Thoughts & Tips For August 2018

(Picture from RawPixel)

Thrown For A Curve (Update)

See July update for my first report on my recent lower back injury with sciatica down my left leg.  Things are improving, but I'm still having numbness on my left foot and periodic spasms & tightening on my calf and glute muscles.  A review of my MRI with an orthopedic surgeon opened up the possibility of future surgery but that is still TBD.

Technology

I was able to move to Windows 10 on a new Dell tablet at work before the end-of-June 2018 deadline.  All in all it is working great, and I like having Type-C connectors on both my work tablet and my personal HP Chromebook 13 G1. For instance, the same power adapter can be used on both.

Thankful For

Our July camping trip to San Elijo State Beach was awesome, and I did my first Sprint Triathlon (400m swim, 15-km bike, and 5-km run). I really enjoyed the sprint triathlon format even with my "physical recovery" slowing me down.  I'm already planning to do another one in September.

Future

I completed another Vital Smarts' 1-day Getting Things Done (GTD) class in July.  I currently only have material available for two more classes -- one in August, and then one in September.

DEFCON is coming up in August.  That should be fun.

We have another San Elijo State Beach camping trip planned for August.

Tips

I've been using some cream with Arnica on my sore muscles.  It is really good.

Quote I'm Thinking About

"The enemy often tries to make us attempt and start many projects so that we will be overwhelmed with too many tasks, and therefore achieve nothing and leave everything unfinished. Sometimes he even suggests the wish to undertake some excellent work that he foresees we will never accomplish. This is to distract us from the prosecution of some less excellent work that we would have easily completed. He does not care how many plans and beginnings we make, provided nothing is finished." - St. Francis de Sales


How I Studied For & Passed The CISSP

I got asked the other day at work about how I studied to pass the Certified Information Systems Security Professional (CISSP) exam back in Dec 2011. While I was relaying my experience, I made a few notes, and I figured it would be good to document the endeavor in a blog post.


I think my main advantage was that I was able to get access to the SANS Management 414 class via their self-study content using training dollars from work [direct link for more info].  While expensive, the 'do it on your own time' offering was much better for me than going to a class (which can also be expensive).

One of the other key features that I liked about the self-study offering was that there were separate MP3s of all the sessions plus the online course review material.  This allowed me to binge-listen to the audio content during my daily exercise, drives in the car, and while on travel (which happened about 5 times during my prep time before the test). The only bad news about all this 'listening' is that when I have a CISSP-related nightmare I still hear Dr. Eric Cole's voice.

The package included printed slides for all the material (synced online to the audio feed), covering the ten domains:

  • Domain 1 - Information Security Governance & Risk Management
  • Domain 2 - Access Controls
  • Domain 3 - Cryptography
  • Domain 4 - Physical Security
  • Domain 5 - Systems Architecture & Design
  • Domain 6 - Business Continuity & Disaster Recovery Planning
  • Domain 7 - Telecommunications & Network Security
  • Domain 8 - Application Security
  • Domain 9 - Operations Security
  • Domain 10 - Legal, Regulations, Compliance, & Investigation

It also came with a copy of the book "CISSP Study Guide" by Eric Conrad, Seth Misenar, and Joshua Feldman. Also included was a series of pre-tests, both online and on paper, and then a full practice test that was online.

Other books I used for reference included:

Once I went through all the material one time via MP3/slides, I then determined when there was a test sitting about 16 weeks/4 months in the future and signed up for that one.  I found it very useful to have a target date on the calendar to motivate me to block out time for studying.  I then spent every Off-Friday from work and ~4 hours each Saturday and Sunday studying the material up to the test week.  The test was on a Tuesday, and I pretty much studied full time Friday, Saturday, Sunday, and Monday before the test.  If my math is correct, that was about 250 hours of studying (not including the MP3 material, which I continued listening to during my exercise, driving, etc. right up to the test).

In addition to the study reference material above, I also took a great many practice tests.  If there was a test I could take, I took it. My previous experience getting a Windows OS certification and Security+ was that there was a ton of value in reviewing as many questions as possible. This turned into pretty detailed stats tracking on how I was doing and where I needed extra focus.  Here is the "final" view of the spreadsheet tracker I set up in Google Docs:

[Screenshots: CISSP test tracking spreadsheet, parts 1 and 2]

The other thing that really helped was that I turned any question I missed on any of the tests I took into a 3x5 study card.  I also kept the cards organized by the 10 major topic areas of the CISSP.  This helped me really focus on studying the areas that needed the most work.  By the end I'm pretty sure I had 400 cards, and on the day of the test all I did beforehand was drill through those cards.

What about the actual test?  Yes, it was very hard. Definitely the hardest test I've ever taken. I was the last one to leave taking up all but the last 5 minutes before the scheduled end time.  I don't know how well I did other than I passed.  And since that was the goal -- mission accomplished!

If you have any additional questions, comments, etc. then please let me know.

[Originally written on 2/24/2012 but updated 2/23/3014]


Tip - Subscribing to Twitter Accounts in Google Reader

NOTE: As of October 16, 2012 the official Twitter API turned off RSS options per this article.  What I wrote here doesn't work anymore.

I personally like keeping track of some Twitter accounts (especially security-related ones) using Google Reader.  Unfortunately, I've found lately that Twitter keeps changing its RSS URLs, and getting subscribed without errors can be hit and miss.

Here is my understanding of the current format as of this posting ...

If you have a Twitter account like @johnswayer that you want to follow in Google Reader, take the following base URL (twitter.com/statuses/user_timeline/) and append <twittername>.rss -- for example:

"https://twitter.com/statuses/user_timeline/" + "johnhsawyer.rss"

Becomes:

 "https://twitter.com/statuses/user_timeline/johnhsawyer.rss"

And use that as the subscribe URL.  I usually use a text editor to do this (Notepad+ on Windows or TextWrangler on Mac).

Did I get this right? Did Twitter change this already? Is there a better way?  Leave a comment or send me email and I'll update this post.



Tech Tracking #001 - New News, Mobile, Video, Security, Books, Training, Etc

Here are some new items I am tracking --


Safer Browsing with Google Chrome - No JavaScript (Unless Authorized)

One of the lessons learned from attending DEFCON 18 was that, as a Firefox user, running NoScript was highly recommended. Many of the presenters who were talking about Internet browser vulnerabilities mentioned NoScript as a defensive tool to help mitigate the risks they were discussing in their presentations.

While I still use Firefox with NoScript a lot, I have also been using Google's Chrome browser more and more, running on Mac, Windows & Ubuntu.  There is no NoScript version for Chrome, but you can turn JavaScript off by default via:

  1. Options (aka Preferences)
  2. Under the Hood tab
  3. Privacy > Content Settings ... button
  4. JavaScript tab
  5. Do not allow any site to run JavaScript
  6. Close button

Once you have turned it off, a 'no JavaScript' icon shows up on the far right-hand side of the address box on the first site you hit that uses JavaScript:

[Screenshot: Chrome 'no JavaScript' icon in the address box]

You can now click on that icon and add the specific sites you frequent and trust to the allowed list. You'll need to reload the page to get the exception registered so that the page displays and functions as the publisher expected.  Here is what Hulu.com says if you go there without JavaScript turned on:

[Screenshot: Hulu.com's "JavaScript is disabled" message]

IMHO, this is better than running JavaScript on every site you visit by default.  The best security practice is now to allow JavaScript only on sites you know and trust.  Not perfect, but better than the alternative.

P.S. If you use Chrome's Incognito feature with JavaScript turned off, there appears to be no way to turn JavaScript on for specific sites while in Incognito mode, except for those already in your approved list.
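The same default-deny-with-allow-list posture can also be pinned with Chrome's managed policies, so the setting survives profile resets and can't be silently flipped back per site. This is an added example, not part of the original post; it assumes an enterprise-managed Chrome install (on Linux, a JSON file under /etc/opt/chrome/policies/managed/; on Windows the same keys live in the registry under Chrome's policy key). DefaultJavaScriptSetting 1 is the browser's out-of-the-box "allow everywhere"; 2 blocks by default, and JavaScriptAllowedForUrls carries the trusted exceptions. The host patterns are constructed placeholders (Hulu is the site mentioned above):

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "[*.]hulu.com",
    "https://intranet.example.com"
  ]
}
```

The "[*.]" prefix matches the domain and all its subdomains; omit it to pin a single host. Because policy entries win over per-site clicks on the icon, a site that is not in the list stays blocked even if a user tries to allow it from the address-box prompt.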


Learn Some Hacker Skills Online from SANS & Paul Asadoorian

Fellow FriendsInTech.com member Paul Asadoorian is presenting two upcoming SANS@Home courses:

Metasploit is a fantastic tool for testing your network and applications.  Come learn about all of its new features! You can use  discount code "PaulDotCom" and save 20%!


TSA Travel Woes - Post A Comment To Their Blog

I just found out that the Transportation Security Administration (TSA) is now officially blogging (started Jan. 30, 2008) and is accepting comments on their blog posts.

The blog is called "Evolution of Security" and can be found at: http://www.tsa.dhs.gov/blog.

If you run into trouble or maybe have a great experience, then make sure you use this resource to give them some feedback.


Some New Cold War History Recommendations

I am a big history buff. I am particularly interested in stories about World War II and The Cold War. 

I came across a bunch of recently released Central Intelligence Agency (CIA) docs at the Federation of American Scientists (FAS.org):

  • "The Secret War in Korea, June 1950 to June 1952," March 1964 [pdf]
  • "Record of Paramilitary Action Against the Castro Government of Cuba, 17 March 1960 - May 1961," May 1961 [pdf]
  • "The Evolution of Ground Paramilitary Activities at the Staff Level, October 1949-September 1955," November 1968 [pdf]
  • "The Berlin Tunnel Operation, 1952-1956," 24 June 1968 [pdf]

They all have some pretty interesting information in them.  I am fascinated by considering what the redacted parts contain.

The Cold War has many different angles and perspectives. One of the other resources that is really interesting is from Tony Kahn over at WGBH's Morning Stories podcast.  Tony produced the following series called "BlackListed" (RSS):

In October 1947, the House Un-American Activities Committee opened its hearing into Communist influence in the movie business and promptly denounced 19 prominent directors, producers, screenwriters, and actors as enemies of the state. One of them was Hollywood screenwriter Gordon Kahn, whose films include All Quiet on the Western Front and The African Queen.
    
In this six-part personal history of the Hollywood Blacklist, Gordon Kahn's son, Morning Stories producer Tony Kahn, tells the story of his father's 15 years of persecution and the fear that followed him, his family, and thousands of other Americans for being accused of having the wrong political ideas.

I have currently listened to three of the six podcasts, and I am really enjoying this very well produced audio program.  No matter what your political views, this is a podcast that should not be missed.


Windows Mobile 6 Tip - Specific Ports for IMAP, SMTP, Etc.

One of the main reasons for moving to the AT&T Tilt was for the 'faster' network options (3G/UMTS/HSDPA), plus Windows Mobile 6 was supposed to address a port mapping bug I've had on the Cingular 8125.

Our IMAP/SMTP services at work use non-standard ports for SSL/TLS connections, and you could not apparently assign these to non-standard ports with previous versions of Windows Mobile or PocketPC without doing some registry hacks.

Now, with Windows Mobile 6 you can successfully append the port you want to connect to onto the hostname of the machine you are connecting to.  If your SMTP service is listening on port "444" and your SMTP server is called "smtp.mycompany.net", then the setting in the Mail setup is "smtp.mycompany.net:444" (without the " quotes).

This tip should help others that might run into a problem with Google's new GMAIL IMAP support.

P.S. It appears that the AT&T Tilt is also referenced by AT&T as the 8925.  The unit is made by HTC that has a family of very similar if not exact models that go by 'TyTn II' and 'Kaiser.'


Taking Something On Purpose By Being "Clever" Is Still Stealing

I was just reading through Bruce Schneier's latest newsletter, published on September 15, 2007, and it had this article:

Getting Free Food at a Fast-Food Drive-In

It's easy.  Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food.  This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food.  The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window.  Tell the clerk that you forgot your money and didn't order anything.  Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit.  Basically, it's a synchronization attack.  By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix.  The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food.  Or the second window could demand to see the receipt.  Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer.  But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.

http://www.youtube.com/watch?v=T1jgYPsvsrA

While it is a 'clever exploit', taking something purposely without paying for it is still stealing, and stealing is illegal.