Tech Support For Dummies


Thursday, 23 December 2010

Quick step-through of Metasploit Express

Posted on 13:19 by Unknown
I've been raving about the penetration testing tool Metasploit for a while. With the release of Metasploit Express earlier this year I'm even more pleased with all the efforts HD Moore and his team have put forth. Metasploit Express is a commercial product you'll have to pay for but to me it's well worth the investment. It's easier to use, it has nice reporting and more. All the things we need in today's world of junk security tools that just don't deliver.

In the event you haven't tried it out, here's a brief walk-through of some of the nice features and capabilities of Metasploit Express.

[Screenshot] The main interface for a "project" provides access to hosts, sessions, reports, modules and tasks - the main sections of the app.

[Screenshot] If your vulnerability scanner has found a specific vulnerability you can search for it in Metasploit Express to confirm there's an exploit module as shown here.

[Screenshot] You can then manually launch the exploit on your target host.

[Screenshot] Once a vulnerability has been exploited and the payload delivered, you can gather evidence as shown here.

[Screenshot] Or, you can just obtain a remote command prompt showing that you've compromised the host.

[Screenshot] When all's said and done, you can kill your session, clean up the remnants and be done with it.

There are numerous other features within Metasploit Express that allow you to automate host discovery, the exploitation process and so on...just a bit much to cover in one blog post. Perhaps I'll cover that in detail in my next edition of Hacking For Dummies. :)

All in all, Metasploit Express is a security testing tool you shouldn't be without. It's a great way to "prove" those security vulnerabilities you discover are indeed a business problem.
Posted in cool products, metasploit, penetration testing, security testing tools, vulnerability assessments

Monday, 20 December 2010

Tips and tricks on e-discovery, forensics, and managing esi

Posted on 14:44 by Unknown
Here are a few pieces I wrote and recorded for SearchCompliance.com on managing all that electronic data on your network that you're constantly drowning in...

Leaning on records management can take the angst out of e-discovery

Why you need to create an ESI strategy (webcast)

Why you need to create an ESI strategy (podcast)

What is computer forensics technology? Does it help compliance?
Posted in compliance, data retention, ediscovery, forensics, Kevin's security content

Possible bomb at Newark, ratchet up security!!??

Posted on 05:26 by Unknown
I heard a news story this morning about the possible bomb that was found at Newark Airport. The reporter went on to say that TSA is "ratcheting up security" and searching bags with more scrutiny in the event the threat is real.

What I want to know is (and can't seem to find the answer to): why is it we "ratchet up security" when such a threat is detected rather than putting controls and processes in place that allow us to remain vigilant at all times?

So, we see a threat, we scurry to lock things down, and a few minutes or weeks later (or years in the case of the 9/11 attacks) we get back into our old complacent ways. I wrote about this phenomenon earlier this year in this piece for Security Technology Executive magazine:

Don't lose sight of what's important

...I just don't get it.
Posted in business case for security, government regulations, incident response, security leadership, stupid security

Sunday, 19 December 2010

MS Exchange security + hacking and hardening SQL Server

Posted on 14:30 by Unknown
Here are some new articles I've written for TechTarget that you may be interested in:

Nine Exchange server risks you don’t want to overlook

Ten hacker tricks to exploit SQL Server systems (an oldie that I recently updated)

Do you need to harden SQL Server 2008 R2?

Enjoy!
Posted in database security, ethical hacking, exchange, Kevin's security content, penetration testing, sql server, vulnerability assessments

Wednesday, 15 December 2010

This woman "did not have a plan B", do you?

Posted on 10:15 by Unknown
Watch this intense video of the psycho at the Florida school board meeting firing at the superintendent who supposedly signed the papers leading to his wife losing her job.

Shows that you've always got to have an escape route. Be it with information security, driving down the road, or attending a meeting such as this.

Of course, this was a situation in a government school building where only the criminals can have guns. Zero tolerance at its finest. I'm just glad everyone else in the room was (relatively) unharmed.
Posted in government regulations, scary stuff, stupid security, zero tolerance

Monday, 13 December 2010

Metrodome collapse video: nothing's really secure

Posted on 06:04 by Unknown
Check out this video of the Metrodome collapsing over the weekend. Let this be a reminder that no matter:
  • how much engineering goes into a system
  • how much attention to detail the contractors pay during construction
  • how much insurance coverage you have
  • how detailed and "water tight" your contracts are
  • how many fail-safe features are available "just in case"
...that bad things can and will happen. Be it in a building or on your network there's no guarantee of safety and security.

The real question is: what are you doing today to prepare for such an event? How are you going to respond rather than react when something does happen so you can minimize the impact to your business? The clock's ticking.
Posted in business continuity, incident response, scary stuff, security leadership, stupid security

Friday, 10 December 2010

Canon's digital camera image originality not so original

Posted on 08:17 by Unknown
How's this pic for an attention grabber?!

Well, the folks at Elcomsoft have done it again. This time they've discovered a vulnerability in Canon's Original Data Security system demonstrating that digital image verification data can be forged. Apparently Canon has yet to respond.

Why is this a big deal? Well, it's impactful for the media, for forensics investigators, and for those of us in infosec as digital images are used in many aspects of what we do.

Don't test the authenticity of this Einstein photo since the original "hacked" version has been modified by me uploading it to Blogger. However, some originals are here. Dmitry Sklyarov’s presentation covers all the technical details behind the discovery. Very interesting stuff.

Also, if you're not familiar with Elcomsoft's tools, you've got to check them out. Lots of neat stuff written by a group of sharp people who are helping to drive security in ways that affect practically every aspect of business and lives...especially with this discovery.

Fingers crossed waiting for them to write software involving homes and automobiles one day! That's the next frontier of infosec of which we've just cracked the surface.
Posted in car hacking, cool products, encryption, hacking, passwords

Thursday, 9 December 2010

The WikiLeaks lack of security responsibility & mental disorder connection

Posted on 07:05 by Unknown
Last week I wrote out some talking points in preparation for a TV interview with the Canadian Broadcasting Corporation on the WikiLeaks issue and what businesses can do to keep their information secure. At the last minute they ended up not doing the segment so I thought I'd post my perspective here:
  • The leaks are not the problem – it’s the choices and all the events that lead to information being exposed that need the attention. Surprisingly, we’re not hearing much about that.
  • Certain fundamental aspects of information security like business need to know, data classification, and separation of duties are often ignored OR they’re mired in a wealth of complexity and bureaucracy to the point where they cannot be enforced or they just don’t work at all.
  • Government agencies and people have been trying to keep secrets for centuries…arguably since the dawn of time. We're just experiencing a new means of keeping secrets and subsequent exposure.
  • The issue we’re now facing is information systems complexity. Be it inside government agencies or in businesses, computer systems, applications, and all the hands in the pie create a scenario whereby it’s virtually impossible to ensure that everything of value is secure ALL the time. A fundamental principle of information is that it wants to be free. That, and the fact that the same electronic asset can be in multiple locations at the same time has created a monster that can be difficult to tame if you don’t go about it the right way.
  • You cannot simply classify ALL of your electronic assets as “sensitive” or “critical” like what many people are accusing government agencies of doing – if you do, then it negates most of the benefit.
  • Just because someone has passed a background check, obtained a security clearance, or had glaring references doesn’t mean they’re NOT going to do something bad moving forward…it may also mean they just haven’t gotten CAUGHT.
  • As long as human beings are involved in the process, there will continue to be information risks to government agencies and businesses alike.
  • There’s a fundamental issue here that’s come into play in so many situations – mostly in business: INACTION. Management is out of the loop, users don’t want to be inconvenienced, and many people just keep their heads in the sand.
  • There's a three-step solution to keeping information secure:
  1. Know what you’ve got and where it’s located
  2. Understand how it’s at risk
  3. Do something about it by putting reasonable and measurable controls in place to keep things in check. Okay, maybe a step four: be very careful what you store electronically!
  • Even with all the security controls like tracking suspicious behavior and blocking people from downloading sensitive material to thumb drives and external hard drives there’ll ALWAYS be a way around it.
  • I suspect this data leakage problem will only get worse.
And finally, a few more personal points of view I just thought of. President Obama has created a new position to investigate the leaks…I say, Mr. Obama why not just ask government agencies why they’re not following their own rules?? Bigger government certainly won’t help the matter…

Furthermore, it's obvious Julian Assange is no fan of our country and wants to weaken the U.S....presumably for the same reason so many other people around the world want to weaken us as well. Don't get me wrong, I'm all for freedom of speech, transparency in government and so on. I'm just going about it from a different angle. It is funny how such activists promote "democracy" and rail against censorship while at the same time the politicians they support want to silence anyone who disagrees with their viewpoints.

It's a complex world we live in.
Posted in data leakage, government regulations, personal responsibility, politics, privacy, scary stuff, security leadership, stupid security

Wednesday, 8 December 2010

Are terrorists hanging out at Wal-Mart or something?

Posted on 07:17 by Unknown
Our Imperial Federal Government is at it again with Homeland Security's new "videos" coming to a Wal-Mart near you. Do they have "intelligence" on Islamic terrorists casing our local Wally World parking lots or something? OK, probably not...they're likely just trying to get the word out to the dumb masses.

Unbelievable stuff people...Let's just sit idly and let this government intrusion nonsense continue in support of the Islamic terrorists' ultimate goal.
Posted in government intrusion, government regulations, personal responsibility, privacy, scary stuff, stupid security

Monday, 6 December 2010

Unbelievable #s in the new Billion Dollar Lost Laptop Study

Posted on 07:28 by Unknown
I spent last Thursday in San Francisco at a press briefing held by Intel's Anti-Theft Technology group regarding the new Ponemon Institute Billion Dollar Lost Laptop Study. Larry Ponemon's study found that businesses are losing billions of dollars through lost and stolen laptops - something I wrote about three years ago...and a problem that's been around even longer.

Malcolm Harkins (Intel's CISO), Anand Pashupathy (GM of Intel's Anti-Theft Services), Larry Ponemon (Founder of the Ponemon Institute) and I had a lively discussion on the findings of the study, why we have this problem, and what it's going to take to stop it.

I still shake my head when I see businesses ignore such a high-payoff security control.

Here's some press coverage for your reading enjoyment...check out what the reporters involved in the briefing had to say. The numbers are crazy and can be a great resource for finally getting some support for laptop encryption and related security controls. It's arguably some of the most important stuff affecting infosec today.

Wall Street Journal: Intel-Backed Study Tallies Laptop Losses

InfoWorld: Corporate America's lost laptop epidemic

eWeek: Intel: Failing to Protect Laptops Cost Companies Billions

The Register: Intel reveals 'the billion dollar lost laptop problem' - Chipzilla's plan to rescue $bns spent on McAfee

CRN: Intel Says Businesses Must Do More To Protect Their Mobile PCs

VentureBeat: The Wikileaks wake-up call: Lost or stolen laptops cost corporations $2.1 billion per year
Posted in drive encryption, intel, Kevin's seminars, laptop encryption, laptop security, mobile security, personal responsibility, policy enforcement, politics, security leadership, stupid security