Sunday, August 6, 2017

Being Green

This isn't an article espousing the intricacies of "Hulk smash" or the joys of being a Jolly Green Giant; instead, I want to talk about team inclusiveness. One of the many takeaways I came away from Army basic training with was that we are all "Green". It is a philosophy meant to eliminate bias and discrimination in the ranks, but it can be broken down to mean that we have a shared experience. It’s a mantra that since I wear the same uniform as you, your color, creed, orientation, or religion are irrelevant to the fact that we are the same, and in this together. It's a determination that you trust me to have your back, and I know that you have mine.

This isn't just a phenomenon that is isolated to the military experience.  Whatever uniform or hat you wear, look around at those that are sharing the experience with you.  We are in this together; we share the same concerns and issues.  If we remember to keep this mindset, then maybe, just maybe, we may make that little extra effort to treat each other with the respect we deserve, and that keeps teams functioning well.  

Yours in Security,

JustinTM

Friday, March 17, 2017

Information on a Linux vulnerability was publicly disclosed last week, and was widely distributed yesterday.

The CVE-2017-2636 vulnerability affects the majority of popular Linux distributions including Ubuntu, RHEL 6/7, Fedora, SUSE, and Debian.


The vulnerability is in the N_HDLC Linux kernel driver, where a double-free memory bug can be exploited to escalate privileges on the system.

The vulnerability can be verified using system test calls with Google’s syzkaller fuzzer.

All major releases have a security patch available, and the recommendation is to patch as soon as possible.
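
A quick exposure check to go with the patching advice, added here as an example (it is not from the original post): it reports whether the n_hdlc module is loaded and, if not, whether a modprobe.d "install" override stops it from being loaded. It says nothing about whether the running kernel is patched; the function names and the LOADED/BLOCKED/LOADABLE labels are made up for this example.

```shell
#!/bin/sh
# Added example: is the n_hdlc line-discipline driver loaded, blocked, or loadable?
# File and directory paths are arguments so the check can also be run on copies.

# n_hdlc_loaded FILE: succeeds if a /proc/modules-format file lists n_hdlc.
n_hdlc_loaded() {
    # each /proc/modules line starts with the module name followed by a space
    grep -q '^n_hdlc ' "$1" 2>/dev/null
}

# n_hdlc_blocked DIR...: succeeds if a modprobe.d file overrides loading of n_hdlc.
n_hdlc_blocked() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # "install n_hdlc /bin/true" (or /bin/false) makes modprobe run that
            # command instead of loading the module. A "blacklist" line is not
            # counted: it does not stop an explicit "modprobe n_hdlc".
            if grep -Eq '^[[:space:]]*install[[:space:]]+n_hdlc[[:space:]]+/(usr/)?bin/(true|false)' "$f"; then
                return 0
            fi
        done
    done
    return 1
}

# n_hdlc_status MODULES_FILE DIR...: prints LOADED, BLOCKED or LOADABLE.
n_hdlc_status() {
    modules_file=$1
    shift
    if n_hdlc_loaded "$modules_file"; then
        echo "LOADED"      # driver is in the running kernel: patch, then unload or reboot
    elif n_hdlc_blocked "$@"; then
        echo "BLOCKED"     # not loaded, and modprobe will refuse to load it
    else
        echo "LOADABLE"    # not loaded, but nothing prevents it from being loaded
    fi
}

# Live system check against the usual modprobe.d locations.
n_hdlc_status /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
```

LOADABLE on an unpatched kernel is the case to act on first: apply the distribution's kernel update.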

Tuesday, January 24, 2017

Parting the Veil

Hats off to Rob Graham @ Errata Security for a great blog post that shares some great CLI tools for the infosec crowd: http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html#.WIhBpFMrKpp

The past week has been quite fruitful; I was able to add the CompTIA Project+ and the Cisco CCENT Certifications. The CCENT was a result of taking the ICND1 exam, the first of 2 exams towards a Cisco CCNA. I am also halfway to attaining the Linux+ certification. My plan is to take the next Linux+ exam (LX0-104) to complete the pair, and then move on to the ICND2.

Last week I also built my first Boot-to-root Virtual Machine; the goal was to create a vehicle for sharing my resume that would cause me to stand out. I haven't had a response yet, but once I know that my clues have been found, I will post the link and a walk-through. It was terribly basic, but a good beginning.

Yours in Security,
Justin

Friday, January 20, 2017

RFR - Request for Resume

Recently a good friend of mine alerted me to an opening at the organization with whom he is employed. The prospect of working again with this fine engineer is certainly not something I would easily pass up, so I set about updating and polishing my technical resume. Somewhere along the line this document became large and a bit unruly. It is not colossal by any means, but does fit the baby giant classification of an MTU frame size (a baby giant is slightly larger than an IEEE 802.3 standard 1500 byte frame). After doing my best to limit the scope to 4 pages, I thought I was ready for the next step, but was pointedly reminded that I needed a good cover letter to go with it.

Always one to start with a little research first, I looked for the best possible cover letter format. The Harvard Business Review postulates that a 5 line cover letter is in all instances ideal. (https://hbr.org/2009/06/the-best-cover-letter)
A bit of Hello, I heard you had this position open, This is why I would be great on your team, let's talk soon, regards...
Short, succinct, and to the point. While it covers all the necessary bases, it really doesn't stand out. So I, with all my extra time, decided that the best approach to gain a Penetration testing position would be to build a boot-to-root hack-able virtual appliance, and embed my resume as the prize for owning the box. To wit, I present my cover letter, that does indeed follow the HBR guidance:

3st33m3d V13w3r,
I am writing in response to the opening for a Security Pen Testing & Assessment Engineer.
I offer over 20 years of highly technical, detail oriented, troubleshooting and analytical experience. I also have solid certification backed project-management skills, and passion for Information Security, all of which should mark me as a value added candidate for your team.
My resume is buried somewhere within [omitted for privacy], if you can gain access to the resume then I deem you worthy of my skillz, and would be willing to entertain a conversation about employment with your fine organization.

 Best regards,
XXXXXXX XXXXXX

We will see how it goes.
I hope you enjoyed my musings.

Yours in Security,
Justin

MostlyNotSecurity - Steps to the winner's circle

Once in a while I stumble upon what equates to golden rules... the following may not represent all that glitters, yet falling prey to these classic blunders may limit your forward mobility.

http://viralnavy.com/11-things-smart-people-do-not-say.html

To sum up, avoid the following phrases; for more information, read the article:

1. “It’s not fair.”

2. “This is the way it’s always been done.”

3. “No problem.”

4. “I think/This might be a silly idea/I’m going to ask a stupid question.”

5. “This will only take a minute.”

6. “I’ll try.”

7. “He’s lazy/incompetent/a jerk.”

8. “That’s not in my job description.”

9. “It’s not my fault.”

10. “I can’t.”

11. “I hate this job.”

Remember, stay positive, keep a shiny attitude, and stay awesome.

Yours in Security,
Justin

Where have I been for a Year?

Long has the question burned in the hearts and minds of intrepid IT hopefuls, and of course the recently techy unemployed; Education or Certification?

In my quest for career path validation, I asked the same question; luckily, I found an option that fills both roles. I am currently enrolled in a program with Western Governors University that makes Certification the final for several of the classes. Yesterday I took and passed Cisco ICND1, the first of a two step process to attain the Cisco Certified Network Associate in Routing and Switching, or CCNA R&S for short.

subnote: As a full time Security Engineer, full time student, part time soldier, and single parent, I often neglect certain passions and endeavors that I deem negotiable at the time. This blog has often fallen into that category. As an effort of recompense, I am going to relate more of my study and side projects to this medium.

Among the certifications a security minded person pursuing an education through WGU can anticipate:
CompTIA A+
CompTIA Network+
CompTIA Security+
CompTIA Project+
CompTIA Linux+
LPI LPIC-1
Cisco CCENT
Cisco CCNA R&S
Cisco CCNA Security

Add to that the other courses and the degree attained, and all told you have a very solid base to begin (or continue) a technical career.


Yours in Security,
Justin

Wednesday, January 13, 2016

Identity: it's not who you are, it's what you do.

It's a new year in the blogosphere and time to step up my game. My blog has sat here bereft of my musings for long enough; it's time to get busy.

Security Shaken Loose

Lots of interesting things going on in security news during the past few months.  With the rise of connected toys we see the VTECH and theoretical Hello Barbie hacks, 320,000 Time Warner customers are urged to change their passwords due to that breach, and with a major NSA backdoor in some Juniper Networks networking appliances, there appears to be churn in every sector from Internet of things, Internet Service Providers, and even in Corporate and Government security. As we become more connected, we have to double down our efforts to increase the security and access to our information.

To What Ends

Even while taking such a stance, we have to assume that anything we store digitally in a connected fashion is at risk. Any illusions we have to privacy are just fancies of blissful ignorance. If someone wants access badly enough they will get it. There are many ways we can go with this. Some believe that if we have nothing to hide then why does it matter, and others think that in a connected world where nothing will remain hidden, what's the point. I believe that we all have something to hide; it can be as benevolent as wanting to protect the safety of our families or identity.

Bad things happen to good people. It would be nice if it wasn't so, but the nature of terror and power is to impose it.  There will always be those that prey upon others.

In keeping with a theme of Identity Security, I offer the following advice on securing and protecting yours.

Credit Freeze

A lesser known feature available from the Credit Reporting companies is a Credit or Security Freeze. This doesn't affect the credit you have, and restricts the credit information to certain government agencies and existing creditors. For roughly $5-10 per account you can go to TransUnion, EQUIFAX, and EXPERIAN, and request them to restrict access to your credit report. This makes it extremely difficult for identity thieves to open new accounts under your name, and can be reversed at any time. You may even be given a PIN number that allows you to temporarily grant access to your credit report. I don't think ~$30 is much to pay for that kind of security.

To get started click, or give them a call.
  • Equifax — 1-800-349-9960
  • Experian — 1‑888‑397‑3742
  • TransUnion — 1-888-909-8872

Yours in Security,
Justin