|
Furism posted:It certainly is a good way to pick up some background knowledge about different aspect of security. Given how many domains there are in the course, you're bound to learn a lot of things. Some of it is boring and abstract (security models), some is amazing (cryptography), but overall I think it's a Good Thing to go through the book even if you don't attempt or pass the actual certification. Note that the exam, being so long (250 questions and up to 6 hours), doesn't really test your technical skill but rather your endurance and ability to regurgitate 800+ pages of content. Not sure how long ago you took it, but they gutted the crypto areas where they test you on thing like AES modes, stream ciphers, 2DES vulns, stuff like that. I took it right at the beginning of the new test and the coursework was still teaching to the old one so I got to review all that stuff anyway, but I don't think they asked anything beyond the names of the people in the RSA acronym. I do agree that its worth doing as a first accreditation in to the field, but something of a bare minimum. The vouching process and experience requirements seems to at least done some good with keeping out the crash-course cert mill stuff.
|
#
?
Mar 29, 2017 14:23
|
|
|
|
| # ? Apr 29, 2024 07:57 |
|
|
BangersInMyKnickers posted:Not sure how long ago you took it, but they gutted the crypto areas where they test you on thing like AES modes, stream ciphers, 2DES vulns, stuff like that. I took it right at the beginning of the new test and the coursework was still teaching to the old one so I got to review all that stuff anyway, but I don't think they asked anything beyond the names of the people in the RSA acronym. The crypto stuff I got was more in line with how digital signatures work, what type of encryption is used for what, AH/ESP, etc...
|
|
#
?
Mar 29, 2017 16:53
|
|
|
Furism posted:It certainly is a good way to pick up some background knowledge about different aspect of security. Given how many domains there are in the course, you're bound to learn a lot of things. Some of it is boring and abstract (security models), some is amazing (cryptography), but overall I think it's a Good Thing to go through the book even if you don't attempt or pass the actual certification. Note that the exam, being so long (250 questions and up to 6 hours), doesn't really test your technical skill but rather your endurance and ability to regurgitate 800+ pages of content. Great. Thanks. I am just looking to get some more certs on my resume/CV right now. Most of the material I'm very familiar with after reviewing it and doing some practice tests, but I just didn't know if CISSP was a trap or something I should avoid.
|
|
#
?
Mar 29, 2017 17:29
|
|
|
CISSP is quickly becoming a paper tiger cert imo, the material you learn is good but the cert itself is vastly overblown. If there's any way you can afford it, or get your company to pay for it, do a SANS course/cert. They're stupid stupid expensive.
|
|
#
?
Mar 29, 2017 17:33
|
|
|
Well this will be fun: https://boingboing.net/2017/03/24/symantec-considered-harmful.html Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities
|
|
#
?
Mar 29, 2017 17:46
|
|
|
CLAM DOWN posted:CISSP is quickly becoming a paper tiger cert imo, the material you learn is good but the cert itself is vastly overblown. If there's any way you can afford it, or get your company to pay for it, do a SANS course/cert. They're stupid stupid expensive. Technical chops (or managerial in the case of CISSP) should always get vetted during the actual interview process.
|
|
#
?
Mar 29, 2017 17:50
|
|
|
Diva Cupcake posted:It's been around forever and its usefulness hasn't really changed. Any multiple choice cert's value is always going to be with the opportunity it grants you via HR and recruiter filters, and the CISSP is one hell of an HR checkbox, especially if you work in DoD 8570 industries. I don't know what a "DoD 8570 industry" is, when we interview we do notice if you have a CISSP but it's not a filter in any way, and all it means is that you'd better know what you're fuckin talking about when we ask you security questions.
|
|
#
?
Mar 29, 2017 17:56
|
|
|
CLAM DOWN posted:I don't know what a "DoD 8570 industry" is, when we interview we do notice if you have a CISSP but it's not a filter in any way, and all it means is that you'd better know what you're fuckin talking about when we ask you security questions. http://iase.disa.mil/iawip/Pages/iabaseline.aspx
|
|
#
?
Mar 29, 2017 18:04
|
|
|
Diva Cupcake posted:8570 is a directive that you literally cannot be allowed to work in a certain capacity within the DoD without applicable certifications. It applies to DoD contractors as well. The list itself is arbitrary and mostly worthless and you'll laugh at the groupings. The CISSP covers just about anything decent though. Oh wow, that's insane holy poo poo. That's completely arbitrary and worthless.
|
|
#
?
Mar 29, 2017 18:11
|
|
|
CLAM DOWN posted:Oh wow, that's insane holy poo poo. That's completely arbitrary and worthless. Not really? It's requiring employees and contractors with access to administrative credentials to have passed a minimal level of certification. Is it perfect? No, but neither is making someone sit through a course that they can ignore. I mean, I don't think Security+ or the CISSP are super useful, but there is something to be said for hammering basic security knowledge into the IT workforce. And one way to do that is the force people to actually prove that they've at least spent time brain dumping a proctored cert. psydude fucked around with this message at 19:12 on Mar 29, 2017 |
|
#
?
Mar 29, 2017 19:09
|
|
|
Mustache Ride posted:Well this will be fun: https://boingboing.net/2017/03/24/symantec-considered-harmful.html Should note that the reduction of trust will be a gradual change across several Chrome releases, so that 30% of the web has some time to get their poo poo together.
|
|
#
?
Mar 29, 2017 19:14
|
|
|
CLAM DOWN posted:Oh wow, that's insane holy poo poo. That's completely arbitrary and worthless. You're clearly not DoD material then.
|
|
#
?
Mar 29, 2017 20:34
|
|
|
hobbesmaster posted:You're clearly not DoD material then. Thank god
|
|
#
?
Mar 29, 2017 20:37
|
|
|
BangersInMyKnickers posted:the names of the people in the RSA acronym. Wow that is a totally relevant fact that a security expert needs to know. I mean, I expect dumb crap like that to be on there, but I still hate it.
|
|
#
?
Mar 29, 2017 21:46
|
|
|
Guy Axlerod posted:Wow that is a totally relevant fact that a security expert needs to know. A security researcher should. Of course neglecting the "putting you on the spot" factor where you've even forgotten your own name.
|
|
#
?
Mar 29, 2017 22:03
|
|
|
Guy Axlerod posted:Wow that is a totally relevant fact that a security expert needs to know. 
|
|
#
?
Mar 30, 2017 17:15
|
|
|
hobbesmaster posted:A security researcher should. I have security researched that it stands for Rivest, Shamir, and Adleman
|
|
#
?
Mar 31, 2017 04:55
|
|
|
skull mask mcgee posted:Should note that the reduction of trust will be a gradual change across several Chrome releases, so that 30% of the web has some time to get their poo poo together. That's for the validity periods. The main sanction is refusing to accept EV certificates as EV, which takes effect "immediately" (i.e. once the proposal gets accepted, the bug report gets made, and the pull requests go through, it will show up in Beta). If you aren't buying EV certificates, you might as well be using Let's Encrypt.
|
|
#
?
Mar 31, 2017 07:43
|
|
|
Cup Runneth Over posted:I have security researched that it stands for Rivest, Shamir, and Adleman Yeah, that was a weird statement. As a "security researcher", I'd be more concerned with you knowing the mechanism of RSA than who loving invented it because who cares.
|
|
#
?
Mar 31, 2017 14:16
|
|
|
attribution is hard
|
|
#
?
Mar 31, 2017 14:19
|
|
|
flosofl posted:Yeah, that was a weird statement. You pay zero attention to who authors the papers you read? 
|
|
#
?
Mar 31, 2017 14:25
|
|
|
hobbesmaster posted:You pay zero attention to who authors the papers you read? lol if you haven't followed the updated implementation guide by Riivast, Shämor & Aedlemon in collaboration with NIIST.
|
|
#
?
Mar 31, 2017 14:57
|
|
|
hobbesmaster posted:You pay zero attention to who authors the papers you read? Jesus Christ goons, the discussion was in the context of getting a certification.
|
|
#
?
Mar 31, 2017 19:04
|
|
|
I guess I don't see why its not unreasonable to want people to know this? In my world for example we use algorithms that we call like "GMRES" or whatever and I'm pretty sure every single person that does anything in this field could tell you that it stood for "generalized minimal residual method", and I would hope that 99% of them could tell you that it's a Krylov subspace method and explain how those methods work. I would also hope that most people could tell you it was developed by Saad and Schultz. I dunno, I think you should know both how the mechanisms work and how/who it came from?
|
|
#
?
Apr 2, 2017 09:07
|
|
|
I can understand why someone actively developing something would like to think that everyone knows who the author of something is. You know, the innate appeal of leaving a legacy and having people know Who You Are. To be totally honest though, beyond having a standardized name that you can say and have other people in the field know what you're talking about, no-one actually gives a poo poo. If you're looking at new work from a particular person, then yeah, you'll look at whatever old stuff they've done (it gives them credibility, and tells you where they're coming from as far as this particular paper), but knowing that, say, RC4 was developed by Ron Rivest isn't exactly relevant as far as making use of it in practice.
|
|
#
?
Apr 2, 2017 12:21
|
|
|
Also getting certified doesn't mean you actually know it. Ask me in a year and I'll probably have forgotten. Because, you know, I don't use that knowledge.
|
|
#
?
Apr 2, 2017 17:44
|
|
|
This is so drat cool.quote:A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/ https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c1 https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html The Project Zero blog entry is fantastic and incredibly in depth, highly recommend a read. ps: 
|
|
#
?
Apr 6, 2017 01:12
|
|
|
Project Zero is just so loving cool in general. It must be such an interesting place to work.
|
|
#
?
Apr 6, 2017 01:53
|
|
|
Yeah, but if mask probing feature is turned on (and you don't use WiFi in public) you should be OK. The attack needs a valid MAC to start, and by default iOS and Android don't use actual radio MAC for probes. The only way an attacker is going to get your valid MAC is if you actually associate with a WLAN where the attacker can see it. I'm not saying it's not a big deal, because this is huge and a cool PoC. It's just not quite as dangerous as walking down the street and *BANG* you're owned. Unless of course you habitually connect to public WiFi or other Not My House WLANs automatically.
|
|
#
?
Apr 6, 2017 02:03
|
|
|
flosofl posted:. Unless of course you habitually connect to public WiFi or other Not My House WLANs automatically. I think you're underestimating how many people do this. Public/free wifi is ubiquitous, and people use it as much as possible.
|
|
#
?
Apr 6, 2017 02:19
|
|
|
MAC addresses are hella leaky. AFAIK both iOS and Android do their MAC masking in the same way - if they suspect they're no where near their home they randomise (i.e. locked and not on wifi) - if they want to find their home AP they broadcast their MAC - this includes all the time you have it in your hand using it. This will mean most people can have their actual MAC pulled from the air pretty regularly. It's a big deal.
|
|
#
?
Apr 6, 2017 02:23
|
|
|
CLAM DOWN posted:I think you're underestimating how many people do this. Public/free wifi is ubiquitous, and people use it as much as possible. Oh, no I agree. This is bad, I was talking more for the audience in this thread. I don't even connect to my work's corporate WLAN they have set up specifically for BYOD since I have an unlimited data plan now and things like my calendar and emails and whatnot are all available in the  But it's definitely going to be a target rich environment. Khablam posted:MAC addresses are hella leaky. AFAIK both iOS and Android do their MAC masking in the same way - if they suspect they're no where near their home they randomise (i.e. locked and not on wifi) - if they want to find their home AP they broadcast their MAC - this includes all the time you have it in your hand using it. This will mean most people can have their actual MAC pulled from the air pretty regularly. I know it's the Reg, but it has some good info in this article. https://www.theregister.co.uk/2017/03/10/mac_address_randomization/ quote:Apple, meanwhile, fared better in terms of effort, though not results. "Apple is the closest to being pretty good," Mayberry said, but noted that Apple devices, despite the advantage of hardware consistency, are still vulnerable to an RTS (Request to Send) attack. Sending RTS frames to an Apple phone forces the device to reveal its global unique MAC address, rather than the randomized one normally presented to the hotspot. Welp. Apparently, it acknowledges frames sent to whatever randomized MAC it's currently using without being associated. Which is part of the spec, so... (RTS/CTS needs to loving die. Remember broadcast storms in shared medium networks? Well, wireless networks get RTS floods, or Deauth floods, especially in environments with heavy churn like retail where everyone is juuuuust on the edge of coverage. But that would require a whole new architecture and bigger brains than mine) Proteus Jones fucked around with this message at 02:39 on Apr 6, 2017 |
|
#
?
Apr 6, 2017 02:25
|
|
|
Oh yeah for sure, I'm reasonably sure that most regulars here are at least a little careful of which wifi networks they join, but for 99% of users, welp. That Project Zero writeup really is superb, I would kill to sit down with some of those guys and chat.
|
|
#
?
Apr 6, 2017 02:35
|
|
|
Kill all IoT, burn it the gently caress down from ground up. http://mashable.com/2017/04/05/garadget-bad-review-bricked/
|
|
#
?
Apr 6, 2017 12:04
|
|
|
How much "know what you're buying and who you're buying it from" applies here? Seriously curious. It's an Indegogo project, not a large mfg.'s product. How does the thread feel about licensee vs. operator rights/etc.? I think I get that those lovely little projects, their existence, is growing an unregulated ecosystem of trouble. I enjoy reading this thread but have little to contribute topically, but I'm curious about this.
|
|
#
?
Apr 7, 2017 16:18
|
|
|
I read this thread because of how little I know about infosec and try to glean what I can. For me, IoT is like that undercoating you didn't want on your car, except that it also breaks your car's functionality, has security holes that let people roll down the windows to access its interior trouble-free or stop the engine remotely, and if it works properly at all, mostly just allows a megacorporation to vacuum your supposedly anonymized driving metadata into its gigantic profile crunching interior, which will eventually be stolen by Russian hackers and then stolen back by the NSA or something, which eventually links you to a terrorist group.
|
|
#
?
Apr 7, 2017 18:03
|
|
|
There are good IoT devices. We mostly hear about the bad ones - and there are many of them. Problem is you don't always know beforehand. Until companies who come up with devices with poor/no security get away with it this will continue. There should be sanctions for not providing due care or failing to follow best security practices. This should be legally similar to handling PII.
|
|
#
?
Apr 7, 2017 18:08
|
|
|
I totally agree. IoT is not inherently bad, it's just really easy to get wrong. Unfortunately it's also cheaper to get wrong in a lot of ways and consumers generally have no easy way to tell the good ones apart when they're looking to buy, so until getting it wrong starts costing the vendors money in the long term there'll be a constant stream of bad devices. If this bricker worm hits enough devices that are under some kind of warranty coverage it might actually help the situation by costing the vendors a lot there, but I suspect it'll take actual legal liability to really have an impact and I doubt that's going to happen any time soon (at least in the US). wolrah fucked around with this message at 19:39 on Apr 7, 2017 |
|
#
?
Apr 7, 2017 19:36
|
|
|
I think the biggest problem with IoT is the mentality of "always connected, all the time" with no backup plan for what happens if that connection goes down (as it always has and always will). We've seen loss of connection lead to flooded houses, starving pets, unopenable doors, and useless light fixtures/appliances. Anything connected to the IoT should also work if it's disconnected from the IoT, even if it's less convenient or has more limited options. For instance, for the pet feeder, there's really no excuse for not storing those settings locally so the device continues to function when it loses connection. It shouldn't have to pull them from the network all the time.
|
|
#
?
Apr 7, 2017 21:54
|
|
|
|
| # ? Apr 29, 2024 07:57 |
|
|
There's a lot of IoT that is just some dumb board being told what to do by AWS Lambda functions, which are great for learning but yes, the product needs to have some logic in there as well. If you have a thermostat that you can control via your phone then when you're at home the control path for that device shouldn't be to use the app to change something on a web service and then wait for the thermostat to retrieve it.
|
|
#
?
Apr 7, 2017 22:00
|
|
