Sep 18

Hello Everyone. I just wanted everyone to know that Shawn Moyer and I will be speaking at PhreakNIC 12. We are going to do the Satan is on my Friends List talk again. There were people who didn’t get to see it out in Las Vegas, and well, since BHJP is in a different part of the world we figured if people still wanted to see it we would do it again in the United States. We will have some updates so it won’t totally be the same talk we did in Vegas.

If you aren’t familiar with PhreakNIC, it is a small conference in Nashville, TN. It’s loads of fun: there are great people, great conversation, and no vendor overload. I highly encourage people to go.

Sep 17

I find this funny. Here is an article about Facebook users leveraging developer accounts they signed up for so they can go back to the old Facebook. When you have the developer application installed, it puts a link at the top of your profile page to switch back to the old Facebook. This makes sense, since developers may have to maintain functionality on the old Facebook as well as the new. The funny thing is, I have had a developer account almost as long as I have had a Facebook account. I just assumed that option was on everyone’s page. It is a nice little hack, although Facebook is going to turn that option off soon.

It also seems that the users flooded the developer message boards voicing their distaste for the new Facebook. Ah… well… I hate to break it to them, but shhhh… those message boards are for the apps developers. There are Facebook staff that hang out and such, but all you are doing is irritating the person who wrote that stupid app you put on your page and don’t use. Stop! You are distracting them from doing input validation ;)

I don’t really understand this UI rebellion. Who cares. I mean, really, you can do the same stupid things you could do previously. If you don’t like it, use MySpace. The more you look at Facebook, the less it looks like a social network anyway. The other day on TechCrunch there was an article called Facebook Isn’t A Social Network. And Stop Trying to Make New Friends There. I agree with this viewpoint. MySpace and other social networks are much more conducive to meeting new people and finding individuals with similar interests. It all depends on what you use a social network for.

I have an idea for all of the people who don’t like the new Facebook: the best way to rebel is to quit using Facebook. That will get their attention. I know it won’t happen, but it isn’t like there aren’t alternatives. I mean, what does Facebook give you that other social networks won’t? The answer is nothing. Most people have accounts on multiple soc nets anyway. There are some 800,000 users in the I hate the new Facebook group. If they all quit using their accounts, that would have an impact. Do it or quit complaining. The choice is yours. The reason nothing changes is because they know you won’t leave.

Sep 16

Recently Facebook announced their Application Verification Program in an attempt to give users assurances that particular applications are secure. I think the intent is good, but the implementation may actually cause more harm than good. Giving users an assurance that malicious applications are secure can cause a lot of damage. People who have been given assurances are a lot looser with their actions than they would be with no expectation of security.

Given the way many Facebook applications are written, they don’t lend themselves to a proper review. The Facebook team is going to have to do reviews of submitted code that does not run on Facebook servers. This would only be a snapshot of the code at that given time. After the verification procedures are done, the developer can make whatever changes they want. They could change the verified app to a malicious app at will. I am getting so tired of security measures that don’t address the real problems. They are a waste of time. The only thing this verification program may do is stop the idiot who just learned PHP from creating the HackMe Back of social network applications. It doesn’t address the major problem: that attackers are gaining access to the API and attacking social network users.

The best way to protect against malicious applications is to control access to the API in the first place. Don’t let just anyone access the API, needing only 5 friends to publish the app. Proper vetting procedures would go a long way in curbing the number of malicious applications that get published on Facebook and other social networks. Why don’t the major social networks have vetting procedures for API access? It completely blows my mind, but that’s social network culture for ya.

Social networks are riding a thin line with security as it is. Introducing security measures that aren’t effective only causes more confusion on the part of their users. Social networks should strive to create a balance between functionality and security for everyone’s sake. Will that happen? Only time will tell. One thing is for sure though: attacks on social networks are only going to go up. The more surface you give an attacker, the more options and success they are going to have.

Sep 13

Quite a few people have emailed me asking what I thought about the Facebot application that was recently released. The paper is located here. Basically, a group of people created an application that they published on Facebook that did click fraud. They hijacked simple requests through an application called Photo of the Day using HTML IMG tags. You know, the same thing we did on MySpace without even having to create an application; however, we had OpenSocial applications that did the same thing, and a little worse ;)

They said they did it to prove you could turn a social network into a botnet. You know, the same thing that we already talked about and demonstrated at both Black Hat and Defcon this year. As a matter of fact, a copy of our presentation can be obtained here: Satan_Blackhat_Defcon

The title of their paper is “Antisocial Networks: Turning a Social Network into a Botnet”. The title of our HOPE presentation that we had to back out of was “Antisocial Networking: Vulnerabilities in Social Nets”. You can see this here from back in June. I am not quite sure what to think about all this, I guess it could all be coincidence. Like I said, I don’t know.

Now, on Facebook the way you would have to go about turning their users into a botnet is by creating an application. Facebook doesn’t allow linking to offsite content the way MySpace does. So if you want to use img tags, meta tags, and iframe tags, you would have to use them in an application that you created.

So, my impression is Yup. Everything we talked about at Black Hat and Defcon. It’s old news, not sure why anyone is making a big deal or even writing about it.

Sep 10

This topic is one that I have had plenty of conversations with people about, but have not spent much time writing about. What got me thinking about this topic again was that Seth Hardy recently requested to be added to the ballot for the ISC2 board. More information can be found on www.sethforisc2board.org. What’s great about Seth is he sees problems and wants to do something about them. I think we often resort to just complaining about issues rather than doing something about them. I say bravo to Seth. Even if Seth gets elected, I am not sure anyone would listen to him, but I like the idea that they would. I strongly urge ISC2 certified individuals to sign his petition.

I am going to be as objective as possible in this post. People who know me know that I have a distaste for some of these certification vendors due to their deception and motives. I hold quite a few certifications myself going back to the 1990s and have dealt with many of these organizations first hand. I have had plenty of time to hone my opinions, and in the end that is all they are: my opinions. Feel free to agree or disagree.

What is Certification Supposed to be About?

The world of information security tends to be quite a bit different from other professions. Other disciplines may live and die by certifications and licensure. For example, in the medical field you want licensed physicians who are possibly board certified for their specialties. Additionally, stenographers, interpreters, and many other professions have national certifications that open up great opportunities for their members following certification. The bodies that handle these certs in other disciplines are much different from those in the information security world. Other disciplines typically have certifications issued by national associations or other recognized industry bodies. In the information security world it is typically done by private businesses and masked bodies. I will get into this more later.

Certification is supposed to be about demonstrating a baseline level of knowledge for a particular area. Licensure, as I see it, is the granting of a license based on a certain set of baseline qualifications. The way you go about demonstrating competency varies from certification to certification.

What You Look for in Security People

What do you look for in security personnel? Most likely there are no objectives of a certification that cover that. Often the number one thing people look for is experience. Nothing trumps experience; even certification vendors know that. Along with experience is depth of knowledge. If someone doesn’t have experience, you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. I haven’t seen a Certified Information Security Googling Professional certification yet :) What about soft skills? Writing skills? There are many factors about the people you wish to hire that are well beyond the scope of a security certification.

Three general areas that people look into when hiring information technology people are experience, education, and certification. They may throw these areas around and substitute one for another, but the requirements are going to be there. Once the gatekeepers are passed, it is up to the interviewee and the impression they make to land the job.

All About the Benjamins

Certification in the infosec world is typically handled by private companies and is either vendor specific or vendor neutral. Sometimes these companies will masquerade as an org, but when you pay them for training or certification, watch where your money goes. It’s not the org front ;) It’s in the best interest of these companies to draw blurry lines between their different parts. You may hear things like, “No, this company provides the training; the certification is from this other organization”. Who do they think they are fooling? It is the same people working at both organizations and proctoring the tests.

More benjamins equals more win for the companies providing the security certifications, training, or CPE style credits. Or maybe you can just take the road that SANS does and charge an outrageous price for your certification challenges right off the bat. Yes, yes, I know. I called GIAC SANS. Same thing ;) They are counting on people with security training budgets and certification reimbursement and saying “screw you” to the little guy. Certification vs value, make the decision for yourself. I personally think they are pricing themselves out of the running to compete with the big dogs ISC2 and ISACA, but, oh well. I am entitled to my opinion. Not saying they are trying to compete directly with them, but there are more people looking for CISSPs than there are GIAC certified individuals.

Why Security Certification is hard to make

There are certain roadblocks to certs in the information security space. This is because everyone from the person that deploys anti-virus software to the individual reverse engineering software is considered a “security person”. These are wide and varied disciplines that take greatly differing skills to perform. So from a certification perspective you either have to specialize or generalize. When generalizing you have to be very broad and lose depth. When you specialize you lose overall market appeal. It’s hard to draw that line. This may be important when you are considering certification. If you are a specialist and there is a certification that fits your particular specialty, then there may be some additional appeal.

Perception is Everything

Certification value is pretty much all about market perception, regardless of the actual value of the certification to you personally or your peers. The greatest, most perfect security certification in the world can come along, but if it has no market value then there is pretty much no value in getting it. One way to gauge how well perceived the certification may be is by going to job search sites and looking for job positions in which you are interested. You will see how many mention the certification you are considering. The business side of security likes the thought of certification. It gives them a nice warm feeling inside. Hiring people in any profession is a gamble. You never really know if someone is going to work out or not. The thought of having an additional assurance that they are getting a decent individual is very appealing to them, regardless of how valid the certification is.

There seems to be a perception of certifications such as the CISSP, CISA, etc. as being technical. This perception is incorrect. I split security certifications into two different categories: Functional and Awareness. I consider certifications such as CISSP, CISA, Security+, etc. as awareness based certifications. These certifications do not go particularly deep into each of their domains but provide awareness across all of their domains. Functional certifications are ones that are more vendor specific and / or cover the functional aspects of particular items or domains.

Certification (may) = Win

Let’s take a look at some of the advantages of certification in the information security field. Certifications in the security field are all about your professional life. They are about your job and your future job prospects. Certifications aren’t good for much else unless you just like framing them and putting them on your wall ;) Keep in mind all of these potential win situations for certifications are all based on someone else’s perceptions at a given time.

The biggest advantage of a certification is that it allows you to display the designation. This means you can say you are certified, display it on your resume, put it in your email signature, etc. Certifications are sometimes used as filtering mechanisms to weed through potential candidates. The person in recruiting or HR may not even forward your resume on to a decision maker because they do not see the certification. The whole goal of submitting a resume is to get your foot in the door for an interview. If you can’t make it that far then it is a fail situation. Displaying the designation allows you to meet the perceived expectations of someone looking for that particular designation.

Along with the previously mentioned, certifications give you some “flair” for your resume. They allow you to add a section to your resume called “Professional Certifications”. Now, you may have more than enough content for your resume due to your experience, but for people with less experience it helps fill out a resume.

During the study process for a certification there is the possibility of learning something. Now this probably isn’t going to be some earth shattering revelation, but the more you know the better off you are. It may force you to look at concepts that you haven’t taken the time to look at previously. So there is the potential that horizons may be broadened.

Vendor specific certifications demonstrate that you are at least familiar with the interface to a particular product. The world is much better off now that you know where that check box is ;) It may give people a sense that you have actually seen the interface before.

Certifications can prove that you have the ability to start something and see it through. Much like education, some certifications take some effort to study for and complete. It can display a certain amount of determination on the part of a potential candidate. It shows that you have not remained stagnant in your career. I know the actuality is stupid, but remember we are talking about perceptions.

Certifications are rarely something that you get looked down upon for. If you are applying for a job or have a job interview I have never heard of a case where someone didn’t get a job because of a certification they held. I file this under the “it couldn’t hurt” column.

Certification (may) = Fail

Security certifications won’t help you do your job better, lift a car, or save a baby from a burning building. Security certifications in their current iteration seem to be very poor at proving people have baseline competencies, which is what certification is all about. This is something that the business side has not really caught on to yet and probably won’t.

Certification can be a pain to get. Some certifications require a healthy dose of time dedicated to studying, practice exams, and whatever other resources are required to pass the exam. Even if you are already familiar with the material, it takes time to learn how to answer the questions the way the certification vendor wants them answered.

Certifications can be a pain to maintain. Some security certifications require maintenance. This maintenance includes either re-certifying periodically or the submitting of credits. The credit based systems require that you get so many credits per year and per certification cycle. For the ISC2 certifications these are called CPEs (continuing professional education).

The benjamins are here to stay, certification costs money up front. This is your initial buy-in to the certification. Certification costs typically range anywhere from 150 dollars to as much as a few thousand depending on what the certification is and what is required.

Oh no, the benjamins are back! Of course everything from re-certification to annual maintenance requires money. Fees, fees, and more fees. Needless to say unless it is a perpetual certification you are no doubt going to have to pay money to the vendor periodically.

You really don’t get anything from certification vendors in return for your time, effort, and money. I think this is the part about certification that irritates me the most. After you have spent the time and effort to get a certification, you really receive nothing useful from them. You may receive notifications about items from the vendor, but it is typically “who cares” communication.

You may have ethical issues with certification vendors in which you don’t want to give them your money. In this case I am right there with you. This could actually be a big turn off in your decision making process.

The Certified Conclusion

There are probably valid points that I left out, sorry, but the post is getting long and I don’t know if anyone will read it anyway. I am sorry if there is anything that I have left out. I also really didn’t want to talk about particular certifications, so I didn’t really list any. They are easy enough to find though.

There is really no right or wrong answer about whether to obtain a security certification. All you can do is take the data you have and make a decision for yourself. Visit job search sites and search for jobs with that particular certification. Weigh the time, effort, and expense that you will have to endure to get and maintain the certification. See what other people are saying about the certification. If it makes sense and you think that it will help, then go for it. If it doesn’t seem worth it, then don’t. It’s really hard to judge the future and where security certification vendors are going, so all you can do is make the best decision for yourself in the present.

Sep 03

I am just finishing up a post on certification, but I thought this needs its own post… and well… I am taking too long. Seth Hardy has requested to be put on the ballot of the ISC2 Board. He needs 591 signatures on his petition in order to be put on the ballot. From his site:

Send an email to me: shardy@aculei.net using your email address on record with (ISC)2, including your member number, stating that you are signing my petition!

Signing the petition doesn’t mean you’re voting for me; it just means that you’re supporting my inclusion on the ballot. I’ll be hitting you up for votes later. :)

Rather than just complain about issues Seth wants to do something about them. That is something I totally support. If you have an ISC2 certification please visit his site and sign his petition. www.sethforisc2board.org

More to come on the value / lack of value in security certification. I promise I will finish it soon.
