Full Disclosure mailing list archives

RE: Security Advisory MA-2003-01 - CISSP Trojan


From: "Steve Wray" <steve.wray () paradise net nz>
Date: Wed, 26 Feb 2003 09:35:42 +1300

This form of attack has been implemented in New Zealand
polytechnics for years now; it's nothing new!

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of mung fu
Sent: Tuesday, 25 February 2003 8:48 p.m.
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Security Advisory MA-2003-01 - CISSP Trojan



Security Advisory MA-2003-01     CISSP - Trojan Security Certification


Original Release Date: Thursday January 16, 2003
Last Revised: --
Source: --

Systems Affected

        o Information Security Community
        o Information Technology Employers
        o Information Security Consultants


Overview

It has recently been identified that The International 
Information Systems Security Certification Consortium (CISSP) 
has developed and released a potentially destructive trojan 
application, which masquerades as a valid standard for 
professional certification in the field of information security.


I. Description

Delivered in the benign form of a six-hour examination, the 
CISSP prompts the target user with a series of 250 questions 
regarding the following topics:

        o Access Control Systems & Methodology
        o Applications & Systems Development
        o Business Continuity Planning
        o Cryptography
        o Law, Investigation & Ethics
        o Operations Security
        o Physical Security
        o Security Architecture & Models
        o Security Management Practices
        o Telecommunications, Network & Internet Security

This rather large payload, commonly referred to as the Common Body of
Knowledge (CBK), may cause a Denial of Service situation, 
leaving the target overwhelmed and unable to respond to 
further requests for the duration of the attack.  If the 
target handles the Denial of Service attack appropriately, 
and is unaffected, the CISSP trojan discontinues this attack, 
and self-mutates into a certification of added IS 
credibility. If accepted by the target, this certification 
begins to cause the following symptoms:

        o Increase in self-confidence
        o Increase in salary requirements
        o False sense of accomplishment
        o False sense of self-improvement

Despite the symptoms, the target experiences no real benefit 
whatsoever.  The affected target is then made to transfer 
funds in excess of $2,000 (US) to a remote bank account owned 
by ISC2.  Finally, the affected target promotes itself to a 
"Certified Information Security Expert" sans authentication.  
The affected target may then infect others, eventually creating 
a massive army of unskilled, prefabricated, shrink-wrapped, 
not for resale, half-assed security engineers, consultants, and 
"research scientists".


II. Impact

An abundance of sub-par information security engineers, 
consultants, and "research scientists".

A negative impact on the economy, specifically within the Information
Technology sector.


III. Solution

Avoid any certifications issued by ISC2 until a patch is distributed.
Obtain information security related certifications from valid sources.
Employers are encouraged to recognize the CISSP as a trojan 
certification.


Appendix A - Vendor Information

International Information Security Certification Consortium, Inc.

(ISC)2 is the premier organization dedicated to providing 
information security professionals and practitioners 
worldwide with the standard for professional certification.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
