lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: purdy at tecman.com (Curt Purdy) Subject: Security Certifications hilarious. cept the fee is $450, not $2k. Curt Purdy CISSP, MCSE+I, CNE, CCDA Senior Systems Engineer Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of B3r3n Sent: Friday, March 07, 2003 1:01 PM To: hellNbak; Ron DuFresne Cc: Rizwan Ali Khan; full-disclosure@...ts.netsys.com; security-basics@...urityfocus.com; certification@...urityfocus.com Subject: Re: [Full-Disclosure] Security Certifications Guys, Never read the CISSP trojan? Nice no? _________________________________________ Security Advisory MA-2003-01 CISSP - Trojan Security Certification Original Release Date: Thursday January 16, 2003 Last Revised: -- Source: -- Systems Affected o Information Security Community o Information Technology Employers o Information Security Consultants Overview It has recently been identified that The International Information Systems Security Certification Consortium (CISSP) has developed and released a potentially destructive trojan application, which masquerades as a valid standard for professional certification in the field of information security. I. Description Delivered in the benign form of a six hour examination, the CISSP prompts target user with a series of 250 questions regarding the following topics: o Access Control Systems & Methodology o Applications & Systems Development o Business Continuity Planning o Cryptography o Law, Investigation & Ethics o Operations Security o Physical Security o Security Architecture & Models o Security Management Practices o Telecommunications, Network & Internet Security This rather large payload, commonly referred to as the Common Body of Knowledge (CBK), may cause a Denial of Service situation, leaving the target overwhelmed and unable to respond to further requests during the duration of the attack. If the target handles the Denial of Service attack appropriately, and is unaffected, the CISSP trojan discontinues this attack, and self-mutates into a certification of added IS credibility. If accepted by the target, this certification begins to cause the following symptoms: o Increase in self-confidence o Increase in salary requirements o False sense of accomplishment o False sense of self-improvement Despite the symptoms, the target experiences no real benefit whatsoever. The affected target then is made to transfer funds in excess of $2,000 (US) to a remote bank account owned by ISC2. Finally, the affected target promotes itself to a "Certified Information Security Expert" sans authentication. The affected target may then infect others, eventually creating a massive army of unskilled, prefabricated, shrink-wrapped, not for resale, half-assed security engineers, consultants, and "research scientists". II. Impact An abundance of sub-par information security engineers, consultants, and "research scientists". A negative impact on the economy, specifically within the Information Technology sector. III. Solution Avoid any certifications issued by ISC2 until a patch is distributed. Obtain information security related certifications from valid sources. Employers are encouraged to recognize the CISSP as a trojan certification. Appendix A - Vendor Information International Information Security Certification Consortium, Inc. (ISC)2 is the premier organization dedicated to providing information security professionals and practitioners worldwide with the standard for professional certification. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists