Tech

Completed Master of Science, Information Security and Assurance

Edward — Wed, 28 Jan 2015 19:48:02 +0000

Completed Master of Science, Information Security and Assurance Edward Wed, 01/28/2015 - 11:48

If you have been following my website, which you probably haven't since I don't update often enough to keep it interesting, but anyway; I started to go back to school to get my Bachelors of Science degree in 2011. When I started I knew that the B.S. should only be the beginning, after all, I had been in the technology industry and career field for 18 years. So my intent was to complete the B.S. and go directly into an advanced degree. When I completed the first degree 17 months later in 2013, I wasn't sure which direction to go. I was trying to determine if I should move towards a MS in InfoSec, a PhD in InfoSec, or some other degree. I ended up moving towards the "Masters of Science in Information Security and Assurance" with the intent on adding something like an MBA later.

So here it is, January 2015, I completed the "Masters of Science in Information Security and Assurance" degree program and graduated in October 2014. And I'm wondering what I should do next. And lately I've been contemplating Law or Business degrees. I could easily continue to go to Western Governors University for an MBA and likely not have to take a GMAT test. Or I can try and get into one of the Brick and Mortar schools in the area such a Berkeley, Stanford, Santa Clara, etc. by scoring high on a GMAT.

Or the other path I am considering as mentioned is a Juris Doctorate (JD) degree. Those same local schools have law programs as well, so I could study for and take an LSAT test to see if that may be an appropriate path. For the law school option, there is a similar path I could take to the one I took with WGU, and that would be to attend the Concord Law School by Kaplan University. Since I have proven that online school works for me and I live and work in Caliifornia, this is an option.

What do others think?

SQL Injection protection and detection, SANS GCIH Class

Edward — Fri, 03 Aug 2012 06:13:06 +0000

SQL Injection protection and detection, SANS GCIH Class Edward Thu, 08/02/2012 - 23:13

Today was day 4 of the GCIH course being taught by Mark Baggett. Things are going great and I'm learning stuff, I today we discussed SQL injection and cross site scripting.

Regarding prevention, the training it states to perform input checking and disallow/block the user from entering symbols or specials characters such the apostrophe (') or the semi-colon (;) or the percent (%), etc.

This bothers me a bit, while input validation and checking really is key and probably the most important aspect to prevent SQL injection from affecting you, my problem is with the preventing the use of these symbols. If these symbols are blocked, your users can't use words like can't. Also, say you're using this sort of validation / blocking on passwords; then you just restricted the passwords that a person can use.

I do a bunch of coding in PHP, and when I was learning how to protect the websites I was writing, the material I used to stated to use string escaping and functions such as mysql_real_escape_string().

Mark mentioned parameterization, I didn't see this mentioned the course material. (although I didn't look closely).

I believe this is the best way to prevent your user's input from affecting your SQL query. For example, if you are going to ask a database to verify a username password, the old method would be to construct your query something alone the lines like:

SELECT * FROM databse.table WHERE username = '$USERNAME' and password = '$PASSWORD'

This is a classic query that can be injected if you pass the variables in this way, such as passing:

Username: Password:

This turnes the query into:

SELECT * FROM database.table WHERE username = '' OR uid = 1; -- #' and password = 'password';

Which would return the values for the user with id of 1, typically the administrative user; of course this is just an example. The idea of parameterization, also known as using bind-variables is that the user input is not sent to the database in the same place as the SQL statement. Instead you set your query up such as:

SELECT * FROM database.table WHERE username = ? and password = ?

Then you pass the variables in later with a bind-variable and execute statement. With this format, you can pass just about, if not all variables and the statement doesn't change because it's already set in the database.

In php, this would look like:

<?php
$query = "SELECT * FROM database.table WHERE username = ? and password = ?";
$results = array();
if ($sth = $dbh->prepare($query)) {
    $sth->bind_param('ss', $_POST['username'], $_POST['password']);
    $sth->bind_result($results);
    $sth->execute();
    while($sth->fetch()) {
        $result_count++;
        print var_dump($results) . "\n";
    }
}
?>

This turns uses mysqli, other languages may do this similarly, but the important part is in the query, not in the php code.

The class is not a programming class, and Mark did mention this as a way to protect against SQL injection. My main concern with the instruction to filter input such as apostrophes is that this type of recommendation comes from security vendors, and looking for apostrophes in user inputs such as with a web application firewall will produce a lot of false positives. The biggest is the use of apostrophes to show possession or when used in a contraction.

Having your security software alert every time a user's post contains an apostrophe without checking for other artifacts of an injection attempt is going to flood your logs and make you miss a real attempt.

As for the class, I'm having fun and learning things. Mark is doing a great job of keeping things interesting and making things relevant by providing real world anecdotal accounts that the class can relate to. I learned how the buffer overflows actually happen in the processor, which I knew how they can over flow a buffer, but not how that could cause code to execute, now I do. I'm looking forward to Saturday for the capture the flag portion.

Passed my Cisco CCNA for my Degree (SAN GCIH coming)

Edward — Fri, 27 Jul 2012 18:47:06 +0000

Passed my Cisco CCNA for my Degree (SAN GCIH coming) Edward Fri, 07/27/2012 - 11:47

It's been a bit longer than I anticipated in obtaining this certification, and I learned or re-learned way more about some networking items I will likely never use again, and/or haven't used in years such as information regard hubs. Reminds me of the 10base5 or 4wireE&M telephone signaling that I studied while in the Air Force and never used while I was there or since.

Do they even still make or use hubs? (I know that some companies still have/use them) but why when you can buy a 100Mb workgroup switch for under $15?

On to more school work, glad to have that behind me, still have one more Cisco test to take, the Cisco 640-553 IINS exam. But in the meantime, next week I'm going to SANS Institute and taking the GCIH course.

Words with friends - Android

Edward — Mon, 14 Feb 2011 18:54:49 +0000

Words with friends - Android Edward Mon, 02/14/2011 - 10:54

I used to have an iPhone, and would play this game with friends and strangers as well as my wife. Back in September, I switched to the Samsung Captivate Android based platform, and this is the only app that I wish was ported when I switched. There was an announcement that the app would be coming to the Android platform.

Well, my wait is finally over. I just installed "Words with Friends Free" from the Android market published by Zynga with friends.

If you would like to play a Scrabble type game with me, I believe my username is KrYPt0. It's been over 200 days since I played my last game on the iPhone