This form of attack has been implemented in New Zealand polytechnics for years now; it's nothing new!
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mung fu
> Sent: Tuesday, 25 February 2003 8:48 p.m.
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Security Advisory MA-2003-01 - CISSP Trojan
>
>
> Security Advisory MA-2003-01
> CISSP - Trojan Security Certification
>
> Original Release Date: Thursday January 16, 2003
> Last Revised: --
> Source: --
>
> Systems Affected
>
> o Information Security Community
> o Information Technology Employers
> o Information Security Consultants
>
>
> Overview
>
> It has recently been identified that The International
> Information Systems Security Certification Consortium (CISSP)
> has developed and released a potentially destructive trojan
> application, which masquerades as a valid standard for
> professional certification in the field of information security.
>
>
> I. Description
>
> Delivered in the benign form of a six hour examination, the
> CISSP prompts the target user with a series of 250 questions
> regarding the following topics:
>
> o Access Control Systems & Methodology
> o Applications & Systems Development
> o Business Continuity Planning
> o Cryptography
> o Law, Investigation & Ethics
> o Operations Security
> o Physical Security
> o Security Architecture & Models
> o Security Management Practices
> o Telecommunications, Network & Internet Security
>
> This rather large payload, commonly referred to as the Common Body of
> Knowledge (CBK), may cause a Denial of Service situation,
> leaving the target overwhelmed and unable to respond to
> further requests during the duration of the attack. If the
> target handles the Denial of Service attack appropriately,
> and is unaffected, the CISSP trojan discontinues this attack,
> and self-mutates into a certification of added IS
> credibility. If accepted by the target, this certification
> begins to cause the following symptoms:
>
> o Increase in self-confidence
> o Increase in salary requirements
> o False sense of accomplishment
> o False sense of self-improvement
>
> Despite the symptoms, the target experiences no real benefit
> whatsoever. The affected target then is made to transfer
> funds in excess of $2,000 (US) to a remote bank account owned
> by ISC2. Finally, the affected target promotes itself to a
> "Certified Information Security Expert" sans authentication.
> The affected target may then infect others, eventually creating a massive
> army of unskilled, prefabricated, shrink-wrapped, not for
> resale, half-assed security engineers, consultants, and
> "research scientists".
>
>
> II. Impact
>
> An abundance of sub-par information security engineers,
> consultants, and "research scientists".
>
> A negative impact on the economy, specifically within the Information
> Technology sector.
>
>
> III. Solution
>
> Avoid any certifications issued by ISC2 until a patch is distributed.
> Obtain information security related certifications from valid sources.
> Employers are encouraged to recognize the CISSP as a trojan
> certification.
>
>
> Appendix A - Vendor Information
>
> International Information Security Certification Consortium, Inc.
>
> (ISC)2 is the premier organization dedicated to providing
> information security professionals and practitioners
> worldwide with the standard for professional certification.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
