Thursday, December 31, 2009

A Stamp Costs $.44

I actually have a point to make today. Expanding upon my post on Twitter (@mock7), I was doing some basic math yesterday and came up with a pretty scary realization.

According to this SC Magazine article, Pennsylvania State University recently stated that they are working to notify approximately 30,000 individuals whose personal information may have been compromised in a recent malware attack.

Forget about mitigation.

In fact, forget about the cost of 30,000 sheets of paper and envelopes. Ink and the wear & tear on printers. Oh...they used a company like FedEx Office? Even more costly.

Forget the salary of the person who has to type up the letter, and the person who has to edit the letter.

Forget the cost of credit monitoring that will probably be offered to those whose information was put at risk by this attack (Equifax 'ID Patrol' is ONLY $14.95/month - $14.95 x 12 months x 30,000 people = $5,382,000).

Nope...forget all that, and consider this: Today, a first class stamp costs $.44, and Pennsylvania State University (aka Penn State) is literally going to spend more money on postage for the 30,000 letters they have to send to individuals - informing them they may be at risk - than they would have spent on a good vulnerability assessment.

FUD (fear, uncertainty, and doubt) tactics, which seem to be a necessary evil in ANY security industry, are becoming more and more obsolete in information security because the numbers are really starting to speak for themselves.

Thursday, October 22, 2009

How Facebook "Fan" pages and a small digital footprint can make someone a target

A little while ago, I noticed that financial institutions (banks, credit unions, etc.) are creating "Fan" pages on Facebook. I assume this is being used as a marketing tool so "fans" can advertise that they are happy using whichever bank it is they use.

Although this marketing concept LOOKS good on the surface (inexpensive to maintain, broad market coverage, free advertisement, etc.), it has piqued my interest from an information security standpoint.

Any social engineer worth their salt will be quick to exploit the information which is being handed to them on a silver platter. There is no restriction for membership on a bank's fan page, therefore, anyone can become a fan...even someone with a fake profile. From there, it is very easy to access a list of Facebook users who use the bank.

Now that the social engineer knows a person's name and what bank they use, it's not long before they find an email address (especially if it is posted to someone's Facebook page). A simple "your account needs updating" email along with a link to what LOOKS like your bank's website, and the social engineer just got handed someone's account number, password, etc...(for example: compare http://www.wellsfargo.com/ to this screen shot of a fake Wells Fargo website; http://cache.gawker.com/assets/images/consumerist/2009/05/051309-004-fake-wells-fargo-site-2.png)

Be sure to check your URLs when you click links, and watch out for those .ru and .cn extensions!
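One way to automate the URL check described above, as an added example that is not part of the original post: it parses each link the way a browser would and compares the real host with the bank domain the reader expects. It goes further than watching for .ru and .cn, since a look-alike can sit on any extension; `EXPECTED_DOMAINS`, `checkLink`, and the sample links are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). EXPECTED_DOMAINS is an assumed
// list of the sites the reader actually banks with. The sample links below are
// constructed and use reserved .example / .test names and a documentation IP.
const EXPECTED_DOMAINS = ["wellsfargo.com"];

// True when host is the expected domain itself or a subdomain of it.
// Requiring the leading dot stops "notwellsfargo.com" from passing.
function isUnderDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { host, trusted, reasons } for one link target.
function checkLink(href, expectedDomains = EXPECTED_DOMAINS) {
  let url;
  try {
    url = new URL(href); // same parsing rules a browser applies to the link
  } catch (err) {
    return { host: null, trusted: false, reasons: ["not a valid absolute URL"] };
  }

  // Normalise case and a trailing dot so comparisons are exact.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const reasons = [];

  if (url.protocol !== "https:") {
    reasons.push("not served over HTTPS");
  }
  // Anything before "@" is a username, not the site; the real host follows it.
  if (url.username !== "" || url.password !== "") {
    reasons.push("URL contains user info before '@'");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    reasons.push("host is a raw IP address");
  }
  // Non-ASCII look-alike letters are converted to "xn--" labels by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("host contains non-ASCII (punycode) characters");
  }

  const matched = expectedDomains.find((d) => isUnderDomain(host, d));
  if (!matched) {
    reasons.push("host is not an expected domain");
    // The bank's name showing up elsewhere in the host is a look-alike sign.
    const brand = expectedDomains
      .map((d) => d.split(".")[0])
      .find((name) => host.includes(name));
    if (brand) {
      reasons.push(`"${brand}" appears in the host but is not the registered domain`);
    }
  }

  return { host, trusted: reasons.length === 0, reasons };
}

// Constructed sample links: one genuine, three that only look genuine.
const SAMPLE_LINKS = [
  "https://www.wellsfargo.com/",
  "http://www.wellsfargo.com.account-update.example/login",
  "https://www.wellsfargo.com@login.test/",
  "http://192.0.2.10/wellsfargo/",
];

for (const link of SAMPLE_LINKS) {
  const result = checkLink(link);
  const verdict = result.trusted ? "OK     " : "SUSPECT";
  console.log(`${verdict} ${link}`);
  for (const reason of result.reasons) {
    console.log(`          - ${reason}`);
  }
}
```

Only the first sample link passes; the others are flagged because the host that the browser would actually contact is not the bank's domain, even though the bank's name is visible somewhere in the link.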

Even someone with a minimal digital footprint can easily make themselves a target if they are not careful on social networking websites. So when utilizing these sites for personal or promotional use, please exercise caution...it really will keep you from becoming a victim.

Has anyone ever attempted to scam you? Did it work? Have you been the victim of identity theft? Feel free to contribute your thoughts, experiences, recommendations, etc!

Tuesday, June 16, 2009

June 19...free-form writing.

Woke up last night to the sound of two animals fighting. One was definitely a cat, but not sure what the other animal was. Either way...the cat lost. Sounded like a baby crying as it tended to its wounds.

Had a bit of trouble getting back to sleep and woke up at a very early hour. I am currently experimenting with how much coffee I can drink without getting too jittery. Cup #2 is doing a nice job right now. I started using Splenda in my coffee instead of sugar...I like 'Sugar in the Raw' the best, but I gotta watch the waistline...bikini season and all :-P

This writing is a much needed reprieve from compiling spreadsheets, making sales calls, and responding to emails...it's nice to relax for a few minutes.

Speaking of sales, I recently received a copy of some of Anthony Robbins' material from a good friend who owns his own company. He said it's been very helpful on his road to success, so I feel the strategies will assist me in my career with Lares!

I'll be spending the weekend mornings reading/listening and will keep you posted on my progress!

For now, I am on the couch...laptop living up to its namesake...watching the US Open golf tournament on TV...enjoying just being for a bit.

Wednesday, June 3, 2009

College Writing

I wrote this about three years ago as an assignment in a college writing class. Now self-published via blogspot for the world to read:


Waking Before Hitting Ground

The screen is blank in front of me and I am breaking into a cold sweat. I wonder if Salvador Dali ever sat in front of a blank canvas and wondered where to begin. I have so much insight into the life of Dali, yet I am having trouble developing a concrete idea between the relationship of seeing and knowing. How did Dali know that when someone saw his paintings, they would know the meaning? Did he care? I suppose I shouldn't care so much about whether or not the reader can derive meaning from the words scribbled onto this parchment. As long as I know what it all means, then that's all that matters, right? That is art! That is exactly what Salvador Dali created when he painted "El Somni."

A midnight blue-sky fades to white on its way to the pitch black Earth below, setting the background of "El Somni." In the forefront, an intriguingly strange image steals the focus of the painting. Beneath a dissipating moon is the profiled head of a sleeping man, its shape held by eleven crutches of varying length and position. One long crutch holds the forehead in place using the earth as an anchor, as another keeps the chin and lips from dropping to the ground. If the crutches were all removed, surely the head would turn into an amorphous mass.

Black, brown, and tan in color, the top of the head is bald and resembles a sand dune. A furrowed brow gives the appearance of deep concentration while pink, chapped lips are in need of a cold drink of water. A disproportionate nose juts out over the lips, shielding them from the rays of a rising sun. Oddly, a black cloak is draped where an ear should be found and the black rear end of the massive head looks like a half-deflated balloon, draped over the U-shaped end of a crutch.

A white and brown-specked spaniel leans on a crutch to the left of the profiled cranium. The dog looks elderly, worn-out, and emaciated. Human emotions of contempt and fatigue are evident in the dog's face as it looks at the sleeping head. Without its crutch, the dog would most likely succumb to the warm, sun-lit ground below for a nap.

With a bathrobe and a headdress of some sort, a figure walks slowly away from the dog. Hands in the robe's pockets, the figure looks at the hills in the distance and takes note of his/her long shadow. Perhaps he/she is walking toward the rowboat that is in the background.

Lastly, a small town that resembles an Italian villa stands alone in the background in the right periphery of the painting. As with most villas of its size, the largest and most central building is the house of God. The church is surrounded by white steps and structures, a green hilltop, and black rocks. The brick church, which dwarfs the other buildings in the villa, is the color of brick that has endured centuries of harsh rain, blazing sun, and relentless wind.

Initially, Salvador Dali's "El Somni" feels as if one is looking into the dream of a stranger, yet the images are eerily familiar. The images portrayed seem to mix both the dream world and reality.

The head appears soft and almost as vulnerable as human beings are when asleep. After a long day facing the harshness of reality, the dream world seduces and holds the subconscious. As a crutch holds steady a person with a broken leg, the dream world gives the brain a retreat from the nuances of the physical world. Possibly representing reality, the head is shrouded in the darkness of night. Senses are deprived of any stimulus allowing the being to sleep, uninterrupted.

In the background, it is a bright, summer day. Serenity and warmth allow the brain to relax and forget the troubles of the conscious world. The robed figure may, perhaps, be an old girlfriend or boyfriend returning to the bedroom after a long, hot shower for a session of lovemaking. The dog may have been a childhood pet, long since gone from the realm of the living, but existing forever in dreams. The Italian villa may not even exist, save for this dream, or perhaps it is where the subject of this painting spent childhood summers on the Mediterranean Sea.

The images appear as in a dream, connected in some way, but with no transition from one to the next. The figures in the painting are detailed, yet blurry, as is often the case in a dream. "El Somni" seemingly attempts to capture the journey of the mind as it gives in to sleep and moves into a completely different state of being.

Not quite convinced that I had truly captured the meaning of "El Somni," I found myself at the local library with a list of books found on Google. I began reading George Orwell's book, Dickens, Dali & Others: Studies in Popular Culture, which houses a very insightful essay entitled "Benefit of Clergy: Some Notes on Salvador Dali." This essay takes a deeper look into Salvador Dali's autobiography The Secret Life of Salvador Dali (Pub. 1942).

Orwell highlights "some of the episodes of Dali's life, from his earliest years onward. Which of them are true and which are imaginary hardly matters; the point is that this is the kind of thing Dali would have liked to do." (1) For example, one of the most insightful episodes is when Dali describes his first meeting of his future wife, Gala. He claims to be tempted to push her off a cliff, and feels as if she wants him to do something to her. After their first kiss, she confesses that she does not want Dali to make passionate love to her, but to kill her!

According to Orwell's essay, Dali is disappointed by her confession, since it is what he wanted to do in the first place. Dali freely admitted necrophilia - the obsessive fascination with death and corpses, an erotic attraction to, or sexual contact with corpses - and images of skulls, corpses of animals, and dead faces occur fairly frequently in his paintings.

Another source of Dali's influence was the great works of art created by the Greeks. Dante: La Divine Comedie is a book which depicts numerous Dali paintings that were influenced by Greek mythology. Dante: La Divine Comedie does not detail in writing how Greek mythology influenced Salvador Dali's works, but it is quite apparent by viewing prints such as "The Apotheosis of Homer" or "Leda Atomica." But not all of Dali's mythology-inspired paintings are in his most recognized style.

Dali's personal style that he is most renowned for is surrealism. Utilizing the psychological theory of Dr. Sigmund Freud, "surrealism explores the world of the subconscious that is only visible in dreams." (2) Dali's most recognized surrealist painting, Persistence of Memory (1931), depicts melting clocks in a desert wasteland. To create these visions, Dali utilized the paranoiac-critical method, a phrase that he coined and defined as "a spontaneous mode of irrational understanding experienced by entering alternate levels of reality." (3) Dali would reach these alternate states of reality via two methods: sleep deprivation and hallucinatory drug use.

With this insight into his life and the sources of Salvador Dali's creativity, the message of "El Somni" becomes much more apparent. Knowing about his obsession with death and corpses, when I look at the sleeping man in the painting, I can't help but think that he isn't sleeping at all. He is deceased. The crutches are holding his inanimate face in place so his loved ones may recognize his soul-less body. When rigor-mortis sets in, the crutches can be removed and the face will hold its shape. A common myth is that the soul of a man is removed through the back of the neck - exactly where the black cloak of Death is resting in the painting. In fact, the entire head looks as if it is having the life drained from it.

The images in the background of "El Somni" are clearer now, more than ever! I feel a rush of excitement - as if I've just broken a code of some kind! Dali's influence by Greek mythology never impacted my view of "El Somni" before this moment. The robed figure in the background is Charon - the ferryman of the River Styx. The River Styx is a mythological crossroad between the world of the living and the realm of the dead, called Hades. One would face a giant, three-headed dog named Cerberus, who would allow entrance into Hades after one successfully crossed the fiery River Styx. Cerberus is portrayed in "El Somni" by the brown-specked spaniel that leans on a crutch.

In the last three days I have developed a new interpretation of Salvador Dali's "El Somni." By knowing more about the background and influences of Dali, I am able to see new meaning in his art. Knowledge impacts how the mind sees and interprets the outside world. You may look at the love of your life and see the person of your dreams one day, but if you know that they have committed adultery, you may see them as a disgusting and vile person the next. This principle applies to art, as well. When I first viewed Dali's "El Somni" I accepted that it depicted the mind's journey into the world of dreams and peace, but it is really analogous to Death's visit.

______
1. George Orwell, "Benefit of Clergy: Some Notes on Salvador Dali," Reynal & Hitchcock, 1946
2. Frank Weyer, Salvador Dali - Life and Work, Konemann Publishing, 1999
3. Albert Field, The Official Catalogue of the Graphic Works of Salvador Dali, Dali Archives Ltd., 1996

Thursday, May 14, 2009

Twitter, Facebook, Hockey, and Beer

Am I a Twitter-stalker?

I feel like a total stalker when I 'follow' someone on Twitter - whether they are a friend, colleague, or just generally cool person - and they do not follow me back. I think this makes me an unwilling twitter-stalker.

At least on Facebook I can 'lurk' on someone's profile...but they have to make me a friend first. I don't feel quite as creepy when checking out someone's status updates, pictures of their family barbecue, and adding their cell phone number to my BlackBerry.

On that note...if you post your cell phone number on the internet ANYWHERE, please do not complain via your status updates about how you received a telemarketing call on said cell phone. Let's be a little more careful with our personal information, people!

I am happily writing this after getting some inspiration today from my friend Amy, who has a very fun and well-written blog titled: The Petite Filet

I warn you...After reading her blog, you will want a snack. I just had a bowl of cereal...it's late and I don't want to eat too much before bed. Although what time I hit the hay all depends on how late the Boston Bruins vs. Carolina Hurricanes Overtime lasts.

They are in Game 7 of their Eastern Conference SemiFinal playoff series...winner moves on. The Detroit Red Wings (my favorite team since I met Gordie Howe when I was 9 years old) triumphed over the Anaheim Ducks tonight with a 4-3 Game 7 victory in their Western Conference SemiFinal game.

Either way, I will enjoy a delicious Yuengling Light Lager...which is not available in New England. Luckily, my fiance's brother's girlfriend (got that?) goes to Penn State. When she came home for her summer break from school, she brought us 8 cases of my favorite beer. I am very excited to have another....RIGHT NOW.

Thursday, April 23, 2009

Filet Mignon for lunch!

Two weeks ago Chris Nickerson was in town for some business. It was fantastic having my best friend stay with my fiance and me in our townhouse apartment! It gave us a lot of time to come up with a strategy to best implement my talents into working in tech sales for his company, Lares (www.lares.com).

Since I understand the overall concept of ROI through preventative assessments / pen tests, he assured me that I do not need to know the technical side of things. THANK GOD.

While he was in town, I attended my first ISSA chapter meeting. My first 'conference' was a very good one. I was able to see some very comprehensive presentations, including Chris's hour-long talks about Social Engineering as an integral part of pen testing. I also made fast friends with Dan Marcil - Vice Pres. of ISSA's Hartford Chapter - and after the meeting we enjoyed a few pints of the delicious Naughty Nurse brew, courtesy of City Steam Brewery.

Fast forward to the end of the week, since Chris and I are friends and didn't want to spend the whole week discussing work stuff!

The day he left, he and I were discussing a new SaaS platform-based product for Web Application testing, called White Hat Security (www.whitehatsec.com). He told me about a meeting coming up the following week that he had been invited to, which would provide a better understanding of the product.

He asked if I would attend the meeting in his place, since he was about to head home to Colorado. I immediately agreed, and was subsequently invited to a very enjoyable information session / lunch meeting at Morton's Steakhouse.

I certainly learned a lot and realized how much I have learned in a short period of time. If I had attended that meeting three months ago, I would have been COMPLETELY lost. Especially when they started talking about the more technical side of the product.

So, although I'm pretty new to the tech sales game, I have really enjoyed it, thus far. I just hope it keeps involving meeting such great people and enjoying swanky lunches!

Now...if I could just find some clients who want to play golf...

Friday, March 13, 2009

Social Engineering Master Class @ ChicagoCon!

This was a really fun webcast I had the pleasure of listening in on, featuring Mike Murry, Chris Nickerson, and Don Donzal from EH.NET.

Chris is really pumped about working on the SE Masterclass with Mike. They are both huge resources in the SE community and they are setting the bar impossibly high for this class.


The info:
In this 1-hour webcast, you'll be taken on a whirlwind adventure back to the days of the first charlatan, forward to the dawn of the Internet and smack dab into the present where these two topics are merging to form the most effective attacks to date.

Topics include:
-Brief history
-How do I utilize recon data in a SE attack
-Highly effective client-side attacks combining SE with exploit frameworks like Core IMPACT & Metasploit
-Business value in adding SE to your pen testing efforts
-How to learn what they know


It has become imperative to assemble a world-class team of experts to train professionals on the technologies and methods of the most dangerous and costly attackers, social engineers. ChicagoCon has responded with the first ever offering of the Social Engineering Master Class, developed and taught by Mike and Chris from May 4 - 8, 2009.

For more information, please visit www.chicagocon.com/2009s/semasterclass.html.


If you are looking for a class to show you a new way to ask for a password or silly parlor tricks to mess with someone's head, then this course is not for you! If, however, you desire to uncover advanced level material of both a technical and psychological manner, and learn the repeatable methods to gather intelligence, execute attacks, manipulate situations, and formally track a company's susceptibility to social engineering... and be able to mess with someone's head, then there simply is no other course like this in the world.


Two additional announcements:
- After the live event, come right back to this thread to talk to Chris and Mike.
- A coupon code for a huge discount to the Social Engineering Master Class at ChicagoCon 2009s will be shown during the webcast. Don't miss it!!

HERE IT IS!
http://www.ethicalhacker.net/content/view/242/2/


If you want to ask questions or make comments about the class, we have opened up a thread on EH net to keep the interaction going:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3616.0/

Back in the Game

When it rains, it pours!

Been living off caffeine because I have so much going on right now. Along with my latest venture managing accounts for Lares (www.lares.com), I am officially back in the music game...albeit in a more limited capacity than before.

Tourian Music Group - originally founded to market and promote DJ Scratchator of the Flipmode Squad - recently evolved in a very positive way. J.P. Morgan 'GRRIM,' who started out as the Global Marketing Director for DJ Scratchator, has recently accepted the opportunity to work with Busta Rhymes as his International Booking Agent.

We are currently in talks with some sponsors about a US Tour with various artists, and are hoping to donate a significant portion of the proceeds to support battered women & children. If this works out...it will be very beneficial to all parties involved.

Very exciting stuff...and more details to come when I have them!

Okay...back to work!

Sunday, March 8, 2009

Ski Lift Advice

On Saturday, I was invited to work an event for SOBE Life Water at a teeny, tiny ski hill here in CT. The chance to strap on my snowboard and hit any kind of slopes, for free, while promoting a decent product is always hard to pass up...but especially when it is so warm out that I was able to snowboard all day in a t-shirt!

So off I went...and it was a very fun day. While boarding, I wound up on the ski lift with a member of the hill's ski patrol. I am not an introvert, so quickly struck up a conversation with the older gentleman. He inquired about my t-shirt which gave away the fact that I was working the SOBE promotion on the hill. I told him how I work weekends for a promotional event company for "fun" money. After that, I explained how I work from home full-time, and recently took on my first venture into the sales field with Lares.

I told him how intimidated I was to get into a fully commission-based income, and he simply agreed and said, "Yeah...you don't sell...you don't eat."

We had a chuckle and then I, in the natural flow of conversation, asked what he did for a living. He smirked and said, "I'm a sales manager for a plumbing distributor."

It was a very funny moment, but he immediately started telling me about his 35 years in the business and how selling a product is really not about the product at all...Although you have to KNOW your product, he said, it's about selling yourself.


This is a very quality piece of free advice that I plan to take with me into my ventures with Chris Nickerson's company.

Thursday, March 5, 2009

Social Engineering...not just for Pen Tests anymore!

I never enjoy receiving sales calls from anyone, especially Telemarketers. I have signed up for the National DO NOT CALL gimmick, but still receive intrusive phone calls...ON MY CELL PHONE...at least once a day.

From my previous posts, you know that I recently took on an exciting new position as an Account Executive for Chris Nickerson's security consulting company, Lares (http://www.lares.com/).

Yesterday I asked myself, aloud (c'mon...I work at home ALONE all day), "how much of a pain in the 'you-know-what' am I being while making prospecting calls to companies???"

It's kind of a nuisance for all parties involved; I literally have to social engineer my way past customer service reps, administrative assistants, dogs, bees, and dogs with bees in their mouths so when they bark they shoot bees (I love the Simpsons...and I digress) just to get to speak with a generally disinterested person on the other end of the phone who is most likely too busy to talk with me in the first place, or not the person I need to speak with anyway.

I will continue my verbal quest to show people the potential returns on their investment in preventative security measures, but will definitely be implementing a few new strategies to build my account network.

I'll keep you posted and will let you know if I take over the classes for Dale Carnegie.

Wednesday, March 4, 2009

Outsider/Contractor Best Security Practices

originally written by Chris Nickerson*

Edited by me.

1. Corporate Email access to contractors:

Not sure why in ANY situation a particular contractor working at the location would need this address. Their mail functions should work fine to facilitate all they need. If you are 1099'ing a contractor to "white label" as your company, you'd definitely want them to look and feel like a W-2 employee where email would be important and would grant access to it (albeit limited).


2. Internet access:

Should be on the corporate network or provided via a dedicated network. Well...assuming your accountability as high, it would be easier to grant separate or proxied access to the net. Even if a single point of failure or choke point (which would not be an issue, given that you have zero priority to availability) would lend the most functional ability to make users accountable for their traffic and increase the overall confidentiality of the data if the right DLP/Content Filtering controls were in place for egress and ingress.


3. Network access to corporate or a separate DMZ for Contractors:

This really depends on what the contractor is doing. I am a big fan of the "you get nothing until you can justify WHY you need it" policy. If they are supposed to be scanning or testing from the perspective of an internal user, then they should probably have access. If they are doing your taxes, on the other hand, tell them to use their 3g card to get on the net.


4. Directory accounts (AD accounts for contractors):

Again, it should be based on need. Most do not need an account. Sneakerware, email, USB - all using encryption - should be just fine to get what the contractor needs to get the job done. However, if they are supposed to audit many configurations, fix a server, or do other Administrative tasks, you will "probably need to give them access." My advice in this instance is to LOG EVERYTHING THEY DO!!!! And I mean EVERYTHING. Got it? Say it with me now...EVVVV - REEEE - THIIIING. Okay...I'll move on.


5. Methods of Ensuring accountability at the end of project cycle by the contractors:

Removable drive access, email, and web to ensure they abide by the NDA signed. I make my consultants save ALL work onto an encrypted USB drive. At the end of a project's delivery stage, the client can choose to either immediately destroy, or allow us to follow our 90-day client data destruction guidelines. In reality, all these questions come down to the level of sophistication, process, and methodology used by your contractors. They should ALL have data destruction, data privacy, data handling, reporting, 3rd-party user access control, project requirement, and NDA agreements/methodologies that are followed and are able to be audited by you (the customer). If they don't have these documents, and follow them on a regular basis, it's not a repeatable process and they will gladly "wing it" to get your business. I have MSA, DATA PRIVACY, and Master Service Agreements signed for all clients concerned with all of the areas listed above.



*Information provided with express permission to publish on blogger.com by:

Chris Nickerson [CISSP,CISA,IAM,17799,CCNA,MCSE]
Founder and CEO
Lares Consulting
(C): (720) 217-3087
cnickerson@laresconsulting.com

Tuesday, March 3, 2009

How the heck did I get here???

In January 2009, Chris Nickerson - Founder and CEO of Lares (http://www.lares.com/) - offered me the opportunity to make his company's first outbound sales inquiries...via phone, email, Twitter, Facebook, LinkedIn, and however else I could manage to build the buzz about his company.

So how come I got this opportunity??? Hope you have a few minutes!

Chris and I grew up in a suburban town in Eastern Connecticut and spent our time "social engineering" our way past the adults at the local, ritzy swim-clubs so we could use the tennis courts and pools on blistering summer days. It was no surprise to me when, after departing for the greener pastures of Kansas City, Chris was quick to embark on a career path in the information security industry. From his time spent working as a Security Architect for Sprint to the day he decided to begin his own security consulting company, Chris has quickly become a pioneer and a leading authority in the industry.

As for me...I certainly went a less conventional route to the position I am in now as an Account Executive for Lares. In High School, I generally skated by on personality and charm, with the occasional half-assed completion of a homework assignment. I learned the hard way that this approach did not work at the collegiate level. With a one-point-something grade point average after three semesters, it was pretty evident that I had some real learning to do.

I was lucky to have an Uncle who worked in middle-management at a Hartford-based insurance company so, with his assistance, I ventured into my first insurance company cubicle job. It was fantastic! I was 19 years old and making good money for a relatively easy job.

But after about a year, I was losing interest and started to skate by on personality with a little bit of bullshit sprinkled on top. I quickly found myself a 21 year-old who was stuck in a cubicle with no advancement opportunities and, even worse, no motivation...So I decided to try something new and exciting.

I signed 'the dotted line' on August 7, 2001. A little over a MONTH before 9/11 occurred. The Army National Guard was my route to a tuition-free college education, but everything changed after that. 6 years (and 2 active duty tours) later, I found myself wondering, again, what the heck to do when I grow up...

Humble pie can actually taste pretty effing good when you swallow it with a big ol' glass of pride. I spent a couple of years after leaving the National Guard doing a lot of soul searching, using my benefits as a Veteran to attend college again, doing odd jobs, begging, borrowing, and stealing (don't worry...it's just a figure of speech). After all that, I wound up in that cubicle environment again, only this time with a much brighter outlook. This led to the opportunity to work full-time from home...which is where this story is being written right now. If not for this opportunity with my full-time job, I wouldn't have had the liberty to say yes to what occurred next...

Chris Nickerson and I have stayed in touch since he moved to Kansas our Junior year of High School, so it was no surprise when I received a text message from him on New Year's Day. Only this time his inquiry was a little different in nature;

"Wut r u doin nxt week?" he inquired.

Figuring his work was bringing him to the East Coast - which usually leads to us drinking heavily in New York City on a work night - I responded with a quick, "Hanging with you?"

He promptly shot back, "flying u to Vegas...got a job opp 4 u"

And so he did. We spent the week of CES discussing what types of services his company offered and I was immediately hooked. How could I not be excited about working to create a buzz about products and services that seem to come right out of a movie (Sneakers - starring Robert Redford - comes immediately to mind)!!???!!???

I am not yet a learned member of the information security industry...but with the guidance of Chris and the other experts at Lares, I have a feeling I will not be venturing into other endeavors any time soon. And I will be lame and take this opportunity to thank everyone for getting me where I am today. I just can't wait to give it all back.


Thanks for reading this excerpt...until next time (don't worry...there will be some information on social engineering, infosec, etc...)

Thursday, February 26, 2009

Not pretty...but sure does cost your business a lot of $$$


http://tinyurl.com/b8knak - amateurs sure don't make it look pretty, but they still obtained ~1300 Social Security Numbers.

In an economy where most businesses are cutting IT budgets and security is even viewed as a "luxury," preventable information breaches are becoming a daily occurrence at companies around the globe. This is only one small example...

Lares - a vendor-independent security consulting firm - assists companies to secure their electronic, physical, intellectual and financial assets using a unique blend of assessment, penetration testing, and coaching.

Check us out today at http://www.lares.com/ and let us help you "protect what matters most."