28 2014 blog posting) targets versions 6 through the current version...
    • 1 May 2014

    I'm Here to Help

    Successful attacks today invariably involve both technology and social engineering {Chapter 2 Security+ 4ed}. As evidenced by several recent attacks, one of the most common social engineering tricks is for an attacker to walk in and claim to be from tech support and is here to help. Recently a London gang consisting of a dozen thieves were convicted for two electronic robberies of a London bank. Dean Outram, one of...
    • 29 Apr 2014

    Zero Day Internet Explorer Attack

    On Saturday (Apr 26 2014) Microsoft announced that users of its Internet Explorer (IE) web browser are vulnerable to a new zero day {Chapter 4 Security+ 4ed} attack. It impacts IE versions 6 through the current version 11. Using a vulnerability in Adobe Flash, it allows attackers to bypass both Data Execution Prevention (DEP) {Chapter 3 Security+ 4ed} as well as Address Space Layout Randomization (ASLR), two important...
    • 15 Apr 2014

    New SY0-401 Security+ Exam and Textbook

    Within the next few weeks the new CompTIA SY0-401 Security+ exam is scheduled to be released, and the current SY0-301 exam will expire at the end of 2014. The objectives for this new exam were made available to the general public in December 2013 and can be downloaded from CompTIA at http://certification.comptia.org/getCertified/certifications/security.aspx. So what changes can you expect from this new exam? First...