skills for work and skills for getting work

Chuvakin has a great post over at his blog where he talks about what skills you should be focusing on, such as skills that help land you jobs or skills that help you do jobs. I think I agree with all the points made.

Getting past an HR filter to land a job is a sort of small-time thing. You can apply for 20 jobs and you just need to get through and hired once. After that, you have, usually, several years to either prove your worth or get booted out for not being able to do the work. The bottom line is you need to be able to do the work.

I also believe that the deeper and more versed one becomes with the “skills that help you do your job” the easier it is to demonstrate those skills to someone else. For instance, it might seem hard to demonstrate a web app weakness to a manager…unless you’ve done it so much you can pretty much spot them on sight (insert some allusion to MagicEye pictures that often take a lot of work to see the first time, but once you get it, you can get it faster and faster).

You know you’re good with a router or firewall or load balancer when someone throws you a strange question and you figure out some interesting way to do it that wouldn’t have been obvious without a few years of experience. That skill might not get you a new job, but it will certainly cement your place in a current job!

possible issues with windows handling lnk files

Just read (and had to re-read several times) a quick vulnerability announcement over on US-CERT for how Windows handles LNK files. From the sounds of this, all you need to do is view the location of the malicious LNK file to have it execute code. It’s still not entirely clear if this means viewing the containing folder in Windows Explorer, clicking the LNK file (duh), or something else.

This might be interesting, as it is not uncommon for users to mistakenly attempt sending .LNK files via email, rather than attaching the actual target file of their silly shortcut. And LNK files litter corporate network shares…

If just viewing the file sitting in a folder is enough to trigger this, it’s kinda reminiscent of older issues with Windows Explorer displaying certain files like DLL files on network shares. Just the act of looking in the direction of the file was enough to cause issues!

network diagrams: an underappreciated art

Why your network diagrams suck (and they do, which is sad because it’s a fundamental IT need):

1. You don’t have any.

2. You pooped them out last week.

3. You tried to put everything on one drawing (VLANs, servers, network gear, port-specific connections, IP addresses, serials, virtualization…).

4. You didn’t include enough info to answer questions the diagrams are meant to answer.

5. You have too many diagrams and they conflict. (Also see next.)

6. You don’t update them as you make changes (if you update them at all).

7. You auto-generate them from some network scan tool or inventory tool, and they just look like ass no matter what you do (or don’t say enough to be meaningful).

8. They all look and feel completely different because 4 different people maintain their own diagrams for what they control.

9. You don’t make diagrams from the viewpoint of the intended audience. What works for you won’t work for your contractors, auditors, developers, security/compliance, customers.

passive credibility is easy with social networking

Just perused on DarkReading an article about a social networking experiment centered around fake profile “Robin Sage.” I know the article is maybe a bit sensationalist and simplistic, but I fail to see why someone accepting a friend with a fake profile is a Big Deal.

(Disclaimer: I didn’t know about Robin Sage nor have any interaction with this experiment. I’m feeling left out!)

There *are* some interesting aspects, and I hope the forthcoming BlackHat USA talk will expound on some of these issues, and leave alone the silly “omg I friended a bot” aspect. This is a lot like saying someone is dumb because they looked down when you pointed and said their shoe is untied.

1. People put stupid (and valuable) stuff online. Sure, Facebook and other places may seem like they’re private, but really they’re not when you don’t properly vet friend requests. Once you have more than 50, you simply can’t keep them all properly identified and you’ll likely start getting into the 2+ degrees of separation; i.e. the friends of your friends, and so on. So putting even your day-to-day boring diary bits out there can be revealing when you’re, say, in the military. Hell, you can even get closer to home and post that you’re out of town for a weekend, which can lead to a break-in by someone close to you. Or be stalked by someone obsessed with you. Sure, most of the time nothing will happen and certainly few people are truly targets of interested parties trying to piece together information from 1,000s of sources like a nation-state espionage net, but there is still risk in throwing such activities to the digital winds.

2. Passive credibility. I think this is far more interesting! If you want to gain some instant “credibility” in social networks, you don’t start pestering people when you have 0 followers/friends/connections. You start going after the ones who auto-follow you back. Then target the ones who seem to have so many, that there’s no way they can closely monitor them all. By then, you’ll have plenty of “names” that others will recognize, which can lend some immediate “credibility” for people who superficially check you out. And you can just slowly work from there. This is really all old hat, but effective.

Take Ligatt’s twitter account, for instance. At least early on, almost all of his followers were celebrities or other accounts that only follow-back out of politeness. He might have 500 followers, but 490 of them were never reading a thing he wrote. Likewise look at some of the #LIGATT infiltrators trying to redeem the company’s services through twitter posts. They scream “fake” because of the sub-2 followers/followees.

How does a spy not look like a spy? By having a presence in the community and with friends/neighbors such that they appear to be an average citizen. Not some loner, curmudgeon who looks over his shoulder constantly and only does yard work at night or only gets visitors who look like they’re Russian army castoffs.

Not so much these days, but certainly in the earlier decades of the Internet we all had this ability to take on a fake persona and build up a “brand” around it. Back then it was called having an online nick/handle/screenname. Today, we have so many average people using their real names online that seem so very surprised, shocked, that such subterfuge happens! To those of us that have done these things in the past, this is certainly not new or surprising or even that hard.

3. Assets. Sure, most people don’t have anything to worry about. But plenty of people should be aware of how potentially valuable they may be to foreign agents (foreign being different/opposed to you, whether it be national or corporate). There have been decades of work done on turning assets in the meatspace of espionage, and much of that work is far easier in the online realms.