lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <000901c2e7ca$5ed89ee0$e600a8c0@RANDALL.local>
From: purdy at tecman.com (Curt Purdy)
Subject: Security Certifications

hilarious.  cept the fee is $450, not $2k.

Curt Purdy CISSP, MCSE+I, CNE, CCDA
Senior Systems Engineer
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of B3r3n
Sent: Friday, March 07, 2003 1:01 PM
To: hellNbak; Ron DuFresne
Cc: Rizwan Ali Khan; full-disclosure@...ts.netsys.com;
security-basics@...urityfocus.com; certification@...urityfocus.com
Subject: Re: [Full-Disclosure] Security Certifications


Guys,

Never read the CISSP trojan? Nice no?

_________________________________________
Security Advisory MA-2003-01     CISSP - Trojan Security Certification


Original Release Date: Thursday January 16, 2003
Last Revised: --
Source: --

Systems Affected

         o Information Security Community
         o Information Technology Employers
         o Information Security Consultants


Overview

It has recently been identified that The International Information Systems
Security Certification Consortium (CISSP) has developed and released a
potentially destructive trojan application, which masquerades as a valid
standard for professional certification in the field of information
security.


I. Description

Delivered in the benign form of a six hour examination, the CISSP prompts
target user with a series of 250 questions regarding the following topics:

         o Access Control Systems & Methodology
         o Applications & Systems Development
         o Business Continuity Planning
         o Cryptography
         o Law, Investigation & Ethics
         o Operations Security
         o Physical Security
         o Security Architecture & Models
         o Security Management Practices
         o Telecommunications, Network & Internet Security

This rather large payload, commonly referred to as the Common Body of
Knowledge (CBK), may cause a Denial of Service situation, leaving the
target overwhelmed and unable to respond to further requests during the
duration of the attack.  If the target handles the Denial of Service attack
appropriately,
and is unaffected, the CISSP trojan discontinues this attack, and
self-mutates into a certification of added IS credibility. If accepted by
the target, this certification begins to cause the following symptoms:

         o Increase in self-confidence
         o Increase in salary requirements
         o False sense of accomplishment
         o False sense of self-improvement

Despite the symptoms, the target experiences no real benefit
whatsoever.  The affected target then is made to transfer funds in excess
of $2,000 (US) to a remote bank account owned by ISC2.  Finally, the
affected target promotes itself to a "Certified Information Security
Expert" sans authentication.
The affected target may then infect others, eventually creating a massive
army of unskilled, prefabricated, shrink-wrapped, not for resale,
half-assed security engineers, consultants, and
"research scientists".


II. Impact

An abundance of sub-par information security engineers, consultants, and
"research scientists".

A negative impact on the economy, specifically within the Information
Technology sector.


III. Solution

Avoid any certifications issued by ISC2 until a patch is distributed.
Obtain information security related certifications from valid sources.
Employers are encouraged to recognize the CISSP as a trojan certification.


Appendix A - Vendor Information

International Information Security Certification Consortium, Inc.

(ISC)2 is the premier organization dedicated to providing information
security professionals and practitioners worldwide with the standard for
professional certification.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ