2 - Mark Ciampa's Blog (Security+ 5e)

    • 4 Oct 2017

    Not So Good with Numbers

    It's 500 million. No, wait, it's 1 billion. Hold on, hold on, it's really 3 billion. There's quite a difference between 500 million and 3 billion. To be exact, that difference is 2,500,000,000. Or, it's a 500 percent increase. For you scientific types, it's 2.5E+09. In terms of money, if you had $2.5 billion you could afford to buy 83,333 cars that cost $30,000 each. Or you could buy a small city...
    • 3 Oct 2017

    Apple iOS 11 Security - Part 2

    Apple recently (Sep 12 2017) announced its new line of phones. The new iPhone X ("ten") has an OLED screen, an additional two hours of battery life, no home button or fingerprint reader, and costs $1,000. There are also updates to its flagship mobile operating system, iOS 11, which includes new features that relate to security (see Sep 27 2017 blog posting). Perhaps the biggest security news concerns Apple's...
    • 27 Sep 2017

    Apple iOS 11 Security - Part 1

    Apple recently (Sep 12 2017) announced the release of new hardware, most notably the Apple iPhone X. (Tech note: "iPhone X" is pronounced as "iPhone ten" (the number) and not "iPhone ks" (the letter)). There were also updates to its flagship mobile operating system, iOS 11. Aside from several significant new features and updates, there are also new iOS 11 features that relate to security....
    • 22 Sep 2017

    Mind-Numbing Equifax Hack

    "Mind-numbing" is defined as something so extreme or intense that it prevents normal thought. And that's the best way to describe news of the recent (Sep 9 2017) Equifax data security breach. And it's mind-numbing on many different levels. First, it's mind-numbing because of the sheer number of individuals that it impacts. About 143 million users have had their personal information stolen from Equifax's...
    • 11 Sep 2017

    Dolphin Attack

    Voice commands given to our smartphones and stand-alone devices are all the rage. Known as "voice command devices" (VCDs), these include Siri, Alexa, Google Assistant, Samsung S Voice, and Bixby. These VCDs listen for our voice commands and then take action. But recent research has found that attackers could issue voice commands to these devices that we cannot hear. Yet the risk seems pretty low. Because...
    • 25 Aug 2017

    Secure Coding (From Upcoming Security+ Guide to Network Security Fundamentals 6th Edition)

    NOTE: The new Security+ SY0-501 exam will be available beginning Wednesday, October 4 from CompTIA. However, this is a “quiet” release of the exam: there will be no general announcements from CompTIA at that time until Monday, October 30, when the official release of the SY0-501 Security+ exam will be announced. During the month of October anyone can take the new exam, but instructors are specifically encouraged...
    • 19 Aug 2017

    It's Not Magic

    Teller, of the famous magic duo Penn & Teller, recently wrote an article for the Wall Street Journal (Aug 5 2017). It's about the tricks he uses to memorize his passwords {Chapter 12 Security+ 5e} from a magician's perspective. In his own words, "As a magician, can I use my tool kit to keep my information safe?" What he said was slightly interesting (and a little mind-numbing). But in the end it's...
    • 15 Aug 2017

    Innocent or Guilty?

    In one of the most bizarre twists in the world of security, the security researcher who neutralized the ransomware {Chapter 2 Security+ 5e} known as Wcry (aka Wannacry) appeared in federal court yesterday (Aug 14 2017) and pleaded not guilty to unrelated criminal charges that he was behind malware that steals banking credentials. What? Is this a criminal who was masquerading as a good guy? Or is it a misunderstanding...
    • 5 Aug 2017

    PasswordManagerIsEssential

    Recently I attended a conference about security. One of the speakers was giving steps for improving security. When he got down to the topic of passwords {Chapter 12 Security+ 5e} he said that password length is more important than complexity. And that's entirely correct. But then he said that the best approach was to take a thesaurus and find four random words. Combine those four words together and voila! You then...
    • 4 Aug 2017

    New CompTIA CPT+ Security Certification

    Yesterday (Aug 3 2017) CompTIA {Chapter 1 Security+ 5e} announced a new security certification. Currently CompTIA offers security certifications in Security+, Cybersecurity Analyst+ (CSA+), and CompTIA Advanced Security Practitioner (CASP). Soon another certification will be added. It will be called the Cybersecurity Penetration Tester+ (CPT) and will certify security professionals in the area of penetration testing...
    • 31 Jul 2017

    Cash for Bugs

    When I was young a summer tradition was to go outside at dusk and catch fireflies ("lightning bugs"). While some people would put the bugs in a glass mason jar to watch them light up, I would always release mine after catching them. But did you know that you can still earn cash for these bugs? That's because the enzymes luciferase and luciferin in lightning bugs are used to detect bacteria contamination in...
    • 27 Jul 2017

    RIP Flash

    That sound you heard on Tuesday (Jul 25 2017) may have come from the security community rejoicing over Adobe's announcement that Flash is finally being phased out. Due to the many, many vulnerabilities it has introduced, security personnel will shed few tears, although for developers and sites that rely on Flash it does leave several questions. Adobe Flash is a multimedia software platform that is used...
    • 20 Jul 2017

    Call Out

    To "call out" means to hold someone accountable for their words or actions. And that's just what a report has done regarding why we are so bad at security. And the one being called out hits very close to home. There are many difficulties in defending against attacks: universally connected devices, increased speed of attacks, greater sophistication of attacks, availability and simplicity of attack tools,...
    • 19 Jul 2017

    Biometrics Update - Part 3

    So far we've seen that biometrics {Chapter 12 Security+ 5e} uses a person's unique physical characteristics, what he or she is. Standard biometrics can use the human retina, fingerprint, voice and iris, and increasingly facial recognition is being used (see Jul 17 2017 blog posting). We've also seen that in China biometrics is increasingly used not for authentication {Chapter 12 Security+ 5e} to verify...
    • 18 Jul 2017

    Biometrics Update - Part 2

    We often associate "biometrics" {Chapter 12 Security+ 5e} with "authentication" {Chapter 12 Security+ 5e} by using a person's unique physical characteristics to verify their genuineness by what he or she is, versus what they have, like a password. Standard biometrics can use several different unique characteristics of a person to authenticate a user. The human retina, fingerprint, voice and iris...
    • 17 Jul 2017

    Biometrics Update - Part 1 (From Upcoming Security+ Guide to Network Security Fundamentals 6th Edition)

    Standard biometrics uses a person's unique physical characteristics for authentication (what he is). Standard biometrics can use several unique characteristics of a person's face, hands, or eyes to authenticate a user. Authentication using standard biometrics can be divided into those that use specialized biometric scanners and those that use standard technology input devices for recognition. SPECIALIZED...
    • 12 Jul 2017

    Ransomware Cripples Hospitals

    The recent spread of the latest variation of ransomware {Chapter 2 Security+ 5e} has had devastating results. How bad was it? Several hospitals and medical centers not only had to cancel procedures, but one hospital is scrapping its entire infected computer network and starting all over again. The ransomware called Petya dates back to 2016, but recently (Jun 27 2017) a variation of Petya, now called "NotPetya,"...
    • 10 Jul 2017

    Skills Gap

    Philadelphia is the largest city in the Commonwealth of Pennsylvania. "Philly" is the economic and cultural centerpiece of what is called the Delaware Valley. Of course, historically it was the focal point in the American Revolution as the place where the Founding Fathers signed the Declaration of Independence in 1776 and the Constitution in 1787. It also served as one of the nation's capitals in the Revolutionary...
    • 6 Jul 2017

    Privacy Update

    In today's ever-connected world, our privacy is certainly a thing of the past. Here's a quick update on what's going on in the world of privacy and what users can do to help protect their privacy. Most users do not take seriously the need for protecting their privacy. A survey asked users if they would give up using a device if it was determined to be a privacy threat. Not surprisingly, only 15 percent of...
    • 5 Jul 2017

    That's Not the Problem

    Suppose you take your car in for repairs because when you turn on the air conditioner there's suddenly a funny noise and it starts blowing hot air. After waiting in the customer service area for hours listening to a TV tuned to daytime programs that you didn't even know existed (or even cared), a service technician finally comes in to talk with you. He says that they found your spare tire was underinflated. Your...
    • 4 Jul 2017

    Antivirus Update (Part 2)

    In Part 1 of our Antivirus (AV) {Chapter 4 Security+ 5e} Update we saw that AV has been in the news lately with claims and counter-claims between the AV vendor Kaspersky Labs and Microsoft, followed by an announcement that the U.S. military may be banned from using software from Kaspersky Labs. The Russian government responded by saying that if Kaspersky is banned in the U.S., then Russia will look elsewhere for buying...
    • 3 Jul 2017

    Antivirus Update (Part 1)

    Antivirus (AV) {Chapter 4 Security+ 5e} has been all over the news lately. So an update of what's going on is in order. In this Part 1 we'll look at recent claims and counter-claims by the AV vendor Kaspersky Labs and Microsoft. And now the federal government has come down on Kaspersky Lab on a different issue, which has prompted a response from the Russian government. Last month (Jun 6 2017) Kaspersky Lab announced...
    • 3 Jul 2017

    Another Cost of Attacks

    Everyone knows that successful attacks today are expensive. But the recent purchase of Yahoo by Verizon illustrated yet another expense of not being protected against attacks. When an attack is successful, the list of the costs is long. There's the cost of downtime: an organization may be unable to conduct normal business because its web servers are infected and unavailable to customers who want to purchase products...
    • 2 Jul 2017

    Upcoming Windows Anti-Ransomware Feature

    Microsoft has just announced a new feature in Windows that is designed to prevent ransomware {Chapter 2 Security+ 6e} from locking up computers. It is actually similar to an old Microsoft feature, and several similar third-party tools are already available for both Windows and Apple macOS. There are still several questions surrounding it, but it may help. This new feature is, in some senses, a combination of two features...
    • 24 Jun 2017

    Reflections on New Security+ SY0-501 Exam

    This past week (Jun 22 2017) I completed work on the final chapter of the new Security+ Guide to Network Security Fundamentals 6e from Cengage. After starting this project earlier this year it has taken the better part of four and one-half months to complete. Although there are still a series of edits to work through, the heavy lifting is now over. This may be a good time to pause and share some reflections on the new...