OMG, my refrigerator got hacked!

August 10, 2017 at 9:39 am | Posted in Uncategorized | Leave a comment

Years ago I started worrying about getting a virus on my laptop. More recently I began worrying about getting a virus on my iPhone. As of 2017, my new fear is that my smart refrigerator can send spam – or worse.

Last year a photograph of a smart refrigerator displaying an adult site on the display floor of a major retailer went viral. (I tried to find and credit the original source; it was posted on John McAfee’s twitter feed but it’s not clear whether it’s his photo.)


We live in a golden age. You can change the temperature in your house from a remote location by simply using your phone to access your Internet-connected thermostat in your home. But who else can connect to this device?


Connected devices or smart devices, referred to as The Internet of Things (IoT) devices, have simplified our lives more than we could ever imagine – or so their manufacturers claim. IoT devices have moved beyond home alarm systems to control home automation components like electric lights, HVAC systems, robotic vacuums, ovens, refrigerators, freezers, and even water faucets.

IoT devices are used in medical devices such as heart rate monitors, blood pressure monitors, pacemakers, and hospital equipment. IoT devices in automobiles send and receive information to the device manufacturer or update the equipment components. They let us know remotely if our brakes are worn, if it’s time for an oil change, or if it’s time to change our cabin filter. We’ve come a long way from the diagnostic port on a 1973 VW which could tell you if your alternator was charging your battery properly.

In short, IoT is big business, and everybody wants to cash in. IBM has rolled out a bunch of commercials promoting the IBM Watson IoT.

If you have watched a TV show or movie recently, it seems that any nerdy character with a bad haircut, an unfortunate tattoo, and an earring who can speak a complete sentence without using the words “like” and “you know” can hack into every security camera or device in a building. That’s fiction, but what about reality? IoT devices are notorious for lacking integrated security. Most of them just have a userid and password as credentials.


Criminals, identity thieves, or just plain pranksters would love to disarm your alarm system, steal your information, or just make your life miserable by hacking into an IoT device. An IoT device can be compromised in two ways:

  • An IoT device can be told to do what it is not supposed to do. A networked component in your smart TV could become part of a botnet attack. As hackers demonstrated to Jeep, an IoT device in an automobile may be hacked so that attackers can disable the power braking system.
  • IoT devices can be told to do what they are supposed to do, but at the wrong frequency. These attacks could include turning on the water or the lights in your house at the wrong time, flooding your basement or leaving it well-lit for thieves.

Every device or software may have flaws. A flaw that nobody else knows about is referred to as a “zero-day exploit.” According to a WikiLeaks report, the CIA has a set of tools to hack IoT devices via “zero-day exploits.” One zero-day exploit lets you activate the microphone on a smart TV or other device to remotely record conversations. According to the report, the CIA has many zero-day exploits for Android and Apple iOS devices. Who else has this set of tools? A government agency could use them to spy on their own citizens, or a rival nation, or even disrupt an election of another country. I am looking at you, Vladimir Putin.


According to Gartner Inc, there will be over 20 billion IoT devices by 2020. There is consumer demand for these IoT devices. Consumers want it simple and fast, and device manufacturers do not want to make these devices overly complicated out of the fear that consumers won’t buy them. Adding additional security to these devices is not generally in the device manufacturers’ best interest if they want to increase sales. However, technology always changes. Devices, unlike computers, rarely have the ability to accept a patch or update. WiFi routers may have firmware updates, but not all Internet-connected devices do. This leaves the consumer at a security disadvantage. Worse, it leaves them open to hacking.

What can the consumer do?

Most users do not change the default security on devices. WiFi routers’ passwords are rarely changed out of the box by the average consumer; nor are the passwords of security cameras. If you think the password is like your front door, you should lock your front door, and for heaven’s sake, change the default password.

You should try to practice good password hygiene.

  • Avoid reusing credentials – Use different passwords and user IDs for your different devices. How in the world can I keep up with all these passwords? I can barely remember my daughter’s birthday or the security code for my ATM card. You can get a password manager app and install it on your phone.
  • Change passwords frequently – Passwords can become stale. Your roommate that moved out two months ago knows your WiFi password, and so does his ex-girlfriend. It might be time to change a few passwords.
  • Make the passwords strong – The passwords should be at least 15 characters. You should have a mix of uppercase, lowercase, numbers, and special characters. You can make the passwords out of a phrase, song lyric, or something that you can remember. For example, take a look at the following:
    • Ih8DaNew0rle@ns$aintz – translation: “I hate the New Orleans Saints”
    • Its@Sm@11W0rld@fterA11 – translation: “It’s a small world after all”
    • A7thN@tionArmy#C0u1dNtH0ldMeB@ck – translation: “A seven nation army couldn’t hold me back”
    • WhyD0e$MyC@tP00p1nD@Corner – translation: “Why does my cat poop in the corner?”
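The three rules above (no reuse across devices, at least 15 characters, all four character classes) encoded as a small audit script; this is an added example, not code from the original post, and the device names and credentials it checks are constructed sample data.

```python
import re

MIN_LENGTH = 15  # the post's rule: passwords should be at least 15 characters

# One pattern per required character class from the post's "make it strong" rule.
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample data: a home's IoT devices and the passwords set on them.
SAMPLE_CREDENTIALS = {
    "wifi_router": "Ih8DaNew0rle@ns$aintz",
    "security_camera": "Ih8DaNew0rle@ns$aintz",   # reused from the router
    "thermostat": "WhyD0e$MyC@tP00p1nD@Corner",
    "refrigerator": "admin",                      # factory default, never changed
}


def policy_failures(password):
    """Return the list of strength rules the password breaks (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            failures.append(f"no {name} character")
    return failures


def meets_policy(password):
    return not policy_failures(password)


def find_reused(credentials):
    """Map each password used on more than one device to the devices sharing it."""
    by_password = {}
    for device, password in credentials.items():
        by_password.setdefault(password, []).append(device)
    return {pw: devices for pw, devices in by_password.items() if len(devices) > 1}


def audit(credentials):
    """Per-device report: strength failures plus a note for every shared password."""
    report = {device: policy_failures(pw) for device, pw in credentials.items()}
    for devices in find_reused(credentials).values():
        for device in devices:
            others = ", ".join(d for d in devices if d != device)
            report[device].append("reused on " + others)
    return report


if __name__ == "__main__":
    for device, problems in audit(SAMPLE_CREDENTIALS).items():
        print(f"{device}: {'; '.join(problems) if problems else 'ok'}")
```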

It’s a given that the average consumer might not consider security a priority with an IoT device. However, the IoT goes beyond consumer devices. If a device can be accessed via Bluetooth, WiFi, or any other wireless technology, it is vulnerable and could be compromised – and that includes crucial healthcare devices. Medical device maker Johnson and Johnson had to reveal to over 100,000 patients that a hacker could exploit one of their insulin pumps. We are not talking about refrigerators and security cameras anymore. We are now talking about people’s lives and well being. It may no longer be a spy-novel plot device to suppose an assassin could remotely speed up a pacemaker or stop a medical implant from working.

A financial institution spends a significant portion of its IT budget on security. Healthcare providers only spend about 6% of their IT budget on security, and it is usually applied after the device is designed rather than being integrated into the device.

Who knows if there is a zero-day exploit in a medical device right now? It may take years for manufacturers to find them all. Who knows if a hacker found the exploit first? If it’s difficult for an automobile manufacturer to replace an electric window motor in a mandated recall, it will be extremely difficult to replace a medical device that has been installed and then recalled due to IoT insecurity. Technology has gone down a road that can bring us great prosperity and better health. We need to make sure that the potholes are paved and road is secure from bandits.

Until next time,

George Monsalvatge

Kaplan IT Training Announces New Blog Column Focusing on Women In Technology

March 30, 2017 at 10:58 am | Posted in Certification Paths, cybersecurity, Knowledge, Uncategorized | Leave a comment


Women At Work In Engineering and Technology is our new blog column created especially for women working in these specializations and those who are interested in taking on the challenge. As we bring Women’s History Month 2017 to a close, this is the perfect time to introduce our new column. Let’s make Women’s History Month every month for women in technology.

Worker Shortage

Although many women currently work in the field, educators and corporations are investigating ways to encourage more women and girls to choose tech as a career option. Women have played a large part in engineering, technology, science and math, but until recently were often overlooked. The recognition is growing and so are the opportunities. There are definite shortages of technology workers, and women are certainly missing at larger rates than men. How can we address this?

There are companies and institutions that have chosen to provide virtual coding classes for beginners as well as advanced learners. Coding literacy is in demand and companies are finding innovative ways to fill the void. This is an example of how important technology has become in our world. Currently, there is a lack of employees who can take on the roles of software engineers and system administrators. Fortunately for those who acquire these skills, the need is increasing. Other areas that contain critical shortages include cyber security and data management.

Educational Efforts In Public School Education

There are efforts in K-12 education in many schools across the nation to bring coding and advanced technology classes to students. These efforts are boosted by the United States’ push towards S.T.E.A.M. and S.T.E.M.

S.T.E.A.M. is education’s way to encourage students to embrace careers in Science, Technology, Engineering, The Arts, and Math. This usually takes place in lower grade levels through middle school. S.T.E.M. is the acronym given to Science, Technology, Engineering and Math studies in high schools. Students are surrounded by technology, but oftentimes they are not aware of its power or relevance. Many educational institutions believe that if introduced early enough, students will take advantage of the knowledge over the course of their education and be more apt to be successful in an increasingly technical world. Girls, in particular, are targeted because of the scarcity of females who continue to enroll and stay on track in these courses.

Women Where Are You?

As young women and girls enter the technology field it becomes quite apparent that they are surrounded by fewer female faces. Support is often lacking, and roadblocks appear because of a lack of access to pathways that would support continued progress. Mentorship and encouragement are extremely important.

We Want To Help

Our goal with our new column is to provide information that can uplift women and girls in the field of technology. We will be discussing technical trends, careers, certifications, and training. We will keep you up to date on what it takes to find yourself and be successful in a technology focused career.

We will also reach out to our readers to find out about your challenges, issues, and personal stories as you navigate the world of technology. Technology surrounds us. We are mastering it and thriving. It’s time for us to let the world know while encouraging others. Look for us. We are here to share your stories and give you information that you can use.



Transcender is Now an Authorized Practice Test Provider for (ISC)²® Certifications

December 7, 2016 at 4:51 pm | Posted in (ISC)2, CISSP, Uncategorized | Leave a comment

There are a lot of great security certifications out there, but since its release in 1994, the CISSP (Certified Information Systems Security Professional) has become one of the best known and most highly regarded credentials. At Transcender, we’ve been dedicated to providing CISSP practice tests for over 13 years. Earlier in 2016 we also released our first test preparation for its sister certification, SSCP (Systems Security Certified Practitioner). Our hard work has paid off, because we’re now an authorized practice test provider for (ISC)²® certifications!

What does this mean to you? Nothing has changed about our award-winning products, but it does mean that (ISC)² has officially endorsed our practice tests for CISSP and SSCP.

  • The SSCP practice exam is a 300-question exam that will develop your test-taking skills, identify any weak areas, and prepare you for the actual test.
  • The premium SSCP study solution combines our trusted practice exam with self-paced eLearning, for a comprehensive learning experience.
  • The CISSP practice exam has an exhaustive 924-item question bank that will test every aspect of your technical skills, plus an 892-item flash card array.
  • The premium CISSP study solution includes the practice exam with 20 hours of online instruction through self-paced eLearning, which includes access to a live subject matter expert.

We’re also working together to develop a practice test for the up-and-coming CCSP (Certified Cloud Security Professional) certification for 2017. Be sure to follow our blog or subscribe to special updates and promotions on the Transcender web site to be notified of its release.

Transcender has been committed to closing the skills gap in the IT industry for the last 25 years and helping qualified candidates get the recognition they deserve. And now even (ISC)² recognizes our efforts. After your certification training, come over to us to help you prepare for exam day. Study with confidence, knowing that you have the most relevant and up-to-date study tool in the marketplace!

Free webinar on social media hacks – staying safe while surfing

July 29, 2016 at 11:49 am | Posted in Uncategorized | Leave a comment

What do you think when you hear “social media hack?” The top of everyone’s nightmare list is having an attacker take control of your Facebook account and impersonate you online, expose private information, or steal your data – or your money. This kind of hack gets the most news, and it’s potentially the most dangerous attack. The results can range from simple pranking or trolling to blackmail, identity theft, account lockout, and financial loss.

But how easily can you recognize other types of social media hacks – the ones that try to steal corporate data, spread malicious websites or code, or even influence the course of an election?

What makes these attacks uniquely “social media” based is that they rely on these huge user bases of relatively unsophisticated users – like grandma and your boss’s boss – and they take advantage of how few checks and balances there are when it comes to creating a user profile.

Join Transcender’s training expert George Monsalvatge for a 45-minute webinar that will help you (and your users) identify these increasingly sophisticated and distributed attacks aimed at social media networks. The webinar is FREE and relatively painless to join – just click the helpful link below:

Social Media Hack Attacks:
Staying Safe While Surfing
Register Today!
This webinar discusses several types of social media attacks and discusses best practices in order to prevent social media attacks.
8/3/2016 at 12:00 pm EST / 11:00 am CST


The New A+ 900 Series: What’s New (Part 5 of 5)

May 20, 2016 at 3:09 pm | Posted in Uncategorized | Leave a comment

Welcome back to my series of posts on the new A+ exam. Did you think I was NEVER going to finish this blog series? Me too! But I have been really snowed in working on some new products that I think will really please our customers. One of those is a practice test for (ISC)2’s SSCP exam. And a few more exciting security titles are coming soon! Watch our website for more information.

The old A+ 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States. CompTIA released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015.

  • In my first post, I went over the timeline and what to expect from the exam changes as a whole.
  • In my second post, I went into detail regarding the first two objectives for 220-901, Hardware and Networking.
  • In my third post, I went into detail regarding the last two objectives for 220-901, Mobile Devices and Hardware & Network Troubleshooting.
  • In my fourth post, I covered the first two objectives for 220-902, Windows Operating Systems and Other Operating Systems and Technologies.

In this post, I will cover the rest of 220-902, a total of three objectives: Security, Software Troubleshooting, and Operational Procedures. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics. This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

You’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is used to describe the depth or complexity of a learning outcome, just as the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in the abstract, you may be asked to configure a subnet mask.

220-902 Objective 3: Security

A+ 220-802 covered Security in its own domain. It included prevention methods, security threats, securing a workstation, data destruction/disposal, and wired/wireless network security. The biggest change in this objective is the new topics that are covered (obviously because new security threats have emerged) and the inclusion of Windows OS security settings and securing mobile devices.

What’s changed? In A+ 220-902, Security now includes OS security settings. No big surprise: Windows is widely used, and securing it should be the top priority of anyone using it daily. This objective also includes mobile device security, which should also not be a surprise with the popularity of these devices increasing, particularly in enterprises.

3.1 Identify common security threats and vulnerabilities. – From Objective 3, subobjective 2 in the old 220-802. The wording changed to “Identify” from “Compare and contrast,” which affected the Bloom’s level by moving up to the application level. New topics were added:

  • Malware – Revised to include spyware, viruses, worms, trojans, and rootkits under a single bullet with ransomware being a new entry.
  • Spear Phishing – added
  • Spoofing – added
  • Zero day attack – added
  • Zombie/botnet – added
  • Brute forcing – added
  • Dictionary attacks – added
  • Non-compliant systems – added
  • Violations of security best practices – added
  • Tailgating – added
  • Man-in-the-middle – added

3.2 Compare and contrast common prevention methods. – From Objective 3, subobjective 1 in 220-802. The wording changed to “Compare and contrast” from “Apply and use,” which affected the Bloom’s level by moving down to the comprehension level. These new topics were added:

  • Physical security 
    • Mantrap – changed from Tailgating in the 220-802 to more accurately reflect the actual preventive control
    • Cable locks – added to the Physical security section
    • ID badges – changed from Badges in the 220-802 to more accurately reflect the preventive control
    • Smart card – added to the Physical security section
    • Tokens – changed from RSA tokens in the 220-802 to more accurately reflect the preventive control
    • Entry control roster – added to the Physical security section
  • Digital security
    • Antivirus/Antimalware – added Antimalware to the Digital security section
    • Multifactor authentication – added to the Digital security section
    • VPN – added to the Digital security section
    • DLP – added Data loss prevention (DLP) to the Digital security section
    • Disabling ports – added to the Digital security section
    • Access control lists – added to the Digital security section
    • Smart card – added to the Digital security section
    • Email filtering – added to the Digital security section
    • Trusted/untrusted software sources – added to the Digital security section
  • User education/AUP – Acceptable Use Policy (AUP) added


Transcender developers discuss the behind-the-scenes development strategy for practice exams

January 17, 2013 at 9:55 am | Posted in Microsoft, Transcender news, Uncategorized, Vendor news | Leave a comment

Our partners at Global Knowledge recently sat down with several members of the Transcender practice test development team — specifically George, Aima, and Josh — and picked our brains about “how their practice exams are developed and how they have evolved to keep up with changes coming from Microsoft. In the end, we learned that there are major challenges in writing practice exams that accurately reflect and teach students important exam concepts, Microsoft is moving towards more open standards, and customer feedback is crucial to developing and evolving Transcender practice exams.”

You can read the entire article here on the Global Knowledge blog: The Evolution of Microsoft Certification Practice Exams.

OData, Oh My!

March 30, 2011 at 1:05 pm | Posted in Microsoft, Technical Tips, Uncategorized | 1 Comment

Slogging through the .NET 4 certification path, I am happy to find Microsoft adopting even more open standards. As open standards become more popular, the ideal of developing application logic and ignoring the plumbing details seems like more of a possible reality. Well, a programmer can dream, right?

Anyway, one of these open standards is OData. WCF Data Services, formerly known as ADO.NET Data Services, uses the Open Data Protocol (OData) to expose data through addressable URIs, similar to REST (representational state transfer) services. OData supports both Atom and JSON (JavaScript Object Notation) formats for the payload.

Okay, so again, what is OData? It’s a simple HTTP mechanism for accessing data. For example, let’s say that I have an application and want to retrieve all titles provided by Netflix that contain the notorious actor Charlie Sheen. Using OData, you can just type in the following URL:$filter=Name eq ‘Charlie Sheen’&$expand=TitlesActedIn

If you are using IE, then you need to turn off feed reading view to see the results. Go to Internet Options and under the Content tab, click the Settings button in the Feeds and Web Slices section. Turn off reading view by unchecking the Turn on feed reading view checkbox.

Go ahead, try it. (Yeah, I forgot he was in Platoon, too.) What this query does is access the People set, filter it to a single actor and include the related Titles set. The $filter and $expand are keywords that limit entries and include related entries, respectively.

Let’s say that you like to listen to music while at work and want to retrieve all awesome live concerts available for instant streaming. Then, you would type a URL similar to this one:‘Must-See Concerts’)/Titles?$filter=Instant/Available eq true&$select=Name,Synopsis

In this case, we choose the Titles set from the Genre “Must-See Concerts.” Notice the $select keyword is used to limit the entry properties to only the name and synopsis.
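The two queries above, rebuilt with a small URL builder. This is an added example, not code from the original post or from WCF Data Services; the service root is a placeholder because the post’s own URLs were cut off. The point it adds is how a string value is rendered as an OData literal: an embedded single quote is doubled, so a value taken from user input cannot close the literal and tack its own comparison onto $filter.

```python
from urllib.parse import quote

# Placeholder service root (assumption): the post's own Netflix URLs were truncated.
BASE_URL = "https://example.invalid/odata/v2"

# Characters left unescaped inside a query option value; OData keeps these literal.
VALUE_SAFE = "'(),=/"


def odata_literal(value):
    """Render a Python value as an OData literal.

    Strings are single-quoted and every embedded single quote is doubled,
    which is the OData escape. Without it a value such as  x' or Name ne '
    would close the literal and append its own clause to $filter.
    """
    if isinstance(value, bool):  # check bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def eq_filter(prop, value):
    """Build one 'prop eq literal' clause for $filter."""
    return f"{prop} eq {odata_literal(value)}"


def build_url(entity_set, key=None, nav=None, filter_=None, expand=None, select=None):
    """Assemble <root>/<set>(<key>)/<nav>?$filter=...&$expand=...&$select=...

    The $ keywords stay unescaped; the option values are percent-encoded.
    """
    path = entity_set
    if key is not None:
        path += "(" + odata_literal(key) + ")"
    if nav:
        path += "/" + nav
    options = []
    if filter_:
        options.append(("$filter", filter_))
    if expand:
        options.append(("$expand", ",".join(expand)))
    if select:
        options.append(("$select", ",".join(select)))
    url = BASE_URL + "/" + quote(path, safe="/()'")
    if options:
        url += "?" + "&".join(k + "=" + quote(v, safe=VALUE_SAFE) for k, v in options)
    return url


if __name__ == "__main__":
    # The post's first query: one actor, with the related Titles set expanded.
    print(build_url("People", filter_=eq_filter("Name", "Charlie Sheen"),
                    expand=["TitlesActedIn"]))
    # The post's second query: titles in one genre, streaming only, two properties.
    print(build_url("Genres", key="Must-See Concerts", nav="Titles",
                    filter_=eq_filter("Instant/Available", True),
                    select=["Name", "Synopsis"]))
    # A hostile value stays a single comparison because its quote is doubled.
    print(eq_filter("Name", "x' or Name ne '"))
```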

Okay, enough hand-holding. Try it out for yourself. Netflix has some more examples and eBay even has its own OData implementation. So there’s the plumbing; I’ll let you move on to creating the applications!

TechEd 2010 New Orleans: First Impressions

June 8, 2010 at 8:53 am | Posted in Microsoft, Transcender news, Uncategorized | Leave a comment


Keynote band - great way to start a Monday!

We finally made it! We’re in New Orleans, enjoying the 100% humidity and I start to wonder if I will ever feel cold again. (This from the girl who never ventures from home without her sweater.) I can see the convention center from my hotel room, but that doesn’t mean that I actually enjoy the walk. And to have this Alabama girl complain about heat, you know it’s bad.

But so far, I have thoroughly enjoyed rediscovering this city. My family and I came here within a year after Hurricane Katrina hit, and the changes that have occurred are dramatic. This city is absolutely beautiful! Yesterday, we ate at the Grand Isle. I couldn’t get enough of the onion rings! Last night, we went to Mulate’s to savor some local flavor. I would recommend both to all my fellow TechEd attendees.

To kick off TechEd 2010, I took in the Keynote session. Just before the session, a zydeco band entertained the audience. The performers were great and threw in some old crowd favorites. They happened to  mention that they don’t usually do Monday mornings because Monday mornings are for recovering from the weekend. So, thanks guys!

The Keynote session was all about cloud computing, something that I have been hearing more and more about (even though some of it is a little out of my world). But as I started to understand it, I thought about its impact to the IT certification industry. A quick Internet search showed me that there are several cloud certifications out there from vendors such as Red Hat, 3Tera, and others. And I suspect that Microsoft will be entering that arena soon. Remember: you heard it here first, folks.

So what about interest in cloud certification? Are there any of our readers out there who would find value in this and perhaps pursue certification? We just want to know!

Tuesday is a busy day for me. And with the Women in Technology luncheon, I just won’t have any time to spend in our booth. But look for me elsewhere: just find the lady falling in an uncoordinated fashion.

Did you see me today?! Took a spill going from one session to another and felt like a complete idiot. Now I have a lovely bruise/scrape on my knee. I can be such a moron sometimes!
