Watch for potential signs always, and sift away from trouble before it hits you

As I was sifting through websites, I decided to give my ISP in Malaysia a visit. I have an account with them, which gives me perhaps the best internet in Malaysia at the moment. Of course, with my information security training and background, I have a keen eye for things that do not look good…

I use Google Chrome for my daily surfing and online transactions. They do have an edge with the amount of time spent infusing security into browsing. Though we have our doubts about their ties with government surveillance bodies, I have got to say that they do know how to protect their netizens…

Data breaches are not made by an attack that takes a few hours, no. They are made with exact precision. Much like a military attack, black hatters follow a strict process, known as the cyber kill chain. We have come across kill chains in the military, but it is prevalent in the world of cyber warfare. It takes a lot of effort, meticulous planning and an evil deed to go through with a cyber attack. Hence we call them APTs. APT stands for… Advanced Persistent Threats. We, as security professionals, are trained (hopefully) to look at signs of an attack taking place.

I cannot stress enough the importance of sniffing out potential failures and disclosing these things to companies. This is what we do as ethical security professionals. We never take for granted the signs of an imminent attack or disclosure of personal data.

I remember once, my father forwarded me a suspicious email. I trained my parents well when it came to phishing emails. Kudos to my parents for always following up with me if there was something out of the ordinary. Now, back to the suspicious email. It was from our national power company, seeking bill payments etc. What caught my eye was the domain and the email address this mail came from. My thought was, “Hey, how did they get my father's email address? This is bad, they must have breached the database of the Power Company and got a list of emails”. Deadly. I notified the relevant authorities, and to this day, no acknowledgement has come from them.

Back to Chrome, yes, the powerful sniffer of trouble gives you an idea of what's good and bad. So, I wanted to check my account with this service provider. When I got to the page, Chrome gave me a warning, and in fact the warning was really interesting. It just stated that the service provider uses SHA-1 in its trust chain. Ok, I am cool with that, who wants to attack a Malaysian service provider? I do not know, but according to the kill chain, it might be something bigger. So I would say, fix your own flaws, and lessen your attack surface.

I gave Qualys a crack; I did the awesome test to check the site's SSL certification. It was very eventful and it gave me a grade “F”. What!!! No way, I have all my personal information on that site. It has SSLv3 enabled and some of its cryptographic issuance is obsolete. This is bad. You are talking about customer data and a potential attack surface for a black hatter. We all hear of multi-million dollar losses from breaches. They all start from a flaw not fixed.

I do hope they fix it, as I disclosed this flaw to them. It might be a small issue for humongous security teams, and perhaps a financial cost to them to fix the certs, but it is definitely going to prevent a massive issue later on.
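The two findings above (a SHA-1 signature somewhere in the trust chain, and SSLv3 still accepted) are the kind of thing a defender can script a check for. The following is an added example, not the blog author's tooling or a Qualys script: it walks the outer layer of a DER-encoded certificate to read its signature algorithm OID, and offers a live probe that assumes a host name on the command line. Python's ssl module no longer speaks SSLv3, so the probe pins TLS 1.0 as the stand-in legacy protocol, and getpeercert() only returns the leaf, so an intermediate signed with SHA-1 has to be checked from the full chain (for example, as exported from the browser).

```python
"""Added example (not the blog's own code): check a certificate's signature
algorithm and probe a server for a legacy protocol. The DER parsing runs
offline; audit_host() needs network access."""
import socket
import ssl
import sys

# Dotted OID -> signature algorithm name, for the algorithms most often seen.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_SIGNATURES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Only that top-level layout is walked; no other certificate field is decoded.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)             # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_weak_signature(der):
    """True when the certificate is signed with a SHA-1 based algorithm."""
    return certificate_signature_algorithm(der)[1] in WEAK_SIGNATURES


def _try_handshake(host, port, timeout, version=None):
    """Attempt a handshake; when version is given, pin both ends of the range to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # we want the leaf even if the chain is bad
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit_host(host, port=443, timeout=5):
    """Live check (needs network): leaf signature algorithm plus a TLS 1.0 probe,
    since this ssl module cannot offer SSLv3 at all (assumption: host name given)."""
    leaf = _try_handshake(host, port, timeout)
    result = {"leaf_signature": certificate_signature_algorithm(leaf)[1],
              "leaf_signature_weak": is_weak_signature(leaf)}
    try:
        _try_handshake(host, port, timeout, ssl.TLSVersion.TLSv1)
        result["accepts_tls1_0"] = True
    except (ssl.SSLError, OSError, ValueError):
        result["accepts_tls1_0"] = False   # refused, or this OpenSSL build cannot offer it
    return result


if __name__ == "__main__":
    # Hypothetical usage: python audit.py example.com
    print(audit_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A refused TLS 1.0 handshake is reported the same way whether the server rejected it or the local OpenSSL build is configured not to offer it, so a negative result from the probe is only conclusive on a client known to still support TLS 1.0; the Qualys report remains the authoritative view of the server side.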

People reading my blog: always listen and watch out for warning signs. Since we are ultra-connected these days, you can never go wrong spending a few minutes on your security. It saves you in the long run.

NZQA and its section 18.

Just figuring out how New Zealand institutions misinterpret the rules set by NZQA in section 18.

From my perspective on LinkedIn,

“NZQA needs to fix rule 18. Anyone doing offshore study with world class universities should be exempted from the rule of 3 year study in an English medium degree. Is it based on geographical location or the course itself? Come on, don't tell me if I studied at University of Cambridge in Estonia, I am any lesser than a graduate “on the ground” in UK. Please fix that NZQA. Anyone with NZQA please take note.”

Remember, geographical locations matter. If you want to study at Monash, go to Australia and do it. The same goes for a lot of offshore campuses in Malaysia.

Either way, you still need an IELTS/TOEFL. You can't run away.

1. Previous primary and secondary study in English

International students from countries with a student visa approval rate of at least 80 per cent that can provide clear evidence of either:
(a) completion of all primary education and at least three years of secondary education (that is, the equivalent of New Zealand Forms 3 to 7 or years 9 to 13), or
(b) completion of at least five years of secondary education (that is, the equivalent of New Zealand Forms 3 to 7 or years 9 to 13)
at schools using English as the language of instruction are eligible for enrolment at all levels of the NZQF.

2. Previous tertiary study in English

International students that can provide clear evidence of completion of a tertiary qualification of at least three years’ duration with English as the language of instruction in New Zealand, Australia, Canada, the Republic of Ireland, South Africa, the United Kingdom or the United States, are eligible for enrolment at all levels of the NZQF.

Scholarships currently available from various countries.

Anyone keen on getting scholarships? This is a list of scholarships available globally. Go check it out!

8. Korean Government Scholarship (…)
9. Belgium Government Scholarship (
11. Sciences Po France (…/the-emile-boutmy-scholars…)
12. Utrecht University Netherlands (…/grantsandscholarships/Pages/utrechtexcel…)
13. Prasetya Mulya Business School Indonesia (
14. Brunei Darussalam Government Scholarship (
15. Monbukagakusho Scholarship Japan (
16. Paramadina University Master Fellowship Indonesia (…/paramadina-medco-fell…)
17. PPM School of Management Indonesia (
18. University of Twente Netherlands (…/scholarshipsandgrants/…/)
19. Sweden Government Scholarship (
20. Chinese Government Scholarship (…)
21. Taiwan Government Scholarship (
22. United Kingdom Government Scholarship (
23. Panasonic Scholarship Japan (…/scholarships/…/requirements/)
24. Ancora Foundation Scholarship (
25. Asian Public Intellectuals Fellowship Japan (
26. AUN/SEED-Net Scholarship (
27. Art Asia Major Scholarship Korea National University of Arts (…)
28. Ritsumeikan Asia Pacific University Japan (
29. Seoul National University Korea (…/gradu…/scholarships/before-application)
30. DIKTIS Overseas Scholarship (
31. Honjo International Scholarship Foundation Japan (
32. IDB Merit Scholarship Programme for High Technology (…)
33. International HIV & Drug Use Fellowship USA (
34. Nitori International Scholarship Foundation Japan (
35. School of Government and Public Policy Indonesia (
36. Inpex Scholarship Foundation Japan
37. Asia University Taiwan (
38. Macquarie University Australia (…/macquarie_university_international_…/

Hosting game servers in this part of the world

Off topic perhaps from my usual ranting, this post is directed at Valve.

I am an ardent fan of Left 4 Dead 2. I play the game with my friends using a Steam server, and my friends are located on the other side of the world. What makes it a whole lot crazier is the scarcity of servers in this part of the world (New Zealand and Australia).
It is annoying when latency hits a nominal 900ms when I play games with, I believe, servers located in Seattle, WA. I can't do much either with the traffic engineering controls on the carrier circuits, which do their magic to reach your servers in 900ms (RTT), I hope. My team's whole idea is basically to host a couple of servers using Amazon AWS so that users in the Australasia region can get proper latency when they play high fps (frames per second) games.
Given that the closest data center is located in Sydney, hosting a bunch of game servers in Australia would no doubt benefit us. If Amazon is the best route to take, at least our worries would only be the data center to data center connectivity, not the RTT it takes just to reach one.
We have yet to come up with the architecture, but once we do we will post it up here to get a move on. I really hope Valve hears us. Though we are Pacific cousins, the gaming world should not be separated by the vast ocean.

Sites and checks for security professionals on the go

As I've worked in the security field for a short stint, there are many things I've picked up.
1. Learn shortcuts in a job, one being able to pick up the little tools on the net.
2. Read a lot; it is very important to keep up to date.
3. Script.

1. Shortcuts.
To test a web server response, use
It's an amazing site to check responses from a web server.

To check SSL certs, use the Qualys SSL Labs server test.
Great site to test your SSL certificate and potential vulnerabilities.

To check the activity of a website and how things run,
the Firebug plugin on Mozilla.
Amazing little tool. Of course, with Google you can use their developer stuff. A great way to learn.

Subscribe to US-CERT. Important! Of course, follow my blog too; I'm very connected to people and their blogs.

2. Read heaps.

Pick up CSO Online. Great articles.
The RSA blog
Depending on your flavor of security, you can always check out vendor blogs
Threat intelligence-wise, I found Lockheed Martin and some of the BAE articles are nice.
Dark Reading
Again check my blog!

3. Script.

Learn Perl and Python. Codecademy has some good stuff; check them out too.
MIT online or Stanford are nice places to learn too.
Scripting, no, not my blog, lol.

Hope the advice helps.

Journey of SSCP

Good day guys,

Sorry for the long wait on a post. I have been hitting the books and yes, it is SSCP. One might be thinking, why do the SSCP and not the CISSP? For one, SSCP only covers 7 CBK (Common Bodies of Knowledge) and CISSP covers 10. SSCP has a lower requirement in terms of experience for getting the full qualification, and CISSP needs 5 years in one of the 10 CBKs.

As I go through this period of preparation for my exam in November, I shall post on various things I have gone through to prepare for this exam. An interesting text I'll be using as backup is Security in Computing by the Pfleegers. I find that book to be excellent for technical security. I gave Shon Harris a pass, but I might just watch her video presentations instead. Perhaps worth a watch.

Till next time.