Not much has happened on the their Blogger site yet but the discussion on Google immediately took off with over 400 posts and 64 members as I write this. Since this group is in the “forming” phase, most of the discussion is all about how this association is going to work, everyone doing introductions, and of course ShmooCon tickets. Currently, it looks like they are going to try to hold two events each month. One will be the traditional luncheon that @mubix has been organizing for the past year. The second event may be a more formal evening meetup with presentations and all.

Joining seems to be pretty similar to the Freemasons. You have to be invited by a current member or a current member has to invite you. Additionally, there seems to be a requirement to be active. @mubix and crew will be skimming membership every few months and deleting lurkers. I think these two controls will go a long way to helping stem the prevalence of spam. But please remember that they are still in the development stages of putting this thing together so the “rules” may change over time.

You can find out more information on the NoVA Hackers Association on our NoVA Meetups page. Also keep up to date and help morph this group into what it will be by visiting them over at their Google Group!

If you’re a local security blogger that would like to be considered for this feature, please feel free to shoot us an email or send us a tweet @grecs. We also have a handy list of local bloggers, so be sure to contact us if you aren’t already on the list!

#3 – Election Woes: Just when you thought the election headache was over, @geminisecurity proves you wrong. Because while the election itself might be over, the controversy over voting machines is just beginning. In their post “AVC Advantage Attack,” @geminisecurity points out the fact that you can learn to hack a voting machine for around $20, and it’s a fairly simple task. That’s right: We are voting on machines that are not only easy to hack, but aren’t even regulated! Something tells us that George Washington is rolling over in his grave. Be sure to check out the full post here. 

#2 – Simple Security: We’ll be honest; this post got our attention before we even read it. With a title like “Simplicity is Security,” how could it not? Taking an interesting look at security by examining the use (or lack thereof) of debit and credit cards in Japan, @mubix makes some excellent points about how our desire to jump on every technological advance that comes along is making it harder to have good security. After talking about how people in Japan usually don’t have credit cards, debit cards, or do any of their banking online, @mubix poses the following question to his readers: “Should we continue down the path of “MORE SECURITY” or should we deviate a bit for simpler, possibly non-technical practices?” While we can’t say that we totally agree with the route of non-technical practices, we do believe that there is a happy medium. To answer the question for yourself, why not check out the full post?

#1 – Careers in Security: With the current economy being what it is, career advice had become rather popular as of late. Richard Bejtlich of TaoSecurity jumped on the career advice train this week in his post “Thoughts on Security Careers.” Quoting a number of different posts that deal with popular career trends and career advice for security professionals, Bejtlich gives his own insight, tips, and tricks. Even if you’re not interested in leaving your current job for another, this post is a must-read.

Well, that’s all for this week. Be sure to check back next week for more great reads from security professionals in your community.

Our official #totw was a RT by @mubix:

grecs RT @mubix RT @secureideas: “When pen tester tells U they luv something, get it off yr network.” @agent0×0: “I luv Sharepoint.” #defcon #totw

Honorable mention belongs to this tweet by @technogeezer because it’s so true!

grecs LOL.. RT: @technogeezer: Someone here at CSC now refers to physical meetings as getting together in ‘meatspace’ #totw

Now, on to the posts!

#3 – Lessons From the Sandbox: If you are  looking for great technical posts, @geminisecurity should be your first stop. Their latest post, “Protect Your Computer By Running Applications in Sandboxie” talks about the Windows utility Sandboxie—a program that allows you to run “applications in an isolated environment on your computer so you can protect yourself from malware, surf the web, and maintain your registry without affecting your host system.” They also note that “Sandboxie is a good alternative to setting up a virtual machine, especially if you just want to run a quick test or two without having to wait for an entire operating system to boot up.” Be sure to read the post and learn more about Sandboxie here.

#2 – The Bureaucracy Is Down: In his post “Blast From the Past,” TaoSecurity’s Richard Bejtlich uses an example from his own life that illustrates the sometimes ridiculous nature of tasks given by large organizations. In Bejtlich’s case, it was the Air Force that had given him and his co-workers what seemed to be an impossible mission: Centralize Air Force email within the course of a few months. Needless to say, such a feat was impossible in such a small amount of time. But now, nearly 11 years later, Bejtlich says that it is finally happening; that Air Force email will be starting the centralization process at Keesler Air Force Base, Miss. But as he says at the end of his post, “[s]o, about 11 years after being told to accomplish the same task, the effort will be done! I think there are lessons here for anyone with a similarly large, bureaucratic, turf-centric, distributed, decentralized, global organization.” Be sure to read the full post here.

#1 – Help Isn’t Coming: Leave it to @rybolov to hit the nail on the head when it comes to the Cybersecurity Coordinator position and why, even after two months, it still hasn’t been filled. In his post “Help Wanted,” he poses the following question: “So let me give you a hypothetical job: You have to give up your high-paying private-sector job to be a Government employee. You have tons of responsibility. You have no real authority. You have no dedicated budget. You have no staffers. The job has had half a dozen people filling it in the last 7 years. The job has been open longer than it’s been staffed over the past 7 years.” Does that sound like a job that any of you would want? Didn’t think so. By being blunt (unlike government officials), @rybolov makes excellent points as to why the Cybersecurity Coordinator position is still empty, and will likely remain that way unless something changes. Be sure to read his full post here.

Well, that’s all for this week. Be sure to follow us @grecs for more great posts throughout the week!

In other words, the perfect reading material to go with your morning coffee.

Now, on to the posts!

#3 – Plan for BSOFH Happiness: Half sarcasm, half advice, @rybolov’s post “Federated Vulnerability Management” gives the nitty-gritty on government patch and vulnerability management. After talking about what’s wrong with government patches and vulnerability management, he recommends using SCAP to ‘fix’ the mess. While the post is a little longer than usual, it’s definitely worth the read.

#2 – Sexism, Religion, and Hackers: This is a topic that isn’t discussed enough. While DojoSec’s Marcus J. Carey did a v-blog post about sexism in the security field a little over two months ago, there hasn’t been much discussion about it since. That’s why it was refreshing to see @mubix respond to a post by @shazzzam and others about females in information security. Let’s be honest: it’s not fair, and there is a bias. But as @mubix points out, “[s]exism, and for that matter, any “-ism” is flawed on both sides.” This is a highly controversial post, but one that should be read. You can read the full post here.

#1 – White Hat for a Million: After his post “Black Hat Budgeting” got a fair amount of response last month, author and speaker Richard Bejtlich decided to revisit the million dollar security question this month by figuring out what white hat security could do with a million dollars compared to what black hat could do. The results? Not exactly pretty. As Bejtlich says at the end of his post, “I am much less comfortable building out this team, compared to the Black Hat Budgeting exercise. There are way too many variables involved in defending any enterprise.” With roughly $850,000 spent on staff, there’s only $150,000 left for technology. How does Bejtlich break it all down? Read the full post to find out.

Well, that’s all for this week. Be sure to follow me @grecs during the week for more great posts from local bloggers.

o o o o o

Know a blog that should be considered for our “Top 3 NoVA Infosec Blog Posts of the Week” feature? If so, send us a tweet with a link to the blog and the request for us to check it out.

While he doesn’t have a post featured this week, we would also like to introduce local NoVA blogger @bobgourley. Please take a moment to visit his Twitter feed or his blog and welcome him to the local infosec community.

Now, to the posts!

#3 – The Mystery of SSL: The post “How does SSL work anyway?” post published by @geminisecurity this week was not only useful, but witty. Likening SSL to a handshake—“[i]t’s like the secret handshake you used in grade school to get into your clubhouse”—@geminisecurity had some useful tips and tricks about Server Authentication, Client Authentication, References, and other SSL protocols. You can check out the full post here.

#2 – Resources Galore: It seems that @mubix is the man to talk to if you’re looking for great security resources. Posting what he described as “Getting your fill of Security,” this week, @mubix is now keeping a running list of security podcasts, security bloggers, security-related Twitter accounts, and sites that you’re free to hack. You can check out the list here. You can also check out our list of security resources for additional information.

#1 – 60 Day Surprise: After President Obama gave his remarks on Cyber Security earlier in the week, Richard Bejtlich wasted no time before blogging his own thoughts about the President’s controversial speech. While we read a lot of tweets and blog posts this week that dealt with Obama’s ultimate stance on Cyber Security, we felt that Bejtlich’s was by far the best. Not only did he provide an intelligent commentary about what President Obama said, he also created an ‘imaginary’ speech of “what I would have liked to have heard [from President Obama].” This is a must-read post for anyone in the field, as the President’s stance on Cyber Security will affect all of us in some way. You can read the full post here.

Well, that’s all for this week. As always, we’d love to know if there are any other NoVA bloggers out there would would like to be considered for our “Top NoVA Infosec Blog Posts of the Week” feature. If so, leave a comment below or send us a tweet @grecs.

o o o o o

How Ironclad is your information?

View our Calendar for a list of similar infosec events in and around the NoVA area. See our original post for more information about this meetup.

o     o     o     o     o

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

An informal meetup of security professionals in the NoVA/DC area, this is a great chance to take a longer lunch and get to know some local professionals that you may not have had the chance to meet before. 

You can view additional details about this meetup below.

• Who: @mubix and whoever else shows up
• What: NoVA/DC Luncheon Meetup
• When: 05-21, around lunchtime
• Where: Rossyln, VA (be sure to contact mubix for full meetup details)

o     o     o     o     o

Do you have your summer reading yet?

That’s the title (or part of it, anyways) of Matt Watchinski’s talk at the upcoming DojoSec meetup this Thursday, April 2nd. As much as we’d like you to guess what the rest of the title is (there would be some interesting answers, we’re sure), we’ll be a good sport and just tell you.

The full title is “1 Byte, 5 Minutes, Holy Hot Tuna,” which is related (but mostly unrelated) to what Watchinski will be discussing: The recent flaw in Adobe Acrobat and Acrobat Reader. 

Watchinski will discuss the entire process behind discovering the flaw, including how he gathered intelligence through exploitation, mitigation, and vulnerability disclosure. He’ll also discuss why the VRT decided to release a third-party patch and why the flaw caused a mini media circus.

Watchinski’s fellow speaker, Rob Fuller (known as Mubix to many of you) also went the way of a creative title for his talk, giving a presentation entitled: “From Couch to Career in 80 Hours.” The thing we love most about his title? The fact that he didn’t promise to work miracles in 1 hour. 80 hours sounds about right for what Fuller is hoping his audience will want to accomplish.

In Fuller’s crash course about what the DojoSec site describes as “hacking your career,” Fuller wants to give his audience tips that will help them take them to the next level professionally. While a lot of Fuller’s talk will appeal to the hacker part of security professionals (cyber-stalking potential employers, anyone?), Fuller will also cover practical issues that are often overlooked, such as how to accept an offer letter.

Sound like something you might want to attend? The great news is that now you can ‘attend’ the meetup virtually as well as in person. The DojoSec meetup will be streaming live via their Ustream channel.

If you’d like additional information about this meetup, look no further then below. 

• Who: Rob Fuller (Mubix), Room362.com and Matt Watchinski, Sourcefire 
• What: “From Couch to Career in 80 hours” by Fuller and “1 Byte, 5 Minutes, Holy Hot Tuna” by Watchinski
• When: 04-02, 6:00-9:30 PM EST
• Where: Capitol College (11301 Springfield Road, Laurel, Maryland 20708)

For more information on DojoSec, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to more information about the DojoSec meetup.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.