HR Recruiting should step it up to obtain top infosec talent

With infosec unemployment approaching 0%, particularly in the DC area where I live, companies need to be competitive in their recruitment. Jeff Snyder of posts an interesting article on this.

I changed jobs in 2014 and a lot of this rings true to me.

Obviously improvements in salary, telecommuting, vacation, good retirement matching and a good retirement program would be a nice start. But this is about the hiring process, not fantasy. 😉

There are reasons why so many jobs go to people with connections. It’s not necessarily because networking is so awesome.
Is the job posting interesting? When you are networking, your contact can tell you what’s great about the job. If you’re coming in cold, what about that posting sets it apart? While I’ve seen examples that go too far in the other direction, generally going too far isn’t the problem. Most are boilerplate for 50% of the content.

Is recruiting treating the résumés like an auditor running down a checklist? Most job seekers believe this is the case. They add buzzwords to the résumé thinking they will score higher on relevance. If the HR recruiter is looking for 3 years of X and 2 years of Y, they may miss out on a great candidate. The best résumé may never make it past the gatekeeper to the hiring manager. Another point for networking: it gets the résumé into the hiring manager’s hands.

According to Jeff, companies are still taking too long in making decisions.   With the short bench, talent has lots of choices.   If you’re planning to hire the people you attract to a job req, you should be ready to move.

Check out Jeff’s article for more on this topic.


Chrome, Firefox Leak actual IP of VPN Users

A post on Friday, at reveals a security flaw in WebRTC-enabled browsers that leaks the actual IP addresses of VPN users.

I primarily use VPNs to protect my data when on an untrusted network (such as at a hotel, coffee house or other hot spot). It also comes in handy to check access from other parts of the world, by VPNing to a foreign point of presence.

VPNs are also used for anonymity. A website can have the browser issue a STUN request, and browsers that support this will reveal IP addresses of the client that were thought to be protected.

You can check if you are affected at a test website set up by Daniel Roesler.

In my case when using Chrome, the website shows 2 internal IP addresses (wired and wireless), my VPN client IP address, my external (ISP) IP address, and the IP address my request is coming from.

Internet Explorer does not support WebRTC and does not leak this information.

Per TorrentFreak, fixes include running NoScript in Firefox, and ScriptSafe or WebRTC Block in Chrome.
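To make the leak concrete, here is an added example (not code from the original post or from Daniel Roesler’s test page) that classifies the addresses a page’s script would learn from the browser’s ICE candidates. The candidate lines, the expected VPN exit address and the documentation-range IPs are all constructed sample data.

```javascript
// Added example, not from the original post. Classifies the addresses a web
// page's script learns from the browser's WebRTC ICE candidates, the mechanism
// behind the leak described above. The candidate lines are constructed sample
// data in the SDP "a=candidate" format using documentation IP ranges (IPv4 only).

const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host generation 0',                       // wired LAN address
  'candidate:2 1 udp 2122194687 10.8.0.6 51235 typ host generation 0',                           // VPN client address
  'candidate:3 1 udp 1686052607 203.0.113.45 51236 typ srflx raddr 192.168.1.20 rport 51234',   // ISP public IP seen by STUN
  'candidate:4 1 udp 1686052606 198.51.100.7 51237 typ srflx raddr 10.8.0.6 rport 51235',       // VPN exit IP seen by STUN
];

// RFC 1918 and link-local ranges: addresses an outside website should never see.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// Parse "candidate:<foundation> <component> <proto> <priority> <ip> <port> typ <type> ...".
function parseCandidate(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 8 || parts[6] !== 'typ') throw new Error(`malformed candidate: ${line}`);
  return { protocol: parts[2].toLowerCase(), ip: parts[4], port: Number(parts[5]), type: parts[7] };
}

// vpnExitIp is the public address the user expects remote sites to see. Any
// other public address, and any private address, is what the VPN was meant to hide.
function assessLeak(candidateLines, vpnExitIp) {
  const cands = candidateLines.map(parseCandidate);
  const uniq = (arr) => [...new Set(arr)];
  const internalIps = uniq(cands.filter((c) => isPrivateIPv4(c.ip)).map((c) => c.ip));
  const publicIps = uniq(cands.filter((c) => !isPrivateIPv4(c.ip)).map((c) => c.ip));
  const leakedPublic = publicIps.filter((ip) => ip !== vpnExitIp);
  return { internalIps, publicIps, leakedPublic, leaks: internalIps.length > 0 || leakedPublic.length > 0 };
}

// Stand-alone run, assuming 198.51.100.7 is the VPN exit the user expects sites to see.
console.log(assessLeak(SAMPLE_CANDIDATES, '198.51.100.7'));
```

With the sample data this reports the two LAN/VPN-client addresses and the ISP address as leaked, which matches the five addresses the test page showed in Chrome.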


Phishing Drill

This morning I was looking at my work email in Good, and saw I had a ‘package undeliverable’ email. Since I don’t use my work email address with any deliveries, I figured this was phishing. Because the address is less than a year old, I sighed that my address was already known to spammers and scammers. When I got to my desk, I took a look at the mail headers just to verify it had slipped past MessageLabs (, so I could submit it as a false negative.

The mail headers revealed a ‘phishme’ mail server. This indicates it is a phishing drill rather than an actual phish. I almost want to click on the link in the message to see what the education message looks like. Better not, so I don’t end up on any ‘bad’ list. I’ve been on the other end of that, looking at the list of people who took the bait and shaking my head.
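The header check above, as an added example that is not part of the original post: walk the Received: chain of a raw message to see the relay path, whether it passed through the filtering service, and whether a drill server appears. The message, host names (reserved .example domain) and the match patterns are constructed assumptions, not real servers.

```javascript
// Added example, not from the original post. Walks the Received: chain of a raw
// message, the header check described above, to show the relay path and whether
// a phishing-simulation server appears in it. The message is constructed sample
// data; host names use the reserved .example domain and are not real servers.

const SAMPLE_MESSAGE = [
  'Received: from edge.corp.example ([192.0.2.10]) by mailbox.corp.example with ESMTP id ABC123;',
  '\tFri, 30 Jan 2015 08:12:33 -0500',
  'Received: from relay.messagelabs-filter.example ([198.51.100.25]) by edge.corp.example',
  'Received: from mta1.phishme-drill.example ([203.0.113.9]) by relay.messagelabs-filter.example',
  'Subject: Package undeliverable',
  '',
  'Your package could not be delivered.',
].join('\r\n');

// Unfold header lines (a continuation line starts with whitespace, RFC 5322) and
// return [name, value] pairs; the blank line ends the header block.
function parseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === '') break;
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1][1] += ' ' + line.trim();
    } else {
      const m = line.match(/^([!-9;-~]+):\s*(.*)$/);
      if (m) headers.push([m[1].toLowerCase(), m[2]]);
    }
  }
  return headers;
}

// Each hop prepends its own Received: line, so the topmost is the final hop.
// Returns the hosts each hop claims to have received from, oldest hop first.
function receivedChain(raw) {
  return parseHeaders(raw)
    .filter(([name]) => name === 'received')
    .map(([, value]) => { const m = value.match(/^from\s+(\S+)/i); return m ? m[1].toLowerCase() : '(unknown)'; })
    .reverse();
}

// Did the message transit the filtering service, and does any hop look like
// a drill sender? The patterns are substrings to look for, not real host names.
function triage(raw, filterPattern = /messagelabs/, drillPattern = /phishme/) {
  const chain = receivedChain(raw);
  return { chain, passedFilter: chain.some((h) => filterPattern.test(h)), isDrill: chain.some((h) => drillPattern.test(h)) };
}

console.log(triage(SAMPLE_MESSAGE));
```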

Keysweeper – Microsoft Wireless Keyboard Sniffing

It’s kind of funny when I read The Drudge Report links related to information security. Today, he links to a VentureBeat article on KeySweeper.

Keysweeper is a project, standing on the shoulders of other work, to create what appears to be a USB wall charger but actually logs keystrokes from nearby Microsoft wireless keyboards.

Sniffing wireless keyboards has been around for a long time. I wrote about it in part of a blog entry in 2008. Taking a quick glance at the articles, it sounds like Microsoft is still using XOR to provide confidentiality in wireless keyboards. Makes me happy I’m using Logitech’s wireless keyboard. Logitech says they provide 128-bit AES encryption. The product info at Amazon for Microsoft’s keyboard merely states it has “secured wireless transmission”. Or apparently not.

Kaspersky and DarkHotel

On Monday, Kaspersky posted about malware it has dubbed DarkHotel which targets corporate executives traveling abroad.

It is a good awareness piece.   Any time you are on someone else’s network, you are engaging in risky behavior.

With DarkHotel, users are prompted to install ‘updates’ to their software. This is familiar, as similar fake updates are presented to spur users to install malware when visiting compromised websites or sites with malicious advertising. Software updates should be performed on a trusted network whenever possible. Updates should always be obtained from a trusted location.

This can be more difficult than it seems. Let’s say you see a prompt to update Flash. Too wise to fall for this, you close your browser, reopen it, and browse to to download the latest Flash update. If Adobe doesn’t use SSL and a malicious attacker controls your network, you could be redirected to install malware instead, even using this ‘safer’ method.

When you’re on the road, it’s not the best time to perform updates to your system anyway. If something goes wrong, you may not have access to resources to fix issues with even a legitimate update.

What if you’re on the road all the time?

This is where VPN software comes in handy.

I’ve blogged about my use of Witopia as a personal VPN provider.
If I were traveling for work, I could use my work VPN; however, if your company doesn’t tunnel ALL traffic, you are still vulnerable.
Advanced users may choose to install a router at home that contains VPN server software, to be able to VPN home. Some newer routers support this functionality.

Staying safe on the internet requires vigilance.


iOS 7.1.x PDF Exploit Released

SANS is reporting a PDF exploit for iOS 7.1.x has been released. While this is patched in iOS 8, the adoption rate for this new iOS version has been slower than for previous versions. Businesses have been in front, cautioning their users that upgrades should not occur until business apps have been tested. Additionally, the 5 Gb free space requirement has prevented impulse upgrades for some users.

To me, this is yet another example of Apple’s inattention to security.  When Microsoft releases security updates they release them for every supported product at the same time.

Keep an eye out for an iOS upgrade if you’re running 7.


Infosec Red Card

At my new job, they take safety really seriously. They want everyone to go home at the end of the day with all the fingers they came in with. Not normally an issue for office workers, but the thought is nice. It is really more appropriate for other divisions/branches of the company.

Each employee gets a physical safety red card, and is empowered to use it to stop work when there is an imminent danger or potential for physical harm. Work resumes only when cleared by management.

It’s a really cheesy way of deputizing everyone as a safety officer. It reminds me a bit of the original Saturn model where a line worker could shut down the assembly line.

It made me wonder, what about an infosec red card? Hopefully at most companies, infosec can put a halt to a process, forcing management to examine and address the risk. It’s possible that a company might train users well to refuse to act insecurely: not providing their password to the helpdesk, not sending sensitive information in clear text, not allowing tailgating. Perhaps there should be an infosec red card as well.


Ordering Pizza

Even with Little Caesars expanding back into the DC area, there isn’t one that close to my house.  But we still get to enjoy their commercials.

LogIn Password Little Caesars Pizza TV Commercial

In this commercial a husband asks the wife for the login password so he can order pizza.  She explains that Little Caesars has hot and ready pizza so you can just walk in and grab one.  The joke being that he didn’t realize she wasn’t telling him the password, so he starts typing.

It’s funny, though: one password construction method is to take a sentence and use the first letters. So maybe when she said “Little Caesars has hot and ready pizza so you can just walk in and grab one.” she really meant her password was LChh&rpsucjwiago.

Personal VPNs in a CDN World

I wrote about personal VPNs back in 2011.  Going on vacation, I wanted to avoid insecure wifi.  The best way to do this is through a personal VPN product.  This is still true today even with the increased use of SSL.  I still think this is a great use for these products.

Interest in encryption and personal VPN products has skyrocketed since the Snowden “revelation” that the government snoops on you (and let’s not forget about Google). People are interested in always-on VPNs to restore a bit of privacy.

Do VPNs meet this goal, and what is the cost?

The VPN provider I use has a page “Why Do I need a Personal VPN?” Their list is a good summary of why you might use a personal VPN, but it has one example of why it sometimes isn’t so easy.

“You don’t want search engines, such as Google, Yahoo, AOL, and Bing recording and storing every Internet search you perform... potentially forever. Just like your ISP, Internet search engines record every search you do and tie it to your IP address.”

Search engines are using cookies to track you. Even if you don’t log in, which they encourage you to do, they use cookies to know who you are. IP address isn’t granular enough for them: shared computers, multiple computers behind one IP address. You would need to take additional steps such as incognito mode to prevent all tracking.

“You live in, or are visiting, a country that engages in Internet censorship or monitoring of content.”

Fair enough, but people who employ encryption could find themselves under suspicion just for that.

And there is also the case of Eldo Kim. He sent a bomb threat to get out of a final exam. He thought he covered his tracks using Tor. But he used the campus wifi, so they were able to track who was using Tor at the time of the threat. Are you going to think of everything when covering your tracks?

In general VPNs meet the goal of providing privacy.  But like anything you need to be aware of some gotchas.

There are also costs to using a VPN. This is particularly true when it is used in an everyday, always-on manner, as would be necessary to avoid governmental, ISP and corporate snoops. When just using a VPN for protection on a hostile network, the speed impact may not be so noticeable. But at home, you have a big pipe. 50+ Mbps connections are becoming more commonplace. The FCC is thinking of defining broadband as faster than 10 Mbps. So why does my VPN pipe max out at 5 Mbps? That’s quite a hit. I haven’t asked my provider if that is QoS per user, or an element of saturation.

There is also the issue of the CDN. Content Delivery Networks move content to the ISP data center to provide faster response. Netflix SuperHD was originally available only to users on their Open Connect network (CDN). YouTube’s ISP rating system reports my ISP has tested HD quality, while my VPN pipe doesn’t have HD quality. My traffic through the VPN bypasses the locally cached content. Performance is lost in the name of security.

Is this enough to keep you from using an ‘always on’ personal VPN?