Latest articles in ‘Opinions’

  1. RSA key lengths, elliptic curve cryptography and quantum computing

    Published: Thu 14 December 2017 in Opinions.
    Are RSA keys over 2048 bits overkill? Are elliptic curve the future of cryptography? Is quantum computing a real threat and what is its exact impact?

    Some tools, like PGP, are still stuck¹ with legacy cryptography, mainly the RSA algorithm. For such tools, RSA-2048 is often described as strong enough for any foreseeable future, anything above being overkill. The GnuPG official documentation in particular even goes so far as to consider that using RSA-3072 or RSA-4096 constitutes “an improvement so marginal that it’s really not worth mentioning”, adding that “the way to go would be to switch to elliptical curve cryptography”.

    The assertion that this improvement is “marginal” is debatable, as is the trust placed in elliptic curves to protect us in the future.

    Longer RSA keys

    While NIST considers RSA-2048 to be safe for commercial use up to 2030, it still advises the use of at least an RSA-3072 key beyond that date (see BlueKrypt’s Keylength website for an overview of the various recommendations).

    Read quickly, such recommendation …
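    To put a number on the “marginal” improvement discussed above, the following added example (not code from the original article or from GnuPG) evaluates the standard heuristic running time of the General Number Field Sieve, L_n[1/3, (64/9)^(1/3)], for the usual RSA modulus sizes and reports how much extra factoring effort each step in key size buys. The absolute figures ignore the o(1) term and real-world constants, so they land somewhat above NIST’s tabulated 112 and 128 bits for RSA-2048 and RSA-3072; the differences between sizes are the point of the exercise, and those are a long way from marginal: each step costs the attacker roughly 2^18 to 2^22 times more work.

```python
import math

LN2 = math.log(2)
# Leading constant of the GNFS heuristic running time, (64/9)^(1/3) ~ 1.923.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log2_work(modulus_bits: int) -> float:
    """Heuristic log2 of the GNFS effort needed to factor a modulus of the given size.

    Uses L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with c = (64/9)^(1/3),
    approximating ln n by modulus_bits * ln 2 (an assumption: n is taken as a
    full-size modulus, not any specific key).  The o(1) term and implementation
    constants are dropped, so the absolute value is only indicative; the
    differences between key sizes are what this estimate is good for.
    """
    ln_n = modulus_bits * LN2
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2


def extra_work_bits(from_bits: int, to_bits: int) -> float:
    """Additional bits of factoring effort a larger modulus imposes on the attacker."""
    return gnfs_log2_work(to_bits) - gnfs_log2_work(from_bits)


def compare(sizes=(1024, 2048, 3072, 4096)):
    """Return (modulus bits, estimated log2 GNFS work) for each size, in order."""
    return [(bits, round(gnfs_log2_work(bits), 1)) for bits in sizes]


if __name__ == "__main__":
    previous = None
    for bits, work in compare():
        note = ""
        if previous is not None:
            delta = work - previous
            note = f"  (+{delta:.1f} bits, about 2^{delta:.0f} times the previous effort)"
        print(f"RSA-{bits}: ~2^{work:.1f} GNFS operations{note}")
        previous = work
```

    Doubling from RSA-2048 to RSA-4096 adds close to 40 bits of estimated effort under this model, which is the same order of magnitude as the gap NIST draws between the 112-bit and 152-bit security levels. Whether that is “worth mentioning” is, as the article says, debatable, but it is not nothing.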

  2. Why making good software is deemed not profitable

    Published: Thu 23 November 2017 in Opinions.
    You thought that large companies have the means to produce high quality software? The situation is a bit more complex; let me explain why.

    Another company got caught with its hand in the cookie jar, and this time we are not talking about the firmware of some cheap home router:

    CVE-2017-10151, CVSS 3.0 Base Score 10.0:

    Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Supported versions that are affected are, and

    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager.

    While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products.

    Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager.

    The issue is pretty simple: Oracle added a default account with administrative privileges and hardcoded credentials to their product to ease development work. This is what is commonly called a backdoor.

    While there are obviously no statistics available about such practices …

  3. EC-Council CEH certification review

    Published: Wed 04 October 2017 in Opinions.
    Updated: Fri 06 October 2017 (Added a note about Metasploit)
    Facts, advice and personal impressions on the EC-Council CEH certification.

    The five Ws

    • What: The EC-Council Certified Ethical Hacker (CEH) is a technical certification on penetration testing.

      While being oriented toward technical people, the certification itself goes lightly on the practical side and insists instead on having a broad general culture. This certification covers definitions, concepts and tools, with a strong focus on ethics.

      This certification never goes really deep into any subject, but instead attempts to cover the widest possible range of topics related to pentesting. Examples of covered topics include cryptography, regulation and compliance, operating systems (client, server and mobile systems are all covered), networking (including wireless networking), procedures, code review, physical security, social engineering and, last but not least, ethics.

    • When: This certification has no prerequisite (two years of experience in IT security waives the training requirement, while enrolling in an approved training removes the experience requirement).

      It is suitable for anyone interested …

  4. How are attacks and APTs attributed

    Published: Sun 01 October 2017 in Opinions.
    How to put the name of a country or an individual behind a security event.

    Computer-based attack attribution works like the attribution of any other illegal activity: it requires a significant amount of investigation, gathering clues, corroborating information, attempting to eliminate false leads and recognize the right ones, etc.

    On the attackers’ side

    The attacker may cover his tracks using two main techniques: plausible deniability and false flag.

    Plausible deniability

    Plausible deniability aims at non-attribution by making the attacker’s identity unclear. It relies notably on using off-the-shelf and widely available tools and techniques, and on carefully removing all metadata or potential clues.

    The CIA’s Development Tradecraft DOs and DON’Ts from the “Vault 7” leak is a perfect example of how to implement plausible deniability in malicious software.

    False flag

    False flag (in the case of a government entity we can also talk of black ops) aims at misattribution by voluntarily and actively forging clues designed to deceive investigators (or simply the targets) into attributing the attack …

  5. BSDA certification review

    Published: Fri 22 September 2017 in Opinions.
    Updated: Tue 26 September 2017 (Add link to the BSDA Certification Study DVD)
    Facts, advice and personal impressions on the BSDA certification from the BSD Certification Group.

    The five Ws

    • What: The BSD Associate (BSDA) is a technical certification on BSD systems administration. It covers DragonFlyBSD, FreeBSD, NetBSD and OpenBSD.

      This certification covers general BSD systems administration (there is not much about the system architecture itself), the specificities of each covered BSD flavor, common Unix services administration, and also a few non-technical points, notably on the BSD license and its differences from other licensing types.

      I personally find the official naming misleading, as the requirements for this certification actually target system administrators, not assistants.

    • When: The BSDA has no prerequisites, but is very technical and covers a wide range of domains, so I would certainly not recommend it for beginners.

      It can be seen as the BSD counterpart of the LPIC-2 Linux certification.

    • Why: BSD systems have a different approach from Linux ones on a lot of things, both technical and non-technical. Being Linux certified does …

  6. Linux LPIC certification review

    Published: Sun 03 September 2017 in Opinions.
    Facts, advice and personal impressions on the Linux LPIC certification (all levels).

    The five Ws

    • What: The Linux Professional Institute Certification (LPIC) is a technical certification on GNU/Linux systems administration. This certification is vendor-neutral and covers the major GNU/Linux distributions (Debian, SUSE, Red Hat) and their derivatives.

      Setting the Linux Essentials certification aside (it targets end-users, not administrators), the LPIC certification path has three main levels:

      • LPIC-1 “Linux Administrator”: This level studies the GNU/Linux system itself: how it works and how to administer the local system, with some knowledge of troubleshooting and the main services.

      • LPIC-2 “Linux Engineer”: This level is twofold: on one side you study advanced administration and troubleshooting techniques, on the other you now envision the GNU/Linux system as part of the corporate ecosystem and study the administration of the most common network services (here again vendor-neutral, so you should be comfortable with both the Apache and Nginx HTTP servers, for instance).

      • LPIC-3 …

  7. Cisco CCNA Security certification review

    Published: Fri 01 September 2017 in Opinions.
    Facts, advice and personal impressions on the Cisco CCNA Security certification.

    The five Ws

    • What: CCNA Security is a technical certification about general network security in a professional context. It describes the typical threats potentially affecting such networks, then the various Cisco technologies that mitigate them. This covers the networking devices themselves, but also the data, both in transit and at rest, and end-user devices, both corporate and personal ones (BYOD).

    • When: Obtaining this certification requires having at least the CCENT certification (I recommend having the CCNA Routing & Switching, though).


      While the CCENT or CCNA R&S is a prerequisite to be granted the CCNA Security certification, they are not technically required to take the exam.

      If for some reason it suits you, Cisco allows you to take the CCNA Security exam before having obtained the CCENT or CCNA R&S. If you pass the exam, you will be granted the CCNA Security certification once you get your …

  8. Cisco CCNA Routing & Switching certification review

    Published: Mon 21 August 2017 in Opinions.
    Facts, advice and personal impressions on the Cisco CCNA Routing & Switching certification.

    The five Ws

    • What: CCNA Routing & Switching is a technical certification about enterprise-grade IT networking from Cisco. It covers the involved devices, protocols and how to implement them using Cisco technologies.

    • When: This is an entry-level certification with no prerequisite.

    • Why: This certification demonstrates a good level of familiarity with enterprise networks and Cisco’s IOS-based devices.

      It is a de facto standard in terms of IT networking certification, valuable even for employers using technologies other than Cisco’s, and is also a prerequisite for several other Cisco certifications.


      Note that some Cisco certifications do not require the actual CCNA R&S certification as a prerequisite but only the CCENT, which is half of the CCNA R&S.

      If you are interested in networking (and I expect you are when you intend to pass a Cisco exam) I warmly encourage you to pass the full CCNA R&S certification instead of …

  9. Are certifications useful? A few words about career plans.

    Published: Thu 17 August 2017 in Opinions.
    Why the right certification may be beneficial for your employer, for the customers, but above all for yourself.

    I regularly encounter people claiming that certifications have no use, or at best only help to pass HR screening.

    I acknowledge that the importance and impact of certifications are often over-emphasized by people selling certification-related books and services (which is to be expected: they are selling something, this is advertising), and I also agree that a certification is not proof of anything per se.

    However, I believe that a certification from a well-known and trusted organization benefits the whole IT security chain: it benefits you, your employer and the end customer alike.


    I talk here of a “certification from a well-known and trusted organization”. There is a tendency for many websites hosting a little training material to deliver “certifications”, praising the value your resume will gain from one of these.

    In case of doubt, check job offers: if there is no demand for this particular certification (and …

  10. NSA and Microsoft, toward a tighter “collaborative teamwork”?

    Published: Tue 16 May 2017 in Opinions.
    A history of forced love and denial between the National "Security" Agency and large corporations.

    This article is somewhat of a sequel to my thoughts about the WannaCry case.

    The NSA relies on a large database of undisclosed and unfixed software vulnerabilities to hack its way into any system deemed either hostile or useful for its intelligence gathering. As explained by the former NSA director Michael Hayden:

    If the agency thinks that no one else will be able to exploit a vulnerability, it leaves the problem unfixed to aid in its own spying efforts.

    It is only if the NSA estimates that the exploit may be known to someone else, and therefore represents a potential risk to US safety, that it will inform the vendor so that the vulnerability gets fixed.

    It may happen that this process sometimes gets a hiccup, with a vendor interfering with NSA activity, as most probably happened to Microsoft with the MS08-067 …
