Re: [Full-Disclosure] Security Certifications

From: B3r3n (B3r3n@argosnet.com)
Date: 03/07/03

    To: hellNbak <hellnbak@nmrc.org>, Ron DuFresne <dufresne@winternet.com>
    From: B3r3n <B3r3n@argosnet.com>
    Date: Fri, 07 Mar 2003 20:01:02 +0100
    

    Guys,

    Never read the CISSP trojan? Nice, no?

    _________________________________________
    Security Advisory MA-2003-01 CISSP - Trojan Security Certification

    Original Release Date: Thursday January 16, 2003
    Last Revised: --
    Source: --

    Systems Affected

             o Information Security Community
             o Information Technology Employers
             o Information Security Consultants

    Overview

    It has recently been identified that The International Information Systems
    Security Certification Consortium (CISSP) has developed and released a
    potentially destructive trojan application, which masquerades as a valid
    standard for professional certification in the field of information security.

    I. Description

    Delivered in the benign form of a six-hour examination, the CISSP prompts the
    target user with a series of 250 questions regarding the following topics:

             o Access Control Systems & Methodology
             o Applications & Systems Development
             o Business Continuity Planning
             o Cryptography
             o Law, Investigation & Ethics
             o Operations Security
             o Physical Security
             o Security Architecture & Models
             o Security Management Practices
             o Telecommunications, Network & Internet Security

    This rather large payload, commonly referred to as the Common Body of
    Knowledge (CBK), may cause a Denial of Service situation, leaving the
    target overwhelmed and unable to respond to further requests during the
    duration of the attack. If the target handles the Denial of Service attack
    appropriately, and is unaffected, the CISSP trojan discontinues this attack,
    and self-mutates into a certification of added IS credibility. If accepted by
    the target, this certification begins to cause the following symptoms:

             o Increase in self-confidence
             o Increase in salary requirements
             o False sense of accomplishment
             o False sense of self-improvement

    Despite the symptoms, the target experiences no real benefit
    whatsoever. The affected target then is made to transfer funds in excess
    of $2,000 (US) to a remote bank account owned by ISC2. Finally, the
    affected target promotes itself to a "Certified Information Security
    Expert" sans authentication. The affected target may then infect others,
    eventually creating a massive army of unskilled, prefabricated,
    shrink-wrapped, not for resale, half-assed security engineers, consultants,
    and "research scientists".

    II. Impact

    An abundance of sub-par information security engineers, consultants, and
    "research scientists".

    A negative impact on the economy, specifically within the Information
    Technology sector.

    III. Solution

    Avoid any certifications issued by ISC2 until a patch is distributed.
    Obtain information security related certifications from valid sources.
    Employers are encouraged to recognize the CISSP as a trojan certification.

    Appendix A - Vendor Information

    International Information Security Certification Consortium, Inc.

    (ISC)2 is the premier organization dedicated to providing information
    security professionals and practitioners worldwide with the standard for
    professional certification.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
