<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; Resources</title>
	<atom:link href="http://www.novainfosecportal.com/category/resources/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Free Online Nmap, OpenVas &amp; More for One-Off Scans</title>
		<link>http://www.novainfosecportal.com/2012/01/19/free-online-nmap-openvas-more-websites-for-quick-one-off-assessments/</link>
		<comments>http://www.novainfosecportal.com/2012/01/19/free-online-nmap-openvas-more-websites-for-quick-one-off-assessments/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 22:40:36 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[nikto]]></category>
		<category><![CDATA[nmap]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[openvas]]></category>
		<category><![CDATA[tool]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7148</guid>
		<description><![CDATA[Ever find yourself needing to do a quick security scan but are on a computer that doesn&#8217;t have the right tools? This happens to me periodically when we need a quick scan done from &#8220;outside.&#8221; Out of curiosity I searched around and found a few good options that I thought you may find useful. Nmap-Online.com: Administered by MatouSec.com, a project started in 2006 run by a group of security experts concerned about user desktop security, this service offers almost the full capability of Nmap through a website! The earliest reference I could find was in November of 2006 so they&#8217;ve been around for awhile. To use the service just pick between &#8220;Quick Scan&#8221; and &#8220;Full Scan&#8221; that scans your own detected IP address or a &#8220;Custom Scan&#8221; that gives you almost full access to Nmap&#8217;s set of options (including scanning a range of IPs). Finally, agree to their ToS and hit Scan. You have the option of waiting for the results in the browser or entering an email and password to have them emailed to you. Keep the email and password handy as you can use these credentials to retrieve all your recent scans. Note that no registration is required [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7719" title="Ok, Well Maybe This Isn't Web Based But Couldn't Pass the Opportunity to Include Trinity" src="http://www.novainfosecportal.com/wp-content/uploads/2012/01/nmap_matrix-300x127.jpg" alt="Trinity Using Nmap" width="300" height="127" />Ever find yourself needing to do a quick security scan but are on a computer that doesn&#8217;t have the right tools? This happens to me periodically when we need a quick scan done from &#8220;outside.&#8221; Out of curiosity I searched around and found a few good options that I thought you may find useful.</p>
<p><strong>Nmap-Online.com:</strong> Administered by MatouSec.com, a project started in 2006 run by a group of security experts concerned about user desktop security, this service offers almost the full capability of Nmap through a website! The earliest <a href="http://hype-free.blogspot.com/2006/11/nmap-online.html">reference</a> I could find was in November of 2006 so they&#8217;ve been around for awhile.</p>
<p>To use the service just pick between &#8220;Quick Scan&#8221; and &#8220;Full Scan&#8221; that scans your own detected IP address or a &#8220;Custom Scan&#8221; that gives you almost full access to Nmap&#8217;s set of options (including scanning a range of IPs). Finally, agree to their ToS and hit Scan. You have the option of waiting for the results in the browser or entering an email and password to have them emailed to you. Keep the email and password handy as you can use these credentials to retrieve all your recent scans. Note that no registration is required though. It seems to track users with just your specific email and password combination.</p>
<p>Unfortunately, limitations there are&#8230; You can only scan IP addresses and ranges within your externally detected class C address space. Additionally, they have rules controlling the number of scans you are permitted to perform within various time periods (e.g., a max of 8 scan requests from one IP per 24 hours). See their <a href="http://nmap-online.com/tos.php">ToS</a> for all the restrictions.</p>
<p>Check out Nmap-Online <a href="http://nmap-online.com/">here</a>.</p>
<p><strong>HackerTarget.com:</strong> This is another service that I came across that offers several free online scanners. Currently, they provide 10 scans that include the likes of Nmap, OpenVas, Nikto, and WordPress Security Scan. Just checking out their Nmap service &#8230; it only performs a &#8220;Fast Scan with Service Identification&#8221; (i.e., nmap -sV -F your.ip.address.com). Most of their other services didn&#8217;t have any customizable options so I assume it&#8217;s just the default scans. For specifics you&#8217;d have to research the default scans for these tools. The WordPress scan however mentions 13 specific checks.</p>
<p>Just like Nmap-Online.com there are limitations&#8230; You only get four scans per day and can&#8217;t use free web email accounts to get the results. Additionally, you can&#8217;t scan IP ranges &#8230; just individual IPs. HackerTarget does offer a membership program that lifts these restrictions. Prices for individuals are $5 on a month-to-month basis or $30 a year. Corporations are $50 per month or $400 a year. Regardless of whether you use the free or paid versions, there doesn&#8217;t seem to be a way to view sessions online; you must enter an email for them to send results to.</p>
<p>Check out the HackerTarget.com Online Security Scan page <a href="http://hackertarget.com/free-security-vulnerability-scans/">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Do you know of any other online security scanner for quick one-off assessments? Let us know in the comments below. Today&#8217;s post image is from <a href="http://carnal0wnage.attackresearch.com/2007_07_01_archive.html">AttackResearch.com</a>.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/19/free-online-nmap-openvas-more-websites-for-quick-one-off-assessments/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2012/01/13/top-3-nova-infosec-blog-posts-of-the-week-109/</link>
		<comments>http://www.novainfosecportal.com/2012/01/13/top-3-nova-infosec-blog-posts-of-the-week-109/#comments</comments>
		<pubDate>Fri, 13 Jan 2012 18:17:52 +0000</pubDate>
		<dc:creator>nathiet</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[infosec-blogs]]></category>
		<category><![CDATA[local-security-bloggers]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[security-bloggers]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7601</guid>
		<description><![CDATA[It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. You can take a look at what local security bloggers have been up to but if you can’t get enough of the local security scene, check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. As always feel free to check out what local security bloggers have been up to and also be sure to follow myself (@nathiet), @grecs, and @novainfosec on Twitter if you want to know more about what’s going on in the local security community during the week. Without further ado &#8230; here are the top picks for this week. First and foremost, we would like to say #Happy 9th Birthday TaoSecurity Blog. @Richard Bejtlich plans to &#8220;continue blogging&#8221; and express his views. Check out what he has in store for us over here and without further ado, here are this week’s top 3 NoVA Infosec blog posts…. #3 - ShmooCon 2012 FireTalks – Update 3 (First Round Speaker Announcements): If you were wondering who was going to talk at this year&#8217;s ShmooCon FireTalks then look no further than here as @grecs [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-5644" title="Blogs" src="http://www.novainfosecportal.com/wp-content/uploads/2011/07/d288e_top_three_ways_recruiting_is_changing_post.jpg" alt="" width="240" height="165" /></p>
<p>It’s that time of the week again: the time where we take a look at what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to. You can take a look at what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to but if you can’t get enough of the local security scene, check out our <a href="/resources/nova-email-lists-networking/novainfosec-twits/">NovaInfosec Twits list</a> for even more great security blogs and people to follow on Twitter.</p>
<p>As always feel free to check out what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to and also be sure to follow myself (@<a href="http://twitter.com/nathiet">nathiet</a>), @<a href="http://twitter.com/grecs">grecs</a>, and @<a href="http://twitter.com/novainfosec">novainfosec</a> on Twitter if you want to know more about what’s going on in the local security community during the week. Without further ado &#8230; here are the top picks for this week.</p>
<p>First and foremost, we would like to say <strong>#Happy 9th Birthday TaoSecurity Blog</strong>. @<a href="https://twitter.com/#!/taosecurity">Richard Bejtlich</a> plans to &#8220;continue blogging&#8221; and express his views. Check out what he has in store for us over <a href="http://taosecurity.blogspot.com/2012/01/happy-9th-birthday-taosecurity-blog.html">here</a> and without further ado, here are this week’s top 3 NoVA Infosec blog posts….</p>
<p><strong>#3 - ShmooCon 2012 FireTalks – Update 3 (First Round Speaker Announcements):</strong> If you were wondering who was going to talk at this year&#8217;s ShmooCon FireTalks then look no further than <a href="http://www.novainfosecportal.com/2012/01/11/omg-was-it-freakin-hard-or-what-to-select-these-talks/">here</a> as @<a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/who-is-grecs/">grecs</a> announces the first round of speakers. Oh, did we mention that it is not too late to enter, as five slots are still open? Check out what is in it for you if you win the FireTalks over <a href="http://www.novainfosecportal.com/2012/01/06/yes-its-been-awhile-since-last-update-re-shmoocon-2012-firetalks-sorry-for-the-wait/">here</a>!</p>
<p><strong>#2 - Can’t close the barn door</strong><strong>: </strong>Is it possible to regulate the internet? Benjamin Hartley looks at the latest attempt at just that with SOPA: &#8220;SOPA is the most recent in a long line of legislation intended to regulate the internet.&#8221; <a href="http://securitymusings.com/article/3156/cant-close-the-barn-door?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+SecurityMusings+%28Security+Musings%29">Click here</a> to find out if the internet can be regulated or not: &#8220;The internet was designed to be impossible to regulate&#8221;</p>
<p><strong>#1 - The Gross Example of STRATFOR</strong><strong>:</strong> What did STRATFOR do wrong? Ben Tomhave sees &#8220;5 major failures in this case that proves STRATFOR to be negligent (possibly criminally)&#8221; which are discussed over <a href="http://www.secureconsulting.net/2012/01/the-gross-example-of-stratfor.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+secureconsulting%2FujTc+%28The+Falcon%27s+View%29">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/13/top-3-nova-infosec-blog-posts-of-the-week-109/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2012/01/06/top-3-nova-infosec-blog-posts-of-the-week-108/</link>
		<comments>http://www.novainfosecportal.com/2012/01/06/top-3-nova-infosec-blog-posts-of-the-week-108/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 15:19:14 +0000</pubDate>
		<dc:creator>nathiet</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[infosec-blogs]]></category>
		<category><![CDATA[local-security-bloggers]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[security-bloggers]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7529</guid>
		<description><![CDATA[It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. You can take a look at what local security bloggers have been up to but if you can’t get enough of the local security scene, check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. As always feel free to check out what local security bloggers have been up to and also be sure to follow myself (@nathiet), @grecs, and @novainfosec on Twitter if you want to know more about what’s going on in the local security community during the week. Without further ado &#8230; here are the top picks for this week. #3 - 2011 Reading List: Need something to read in 2012? Look no further than here as there is a comprehensive reading list and recommendations. #2 - Is Android Really Secure Enough for the DoD?: Pentagon officials have approved the use of Android in addition to BlackBerry to meet their mobile computing needs. Our very own @grecs looks at whether it is secure enough for the DoD and why it was chosen here. #1 - (UAC) User Assisted Compromise: This post explains how the &#8220;Ask&#8221; post module works [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-5644" title="Blogs" src="http://www.novainfosecportal.com/wp-content/uploads/2011/07/d288e_top_three_ways_recruiting_is_changing_post.jpg" alt="" width="240" height="165" /></p>
<p>It’s that time of the week again: the time where we take a look at what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to. You can take a look at what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to but if you can’t get enough of the local security scene, check out our <a href="/resources/nova-email-lists-networking/novainfosec-twits/">NovaInfosec Twits list</a> for even more great security blogs and people to follow on Twitter.</p>
<p>As always feel free to check out what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to and also be sure to follow myself (@<a href="http://twitter.com/nathiet">nathiet</a>), @<a href="http://twitter.com/grecs">grecs</a>, and @<a href="http://twitter.com/novainfosec">novainfosec</a> on Twitter if you want to know more about what’s going on in the local security community during the week. Without further ado &#8230; here are the top picks for this week.</p>
<p><strong>#3 - 2011 Reading List</strong><strong>:</strong> Need something to read in 2012? Look no further than <a href="http://blog.electricfork.com/2012/01/2011-reading-list.html">here</a> as there is a comprehensive reading list and recommendations.</p>
<p><strong>#2 - Is Android Really Secure Enough for the DoD?: </strong>Pentagon officials have approved the use of Android in addition to BlackBerry to meet their mobile computing needs. Our very own @<a href="http://www.novainfosecportal.com/author/grecs/">grecs</a> looks at whether it is secure enough for the DoD and why it was chosen <a href="http://www.novainfosecportal.com/2012/01/03/is-android-really-secure-enough-for-the-dod/">here</a>.</p>
<p><strong>#1 - (UAC) User Assisted Compromise:</strong> This post explains how the &#8220;Ask&#8221; post module works: &#8220;This module very simply uses the <a title="ShellExecute" href="http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx" target="_blank">ShellExecute windows function</a> via <a title="Railgun Usage" href="http://dev.metasploit.com/redmine/projects/framework/wiki/RailgunUsage" target="_blank">Railgun</a> with the undocumented (but very well known) operator of &#8216;runas&#8217;.&#8221; <a href="http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+Room362com+%28Room362.com%29">Click here</a> to find out if &#8220;users are generally as smart as bait&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/06/top-3-nova-infosec-blog-posts-of-the-week-108/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Are Bachelor Infosec Degrees Worthless?</title>
		<link>http://www.novainfosecportal.com/2011/12/29/are-bachelor-infosec-degrees-worthless/</link>
		<comments>http://www.novainfosecportal.com/2011/12/29/are-bachelor-infosec-degrees-worthless/#comments</comments>
		<pubDate>Thu, 29 Dec 2011 22:06:40 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[bachelor]]></category>
		<category><![CDATA[computerworld]]></category>
		<category><![CDATA[degree]]></category>
		<category><![CDATA[graduate]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[undergrad]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=6993</guid>
		<description><![CDATA[Ira Winkler posted an interesting article a month or so ago (yes, I&#8217;ve had this post in the hopper for a while) over at Computer World entitled &#8220;Let’s scuttle cybersecurity bachelor’s degree programs.&#8221; What really caught my attention were some of the tweets surrounding it, especially how they seemed to imply this statement was for ALL infosec degrees. weldpond: Ira Winkler: Let&#8217;s scuttle cybersec bachelors degree programs. Shld incorporate sec into regular CS prog https://www.computerworld.com/s/article/9221668/Let_s_scuttle_cybersecurity_bachelor_s_degree_programs 0xcharlie: @WeldPond I think infosec should be in a trade school with apprenticeships and such, not in a degree program. weldpond: @0xcharlie Your idea is not mutually exclusive with teaching CS majors secure coding concepts. We probably need both. The suggestion that we should not have infosec degrees totally caught me off guard and went counter to the way I&#8217;ve been thinking for a while. Even our new blogger judykavuo, who is currently getting her masters in infosec, felt the need to write about it and counter a few points. In the past I&#8217;ve given presentations and we have blogged here about how getting an infosec degree is an excellent starting point for those entering our field. We&#8217;ve found that most infosec degrees or certificates [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7466" title="Degree Hat" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/degree-hat-300x225.jpg" alt="Picture of Degree and Graduation Cap" width="210" height="158" />Ira Winkler posted an interesting article a month or so ago <em>(yes, I&#8217;ve had this post in the hopper for a while)</em> over at Computer World entitled &#8220;Let’s scuttle cybersecurity bachelor’s degree programs.&#8221; What really caught my attention were some of the tweets surrounding it, especially how they seemed to imply this statement was for ALL infosec degrees.</p>
<blockquote><p><a href="http://twitter.com/weldpond">weldpond</a>: Ira Winkler: Let&#8217;s scuttle cybersec bachelors degree programs. Shld incorporate sec into regular CS prog https://www.computerworld.com/s/article/9221668/Let_s_scuttle_cybersecurity_bachelor_s_degree_programs</p></blockquote>
<blockquote><p><a href="http://twitter.com/0xcharlie">0xcharlie</a>: @WeldPond I think infosec should be in a trade school with apprenticeships and such, not in a degree program.</p></blockquote>
<blockquote><p><a href="http://twitter.com/weldpond">weldpond</a>: @0xcharlie Your idea is not mutually exclusive with teaching CS majors secure coding concepts. We probably need both.</p></blockquote>
<p>The suggestion that we should not have infosec degrees totally caught me off guard and went counter to the way I&#8217;ve been thinking for a while. Even our new blogger <a href="/author/judykavuo/">judykavuo</a>, who is currently getting her masters in infosec, felt the need to <a href="/2011/12/09/best-approach-to-increase-cyber-security-professionals/">write about it and counter a few points</a>.</p>
<p>In the past I&#8217;ve given presentations and we have blogged here about how getting an infosec degree is an excellent starting point for those entering our field. We&#8217;ve found that <a href="/2011/11/10/getting-started-in-cybersecurity-–-the-university-way/">most infosec degrees or certificates were at the graduate level</a> and have been exploring some of the newer undergrad degrees as well and were thinking of recommending some of those.</p>
<p>I guess a lot of people were confused about the article and Ira later added the following note.</p>
<blockquote><p>(And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)</p></blockquote>
<p>Well, after the initial confusion wore off, I found that the more I read Ira&#8217;s article, the more I tended to agree with his suggestion. I think it&#8217;s important to establish a strong technical foundation with a traditional undergrad degree and several years of real world IT experience. And then maybe at that point you are ready for a full-time infosec gig. You need to secure &#8220;something&#8221; &#8230; and &#8230; if you don&#8217;t know what &#8220;something&#8221; is how can you secure it? In hindsight I realized this is actually how I did it!</p>
<p>Now I&#8217;m not saying don&#8217;t do any infosec activities in undergrad or that initial job &#8230; it&#8217;s just that it shouldn&#8217;t be the focus. So feel free to take two or three infosec classes as part of your undergrad or attend traditional classes that are known to incorporate security. In the first few years out in the real world, focus on learning your trade &#8230; just try to sprinkle in some infosec here and there. There&#8217;s a whole list of things you could do to spray security onto your non-infosec job. I&#8217;ve often found that teaching or leading others is a great way to learn and strengthen your knowledge. Here are a few suggestions.</p>
<ul>
<li>Blog about the security aspects of it.</li>
<li>Attend meetups and conferences and present on the security aspects of your trade.</li>
<li>Join or start a technology-specific security mailing list on it.</li>
</ul>
<p>But the whole point is just to NOT make security the focus during these years&#8230;</p>
<p>via ComputerWorld.com</p>
<blockquote><p>It may sound counterintuitive, but the way to increase the number of cybersecurity professionals is not to start granting degrees in cybersecurity. I suppose it sounds logical. We’re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs. And while we’re at it, let’s address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs. Unfortunately, the logic of these statements is about a micron thick.</p></blockquote>
<p>Continued <a href="https://www.computerworld.com/s/article/9221668/Let_s_scuttle_cybersecurity_bachelor_s_degree_programs">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>What do you think? Should universities abandon infosec undergrad degrees? Today&#8217;s post image is from <a href="http://newsone.com/nation/news-one-staff/number-of-black-americans-with-4-year-degrees-reaches-new-high/">NewsOne.com</a>.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/29/are-bachelor-infosec-degrees-worthless/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Best Paying Infosec Jobs for 2012</title>
		<link>http://www.novainfosecportal.com/2011/12/28/best-paying-infosec-jobs-for-2012/</link>
		<comments>http://www.novainfosecportal.com/2011/12/28/best-paying-infosec-jobs-for-2012/#comments</comments>
		<pubDate>Wed, 28 Dec 2011 15:30:57 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[cissp]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[informationweek]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7459</guid>
		<description><![CDATA[Here&#8217;s another quick post on an article I&#8217;ve been meaning to mention for the last month or so. It falls under the &#8220;2012 prediction&#8221; category so referencing it now still seems relevant. Plus it follows nicely with yesterday&#8217;s post on the hottest security jobs but is more focused on salary. I&#8217;ve added some commentary to the main points I pulled out just for the fun of it. In summary &#8230; Infosec salaries should rise by an average of 4.5%. [grecs: Yet those CEOs are getting 20%+ pay increases. Also my insurance premiums are still increasing by that same 20% so I guess I'll be 15.5% in the hole for 2012. But on the other hand ... at least we should be getting raises.] There are lots of positions but not enough skilled people. [grecs: Good for us I guess ... but it may also pollute our profession with people that don't really "care" as much about infosec and are just doing it for the money.] Data security analyst is THE hot security job for the next year. [grecs: Nice general title to mention there... It could mean almost anything.] CISSP and Security+ certificates continue to be the most in demand. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7460" title="Robert Half Technology" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/rht-300x92.jpg" alt="Robert Half Technology Logo" width="300" height="92" />Here&#8217;s another quick post on an article I&#8217;ve been meaning to mention for the last month or so. It falls under the &#8220;2012 prediction&#8221; category so referencing it now still seems relevant. Plus it follows nicely with yesterday&#8217;s post on the <a href="/2011/12/27/5-hottest-sec-jobs-in-2012/">hottest security jobs</a> but is more focused on salary. I&#8217;ve added some commentary to the main points I pulled out just for the fun of it.</p>
<p>In summary &#8230;</p>
<ul>
<li>Infosec salaries should rise by an average of 4.5%. <em>[grecs: Yet those CEOs are getting 20%+ pay increases. Also my insurance premiums are still increasing by that same 20% so I guess I'll be 15.5% in the hole for 2012. But on the other hand ... at least we should be getting raises.]</em></li>
<li>There are lots of positions but not enough skilled people. <em>[grecs: Good for us I guess ... but it may also pollute our profession with people that don't really "care" as much about infosec and are just doing it for the money.]</em></li>
<li>Data security analyst is THE hot security job for the next year. <em>[grecs: Nice general title to mention there... It could mean almost anything.]</em></li>
<li>CISSP and Security+ certificates continue to be the most in demand. <em>[grecs: When will the OSCP get some respect?]</em></li>
<li>Application, mobile, cloud and virtual security will also be big. <em>[grecs: Yeah, guess that makes sense ... since it's been the same way for the past several years ... well maybe except for mobile.]</em></li>
</ul>
<p>via InformationWeek.com</p>
<blockquote><p>Good news for information security professionals: Expect salaries to increase by an average of 4.5% in 2012. Pay for chief security officers, meanwhile, is expected to increase by 3.9%.</p>
<p>Those predictions come by way of staffing agency Robert Half Technology, which last week released its 2012 Salary Guide, which details technology industry salary and hiring trends.</p>
<p>The report predicts that for 2012, many security jobs will be in high demand, especially for midlevel and senior roles. &#8220;Data security and protection, especially in industries such as banking and healthcare, will continue to be an in-demand area within technology,&#8221; according to the report. &#8220;In fact, 24% of CIOs polled by our firm cited security as their top professional concern.&#8221;</p></blockquote>
<p>Continued <a href="http://www.informationweek.com/news/security/management/232200152">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Today&#8217;s featured image is from <a href="http://hdistlouis.com/HDAOY.aspx">HDIStLouis.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/28/best-paying-infosec-jobs-for-2012/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>5 Hottest Sec Jobs in 2012</title>
		<link>http://www.novainfosecportal.com/2011/12/27/5-hottest-sec-jobs-in-2012/</link>
		<comments>http://www.novainfosecportal.com/2011/12/27/5-hottest-sec-jobs-in-2012/#comments</comments>
		<pubDate>Tue, 27 Dec 2011 15:30:16 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[analyst]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[architect]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[engineer]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[govinfosecurity]]></category>
		<category><![CDATA[network]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7366</guid>
		<description><![CDATA[As we start the new year out with all our resolutions &#8230; maybe one of your goals is to get a better job. Well earlier this month I came across an article that may provide some insight into some of the &#8220;hot jobs&#8221; for 2012 and beyond. As originally posted by GovInfoSecurity.com based on a study by Dice.com, they found the following jobs to be the ones to focus on. Security Analyst Security Architect Application Security Security Engineer Network Security In our general demographic (i.e., DC in the government sector) the biggest opportunities seem to be as Security Analysts, Security Engineers, and Network Security pros. If you&#8217;re looking for the biggest paycheck, although not as much fun, and are a bit more seasoned go for Security Architect positions. Also I found it strange that forensics wasn&#8217;t mentioned anywhere. GovInfoSecurity.com previously discussed how forensics was THE field to get into. We pointed out some of these posts here and here. It&#8217;s nice to have a study like this one that points out where the biggest opportunities may be however my overall advice is still to find a job you love. At least maybe this list will give you some starting points [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-7448" title="Mmm? How many of you infosec pros carry briefcases?" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/top5jobs.jpg" alt="Yield Sign Stressing the Top 5 Infosec Jobs for 2012" width="140" height="140" />As we start the new year out with all our resolutions &#8230; maybe one of your goals is to get a better job. Well earlier this month I came across an article that may provide some insight into some of the &#8220;hot jobs&#8221; for 2012 and beyond. As originally posted by GovInfoSecurity.com based on a study by Dice.com, they found the following jobs to be the ones to focus on.</p>
<ul>
<li>Security Analyst</li>
<li>Security Architect</li>
<li>Application Security</li>
<li>Security Engineer</li>
<li>Network Security</li>
</ul>
<p>In our general demographic (i.e., DC in the government sector) the biggest opportunities seem to be as Security Analysts, Security Engineers, and Network Security pros. If you&#8217;re looking for the biggest paycheck, although not as much fun, and are a bit more seasoned go for Security Architect positions. Also I found it strange that forensics wasn&#8217;t mentioned anywhere. GovInfoSecurity.com previously discussed how forensics was THE field to get into. We pointed out some of these posts <a href="/2011/07/18/forensics-as-a-career/">here</a> and <a href="/2011/09/27/careers-in-forensics-is-strong-add-cloud-its-hot/">here</a>.</p>
<p>It&#8217;s nice to have a study like this one that points out where the biggest opportunities may be however my overall advice is still to find a job you love. At least maybe this list will give you some starting points as you navigate through your career to discover that love.</p>
<p>via GovInfoSecurity.com</p>
<blockquote><p>Information security is one of those rare fields &#8211; it has more job openings than people to fill them. Dice.com, the largest IT job site, confirms this job growth and indicates a 79 percent increase in the total number of information security jobs posted on the site from September 2009 to September 2011.</p>
<p>Based on a review of job postings, here are the five hottest jobs for information security pros in 2012&#8230;</p></blockquote>
<p>Continued <a href="http://www.govinfosecurity.com/articles.php?art_id=4131">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Have any other suggestions for jobs to focus on in 2012? Let us know in the comments below. Today&#8217;s post image is from <a href="http://www.govinfosecurity.com/articles.php?art_id=4131">GovInfoSecurity.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/27/5-hottest-sec-jobs-in-2012/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2011/12/16/top-3-nova-infosec-blog-posts-of-the-week-107/</link>
		<comments>http://www.novainfosecportal.com/2011/12/16/top-3-nova-infosec-blog-posts-of-the-week-107/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 16:54:28 +0000</pubDate>
		<dc:creator>nathiet</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[infosec-blogs]]></category>
		<category><![CDATA[local-security-bloggers]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[security-bloggers]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7370</guid>
		<description><![CDATA[It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. You can take a look at what local security bloggers have been up to but if you can’t get enough of the local security scene, check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. As always feel free to check out what local security bloggers have been up to and also be sure to follow myself (@nathiet), @grecs, and @novainfosec on Twitter if you want to know more about what’s going on in the local security community during the week. Without further ado &#8230; here are the top picks for this week. First and foremost, we would like to say it has been #1000 Posts in 1000 Words &#38; Still Counting! so don&#8217;t be afraid to check out our history and future plans here! So without further ado, here are this week&#8217;s top 3 NoVA Infosec blog posts&#8230; #3 &#8211; Best Approach to Increase Cyber Security Professionals: We often hear that the cyber security field is growing and professionals are in demand. How should we fill this shortage of [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-5644" title="Blogs" src="http://www.novainfosecportal.com/wp-content/uploads/2011/07/d288e_top_three_ways_recruiting_is_changing_post.jpg" alt="" width="240" height="165" /></p>
<p>It’s that time of the week again: the time where we take a look at what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to. You can take a look at what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to but if you can’t get enough of the local security scene, check out our <a href="/resources/nova-email-lists-networking/novainfosec-twits/">NovaInfosec Twits list</a> for even more great security blogs and people to follow on Twitter.</p>
<p>As always feel free to check out what <a href="/resources/infosec-blogs-podcasts/">local security bloggers</a> have been up to and also be sure to follow myself (@<a href="http://twitter.com/nathiet">nathiet</a>), @<a href="http://twitter.com/grecs">grecs</a>, and @<a href="http://twitter.com/novainfosec">novainfosec</a> on Twitter if you want to know more about what’s going on in the local security community during the week. Without further ado &#8230; here are the top picks for this week.</p>
<p>First and foremost, we would like to say it has been #<strong>1000 Posts in 1000 Words &amp; Still Counting!</strong> so don&#8217;t be afraid to check out our history and future plans <a href="http://www.novainfosecportal.com/2011/12/11/1000-posts-in-1000-words-still-counting/">here!</a> So without further ado, here are this week&#8217;s top 3 NoVA Infosec blog posts&#8230;</p>
<p><strong>#3 &#8211; Best Approach to Increase Cyber Security Professionals:</strong> We often hear that the cyber security field is growing and professionals are in demand. How should we fill this shortage of professionals? @judykavuo covers how to increase the number of cyber security professionals in her latest blog post. Is it pushing students through the budding cyber security degree programs, or some other means? <a href="http://www.novainfosecportal.com/2011/12/09/best-approach-to-increase-cyber-security-professionals/">Click here</a> to find out what is best.</p>
<p><strong>#2 &#8211; Impact, Value, and What&#8217;s Really Important:</strong> Is risk more important than impact when talking about risk management? Ben Tomhave answers that question for us in his latest blog post. <a href="http://www.secureconsulting.net/2011/12/impact-value-and-whats-important.html">Click here</a> to find out his answer.</p>
<p><strong>#1 &#8211; New FedRAMP Program: Not Half-Baked but Not Cooked Through:</strong> If you have wanted to move your services to the cloud, look no further, as FedRAMP will help Federal Agency managers to adopt cost-saving and service-improving cloud computing solutions. @DanPhilpott examines the new FedRAMP program and guest writes his second article for us. <a href="http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/">Click here</a> to learn more about FedRAMP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/16/top-3-nova-infosec-blog-posts-of-the-week-107/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>New FedRAMP Program: Not Half-Baked but Not Cooked Through</title>
		<link>http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/</link>
		<comments>http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 14:33:04 +0000</pubDate>
		<dc:creator>DanPhilpott</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[dhs]]></category>
		<category><![CDATA[fedramp]]></category>
		<category><![CDATA[fisma]]></category>
		<category><![CDATA[gsa]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[omb]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7264</guid>
		<description><![CDATA[The long wait for a key Federal cloud computing program is over with the launch today of FedRAMP. FedRAMP will help Federal Agency managers to adopt cost-saving and service improving cloud computing solutions. For over two years the Federal government&#8217;s &#8220;cloud first&#8221; policy has floundered. Government executives and managers moved cautiously on adoption concerned about possible insecurity of the platform and the costs for FISMA authorization of complex cloud computing solutions. Cloud Service Providers (CSP) have likewise been concerned with how different agencies had conflicting requirements and interpreted security control requirements differently. With multi-tenant solutions CSPs were beset by each tenant Agency wanting their own authorization, making business with the government a frustrating affair. While there have been notable wins for cloud vendors over the past year many Federal systems that would benefit from a move to the cloud had the moves delayed until better policy and guidance was available to address those concerns. FedRAMP Arrives FedRAMP supplies the policy and guidance starting with the release by Federal CIO Steven VanRoekel of the FedRAMP memo, Security Authorization of Information Systems in Cloud Computing Environments [PDF]. As FedRAMP develops additional documentation it will be posted at the GSA hosted FedRAMP.gov site. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-7268" title="FedRAMP" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/fedramplogo.jpg" alt="FedRAMP Logo" width="175" height="175" />The long wait for a key Federal cloud computing program is over with the launch today of FedRAMP. FedRAMP will help Federal Agency managers to adopt cost-saving and service improving cloud computing solutions.</p>
<p>For over two years the Federal government&#8217;s &#8220;cloud first&#8221; policy has floundered. Government executives and managers moved cautiously on adoption concerned about possible insecurity of the platform and the costs for FISMA authorization of complex cloud computing solutions.</p>
<p>Cloud Service Providers (CSP) have likewise been concerned with how different agencies had conflicting requirements and interpreted security control requirements differently. With multi-tenant solutions CSPs were beset by each tenant Agency wanting their own authorization, making business with the government a frustrating affair.</p>
<p>While there have been notable wins for cloud vendors over the past year many Federal systems that would benefit from a move to the cloud had the moves delayed until better policy and guidance was available to address those concerns.</p>
<h2>FedRAMP Arrives</h2>
<p>FedRAMP supplies the policy and guidance starting with the release by Federal CIO Steven VanRoekel of the FedRAMP memo, <a href="http://cio.gov/fedrampmemo.pdf">Security Authorization of Information Systems in Cloud Computing Environments</a> [PDF]. As FedRAMP develops additional documentation it will be posted at the GSA hosted <a href="http://fedramp.gov">FedRAMP.gov</a> site.</p>
<p>To make FedRAMP a reality a variety of organizations including GSA, NIST, CIO Council and OMB have worked to find ways to meet the many Federal security requirements for IT systems, manage the risk to government systems and make cloud computing adoption a straightforward process for everyone. Crowd-sourcing has played a huge role in development and many public and private organizations and individuals contributed throughout the process.</p>
<p>The FedRAMP program is a centralized method to assess and authorize (A&amp;A) cloud computing systems under a streamlined FISMA process. By centralizing the process some key objectives can be met.</p>
<p>A CSP only has to go through authorization once. Subsequent customers can then leverage or re-use that authorization. If an agency has specific requirements then only the delta between the baseline FedRAMP and the agency controls needs to be addressed.</p>
<p>Cloud computing A&amp;As are handled by FedRAMP components and third-party assessor organizations (3PAO) who can develop specialized skill sets for cloud computing. This will encourage development of cloud focused security staff and rapid maturation of processes focused on understanding the risks involved with cloud computing.</p>
<p>Compliance is only a component of good security. FedRAMP represents a minimal set of required security controls, a limited subset of the controls most systems would be required to have in place and operating effectively under normal FISMA authorization processes. FedRAMP should be seen as a starting point, a demonstration of due diligence on behalf of the CSP. Like any authorization in the Federal government, departments and agencies should use this process to determine whether the security is commensurate with the risk and magnitude of harm resulting from the cloud system being compromised or made unavailable.</p>
<h2>How Does It Work?</h2>
<p>The final FedRAMP concept of operations (CONOPS) and governance model have yet to be released but the basic process will involve six components: Joint Authorization Board (JAB), Program &#8230;</p>
<p>Continued on page 2 for <a href="/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/2/">some gotchas, if FedRAMP applies, and its current maturity</a>&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Body Hacking: NovaInfosec Holiday Challenge</title>
		<link>http://www.novainfosecportal.com/2011/12/06/body-hacking-novainfosec-holiday-challenge/</link>
		<comments>http://www.novainfosecportal.com/2011/12/06/body-hacking-novainfosec-holiday-challenge/#comments</comments>
		<pubDate>Tue, 06 Dec 2011 06:09:59 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[body]]></category>
		<category><![CDATA[challenge]]></category>
		<category><![CDATA[exercise]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7173</guid>
		<description><![CDATA[I came across a tweet that mentioned the Lifehacker Workout and thought it was an excellent effort for giving geeks the motivation to get a little more exercise. They used a service called Fleetly.com to build out several individual workouts and then incorporated these workouts into a challenge. They set a target of 15 workouts over a period of one month with 3 to 4 workouts per week. Although the Lifehacker workouts and challenge looked great, I was looking more for something that could provide a little motivation each day just to get off my butt and walk around a bit &#8230; and maybe do a few strength exercises. I try to work out a few times each week already so I just wanted this to be something that would motivate me during the day to get out and away from the computer for a bit. Using the Fleetly.com service I created a simple 20 minute per day exercise plan (baby steps here) and thought others in the local community might be interested in participating as well. Here is a quick description of the workout I created on Fleetly.com. Just a quick 20 minute break with some walking and a few strength [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7176" title="In One Month Get to This" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/howtoincreasemusclesize-234x300.jpg" alt="Body Builder" width="140" height="180" />I came across a tweet that mentioned the <a href="http://lifehacker.com/5849408/monday-30+40-minute-full-body-workout?tag=thelifehackerworkout">Lifehacker Workout</a> and thought it was an excellent effort for giving geeks the motivation to get a little more exercise. They used a service called Fleetly.com to build out several individual workouts and then incorporated these workouts into a challenge. They set a target of 15 workouts over a period of one month with 3 to 4 workouts per week.</p>
<p>Although the Lifehacker workouts and challenge looked great, I was looking more for something that could provide a little motivation each day just to get off my butt and walk around a bit &#8230; and maybe do a few strength exercises. I try to work out a few times each week already so I just wanted this to be something that would motivate me during the day to get out and away from the computer for a bit.</p>
<p>Using the Fleetly.com service I created a simple 20 minute per day exercise plan (baby steps here) and thought others in the local community might be interested in participating as well. Here is a quick description of the workout I created on Fleetly.com.</p>
<blockquote><p>Just a quick 20 minute break with some walking and a few strength exercises. It is designed to be done in an office environment so there aren&#8217;t any exercises that&#8217;ll make you look silly. Thanks to Lifehacker and their Simple 30-40m Full Body Workout that I used as a base.</p>
<p>15 minutes of walking with the goal of increasing your distance each week</p>
<p>5 minutes of strength exercises with the goal of increasing your reps each week</p>
<ul>
<li>5 push-ups</li>
<li>15 squats</li>
<li>15 calf raises (find some steps)</li>
<li>5 bench dips (on an office chair)</li>
</ul>
<p>Note that the starting reps are minimal so please start out with more if you can.</p></blockquote>
<p>The challenge itself uses this workout and runs from 12/6 through 1/6. The person with the most points gets a wifi detection t-shirt. I should have some stuff lying around for second and third place prizes as well. Watch here for updates&#8230; If you&#8217;re interested in joining, click on the link below and sign up.</p>
<p style="text-align: center;"><strong><a href="http://www.fleetly.com/challenges/289/">NovaInfosec Holiday Challenge</a></strong></p>
<p style="text-align: left;">Cue pump-it-up music&#8230;</p>
<p><iframe width="576" height="324" src="http://www.youtube.com/embed/wyx6JDQCslE?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"> So why don&#8217;t you join &#8230; &#8220;we&#8217;re gonna pump you up!&#8221; Hey and there&#8217;s even an iPhone app&#8230; Today&#8217;s post photo is from <a href="http://buildmuscleace.com/how-to-increase-muscle-size/">BuildMuscleace.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/06/body-hacking-novainfosec-holiday-challenge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Weekly Rewind – Top Industry News, Local Jobs, ShmooCon Tics &amp; More</title>
		<link>http://www.novainfosecportal.com/2011/12/03/weekly-rewind-%e2%80%93-top-industry-news-local-jobs-shmoocon-tics-more/</link>
		<comments>http://www.novainfosecportal.com/2011/12/03/weekly-rewind-%e2%80%93-top-industry-news-local-jobs-shmoocon-tics-more/#comments</comments>
		<pubDate>Sat, 03 Dec 2011 21:44:09 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[barcode]]></category>
		<category><![CDATA[carrieriq]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[jobs]]></category>
		<category><![CDATA[md5]]></category>
		<category><![CDATA[shmoocon]]></category>
		<category><![CDATA[skype]]></category>
		<category><![CDATA[whowas]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7128</guid>
		<description><![CDATA[I skipped last week but am back for more with another Weekly Rewind post&#8230; The industry news is from this past week however our blog posts go back about two weeks to the last Weekly Rewind. Also I didn’t include some of our standard articles due to their time relevancy. For some of those readers that may not have noticed, I actually tack on commentary to the industry articles &#8230; so check out my italicized/bolded opinions and let me know if you agree in the comments. Lastly, take a zoomed up gander at the job application image to the right that @mubix posted earlier this week. North Carolina is probably one state I won&#8217;t be applying to&#8230; Industry Articles Cracking MD5 Passwords with BozoCrack: A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply &#8220;cracks&#8221; md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but it's pretty dang effective. (continued here) [@grecs: [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://i.imgur.com/hWsZT.jpg"><img class="alignright" title="If So List Your Username and Password" src="http://i.imgur.com/hWsZT.jpg" alt="" width="254" height="152" /></a>I skipped last week but am back for more with another Weekly Rewind post&#8230; The industry news is from this past week however our blog posts go back about two weeks to the last Weekly Rewind. Also I didn’t include some of our standard articles due to their time relevancy.</p>
<p>For some of those readers that may not have noticed, I actually tack on commentary to the industry articles &#8230; so check out my italicized/bolded opinions and let me know if you agree in the comments. Lastly, take a zoomed up gander at the job application image to the right that @<a href="http://twitter.com/mubix">mubix</a> posted earlier this week. North Carolina is probably one state I won&#8217;t be applying to&#8230;</p>
<h2>Industry Articles</h2>
<p><strong>Cracking MD5 Passwords with BozoCrack:</strong> A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply &#8220;cracks&#8221; md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but it's pretty dang effective. (<a href="http://pauldotcom.com/2011/11/cracking-md5-passwords-with-bo.html">continued here</a>) <em><strong>[@grecs: Here's a useful tool that automates Google hash cracking.]</strong></em></p>
<p><strong>ARIN Launches WHOWAS:</strong> American Registry for Internet Numbers (ARIN) is running a trial service that gives users access to historical IP whois data — that is, it will tell you who was responsible for an IP address or block of IPs. The service is not automated and if you want to access it you will need to submit a request via email with information about not only what you want to know, but why you are interested in accessing the information. (<a href="http://www.circleid.com/posts/20111128_arin_launches_whowas_service_historical_registration_info/">continued here</a>) <em><strong>[@grecs: Might be useful... How would you use this data on a pen test?]</strong></em></p>
<p><strong>Dutch Researcher Created A Super-Influenza Virus With The Potential To Kill Millions:</strong> A Dutch researcher has created a virus with the potential to kill half of the planet’s population. Now, researchers and experts in bioterrorism debate whether it is a good idea to publish the virus creation “recipe”. However, several voices argue that such research should have not happened in the first place. (<a href="http://www.doctortipster.com/6952-dutch-researcher-created-a-super-influenza-virus-with-the-potential-to-kill-millions.html">continued here</a>) <em><strong>[@grecs: Maybe not an infosec story but it does parallel our disclosure debate some. Of course it's a lot harder to biologically patch people.]</strong></em></p>
<p><strong>Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises:</strong> The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future&#8230; (<a href="http://ftc.gov/opa/2011/11/privacysettlement.shtm">continued here</a>) <em><strong>[@grecs: Finally, someone is stepping up however there's probably so many loopholes that it'll probably be useless. For example, Facebook could simply pop up new mini-ToSs that people are just going to click through without reading.]</strong></em></p>
<p><strong>BUSTED! Secret app on millions of phones logs key taps:</strong> An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration. (<a href="http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/">continued here</a>) <em><strong>[@grecs: iPhone coverage regarding this came up later in the week. At least it was disabled by default in most cases.]</strong></em></p>
<h2>Our Blog Posts</h2>
<p><strong>Job: Security Engineer II in Fairfax, VA:</strong> Looks like a great job opportunity has turned up over at the NoVA Hackers Association’s facility host. I know several of the folks that work in their security department over there and it seems like a challenging and rewarding place to work. The Company ICF International (NASDAQ:ICFI) partners with government and commercial clients to deliver professional services and technology solutions in the energy and climate change; environment and infrastructure; health, human services, and social programs; and homeland security and defense markets. (<a href="/2011/11/25/job-security-engineer-ii-in-fairfax-va/">continued here</a>)</p>
<p><strong>Skype and the Enterprise:</strong> I read an interesting article this morning over on InfosecIsland.com that discussed the security of using Skype in the enterprise. As expected it didn’t give us the magic “yes” or “no” but instead the typical “it depends.” Overall, I thought the author made a very good point in that we trust a lot of our data to third parties, as I’ve mentioned in my teleconference security post, and Skype is just another third-party. The decision to use Skype should just follow the same considerations you’d normally take when acquiring any new third-party service. (<a href="/2011/11/28/skype-and-the-enterprise/">continued here</a>)</p>
<p><strong>Job: Senior Cyber SME in Dulles, VA:</strong> This position over at Technica looks like a great opportunity for any of the more seasoned among us. It requires a masters, 5 years experience, and someone that really knows how to reverse engineer malware. And I can tell this manager knows how to hire the right kind of people &#8230; &#8220;Required Technical Certifications: None Required&#8221;. <img src='http://www.novainfosecportal.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  Company Description Technica is an innovative provider of high quality information technology solutions, process engineering and information assurance expertise. (<a href="/2011/11/30/job-senior-cyber-sme-in-dulles-va/">continued here</a>)</p>
<p><strong>Top 5 Tips for Snagging that ShmooCon Barcode:</strong> Today’s the day … or at least one of three days throughout the year where we drop everything around 11:55 AM EST, head over to the ShmooCon registration page, and start F5ing the hell out of our computers with the hope of getting a barcode. Being someone that’s attended ShmooCon for four or so years now, I thought I’d pull together some of my tips for getting ShmooCon tickets. I’ve written about this previously however the ticket process has significantly changed since 2009. (<a href="/2011/12/01/top-5-tips-for-snagging-that-shmoocon-barcode/">continued here</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/03/weekly-rewind-%e2%80%93-top-industry-news-local-jobs-shmoocon-tics-more/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

