An interesting and fun way to teach ethical hacking.
Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger, but from the characters to the mission cards to the entropy cards, demystifying white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at Black Hat 2012 in Las Vegas that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators “use carrots, not sticks.”
“Humor creates an open atmosphere” that helps break down the shyness around learning, he said during the conference session about the game. People are more likely to ask questions about things they think they should already know, he explained, if it happens as part of a game.
Games, he noted, range from ones as easy to learn as Go or dice games all the way to Dungeons & Dragons or Settlers of Catan. Basing Control-Alt-Hack on a game with humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.
In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 “person” cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.
Look for it on store shelves later this year.
- Control-Alt-Hack: Can You Teach Hacking with a Card Game? (tomshardware.com)
- Card Game Turns You Into a White Hat Hacker (pcworld.com)
- Old-school card game delves into the dark world of computer security breaches (geekwire.com)
Some great basic tips for the average user to protect your computer:
Firstly, the most basic computer security tip is to run anti-virus software and keep it updated. It detects and blocks known malware, but it does not protect you against losing data: anti-virus does not back up your files, so if you want to recover them after an infection (or a disk failure) you need separate, regular backups. Also be careful which product you install. Do not settle for a substandard or unknown program pushed by a pop-up or an unsolicited download; fake “anti-virus” is itself a common way to get infected rather than protected.
Another very important point pertaining to computer security is that you should not open email attachments from unknown senders. Many of these emails exist purely to deliver malware, and an attachment that looks like a document or an invoice can damage your files or take over the entire computer, so it is better not to open them. Treat an unexpected attachment from a known sender with the same suspicion: a compromised account sends mail in its owner’s name.
Using strong passwords is also a very important tip for securing your computer. Length matters more than mixing in a few digits: a long passphrase of several unrelated words is far harder to guess than a short password with a number tacked on the end, and anything that appears on a list of commonly used passwords is found instantly regardless of its mix of characters. Use a different password for each site, so that one breached site does not expose the others.
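To make the “long beats complex” point concrete, here is an added example (not code from the original post or from any of the linked articles) that estimates the brute-force search space for a few passwords and applies the checks described above. The character-class sizes, the short list of common passwords, the 12-character minimum and the assumed attacker speed of 10 billion guesses per second (an offline attack against a fast hash) are all assumptions made for the example, and the sample passwords are constructed.

```python
import math
import string

# Character classes an attacker has to cover when brute-forcing.
# A space is treated as its own class so passphrases are handled.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
    "space": {" "},                         # 1
}

# Constructed stand-in for a real wordlist (attackers use lists with
# millions of entries, e.g. leaked password dumps).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}

MIN_LENGTH = 12            # assumed policy minimum
GUESSES_PER_SECOND = 1e10  # assumed offline attack speed against a fast hash


def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password."""
    return [name for name, members in CLASSES.items()
            if any(c in members for c in password)]


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must search.

    Characters outside the known classes (e.g. non-ASCII) each add one
    symbol, which keeps the estimate conservative but never zero.
    """
    size = sum(len(CLASSES[name]) for name in classes_used(password))
    known = set().union(*CLASSES.values())
    size += len({c for c in password if c not in known})
    return size


def guess_entropy_bits(password: str) -> float:
    """Upper bound on brute-force work: log2(alphabet_size ** length)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def assess(password: str) -> dict:
    """Apply the basic tips from the text and estimate attack time."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password; found instantly by a dictionary attack")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(classes_used(password)) < 2:
        reasons.append("only one character class")

    bits = guess_entropy_bits(password)
    # Expected work is half the search space; convert to years.
    expected_guesses = (2 ** bits) / 2
    years = expected_guesses / GUESSES_PER_SECOND / (365 * 24 * 3600)
    return {
        "bits": bits,
        "years_to_crack": years,
        "acceptable": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed samples: a common password, a short "complex" one,
    # and a long passphrase with only two character classes.
    for pw in ("password", "Tr0ub4dor&3", "purple-tractor-ocean-lantern"):
        r = assess(pw)
        print("%-30s %6.1f bits  %.3g years  acceptable=%s  %s"
              % (pw, r["bits"], r["years_to_crack"], r["acceptable"],
                 "; ".join(r["reasons"])))
```

The output shows why the length advice matters: the 11-character password with all four classes comes in around 72 bits of brute-force work, while the 28-character passphrase with only lower-case letters and hyphens is well above 160 bits, and the common password fails immediately no matter how the numbers look. The estimate is an upper bound on a pure brute-force search; a real attacker tries wordlists and known patterns first, which is exactly why the common-password check runs before anything else.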
One major addition to this list that I would make is:
Change your user account so that it is NOT an Administrator account.
Excellent interview over at “Krebs on Security” with security rock star Bruce Schneier.
First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.
In general, though, I have three pieces of advice to anyone who wants to learn computer security:
Read the entire interview: How to Break Into Security, Schneier Edition — Krebs on Security.
Proof that there is always risk with technology despite advances.
The same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims’ own computers.
Security and privacy experts have long worried that criminals would launch attacks on the servers storing the data in cloud environments. But, a report released this week from McAfee and Guardian Analytics shows that criminals are now using the cloud infrastructure itself to get more capability out of their campaigns.
“They are leveraging the cloud,” Brian Contos, senior director of emerging markets at McAfee, said in an interview. “This is the first time we’ve ever seen this.”
Read all the details: Cybercrime moves to the cloud | Security & Privacy – CNET News.
- Q&A of the Week: ‘The current state of the cybercrime ecosystem’ featuring Mikko Hypponen (zdnet.com)
- Debunking cybercrime myths (lightbluetouchpaper.org)
- Cybercriminals build massive banking fraud system in the cloud (pcadvisor.co.uk)
Great series starting over at Krebs on Security on how to get into the field.
At least once a month, sometimes more, readers write in to ask how they can break into the field of computer security. Some of the emails are from people in jobs that have nothing to do with security, but who are fascinated enough by the field to contemplate a career change. Others are already in an information technology position but are itching to segue into security. I always respond with my own set of stock answers, but each time I do this, I can’t help but feel my advice is incomplete, or at least not terribly well-rounded.
I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject. Today is the first installment in a series of responses to this question. When the last of the advice columns have run, I’ll create an archive of them all that will be anchored somewhere prominently on the home page. That way, the next time someone asks how they can break into security, I’ll have more to offer than just my admittedly narrow perspectives on the matter.
Read the whole interview: How to Break Into Security, Ptacek Edition — Krebs on Security.
- Small businesses sitting ducks for hackers (charlotteobserver.com)
- Learning from History – The Importance of IT Security (blogs.gartner.com)
- Thomas Ptacek Interview – Episode 292 (pauldotcom.com)
Security is a major aspect of IT. One of the great ways to take one’s IT security training to the next level is to obtain a CompTIA certification. Here’s part of a great interview that Techopedia recently did with CompTIA’s director of product management, Carol Balkcom.
Techopedia: Many know CompTIA for its A+ certification. Tell us about your other security offerings.
Carol Balkcom: CompTIA Security+ is our first exam devoted entirely to security, and it was originally launched in 2002. All of our exams are “vendor neutral”, meaning that they aren’t tied to any one vendor’s products – and Security+ is no exception.
CompTIA A+ and Network+ also have security components in them, because of course today’s support technicians and network administrators must also be knowledgeable about security. As an aside, all three of these exams (A+, Network+, Security+) are on the U.S. Department of Defense Directive 8570 that requires certification for information assurance personnel. As a result, a large number of professionals have taken these certifications over the last few years.
To get back to our security offerings, earlier this year we formally launched the first in CompTIA’s “Mastery” series of exams, our CompTIA Advanced Security Practitioner (CASP).
Techopedia: Tell us more about Security+. What major subject areas are covered and who is the primary audience?
Carol Balkcom: The primary audience for Security+ is IT professionals with two or more years of hands-on, technical information security experience. There are Security+ certified professionals in all types of organizations, from the U.S. Navy to General Mills to the Archdiocese of Philadelphia. As to the subject areas in Security+, the broad knowledge “domains” are network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography.
Techopedia: What about CASP? Can you tell us more about the designation?
Carol Balkcom: For the CompTIA Advanced Security Practitioner (CASP), we recommend at least 10 years in IT and five years of hands-on technical security experience. It is intended for the security architect working in a large, multi-location organization. The CASP also looks at the security implications of business decisions, such as the acquisition of one company by another, as an example.
Be sure to check out the rest of interview, which includes Ms. Balkcom’s take on the certification vs. experience question.
As an IT security professional, do you think you learned everything in class? Probably not.
In that case here’s a great presentation by security addict Rob Fuller on pentesting.
Proof that in the IT security field one is constantly learning in order to mitigate the risks of new threats.
- Ex HACKER: The unspoken, dirty little secret (glennroast.wordpress.com)
- Dirty Little Secrets Revealed By Ethical Hackers (pcworld.com)
This is not good.
- Blatant Stupidity: Latest Banking Mobile Apps Riddled With Flaws (infosecurity.us)
- “WARNING: Bank Of America, Chase, TD, USAA and Wells Fargo iPhone banking apps all have serious security vulnerabilities” and related posts (iphoneworld.ca)
- Vulnerabilities Found In Banking Apps (informationweek.com)