Saturday, December 31, 2016

2016 InfoSec Tweet Awards

Welcome back good reader.  This year marks the 5th Annual InfoSec Tweets Awards!  It's hard to believe I've been doing this for half a decade.

In 2016 I reduced the number of accounts I follow and I'm not as obsessive about reading every tweet, but there were still plenty of gems to choose from.

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes").  As always, categories are completely arbitrary and I make them up as I go along...


Best Tweet Inspired by a TV Show

Best Tweet Inspired by a Movie

Best Tweet About CISSPs

Best Tweet About Auditors

Best Tweet About DevOps

Best Tweet About A Text Editor

Best Tweet About Education in InfoSec

Best Tweet About Skill Shortage in InfoSec

Best Tweet About Travel (tie)


Best Tweet About Dating in InfoSec (tie)



Best "Threat Landscape" Tweet

Best Poem in a Tweet

Best InfoSec Analogy in a Tweet

Best Tweet Telling It Like It Is


Well, that's a wrap for 2016.  I know this year has sucked for a lot of you.  We've lost loved ones and those who inspire us, but this does not diminish the impact they've had on our lives and the people we are because of them. With that said, on this New Year's Eve, let us celebrate the good things in our lives and cherish those who are still with us.  I wish you all health and happiness in 2017 and hope to see many of you soon.  

Happy New Year!




Friday, December 30, 2016

Defeating the Rebellion with Security Controls: A Star Wars Story

The weekend Rogue One: A Star Wars Story was released, a conversation started on Twitter discussing the missteps made by the Empire which inevitably led to the theft of the Death Star plans.  To avoid spoiling the movie for everyone, Wolf Goerlich (@jwgoerlich) and I moved the conversation to direct messages.  He has since posted two great videos, "Rogue One and InfoSec" Part 1 & Part 2.  You can find them on his informative YouTube series, Stuck In Traffic with Wolf Goerlich.

What follows are my thoughts on the controls the Empire could have implemented to thwart the Rebellion.


*** WARNING: SPOILERS AHEAD *** 

Prohibit BYOD (Bring Your Own Droid)

From R2-D2 to BB-8 it seems everyone has their own personal droids in the Star Wars universe.  Most are designed for a specific task (Astromechs, Protocol Droids, etc.) but all are capable of storing large quantities of data and many are equipped with universal Scomp Links or computer interface arms that allow them to access any computer terminal.  Had the Empire prohibited BYOD and implemented network access controls, unauthorized assets (droids) would have been unable to connect to computer terminals in the first place.

Design Review

In Rogue One, Galen Erso is the unwilling head of the Kyber Crystal Research Team working on the Death Star.  In this role he was able to architect a flaw in the reactor that would lead to its destruction during the Battle of Yavin.  In the movie, a holo-recording of Erso recounted how he had made himself indispensable, "all the while laying the groundwork for revenge."  He accomplished this by, "placing a weakness deep within the system, a flaw so small and powerful that they will never find it."

The construction of the Death Star was a massive undertaking, one executed with military precision.  This should have included extensive reviews of the initial design as well as architectural, electrical, mechanical (and crystalic?) inspections during construction.  Appropriate checks and balances would have prevented this flaw from being introduced.


Asset Management and Clearance Code Revocation

During the escape from Eadu the rebels steal an Imperial cargo shuttle.  This ship contains clearance codes that allow them to pass through the shield gate and land on Scarif.  Chronologically this may be the first time this tactic was used, but as we have seen in Return of the Jedi, the Rebel Alliance would later steal a shuttle in order to bypass the deflector shield and land on the forest moon of Endor.  Had the Empire implemented better asset management they would have known these shuttles were stolen and could have revoked the clearance codes.  The Empire may have even gone one step further by implementing a system that would allow them to remotely disable the engines on stolen starships.

Two-Factor Authentication

Upon gaining entrance to the citadel tower (simply by donning stolen uniforms) Jyn and Cassian access the data vault by placing the hand of an unconscious officer on a biometric pad.  Some argue that biometric authentication is better than a password, but a biometric is something you are, and as this scene shows it can be presented without its owner's cooperation.  A password is something you know, and an unconscious officer cannot supply one.  By requiring a combination of the two, the Empire could have prevented access to its sensitive proprietary information.

Data Encryption 

Once inside the data vault, Jyn and Cassian were met with a six story shaft containing a spire filled with "data tapes".  The design is reminiscent of a StorageTek 4400 ACS tape library. Following the identification of the correct tape and Jyn's harrowing escape, she makes her way to the satellite dish in order to transmit the plans to the Rebel Fleet.  Once received, the data is transferred to several different forms of media before finally landing in the hands of Princess Leia who included them with her message to Obi-Wan Kenobi inside R2-D2.  Had the Empire encrypted this data the rebellion would have likely ended on Scarif, the Battle of Yavin would never have taken place, and the Death Star would have gone on to destroy countless other planets.

Final Note 

While it's easy to point out the shortcomings of the Empire, the lack of controls is all too prevalent in the real world.  There are plenty of reasons these controls might not have been implemented.  The Death Star was a massive undertaking.  It is possible that all resources were diverted to its construction and any budget for controls was denied.  Perhaps in a galaxy far, far away there exists an InfoSec skill shortage.  Lastly, it could be the culture of arrogance that was prevalent throughout the Empire.  After all, who could hack the all-powerful Galactic Empire?


Thursday, January 14, 2016

Breaking Into Security: A Compendium

Like most Information Security practitioners, I am frequently contacted for advice on breaking into this industry.  Rather than write yet another blog post on the subject, I thought it would be more beneficial to collect a variety of quality posts covering different aspects of the industry and provide them as a quick and easy reference.

In reverse chronological order:

Starting an InfoSec Career – The Megamix   Lesley Carhart (@hacks4pancakes)
If you have no idea where to start then begin here.  Hacks4pancakes has done an amazing job and her "Megamix" is probably the most comprehensive series of articles on breaking into security.
How to become a pentester   Peter Van Eeckhoutte (@corelanc0d3r)
Corelanc0d3r is the go-to guy for training when it comes to exploit development.  He has written an extensive post covering time, effort, and the general mind set of a pentester.  He also provides links to resources and a list of companies willing to hire inexperienced pentesters.
20 of the Most Misguided Beliefs About InfoSec   David Spark (@dspark)
While this is not technically a "how to break into security" post it does debunk a lot of common misconceptions about security which can be just as valuable when starting your career in InfoSec.  
Answers on how to get started in Security   Chris Gates (@carnal0wnage)
Chris provides sound advice on getting started in pentesting, but the best part of this post is the list of book recommendations sorted by area of focus (pentesting, netsec, webappsec, social engineering and physsec/redteam)
Finding And Using A Mentor   Wolf Goerlich (@jwgoerlich)
In Wolf's blog post he expands upon a recent Forbes article on mentorship and provides the InfoSec perspective on finding and benefiting from a mentor.  He's also recently posted a Career Advice Video (available here).
How to Build a Successful Information Security Career   Daniel Miessler (@DanielMiessler)
Dan's post includes the usual advice for starting out but also addresses the areas in which you will need to grow as your career progresses.
Education & InfoSec   Steven Maske [me] (@ITSecurity)
This was my personal take on all the different ways you can learn our trade.
Hack the Hustle! [Video]   Eve Adams (@HackerHuntress)
Think you know how to write an InfoSec resume?  Are you sure?  Find out from a respected technical recruiter who understands the needs of our industry.

Thoughts On Being Asked “How Do I Get Into INFOSEC?”   Scot Terban (@Krypt3ia)
A (surprisingly calm) reality check from my favorite security curmudgeon.  Read this for an idea of the expectations that you will face IRL. TL;DR: InfoSec is not for those without dedication. 
How To Break Into Security   Brian Krebs (@briankrebs)
If you don't know who Brian Krebs is, you will.  He is one of the more well known reporters in our industry and his site, Krebs on Security is one of the few InfoSec news sources that is read by people outside of our industry. Back in 2012 he conducted a series of interviews on how to break into security. 
   

Thursday, December 31, 2015

2015 InfoSec Tweet Awards

It's December 31st so that must mean it's time for the 4th annual InfoSec Tweet Awards!  Over 2,100 of you read last year's post (my 2nd most popular to date) so it seems I should continue the tradition.

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (yes, I know twitter now calls them "likes").  As always, categories are completely arbitrary. I make them up as I go along...

Best Tweet Inspired by a Song (Tie)



Best Tweet Inspired by a Holiday (Tie)



Best Tweet That Should be on a T-Shirt (and already is)


Best Tweet About Phishing


Best Tweet About the Cloud


Best Tweet About the Internet of Things


Best Tweet About Threat Intelligence


Best Tweet About Recruiting


Best Work/Life Balance Tweet


Best "IT is Hard" Tweet


Best InfoSec "Pick-up Line" Tweet


Best InfoSec Parenting Tweet


Best "Out of the Mouth of Babes" Tweet


Best Tweet "That Understands My Pain"


Best Twitter... um... –er

Last but not least we have the "award" for the person who posted the best overall tweets of the year.

And the winner is.... Security Humor (@SecurityHumor)! Security Humor is hardly a new account. This month marks the sixth year s/he has provided funny quips 140 characters at a time. The Security Humor account has been in the running for this coveted(?) award for the last two years and only narrowly lost to InfoSec Taylor Swift (@SwiftOnSecurity) and Info Security Jerk (@infosecjerk)

If you follow one new account this year it should be @SecurityHumor. Below are a few recent gems:




This concludes the 2015 Tweet Awards. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very Happy New Year!


Friday, August 7, 2015

Review: Hacktivist Vol. 1


A year and a half ago I reviewed the first issue of "Alyssa Milano's Hacktivist" (see review here).  With last week's release of Volume 2, Issue #1, I thought it about time to review the rest of the original story arc.

"Hacktivist" re-imagines the events of the Arab Spring uprising that occurred in 2010/2011.  This is the central focus of the story.  The sociopolitical events and accomplishments of the activists are much more important than the "hack" part of "Hacktivist".

If you work in InfoSec or any other IT related field, you are going to have to suspend your disbelief when reading this story.  There is some effort to use language familiar to the technically inclined; however, it's apparent that the writers don't really have a complete understanding of the lexicon.  Don't get me wrong, "Hacktivist" is not as bad as "Live Free or Die Hard" (a.k.a. Die Hard: Hack all the Things) but, suffice it to say, some liberties have been taken.

Another aspect of the story I found particularly unrealistic is the interaction between the CIA and the founders of the Facebook-esque company, "Your Life".  The way in which the CIA initially approaches the founders and the nature of the business proposal (while common in entertainment) was not very realistic.  This is a little disappointing for a story that tries to take itself more seriously.  I also find fault with the government's response when things don't go their way.  To avoid any spoilers, let's just say that if Mark Zuckerberg decided to shut down Facebook and sell your personal information, he wouldn't be called the country's #1 threat.

If you can forgive these issues, there is an interesting, albeit somewhat short, story.  All-in-all it's an entertaining read and for $1.99 per issue (4 total) there are worse ways to spend your money.


You can pick up "Hacktivist" at your local comic shop or a digital copy at Comixology.com.


Monday, June 29, 2015

Book Review: Spam Nation

As an Information Security practitioner I am no stranger to Brian Krebs.  He is undoubtedly the foremost investigative reporter covering "cyber crime" (yes, I said "cyber").  I've followed his work since the mid-90's, first on the "Security Fix" blog at The Washington Post and (naturally) at KrebsOnSecurity.com. I was eager to read this book and finally got around to picking it up a few weeks ago.

Spam Nation is a quasi-autobiographical retelling of Mr. Krebs' coverage of the spam industry and the pharma wars.  If you're familiar with his work you'll likely recognize many of the stories.  The book recounts previous news articles with added exposition, provides insights from the author, and includes numerous interviews with both spammers and the people who bought their products.

All in all, Spam Nation is an easy read that is written to appeal to a wide audience.  If you're a seasoned InfoSec professional you won't find a lot of new information; however, this book serves as a good review of the golden days of spam and the pharma wars.  If you are new to the industry (< 10 years) then this is a must read.  It serves as an origin story for spam and it's a good idea to acquaint yourself with its roots.

Lastly, keep in mind that this book wasn't written for the InfoSec community.  It is written for the general public and the language and writing style reflect that.  With that said, I also recommend this book to friends and family.  It provides solid insight into one facet of our world.


Spam Nation is available on Amazon here.


Wednesday, December 31, 2014

2014 InfoSec Tweet Awards

Welcome to the third annual InfoSec Tweet Awards!  These posts continue to be some of the more popular blog entries on SecurityRamblings.com so I feel compelled to continue the series.
As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the last year. Also, you will notice that the categories have changed.  This is because they are completely arbitrary. I make them up as I go along. So without further ado...

Best Tweet Inspired by a Movie


Best Tweet Inspired by a Song (Tie)



Best Tweet Inspired by the Holidays (Tie)



Best Tweet on How to be a Hacker


Best Tweet About Linux


Best Tweet About Metasploit


Best Tweet About Medical Devices


Best Tweet About The Cloud


Best Tweet About Cryptography


Best Tweet About Two-Factor Authentication


Best Tweet About Silk Road


Best Tweet About "Named" Exploits


Best Tweet About Attribution (Tie)



Best Tweet Explaining the Sony Breach


Best "Fake" Tweet


Best "Get Off My Lawn!" Tweet


Best Twitter... um... –er

Last but not least we have the "award" for the person who posted the best overall tweets of the year.

And the winner is.... InfoSec Taylor Swift (@SwiftOnSecurity)! InfoSec Taylor Swift is an unusual account. On one hand it's an obvious parody of a celebrity with a humorous slant towards information security. On the other hand she (he? they?) offers legitimately sound advice in 140 characters or less. The quality is such that news outlets have quoted the account and the new web site associated with it, decentsecurity.com, has the potential to become a solid resource for InfoSec fundamentals.

If you follow one new account this year it should be @SwiftOnSecurity. Below are a few gems from 2014:

Serious Tweets:


Funny Tweets:


This concludes the 2014 Tweet Awards. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very Happy New Year!


Monday, December 15, 2014

Don't Click

As I'm sure the readers of this blog will know, way back on June 20, 2011, the ICANN board voted to end restrictions on TLDs. This paved the way to expand the number of TLDs (22 at the time) to include over 400 gTLDs (Generic Top Level Domains).  Most of the new gTLDs were sponsored by companies and organizations willing to pay the $185,000 application fee.  In November 2013, these new domains began rolling out a few per month.

Many domain registrars are offering free pre-registration for the new gTLDs.  Like a good little geek I immediately skimmed through all the options and reserved a couple dozen domains.  There are some real gems in my list but I'll keep them to myself until their respective gTLDs go live.  I don't want to lose them in the land rush :)

So what's my point?  Basically I wanted to share my first gTLD and solicit ideas for its use.  Without further ado I present:

http://dont.click


What do you think?  What would you do with this domain?  Please leave your suggestions in the comments below or hit me up on twitter (you'll find me as @ITSecurity).  Thanks in advance.



Tuesday, September 9, 2014

Book Review: The Basics of IT Audit


Full Disclosure: I was the Technical Editor for this book. While some may say this makes my opinion biased, I believe this has made me more critical of the finished work.


The Basics of IT Audit: Purposes, Processes, and Practical Information by Stephen Gantz is the latest in "The Basics of" series by Syngress.

It is intended to "provide you with a thorough, yet concise overview of IT auditing. Packed with specific examples, this book gives insight into the auditing process and explains regulations and standards such as the ISO-27000, series program, COBIT, ITIL, Sarbanes-Oxley, and HIPAA."

At 270 pages it is one of the longer books in this series and, like the others, is intended to provide a high level overview of the subject matter. It begins by explaining the reasoning behind auditing and quickly moves into the different roles and responsibilities that one can expect during an audit engagement. The book dedicates separate chapters to internal and external audit as well as a chapter explaining the different types of audits.

It goes on to spend several chapters breaking down the components and life cycle of an audit before delving into the different methodologies and frameworks available (NIST, ISO/IEC, COBIT, etc.). The book ends by providing an overview of Audit-Related Organizations, Standards, and Certifications.

All-in-all The Basics of IT Audit is a good primer for anyone just getting started in IT Audit or students pursuing a degree in IT Assurance. The book also does a great job demystifying the audit process and is recommended for anyone in IT who may be involved in their company's audit process.


Get this book at: Amazon | Syngress


Friday, June 13, 2014

Education & InfoSec

Yesterday the question was asked, "do you see a bump in pay-grade commensurate with the cost of a Masters?"  This got me thinking. There are numerous blog posts on how to break into security but I've rarely seen a blog post on education, especially given how often this question is asked. In this day and age there are numerous options available. Below are my experiences with the various forms of education and recommendations for someone new to the InfoSec industry.

"Traditional" Education

To begin, I did go to college. Back in the 90’s there was no such thing as an Information Security degree. Even IT degrees were still somewhat scarce. The best option available was a Computer Science degree that more or less taught programming fundamentals. At the time, classes were simplistic. One actually began with the professor holding up a 3.5" floppy saying, "This is a floppy disk". I often found I could complete the lab assignment and homework before class ended.

Recommendation:
Is a degree needed to "make it" in IT or InfoSec?  In a word, no. Some of the smartest, most technically competent people I know have no formal education. Nevertheless, I would recommend getting a degree. It can be difficult to make it past keyword filters and HR gatekeepers without this check box. Ideally, when you graduate you'll also walk away with soft skills that many IT/InfoSec professionals are lacking.


Internship

After a few years bouncing around different colleges I entered into an internship. I had a good mentor and learned more in those 10 weeks than in all my classes combined. At the end of the internship I was offered a full time position. Not wanting to give up on my education I transferred to the University of Phoenix and completed my last year online.

Recommendation:
Do it. Find an internship or take advantage of a mentorship program. There is no substitute for experience and you will never learn more than when you get your hands dirty. These are the times when you have more leeway to make mistakes and if you're not making mistakes you're not trying hard enough (or are not being challenged, in which case get a new mentor).


"Advanced" Degree

After completing my undergraduate degree I decided that if I was going to pursue an advanced degree I shouldn't wait. I was already in the student mindset and it would be easier to stay in "college mode" rather than return later in my career. I took a year off, then after an additional two years of education, I walked away with a shiny new Master's degree.

I'm often asked if I see value in my degree. Honestly, I'm not sure I do. Outside of positions with a college or university (or in executive management) I have not seen many InfoSec jobs that require an advanced degree. I also have not seen higher wages as a result of my Master's. In fact, I've been told I was passed over for a position because the company felt my education overqualified me and they believed I would not stick around.

Recommendation:
I've said publicly in the past that an advanced degree may have been a mistake on my part. Education is expensive and I can't say there is an adequate ROI. Even with employer contributions, I will be making student loan payments for many more years.

When deciding, take a good hard look at what area of InfoSec you want to work in and which industry. Look at job listings and talk to people in those positions to determine if an advanced degree is worth it. Also, take your time looking into a degree program. There are a lot more options than when I was in college. Find a curriculum where you will actually learn something and not just walk away with an expensive piece of paper.

Final thought: I still consider my career to be relatively young (13 years). I may find that my degree has greater value later in life.


Certifications

Certifications are another highly debated topic in the InfoSec industry. Over the years I've accumulated a handful of them at my employers' behest (CISA, CISSP & Six Sigma Green Belt). Realistically, I probably wouldn't have picked these up on my own dime but they do have some value.

Recommendation:
Not all certifications are created equal. Some have far more value than others. If you want to learn something and earn a certification that is respected, look at SANS training and certifications. If you are interested in a career in pentesting look at the OSCP and the other Offensive Security certifications.

The value of the CISSP is hotly contested. While many people believe it has no real value, this sentiment has started to shift. I attribute this to the election of Wim Remes (@wimremes), Dave Lewis (@gattaca) and Jennifer Minella (@jjx) to the (ISC)2 Board of Directors. These individuals have taken up the challenge of making the CISSP relevant and not just a check box to get past HR.


Conferences

The value of InfoSec and Hacker conferences is immeasurable. Not only is there the opportunity to learn, but the networking possibilities are endless. The InfoSec community is one big family and you will likely make many friends and possibly meet future coworkers.  I make it a point to attend 3-5 a year.

Recommendation:
Conferences are a must. Don't worry about expensive events like RSA or BlackHat unless you can get in with a student or press pass. Even if your company is willing to pay for it, you'll likely have a limited education budget that can be stretched further at other events. Many quality conferences only cost $150-$200. BSides events are held all over the world and range from FREE-$20.

Training at conferences is also a bargain. You can usually get 2-3 days of quality training for $1000 (which includes entrance to the conference).

If you can't afford travel, check out SECore.info for conferences near you. If you can't afford the cost of registration, consider volunteering. The organizers can always use help and it's a great way to network. You'll have plenty of time to see talks as well.


Independent Study

People who are successful in this field are people who enjoy what they do and spend a significant amount of free time learning. In addition to my day job I spend 15-20 hours per week absorbing new material.

Recommendation:
Find an RSS reader you like (some suggestions here) and subscribe to InfoSec blogs. Listen to podcasts. Spend time on SecurityTube.net and YouTube (I highly recommend Adrian Crenshaw's channel). Join twitter and follow other security practitioners. Learn to code in Python or Ruby and open a GitHub account.

Build a lab. You'll learn by doing. Download tools, spin up VMs (check out Kali and Metasploitable) and spend time familiarizing yourself with them.

Lastly, explore. There's much more information out there than you will ever be able to learn.


Monday, February 10, 2014

Review: Alyssa Milano's "Hacktivist"

When news hit that Archaia Entertainment would be releasing a title called "Hacktivist" the security community let out a collective groan.  The skepticism was not abated when Alyssa Milano was attached to the project.  How can the Hollywood actress best known for her roles on the television series "Who's the Boss?", "Melrose Place" and "Charmed" write a comic about a subject that is regularly misrepresented in the media?

In truth Ms. Milano is more than just an actress and author.  She is the Founding Ambassador for the Global Network for Neglected Tropical Diseases and a UNICEF Goodwill Ambassador for the United States.  Her trips to India, Kosovo, and Angola in support of these missions have at least given her some exposure to the regions portrayed in this story.  Ms. Milano had this to say about her inspiration:
"I’m very involved with global activism and philanthropy. I like the idea of everyday people doing good.  My inspiration for Hacktivist is actually Jack Dorsey, the creator of Twitter and Square. I picture him leaving the office at night and going home, where he locks himself in his room and starts hacking to change the world. 
"I felt Hacktivist was a strong story that I really wanted to tell visually.  Doing a graphic novel allowed me to dream big and it gave me the freedom to create without boundaries."
I can't say that I see Mr. Dorsey in the same light. There's a big difference in hacking to be innovative versus attacking companies and governments.

While the comic seems to be Ms. Milano's concept she is only listed as the creator.  The story is credited to Jackson Lanzing and Collin Kelly.  Both of these authors are relatively unknown so it remains to be seen how they will influence the narrative.

Characters 

The publisher describes Hacktivist as:
"a fast-paced cyber-thriller about friendship and freedom in a time of war. The story follows Ed Hiccox and Nate Graft, the young founders of the world’s most innovative social media company who moonlight secretly as one of the most notorious black-hat hacker teams on the planet. When the U.S. government discovers their operation, they must face the real world beyond the code and choose between loyalty and what they believe to be right."
Personality-wise, the characters read as a blend of Mark Zuckerberg and Anonymous, but with personalities at either end of the spectrum.  Ed is a suit-wearing savant who would rather spend his free time memorizing traffic patterns.  Nate is a jeans-and-hoodie-wearing non-conformist who would rather spend his evenings throwing a party that, "makes Gatsby look like a bounce house."

"Hacktivist" is a four issue mini-series so the story has yet to delve into the characters' motivations but the plot is interesting enough to warrant spending a couple of bucks on each issue.

Technical Merits

If you work in information security, don't read this comic expecting familiar jargon or novelty screenshots of nmap and Metasploit.  I doubt they consulted any experts when they wrote dialog such as, "and now they're plugging us into an onion router" and the verbal exchange depicted below:

I tend not to get too worked up about trivial inaccuracies in entertainment media (movies, television, books, comics, etc.).  The purpose of these stories is to entertain the general public who doesn't particularly care if a scene is technically accurate.  No doubt doctors, lawyers and other professionals can point out issues with how their profession is portrayed.

Verdict

Whether you are a comic book reader or not, the first issue of "Hacktivist" was entertaining.  Without giving anything away, the issue leaves the reader wanting to know what happens next.  "Hacktivist" is a fully contained story with a beginning, middle and end (not always the case with comics).  If you don't like cliff hangers, you can wait until all issues have been released or wait for the trade paperback to be published.

You can pick up a copy of "Hacktivist" at your local comic shop or a digital copy at Comixology.com.



Controversy Around The Word "Hacktivist"

Back in July (2013) TechDirt obtained one of the 500 preview copies of Hacktivist that were distributed at San Diego Comic-Con. They published an article in which TechDirt noted that "HACKTIVIST™ is © and TM 2013 by Alyssa Milano."  As you can imagine this caused some stir in the Information Security community.  To her credit Alyssa Milano spoke up on Twitter and directed inquiries to the publisher.  Archaia quickly followed up with a post clarifying their claim.  In it they state:
"Archaia and Ms. Milano do claim trademark and copyright protection, as appropriate, for the book, the title, the characters, and content included of The Hacktivist. However, no claim is made to other uses of the term ‘hacktivist.’ In accord with Ms. Milano’s wishes, we support the attention to the issues of philanthropy and activism."






Friday, February 7, 2014

Lessons Learned: Speaking at a Security Conference

SOURCE Boston was kind enough to take a chance on me and on April 17, 2013 I gave my first talk at a security conference.  The video was finally released this week so I thought it a good opportunity to run down my lessons learned.

I fully admit I was anxious and acknowledge I made quite a few mistakes.  I've given small presentations in the past; however, I was always the subject matter expert in the room and felt confident I would be able to speak with authority and answer any questions.  This time I was speaking in front of my peers, many of whom are wiser and more experienced than I.  Looking back I recall seeing Jack Daniel, Andy Ellis, Josh Corman, Bob Rudis and Ed Skoudis (just to name a few).  The room was small, it could accommodate maybe 50 people and there were about 35 people in attendance.  I'm not sure if this made it easier or more difficult.  On one hand, if I embarrassed myself it would only be in front of a handful of people; however, the small venue made it more intimate.

Below are the lessons learned throughout the process.  Some of these I was able to incorporate before the talk, others I didn't think of until after the conference.

Submitting a Talk:  When you've chosen a topic make sure you give yourself plenty of time to submit. Deadlines can creep up on you.  Also, make sure you follow the instructions.  One thing I constantly hear from conference organizers is that they will reject quality talks if they do not follow the required formatting.

Start Working Right Away:  As soon as your talk is accepted start working on your presentation.  It may seem like you have plenty of time but life inevitably gets in the way.  Business trips, unexpected workload and family events can consume your time.  In my case, a death in the family monopolized a significant amount of time and drained a lot of my motivation to work on my talk.

Practice, Practice, Practice:  This one should be obvious.  Get your presentation done early so that you can rehearse your talk.  If you're anything like me you'll be surprised at how often you tweak the content.  Start with a written script, graduate to note cards and eventually your slide deck should be all you need to give your talk without thinking.

Slides:  Slides should not contain your entire talk.  They should be used to visually supplement your material. This is where you can add pictures, charts and graphs to illustrate your point.  Bullet points should be high level and the font should be large enough to read from the back of the room.  In most cases a talk should be able to stand on its own, so if there are technical difficulties you can continue without slides.

Dry Run:  If you have the opportunity, give a preview of your talk somewhere else.  Most cities have organizations that are looking for speakers (DefCon Groups, ISSA or ISACA chapters, local "city sec", etc.).  This is a great opportunity to practice your talk in front of a live audience and get honest feedback that you can incorporate later.  If you can't find a meeting, try to arrange a Skype call or Google Hangout where you can present in front of a small group.  You'll be surprised at how many people are willing to give you feedback.

Film Yourself:  No one is going to be as critical of your talk as you are.  Watching your own talk will help you work on your timing, get rid of the "ums" and "ahs" and get you to move about (this engages the audience and prevents you from looking stiff).  The dry run mentioned above is usually a great opportunity to film yourself.

Title:  It can be tempting to come up with a witty title for your talk.  This can draw attention and you may get a better turn out.  Just don't get too carried away.  You want people to still know what your talk is about.  In my case I went too far in the other direction.  I titled my talk, "Hacking Back Is A Bad Idea".  This gave away my opinion and may have dissuaded people from attending who did not share my view.  In retrospect, a more appropriate title may have been, "Hacking Back: Is It Right For You?"

Questions:  If you finish your talk early or plan to leave time at the end, you'll have the opportunity for questions.  In a large room you will want to repeat any questions asked.  You're the only one with a microphone and the rest of the audience may not hear the question.  In my case, the room was small enough and the discussion lively enough that I did not feel the need to interrupt to repeat comments and questions.  Unfortunately, this means they were not captured on the recording.

Hopefully you can learn from my mistakes.  I've embedded my video and slides below.

Please be gentle :)






Tuesday, December 31, 2013

2013 InfoSec Tweet Awards

It's that time of year again... I bring you the second annual InfoSec Tweet Awards!  Okay, like last year there are no actual awards. These are just some of the more entertaining or thought provoking tweets that I "favorited" throughout the year.

Enjoy!



Best Tweet Inspired By A Song


Best Tweet That Should be on a T-Shirt


Best Tweet About Hackers (Tie)



Best Tweet About Hacking


Best Tweet About Hacker Handles


Best Tweet About A Hacker Conference


Best Tweet About BackTrack


Best Tweet About Scanning


Best Tweet About Programming


Best Tweet About A Text Editor


Best Tweet About Java


Best Tweet About A Data Center


Best Tweet About Credit Cards


Best Advice To InfoSec Noobs


Best Tweet About "The Cavalry"


Best Tweet From "Outside The Bubble"


Best Twitter... um... –er

Last but not least we have the "award" for the person who posted the best overall tweets of the year.

And the winner is.... Info Security Jerk (@infosecjerk). Info Security Jerk says what we are all thinking. His tweets are consistently funny, all the more so because they are rooted in the day-to-day life of those who work in InfoSec. If you follow one new person this year it should be him. Below are three gems from 2013:




This concludes the 2013 Tweet Awards. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very Happy New Year!


Wednesday, November 6, 2013

Hacking Your Health Part II: Ancestry


This is a continuation of the blog post Hacking Your Health.  Previously, we focused on the health, disease and drug aspects of the genetic testing results received from 23andMe.  While the Ancestry portion of the test results doesn't really apply to "Biohacking" I would be remiss in not discussing the fascinating information you can learn about your genealogy.



Ancestry Results

There is a wealth of information available in the Ancestry half of the report.  The dashboard overview provides a snapshot of the highlights.  Here you can see: the percentage of your dominant ancestry, specific countries of ancestry based on surveys taken by others with similar DNA, the estimated percentage of Neanderthal DNA, the number of genetic relatives with 23andMe profiles (close family, 2nd & 3rd cousins, 4th cousins and distant cousins) and Top Relative Surnames.  Famous relatives will also be displayed here (while none were listed in my profile, Jesse James appears to be my wife's distant relative).

Ancestry Composition

Personally, Ancestry Composition is one of the bigger draws of 23andMe.  I've always had a keen interest in history.  My Great Uncle has documented a significant amount of my maternal grandmother's line; however, little documentation exists for the rest of my family. The results from 23andMe "reflect where your ancestors lived 500 years ago, before ocean-crossing ships and airplanes came on the scene."

There are three different "resolutions" to the results (global, regional and sub-regional).  At the top level, I am 99.8% European, 0.2% unassigned (this is not surprising).  Zooming in to the regional view the results are divided between Northern (40.4%), Eastern (12.9%), Southern (2.2%) and Nonspecific (44.3%) European.  As you can see a significant portion of my ancestry is "Nonspecific European".  Zooming in to the sub-regional view does not provide much more clarity:


This much "nonspecific" ancestry is not unexpected for such a densely populated region.  With that said, the "Ancestry Composition" estimates can be tuned.  By changing the setting to "Speculative" the results become more interesting; however, the confidence threshold drops from 75% to 50%:


Beyond the analysis of genetic information, 23andMe encourages customers to complete questionnaires to provide further ancestry correlation.  By hovering over any of the regions and clicking the arrow you will be provided with the sample sizes used to determine the region (includes both 23andMe data and public studies).  In my case, comparative genetic information and survey results were taken from 5,041 people to determine my ancestry.  Clicking "Show Details" provides a breakdown of how the participants self-identified their heritage.


Maternal Line/Paternal Line

As a male, I have both an X and a Y chromosome, allowing me to review genetic lines from both parents. A downside of genetic testing is that females have two X chromosomes, which only provides the maternal line.  On the bright side, there is an option to share data with others, and by linking with male family members it is possible to have a more complete profile.

Both "lines" provide the haplogroup to which you belong as well as a heatmap of the haplogroups' distribution approximately 500 years ago (before the era of intercontinental travel).

My Maternal Line
My Paternal Line
The results also provide some facts about your haplogroups such as age (how many years the haplogroup has existed), region, example populations and a "highlight" (for instance one of my haplogroups appears to have been common in Doggerland).

23andMe provides additional information in another tab with a detailed history of your haplogroups and related subgroups.  A haplogroup tree is contained in its own tab where you can collapse and expand the different groups and highlight groups based on geographic location.


Neanderthal Ancestry 

This is a relatively new section.  Only in recent years was it discovered that modern day Homo sapiens sapiens share genetic code with Neanderthals (Homo sapiens neanderthalensis).  It's unclear exactly what this means from a genetic standpoint and 23andMe states, "There are many intriguing theories about what traits the smidgen of Neanderthal DNA may have imparted on modern humans, but we don't know yet if having a little more than average Neanderthal DNA could explain why someone is extra brawny, short or boorish.  Those traits might just be regular human characteristics."  The DNA for an average person of European descent is estimated to contain 2.6% Neanderthal DNA.


DNA Relatives 

This section is broken up into three tabs, List View, Map View and Surname View.

List View:  This is quite literally a list of all 23andMe users who are genetic relatives.  Users are able to share as much or as little information as they would like. This ranges from virtually nothing to names with complete profiles (examples below):

Map View:  Genetic relatives are pinpointed on a Google map.  Links are provided to quickly zoom to specific regions or to "Top Locations" (highest concentration of genetic relatives).  Almost half of my genetic relatives currently reside in the United States:

Surname View:  This view lists the frequency in which a last name appears among your genetic relatives. Actual counts are provided as well as an "enrichment" number which indicates "how common a particular surname is among your Relative Finder matches, compared to the entire 23andMe database."


Ancestry Tools 

Ancestry Tools are listed as features that "may still be in development, require specialized knowledge or appeal to only some [23andMe] customers."

Countries of Ancestry:  This feature combines information from Relative Finder matches and those matches' answers to the "Where Are You From?" ancestry survey.

DNA Melody:  This was a delightfully unexpected bonus.  23andMe maps specific traits in your profile to the rhythm, pitch, key and timbre of a melody.  Click to "hear" my DNA.

Family Inheritance Advanced:  This tool allows you to compare your DNA, bit by bit, to see what segments you share with close and distant family.  With this tool you can "find out where those DNA segments start and end, and see how DNA is transmitted across multiple generations by comparing multiple family members against a person in question."

Global Similarity Map:  This feature provides migration animation that "shows who in the world you most resemble genetically" over the last 50,000 years.

Haplogroup Tree Mutation Mapper:  This feature shows you which particular mutations in a person's mitochondrial DNA (maternal ancestry) or Y chromosome (paternal ancestry) were used to determine their haplogroup assignment.


Overall 23andMe provides a remarkable amount of information at a relatively low cost.  If you are interested in obtaining your own results I invite you to use this referral link:
http://refer.23andme.com/v2/share/6224967130210323244