cyberjulie · 1 year
Here is how to install a dnscrypt proxy with adblocker on Linux to block internet tracking, advertisements (Ads) and malware at DNS level
-> How to install dnscrypt proxy with adblocker on Linux
cyberjulie · 2 years
I guess while we were slacking off during the holiday, some chose to pick up the slack. No pun intended. 😆
cyberjulie · 2 years
He's making a database. He's sorting it twice. SELECT * from contacts WHERE behavior = 'nice' SQL Clause is coming to town. 🎄🎅
cyberjulie · 2 years
Good morning!
cyberjulie · 2 years
Selfie from a programmer/infosec person.
cyberjulie · 2 years
Little nostalgia.
cyberjulie · 2 years
Review:
Lee Brotherston and Amanda Berlin wrote the “Defensive Security Handbook: Best Practices for Securing Infrastructure” to help newly appointed security practitioners and those in management roles. Their goal is to provide a common standard of terms and practices, which can be pragmatically and effectively applied to most organizations. This is not a book for long-time practitioners; it is designed to be a reference for those comparatively new to managing a security program. It is also not a deep engineering book; rather, it is a set of high-level standards and best practices across a wide variety of defensive security activities.
This book provides a broad overview of a number of defensive topics, without focusing too much on any one industry. The authors intentionally made this book for “as many environments as possible” (p. xiv), and as such, they do not give many industry-specific examples (with the exception of the section on industry-specific regulations). Their examples focus on the security professional and that person’s tools and processes, without discussing the nuances of different industries. This makes the book appealing to a broad range of practitioners, from companies of different sizes and influence levels.
I appreciate that the authors take a top-down approach – describing creating a security program and getting executive buy-in. They discuss the creation of policies, standards and procedures, with user education thrown in for good measure. Brotherston and Berlin recognize that creating a security program is, first of all, about aligning the program to business priorities, and they ensure readers are made aware of the benefits of getting financial and human resource support for the security program as a first step.
In each chapter, the authors include basic information on the topic, and also tips and suggestions, notes and words of caution. For example, in the physical security section, they note that “badges are fairly simple to spoof with time and effort. Recon can be completed by someone malicious to attempt to re-create a legitimate badge” (p. 77). Additional resources are referenced appropriately, which makes the reading interactive and thought-provoking. Because this is an overview of many topics, there is not a lot of depth to each discussion – there is just enough to cover the basic concepts, identify common approaches and challenges, and reference additional resources for readers who want to go further. The layout is clean and the information easy to read and absorb.
It is not until later that the authors dive into technical topics such as operating systems, networking, endpoints, software development, logging and monitoring, and password management. They provide a lot of follow-on resources and an appropriate overview of the topics.
This book is a terrific resource for anyone tasked with starting a security program at his or her company. The authors acknowledge that many security professionals find themselves in a security role after being “voluntold” to do security, and that making the transition from purely IT operations to security leaves a person bewildered and overwhelmed. The authors also recognize that the first tendency of IT people is to find a tool or “pretty blinky LEDs” as a panacea for all security problems. The authors address this by stressing that many effective security strategies do not require a large tool investment, but instead a professional can leverage their organization’s existing capabilities to quickly improve the company’s risk profile.
They complete the "Defensive Security Handbook" with some “last mile” tips about email, DNS and security through obscurity, as well as a list of resources and links for further information. One drawback of this book is the lack of discussion about dealing with cloud security and hybrid infrastructure environments. Written in 2017, it may be a matter of timing that this vital topic is not addressed. I would look to future editions to correct this oversight.  
Book written by Lee Brotherston and Amanda Berlin
Book review by Helen Patton
cyberjulie · 2 years
Review:
Matthew Syed, a British columnist and writer for “The Times” newspaper, writes “Black Box Thinking” about how people and organizations learn from failure. This book covers various studies of individuals and organizations, such as the aviation and medical industries, and how they overcame failure. Similar to cybersecurity, these industries experience some truly advanced attacks that cannot be prevented. However, most security incidents are caused by simple mistakes, such as misconfigurations, using weak passwords or forgetting to apply updates to fix vulnerabilities. We see these common failures or mistakes repeated all over the world. This isn't a cybersecurity book, but it can help guide those who want to build a safer and more high-performance organization.
The key messages of the book are:
To succeed and progress you need to learn from failure.
Appropriate systems, culture, ways of thinking and methods are necessary for learning.
Pay attention to elements of psychology and organizational culture that hinder learning.
Share what you learn with the industry.
There are a number of key concepts and topics in “Black Box Thinking,” and here are a few that are important for cybersecurity:
System and Workflow
A single mistake can be fatal to an aircraft, so the aviation industry tries to automatically acquire as much data as possible. If something happens, the procedure is to analyze the data, investigate the cause and take immediate action to prevent the same failure from happening again. The "Black Box" in the title of this book is the flight recorder on the plane. It creates the most important record for investigating the root cause of an aviation accident.
In cybersecurity, it is also important to create a cycle in which records are automatically recorded as much as possible and analyzed in the event of an error.
One interesting point Syed makes in the book is that to learn from failure, you need to consider not only the data you can get but also the data you can't collect. It’s not possible to obtain and retain all necessary data for technical, economic and other reasons, but it is very important to understand the data that you have and the data that you do not have at the time of analysis. This helps you investigate the causes of an issue and allows you to build more effective response measures moving forward.
Mindset and Culture
In order to succeed, it is necessary to learn through trial and error. As such, successful people have a positive attitude toward failure because they know that they can experience meaningful evolution by facing failure directly and repeatedly trying again. Growth mindset and growth culture help us unlock the potential of individuals and organizations.
There is no complete security. Even if you achieve a certain level of security, it cannot be a permanent solution. Organizations and human behavior cannot be predicted, and what is required of security will change according to the times and circumstances. Security is an iterative process, and organizations need to institute a mindset of improving productivity and security through embracing new challenges, rather than fearing change or failure.
What Prevents Learning from Failure
Syed also explains various human factors that hinder learning from failure.
Mistakes threatening self-esteem or professionalism.
Fear of failure and perfectionism.
Hierarchical relationships that don’t allow individuals to point out mistakes.
Mindset and culture of placing blame on individuals for failure.
Fundamental attribution error by the brain, which tends to think of the simplest and most intuitive story.
Since cybersecurity is part of human and organizational activity, it is easy to imagine that some of the factors listed here have caused a drop in security levels. In particular, blame and intolerance can cause serious damage. When a security incident occurs, the person who fell victim or the IT or security team is often accused of being at fault, which doesn't help at all. If the culture of immediately shaming and blaming individuals is rooted in the organization, nothing will be reported, and no one will want to join the IT or security team. As explained in this book, it is important to face failures, identify the cause, make improvements and make the organization safer.
I recommend adding this book to your reading list. Information technology is evolving day by day and is now an important part of the foundation of our lives. Cybersecurity has never been more important to human life, and everyone bears part of the responsibility for following best practices to keep ourselves and our organizations safe. “Black Box Thinking” does not focus on cybersecurity, but it includes many tips that can contribute to more advanced processes and safer digital lives.
Book written by Matthew Syed
Book review by Kaoru Hayashi
cyberjulie · 2 years
This book is a must-read for all network defenders. First and foremost, it is based on the author’s real-world experiences as a cybersecurity consultant. It provides valuable insights into why companies of any size struggle to address their top risks.
Simply put, they don’t know which risks are the most important, and often this means all findings, vulnerabilities and threats are treated equally. They employ too many security technologies and spread their employees’ time thin, resulting in defenders ineffectively handling real-world threats.
If you’re looking for a new approach to disrupt and improve your cybersecurity program, this book is a must-read.
Companies are struggling to implement cybersecurity operations and strategies that can make positive impacts and make cybersecurity efforts more effective. Often, organizations learn their biggest security risks, but fail to take action in a timely manner. Network defenders spend time on too many top priorities or pet projects coming from leadership.
If you had one project you set out to accomplish this year, what would that be? How would you know you’re addressing the top risks to the company? Modern cyber security programs need a data-driven approach to ensure focus on the most impactful initiatives. In some cases, this means stopping non-essential projects in order to make the greatest impact in your network defense programs. Sounds difficult, but data can be your compass.
Security programs need to focus on ensuring they have the right technologies to generate the right level of data. There are several key ways to approach a data-driven cybersecurity approach:
Metrics – Data analysis efforts need to focus on your top impacts, but also your top assets. Not all risks are equal.
Data Gaps – Do you have the right level of data in order to make the right decisions?
Data Management – Data is king, and as such it needs to be properly managed.
Threat Intelligence Needs a Goal – Focus on answering one question above all: What is the number one way I will be attacked?
Discernment – Some data is good, but other data can be bad.
Organizations struggle with prioritization. The result is, network defenders are spread thin and cannot apply the proper time and focus on the most impactful, beneficial work efforts. To make it worse, cyber leaders may change directions, or upper management may read something in the news and want that risk to be addressed. It’s true that awareness of all potential risks that could occur is very important, but without prioritization, awareness can become a pitfall. In this example, the news article was very impactful to the organization affected, but does that translate into the most critical risk and threat to your organization?
The overall goal of a data-driven cyber program is to not have to make decisions about which risks are not worth working on and which deserve time and effort. It’s about picking the most impactful, beneficial projects and effects, aligned to the data, in order to deliver a risk-driven, data-driven prioritization to your leadership, board and team.
The case for data is clear, but recognizing the value of data is only the first step in developing a cybersecurity program that can make data-driven decisions for your organization.
The biggest challenge lies with data itself. Often, organizations have a lot of data. But data quality is not the same as data volume. If your security information and event management (SIEM) software generates millions of events a day, one has to ask the question, how can you manage this? Before you take actions against data, you need to make sure the data you’re collecting has the quality necessary to allow you to make decisions against it. You should:
Filter data that is no longer necessary for action.
Look at threat intelligence data differently, making sure it’s addressing the goal of relevance to your company, not just offering a broader look at nation-state attackers.
Ultimately, with the right level of data, you are able to take a step back and look at all your assets, data and business tolerance for taking risks. Then you can approach your board with the two or three projects that will address the real risks that are most likely going to impact the business.
Stop what you are doing and take a different look at how you should be managing your cybersecurity program. You should be able to gather the data you need and formulate priorities and efforts based on the data. It’s a great way to navigate emotions, politics and conflicts that occur within any successful cybersecurity program. The way I like to put it, if you don’t agree with me, you need to convince me otherwise, and you’d better be able to create the data necessary to convince me I need to look at it in a different way. This book is a very real and practical way to help you get into the right frame of mind.
Book reviewed by: Paul Calatayud
cyberjulie · 2 years
Abundance: The Future Is Better Than You Think
Executive Summary
Abundance: The Future Is Better Than You Think is about this radical idea that exponential technologies will flip our common notion about scarcity. We live in a world where entrepreneurs make money by selling scarcity. Some resource or other is hard to get, so the entrepreneur finds a way to get it and sell it to the masses. Exponential technologies are “systems or tools where the power and/or speed, doubles each year, and/or the cost drops by half.” [1]
It turns out that exponential technologies are key to finding solutions to the world’s grand challenges: food, water, shelter, energy, communication, education, healthcare, and freedom. The authors have tracked the exponential technologies that drive these grand challenges through six phases that they call The Six Ds of Exponential Organizations: digitization, deception, disruption, demonetization, dematerialization, and democratization. They say that solutions for most of these grand challenges are tantalizingly just 15 to 20 years away. In less than a generation, instead of managing a set of scarce resources, the world will be flush with resources that are abundant.
That said, I am not recommending Abundance as a must-read for the cybersecurity professional today. The ideas that the authors discuss will not improve your current defensive posture. However, if the authors are correct, exponential technologies will significantly impact how we all deploy security technology in the very near future. If you are intrigued by the abundance concept, this is the book for you.
Review
Peter Diamandis and Ray Kurzweil founded Singularity University back in 2008. Their mission is to "educate, inspire, and empower leaders to apply exponential technologies to address humanity’s grand challenges.” [2]
Exponential Technologies Definition: Systems or tools where "the power and/or speed doubles each year, and/or the cost drops by half.” [1]
At the university’s founding, Diamandis and Kurzweil appointed Salim Ismail to be the school’s executive director and global ambassador. [3] Their joint vision, their Massive Transformative Purpose (MTP), is to "Build an Abundant Future Together.” [1]
Diamandis published Abundance in 2012 in order to explain the abundance concept to the world. [4] Later, in 2014, Ismail published “Exponential Organizations” to explain how modern businesses could take advantage of these exponential technologies, and build leaner and more efficient companies in an abundant world. [5]
So, just what do these visionaries mean when they talk about abundance?
Abundance is this radical idea that exponential technologies, those that meet the definition above, will flip our common notion about scarcity. For example, we all think about oil as a scarce resource because it is hard to get oil out of the ground. Oil companies make money by selling that scarcity because consumers don’t have the means to do it themselves. But, in an abundant future, the cost of solar power and the exponential technologies that drive it might become so cheap that energy becomes essentially free for every person on the planet. Pause for a second and let that idea roll over you. Free energy for everybody on the planet. The mind boggles.
In that future, oil companies would find themselves in an abundant world where their demonstrated expertise to get oil out of the ground is no longer needed. If this happens, this would be a classic case of Diamandis’s The Six Ds: a predictable and observable transformational process that is occurring in many business sectors where exponential technologies are present:
Digitization: Once a technology becomes digitized, it is easy to access, share, and distribute. Solar went digital about 25 years ago. [6] [7] [8]
Deception: After digitization, growth is deceptively small until the numbers break the whole-number barrier. [9] If the speed of your exponential technology grows from .034 to .068, most will not notice. But, once it grows to 1.088, that is crossing the whole-number barrier. When it grows ten more times, that number becomes exponential: 38,788.92. That is exactly what has been happening to the solar energy sector and the exponential technologies that drive it for the past 25 years. [4]
Disruption: After the whole-number barrier is broken, the existing market is disrupted by the new market’s effectiveness and cost. [9] In the energy business, pundits call this the “utility death spiral” as many utility companies have banded together to lobby against the proliferation of solar. [10]
Demonetization: The technology increasingly becomes cheaper. [9] In 1998, residential solar power installation cost was $12 per watt. In 2015, homeowners paid under $4 per watt. [11] In 2017, one homeowner went from paying $250 a month for electricity to paying zero. [12]
Dematerialization: Physical products are moved. [9] As more people move to solar power, oil company refineries will start to vanish. The reliance on utility companies to distribute power starts to disappear, replaced by the individual homeowner’s ability to generate and store their own power. [13]
Democratization: Once the other 5 Ds happen, the technology price is so cheap that anybody can have it. [9] Energy flips from being a scarce resource to an abundant one.
According to Diamandis, Kurzweil, and Ismail, this abundance idea of the future is not a science fiction fantasy either. It is happening right before our eyes. They say that the world will flip from scarcity to abundance in the next 20 years for certain of humanity’s “grand challenges”:
Food
Water
Shelter
Energy
Communication
Education
Healthcare
Freedom
Kurzweil came up with an interesting metric to track this exponential technology behavior in his book, The Singularity is Near: When Humans Transcend Biology. What is the number of calculations per second that technology can perform for $1,000? [14] In 1900, with Charles Babbage’s mechanical Analytical Engine, the number of calculations was extremely small – only 0.000005821. But, every five to ten years, that number doubled. By 1949, the number was 1.837, and we were off to the races. By 1977, the number was 26,870. By 1998, the last year in the study, the number was 133,300,000. [15] [16] That is demonstrated exponential growth.
Even though Diamandis does not include cybersecurity in his list of grand challenges, you can certainly start to see the effects of the Six Ds on the network defender community:
Digitization: More and more network defenders are putting their log data in the cloud, where third parties can gain access.
Deception: This is the phase we are in now, but not many have noticed yet.
Disruption: After the whole-number barrier is broken, the disruption will happen at the point product vendors.
Demonetization: Network defenders will realize they don’t need point products to perform a specific task in their networks. They will get those services from the cloud at a much cheaper rate.
Dematerialization: Point products start to disappear.
Democratization: Cloud security services delivered to very cheap enforcement points will make it possible for anybody to get open source security services essentially for free.
The authors are quick to point out that, just because exponential growth is happening in many interesting technological areas, this doesn’t guarantee that the world’s entrepreneurial and technological leadership will build solutions to take advantage of it. The Singularity University's founders established the school just for that purpose. But, they also realized that more emphasis is needed. The Abundance authors suggest that another way to encourage investment in exponential technologies is to create incentive competitions. [4] The prizes establish a competition with a specific goal in mind and offer a high-value prize as an incentive.
A Sample Set of Incentive Prizes
Prize: The Orteig Prize ($25,000) [4]
Problem: First nonstop aircraft flight between New York and Paris
Winner: Charles Lindbergh in 1927
Prize: The XPRIZE ($10M) [17]
Problem: The first commercial, reusable 3-person spaceship
Winner: Richard Branson in 2004
Prize: The Google Lunar XPRIZE ($30M) [18]
Problem: Land on the moon; travel 500 meters; transmit high-definition videos back to earth
Winner: Nobody yet
Prize: The Wendy Schmidt Ocean Health XPRIZE ($2M) [19]
Problem: Create pH sensor technology that will affordably, accurately, and efficiently measure ocean chemistry
Winner: Sunburst Sensors, ANB Sensors, and Team Durafet
Prize: The Qualcomm Tricorder XPRIZE ($10M) [20]
Problem: Build a device that will accurately diagnose 13 health conditions and capture five real-time health vital signs independent of a healthcare worker or facility and in a way that provides a compelling consumer experience
Winner: Final Frontier Medical Devices and Dynamical Biomarkers Group
Book written by Peter Diamandis and Steven Kotler
Book review by Rick Howard
cyberjulie · 2 years
Reamde
REVIEW:
The novel has everything that a cyber thriller needs: Chinese hackers, Russian mafia, cyber crime, massively multiplayer online role-playing games (MMORPGs), hacking culture, and guns. It is classic Stephenson, and not quite as dense as some of his other works. While it is a wildly imaginative story, the details are real and correct. If you are a cybersecurity professional, you will not learn anything new here, but you will appreciate a ripping good story told within the boundaries of the cybersecurity community you know.
Stephenson centers on Richard Forthrast, the founder and owner of the Fortune 500 company that manages T’Rain, an MMORPG. He is a former drug smuggler who funneled his profits into a computer gaming company and turned T’Rain into the most popular computer game on the planet. Across the world, a group of young and talented Chinese hackers and T’Rain players devise an elaborate gold-farming ransom scheme. They create and distribute the Reamde virus, which essentially bricks the T’Rain gamer’s computer until the victim delivers a specified amount of virtual gold to a remote location in the T’Rain online world. The hackers collect the virtual gold and convert the gaming money into real money for profit.
Forthrast’s niece, and employee, inadvertently shares a sample of the Reamde virus with her boyfriend. The boyfriend dabbles in credit card fraud, and when the Reamde virus corrupts the computer network of his Russian mob contact—specifically the group’s pension fund, the obshchak—the Russians come looking for the perpetrator.
What follows is a mad dash around the world as the Russian hackers, with Forthrast’s niece in tow, try to get their money back from the Chinese hackers. They run into a separate collection of international terrorists operating out of the same abandoned Chinese building as the Chinese hackers and an MI6 agent tracking the terrorists. As the terrorists escape and evade the Russians, MI6, and the Chinese hackers, they end up in the backwoods of Canada, Forthrast’s backyard. There’s a lot of fun stuff going on here.
The story is similar in heft—almost one thousand pages—to two other Stephenson works: Cryptonomicon and The Baroque Cycle. But Reamde is a straight-up cyber thriller and Stephenson doesn’t spend a lot of time diverging from the main story as he did in those books.
Gold Farming
Gold farming has been a staple of MMORPGs from almost the beginning of online games. It’s a term used to describe MMORPG player behavior when the player’s intent is not to play the game as the designers intended. Instead, gold farmers gather as much virtual loot as is available within the game for the purpose of reselling that virtual loot to other players for real-world currency. Most MMORPGs have fully functioning economies and gold farmers take advantage of that. Entire businesses have popped up, especially in China, dedicated to that effort.
In Reamde, Stephenson takes that phenomenon to the next level. Most MMORPGs distribute loot randomly within the gaming world, but in T’Rain, naturally occurring gold deposits form around the game world similarly to how they form in the real world. Tom Bissell, writing for The New York Times, described it this way:
“Two things have assured T’Rain’s commercial success: actual geological laws have been programmed to govern its terrain (it is this feature from which the game’s name derives); and the game uses a currency system based on real money — treasure mined from the strata of T’Rain’s crust can be transformed into earthly coin.”
If you take a step back from that explanation, you realize that the T’Rain economy functions eerily similar to how the Bitcoin economy works. In both systems, the amount of treasure available in the world is finite and is worth only what the people within the economy are willing to pay for it. I could find no reference that confirms that connection between T’Rain and Bitcoin, but I do find it an interesting coincidence. Stephenson is adept at explaining how money systems work. Bitcoin launched in 2009, and Stephenson published Reamde in 2011. Even if the connection was unintentional, Stephenson had to be at least thinking about Bitcoin while he was writing the book.
Wardriving
Wardriving is the act of driving around town with a collection of remote networking gear and looking for unsecured WiFi routers. In Reamde, the Russian mafia needs to find the Chinese hacker hideout in China. They kidnap the good guys and whisk them away to Xiamen, China, so that the good guys can help them with the search. The good guys, under threat of death, search for the Chinese hackers by wardriving the streets of the city and frequenting the many Internet cafes, or wangbas, that most of the locals use for Internet access.
Lock Picking
Some of the good guys in our story are traditional white-hat hackers (hackers that exploit weaknesses in systems not to steal or to cause mischief but to understand how those systems work and perhaps to offer better ways to build those systems). One interesting cultural phenomenon that emerged from this hacking culture is a fascination with locks and how to pick them. If you have ever attended DEFCON, you already know what I mean. There is usually a room dedicated to the lock-picking craft, and every time I have wandered in there in the last five years, the room is jammed with expert lock pickers showing wannabes how to get started. In Reamde, the good guys lock pick their way out of several situations, and Stephenson takes a moment to explain why these white-hat hackers might have that skill.
MMORPG Battle
During the course of the story, the good guys who are working for the Russian mafia deposit the ransom of virtual gold into a remote area of T’Rain in the hopes that the Chinese hackers will unbrick their computers. A problem arises when the T’Rain community discovers the Reamde virus scheme. Many clans within the game stake out the route to the remote location in order to ambush the Reamde victims before they deposit their virtual gold.
In T’Rain, if you kill an adversary in the game, you collect his or her valuables. The Chinese hackers need to collect the ransom and walk it out of the remote area and into a T’Rain city where they can convert the virtual money into real money. With the clans blocking their path, this becomes problematic. What results is a massive clan battle between the Chinese Reamde clan and all of the other T’Rain clans in the game. Stephenson completely captures the complexity, stress, and strategy of directing hundreds of your own teammates that are maneuvering across a vast virtual terrain against thousands of hostiles whose intent is to prevent you from doing just that.
Conclusion
This novel has everything that a good hacker novel needs, right up through a bit about how to survive a zombie apocalypse. It is classic Stephenson without the denseness of Cryptonomicon and The Baroque Cycle, and it elevates the genre of the cybersecurity thriller above other entries in the field. While it is a wildly imaginative story, many of the details are real and correct and you’ll appreciate what a good time this is.
Book written by Neal Stephenson
Book review by Rick Howard