Stegotrojansaurus

IF YOU ARE STUDYING FOR A CERTIFICATION EXAM, STOP READING-- THIS IS PURELY ACADEMIC AND WILL ONLY CONFUSE YOU

 

 

When I explain steganography to my students, I usually say, “It’s a message in one medium put inside another medium-- more like encoding than cryptography.” I stress that steganography is NOT crypto, even though the topics always seem to be taught coincidentally. I often use the example of Jeremiah Denton, who, as a prisoner of war, blinked the word “torture” in Morse code while being forced to make propaganda films against his country (https://www.youtube.com/watch?v=rufnWLVQcKg). I talk about putting a text message inside the code for a .jpg, and so forth.

 

As almost always happens, a student in a recent class taught me something I did not know before. But this case was exceptional, because it was something that had simply never occurred to me at all, and I don’t think I’ve ever heard anyone else suggest it:

 

Trojan horse applications are a form of steganography.

 

It’s kind of perfect. The malware, which is a message of one medium (the executable), is hidden inside a message of another medium, such as a photo or movie or text document or whatever (sometimes-- there are examples of Trojans where both the malware and its carrier are executables, or there is just one executable with two aspects: one desirable to the victim, and one not).

 

This is purely a philosophical point: it doesn’t mean anything earth-shattering in the world of INFOSEC. But I love it when a student has a completely new take on some fairly old ideas. Blew me away. Good job, Ann-Kathrin.

'Membering Mnemonics

I often learn quite a bit from the students I’m supposed to be teaching (mainly because they’re invariably smarter than I am). I also love mnemonics— those mental tricks and reminders that help you recall concepts and bits of information.

This past week, one of my classes was going over the OSI and TCP/IP networking models; I had a great mnemonic for OSI (Please Do Not Teach Security People Anything)…but I confessed that I have no way of remembering the TCP/IP Model.

One of the participants said she had something, but was reluctant to share. We coaxed it out of her. I share it, slightly modified, with you now:

“Not In The….Arctic.”

I will never again forget the names of the four layers of the TCP/IP networking model. Though I may try.

Thanks, Lauri— you’re a good teacher.

Wandering Security

For the first time ever, I ran across a hotel business center (desktop PC and printer) that had the USB ports physically blocked out. I find that interesting only because I’ve often considered how easy it would be to introduce malware/whatever into a business center (and often hoped those machines are airgapped from the hotel’s production environment).

Of course, this was at a time when I needed to print something off a USB stick, instead of, say, an email I could access through a Web browser.

I found out that unplugging the keyboard would, yes, open a viable USB port that wasn’t limited to just human interface devices. Sure, I was limited to inputs from the mouse in order to manipulate the file (because, well— no keyboard), but it seems that someone put at least some good thought into locking down that system, but then left a giant pathway right through their control policy.

Not sure what the workaround would be, short of putting Super Glue on all the keyboard/monitor USB connections for every PC in every property in that hotel chain. Or going with thin clients that have peripherals that are hardwired and not connected by USB (come to think of it, with a very limited target functionality, why does the business center need full PCs, anyway?).

Anyone ever given any thought to this?

The Flatline Cohesion Principle

This week’s CCSP class pointed out that one of the multiple-choice answers in my book of practice tests included the term “flatline cohesion principle.” They asked me what it meant, and I had to admit that I had no clue…maybe it meant that I was drinking too much scotch when I wrote the book?

Turns out, it was a nonsense term I invented as a distractor from the correct answer to that specific question. So we discussed the idea, and decided we had to come up with a definition for the completely blank term.

The consensus was that it should mean: “When you write a book of practice tests that may or may not have complicated, misleading questions in it, then use your class to crowdsource how worthy the material is for study purposes.”

I do like this. But I am very open to alternative uses for the term. If someone comes up with something better, put it in the Comments section, and I’ll send you a free copy of the book. I will be the sole judge of what constitutes “better.”

In the meantime: everyone should follow the flatline cohesion principle.

And many, many thanks to this week’s CCSP class participants: y’all were awesome, and I think you’re all gonna to conquer the exam.

Sharp Security

In the US, possession of a switchblade is a federal offense, but butterfly knives are as legal as rye bread.

In Germany, it’s just the opposite. About switchblades and butterfly knives, I mean— bread’s not illegal there, as far as I know.

Funny thing: neither place, far as I can tell, suffers from crime waves using either instrument.

I am sure someone smarter than me could figure out some sort of meaning in this.

CCSP Test Feedback

From a recent student:

”I found it to be quite challenging, mostly because more than a few of the questions and / or answers were so tersely worded that it was very hard to determine what was being asked.  I also ran into some test questions on concepts that weren’t covered in the course material, or if they were,  it was in passing and didn’t really justify the attention it got on the exam.  However, I passed, so it’s all behind me now.  :^) “

Amazon Data Leaks

Meh. When I first saw a notice that contained the same words as the headline on this entry, I thought, “well, here begins the end of cloud managed services.”

But then I read an article [like this one] and saw that it was really Amazon employees taking bribes from retailers to remove negative reviews.

So…”help me sell more sandals,” is a far cry from, “sell me my competitor’s data.” I would imagine Amazon’s main concern is that the bribes are less expensive than what Amazon could otherwise charge for this same service…and go directly to the employees, instead of to Amazon.

RECENT CISSP CAT EXAM NOTES

Got an email from a recent former student...the kind of email I really enjoy:

"Hi Ben,I wanted to let you know that I took my test yesterday and passed at 100 questions :D

 

- After our class, I studied using mostly the Boson practice exams (reading the explanation for EVERY question, failed or passed).

- After that I bounced back and forth between Boson random exams, the updated Sunflower guide, and the 11th Hour book (which was great for last-minute cramming, the last 2 days leading up to the exam).  I also watched Kelly Handerhan's CISSP prep videos at Cybrary prior to our class, and various other YouTube videos (Larry Gleenblatt's CISSP exam tips were helpful) here and there.

- I studied for about 2-3 hours a day, every day, for 4 weeks total (taking 1.5 weeks off for vacation).

- I was 100% certain that I was going to fail while taking the exam.  I was so sure of it that I considered just picking the same letter answer over and over to end the test and GTFO at around 80 questions.  Glad I didn't.

- I took my time reading and re-reading each question and answer so many times that I thought I was going to shoot myself in the foot with the time of the exam.   I had about 30min left at 100 questions.

 

Thank you for all of your wisdom and guidance during our class.  I feel that it helped a lot and set a good expectation for the exam and framework of where to study. It helped me realize my weak areas so I knew where to focus.  Although, the test has a funny way of making you feel that you're completely unprepared while you're actually taking it. :)"

Physical Badsec

If your physical security process involves controlled items, make sure you train your staff not to hand a stack of the controlled items to unauthorized personnel during the procedure...else someone could pilfer one or two, and use them for all sorts of nefarious purposes.

 

In totally unrelated news, if someone wants to smuggle contraband/small children/explosives aboard a cruise ship, drop me a line in the Comments section.

carnival luggage tag.jpg