Security Links for February 2016

Made a blunder on the droplet that runs this blog on Digital Ocean and lost the previous two security link blogs. Luckily I had a backup from August that I was able to restore from. Anyway, here are the security links for February 2016.

Application Security Learning Resources – https://github.com/paragonie/awesome-appsec#application-security-learning-resources

A Dead Simple TCP Intercepting Proxy Tool Set – https://www.praetorian.com/blog/trudy-a-dead-simple-tcp-intercepting-proxy-mitm-vm

Let’s Encrypt Audit – https://community.letsencrypt.org/t/independent-audits-of-lets-encrypt-finished/6518

Introducing the Keybase filesystem – Sounds like a sane approach to encrypting data at rest – https://keybase.io/docs/kbfs

Securely Hash Passwords – https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords

An Interesting Online Scanner – https://www.censys.io/

Another Attempt at Creating a Secure Linux Distro – https://www.parabola.nu/

An open-source network simulator/emulator hybrid (Tor & Bitcoin) – https://shadow.github.io/

For Encrypting/Decrypting Data on the Fly – https://encipher.it/

Red Team Field Manual – http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_3?ie=UTF8&refRID=19V4X7X4WW7215V446N7

Decentralized DNS for Blockchain Applications – https://blockstack.org/

Github Bounty Program – https://bounty.github.com/index.html#open-bounties

Send an Urgent Message to a Friend When You're in Trouble (i.e. Feds are knocking at your door) – http://www.snapmailemergency.com/

Get your cheap exploits here – http://cheapbugs.net/#home

Educating Youth for Cyber Security Careers

This past week I attended the Northeast Ohio Cyberconsortium conference sponsored by a number of entities in the Cleveland, OH area. The goal of the conference was to stimulate a collaborative effort around building up and sharing information around Cyber Security as it relates to the Northeast Ohio area. One of the main talks was about the skills shortage in Information Security and what should be done to increase the talent pool. The proposition (they loved throwing this word around) offered was to build educational programs in the school systems around Cyber Security at as early an age as possible. I think the NSA said that they get the gifted ones as early as 3rd grade and for security we should consider preschool.

The goal is an excellent one, but the reductionist attitude offered presents a number of challenges. One problem is that you simply cannot teach Information Security as an isolated discipline. There are a number of prerequisites that are necessary before you can even start to teach kids security. To name a few:

  • Computer Architecture – x86/x64/ARM
  • Operating Systems – UNIX/Windows/OS X/Android/iOS
  • Programming – PowerShell/Python/Perl/Bash
  • Networking – TCP/IP, OSI, Ethernet, Wi-Fi

These are all complex domains by themselves. Add to that the various security principles that need to be applied, and you can see it’s not as cut and dried as you may think.

Then there are the ethical challenges: to really understand how to secure things, you have to understand how to break things. This will no doubt create dilemmas with existing school policy and what the kids can currently do with school equipment.

So I think what really needs to happen to make this achievable is a complete rewrite of existing educational plans. I think a structure more like college should be implemented where kids that are interested in a given domain like Cyber Security can elect to make it their ‘major’ and by doing so a specific roadmap would be produced for their educational career.

The other thing to keep in mind is that not all kids will be interested in such a field or have an aptitude for it. You need to think about problems in a very detailed and logical way, and not everyone’s brain is wired this way.

Let’s Encrypt Talk @ Debconf15

At this year’s Debconf15, a nice overview of the Let’s Encrypt project was given that you can view here. It’s a nice exposition of the current broken state of CAs and the project’s plan to fix it. Let’s Encrypt is going to be making free certificates available in the next month or so.

Will this be a game changer for commercial CAs that make their profit off of selling certificates? Probably not in the short term, and a large part of the answer will depend upon adoption and getting the Root & Issuing CAs added to the trusted browser stores.