This is one of the most crackpot ideas I've seen: create a .bank top-level domain and restrict it to banks only. Will that make phishing for bank information less possible? I don't think so. The problem is very simple: most people don't pay attention to where they are connecting or to what is showing in their browser's URL field. They also most certainly don't check the SSL certificate to validate who signed it, or even check whether they are using SSL at all.

There's a reason companies like Verisign charge a lot of money for an SSL certificate: they actually do some work to validate that the company signing up for the certificate is who it says it is. If you check the SSL certificate for a secure site and it says Verisign signed it, you can be fairly certain you are talking to the company you think you are talking to.

Most phishing issues would go away if people were simply observant of where they connect. That means making sure the link you think you are clicking on actually goes to the site it claims to. "Mouse over" the link and look at the lower part of the browser window. Does it match? Or better yet: don't click on a link that you received over email.

I never thought in my life I would spend almost the entire allowed 6-hour time on the CISSP exam, but I did. And I was oddly zen about the whole experience. Sure, I was a little nervous when I first walked into the testing room as I had no idea what to expect. One of the proctors, whom I met in a CISSP class nearly 6 years ago, checked my ID and paperwork, and another proctor led me to a seat, which was to be mine for the course of the exam.

The usual electronic gadgets and gizmos were not allowed at your desk, and if they were present, they were to be switched off or set to vibrate mode and preferably kept up with the desk where you were permitted to put your snacks and the like (it was a 6-hour test with no lunch break). I left all my gear in the car, though I brought food and water in.

At 8:30, one of the proctors began reading the instructions, which involved filling out a scantron form with specific information. Once that was done and all the other instructions and the like were done, we broke the seal on our test and began. Nothing like filling out over 250 little bubbles.

Bathroom breaks, which I took at least 3 of, involved signing out, one of the proctors escorting you to the restroom (he didn't come inside), and him escorting you back and you signing back in. I guess they want to make sure you don't "cheat" in the bathroom. Fair enough.

And while the confidentiality agreement I signed as part of the CISSP exam process forbids me from getting into specifics about what was on the exam, I can say that I felt oddly zen about the experience. Once the test was underway, I stopped stressing about it. I took frequent breaks. I used earplugs. I was methodical and deliberate. I only made one "transcription" mistake (from book to scantron).

I took two passes through the material. The first pass was to answer the questions I was pretty sure about. On the second pass, I double-checked my answers, making sure both that I transcribed the right answer and that I actually chose the right answer. For the ones I didn't know, and there were a few, I was able to make a semi-educated guess on most of them; for the rest I just threw out a guess. It's not like the SATs, where you lose points for a wrong answer.

I walked out of the test feeling pretty comfortable with my performance. I'm sure I answered a few questions wrong, but that's life. Now I just need to wait for ISC2 to come back with my certification results so I can jump through the remaining hoops to be certified.

Meanwhile, I am exhausted after all that. Early bedtime for me.

From the latest SANS NewsBites:

The Pirate Bay, a website that helps users find files over BitTorrent peer-to-peer (P2P) file sharing software, has reportedly been the victim of attack; the intruder stole a copy of the site's user database. User passwords are encrypted, but Pirate Bay's site operator encourages users to change their passwords nonetheless, and if they use the same password elsewhere, to change those as well. The attacker got in through a hole in the site directory's blogging software. Pirate Bay has a reported 1.4 million members.

http://www.theregister.co.uk/2007/05/14/pirate_bay_hacked/

http://www.securityfocus.com/brief/499

Guess even the pirates get hacked once in a while. ;)

Russell Shaw reports that there is now a new "attack vector" utilizing Java and Quicktime on a web page. This is basically the security bug that was recently found against MacOS, but it's actually not against MacOS per se, but rather against Quicktime. That means not only is MacOS vulnerable, but Windows is potentially vulnerable too.

From the nist.org article:

Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. Currently it is known that Windows Quicktime is vulnerable as well. What is not known is to what degree. If the attack is a buffer overflow, an actual "exploiting the box" type attack may be OS specific. In other words, Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow into a full-fledged exploit takes time and is not always possible. But they did it on the OSX platform, so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built into Quicktime, then the current exploit may work on both platforms.

The mitigation for this issue? Disable Java, uninstall Quicktime, or if you're a Firefox user, use the NoScript extension and ensure Java is disabled on untrusted sites. I'm not getting rid of Java or Quicktime, but I sure do use NoScript. Yes, it's a pain, but these kinds of issues are precisely why I am willing to go through the trouble of running it.

Presumably, Apple is now aware of this issue and is working quickly to patch it on both Windows and MacOS.

Everyone blew this supposed "Mac" security issue out of proportion, it seems. The Mac was "hacked," but the issue wasn't exactly specific to the Mac, as it could be replicated in any browser on any system. It was a local exploit, at best, and it involved cross-site scripting, something that is inherently dangerous on all computers.

Please let me know when the Mac can be remotely rooted, though. That will be some serious news.