One of my favorite Security writers, Bruce Schneier, had an interesting entry last week called Reacting to Security Vulnerabilities where he discusses the recent reports about the security flaw in the SSL protocol and how we as users should relax and essentially, ‘do nothing.’  “What?!? – Do nothing??”  Yup, and he has some good reasons why.  Usually, new exploits, threats, breaches and the typical security stuff that garners the headlines, makes security folks jump.  Jump to search the internet for anything related, jump to see if our systems are infected or vulnerable, jump to put an action plan in place to reduce the risk.  These are reactionary behaviors when gloom gets delivered and we fully don’t understand the risk.  I’m not saying ignore warnings or plan for the worst, but since several new ‘weaknesses’ seem to get published on a monthly basis, you do need to prioritize and put some context around it.

With anything in life, there are certain things we have control over and others we do not.  For many years now, we’ve been warned that it is risky to click on embedded links in a suspicious email or dangerous to click through the certificate warnings from your browser and hopefully many people have changed their behavior.  That’s within our control.  But when a researcher finds a specific vulnerability in a particular protocol, potentially affecting several vendors, there is really not much an individual user can do.  Sure, you or the IT department can check with their vendor to see if it applies to their product but would you immediately stop using something when it’s a critical part of your infrastructure.  Once again, which is usually the case for security, you must weigh the risks and determine if it’s within your control.  Bruce points out that many of the vulnerabilities affect systems that are out of our control and if your data is already out there, unplugging your computer will not lessen the potential exposure.

What you can do is simply stick to your general security practices (AV/FW, OS patch, Auto updates, backups, common sense), which already protect you from a slew vulnerabilities but let the experts/vendors figure out the best way to handle new exposure(s) since they must deal with them on a daily basis.  If the risk is too great and your infrastructure is vulnerable, push your vendor for an answer.  Most vendors, especially with security products, are fairly reasonable and typically move fast when it comes to security holes – their reputation and revenue are at risk.  You can also report to CERT if you’re not getting a response but most vulnerability ‘finders’ alert the vendor fist and give them a chance to fix or respond to it.

Protecting yourself from the multitude of threats on the internet can be daunting, never ending, and always changing so you do need to be vigilant with the things you can control but as you peruse the Top 9 Beaches of 2009 or the Top 15 Most Common Attacks, you find there was/is little you could do to avoid them.

ps

• #25 out of 26 Short Topics about Security
• Previous stories: 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

*For the record, F5 is listed on the US-CERT site as being potentially vulnerable but we have tested our products/versions and are not vulnerable to this issue.  F5 Networks has published a security advisory in the past to cover similar vulnerability and provide best practice recommendations. These best practice recommendations can be found at the F5 support site:

https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6999.html

https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html

This week marked one year since it first went online 12/8/08.  It is satisfying to me to maintain this site and I am very pleased that a fair amount of you find it useful.  We even have folks from other CERT’s checking us out occasionally.

Wow, close to 60 folks turned out for the holiday event this week!  There was plenty of good food to share and camaraderie for all.  Personnel from BSCFD and SCPD were also on hand to express their thanks to the CERT members.  Our own Christy Adonis and Redwood City’s Ernie Gomez spoke a few words on the good year we had and look forward to more joint training exercises in the future.  There is now talk of a summer get together, so stay tuned and check back here for further details.

Sales at the CERT merchandise table were brisk all evening, guess it’s time for me to re-stock.  Photos from the event are now on the online CERT photo album (use the link at right)

Happy Holidays to everyone out there, stay warm, dry & safe! (oh, and prepared!)

Hayman will have the following items available for sale at tomorrow’s get together.  Glow Sticks make great stocking stuffers!

Quantities are limited on some items!!

• CERT caps $11 ea
• LED Glow sticks $4
• CERT lapel pins $4
• LED flashlights $3.25

The location has been changed to the Community Rooms on the second floor of  San Carlos Library.  Address is 610 Elm Street, next door to City Hall.   This will be a warmer location than the FS14 equipment bay originally planned, and will have plenty of seating.  Redwood City CERT has also been invited to participate.

We will have full access to the kitchen, making things more convenient for food prep.

Do Internet passwords protect personal information from unwanted intrusion? How can you be sure if someone on-line is who they say they are? Does anti-virus software really protect your hard-drive?

To help parents, educators, students and individuals with these questions and many others associated with wide usage of the Internet, the Pittsburgh Supercomputing Center (PSC) has created SAFE-Net, a program of cyber-security awareness. Through SAFE-Net, PSC presents workshops that train educators and provide materials for classroom learning — developed in collaboration with in collaboration with the CERT (Computer Emergency Response Team) Program at CMU’s Software Engineering Institute. These materials address cyber threats, measures of protection, and questions of cyber ethics that arise as a result of social networking and other wide uses of the Internet.

The SAFE-Net website provides free information, including classroom and parent materials about cyber-security issues, with lessons geared to grade levels 1-3, 4-6, and 7-12.

“Many Internet users lack an understanding of common threats they may face online,” says Cheryl Begandy, PSC director of education, outreach and training. “Among parents, many lack confidence that their child is safe when using the Internet.”

“Cyber security involves more than small barriers, such as anti-virus software and knowing to delete spam,” says Wiam Younes, training and awareness coordinator with CMU’s Information Security Office, who has collaborated with PSC on SAFE-Net content development and training. “It requires a wall of defenses, and the SAFE-Net program is geared to provide thorough cyber-security education in three areas: cyber ethics, cyber safety, and cyber security.”

PSC has held two Cyber-Safety Train-the-Teacher workshops introducing SAFE-Net to 18 Pittsburgh-area teachers.

SAFE-Net is funded by an NSF grant for Cyber Safety Awareness.

As part of PSC’s involvement with TeraGrid, the NSF program for comprehensive distributed cyberinfrastructure, PSC staff have led TeraGrid’s working group on cyber-security, experience that contributed to development of SAFE-Net.

Recent research at PSC by CMU researchers has brought national attention to the vulnerability of personal information on the Internet: http://www.psc.edu/science/2009/privacy

About Pittsburgh Supercomputing Center:  http://www.psc.edu

The community Emergency Response Team (CERT)

Program educates people about disaster preparedness for hazards that may impact their area and trains them in basic disaster response skills, such as fire safety, light search and rescue, team organisation, and disaster medical operations. Using the training learned in the classroom and during exercises, CERT members can assist others in their neighborhood or workplace following an event when professional responders are not immediately avavilable to help. CERT members are also encouraged to support emergency response agencies by taking a more active role in emergency preparedness projects in their community.

www.citizencorps.gov/cert

Several months back all of you decided to have, in place of our December meeting, a winter social with appetizers and desserts as a great way to close 2009.  Please join us for an evening of CERT recognition and appreciation along with a recap of our Team progress thru 2009… Invite a friend or family member to join you for a fun night at the Fire Station.

First Annual Winter Get Together

December 8th, 2009

7:00pm to 9:00pm

@ Fire Station 14… 911 Granada St., Belmont

Additional details on the Activities page.

Just keeping up with the times.  For those who would rather have a tweet to tell them of blog updates or CERT news/events, go to Twitter and look for BSSCERT.  Please do not expect day-to-day updates of our activities (trust me, it’s not worth reading about)

Along that same theme, techies out there may be interested that I also set up RSS notification for this blog.  See the link on the right side.

Robb Wolf Nutrition Cert - BTB CrossFit Atlanta

Lara and I went to the nutrition cert with Robb Wolf. Rest and learn.

Two batches of photos have just been uploaded to our Shutterfly album.  The first group of photos added are from the graduation of the 2004 San Carlos CERT class. The second are those from the class taught at NDNU this past August.  Use the link at the right hand to go to the album page.  Please contact Hayman or Christy if you have other CERT related photos that you would like to contribute.

Other than all the normal merchandise I bring to every meeting, I now have an online shop set up for folks to pick and choose all sorts of products with our CERT logo on it.  Check it out here. I also have this as a link in the right side of the main blog page.

I would love to get some feedback on the store.

Here is an interesting article on the do’s and don’ts of long term water storage.

I went in with a pretty good understanding of the movements and the foundations, and came out with a clearer more defined understanding. It was great to focus on how the fundamental 9 movement were broken down into their individual progressions, and each one built upon the previous one.

• squat, front squat, and overhead squat
• press, push press and push jerk,
• dead lift, sumo dead lift and medicine ball clean

We also did some tabatas. It’s amazing how a pvc pipe can work your body and muscles after 8 hours of various movements with the darn little thing!  We finished the first day with some time with “Fran”! This all sucked pretty bad especially after a week with the swine flu… It was cool to see 50+ people all doing “fran” in different variations of scaling, quite the sight to see!

The insane pull up station

Second day we focused on the more difficult from the first day, the push jerk and the med ball clean for a bit before starting into new stuff. We learned how to teach GHD sit ups, back extension, hip extension and the back/hip extension, as well as double unders, kipping pull ups, butterfly pull ups, muscle ups and rowing. We also had a team WOD that pulled together some of the elements from the first day to break up the classroom/lecture time.

4 different working stations, it was just a running tally at each station for all 4 stations, so one person would start at SDHP while the other person was on the rest station and someone else was running, and one other was doing push ups. The person on the run would tag the rest person, and they would go to the SDHP spot and continue where the prior person left off, say they got 20 reps, the 2nd person would start at 21… and it worked that way for all stations, other than the run/rest obviously.

• SDHP (53#)
• box jump
• push up
• run (200m?)

There was the rest station because we had so many people I imagine. I didn’t spend too much time at this station as the person behind me was busting ass on the run, I can’t really talk though, I was hustling on the run also. Another thing I learned this weekend was that my Vibram Five Fingers are probably a size too big and that makes me unhappy! I really noticed it when I was ripping around a turn on the run and there was some serious lateral play, another thing I’ve noticed is the heel cup isn’t quite place properly.

Strong people are harder to kill!

Overall it was very helpful, I enjoyed the lecture sessions on all the various topics, nutrition, zone, paleo etc. Programming basics, how not to kill your clients and scaling, and the humor of the staff was great. I especially loved sitting down for 45 minutes immediately after tabata squats!  Thanks to Chuck, Jon, Lance, Nadia, Joe, Joe and Big Mike and of course Gale from CrossFit Strong in Dallas. That box is incredible, 18,000 sq. ft. CrossFit heaven!

I will take this information and apply it to myself and my training to become a better athlete and a better CrossFitter. I will also be more than happy to help anyone with questions or anything.

The next big event is possibly the competition in Dallas, December 12th, and definitely the Kettlebell Cert at Bayou City December 5th & 6th.

this Saturday November 7th.  If you are a CERT member who missed the final skills/hands-on day, a local department has 3 slots available this weekend. Please contact Christy at (650) 802-4254 or email christya@bscfd.org for more details.

TUESDAY DECEMBER 8th, 7pm, Fire Station 14….. FIRST ANNUAL CERT APPRECIATION NIGHT…. JOIN US FOR APPETIZERS, AWARDS AND DESSERT…. MORE INFORMATION TO FOLLOW.

Thank you to all who responded to the request last Friday for your assistance via the SMCAlert system. This was the second request this year for emergency CERT assistance, with that, we continue to learn and grow our team continues to advance in many ways. If you are a long standing CERT member and do not have an ID card, you encouraged to attend a meeting to start the process to get an ID Card, and to complete the paperwork covering you as a Disaster Service Worker.  All of this is very important for your safety, well being and the safety of others and our TEAM.

A reminder to all members, as you respond to a CERT Activation/call out, please remember to bring your CERT equipment, ID card and your CERT Vest.  All of these items allow first responders and the general public to identify you as a CERT Volunteer.  If you are not signed up for SMCAlert and would like to receive emergency CERT activations/call outs, click the link at the right and sign up now.

i was unable to install some applications due to certificate errors and protected errors but, now i am able to install them thanks to opda-cn …
i was exhausted with all the methods and trick that i could find, like using hello ox hack method- well it itself required to be signed first, then hard resetting the phone with *#7370*-i only lost my contacts, no use either. i was reluctant first to try opda-cn first so went to www.s60cerkey.com for the certificate and key. i got it well, downloaded but, it didnt work. so finally registered myself in opda-cn and applied for the cer/key. and i am happy now, thank you.

if you are having similar problems like i did, then do this
1. first goto

http://cer.opda.cn/en/index.php

2. register
3. then apply for the cer/key
4. wait for a day ie 24hrs.
5. download signinig tools, etc
6. after 24hrs get the cer/key and then sing your apps using the signing tool for your pc or you can get the freesigner app and sign it in your phone
or you can sign it through the web signing tool ie online(i did this method, cos i couldnt wait a moment)

finally i signed my symtorrent, virtual keyboard apps to start with.

once again thanks to: http://cer.opda.cn/en/index.php

On Friday (10/30) afternoon, a notification from Belmont PD went out via SMC Alert requesting CERT assistance with a missing persons case. An elderly woman with dementia was reported missing in the Hallmark neighborhood in Belmont.   Eleven CERT members from several cities responded and showed up at the Command Center established at Fox Elementary School.

Fliers were provided, instructions given, and radio call sign (Tango-2) issued. We were just about to head out when the police radios transmitted the good news that the woman was safe and had been located nearby.

This turned out to be a really good dress rehearsal of how to respond to an alert, and on how best to equip for a missing persons search.

Some tips:

• Be sure to have a jacket since this late afternoon alert would probably have run well past sunset.
• Bring water
• Large flashlight suitable for outdoors use
• Good walking shoes
• Walking poles would be helping for uneven terrain and searching thru brush

Thanks to all the BSC CERT’s who responded.  A few photos from this have been posted to our CERT photo album.

Prima di tutto diciamo che è un software a scopo dimostrativo …ecco il Disinformatico di oggi spiega il funzionamento

Il CERT (Computer Emergency Response Team) statunitense, uno dei più stimati enti di sicurezza informatica, ha segnalato la disponibilità di PhoneSnoop, un programma che, installato sul telefonino BlackBerry della vittima, permette all’aggressore di chiamare il cellulare della vittima e attivarne il microfono per ascoltare a distanza quello che succede in prossimità dell’apparecchio…

clicca qui per continuare

Thanks Luca – PMFriends

Ogni venerdì ore 11: Il Disinformatico, programma settimanale in diretta di musica, caccia alle bufale e notiziole d’informatica. Il programma è ricevibile in diretta in streaming (Real Audio) qui e scaricabile in differita come podcast

Fonte:Disinformatico

Hayman will have the following items available for sale at tonight’s meeting after the training.  Quantities are limited on some items!!

•  CERT caps $11 ea
•  LED Glow sticks $4
•  CERT lapel pins $4
•  LED flashlights $3.25

Some factory seconds of white BSC CERT T-shirts will also be available for $5 (2, size: L). Hope to see everyone there!

What are the valid return values for the following code: (select all that apply)

SELECT IS_MEMBER('DOMAIN\SuperUsers')

By Britt Cluff

Answer:

• 1
• 0
• NULL

Explanation: The IS_MEMBER() function returns an INT datatype and a NULL if either the group or role is invalid.

Reference: IS_MEMBER