Tech Support For Dummies

Thursday, 30 September 2010

Elcomsoft's new Phone Password Breaker now supports the BlackBerry

Posted on 03:10 by Unknown
Elcomsoft's neat iPhone Password Breaker tool that can crack iPhone backup passwords just got 100% better. Now it's called Phone Password Breaker and supports BlackBerry backups. Nice.

Combine such a tool with all the open shares and unstructured data scattered about the average network and you've got a pretty serious problem on your hands. That is unless you're using the tool in a security assessment and demonstrating the continued risks smartphones represent in the enterprise.

Phone Password Breaker can crack password-protected iPhone, iPad and iPod Touch backups and decrypt encrypted BlackBerry backups. Like some of its sister products the tool can utilize GPU acceleration - something that can prove very beneficial when you only have a relatively short period of time to obtain your results.

The Pro version costs $199 and the Home edition is less than half that. Not bad given the value it can bring. Kudos to Vladimir Katalov and his team - yet another great security/forensics tool we can all benefit from. Check it out.
Posted in cool products, ethical hacking, passwords, security testing tools

Tuesday, 28 September 2010

In the unlikely event you experience a security breach...

Posted on 15:19 by Unknown
If you've experienced a data breach - or if you're into thinking long term and want to plan ahead in the event one does occur - here's an Entrepreneur Magazine bit from a PR specialist on how to handle a crisis.

It doesn't have to be difficult but you can pretty much bet it will be if you don't have a plan. For further reading, here are some pieces I've written about information security incident response.
Posted in incident response, personal responsibility, security leadership, thinking long term

Don't believe the hype

Posted on 12:00 by Unknown
In this piece, fellow SearchEnterpriseDesktop.com writer Mike Nelson does a good job railing against vendor FUD. His content ties right into my thoughts on all the IT and security marketing fluff we're exposed to. It's nuts.

If you do anything, educate yourself on the basics before going in - before you buy any product or service...With Google, Bing, and all the good resources out there it's relatively simple to learn the essentials. Armed with just enough of the basics you'll at least be able to call b.s. when the sales weasels' audacity of hype gets out of line.
Posted in marketing hype, stupid security

Cybersecurity Act of 2009 - It's great for government growth!

Posted on 05:41 by Unknown
You may already know how I feel about our out-of-control government. Well here's a new piece I wrote about the Cybersecurity Act of 2009 - legislation that'll make your head spin.

Why the Cybersecurity Act is better for government than business

In subsequent edits to this article I had added some material on the new Lieberman-Carper-Collins legislation Protecting Cyberspace as a National Asset Act of 2010 (a.k.a. Senate Bill 3480) that didn't make the final cut. So, I'm going to write a follow-up article on that. Stay tuned...

Bottom line: We've got to wake up to the reality of what's happening to the U.S. - and the world - in the name of government control - silent (and not so silent) tyranny...It's all happening right before our eyes.
Posted in compliance, cybersecurity bill, government regulations, Kevin's security content, scary stuff, stupid security

New Windows identity & access management resources

Posted on 02:01 by Unknown
Here are some new pieces I wrote for SearchWindowsServer.com on Windows IAM - pros, cons, and considerations:

Are identity and access management payoffs worth the fuss?

The compliance benefits of Windows identity and access management

Six ways to improve identity and access management (IAM) for Windows

Finding the value in Microsoft Forefront Identity Manager 2010

Enjoy!
Posted in change management, identity access management, Kevin's security content, security management, Windows

Monday, 27 September 2010

Got VoIP? Better make sure it's secure.

Posted on 09:29 by Unknown
Given that VoIP has been around for more than 10 years, it's hard to find a business where it's not running in some capacity. I do find it interesting how many network managers aren't too concerned about the security of VoIP. People say things like "It's on the inside of the network", "It's running on a separate VLAN", and "We're PCI and HIPAA compliant but there's nothing of significance being sent over the wire with VoIP". Interesting.

Here's a new story about VoIP hackers getting sentenced to prison - proof, to me, that people out there want your systems, your minutes, your bandwidth and beyond.

There are numerous ways to exploit VoIP, from poorly-secured call manager interfaces to network traffic and beyond. For example, Cain & Abel's ARP poisoning gives a malicious insider on the same segment a simple way to intercept traffic on a switched Ethernet network and capture/play back VoIP calls. VoIP Hopper can help those for whom VLAN segmentation gets in the way, by hopping from the data VLAN into the voice VLAN. I go into VoIP hacking in detail in Chapter 13 of my book Hacking For Dummies, 3rd edition. For further reading check out these pieces that I've presented on VoIP security.
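The "separate VLAN" argument above falls apart once someone is on that VLAN and poisoning ARP caches, so here is the detection check a practitioner would want on the voice segment. This is an added example and not code from the post or from Cain & Abel or VoIP Hopper; it assumes ARP replies are being captured with `tcpdump -n arp` (the sample lines and all addresses below are constructed, and the function names are my own). It flags an IP whose claimed MAC changes and a single MAC claiming several IPs, which is what any ARP-poisoning tool produces when it impersonates both a phone and its gateway.

```python
import re
from collections import defaultdict

# Constructed sample of what `tcpdump -n arp` prints on a voice VLAN (addresses
# are made up). The first three replies are legitimate; the last three are the
# kind of forged replies an ARP-poisoning tool sends so that the phone and the
# gateway both forward their SIP/RTP traffic through the attacker's NIC.
SAMPLE_TCPDUMP_LINES = """\
09:00:00.000000 ARP, Reply 10.1.10.1 is-at 00:11:22:33:44:01, length 28
09:00:00.500000 ARP, Reply 10.1.10.50 is-at 00:11:22:33:44:50, length 28
09:00:01.000000 ARP, Reply 10.1.10.60 is-at 00:11:22:33:44:60, length 28
09:00:30.000000 ARP, Reply 10.1.10.1 is-at aa:bb:cc:dd:ee:ff, length 28
09:00:30.100000 ARP, Reply 10.1.10.50 is-at aa:bb:cc:dd:ee:ff, length 28
09:00:31.000000 ARP, Reply 10.1.10.1 is-at aa:bb:cc:dd:ee:ff, length 28
""".splitlines()

# Matches tcpdump's "<time> ARP, Reply <ip> is-at <mac>, ..." line format.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_tcpdump_arp(lines):
    """Yield (timestamp, sender_ip, sender_mac) for each ARP reply; skip other lines."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_poisoning(replies, trusted_bindings=None, multi_ip_allowed=()):
    """Return alerts for IP->MAC changes and for one MAC claiming several IPs.

    replies: iterable of (timestamp, sender_ip, sender_mac).
    trusted_bindings: optional ip->mac dict (e.g. exported from the call manager
        or DHCP leases); a reply contradicting it is flagged even on first sight.
    multi_ip_allowed: MACs that legitimately answer for several IPs (HSRP/VRRP
        routers, proxy ARP), so they do not raise the multi-IP alert.
    """
    mac_for_ip = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
    ips_for_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = mac_for_ip.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "ip_mac_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        # Remember the latest claim: a repeated forged reply stays quiet, while
        # the real host answering again shows up as a second change (flapping).
        mac_for_ip[ip] = mac
        if ip not in ips_for_mac[mac]:
            ips_for_mac[mac].add(ip)
            if len(ips_for_mac[mac]) > 1 and mac not in multi_ip_allowed:
                alerts.append({"time": ts, "type": "mac_multi_ip", "mac": mac,
                               "ips": sorted(ips_for_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_tcpdump_arp(SAMPLE_TCPDUMP_LINES)):
        print(alert)
```

On the sample above this yields three alerts: the gateway's MAC changing, the phone's MAC changing, and the attacker's MAC claiming both addresses. Seed `trusted_bindings` from the call manager's phone inventory and you catch a poisoner that was already running when the capture started; switch features such as Dynamic ARP Inspection do the same check in hardware and are the real fix.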

However you choose to uncover your vulnerabilities in VoIP, just do something. In the end, if it's got an on/off switch and an IP address someone's going to try and manipulate it for ill-gotten gains.
Posted in hacking, security testing tools, voip, vulnerability assessments

It all goes back to choice

Posted on 02:00 by Unknown
I've said it before and I've come across a quote that prompts me to say it again. Peter McWilliams once said "We are all, right now, living the life we choose."

The same goes for security...and compliance...and overall business risk. The sum of your business decisions up to this point define exactly where you are right now.

As Og Mandino said "Use wisely your power of choice." As I've discovered it's hard as heck sometimes but incorporating this discipline into every decision you make can have a tremendous impact on all aspects of your life.
Posted in great quotes, information security quotes, personal responsibility, security leadership, success, thinking long term

Sunday, 26 September 2010

Looking for a tech job? Here's what you have to do to stand out.

Posted on 07:50 by Unknown
If you're currently looking for a job in IT with the current unemployment rate at 9.6% you know how difficult things can be. Deep down you likely know that you've got to do something to stand out above the noise so you can land that new position. But just what is it that you need to do? Do you network more, do you go back to school, do you get a certification, or do you run on a platform of "hope" and wait on the sidelines for things to happen?

Well, here's a piece that I wrote that talks about the steps you can take to get to where you need to be:

Getting hired in IT: How to stand out

Check out my related articles and audio programs for further reading on IT and information security careers.
Posted in careers, goal setting, personal responsibility, security leadership, success, time management

Friday, 24 September 2010

Want to be a security expert? Just start a blog & a Twitter account

Posted on 05:09 by Unknown
I find it intriguing how many security experts there are on the Web with zero credentials to back it up. I especially see this with former journalists and reporters turned infosec pundits. It seems that so many of these people who used to write for newspapers and computer magazines have suddenly changed their focus now that security's all the rage. Maybe it's the job market? A friend told me recently that he believes these people are cropping up everywhere because they're unemployed and are trying to stay connected. Maybe so...

Don't take this the wrong way, I know you can eventually become an expert in something by diving in and getting your hands dirty over an extended period of time like I talked about here and here. But does throwing up a blog and having a Twitter presence without any real education, training or field experience count? Just because you're good with words and maintain a strong online presence doesn't automatically make you an expert...in anything.

Maybe I'm missing something.
Posted in careers, experience, scary stuff, stupid security

Tuesday, 21 September 2010

Just run down the checklist - that's "good enough"

Posted on 04:47 by Unknown
No offense to my auditor friends/colleagues and all the hands-on auditors of the world who DO know their stuff...Here's a new piece I wrote about one of the greatest impediments to reasonable information security in business today:

Why do so many people buy into “checklist” audits?

...goes back to the compliance crutch mentality that my colleague Charles Cresson Wood and I wrote about last year. Time to move on?? Looking at how we treat other things involving risk (automobiles and healthcare come to mind) I suspect we never will.

As the saying goes good enough hardly ever is.
Posted in checklist audits, compliance, great quotes, information security quotes, security audits, stupid security

Monday, 20 September 2010

With this tool there's no excuse to not analyze your source code

Posted on 16:40 by Unknown
A few months back I wrote about Checkmarx's CxDeveloper source code analysis product. Well, I've had some more recent source code analysis experience with the tool and thought I'd write a follow up piece.

I'll start by saying that I can't stress how cost-effective this tool is for performing source code analysis...esp. when similar products cost MUCH more. Granted, I haven't performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:
  • hard-coded cryptographic key and password string (ouch!)
  • SQL injection
  • cross-site scripting
  • file manipulation
  • path traversal
The tool will seek out more traditional source code quality issues like improper resource shutdowns, hard-coded paths, and so on as well. One of my favorite things in the product is the line counter that will tell you, in a matter of seconds, how many lines of code you have in your application.
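To make concrete why a source code analyzer finds the items in that list when a Web vulnerability scanner running against the same application does not, here is an added example of the kind of check such a tool performs. It is my own illustration, not Checkmarx's code or a description of how CxDeveloper works internally, and it assumes the application is written in Python (the sample application source, function names and the regex of "secret-looking" variable names are constructed for the example). It walks the parsed syntax tree and flags a hard-coded key, a SQL query assembled from string pieces, and a file path built from dynamic input, while leaving the parameterised query next to it alone; none of these are visible from the outside the way a scanner sees the app.

```python
import ast
import re

# Constructed sample application code (not from any real project): a key is
# hard-coded at module level, one function builds SQL by concatenation, its
# neighbour uses a parameterised query, and the report reader concatenates a
# caller-supplied name into a path.
SAMPLE_SOURCE = '''
import sqlite3
API_KEY = "sk_live_0123456789abcdef"
def get_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()
def get_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()
def read_report(name):
    with open("/var/reports/" + name) as f:
        return f.read()
'''

# Variable names that usually hold credentials or key material (assumed list).
SECRET_NAME = re.compile(r"(pass(word)?|pwd|secret|api_?key|token|private_?key)", re.I)


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime (concatenation,
    %-formatting, .format() or an f-string) rather than being one literal."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan_source(source, filename="<string>"):
    """Return sorted (line, category, message) findings for Python source text."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            # Hard-coded secret: NAME = "literal" where NAME looks credential-like.
            value = node.value
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(value, ast.Constant)
                        and isinstance(value.value, str) and len(value.value) >= 8):
                    findings.append((node.lineno, "hard-coded secret",
                                     f"{target.id} is assigned a string literal"))
        elif isinstance(node, ast.Call):
            func = node.func
            # SQL sink: cursor.execute(<string built at runtime>, ...)
            if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                    and node.args and _is_dynamic_string(node.args[0])):
                findings.append((node.lineno, "sql injection",
                                 "query built with string formatting; use parameters"))
            # File sink: open(<path built at runtime>)
            elif (isinstance(func, ast.Name) and func.id == "open"
                    and node.args and _is_dynamic_string(node.args[0])):
                findings.append((node.lineno, "path traversal",
                                 "file path built from dynamic input; resolve and check it stays under the base directory"))
    return sorted(findings)


if __name__ == "__main__":
    for line, category, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {category}: {message}")
```

This is deliberately sink-based: anything reaching `execute()` or `open()` that was stitched together at runtime is reported, which is the same reason the hardened `get_user_safe` passes and why a commercial analyzer adds taint tracking from request parameters to the sink to cut the false positives a check this simple produces on constant-only concatenation.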

CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn't think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3 GB. I tried it anyway and the product ran just fine.

CxDeveloper simply finds stuff in your source code that you're not going to find otherwise at a small fraction of the competition's licensing fees. And it's very simple to use...there's not much to it at all. Maybe I'm missing something but it seems like a winner to me - especially in a product segment that's struggled to get off the ground yet has so much to offer.

For further reading on source code analysis, here are some articles I've written on the subject:

Essentials of static source code analysis for Web applications

Eight reasons to do source code analysis on your web application

What to do after penetration testing: source code analysis
Posted in cool products, security testing tools, source code analysis

Be careful what you ask for

Posted on 13:25 by Unknown
Richard Carlson once said "Be careful what you ask for....sometimes your life is pretty darn good exactly the way it is." He went on to say "Think carefully through what it is you think you want, because you just might end up getting it, which is often more than you bargained for - more frustration, more grief, more travel, more responsibility, more conflict, more demands on your time, and so forth."

These words can apply to so many facets of IT and information security. Keep this in mind especially if you're searching for a job or thinking about changing careers...or if you're assuming the grass will somehow be greener on the other side. Maybe yes, maybe no.

On a related note regarding time management, it's easy to overlook the fact that when we take on something new we have to give up something else. There's only so many of us to go around. Good example of less is more - especially when it comes to having peace of mind.
Posted in great quotes, information security quotes, time management

Silent tyranny in the name of "cybersecurity"

Posted on 04:58 by Unknown
I just finished a new article on the Cybersecurity Act of 2009 (a.k.a. Rockefeller-Snowe Cybersecurity Act or S. 773) and the equally scary Protecting Cyberspace as a National Asset Act of 2010 (a.k.a. Lieberman-Carper-Collins or S. 3480).

Goodness gracious folks. Have you read these pieces of legislation yet? Are you tracking what's going on?

There's some serious government control headed our way if we sit back and let politicians force these policies and ideals on us. Not that we haven't experienced some serious lashing since January of 2009 but every single business here in the U.S. will be affected by this additional government control in some capacity...ditto with those of us working in the field.

I'll post the article once it's published...and I know I'll have a lot more to say about this in the coming months. In the meantime, here's to limited government and more personal (and business) freedom!
Posted in cybersecurity bill, government regulations, scary stuff, stupid security

Friday, 17 September 2010

Unique new book on least privilege security in Windows

Posted on 12:08 by Unknown
I've been reading through Russell Smith's new book Least Privilege Security for Windows 7, Vista and XP and I've realized it's about time for a book on this subject. I've covered some of the material in the past including in my recent SearchWinIT.com tip Should Windows users have full administrative rights? and I know there's content on this topic scattered across various books, articles, etc. but I've never seen a book dedicated to the subject. Pretty cool.

The book gets pretty technical showing various ways to use Group Policy, Software Restriction Policies/AppLocker and so on to really lock down workstations...presumably without it getting in the way of doing business. Speaking of that, to me, the most valuable chapter is Chapter 2: Political and Cultural Challenges for Least Privilege Security. Get over those humps and the technical stuff is a relative piece of cake.

From what I've seen thus far Least Privilege Security for Windows 7, Vista and XP is a solid book from a relatively young, yet promising, publisher (Packt Publishing) on a very important topic for Windows admins these days. You can buy the book on Amazon.com here:

Here's a sample chapter from the book:
Solving Least Privilege Problems with the Application Compatibility Toolkit

Packt also has an online portal (PacktLib) that allows you to search across all of their books.

Definitely worth checking out.
Posted in recommended books, security management, user awareness, windows security

Are your high-tech devices enslaving you?

Posted on 05:28 by Unknown
I saw a recent Don't Sweat the Small Stuff calendar quote where Richard Carlson said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow, how true that is! Ever tried to not look at your emails or answer phone calls when you're out and about with your family or taking some time to yourself? Especially when you're on vacation...It's very difficult but it can be done. If you're going to have peace of mind, it has to be done.

Dr. Carlson also had a related quote - one of my all time favorites:
"If someone throws you the ball, you don’t have to catch it."

Think about what Dr. Carlson said and try it out over the next couple of weeks. I've found that if you do it and stick with it, you'll not only develop a greater sense of peace but practically every aspect of your life will benefit from it.
Posted in goal setting, great quotes, information security quotes, personal responsibility, security leadership, time management

Thursday, 16 September 2010

Article 2, Section 1: Employees shall not be allowed to defend themselves

Posted on 14:30 by Unknown
Here's an interesting scenario of company policy versus state law. Regardless of the interpretation and how it turns out, way to go Iron Mountain for making it known your employees are unarmed!

In the same spirit of those "zero tolerance" school zones that tell the bad guys that there's no one there to defend themselves, this kind of stuff is absolutely mindless.
Posted in government regulations, security policies, stupid security

Wednesday, 15 September 2010

New content on data protection & compliance

Posted on 06:37 by Unknown
Here's the full download of the CSO Executive series I wrote recently for Realtimepublishers.com on data protection and compliance in the enterprise:

The series consists of the following:
Article 1:
Primary Concerns of Regulatory Compliance and Data Classification
Article 2:
Finding, Classifying and Assessing Data in the Enterprise
Article 3:
Data Protection Reporting and Follow Up

Enjoy!
Posted in compliance, data protection, Kevin's security content, security management

Hacking Methodology chapter available for download

Posted on 05:32 by Unknown
Chapter 4 of the latest edition of my book Hacking For Dummies is now available for download on TechTarget's SearchWindowsServer.com.

If you like what you see, here's a direct link to the book on Amazon where you can save 34% off the cover price:

Happy ethical hacking!
Posted in ethical hacking, hacking, Kevin's books, Kevin's security content, penetration testing, recommended books

Tuesday, 14 September 2010

Preventing email denial of service when scanning Web apps

Posted on 05:48 by Unknown
Here's a new piece I've written that outlines one of those pesky Web scanning problems most of us have been affected by in some way or another:

Ways to avoid email floods when running Web vulnerability scans

Hope this helps!
Posted in Kevin's security content, penetration testing, security scans, vulnerability assessments, web application security

Sunday, 12 September 2010

You cannot secure what you don't acknowledge

Posted on 17:26 by Unknown
Here's a piece I wrote for SearchSMBStorage.com on storage security...specifically some must-have tools for finding storage-related security flaws in small business.

Five must-have data storage security tools for smaller businesses

If you don't know what's where it'll be impossible to keep it secure.
Posted in cool products, Kevin's security content, security testing tools, SMBs, storage security, vulnerability assessments

Wednesday, 8 September 2010

Security's not just an executive decision

Posted on 12:24 by Unknown
I recently came across this quote by Peter Drucker that struck a chord:

"Most discussions of decision making assume that only senior executives make decisions or that only senior executives' decisions matter. This is a dangerous mistake."

It reminds me of how certain executives decide that information security is something that doesn't affect their business regardless of what others are telling them. I'm sure many of these executives' subordinates are ready and willing to prove otherwise.

Business leaders: get the right people together and figure out how information risks affect your business...they do.
Posted in great quotes, information security quotes, security leadership

What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?

Posted on 12:02 by Unknown
Here's a piece I wrote on information security careers and what's best for getting ahead:

What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?

If you want to learn more on the go, I also have a Security On Wheels audio program on this topic that picks up where my article leaves off:
Certifications, Degrees, or Experience - What's Best for Your Security Career?
Posted in audio programs, careers, certifications, degrees

Good rule of thumb for information security

Posted on 06:24 by Unknown
Thomas Jefferson once said:

"Learn to see in another's calamity the ills that you should avoid."

If you want to manage information risks and keep your business out of hot water I can't think of a better principle to work by.
Posted in great quotes, information security quotes, security leadership

Tuesday, 7 September 2010

The key to accurate and insightful Web security scans

Posted on 16:35 by Unknown
You've likely found that Web vulnerability scanners aren't just point-and-click. Maybe so for relatively simplistic marketing websites but not for complex applications. In fact, one of the greatest ways to get a grand false sense of security is to turn a Web vulnerability scanner loose on your site/application and assume everything of consequence has been discovered and audited.

The thing is we're now seeing an entirely new set of Web applications that just aren't that simple to assess with an automated tool. Be it an online survey, e-signing application, or e-commerce system, if the scanner doesn't know where to go (or client-side Web 2.0 code trips it up) you're going to get a whole lot of nothing in the results column.

Making the problem worse is the fact that every application is different...often vastly different. Not just the platform and the coding but the logic and the workflow. It's all those manual clicks in/around the app combined with tons of Ajax, Flash, and other code that's almost impossible for a scanner to traverse that really complicates things. And it's a problem that's not going away.

There's one Web vulnerability scanner that has always helped to take the pain out of this process - at least as long as I can remember. That scanner is HP's WebInspect. Performing a manual scan using WebInspect is very simple: you load up a new scan, tell it you want to perform a "Manual Crawl" as shown in the following screenshot and you're good to go.

Once you kick the scan off, WebInspect automatically loads Internet Explorer for you to step through the application. Meanwhile, in the background, the scanner captures every page you browse to, every input you provide (login credentials included), and every script that's run. Once you're done you simply close out Internet Explorer and WebInspect should complete its crawl (you may have to click Finish). If the application logs the scanner out, WebInspect will automatically log itself back in.

[Side note: This assumes that Default Audit Mode under Edit/Application Settings/Step Mode is set to Manual Audit (which I prefer). Otherwise the audit will have already started during the crawl phase and may complete (you sometimes have to pause the scan and restart for it to complete)].

Once that's done, you'll then click the red Audit button, select the audit policy you want to use, and WebInspect will continue on testing the pages it crawled for vulnerabilities. That's it.

It's still up to you to know and understand the logic and workflow of the application you're assessing. If you don't step through the application in the right ways or overlook critical parts of it, you can't blame the scanner for not providing good results. It will if it knows where to look and what to look for.

Bottom line: you absolutely cannot rely on the results of a basic Web "scan" in the name of PCI DSS compliance or whatever. You have to use a good scanner...in all the right ways. No one ever said it was easy. But done right, the payoffs are worthwhile.
Posted in cool products, penetration testing, security testing tools, vulnerability assessments, web 2.0, web application security, WebInspect

Monday, 6 September 2010

Securing and hacking Windows go hand in hand

Posted on 17:48 by Unknown
Computer hacking concepts extend to every nook and cranny of what we work with on a daily basis. Front and center are Windows-based servers. A large part of what I do in my work performing internal security vulnerability assessments - a.k.a. pen tests and audits - involves Windows servers. There's so much you can do to build up Windows server security and so much you can do to bring it down. I recommend both approaches. Here are two pieces I've written that cover each:

The very best Sysinternals tools for Windows server security

Step-by-step guide: Hacking Windows file servers
Posted in Kevin's security content, penetration testing, security audits, security scans, vulnerability assessments, Windows

Thursday, 2 September 2010

Crunch risk numbers or fix the obvious?

Posted on 04:46 by Unknown
My colleague Ben Rothke (@benrothke) recently wrote a good piece on basing information security decisions on good data. I like his approach - it'll make you think. It's true we do need good data so we can make better decisions. Sadly, we often don't have the data or, if we do, we're not qualified to interpret it.

Maybe it's just me but I don't believe my degrees in computer engineering and management of technology qualify me as an "enterprise statistician". That still doesn't make information security oversights okay. The dilemma reminds me of something that Gilbert Arland once said: "Failure to hit the bullseye is never the fault of the target." We do need good data. It's just not that simple in the world of information security.

The problem is similar to the underlying principle of goal setting and leadership: how are you going to know where to go if you don't know where you're going, much less how to get there?

The reality is, we're never - at least for the foreseeable future - going to have all the right data to make good information security decisions. We have to do the best with what we've got. But that shouldn't keep us from focusing on what's obviously important. Case in point I can say based on experience that the majority of organizations I've seen (both small and large) haven't even addressed the basics of information security. Why burden ourselves with complex risk calculations when the bleeding and the cure are right before our eyes?

Don't get me wrong. Quantifiable risk calculations have their place in our industry. But unless and until we get the basic stuff under control, what's the point of making things even more complicated? I'm just saying.

Staying tuned for Part 2 of Ben's article...
Posted in back to basics, great quotes, information security quotes, low-hanging fruit, risk analysis, security assessments

The case for zero-day testing

Posted on 04:28 by Unknown
Here's a good piece by David Maynor regarding penetration testing and whether or not zero day exploits should be used. I agree with David. With penetration testing, ethical hacking, vulnerability assessments - whatever you want to call them - anything should be fair game. That is if you want a real-world view of what's at risk. Limiting your tests could skew the results and you'll end up with a false sense of security when nothing big turns up.
Posted in penetration testing, vulnerability assessments
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)

Popular Posts

  • How you can get developers on board with security starting today
    Some people - including a brilliant colleague of mine - think security is not the job of software developers . In the grand scheme of things...
  • NetScan Tools LE - a must-have for investigators
    Have you ever had a need to run a program and get a relatively small amount of data just to do your job but end up getting caught in the com...
  • "Top Blogs" list & some home security considerations
    I think I may have found the first sign that my blog is growing and gaining some traction. I've made it to the Top 20 Home Security Blog...
  • Wooo...HIPAA audits are coming & the irony of KPMG's involvement
    I've always believed that compliance is a threat to business [hence why I help businesses take the pain out of compliance by addressing ...
  • Great tool for seeking out sensitive info on your network
    One of the greatest risks in business today is the issue of unstructured information scattered about the network waiting to be misused and ...
  • It's hard being human
    Cavett Robert once said something about character that resonates within information security - especially regarding ongoing management and l...
  • Dario Franchitti and I
    As many of you know I'm a motorsports nut -both as a driver and a fan. This provided the influence for my Security On Wheels logo. Well,...
  • The value of partial code scanning, now
    Check out my new piece on the business value of partial code scanning where I outline why it's better to start your source code analysi...
  • Be it in healthcare or infosec, the short term is for losers
    With all the doctor & hospital visits I've gone (and am still going) through with family members in the past few years, I've com...
  • Live from #RSAC: Cloud computing's got some kinks (but you knew that)
    I'm attending the RSA Conference this week and just sat through a panel discussion on cross-jurisdictional issues in the cloud. It was p...
