Tech Support For Dummies


Thursday, 23 December 2010

Quick step-through of Metasploit Express

Posted on 13:19 by Unknown
I've been raving about the penetration testing tool Metasploit for a while. With the release of Metasploit Express earlier this year I'm even more pleased with all the efforts HD Moore and his team have put forth. Metasploit Express is a commercial product you'll have to pay for but to me it's well worth the investment. It's easier to use, it has nice reporting and more. All the things we need in today's world of junk security tools that just don't deliver.

In the event you haven't tried it out, here's a brief walk-through of some of the nice features and capabilities of Metasploit Express.

Screenshot: The main interface for a "project" provides access to hosts, sessions, reports, modules and tasks - the main sections of the app.

Screenshot: If your vulnerability scanner has found a specific vulnerability you can search for it in Metasploit Express to confirm there's an exploit module, as shown here.

Screenshot: You can then manually launch the exploit on your target host.

Screenshot: Once a vulnerability has been exploited and the payload delivered, you can gather evidence as shown here.

Screenshot: Or, you can just obtain a remote command prompt showing that you've compromised the host.

Screenshot: When all's said and done, you can kill your session, clean up the remnants and be done with it.

There are numerous other features within Metasploit Express that allow you to automate host discovery, the exploitation process and so on...just a bit much to cover in one blog post. Perhaps I'll cover that in detail in my next edition of Hacking For Dummies. :)

All in all, Metasploit Express is a security testing tool you shouldn't be without. It's a great way to "prove" those security vulnerabilities you discover are indeed a business problem.
Posted in cool products, metasploit, penetration testing, security testing tools, vulnerability assessments

Monday, 20 December 2010

Tips and tricks on e-discovery, forensics, and managing ESI

Posted on 14:44 by Unknown
Here are a few pieces I wrote and recorded for SearchCompliance.com on managing all that electronic data on your network that you're constantly drowning in...

Leaning on records management can take the angst out of e-discovery

Why you need to create an ESI strategy (webcast)

Why you need to create an ESI strategy (podcast)

What is computer forensics technology? Does it help compliance?
Posted in compliance, data retention, ediscovery, forensics, Kevin's security content

Possible bomb at Newark, ratchet up security!!??

Posted on 05:26 by Unknown
I heard a news story this morning about the possible bomb that was found at Newark Airport. The reporter went on to say that TSA is "ratcheting up security" and searching bags with more scrutiny in the event the threat is real.

What I want to know is (and can't seem to find the answer to): why is it we "ratchet up security" when such a threat is detected rather than putting controls and processes in place that allow us to remain vigilant at all times?

So, we see a threat, we scurry to lock things down, and a few minutes or weeks later (or years in the case of the 9/11 attacks) we get back into our old complacent ways. I wrote about this phenomenon earlier this year in this piece for Security Technology Executive magazine:

Don't lose sight of what's important

...I just don't get it.
Posted in business case for security, government regulations, incident response, security leadership, stupid security

Sunday, 19 December 2010

MS Exchange security + hacking and hardening SQL Server

Posted on 14:30 by Unknown
Here are some new articles I've written for TechTarget that you may be interested in:

Nine Exchange server risks you don’t want to overlook

Ten hacker tricks to exploit SQL Server systems (an oldie that I recently updated)

Do you need to harden SQL Server 2008 R2?

Enjoy!
Posted in database security, ethical hacking, exchange, Kevin's security content, penetration testing, sql server, vulnerability assessments

Wednesday, 15 December 2010

This woman "did not have a plan B", do you?

Posted on 10:15 by Unknown
Watch this intense video of the psycho at the Florida school board meeting firing at the superintendent who supposedly signed the papers leading to his wife losing her job.

Shows that you've always got to have an escape route. Be it with information security, driving down the road, or attending a meeting such as this.

Of course, this was a situation in a government school building where only the criminals can have guns. Zero tolerance at its finest. I'm just glad everyone else in the room was (relatively) unharmed.
Posted in government regulations, scary stuff, stupid security, zero tolerance

Monday, 13 December 2010

Metrodome collapse video: nothing's really secure

Posted on 06:04 by Unknown
Check out this video of the Metrodome collapsing over the weekend. Let this be a reminder that no matter:
  • how much engineering goes into a system
  • how much attention to detail the contractors pay during construction
  • how much insurance coverage you have
  • how detailed and "water tight" your contracts are
  • how many fail-safe features are available "just in case"
...that bad things can and will happen. Be it in a building or on your network there's no guarantee of safety and security.

The real question is: what are you doing today to prepare for such an event? How are you going to respond rather than react when something does happen so you can minimize the impact to your business? The clock's ticking.
Posted in business continuity, incident response, scary stuff, security leadership, stupid security

Friday, 10 December 2010

Canon's digital camera image originality not so original

Posted on 08:17 by Unknown
How's this pic for an attention grabber?!

Well, the folks at Elcomsoft have done it again. This time they've discovered a vulnerability in Canon's Original Data Security system demonstrating that digital image verification data can be forged. Apparently Canon has yet to respond.

Why is this a big deal? Well, it's impactful for the media, for forensics investigators, and for those of us in infosec as digital images are used in many aspects of what we do.

Don't test the authenticity of this Einstein photo since the original "hacked" version has been modified by me uploading it to Blogger. However, some originals are here. Dmitry Sklyarov's presentation covers all the technical details behind the discovery. Very interesting stuff.

Also, if you're not familiar with Elcomsoft's tools, you've got to check them out. Lots of neat stuff written by a group of sharp people who are helping to drive security in ways that affect practically every aspect of business and lives...especially with this discovery.

Fingers crossed waiting for them to write software involving homes and automobiles one day! That's the next frontier of infosec of which we've just cracked the surface.
Posted in car hacking, cool products, encryption, hacking, passwords

Thursday, 9 December 2010

The WikiLeaks lack of security responsibility & mental disorder connection

Posted on 07:05 by Unknown
Last week I wrote out some talking points in preparation for a TV interview with the Canadian Broadcasting Corporation on the WikiLeaks issue and what businesses can do to keep their information secure. At the last minute they ended up not doing the segment so I thought I'd post my perspective here:
  • The leaks are not the problem – it's the choices and all the events that lead to information being exposed that need the attention. Surprisingly, we're not hearing much about that.
  • Certain fundamental aspects of information security like business need to know, data classification, and separation of duties are often ignored OR they're mired in a wealth of complexity and bureaucracy to the point where they cannot be enforced or they just don't work at all.
  • Government agencies and people have been trying to keep secrets for centuries…arguably since the dawn of time. We're just experiencing a new means of keeping secrets and subsequent exposure.
  • The issue we're now facing is information systems complexity. Be it inside government agencies or in businesses, computer systems, applications, and all the hands in the pie create a scenario whereby it's virtually impossible to ensure that everything of value is secure ALL the time. A fundamental principle of information is that it wants to be free. That, and the fact that the same electronic asset can be in multiple locations at the same time, has created a monster that can be difficult to tame if you don't go about it the right way.
  • You cannot simply classify ALL of your electronic assets as “sensitive” or “critical” like what many people are accusing government agencies of doing – if you do, then it negates most of the benefit.
  • Just because someone has passed a background check, obtained a security clearance, or had glaring references doesn’t mean they’re NOT going to do something bad moving forward…it may also mean they just haven’t gotten CAUGHT.
  • As long as human beings are involved in the process, there will continue to be information risks to government agencies and businesses alike.
  • There’s a fundamental issue here that’s come into play in so many situations – mostly in business: INACTION. Management is out of the loop, users don’t want to be inconvenienced, and many people just keep their heads in the sand.
  • There's a three-step solution to keeping information secure:
  1. Know what you’ve got and where it’s located
  2. Understand how it’s at risk
  3. Do something about it by putting reasonable and measurable controls in place to keep things in check. Okay, maybe a step four: be very careful what you store electronically!
  • Even with all the security controls like tracking suspicious behavior and blocking people from downloading sensitive material to thumb drives and external hard drives there’ll ALWAYS be a way around it.
  • I suspect this data leakage problem will only get worse.
And finally, a few more personal points of view I just thought of. President Obama has created a new position to investigate the leaks…I say, Mr. Obama why not just ask government agencies why they’re not following their own rules?? Bigger government certainly won’t help the matter…

Furthermore, it's obvious Julian Assange is no fan of our country and wants to weaken the U.S....presumably for the same reason so many other people around the world want to weaken us as well. Don't get me wrong, I'm all for freedom of speech, transparency in government and so on. I'm just going about it from a different angle. It is funny how such activists promote "democracy" and rail against censorship while at the same time the politicians they support want to silence anyone who disagrees with their viewpoints.

It's a complex world we live in.
Posted in data leakage, government regulations, personal responsibility, politics, privacy, scary stuff, security leadership, stupid security

Wednesday, 8 December 2010

Are terrorists hanging out at Wal-Mart or something?

Posted on 07:17 by Unknown
Our Imperial Federal Government is at it again with Homeland Security's new "videos" coming to a Wal-Mart near you. Do they have "intelligence" on Islamic terrorists casing our local Wally World parking lots or something? OK, probably not...they're likely just trying to get the word out to the dumb masses.

Unbelievable stuff people...Let's just sit idly and let this government intrusion nonsense continue in support of the Islamic terrorists' ultimate goal.
Posted in government intrusion, government regulations, personal responsibility, privacy, scary stuff, stupid security

Monday, 6 December 2010

Unbelievable #s in the new Billion Dollar Lost Laptop Study

Posted on 07:28 by Unknown
I spent last Thursday in San Francisco at a press briefing held by Intel's Anti-Theft Technology group regarding the new Ponemon Institute Billion Dollar Lost Laptop Study. Larry Ponemon's study found that businesses are losing billions of dollars through lost and stolen laptops - something I wrote about three years ago...and a problem that's been around even longer.

Malcolm Harkins (Intel's CISO), Anand Pashupathy (GM of Intel's Anti-Theft Services), Larry Ponemon (Founder of the Ponemon Institute) and I had a lively discussion on the findings of the study, why we have this problem, and what it's going to take to stop it.

I still shake my head when I see businesses ignore such a high-payoff security control.

Here's some press coverage for your reading enjoyment...check out what the reporters involved in the briefing had to say. The numbers are crazy and can be a great resource for finally getting some support for laptop encryption and related security controls. It's arguably some of the most important stuff affecting infosec today.

Wall Street Journal: Intel-Backed Study Tallies Laptop Losses

InfoWorld: Corporate America's lost laptop epidemic

eWeek: Intel: Failing to Protect Laptops Cost Companies Billions

The Register: Intel reveals 'the billion dollar lost laptop problem' - Chipzilla's plan to rescue $bns spent on McAfee

CRN: Intel Says Businesses Must Do More To Protect Their Mobile PCs

VentureBeat: The Wikileaks wake-up call: Lost or stolen laptops cost corporations $2.1 billion per year
Posted in drive encryption, intel, Kevin's seminars, laptop encryption, laptop security, mobile security, personal responsibility, policy enforcement, politics, security leadership, stupid security

Monday, 29 November 2010

The best way to survive an accident

Posted on 06:22 by Unknown
In life and in business I truly believe there are no accidents, just bad choices. This reminds me of a Lexus commercial I saw a while back that touted how safe their vehicle was. The announcer said "The best way to survive an accident is to avoid it in the first place."

Regardless of what you believe about accidents, we do have to look at information security this way. Such avoidance means being proactive and putting forth the effort to do what's right rather than wait until something goes awry. Funny how so many things outside of the security realm can be tied back to security.

While we're on the subject, here are a few bits I've written about computer security incident response in case you're interested.
Posted in business continuity, incident response, personal responsibility, security leadership, stupid security

Tuesday, 23 November 2010

Windows and Linux management tips and tricks

Posted on 17:34 by Unknown
From Windows to Linux - desktops to mobile devices - here are some recent pieces I've written for TechTarget that you may be interested in:

Devise a Windows XP end-of-life strategy before migrating to Windows 7

Troubleshooting Windows 7 with built-in tools and online resources

Securing the new desktop: enterprise mobile devices

Common Linux Security policy management gaps
Posted in desktop management, Kevin's security content, Linux, mobile security, policy enforcement, security policies, Windows, Windows 7, windows security

Stop all Wi-Fi deployments!

Posted on 06:29 by Unknown
A study in the Netherlands has found that Wi-Fi radiation will eventually result in the death of parts of tree leaves. Yep, take those access points and put them 20 inches from trees and let the killing begin. Seriously!?

Who's putting their access points that close to trees? Why are people even studying something like this? Apparently the "global warming" crowd is up to it again...I'm just glad those were Dutch tax dollars and not mine. :)
Posted in global warming, stupid security, wireless

Friday, 19 November 2010

Just how much control are we willing to have forced upon us?

Posted on 06:49 by Unknown
It's been an interesting and truly scary news week in the "good old" U.S. of A. Think about this stuff folks:
  • A Democrat congressman in charge of the House Ways and Means Committee with jurisdiction over taxes gets reprimanded for not paying taxes
  • A judge is busted for buying drugs to use with a stripper
  • San Francisco banning circumcision and toys in Happy Meals
And, of course, TSA minions doing things like giving three year olds invasive searches (at the same time our own enemies are allowed through because profiling is "insensitive") ...I suppose these government employees don't care...after all, they have very little to lose in their work because TSA agents are apparently immune from prosecution.

...and now, this: The US Secretary of Transportation Ray LaHood wants cars to include scrambling technology that would disable cell phone use by drivers and perhaps passengers. Wow...when is the control going to end!?

What is the United States coming to!? I think most people know the answer. Unfortunately our priorities aren't straight because of one tremendous flaw in how we think and live.

When are we going to stand up as a country and tell our government not just no, but Hell No! on everything they're trying to push on us? Enough is enough...

Here's a good piece from a man who really understood what's going to sum this all up:
All tyranny needs to gain a foothold is for people of good conscience to remain silent. -Thomas Jefferson
Posted in government regulations, great quotes, information security quotes, message from Kevin, personal responsibility, scary stuff, stupid security

Tuesday, 16 November 2010

Becoming a more refined Web security expert

Posted on 05:47 by Unknown
Here are some recent pieces I've written on Web application security and testing that you may be interested in. From getting started in your career to cloud security to doing Web application security testing the right way...check 'em out:

The secrets to getting started in your software testing career

Four skills that will make you a better web security professional

Building solid security requirements

Security oversights in the cloud: Asking the tough questions

Why current application security measures fail
Posted in careers, cloud computing, Kevin's security content, penetration testing, security assessments, web application security

Thursday, 11 November 2010

Internet Password Breaker - yet another reason to encrypt your laptops

Posted on 08:02 by Unknown
Elcomsoft just released their new version of Elcomsoft Internet Password Breaker which now supports Chrome, Opera, Safari and Firefox. In essence the program can recover passwords, sensitive form data and so on that users have conveniently stored in their browsers for the past, oh, several years. Furthermore, the tool can now instantly recover Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail account info, user IDs, passwords and cached forms.

Here's a screenshot of the new version 2.0:

Using the tool is as simple as loading it up, selecting which browser or other type of account you want to recover sensitive information from and you're off. It's that easy.

Looking at this from a malicious user's perspective, imagine the damage that can be done when just one seemingly benign laptop is lost or stolen and happens to be completely exposed because its hard drive is not encrypted. Ugly stuff folks.

Looking at it from the opposite perspective, Elcomsoft Internet Password Breaker can really get you out of a bind when you make some sort of bonehead move like I've done before (like "accidentally" deleting your browser history) and need to recover your own information.

Either way, it's a good tool to have in your security or forensics toolbox.
Posted in cool products, drive encryption, forensics, laptop encryption, mobile security, security tools, vulnerability assessments

Wednesday, 10 November 2010

The fundamental flaw of information security in SMBs

Posted on 05:20 by Unknown
Here's a good piece that Entrepreneur Magazine put together for SMBs to ensure they have a secure information systems environment. I don't disagree with any of the recommendations. What I do find interesting is that there's no mention of "determine where you're weak".

Be it in the beginning before you put all of the recommended controls in place (and potentially saving yourself a lot of time/money if it's determined you don't need certain types of controls) or after everything is established - you absolutely have to assess where things stand.

You know my feelings on this: You cannot secure what you don't acknowledge. Building out a supposed secure infrastructure is only one piece of the puzzle. Basic controls are just the beginning.

That's the fundamental flaw with information security today - especially within SMBs...Owners and managers of SMBs read these recommendations, put their strong firewalls and passwords in place, and leave it at that. Months or years go by and then something bad happens: an employee breach, external hack, malware attack, you name it. All along these very people had no real sense of how secure or insecure their systems really were. Don't follow their lead.
Posted in security leadership, security technologies, small business, SMBs, stupid security

Tuesday, 9 November 2010

Some things you need to know about Windows Firewall & Microsoft Security Essentials

Posted on 07:09 by Unknown
Here are a couple more pieces I wrote for SearchEnterpriseDesktop.com where I ponder the utility of Windows Firewall as well as a few things you may not have thought about regarding Microsoft Security Essentials:

Weighing Windows Firewall for enterprise desktop protection

Microsoft Security Essentials may protect non-enterprise users in your business

Microsoft Security Essentials – when it may not be a good fit
Posted in end point security, firewalls, Kevin's security content, malware, windows security

My (belated) thoughts on Intel's purchase of McAfee

Posted on 05:05 by Unknown
I've been so busy working that I've failed to post some timely pieces I wrote over the summer...here's one of them:

Intel's McAfee buy marks a turning point for security

I truly believe we cannot even fathom how this acquisition will impact us long term.
Posted in end point security, Kevin's security content, vendors

Windows 7 security tools & password weaknesses

Posted on 04:59 by Unknown
Here are some recent SearchEnterpriseDesktop.com pieces I wrote regarding Windows 7 security...enjoy!

Using Windows 7's built-in features to keep your desktops secure

Windows 7 doesn’t end the need to monitor passwords

Posted in Kevin's security content, passwords, security tools, Windows 7, windows security

Thursday, 4 November 2010

Interesting findings from Venafi on encryption management

Posted on 16:59 by Unknown
Information security vendor Venafi released a survey at the October Gartner show that has some interesting findings related to encryption management:
  • Organizations anticipate a 27% year-over-year certificate and key inventory growth rate
  • 85% of organizations manage encryption certificates and private keys manually via spreadsheet and reminder notes
  • 78% of organizations have experienced system downtime due to encryption failures in the past 12 months
Given what I see in my information security assessments - how many in IT often struggle to find newer ways of managing and securing their environment - none of this surprises me. It's often home-grown solutions sticking around, the general perception that policies can be enforced and processes can be followed without the right technologies in place and a general lack of leadership in/around IT.

Still interesting insight from the survey nonetheless...apparently there's still some room for improvement - even with something as niche (given the big picture) as encryption management.

Apparently Venafi is conducting an extended encryption management survey to dig even deeper on this data. Might be worth checking out to see how your organization compares.
Posted in encryption, security statistics, vendors

Using GFI LANguard to find open network shares

Posted on 11:05 by Unknown
Have you seen what your users are sharing up on your network? What about your server shares - are they divulging too much PII and intellectual property to any Joe Blow on the network?

Outside of mobile security (smartphone weaknesses, lack of laptop encryption, etc.) the problem of unstructured information scattered about the network is a very predictable high priority finding in any given security assessment.

The reality is you cannot secure what you don't acknowledge. How do you know what's in your environment just sitting there for the taking? You could very well have experienced an internal data breach and not know anything about it.

Enter GFI LANguard.

I've used LANguard for years to uncover open shares on networks and it works just dandy for this purpose.

Do yourself a favor and download the trial version of LANguard and run the share finder tool in your environment to see just what's being shared out - and exposed. It's as simple as the following:
  1. Select Launch Custom Scan
  2. Select Network & Software Audit
  3. Select the Share Finder profile
  4. Select Scan a range of computers or Scan a domain or workgroup and enter your network information
  5. Enter the login credentials of a basic user representative of most domain users in your environment
  6. Select Scan and let the tool do its thing
  7. Once complete, select Analyze scan results
  8. Select Results Filtering (upper left)
  9. Select Open Shares (middle left)
  10. Scroll down and look* for shares with permissions granted to BUILTIN\Users or Everyone
  11. Log in to the network with the basic user credentials from above and see what you can see. I've found both FileLocator Pro and Identity Finder to work very well for rooting out sensitive information. I also recommend manual browsing for files/content/context that automated tools may have trouble uncovering.
That's it!
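The check in steps 10 and 11 above, and the per-group filter wished for in the footnote, as an added PowerShell example (not part of the post and not GFI LANguard code): it lists the SMB shares on the local Windows host, flags share ACL entries that allow a set of broad principals (Everyone, BUILTIN\Users and Authenticated Users by default, which you can narrow to the groups you care about), and checks whether the NTFS ACL on the folder behind each share also grants those principals access, since effective access is the intersection of the two. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and that it runs on the host being audited.

```powershell
# Added example, not from the post or from GFI: audit local SMB shares for broad access.
# Requires the SmbShare module (Windows 8 / Server 2012 and later) and local admin rights
# to read every share's ACL.

function Find-OpenShare {
    [CmdletBinding()]
    param(
        # Principals treated as "open"; narrow this list to audit specific groups only
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'),
        # Administrative shares (C$, ADMIN$, IPC$) are skipped unless asked for
        [switch]$IncludeAdminShares
    )

    $shares = Get-SmbShare | Where-Object { $IncludeAdminShares -or -not $_.Special }

    foreach ($share in $shares) {
        # Share-level ACL: only Allow entries for the broad principals are of interest
        $shareAces = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName }

        if (-not $shareAces) { continue }

        # NTFS ACL on the folder behind the share; a share ACL alone does not tell the whole story
        $ntfsAces = @()
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            try {
                $ntfsAces = (Get-Acl -LiteralPath $share.Path).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   $BroadPrincipals -contains $_.IdentityReference.Value }
            } catch {
                Write-Warning "Could not read NTFS ACL on $($share.Path): $_"
            }
        }

        foreach ($ace in $shareAces) {
            $ntfsForPrincipal = $ntfsAces | Where-Object { $_.IdentityReference.Value -eq $ace.AccountName }
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                ShareName     = $share.Name
                Path          = $share.Path
                Principal     = $ace.AccountName
                ShareAccess   = $ace.AccessRight                       # Read, Change or Full
                NtfsRights    = ($ntfsForPrincipal.FileSystemRights -join ', ')
                # Access is effective only when both the share ACL and the NTFS ACL allow it
                EffectiveOpen = [bool]$ntfsForPrincipal
            }
        }
    }
}

# Usage: every share reachable by the broad groups, effectively open ones first
Find-OpenShare | Sort-Object EffectiveOpen, ShareAccess -Descending | Format-Table -AutoSize
```

Run it across a fleet by wrapping the call in Invoke-Command against your server list; the rows with EffectiveOpen set to True are the shares to fix first.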

I cannot stress enough that sensitive files readily-accessible on open shares is one of the greatest risks on your network. It's screaming for your attention right now. So track down your open shares, set permissions on a need to know basis or remove the shares altogether, and get your arms around this beast before it grows even larger.

*I wish LANguard had the ability to filter down into open shares even further by only showing shares that are open to specific groups or users that you specify. It's a hassle to have to manually sort through things... Hint, hint. :)
Posted in cool products, security testing tools, unstructured information, vulnerability assessments, windows security

Wednesday, 3 November 2010

Let the smoke (and mirrors) clear

Posted on 04:43 by Unknown
Finally, some hope and change we can believe in!

But not so fast...a quick note to all the Republicans out there: you didn't get voted in because people are embracing you...people are just tired of seeing the Democrats' lack of principles and leadership - not to mention their taking money (by force) from the people who earn it and giving it to those who don't deserve it - undermining and effectively destroying what our country is all about.

I still go back to the Margaret Mead quote I posted yesterday: "It may be necessary temporarily to accept a lesser evil, but one must never label a necessary evil as good."

The next two years will certainly be interesting...
Posted in government regulations, great quotes, message from Kevin, personal responsibility, scary stuff

Tuesday, 2 November 2010

Today is the day

Posted on 06:54 by Unknown
Today is the day we get a chance to vote for more government or less government.

Today is the day those of us in America can begin to stop the bleeding we've been experiencing since January 20, 2009. Technically, for decades.

Today is the day we're empowered to remind the career politicians around our country that we the people are in charge. Not them.

Today is the day we stop giving up little liberties to gain a little security...otherwise, as Benjamin Franklin said: we'll "deserve neither and lose both".

We can't stop today, though...Otherwise we'll continue with the mess that power-hungry politicians (Democrats and Republicans) have left us with to this point. Like Margaret Mead said "It may be necessary temporarily to accept a lesser evil, but one must never label a necessary evil as good." Remember that today and in 2012.

Something has to change long term if we're going to continue to thrive in America as intended by our Founding Fathers. As you go out and vote today, remember what George Orwell once said: "If liberty means anything at all, it means the right to tell people what they do not want to hear."
Posted in government regulations, great quotes, message from Kevin, scary stuff

Friday, 29 October 2010

The business side of Web security (you can't afford to ignore)

Posted on 04:47 by Unknown
Here's a new piece I wrote about the *other* aspects of Web security beyond the bits and bytes...Don't let this stuff catch you off guard.

Preventing phishing attacks is not just a technical issue
Posted in Kevin's security content, phishing, security committees, security leadership, security operations, web application security

Wednesday, 27 October 2010

Talk about old school...

Posted on 13:33 by Unknown
I recently came across a Web site I was creating an account for which stated the following for its login requirements:

Your user name & password must consist of letters in all caps 4-7 characters in length.

Too funny...
Posted in humor, ridiculous password requirements, stupid security, web application security

Monday, 18 October 2010

AppDetectivePro v7 worth checking out

Posted on 17:06 by Unknown
Have you checked out Application Security's (somewhat) new AppDetectivePro version 7? Have you even heard of AppDetectivePro? If not, it needs to be on your radar. It's a powerful database vulnerability scanner that can perform both unauthenticated penetration tests as well as authenticated audits of SQL Server, Oracle, MySQL, DB2, Notes/Domino and Sybase (wow) systems. A screenshot of a penetration test of an Oracle 11g-based system is shown below:

AppDetective is a tool that I've relied on for years to help with database security assessments. The price per database instance is pricey but it's worth it. I've found that the results are very similar when running it on similar systems so one scan per platform may be enough to get by with as long as you implement the same changes on like systems across the board.

Probably the biggest improvement with AppDetective Pro version 7 is the User Rights Review shown below:

User Rights Review allows you to run reports on effective role and user permissions for a specific database. That's big in today's world of big government and big regulation. I'm not surprised at its utility, however, since reporting is one of AppDetectivePro's strong suits - pleasing compliance managers, auditors, and regulators from sea to shining sea for years.

The bad news (not necessarily related to the new version 7) is that I recently lost about 5 hours of my life troubleshooting a problem with AppDetectivePro that should've been readily-accessible in the documentation or online knowledgebase. In essence, a SQL Server system I was testing was running in shared memory mode and had TCP/IP disabled. Running the tool on the same SQL Server box still yielded a big fat nothing until a level 2 support person helped me get to the bottom of the problem.

Overall, AppDetectivePro is still the most comprehensive and recognized database vulnerability scanner. It's definitely worth checking out. As for SQL Server 2008 R2 support (a biggie in my book), I checked with the folks at Application Security about a month ago, and according to their site today, there's still no support for it, but I suspect that'll come soon as more clients demand it. Furthermore, the name of the product doesn't really reflect what it does (databases, not apps, although it used to perform basic Web app scans)...but, hey, now you know, right?
Posted in cool products, database security, penetration testing, security testing tools, vulnerability assessments | No comments

Is this quote one of the contributing factors to lax infosec?

Posted on 05:12 by Unknown
Novelist Robert Heinlein once said "In the absence of clearly-defined goals, we become strangely loyal to performing daily trivia until ultimately we become enslaved by it."

I suspect this is a large contributing factor to the lack of information security - and subsequent data breaches - in business today.

Feel like you need a jump start on goal setting? Check out this piece I wrote on the subject:

Eight steps to accomplishing your IT career goals
Posted in goal setting, great quotes, incident response, information security quotes, personal responsibility, security leadership | No comments

Monday, 11 October 2010

Got compliance? Here are some tips for moving ahead.

Posted on 05:39 by Unknown
Tired of "compliance"? Me too. But, it's still one of those necessary (arguably sometimes unnecessary) evils we must deal with in business today.

Here are some new pieces I've written for the fine folks at SearchCompliance.com that will hopefully be of some benefit to you and your business:

Priorities for your sound regulatory compliance management policy

Put compliance management back into server virtualization

Achieving compliance is about more than secure data encryption

What compliance professionals shouldn't do after data breaches

Can mobile device security include risk management and compliance?

....and finally, any discussion on compliance wouldn't be complete without talking about THE approach we need to take to any security/compliance project: risk management. Here's a bit I wrote about metrics you can use to ensure your efforts aren't in vain.

Using metrics to enhance information risk management

For further reading on all the fun things about compliance check out my compliance resources page.
Posted in compliance, encryption, government regulations, incident response, metrics, risk analysis, security management, security policies, virtual machine security | No comments

Wednesday, 6 October 2010

911, what's your emergency?

Posted on 10:16 by Unknown
There's a saying: when seconds count, the police are only minutes away. Maybe yes, maybe no - and like I just experienced, sometimes they may not care at all. Let me explain...

Have you ever been driving down the road and witnessed someone driving completely erratically to the point where you think "WOW, that person is going to cause a wreck, soon." Well, I was out for a leisurely drive in a nearby town and was unfortunately the near-recipient of such a wreck by a gotta-have-it-now-the-world-revolves-around-me-probably-hopped-up-on-meth-idiotic driver....not once but twice! Yep, within a matter of about 4 minutes I nearly got nailed by this person TWO times.

It appeared the older lady (mid-to-late 60s) in a ~2005 Buick Regal, license plate number (ah, never mind), was either intoxicated OR on a suicide mission. I thought to myself, I've got to call the police and tell them about this woman....I survived her but that doesn't mean everyone else will.

So I called 911 - presumably the City of Cartersville, GA Police 911 center since I was driving right by their headquarters building when I called. I gave them some very basic info, and started to fill the operator in on some more details they probably could've used. Instead, the 911 operator I spoke with said thanks, cut me off, and went on her merry way. Yep, I heard a click....I said uh, eh, ah, oh...and there was nothing. Phone line was dead. Our government at work! I know 911 call centers have to be succinct and not tie up their...and sure, this wasn't an emergency, yet. But come on.

Keep this in mind everywhere you are - in the car, at home, and at work - for at the end of the day the police have no obligation to protect us (really); therefore we must fend for ourselves.
Posted in personal responsibility, physical security, policy enforcement, scary stuff, stupid security | No comments

Monday, 4 October 2010

Beware of the oversights w/default policies in Web vuln scanners

Posted on 11:15 by Unknown
I just ran some Web vulnerability scans against an app I'm testing using a couple of default/benign scan policies. Nothing big turned up. I re-ran the scan using a full scan policy that checks for everything and the new MS10-070 ASP.NET padding oracle vulnerability reared its ugly head...BIG difference in the outcome.

Keep this in mind when checking for Web security flaws with your automated scanners and never ever completely rely on their results. You can't live without them but they're only ~50% of the solution.
Posted in automated scanner oversights, penetration testing, vulnerability assessments, web application security | No comments

Thursday, 30 September 2010

Elcomsoft's new Phone Password Breaker now supports the BlackBerry

Posted on 03:10 by Unknown
Elcomsoft's neat iPhone Password Breaker tool that can crack iPhone backup passwords just got 100% better. Now it's called Phone Password Breaker and supports BlackBerry backups. Nice.

Combine such a tool with all the open shares and unstructured data scattered about the average network and you've got a pretty serious problem on your hands. That is unless you're using the tool in a security assessment and demonstrating the continued risks smartphones represent in the enterprise.

Phone Password Breaker can crack password-protected iPhone, iPad and iPod Touch backups and decrypt encrypted BlackBerry backups. Like some of its sister products the tool can utilize GPU acceleration - something that can prove very beneficial when you only have a relatively short period of time to obtain your results.

The Pro version costs $199 and the Home edition is less than half that. Not bad given the value it can bring. Kudos to Vladimir Katalov and his team - yet another great security/forensics tool we can all benefit from. Check it out.
Posted in cool products, ethical hacking, passwords, security testing tools | No comments

Tuesday, 28 September 2010

In the unlikely event you experience a security breach...

Posted on 15:19 by Unknown
If you've experienced a data breach - or, if you're into thinking long term, want to plan ahead in the event one does occur - here's an Entrepreneur Magazine bit from a PR specialist on how to handle a crisis.

It doesn't have to be difficult but you can pretty much bet it will be if you don't have a plan. For further reading, here are some pieces I've written about information security incident response.
Posted in incident response, personal responsibility, security leadership, thinking long term | No comments

Don't believe the hype

Posted on 12:00 by Unknown
In this piece, fellow SearchEnterpriseDesktop.com writer Mike Nelson does a good job railing against vendor FUD. His content ties right into my thoughts on all the IT and security marketing fluff we're exposed to. It's nuts.

If you do anything, educate yourself on the basics before going in - before you buy any product or service...With Google, Bing, and all the good resources out there it's relatively simple to learn the essentials. Armed with just enough of the basics you'll at least be able to call b.s. when the sales weasels' audacity of hype gets out of line.
Posted in marketing hype, stupid security | No comments

Cybersecurity Act of 2009 - It's great for government growth!

Posted on 05:41 by Unknown
You may already know how I feel about our out-of-control government. Well, here's a new piece I wrote about the Cybersecurity Act of 2009 - legislation that'll make your head spin.

Why the Cybersecurity Act is better for government than business

In subsequent edits to this article I had added some material on the new Lieberman-Carper-Collins legislation Protecting Cyberspace as a National Asset Act of 2010 (a.k.a. Senate Bill 3480) that didn't make the final cut. So, I'm going to write a follow-up article on that. Stay tuned...

Bottom line: We've got to wake up to the reality of what's happening to the U.S. - and the world - in the name of government control - silent (and not so silent) tyranny...It's all happening right before our eyes.
Posted in compliance, cybersecurity bill, government regulations, Kevin's security content, scary stuff, stupid security | No comments

New Windows identity & access management resources

Posted on 02:01 by Unknown
Here are some new pieces I wrote for SearchWindowsServer.com on Windows IAM - pros, cons, and considerations:

Are identity and access management payoffs worth the fuss?

The compliance benefits of Windows identity and access management

Six ways to improve identity and access management (IAM) for Windows

Finding the value in Microsoft Forefront Identity Manager 2010

Enjoy!
Posted in change management, identity access management, Kevin's security content, security management, Windows | No comments

Monday, 27 September 2010

Got VoIP? Better make sure it's secure.

Posted on 09:29 by Unknown
Given that VoIP has been around for more than 10 years, it's hard to find a business where it's not running in some capacity. I do find it interesting how many network managers aren't too concerned about the security of VoIP. People say things like "It's on the inside of the network", "It's running on a separate VLAN", and "We're PCI and HIPAA compliant but there's nothing of significance being sent over the wire with VoIP". Interesting.

Here's a new story about VoIP hackers getting sentenced to prison - proof, to me, that people out there want your systems, your minutes, your bandwidth and beyond.

There are numerous ways to exploit VoIP from poorly-secured call manager interfaces to network traffic and beyond. For example, Cain & Abel provides a simple way for a malicious insider to turn your Ethernet switches into hubs and capture/playback VoIP traffic. VoIP Hopper can help those where VLAN segmentation gets in their way. I go into VoIP hacking in detail in Chapter 13 of my book Hacking For Dummies, 3rd edition. For further reading check out these pieces that I've presented on VoIP security.
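From the defender's side, the switch-to-hub trick mentioned above (ARP cache poisoning) leaves a signature you can watch for on the voice VLAN: an IP address whose MAC binding suddenly changes, and a single MAC claiming several addresses at once. The following is an added Python example of that check run over a constructed set of ARP reply records; it is not code from Cain & Abel, VoIP Hopper or the book, and the addresses, the record format and the `analyze_arp` function are all assumptions for illustration.

```python
"""Flag ARP cache poisoning indicators on a VoIP VLAN (constructed example)."""
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer on a span port might log them:
# (seconds, sender IP, sender MAC). 10.10.20.1 is the voice gateway and 10.10.20.50
# an IP phone; 00:aa:bb:cc:dd:ee is a third station that starts claiming both.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.10.20.1", "00:11:22:33:44:01"),
    (0.5, "10.10.20.50", "00:11:22:33:44:50"),
    (1.0, "10.10.20.1", "00:11:22:33:44:01"),
    (2.0, "10.10.20.1", "00:aa:bb:cc:dd:ee"),   # gateway address now claimed by another MAC
    (2.1, "10.10.20.50", "00:aa:bb:cc:dd:ee"),  # phone address claimed by the same MAC
    (3.0, "10.10.20.1", "00:aa:bb:cc:dd:ee"),
]

GATEWAY_IP = "10.10.20.1"
GATEWAY_MAC = "00:11:22:33:44:01"  # assumed known-good value, e.g. taken from the switch's ARP table


def analyze_arp(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return (alerts, mitm_candidates).

    alerts: one dict per suspicious reply, with kind
        'mapping-change'         an IP that was bound to one MAC is now bound to another
        'gateway-impersonation'  a reply for the gateway IP from a MAC other than the known one
    mitm_candidates: {mac: [ips]} for any MAC claiming more than one IP, the classic
        signature of a station inserting itself between two hosts.
    """
    ip_to_mac = {}
    claims = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"t": ts, "kind": "mapping-change", "ip": ip, "old": prev, "new": mac})
        if ip == gateway_ip and mac != gateway_mac:
            alerts.append({"t": ts, "kind": "gateway-impersonation", "ip": ip,
                           "old": gateway_mac, "new": mac})
        ip_to_mac[ip] = mac
    mitm = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return alerts, mitm


if __name__ == "__main__":
    alerts, mitm = analyze_arp(SAMPLE_ARP_REPLIES)
    for a in alerts:
        print(f"[{a['t']:4.1f}s] {a['kind']}: {a['ip']} {a['old']} -> {a['new']}")
    for mac, ips in mitm.items():
        print(f"MITM candidate {mac} claims {', '.join(ips)}")
```

On a production network you'd feed this from a span port or an ARP-logging tool, and pair it with Dynamic ARP Inspection and DHCP snooping on the switches so that poisoned replies are dropped rather than merely noticed.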

However you choose to uncover your vulnerabilities in VoIP, just do something. In the end, if it's got an on/off switch and an IP address someone's going to try and manipulate it for ill-gotten gains.
Posted in hacking, security testing tools, voip, vulnerability assessments | No comments

It all goes back to choice

Posted on 02:00 by Unknown
I've said it before and I've come across a quote that prompts me to say it again. Peter McWilliams once said "We are all, right now, living the life we choose."

The same goes for security...and compliance...and overall business risk. The sum of your business decisions up to this point defines exactly where you are right now.

As Og Mandino said, "Use wisely your power of choice." As I've discovered, it's hard as heck sometimes, but incorporating this discipline into every decision you make can have a tremendous impact on all aspects of your life.
Posted in great quotes, information security quotes, personal responsibility, security leadership, success, thinking long term | No comments

Sunday, 26 September 2010

Looking for a tech job? Here's what you have to do to stand out.

Posted on 07:50 by Unknown
If you're currently looking for a job in IT with the current unemployment rate at 9.6% you know how difficult things can be. Deep down you likely know that you've got to do something to stand out above the noise so you can land that new position. But just what is it that you need to do? Do you network more, do you go back to school, do you get a certification, or do you run on a platform of "hope" and wait on the sidelines for things to happen?

Well, here's a piece that I wrote that talks about the steps you can take to get to where you need to be:

Getting hired in IT: How to stand out

Check out my related articles and audio programs for further reading on IT and information security careers.
Posted in careers, goal setting, personal responsibility, security leadership, success, time management | No comments

Friday, 24 September 2010

Want to be a security expert? Just start a blog & a Twitter account

Posted on 05:09 by Unknown
I find it intriguing how many security experts there are on the Web with zero credentials to back it up. I especially see this with former journalists and reporters turned infosec pundits. It seems that so many of these people who used to write for newspapers and computer magazines have suddenly changed their focus now that security's all the rage. Maybe it's the job market? A friend told me recently that he believes these people are cropping up everywhere because they're unemployed and trying to stay connected. Maybe so...

Don't take this the wrong way, I know you can eventually become an expert in something by diving in and getting your hands dirty over an extended period of time like I talked about here and here. But does throwing up a blog and having a Twitter presence without any real education, training or field experience count? Just because you're good with words and maintain a strong online presence doesn't automatically make you an expert...in anything.

Maybe I'm missing something.
Posted in careers, experience, scary stuff, stupid security | No comments

Tuesday, 21 September 2010

Just run down the checklist - that's "good enough"

Posted on 04:47 by Unknown
No offense to my auditor friends/colleagues and all the hands-on auditors of the world who DO know their stuff...Here's a new piece I wrote about one of the greatest impediments to reasonable information security in business today:

Why do so many people buy into “checklist” audits?

...goes back to the compliance crutch mentality that my colleague Charles Cresson Wood and I wrote about last year. Time to move on?? Looking at how we treat other things involving risk (automobiles and healthcare come to mind) I suspect we never will.

As the saying goes, good enough hardly ever is.
Posted in checklist audits, compliance, great quotes, information security quotes, security audits, stupid security | No comments

Monday, 20 September 2010

With this tool there's no excuse to not analyze your source code

Posted on 16:40 by Unknown
A few months back I wrote about Checkmarx's CxDeveloper source code analysis product. Well, I've had some more recent source code analysis experience with the tool and thought I'd write a follow-up piece.

I'll start by saying that I can't stress enough how cost-effective this tool is for performing source code analysis...especially when similar products cost MUCH more. Granted, I haven't performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on, but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:
  • hard-coded cryptographic key and password string (ouch!)
  • SQL injection
  • cross-site scripting
  • file manipulation
  • path traversal
The tool will seek out more traditional source code quality issues like improper resource shutdowns, hard-coded paths, and so on as well. One of my favorite things in the product is the line counter that will tell you, in a matter of seconds, how many lines of code you have in your application.
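To make the flaw classes in that list concrete, here is an added example in Python, my own constructed illustration and not the CxDeveloper engine or anything from Checkmarx: a few regex rules that flag the same four classes in a constructed vulnerable snippet, shown beside a hardened version of the same code that the rules no longer flag. The sample source, the rule labels and the `scan_source`/`count_lines` helpers are all assumptions for illustration.

```python
"""Toy static checks for the four flaw classes above (constructed example, not the CxDeveloper engine)."""
import re

# One rule per flaw class: (label, regex applied to each source line of Python-like code).
RULES = [
    ("hard-coded secret",
     re.compile(r'''(?i)\b\w*(?:key|password|passwd|secret|token)\w*\s*=\s*["'][^"']+["']''')),
    ("SQL injection (query built by string concatenation)",
     re.compile(r'''(?i)\b(?:select|insert|update|delete)\b.*?["']\s*\+''')),
    ("cross-site scripting (unescaped value concatenated into HTML)",
     re.compile(r'''["']<[^"']*["']\s*\+\s*(?!(?:\w+\.)?escape\()\w+''')),
    ("path traversal (caller-controlled name concatenated into open())",
     re.compile(r'''\bopen\(\s*["'][^"']*["']\s*\+''')),
]

# Constructed vulnerable snippet: each function carries one of the flaws listed above.
VULNERABLE = '''\
API_KEY = "sk_live_0123456789abcdef"

def get_user(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id = '" + user_id + "'")

def read_report(name):
    return open("/var/reports/" + name).read()

def greet(name):
    return "<h1>Hello " + name + "</h1>"
'''

# The same snippet hardened: secret from the environment, parameterized query,
# path anchored to its base directory after realpath(), and HTML-escaped output.
FIXED = '''\
import os
import html

API_KEY = os.environ["API_KEY"]

def get_user(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

def read_report(name):
    base = "/var/reports"
    path = os.path.realpath(os.path.join(base, name))
    if not path.startswith(base + os.sep):
        raise ValueError("path traversal attempt")
    return open(path).read()

def greet(name):
    return "<h1>Hello " + html.escape(name) + "</h1>"
'''


def scan_source(src):
    """Return [(rule_label, line_number)] for every source line that matches a rule."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((label, lineno))
    return findings


def count_lines(src):
    """Count non-blank lines, the quick size metric the post mentions."""
    return sum(1 for line in src.splitlines() if line.strip())


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{name}: {count_lines(src)} lines, {len(scan_source(src))} findings")
        for label, lineno in scan_source(src):
            print(f"  line {lineno}: {label}")
```

Regex rules like these are a toy; a real analyzer parses the code and tracks data flow from inputs to sinks, which is why it finds things a Web scanner running against the deployed application can't reach. The hardened snippet shows the remediation for each finding: a secret read from the environment, a parameterized query, a path check anchored to the base directory after `realpath()`, and HTML escaping of output.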

CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn't think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3GB. I tried it anyway and the product ran just fine.

CxDeveloper simply finds stuff in your source code that you're not going to find otherwise, at a small fraction of the competition's licensing fees. And it's very simple to use...there's not much to it at all. Maybe I'm missing something, but it seems like a winner to me - especially in a product segment that's struggled to get off the ground yet has so much to offer.

For further reading on source code analysis, here are some articles I've written on the subject:

Essentials of static source code analysis for Web applications

Eight reasons to do source code analysis on your web application

What to do after penetration testing: source code analysis
Posted in cool products, security testing tools, source code analysis | No comments

Be careful what you ask for

Posted on 13:25 by Unknown
Richard Carlson once said "Be careful what you ask for....sometimes your life is pretty darn good exactly the way it is." He went on to say "Think carefully through what it is you think you want, because you just might end up getting it, which is often more than you bargained for - more frustration, more grief, more travel, more responsibility, more conflict, more demands on your time, and so forth."

These words can apply to so many facets of IT and information security. Keep this in mind especially if you're searching for a job or thinking about changing careers...or if you're assuming the grass will somehow be greener on the other side. Maybe yes, maybe no.

On a related note regarding time management, it's easy to overlook the fact that when we take on something new we have to give up something else. There are only so many of us to go around. It's a good example of less is more - especially when it comes to having peace of mind.
Posted in great quotes, information security quotes, time management | No comments

Silent tyranny in the name of "cybersecurity"

Posted on 04:58 by Unknown
I just finished a new article on the Cybersecurity Act of 2009 (a.k.a. Rockefeller-Snowe Cybersecurity Act or S. 773) and the equally scary Protecting Cyberspace as a National Asset Act of 2010 (a.k.a. Lieberman-Carper-Collins or S. 3480).

Goodness gracious folks. Have you read these pieces of legislation yet? Are you tracking what's going on?

There's some serious government control headed our way if we sit back and let politicians force these policies and ideals on us. Not that we haven't experienced some serious lashing since January of 2009, but every single business here in the U.S. will be affected by this additional government control in some capacity...ditto with those of us working in the field.

I'll post the article once it's published...and I know I'll have a lot more to say about this in the coming months. In the meantime, here's to limited government and more personal (and business) freedom!
Posted in cybersecurity bill, government regulations, scary stuff, stupid security | No comments

Friday, 17 September 2010

Unique new book on least privilege security in Windows

Posted on 12:08 by Unknown
I've been reading through Russell Smith's new book Least Privilege Security for Windows 7, Vista and XP and I've realized it's about time for a book on this subject. I've covered some of the material in the past including in my recent SearchWinIT.com tip Should Windows users have full administrative rights? and I know there's content on this topic scattered across various books, articles, etc. but I've never seen a book dedicated to the subject. Pretty cool.

The book gets pretty technical showing various ways to use Group Policy, Software Restriction Policies/AppLocker and so on to really lock down workstations...presumably without it getting in the way of doing business. Speaking of that, to me, the most valuable chapter is Chapter 2: Political and Cultural Challenges for Least Privilege Security. Get over those humps and the technical stuff is a relative piece of cake.

From what I've seen thus far Least Privilege Security for Windows 7, Vista and XP is a solid book from a relatively young, yet promising, publisher (Packt Publishing) on a very important topic for Windows admins these days. You can buy the book on Amazon.com here:

Here's a sample chapter from the book:
Solving Least Privilege Problems with the Application Compatibility Toolkit

Packt also has an online portal (PacktLib) that allows you to search across all of their books.

Definitely worth checking out.
Posted in recommended books, security management, user awareness, windows security | No comments

Are your high-tech devices enslaving you?

Posted on 05:28 by Unknown
I saw a recent Don't Sweat the Small Stuff calendar quote where Richard Carlson said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow, how true that is! Ever tried to not look at your emails or answer phone calls when you're out and about with your family or taking some time to yourself? Especially when you're on vacation...It's very difficult but it can be done. If you're going to have peace of mind, it has to be done.

Dr. Carlson also had a related quote - one of my all time favorites:
"If someone throws you the ball, you don’t have to catch it."

Think about what Dr. Carlson said and try it out over the next couple of weeks. I've found that if you do it and stick with it, you'll not only develop a greater sense of peace but practically every aspect of your life will benefit from it.
Posted in goal setting, great quotes, information security quotes, personal responsibility, security leadership, time management | No comments

Thursday, 16 September 2010

Article 2, Section 1: Employees shall not be allowed to defend themselves

Posted on 14:30 by Unknown
Here's an interesting scenario of company policy versus state law. Regardless of the interpretation and how it turns out, way to go Iron Mountain for making it known your employees are unarmed!

In the same spirit of those "zero tolerance" school zones that tell the bad guys that there's no one there to defend themselves, this kind of stuff is absolutely mindless.
Posted in government regulations, security policies, stupid security | No comments

Wednesday, 15 September 2010

New content on data protection & compliance

Posted on 06:37 by Unknown
Here's the full download of the CSO Executive series I wrote recently for Realtimepublishers.com on data protection and compliance in the enterprise:


The series consists of the following:
Article 1: Primary Concerns of Regulatory Compliance and Data Classification
Article 2: Finding, Classifying and Assessing Data in the Enterprise
Article 3: Data Protection Reporting and Follow Up

Enjoy!
Posted in compliance, data protection, Kevin's security content, security management | No comments

Hacking Methodology chapter available for download

Posted on 05:32 by Unknown
Chapter 4 of the latest edition of my book Hacking For Dummies is now available for download on TechTarget's SearchWindowsServer.com.

If you like what you see, here's a direct link to the book on Amazon where you can save 34% off the cover price:

Happy ethical hacking!
Posted in ethical hacking, hacking, Kevin's books, Kevin's security content, penetration testing, recommended books | No comments

Tuesday, 14 September 2010

Preventing email denial of service when scanning Web apps

Posted on 05:48 by Unknown
Here's a new piece I've written that outlines one of those pesky Web scanning problems most of us have been affected by in some way or another:

Ways to avoid email floods when running Web vulnerability scans

Hope this helps!
Posted in Kevin's security content, penetration testing, security scans, vulnerability assessments, web application security | No comments

Sunday, 12 September 2010

You cannot secure what you don't acknowledge

Posted on 17:26 by Unknown
Here's a piece I wrote for SearchSMBStorage.com on storage security...specifically some must-have tools for finding storage-related security flaws in small business.

Five must-have data storage security tools for smaller businesses

If you don't know what's where it'll be impossible to keep it secure.
Posted in cool products, Kevin's security content, security testing tools, SMBs, storage security, vulnerability assessments | No comments

Wednesday, 8 September 2010

Security's not just an executive decision

Posted on 12:24 by Unknown
I recently came across this quote by Peter Drucker that struck a chord:

"Most discussions of decision making assume that only senior executives make decisions or that only senior executives' decisions matter. This is a dangerous mistake."

It reminds me of how certain executives decide that information security is something that doesn't affect their business regardless of what others are telling them. I'm sure many of these executives' subordinates are ready and willing to prove otherwise.

Business leaders: get the right people together and figure out how information risks affect your business...they do.
Posted in great quotes, information security quotes, security leadership | No comments

What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?

Posted on 12:02 by Unknown
Here's a piece I wrote on information security careers and what's best for getting ahead:

What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?

If you want to learn more on the go, I also have a Security On Wheels audio program on this topic that picks up where my article leaves off:
Certifications, Degrees, or Experience - What's Best for Your Security Career?
Posted in audio programs, careers, certifications, degrees | No comments

Good rule of thumb for information security

Posted on 06:24 by Unknown
Thomas Jefferson once said:

"Learn to see in another's calamity the ills that you should avoid."

If you want to manage information risks and keep your business out of hot water I can't think of a better principle to work by.
Posted in great quotes, information security quotes, security leadership | No comments

Tuesday, 7 September 2010

The key to accurate and insightful Web security scans

Posted on 16:35 by Unknown
You've likely found that Web vulnerability scanners aren't just point-and-click. Maybe so for relatively simplistic marketing websites but not for complex applications. In fact, one of the greatest ways to get a grand false sense of security is to turn a Web vulnerability scanner loose on your site/application and assume everything of consequence has been discovered and audited.

The thing is, we're now seeing an entirely new set of Web applications that just aren't that simple to assess with an automated tool. Be it an online survey, e-signing application, or e-commerce system, if the scanner doesn't know where to go (or client-side Web 2.0 code trips it up) you're going to get a whole lot of nothing in the results column.

Making the problem worse is the fact that every application is different...often vastly different. Not just the platform and the coding but the logic and the workflow. It's all those manual clicks in/around the app combined with tons of Ajax, Flash, and other code that's almost impossible for a scanner to traverse that really complicates things. And it's a problem that's not going away.

There's one Web vulnerability scanner that has always helped to take the pain out of this process - at least as long as I can remember. That scanner is HP's WebInspect. Performing a manual scan using WebInspect is very simple: you load up a new scan, tell it you want to perform a "Manual Crawl" as shown in the following screenshot and you're good to go.


Once you kick the scan off, WebInspect automatically loads Internet Explorer for you to step through the application. Meanwhile, in the background, the scanner captures every page you browse to, every input you provide (login credentials included), and every script that's run. Once you're done you simply close out Internet Explorer and WebInspect should complete its crawl (you may have to click Finish). If the application logs the scanner out, WebInspect will automatically log itself back in.

[Side note: This assumes that Default Audit Mode under Edit/Application Settings/Step Mode is set to Manual Audit (which I prefer). Otherwise the audit will have already started during the crawl phase and may complete (you sometimes have to pause the scan and restart for it to complete)].

Once that's done, you'll then click the red Audit button, select the audit policy you want to use, and WebInspect will continue on testing the pages it crawled for vulnerabilities. That's it.

It's still up to you to know and understand the logic and workflow of the application you're assessing. If you don't step through the application in the right ways or overlook critical parts of it, you can't blame the scanner for not providing good results. It will if it knows where to look and what to look for.

Bottom line: you absolutely cannot rely on the results of a basic Web "scan" in the name of PCI DSS compliance or whatever. You have to use a good scanner...in all the right ways. No one ever said it was easy. But done right, the payoffs are worthwhile.
Posted in cool products, penetration testing, security testing tools, vulnerability assessments, web 2.0, web application security, WebInspect | No comments

Monday, 6 September 2010

Securing and hacking Windows go hand in hand

Posted on 17:48 by Unknown
Computer hacking concepts extend to every nook and cranny of what we work with on a daily basis. Front and center are Windows-based servers. A large part of what I do in my work performing internal security vulnerability assessments - a.k.a. pen tests and audits - involves Windows servers. There's so much you can do to build up Windows server security and so much you can take to bring it down. I recommend both approaches. Here are two pieces I've written that cover each:

The very best Sysinternals tools for Windows server security

Step-by-step guide: Hacking Windows file servers
Posted in Kevin's security content, penetration testing, security audits, security scans, vulnerability assessments, Windows | No comments
  • data retention
  • database security
  • degrees
  • desktop management
  • disaster recovery
  • disk imaging
  • disposal
  • dns
  • document security
  • domino
  • DoS attacks
  • drive encryption
  • e-discovery
  • ediscovery
  • employee monitoring
  • encrypting data in transit
  • encryption
  • end point security
  • ethical hacking
  • exchange
  • experience
  • expert witness
  • exploits
  • facebook
  • FERPA
  • file integrity monitoring
  • firewalls
  • forensics
  • full disk encryption
  • global warming
  • goal setting
  • good blogs
  • government intrusion
  • government regulations
  • great quotes
  • hacking
  • hardware
  • hipaa
  • hitech
  • hitech act
  • home security
  • humor
  • identity access management
  • identity theft
  • IIS
  • incident response
  • information classification
  • information security quotes
  • intel
  • intellectual property
  • internal threat
  • java
  • Kevin's books
  • Kevin's interviews
  • Kevin's keynotes
  • kevin's panels
  • kevin's quotes
  • Kevin's security content
  • Kevin's seminars
  • Kevin's videos
  • laptop encryption
  • laptop security
  • legal
  • Linux
  • locking screens
  • low-hanging fruit
  • malware
  • marketing hype
  • message from Kevin
  • messaging security
  • metasploit
  • metrics
  • mobile apps
  • mobile security
  • motivation
  • multi-factor authentication
  • network analysis
  • network complexities
  • network protocols
  • network security
  • networking essentials
  • Novell
  • office
  • online backup
  • online safety
  • open source security
  • owasp
  • p2p
  • passwords
  • patch management
  • patching
  • pci 6.6
  • pci dss
  • PCNAA
  • penetration testing
  • people problems
  • personal responsibility
  • phishing
  • physical security
  • pii
  • podcasts
  • policy enforcement
  • politics
  • presentations
  • privacy
  • quality assurance
  • recommended books
  • recommended magazines
  • recycling
  • remote access security
  • ridiculous password requirements
  • risk analysis
  • risk management
  • rogue insiders
  • ROI
  • RSA 2012
  • running a business
  • saas
  • salary
  • scary stuff
  • sccm
  • sdlc
  • security assessments
  • security audits
  • security awareness
  • security committees
  • security leadership
  • security management
  • security operations
  • security policies
  • security policy
  • security scans
  • security standards
  • security statistics
  • security technologies
  • security testing tools
  • security tools
  • selling security
  • sharepoint
  • small business
  • smartphone security
  • SMBs
  • social media
  • software development
  • source code
  • source code analysis
  • special offer
  • SQL injection
  • sql server
  • ssl
  • storage security
  • student information systems
  • stupid security
  • success
  • telecommuting
  • testimonials
  • thinking long term
  • third-party applications
  • threat modeling
  • time management
  • training
  • twitter
  • uncool products
  • unstructured information
  • unstructured infromation
  • user awareness
  • vendors
  • virtual machine security
  • visibility
  • voip
  • vulnerability assessments
  • web 2.0
  • web application security
  • web browser security
  • web server security
  • webcasts
  • WebInspect
  • whitelisting
  • whitepapers
  • Windows
  • Windows 7
  • windows 8
  • windows 8.1
  • Windows Mobile
  • windows security
  • Windows Vista
  • wireless
  • wireless security
  • zero tolerance

Blog Archive

  • ►  2013 (35)
    • ►  November (3)
    • ►  October (3)
    • ►  September (1)
    • ►  August (2)
    • ►  July (3)
    • ►  June (1)
    • ►  May (4)
    • ►  April (4)
    • ►  March (4)
    • ►  February (5)
    • ►  January (5)
  • ►  2012 (77)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (3)
    • ►  August (3)
    • ►  July (4)
    • ►  June (5)
    • ►  May (9)
    • ►  April (5)
    • ►  March (10)
    • ►  February (14)
    • ►  January (16)
  • ►  2011 (163)
    • ►  December (15)
    • ►  November (11)
    • ►  October (9)
    • ►  September (16)
    • ►  August (13)
    • ►  July (8)
    • ►  June (13)
    • ►  May (18)
    • ►  April (16)
    • ►  March (13)
    • ►  February (13)
    • ►  January (18)
  • ▼  2010 (170)
    • ▼  December (10)
      • Quick step-through of Metasploit Express
      • Tips and tricks on e-discovery, forensics, and man...
      • Possible bomb at Newark, ratchet up security!!??
      • MS Exchange security + hacking and hardening SQL S...
      • This woman "did not have a plan B", do you?
      • Metrodome collapse video: nothing's really secure
      • Canon's digital camera image originality not so or...
      • The WikiLeaks lack of security responsibility & me...
      • Are terrorists hanging out at Wal-Mart or something?
      • Unbelievable #s in the new Billion Dollar Lost Lap...
    • ►  November (14)
      • The best way to survive an accident
      • Windows and Linux management tips and tricks
      • Stop all Wi-Fi deployments!
      • Just how much control are we willing to have force...
      • Becoming a more refined Web security expert
      • Internet Password Breaker - yet another reason to ...
      • The fundamental flaw of information security in SMBs
      • Some things you need to know about Windows Firewal...
      • My (belated) thoughts on Intel's purchase of McAfee
      • Windows 7 security tools & password weaknesses
      • Interesting findings from Venafi on encryption man...
      • Using GFI LANguard to find open network shares
      • Let the smoke (and mirrors) clear
      • Today is the day
    • ►  October (7)
      • The business side of Web security (you can't affor...
      • Talk about old school...
      • AppDetectivePro v7 worth checking out
      • Is this quote one of the contributing factors to l...
      • Got compliance? Here are some tips for moving ahead.
      • 911, what's your emergency?
      • Beware of the oversights w/default policies in Web...
    • ►  September (27)
      • Elcomsoft's new Phone Password Breaker now support...
      • In the unlikely event you experience a security br...
      • Don't believe the hype
      • Cybersecurity Act of 2009 - It's great for governm...
      • New Windows identity & access management resources
      • Got VoIP? Better make sure it's secure.
      • It all goes back to choice
      • Looking for a tech job? Here's what you have to do...
      • Want to be a security expert? Just start a blog & ...
      • Just run down the checklist - that's "good enough"
      • With this tool there's no excuse to not analyze yo...
      • Be careful what you ask for
      • Silent tyranny in the name of "cybersecurity"
      • Unique new book on least privilege security in Win...
      • Are your high-tech devices enslaving you?
      • Article 2, Section 1: Employees shall not be allow...
      • New content on data protection & compliance
      • Hacking Methodology chapter available for download
      • Preventing email denial of service when scanning W...
      • You cannot secure what you don't acknowledge
      • Security's not just an executive decision
      • What’s Better for Your Information Security Career...
      • Good rule of thumb for information security
      • The key to accurate and insightful Web security scans
      • Securing and hacking Windows go hand in hand
    • ►  August (20)
    • ►  July (8)
    • ►  June (15)
    • ►  May (4)
    • ►  April (23)
    • ►  March (21)
    • ►  February (11)
    • ►  January (10)
  • ►  2009 (55)
    • ►  December (5)
    • ►  November (10)
    • ►  October (21)
    • ►  September (19)
Powered by Blogger.

About Me

Unknown
View my complete profile