<feed xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
    <title>Rishi Pande</title>
    <link rel="self" type="application/xml" href="http://geekswithblogs.net/rishi/Atom.aspx" />
    <subtitle type="html">Me, Myself and my obsessions</subtitle>
    <id>http://geekswithblogs.net/rishi/Default.aspx</id>
    <author>
        <name>Rishi Pande</name>
        <uri>http://geekswithblogs.net/rishi/Default.aspx</uri>
    </author>
    <generator uri="http://subtextproject.com" version="Subtext Version 0.0.0.0">Subtext</generator>
    <updated>2006-09-17T16:38:00Z</updated>
    <entry>
        <title>passing the CISSP</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/08/17/88331.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/08/17/88331.aspx</id>
        <published>2006-08-17T19:05:00-05:00:00</published>
        <updated>2006-09-17T16:38:00Z</updated>
        <content type="html">I heard earlier this morning that I finally passed my CISSP. I am going to outline a few of the strategies that I used and followed while studying hoping that it may help someone.&lt;br&gt;
&lt;p&gt;
First off, a disclaimer: I DO NOT KNOW ANYTHING MORE ABOUT THE CISSP THAN OTHERS WOULD! IF YOU FOLLOW THESE STRATEGIES THERE IS NO GUARANTEE THAT YOU WILL PASS. THIS IS JUST A RECOUNT OF HOW I STUDIED. NOTHING MORE, NOTHING LESS!!! &lt;br&gt;
&lt;p&gt;
I started studying for the CISSP about 4 months in advance. Nothing too heavy, about two hours a day and 6 hours on the weekend. During the entire time that I studied for the CISSP, I worked (50-60 hour weeks), ate out, partied, watched movies, etc., i.e. I led a normal life while studying. &lt;br&gt;
&lt;p&gt;
First, let me tackle the question asked most often - did I attend an ISC2 seminar? The answer is yes and I found it useful. Not so much from a knowledge standpoint but more so from a strategy standpoint. I am not going to discuss the strategies discussed in the course because that is the 'secret sauce' for ISC2 and I cannot divulge that information. While I believe the course is useful, I also think that you can pass the exam without attending the course. This depends more on the individual themselves.&lt;br&gt; 
&lt;p&gt;
Arright now for my strategies:&lt;br&gt;
&lt;p&gt;
1) &lt;b&gt;The 80/20 rule&lt;/b&gt;: There is always a discussion of how deep someone's knowledge about a certain subject should be while studying for the CISSP. I would argue that I spent 80% of my time learning the breadth rather than the depth of a subject. So for ex. if I had to choose between understanding the basics of the GLBA versus learning the details of implementations for HIPAA I would choose the former rather than the latter.&lt;br&gt;
&lt;p&gt;
2) &lt;b&gt;Subject concentration&lt;/b&gt;: Though there is no exact indication of the concentration for the CISSP exam, I believe that all the subjects other than 'Law, Investigations and Ethics' and 'Physical security' are more important. I took about half the time I took to study the other topics.&lt;br&gt;
&lt;p&gt;
3) &lt;b&gt;Materials&lt;/b&gt;: I felt that materials from the ISC2 guide, the Shon Harris book and the Krutz and Vines book were all very important. I spent a significant amount of my time studying at Barnes &amp; Noble and Borders precisely for this reason. I would also like to say that the Advanced questions at the back of every chapter in the Krutz and Vines book were really good. The questions covered matter that I did not see covered anywhere else. Though I did not see any of those questions on the exam itself, it egged me on to study topics not covered in any of the books.&lt;br&gt;
&lt;p&gt;
4) &lt;b&gt;The Bible&lt;/b&gt;: Ok, so it is not really the bible but the notes from  is a condensed version of the Krutz and Vines book and also other references. I found these notes to be a very good resource. I kept reading it over and over and over again.&lt;br&gt;
&lt;p&gt;
5) &lt;b&gt;&lt;a href="www.cccure.org"&gt;CCCure&lt;/a&gt;&lt;/b&gt;: This site by Clement Dupuis is a good hangout for everyone studying for the CISSP and the message boards have prompt, in-depth and well thought out responses. The question engine also gives you a feel for the type of questions on the real exam.&lt;br&gt;
&lt;p&gt;
6) &lt;b&gt;25 questions&lt;/b&gt;: I believe that every huge project can be broken down into a series of smaller equal parts. So I basically broke down the entire question set of 250 questions into 10 sets of 25 questions. I treated each set of 25 questions as an exam itself. This also allowed me to know how I was doing on time and allowed me to take a break pretty much every half hour and fill in the bubbles. &lt;br&gt;
&lt;p&gt;
7) &lt;b&gt;Time&lt;/b&gt;: Take all the time in the world you want. I left the exam hall after 5 hours and 50 minutes. I was the last one out but I had enough time to take two bathroom breaks (every two hours) and a small water break every half hour. I did not hurry myself into choosing an answer or get tired or tensed up while taking the exam.&lt;br&gt;
&lt;p&gt;&lt;p&gt;
That's all that I can think of for now. I hope this helps someone pass their CISSP. Good luck!</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/88331.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/88331.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/88331.aspx</trackback:ping>
    </entry>
    <entry>
        <title>upgraded to Ubuntu</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/07/02/83885.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/07/02/83885.aspx</id>
        <published>2006-07-02T16:52:00-05:00:00</published>
        <updated>2006-08-17T18:25:00Z</updated>
        <content type="html">My new Dell XPS laptop was frustrating me because of the Windows XP Media installed on it. It just came with too much crap that I could not put up with any longer after three months. At the same time, I needed some of my Windows functionality to work from home. &lt;br&gt;
I just installed Ubuntu on my dearest laptop. So far, so good. It detected my internal wireless card and even connected to my 802.1x network. Now the big challenge of the night is going to be getting VMware to run correctly and load an XP image on that thing. Will keep you posted.

Additional notes:&lt;br&gt;
The OS seems to work fine most of the time. Here are some additional things that I noticed:&lt;br&gt;&lt;p&gt;
1) Video (and by that I mean wmf and other windows media files) doesn't really work that well in Ubuntu. Some media plays but it is very iffy. If you load XP in a VMware instance it works but the video moves extremely slowly and there is no sound.&lt;br&gt;
2) Sometimes my computer hangs up on startup. I am not sure what the problem can be attributed to. I think it may be due to my Dell XPS M160 laptop.&lt;br&gt;
Other than that everything else works fine.&lt;br&gt;</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/83885.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/83885.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/83885.aspx</trackback:ping>
    </entry>
    <entry>
        <title>SSL certificates and poor implementations</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/04/03/74172.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/04/03/74172.aspx</id>
        <published>2006-04-03T09:47:00-05:00:00</published>
        <updated>2006-06-20T19:04:00Z</updated>
        <content type="html">We all know what an SSL cert is, right? Well then why are most certs so poorly implemented? I think the problem lies with most system administrators getting the cert at the last minute (when users report seeing an expired cert on the site) and sticking it in. Often though, several weak ciphers are allowed. I assume that everything below 128 bit encryption is a weak cipher (and hopefully you do too).&lt;br&gt;
Anyways, here are a few tools to check how the SSL encryption of your site looks to hackers:
&lt;ul&gt;&lt;li&gt;&lt;a href="http://serversniff.net"&gt;ServerSniff&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.foundstone.com"&gt;SSLDigger&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;br&gt;&lt;br&gt;
Good luck! And have fun!&lt;br&gt;
Oh and if you want to check out the remediation for this, here are some links courtesy of Dimitrios Petropoulos (on the owasp list):&lt;br&gt;
IIS:&lt;br&gt;
http://support.microsoft.com/?kbid=245030&lt;br&gt;
http://support.microsoft.com/default.aspx?scid=kb;en-us;187498&lt;br&gt;
&lt;br&gt;
Apache: &lt;br&gt;
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite&lt;br&gt;
&lt;br&gt;
IBM HTTP Server: &lt;br&gt;
http://www-306.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9acdssl.htm (look for SSLVersion and SSLCipherSpec)&lt;br&gt;
&lt;br&gt;
iPlanet v6: &lt;br&gt;
http://docs.sun.com/source/816-5682-10/esecurty.htm#1008479</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/74172.aspx</wfw:comment>
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/74172.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/74172.aspx</trackback:ping>
    </entry>
    <entry>
        <title>localstart.asp</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/04/09/74672.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/04/09/74672.aspx</id>
        <published>2006-04-09T13:38:00-05:00:00</published>
        <updated>2006-04-30T14:28:00Z</updated>
        <content type="html">Localstart.asp is a default page on IIS installations. This page is protected by IIS using basic authentication. The problem with this is that if I am able to bruteforce the password, I know the password for the admin on the local box. &lt;br&gt;
This can be very bad since the attacker now knows the admin's password. If the box enables any network services, this is almost fatal. Even if this particular box does not have any network services, the attacker has an idea of how the admin is making up passwords. For example, if the localstart.asp admin password is "Adm1nB0xname" - the attacker has a fairly good idea of what the password is going to be on another box in the network that has more privileges such as ssh. &lt;br&gt;
A word of caution to those who decide that the best way to go about it is to remove localstart.asp. It seems that simply removing it causes problems in IIS. The best solution is to replace localstart.asp with a blank page and have no authentication on it.</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/74672.aspx</wfw:comment>
        <slash:comments>5</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/74672.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/74672.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Anti-phishing project - and a bad implementation attempt</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2005/06/30/45159.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2005/06/30/45159.aspx</id>
        <published>2005-06-30T15:21:00-05:00:00</published>
        <updated>2006-03-29T04:56:00Z</updated>
        <content type="html">So, it finally happened yesterday afternoon. I had to give up on my skunkworks project. Below is an article on what the attempt was, and how exactly and why I had to abandon it. Hopefully, it will help someone following along the same lines (if someone is really dumb enough to follow along those lines).
&lt;br&gt;&lt;br&gt;
Phishing project (a.k.a. what I did the Spring of 2005)
Rishi Pande
&lt;br&gt;&lt;br&gt;
Goal:
The main goal of this project was to stop phishing.
&lt;br&gt;&lt;br&gt;
Background:&lt;br&gt;
Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting. Most current anti-phishing measures work in client side browsers. Ideas have ranged from simply not displaying a site matching certain criteria to having the browser skin change. However, all these measures are client-side changes, and a dumb user would get past all the problems. Also, the company that gets phished carries no liability but faces great damage (lost customers, public embarrassment, etc.) The main ‘trick’ in the phishing is the oldest in the book, namely, making a user believe that something fake is in fact genuine. 
&lt;br&gt;&lt;br&gt;
Approach:&lt;br&gt;
The core idea behind the project was to verify the authenticity of the website. The fake website has to look similar (if not the same) as the actual website as shown in the &lt;a href = "http://www.antiphishing.org/phishing_archive.html"&gt; Anti-phishing&lt;/a&gt; archives.
&lt;br&gt;&lt;br&gt;
To determine if a site has been phished, we need the contents and location of the real site and the contents and location of the fake site. Since the text and images on the fake webpage are a near replica of the real webpage, the idea was to use information retrieval algorithms to determine the similarity between the two pages. If the two pages match, then the site is being phished. This would be valuable information to the developers/ maintainers of the website. 
&lt;br&gt;&lt;br&gt;
Algorithm:&lt;br&gt;
The two user information characteristics that a webpage has are text and images. Thus a combination of a textual document matcher and an image matching algorithm should match all characteristics for similarity. &lt;br&gt;
Text matching&lt;br&gt;
Information retrieval research has produced several document matching algorithms. Chief among these is the vector based search. The vector based approach works by stripping stop words (and, it, or, but, etc.) from a document and then getting the stem of each remaining word. Then an Inverse Document Frequency list is produced based on the frequency of each word. This formation is called the vector of the document. Vectors of all documents to be matched are calculated before any actual matching is done. &lt;br&gt;
When the new document to be matched is supplied, its vector is calculated. Then the cosine of the angle between the two vectors is calculated. If the cosine value is high, then the documents are said to be similar. High, of course, is relative in this scheme. Sample matches should be made to set the value of the bar that determines the cut-off point. &lt;br&gt;&lt;br&gt;
Image matching&lt;br&gt;
Image matching can get highly complex. This is because the information in the images is visual but represented as binary. Several techniques have been developed that match images based on edges in the image, actual images, geo-spatial methods. A new technique that has come about in the past few years is called Content Based Image Retrieval (CBIR). CBIR has accurate image matching properties. However, implementations of most algorithms are still proprietary. Also, most image matching algorithms face a sizing problem – a.k.a. if the image is resized, the matching characteristics  &lt;br&gt;
An interesting implementation is one done by Steve Corbett (http://www.scorbett.ca ), called ImageCompare. The implementation basically takes any image and converts it to a fixed size (100 X 100) with a grayscale palette. Any minor differences are not seen by the algorithm. We used the image comparison method used by Steve Corbett and found the algorithm to be exactly what we needed. This was because if the phisher makes too many changes to the image, the user may not be convinced enough that the website is an actual record. 
&lt;br&gt;&lt;br&gt;
Problems&lt;br&gt;
This section documents the problems we ran into during development. &lt;br&gt;
The first sign of trouble started when the document matching algorithm started generating false positives. An issue that I had overlooked during the earlier stages was that the pages that are phished are the login pages. Unfortunately, the content of most login pages is the same. Enter username/ password. Therefore, all login pages would match and generate false positives. &lt;br&gt;
It was therefore determined that we may have to alter the algorithm to not check the text at all and, all in all, just check all the images on a webpage. This means that all the images on a particular page would have to be indexed with the page. &lt;br&gt;
Such a simple method is extremely inefficient because you really can’t index. No vectors can be formed for each document based on images because images do not have a ‘dictionary’ like words. This makes searching extremely inefficient and impractical with any reasonably sized database of web pages. 
&lt;br&gt;&lt;br&gt;
Conclusion&lt;br&gt;
This implementation was an attempt at stopping phishing attacks at least from a proof-of-concept point of view. Unfortunately, it did not pan out. But then again, this is what I think research is all about :)&lt;br&gt;


&lt;b&gt;NOTE: Six months after I gave up on this project, CNET published &lt;a href = "http://news.com.com/Alert+sounds+alarm+on+phishing+imposters/2100-7349_3-6055142.html?tag=nefd.top"&gt;an article&lt;/a&gt; this morning which seems very similar to my idea detailed here. They call it "phishing print" but it seems remarkably similar to my idea. It would be nice if they get beyond the marketing and into the technical nitty-gritty.&lt;/b&gt;</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/45159.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/45159.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/45159.aspx</trackback:ping>
    </entry>
    <entry>
        <title>new section in my blogs</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/01/18/66277.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/01/18/66277.aspx</id>
        <published>2006-01-18T10:11:00-06:00:00</published>
        <updated>2006-02-14T07:44:00Z</updated>
        <content type="html">To date, I have mainly been blogging about technical issues and problems. I generally hold back my views and tend to form opinions as time goes by. I have some opinions now - these opinions are to be taken in light of the fact that I am not an expert. I am just a simple guy trying to figure out a big bad industry - software security. These opinions do not reflect the opinions of my employers or anyone associated with me or them in any other way. These are my trawlings - my free thought. I have created a new section to reflect this. Thanks. As always please feel free to comment.</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/66277.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/66277.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/66277.aspx</trackback:ping>
    </entry>
    <entry>
        <title>blog story</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/02/14/69435.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/02/14/69435.aspx</id>
        <published>2006-02-14T07:43:00-06:00:00</published>
        <updated>2006-02-14T07:43:00Z</updated>
        <content type="html">&lt;a href = "http://newyorkmetro.com/news/media/15967/"&gt;Here&lt;/a&gt; is an interesting post this morning from the New York Metro. IT talks about why people blog and how some blogs are more popular than others (like me :( )&lt;br&gt;
Have Fun!&lt;img src="http://geekswithblogs.net/rishi/aggbug/69435.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/69435.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/69435.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/69435.aspx</trackback:ping>
    </entry>
    <entry>
        <title>byte array to hex string in C++</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/02/09/68893.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/02/09/68893.aspx</id>
        <published>2006-02-09T16:29:00-06:00:00</published>
        <updated>2006-02-09T16:35:00Z</updated>
        <content type="html">Here is a way to convert your byte array to a hex string in C++. It will convert a byte array that looks like&lt;br&gt;
2A 1F 2C&lt;br&gt;
to a string value "2A1F2C"&lt;br&gt;
&lt;code&gt;
	// hval is the 10-byte input array (unsigned char hval[10])&lt;br&gt;
	// 10 bytes give 20 hex digits; one extra char holds the terminating NUL&lt;br&gt;
	char finalhash[21];&lt;br&gt;
	char hexval[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};&lt;br&gt;
	for(int j = 0; j &lt; 10; j++){&lt;br&gt;
		finalhash[j*2] = hexval[((hval[j] &gt;&gt; 4) &amp; 0xF)];      // high nibble&lt;br&gt;
		finalhash[(j*2) + 1] = hexval[(hval[j]) &amp; 0x0F];         // low nibble&lt;br&gt;
	}&lt;br&gt;
	finalhash[20] = '\0';&lt;br&gt;
&lt;/code&gt;</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/68893.aspx</wfw:comment>
        <slash:comments>12</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/68893.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/68893.aspx</trackback:ping>
    </entry>
    <entry>
        <title>.net byte v/s java byte</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/01/27/67310.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/01/27/67310.aspx</id>
        <published>2006-01-27T09:55:00-06:00:00</published>
        <updated>2006-01-30T16:37:00Z</updated>
        <content type="html">So a byte is a byte is a byte unless it is not! That in one sentence sums up my findings from yesterday. A byte in .NET represents an unsigned byte (0 - 255) automatically but a byte in Java is a signed byte (-128 - 127) and no, there is no way to get an unsigned byte. I never really came across this problem till I was running some encryption algorithms on both. I need to encrypt a string in .NET and decrypt it on Java. For this I was converting the byte array into a hex string and asking users to enter it. However, because of the difference in interpretation of bytes I am running into problems. &lt;br&gt;
NOTE: There is a signed byte in .NET available called sbyte. I am not sure how an encryption algorithm can stuff its data into it though. Sad! Sad! Sad! &lt;br&gt;
CORRECTION: Okay so I had a brain-dead day and wrote this out. It does not really matter how the two languages interpret the bits as long as the bits are the same going in to the encryption/decryption libraries. I am keeping this here to remind myself how stupid I can be.</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/67310.aspx</wfw:comment>
        <slash:comments>3</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/67310.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/67310.aspx</trackback:ping>
    </entry>
    <entry>
        <title>RC4 implementation in  C#</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/01/26/67166.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/01/26/67166.aspx</id>
        <published>2006-01-26T07:05:00-06:00:00</published>
        <updated>2006-01-26T07:05:00Z</updated>
        <content type="html">I was very surprised to find that the .NET framework does not have an implementation of RC4. I read somewhere that .NET 2.0 will have access to RC4 but it is definitely not included in the 1.1 version. So I went out and found a good &lt;a href="http://www.thecodeproject.com/csharp/rc4csharp.asp"&gt;implementation of RC4&lt;/a&gt;. It is quite simple to use (I think) and has a simple function use. I could of course write one on my own but it is easier to reuse code and the license seems pretty liberal. 
Have fun!
Oh and for those who really follow my blog, I am writing this piece about the security technology environment. It should be out soon.</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/67166.aspx</wfw:comment>
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/67166.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/67166.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Introducing modularity at all stages</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/01/10/65449.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/01/10/65449.aspx</id>
        <published>2006-01-10T09:19:00-06:00:00</published>
        <updated>2006-01-10T09:19:00Z</updated>
        <content type="html">I did my stint in college with modular software design and have always asked the question "At what stage does it get too modular?" Let me explain that question a bit more in depth - It is nice to have a modular and pluggable architecture but the more pluggable and modular you make it, the more overhead you have. The problem comes when you are putting in too much overhead and not really using it. This in my opinion is the call that the software architect is paid the big bucks to decide. The problem with making the call is that not all conditions in which the software will be used can be foreseen. So when does a design get too modular? &lt;br&gt;
I currently have a case where the software that we designed (notice the "we" now that the design turns out to be not optimal - just kidding) was not made pluggable in the data access part. Now it looks like under different conditions different dlls have to access different data modules. If I had called for this part to be modular and pluggable in the first instance I would have gotten away with it. Now, I have to redesign the end component a bit. Not a good thing :( . Oh well, at least I know the set of conditions it occurred under and the problems associated with it. A good lesson for me. &lt;br&gt;
Oh yeah, so when does a design get too modular? Short answer - never! It just depends on the resources that you can spare.</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/65449.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/65449.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/65449.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Dynamic DLL loading</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2006/01/06/65135.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2006/01/06/65135.aspx</id>
        <published>2006-01-06T15:22:00-06:00:00</published>
        <updated>2006-01-06T15:22:00Z</updated>
        <content type="html">I worked on the redesign of one of my components this week. The redesign was caused because of added functionality. We ran into a problem where we needed to choose the chain of dlls to load at runtime. To give a quick overview here is what we ended up doing.&lt;br&gt;
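&lt;code&gt;&lt;br&gt;
typedef long  (_stdcall *getBlockSize)(long Size);&lt;br&gt;&lt;br&gt;
// rtnstatus, lKeySize, czKey and DLL_ERROR come from the surrounding code&lt;br&gt;
// A relative path goes through the standard DLL search order; a full path pins the exact file that is loaded&lt;br&gt;
HINSTANCE LoadMe = LoadLibrary("..\\bin\\MY.dll");&lt;br&gt;
if (LoadMe != NULL){&lt;br&gt;
	getBlockSize pBlkSize = (getBlockSize)GetProcAddress(LoadMe, "getBlockSize");&lt;br&gt;
	if(pBlkSize == NULL){&lt;br&gt;
		// GetLastError() is only meaningful right after the failed call&lt;br&gt;
		DWORD error = GetLastError();&lt;br&gt;
		rtnstatus = DLL_ERROR;&lt;br&gt;
	}else{&lt;br&gt;
		lKeySize = (*pBlkSize)((long)strlen(czKey));&lt;br&gt;
	}&lt;br&gt;
}else{&lt;br&gt;
	// the DLL itself could not be loaded&lt;br&gt;
	rtnstatus = DLL_ERROR;&lt;br&gt;
}&lt;br&gt;
&lt;/code&gt;&lt;br&gt;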
&lt;br&gt;
Hope this helps me someday :p</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/65135.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/65135.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/65135.aspx</trackback:ping>
    </entry>
    <entry>
        <title>how does a business become successful?</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2005/12/22/63929.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2005/12/22/63929.aspx</id>
        <published>2005-12-22T12:07:00-06:00:00</published>
        <updated>2005-12-22T12:07:00Z</updated>
        <content type="html">It has been an extraordinarily long time now that I have not posted. I have been working on a very important project at work with an extremely tight deadline - so tight that I had to cancel my long planned overseas vacation :( .&lt;br&gt;
I had a very successful meeting on Tuesday though where the entire engineering team re-evaluated our plans and goals and where we are headed. It was determined that some deadlines cannot be met and so they were pushed back. I am sure this upset a lot of people in my company especially those in the upper level of management. Pushing back a product deadline is not something that will help the company's stock price especially if the announcement comes the week the stock starts trading.&lt;br&gt; 
This incident made me think about the difference between successful and unsuccessful companies. What really differentiates a Google from an Ask Jeeves? Why are some companies successful in the same space that other companies have come and gone?&lt;br&gt;
I guess I should start by defining what I really mean by success. To me, success is when you capture 30-40% of the software engineering world's attention. It is when software engineers are familiar with the capabilities of your product and under the right circumstances are willing to use your product. &lt;br&gt;
I hope to be able to answer this question soon. If anyone has any thoughts feel free to comment</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/63929.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/63929.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/63929.aspx</trackback:ping>
    </entry>
    <entry>
        <title>more Active Directory funkiness</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2005/11/14/60088.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2005/11/14/60088.aspx</id>
        <published>2005-11-14T15:22:00-06:00:00</published>
        <updated>2005-11-18T13:29:00Z</updated>
        <content type="html">We had a bug that got reported on November 1 this year. Nobody could figure out the reason for the bug except that the possible module for the bug had to be a module that I wrote. The bug was reported across all the clients. The condition had not occurred before even during extensive testing. &lt;br&gt;
I could not reproduce the bug on my machine nor could the testing team. We were quite confounded by the bug till someone pointed out that Nov 1 was right after we moved to daylight savings time. This gave me a funny feeling because my module did query the domain for time. After some checks, it turns out that the ADSI returns different times before and after daylight savings time kicks in. So if you were to query any time based parameters from the AD (such as time password changed) it will return a different value before and after the time change. This is because all time based parameters are returned as long values representing the difference between the current system time and a fixed date (Jan 1, 1969 or some variation thereof). This difference changes when daylight savings time kicks in. &lt;br&gt;
Has anybody dealt with this issue before? I cannot figure out a way in which I can query the AD for UTC time instead of system time. &lt;br&gt;
I have an ugly hack in mind as the solution: change the time I store when the system time changes, but I am afraid I am going to introduce more bugs than necessary - what with the change in daylight savings time in 2007.
&lt;br&gt;&lt;br&gt;
UPDATE:&lt;br&gt;
After sitting on this problem for the week I found the source of the error. We were using a wrapper function around AD provided by Microsoft which gave the time as a double value so that it can be accurately displayed as a date. Instead we now fetch the property from the IADSUser object. During the return, it turns out that AD makes a reverse query to the computer making the request and fetches the system time. The reply depends on the system time. If you are storing any property, you have to be very careful - and hopefully not spend a week on the problem. Kudos to my co-workers who helped me solve this issue :p
</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/60088.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/60088.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/60088.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Today's dilbert</title>
        <link rel="self" type="text/html" href="http://geekswithblogs.net/rishi/archive/2005/11/16/60287.aspx" />
        <id>http://geekswithblogs.net/rishi/archive/2005/11/16/60287.aspx</id>
        <published>2005-11-16T06:53:00-06:00:00</published>
        <updated>2005-11-16T06:53:00Z</updated>
        <content type="html">hmmm ... what does &lt;a href = "http://www.dilbert.com/comics/dilbert/archive/images/dilbert2002220051116.gif"&gt;this &lt;/a&gt;remind me of? Just kidding&lt;br&gt;
But I thought this would be a lot of fun to read &lt;br&gt;</content>
        <wfw:comment>http://geekswithblogs.net/rishi/comments/60287.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://geekswithblogs.net/rishi/comments/commentRss/60287.aspx</wfw:commentRss>
        <trackback:ping>http://geekswithblogs.net/rishi/services/trackbacks/60287.aspx</trackback:ping>
    </entry>
</feed>