sorinmustaca.com – Sorin Mustaca – personal blog. Security software, agile development, scrum, programming and more

Finally, officially CSSLP certified

17.05.2012 (4:01 pm) – Filed under: Uncategorized

(ISC)2 requires that a candidate meets some requirements before he/she receives the right to call himself/herself (ISC)2 certified.

 

 


Receiving the (ISC)² credential is a several-step process:

  1. Required Experience – possessing the required number of years for the appropriate credential
  2. Study – taking advantage of the educational materials (ISC)² makes available for you to review and refresh your knowledge before taking the credential examination
  3. Application – validating your education and/or experience
  4. Examination – sitting and passing the appropriate exam
  5. Code of Ethics – committing to and abiding by principles and guidelines set forth by (ISC)²
  6. Endorsement Process – attesting to your eligibility requirements
After that you get:

 

Maintaining your membership requires the following:

  • Remain in Good Standing - to remain in good standing as a member of (ISC)² a credential holder must abide by the (ISC)² Code of Ethics
  • Earn Continuing Professional Education Credits (CPEs) - Credential holders must earn the minimum number of Continuing Professional Education credits (CPEs) annually during each year of the three-year certification cycle. Although members may earn more than the minimum number of CPE credits required for credential maintenance for the three-year cycle, they are still required to earn and submit the minimum annual number to maintain their certification in “good standing.”
  • Pay Annual Maintenance Fees (AMFs) - Payment of Annual Maintenance Fees (AMFs) ensures that the organization has the necessary financial resources to maintain member records, ensures certification continues to meet the needs and requirements of the market, and ensures that the organization will continue to be a functional, dynamic entity far into the future.

 

 

Never forget that as soon as any information is published on a public website, it doesn’t actually belong to you anymore

03.05.2012 (7:59 am) – Filed under: News,quoted

Avira Survey Finds Computer Users Don’t Feel Safe on Social Media Sites

“This survey was very interesting because it demonstrated that even though social media sites are very popular among the general population, computer users from all over the world have the same concerns,” said Sorin Mustaca, data security expert at Avira. “They are wary of the safety of their personal information when it’s disseminated across social media sites. In order to use social media sites without being afraid of having your data misused, I strongly advise not storing private data on these websites. Never forget that as soon as any information is published on a public website, it doesn’t actually belong to you anymore,” he added.

Read more here:

Expert Offers Tips on How to Clean Up a Computer – Softpedia.com

26.04.2012 (7:54 am) – Filed under: quoted,security

Softpedia republished my TechBlog article “Spring cleaning your computer” as a new article.

This is the original:  Spring cleaning your computer

This is the new article:  Expert Offers Tips on How to Clean Up a Computer

 

How to exhaust the space on any online backup system

29.03.2012 (8:57 pm) – Filed under: News

Check the other article I wrote about Dropbox.

While playing with mklink, I made the mistake of trying something new:

mklink /D S t:\S

Remember that the Dropbox folder was located in T:\S\.

So, basically I created a circular reference… and this is what happened:

 

This is what was transferred until I stopped the Dropbox program, after receiving errors that I had run out of space:

Apparently, Dropbox doesn’t have any kind of loop detection.

I will let them know that…
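What a sync client would need in order not to fall into this trap, as an added example (this is not Dropbox’s code and not from the original post): a directory walk that follows symlinked folders, as mklink /D ones are, but refuses to enter a directory whose resolved real path is already an ancestor of the current path. The demo tree is constructed under a temporary directory as a stand-in for the TrueCrypt volume T:, using the layout from this post and from the Dropbox symlink post further down the page; the file names in it are made up.

```python
import os
import tempfile
from pathlib import Path


def walk_following_symlinks(root):
    """Walk `root` the way a sync client does, descending into symlinked
    directories, but never enter a directory that is already an ancestor of
    the current path (compared by resolved real path).

    Returns (files, loops): `files` lists every regular file reached, `loops`
    lists (path_that_would_recurse, real_target) pairs that were skipped.
    """
    files, loops = [], []

    def visit(directory, ancestors):
        # Resolve symlinks so that T:\S\Dropbox\S and T:\S compare equal.
        ancestors = ancestors | {os.path.realpath(directory)}
        with os.scandir(directory) as it:
            for entry in sorted(it, key=lambda e: e.name):
                if entry.is_dir(follow_symlinks=True):
                    target = os.path.realpath(entry.path)
                    if target in ancestors:
                        # Entering here would repeat an ancestor forever.
                        loops.append((entry.path, target))
                    else:
                        visit(entry.path, ancestors)
                elif entry.is_file(follow_symlinks=True):
                    files.append(entry.path)

    visit(os.fspath(root), frozenset())
    return files, loops


def build_demo_tree():
    """Constructed stand-in for the post's layout (hypothetical paths under a
    temporary directory instead of the TrueCrypt volume T:): folders S, P and
    N, the Dropbox folder at S/Dropbox, the symlinks P and N inside it from
    the Dropbox symlink post further down the page, and the mistaken
    symlink S -> T/S from this post. Returns the Dropbox folder path."""
    t = Path(tempfile.mkdtemp(prefix="T_"))
    dropbox = t / "S" / "Dropbox"
    for folder in (dropbox, t / "P", t / "N"):
        folder.mkdir(parents=True)
    (dropbox / "readme.txt").write_text("kept in Dropbox itself\n")
    (t / "P" / "photos.txt").write_text("constructed sample file\n")
    (t / "N" / "notes.txt").write_text("constructed sample file\n")
    # mklink /D P t:\P  and  mklink /D N t:\N  (the intended backups)
    os.symlink(t / "P", dropbox / "P", target_is_directory=True)
    os.symlink(t / "N", dropbox / "N", target_is_directory=True)
    # mklink /D S t:\S  (the circular reference)
    os.symlink(t / "S", dropbox / "S", target_is_directory=True)
    return dropbox


if __name__ == "__main__":
    files, loops = walk_following_symlinks(build_demo_tree())
    print(len(files), "files;", len(loops), "loop(s) skipped:", loops)
```

The walk reaches the three real files once and records exactly one skipped loop, at Dropbox/S/Dropbox, instead of copying Dropbox/S/Dropbox/S/Dropbox/… until the quota is gone. Comparing resolved paths only along the current ancestor chain is deliberate: two symlinks that point at the same directory from different branches are still both followed, so P and N keep working.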

 

Dropbox: How to backup other folders than the default Dropbox

29.03.2012 (8:32 pm) – Filed under: General

I recently tested a couple of online backup solutions and one of them was Dropbox.

If you know the system, you know also that Dropbox requires the user to choose a folder which will be synchronized in the cloud.

That folder is called “Dropbox” and can’t be changed.

I wanted to back up a couple of folders which I have on my TrueCrypt partition, but I didn’t want to move them into the Dropbox folder in order to have them synchronized with the cloud. For that, I created symlinks with the “mklink” command:

cd t:\S\Dropbox

mklink /D name directory_source

 

My TrueCrypt partition is T:, and in it are the folder S together with the folders P and N which I wanted to back up.

I added the symlinks to P and N in the folder S.

mklink /D P t:\P

mklink /D N t:\N

Dropbox sensed that immediately and started to synchronize.

So far so good…

There is a catch:

If you sync another computer with the same Dropbox account, you will have the problem that the folders N and P appear to be in folder S. You can change this by selecting what to synchronize in Dropbox.

 

Certified Secure Software Lifecycle Professional exam passed

04.03.2012 (10:37 am) – Filed under: security

So, it is over… I finally managed to take the exam, and I passed it.

Let’s see how I did it:

 

Study materials

Official (ISC)² Guide to the CSSLP ((ISC)² Press) by Mano Paul

(about 500 useful pages)

The CSSLP Prep Guide: Mastering the Certified Secure Software Lifecycle Professional by Ronald L. Krutz and Alexander J. Fry (John Wiley & Sons)

(about 600 useful pages)

 

I bought both of them only because the second has tests. But I was disappointed because the same tests are in the book in printed form. Of course, with answers. And of a questionable quality. But, nevertheless, better than nothing.

 

Which one is better ?

I don’t know… none of them would make a difference in passing the exam if you don’t have what it takes: min. 4 years experience in software development.

The two books mentioned covered the chapters in two different ways:

- the first one is more like a story about the topics required by the exam

- the second one is very technical and descriptive. It is like a conclusion of the first one.

Study time

With interruptions, I started in December 2011 and studied about 3-4 times per week, in the evenings and at weekends.

So, this makes about 3.5 months of study time.

 

 

The exam

Probably the toughest exam I’ve had so far…

It doesn’t have much to do with the theory I read. It has to do with experience, and that is a good thing.

(ISC)² requires a minimum of 4 years of experience in order to be allowed to take the exam.

You need experience in

- Software development

- Managing software development

- Security – here the CompTIA Security+ certification helped a lot

- Testing

- Planning software development – here the CompTIA Project+ certification helped a lot

- Designing software

- Software architectures

- Auditing

 

Without previous experience in these areas, you have no chance… because the books only touch on the subjects.

 

What is required by the certification

The Candidate Information Bulletin specifies quite clearly what is expected.

 

 

Next steps

I need an endorsement from an (ISC)² professional who vouches for certain aspects.

Everything is well documented, I don’t expect any problems here.

 

 

Quoted in the Networkworld.com because of the DNSChanger malware

25.01.2012 (9:18 am) – Filed under: quoted,security

http://www.networkworld.com/news/2012/012412-authorities-prepare-to-close-down-255242.html?hpg1=bn

 

“If your computer was infected at some point in time and it was using one of the DNS servers which are now controlled by FBI, after March 8, it will no longer be able to make any DNS requests through these servers,” Avira product manager and data security expert Sorin Mustaca said in a blog post. “In layman’s terms, you will no longer be able to browse the web, read emails and do everything you usually do on Internet.”

 

 

Article written in the Techblog on Monday, 23.1.2012; question from the journalist sent on Tuesday with a deadline of one hour (or less); article published the same day.

I love online media :)

 

How to check if your DNS Server was hacked

24.01.2012 (9:16 am) – Filed under: News,security

Post initially published in Avira Techblog.

You must have already heard about the “famous” DNSChanger malware, which manipulates the DNS settings of the computer in order to silently direct users to malicious websites.

The FBI and others took action against this malware and in November 2011 managed to take down the botnet. According to the FBI, more than 4 million computers were affected world-wide. The thieves manipulated DNS entries in order to block antivirus programs and the operating system from updating, delivering this way even more malware onto users’ computers. The DNSChanger malware was also used to redirect users to rogue servers controlled by the fraudsters, allowing them to control users’ web activity and generate income through online advertising. When the FBI shut down the botnet, they also replaced the servers which were directing to malicious domains with valid DNS servers.

So, if the botnet is shut down why all this trouble?

FBI will deactivate those new valid DNS servers on March 8, 2012.

If your computer was infected at some point in time and it was using one of the DNS servers which are now controlled by the FBI, after March 8 it will no longer be able to make any DNS requests through these servers. In layman’s terms, you will no longer be able to browse the web, read emails or do anything else you usually do on the Internet. So, it is mandatory that the DNS settings of the computer are restored to their original state.

After an infection with the DNSChanger malware, until now the settings had to be restored manually. Here are tutorials in German and in English.

With the Avira DNS-Repair tool released (press release in German only) on Friday, January 20, you can revert to the default Windows settings with only a few clicks.

You can download the tool free of charge from the Avira Support’s Knowledge Base website in German and in English.

Avira also cooperated with the German Federal Office for Information Security (BSI) and published the tool on the special website created to check whether DNS requests are made to the right places: www.DNS-OK.de. Note that on this website you see the link to the Avira DNS-Repair-Tool only if it is detected that your system is affected by the malware.
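The manual version of the check this post is about, as an added example (not the Avira DNS-Repair tool and not code from the original post): read the resolver list out of `ipconfig /all` output or a Unix /etc/resolv.conf and compare each address against the rogue resolver ranges the FBI published for this botnet. The range list comes from that public advisory, not from the post; the two sample configurations below are constructed.

```python
import ipaddress
import re

# The rogue resolver ranges published by the FBI / DNSChanger Working Group
# for this botnet, written as CIDR blocks. Not listed in the post above.
ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def dns_servers_from_ipconfig(text):
    """Pull the DNS server addresses out of `ipconfig /all` output.

    A field line looks like "DNS Servers . . . : 1.2.3.4"; further servers
    continue on indented lines that carry only an address, so keep reading
    until the next field line or a blank line. IPv6 entries are ignored
    (the rogue ranges are IPv4)."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if not line.strip():
            in_dns = False
        elif " : " in line:                       # "Label . . . : value"
            in_dns = line.lstrip().startswith("DNS Servers")
            if in_dns:
                servers += IPV4_RE.findall(line.split(" : ", 1)[1])
        elif in_dns:                              # continuation of the value
            servers += IPV4_RE.findall(line)
    return servers


def dns_servers_from_resolv_conf(text):
    """Same thing for a Unix /etc/resolv.conf."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)


def rogue_servers(servers):
    """Return the entries that fall inside a known DNSChanger range.
    Anything that is not a valid IP address is skipped, not reported."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue
        if any(addr in net for net in ROGUE_DNS_RANGES):
            hits.append(server)
    return hits


# Constructed sample output of `ipconfig /all` on an affected machine: the
# primary resolver was rewritten by the malware, the secondary is the router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : workstation

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample /etc/resolv.conf with one rogue resolver.
SAMPLE_RESOLV_CONF = """\
nameserver 93.188.160.5
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for name, servers in (("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
                          ("resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF))):
        bad = rogue_servers(servers)
        print(f"{name}: {servers} -> {'ROGUE ' + str(bad) if bad else 'clean'}")
```

On the machine to be checked, save `ipconfig /all > dns.txt` and feed the file to dns_servers_from_ipconfig. The malware also rewrote the DNS entries of home routers that still had their default admin password, so the router’s DNS configuration deserves the same check: a clean PC behind a hijacked router still resolves through the rogue servers.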

 

RSYNC Daemon on Fujitsu Siemens SBLAN2 (NextFW version)

05.01.2012 (7:57 pm) – Filed under: News,security

 

If you own such a device, then the first thing you do with it is to upgrade its firmware to NextFW.

The Support forum of Fujitsu-Siemens is full of useful How-Tos which help you reach your goal.

 

 

After you’ve done that, you may want to enable the rsync daemon. With a running rsync service you basically have your own private online backup service.

This is at least what I tried to achieve. But it is tricky to make it run correctly.

Read here about the rsync utility and here about the rsync daemon (aka rsyncd).

 

Here is how I configured it so that it works also on Windows:

amsadmin# cat /etc/rsyncd.conf
lock file = /var/run/rsyncd.lock
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
# no chroot: the daemon relies on rsync's own path sanitizing instead of the
# kernel confining it to the module directory; chroot needs the daemon to be
# started as root, so set this to yes if the start script allows it
use chroot = no
#max verbosity = 1
# uid/gid the daemon switches to for file access inside the module
gid = wheel
uid = amsadmin

[backup]
path = /mnt/home/storage/backup
comment = bck export area for storage
# daemon-mode auth: user and password from the secrets file. The password is
# not sent in the clear, but the transferred file data is; keep this on the
# LAN or tunnel it over SSH
auth users = amsadmin
# plain-text user:password file; with strict modes (the default) rsync rejects
# the login if the file is readable by anyone but the user the daemon runs as
secrets file = /mnt/.zap/etc/rsyncd.secrets
# clients may upload (push backups) but not download from this module
read only = no
write only = yes
# module name shows up in "rsync host::" listings
list = yes

Make sure you create symlinks to /etc/rsyncd.conf and /etc/rsyncd.secrets:

 

# ln -s /mnt/.zap/etc/rsync.conf /etc/rsyncd.conf

# ln -s /mnt/.zap/etc/rsync.secrets /etc/rsyncd.secrets

 

The file rsyncd.secrets is a standard plain text file containing something like:

user:password

 

Make sure you symlink rsync.sh from /mnt/.zap/etc/rc.d/rsync.sh to /mnt/.zap/etc/rc0.d/rsync.sh

 # ln -s /mnt/.zap/etc/rc.d/rsync.sh /mnt/.zap/etc/rc0.d/rsync.sh

 

Then restart and it will do the job.

 

If you wonder where you should get rsync on Windows, then think of Cygwin.

This is how I use rsync.exe to backup my T drive:

rsync.exe -urtav --ignore-errors --exclude=outlook --exclude=RECYCLER --exclude='$RECYCLE.BIN' --exclude='System Volume Information' --delete /cygdrive/T amsadmin@sblan2::backup/

($RECYCLE.BIN is single-quoted so that the Cygwin shell does not expand $RECYCLE as an empty variable and turn the exclude into “.BIN”.)

 

Let me know if I can be of any help.

 

9 Things That Motivate Employees More Than Money (guest post)

06.12.2011 (9:02 am) – Filed under: News

Original post: http://www.inc.com/ilya-pozin/9-things-that-motivate-employees-more-than-money.html (Author: Ilya Pozin)

 

 

Be generous with praise. Everyone wants it and it’s one of the easiest things to give. Plus, praise from the CEO goes a lot farther than you might think. Praise every improvement that you see your team members make. Once you’re comfortable delivering praise one-on-one to an employee, try praising them in front of others.  

 

Get rid of the managers. Projects without project managers? That doesn’t seem right! Try it. Removing the project lead or supervisor and empowering your staff to work together as a team rather than everyone reporting to one individual can do wonders. Think about it. What’s worse than letting your supervisor down? Letting your team down! Allowing people to work together as a team, on an equal level with their co-workers, will often produce better projects faster. People will come in early, stay late, and devote more of their energy to solving problems.  

 

Make your ideas theirs. People hate being told what to do. Instead of telling people what you want done; ask them in a way that will make them feel like they came up with the idea. “I’d like you to do it this way” turns into “Do you think it’s a good idea if we do it this way?”  

 

Never criticize or correct. No one, and I mean no one, wants to hear that they did something wrong. If you’re looking for a de-motivator, this is it. Try an indirect approach to get people to improve, learn from their mistakes, and fix them. Ask, “Was that the best way to approach the problem? Why not? Have any ideas on what you could have done differently?” Then you’re having a conversation and talking through solutions, not pointing a finger.  

 

Make everyone a leader. Highlight your top performers’ strengths and let them know that because of their excellence, you want them to be the example for others. You’ll set the bar high and they’ll be motivated to live up to their reputation as a leader.  

 

Take an employee to lunch once a week. Surprise them. Don’t make an announcement that you’re establishing a new policy. Literally walk up to one of your employees, and invite them to lunch with you. It’s an easy way to remind them that you notice and appreciate their work.  

 

Give recognition and small rewards. These two things come in many forms: Give a shout out to someone in a company meeting for what she has accomplished. Run contests or internal games and keep track of the results on a whiteboard that everyone can see. Tangible awards that don’t break the bank can work too. Try things like dinner, trophies, spa services, and plaques. 

 

Throw company parties. Doing things as a group can go a long way. Have a company picnic. Organize birthday parties. Hold a happy hour. Don’t just wait until the holidays to do a company activity; organize events throughout the year to remind your staff that you’re all in it together. 

 

Share the rewards—and the pain. When your company does well, celebrate. This is the best time to let everyone know that you’re thankful for their hard work. Go out of your way to show how far you will go when people help your company succeed. If there are disappointments, share those too. If you expect high performance, your team deserves to know where the company stands. Be honest and transparent.